Josh Benaloh
Brian LaMacchia
Winter 2011

Side-Channel Attacks

Breaking a cryptosystem is a frontal attack, but there may be easier access through a side or back door – especially on embedded cryptographic devices such as SmartCards and RFIDs.

January 27, 2011
Practical Aspects of Modern Cryptography

Side-Channel Attacks

Some attack vectors …
Fault Attacks
Timing Attacks
Cache Attacks
Power Analysis
Electromagnetic Emissions
Acoustic Emissions
Information Disclosure
… others?

Fault Attacks

(N.B. Problem 3 of Assignment 1, where a mod error in RSA decryption/signatures discloses the key.)

Faults may be unintentional or induced by …
Heat
Cold
Low power
Microwaves
…etc.

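An added example, not from the lecture or the assignment, of the mod-error leak the slide refers to, written in Python with constructed toy primes: when one CRT half of an RSA signature is corrupted, gcd(s'^e - m, N) returns a factor of N, which is why a signing implementation re-verifies every signature with the public key and withholds any that fails (the verify-before-release check). Names, key sizes and the message value are all constructed for the example.

```python
from math import gcd

# Constructed toy primes (the 9999th and 10000th primes); real keys use ~1024-bit primes.
P, Q = 104723, 104729
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)     # CRT exponents
QINV = pow(Q, -1, P)                  # q^-1 mod p for Garner recombination


def crt_sign(m, fault_q=False):
    """RSA-CRT signature of m (already reduced mod N). fault_q=True simulates a
    glitch that corrupts the mod-Q half before recombination, i.e. the slide's
    'mod error' in one branch of the computation."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault_q:
        s_q ^= 1                       # a single flipped bit is enough
    h = (QINV * (s_p - s_q)) % P
    return (s_q + Q * h) % N


def factor_from_faulty(m, s_faulty):
    """Why the faulty output is fatal: s' is still correct mod P but wrong mod Q,
    so s'^e - m is a multiple of P and not of Q, and the gcd returns P."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)


def hardened_sign(m, fault_q=False):
    """Verify-before-release: re-check s^e == m (mod N) with the public key and
    refuse to output anything when it fails, so a glitched result never leaves
    the device."""
    s = crt_sign(m, fault_q)
    if pow(s, E, N) != m % N:
        return None
    return s


if __name__ == "__main__":
    m = 123456789                      # constructed message, already < N
    print("correct signature verifies:", pow(crt_sign(m), E, N) == m)
    print("gcd on faulty signature gives p:", factor_from_faulty(m, crt_sign(m, True)) == P)
    print("hardened signer withholds faulty output:", hardened_sign(m, True) is None)
```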
Timing Attacks

How long does it take to perform a decryption?
The answer may be data-dependent.
For instance…
N =
Watch decryption times for z = E(m) where m < and where m > .
If there is a minute difference, can be determined with binary search.

Cache Attacks

If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed.
Decryption times may vary in a key-dependent manner based upon which lines have been flushed.

Power Analysis

Power usage of a device may vary in a key-dependent manner.
Careful measurement and analysis of power consumption can be used to determine the key.

Electromagnetic Emissions

One can record electromagnetic emissions of a device – often at a distance.
Careful analysis of the emissions may reveal a secret key.

Acoustic Emissions

Modular exponentiation is usually done with repeated squaring and conditional “side” multiplications.
It can actually be possible to hear whether or not these conditional multiplications are performed.

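An added example for the power-analysis, electromagnetic and acoustic slides above (not code from the lecture): the operation sequence of textbook square-and-multiply is exactly the exponent's bit pattern, which is what a power, EM or acoustic trace exposes, while a Montgomery ladder performs the same square and multiply on every bit so the sequence carries no key information. The trace recording, the function names and the small constants are constructed for the example; Python integers are not themselves constant-time, the point is the operation sequence.

```python
def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation. Returns (result, trace), where the
    trace lists each modular operation as 'S' (square) or 'M' (multiply)."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":                 # the conditional 'side' multiplication
            result = (result * base) % mod
            trace.append("M")
    return result, trace


def montgomery_ladder(base, exp, mod):
    """Same result, but exactly one multiply and one square per bit whatever its
    value, so the operation sequence does not depend on the exponent."""
    r0, r1, trace = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        trace += ["M", "S"]
    return r0, trace


def bits_from_trace(trace):
    """What an observer who can distinguish S from M learns from square-and-multiply:
    an M directly after an S marks a 1 bit, a lone S marks a 0 bit."""
    bits, i = "", 0
    while i < len(trace):
        if trace[i] == "S" and i + 1 < len(trace) and trace[i + 1] == "M":
            bits, i = bits + "1", i + 2
        elif trace[i] == "S":
            bits, i = bits + "0", i + 1
        else:
            i += 1
    return bits


if __name__ == "__main__":
    _, leaky = square_and_multiply(7, 11, 101)       # exponent 11 = 0b1011
    print("square-and-multiply trace:", "".join(leaky), "->", bits_from_trace(leaky))
    print("ladder trace for 11:", "".join(montgomery_ladder(7, 11, 101)[1]))
    print("ladder trace for 8: ", "".join(montgomery_ladder(7, 8, 101)[1]))
```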
Information Disclosures

(N.B. Bleichenbacher Attack)

A protocol may respond differently to properly and improperly formed data.
Careful manipulation of data may elicit responses which disclose information about a desired key or decryption value.

Certificate Revocation

Every “reasonable” certification should include an expiration.
It is sometimes necessary to “revoke” a certificate before it expires.

Certificate Revocation

Reasons for revocation …
Key Compromise
False Issuance
Role Modification

Certificate Revocation

Two primary mechanisms …
Certificate Revocation Lists (CRLs)
Online Certificate Status Protocol (OCSP)

Certificate Revocation Lists

A CA revokes a certificate by placing its identifying serial number on its Certificate Revocation List (CRL).
Every CA issues CRLs to cancel out issued certs.
A CRL is like anti-matter – when it comes into contact with a certificate it lists, it cancels out the certificate.
Think “1970s-style credit-card blacklist”.
Relying parties are expected to check the most recent CRLs before they rely on a certificate.
“The cert is valid unless you hear something telling you otherwise.”

The Problem with CRLs

Blacklists have numerous problems:
They can grow very large because certs cannot be removed until they expire.
They are not issued frequently enough to be effective against a serious attack.
Their size can make them expensive to distribute (especially on low-bandwidth channels).
They are vulnerable to simple DOS attacks. (What do you do if you can’t get the current CRL?)

More Problems with CRLs

Poor CRL design has made the problem worse.
CRLs can contain retroactive invalidity dates:
  A CRL issued today can say a cert was invalid as of last week.
  Checking that something was valid at time t wasn’t sufficient!
  Back-dated CRLs can appear at any time in the future.
CAs can even change the CRL rules retroactively.

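An added example (not from the lecture) of the relying-party logic the two CRL slides above describe, in Python with a constructed timeline: a signature made on day 3 is “good” against the CRL current at the time, yet “revoked” against a CRL issued on day 7 whose entry carries a back-dated invalidity date (the optional Invalidity Date entry extension of RFC 5280), and a missing CRL yields no verdict at all, which is the DOS case the slide asks about. Class names, serial number and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime            # when the CA listed the cert
    invalidity_date: Optional[datetime]  # optional back-dated "known bad since"


@dataclass
class CRL:
    this_update: datetime
    next_update: datetime
    entries: List[RevokedEntry] = field(default_factory=list)


def status_at(serial: int, crl: Optional[CRL], t: datetime) -> str:
    """Status of certificate `serial` for a signature made at time t, judged by one
    CRL. Returns 'good', 'revoked' or 'unknown'. 'unknown' (no CRL obtainable) is
    deliberately not mapped to 'good': fail-open versus fail-closed must be an
    explicit policy decision by the caller."""
    if crl is None:
        return "unknown"
    for entry in crl.entries:
        if entry.serial != serial:
            continue
        effective = entry.invalidity_date or entry.revocation_date
        if effective <= t:            # revoked as of a time at or before the signature
            return "revoked"
    return "good"


# Constructed timeline around a signature made on day 3 with serial 4711.
DAY0 = datetime(2011, 1, 20)
def day(n): return DAY0 + timedelta(days=n)
SERIAL = 4711
CRL_WEEK1 = CRL(this_update=day(0), next_update=day(7))
CRL_WEEK2 = CRL(this_update=day(7), next_update=day(14), entries=[
    RevokedEntry(SERIAL, revocation_date=day(7), invalidity_date=day(1))])  # back-dated


def verdicts():
    """The same day-3 signature judged with the CRL of its time and with the later one."""
    return {
        "with_week1_crl": status_at(SERIAL, CRL_WEEK1, day(3)),    # good at the time
        "with_week2_crl": status_at(SERIAL, CRL_WEEK2, day(3)),    # retroactively revoked
        "before_invalidity": status_at(SERIAL, CRL_WEEK2, day(0)),  # signed before day 1
        "no_crl": status_at(SERIAL, None, day(3)),                  # DOS: no verdict
    }
```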
Yet More Problems with CRLs

Revoking a cert used by a CA to issue other certs is even harder, since this may invalidate an entire set of certs.
“Self-signed” certificates are often used as a syntactic convenience. Is it meaningful for a cert to revoke itself?

Even More Problems with CRLs

CRLs can’t be revoked.
  If a cert has been mistakenly revoked, the revocation can’t be reversed.
CRLs can’t be updated.
  There’s no mechanism to issue a new CRL to relying parties early – even if there’s an urgent need to issue new revocations.

Short-Lived Certificates

If you need to go to a CA to get a fresh CRL, why not just go to a CA to get a fresh cert?

Online Status Checking

OCSP: Online Certificate Status Protocol
A way to ask “is this certificate good right now?”
  Get back a signed response from the OCSP server saying, “Yes, cert C is good at time t”
  Response is like a “freshness certificate”
OCSP response is like a selective CRL
  Client indicates the certs for which he wants status information
  OCSP responder dynamically creates a lightweight CRL-like response for those certs

OCSP in Action

[Figure: message flow among End-entity, CA, Relying Party and OCSP, in six numbered steps ① to ⑥. The messages shown are Cert Request, Cert, Cert + Transaction, OCSP Request for Cert, OCSP Response, and Transaction Response.]

Final thoughts on Revocation

From a financial standpoint, it’s the revocation data that is valuable, not the issued certificate itself.
For high-valued financial transactions, the seller wants to know your cert is good right now.
This is similar to credit cards, where the merchant wants the card authorized “right now” at the point-of-sale.
Card authorizations transfer risk from merchant to bank – thus they’re worth $$$.

Design Charrette

How would you design a transit fare card system?

Fare Card System Elements

An RFID card for each rider
Readers on each vehicle and/or transit station (Internet connected?)
Card purchase/payment machines
A web portal for riders to manage and/or enrich their cards