Josh Benaloh

Brian LaMacchia

Winter 2011

Side-Channel Attacks

Breaking a cryptosystem is a frontal attack, but there may be easier access through a side or back door, especially on embedded cryptographic devices such as SmartCards and RFIDs.

January 27, 2011

Practical Aspects of Modern Cryptography


Side-Channel Attacks

Some attack vectors …

- Fault Attacks
- Timing Attacks
- Cache Attacks
- Power Analysis
- Electromagnetic Emissions
- Acoustic Emissions
- Information Disclosure
- … others?


Fault Attacks

(N.B. Problem 3 of Assignment 1 where a mod error in RSA decryption/signatures discloses key.)

Faults may be unintentional or induced by …

- Heat
- Cold
- Low power
- Microwaves
- …etc.
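An added example, not taken from the slides or the assignment: why a single computational error in an RSA signature is serious, and the standard countermeasure of verifying the result with the public key before releasing it. It assumes an RSA-CRT implementation in which the error hits one of the two half-exponentiations; the toy primes and all function names are constructed for illustration.

```python
from math import gcd

# Constructed toy key (two Mersenne primes); real keys are far larger.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def sign_crt(m, fault_in_p_half=False):
    """RSA-CRT signature; optionally model a one-bit error in the mod-P half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p_half:
        sp ^= 1                      # simulated computational fault
    h = (QINV * (sp - sq)) % P
    return (sq + h * Q) % N          # Garner recombination


def leaked_factor(m, s):
    """What a released signature gives away: gcd(s^e - m, N).

    A correct signature yields N (nothing learned). A signature that is
    right mod Q but wrong mod P yields Q, which factors the modulus.
    """
    return gcd((pow(s, E, N) - m) % N, N)


def sign_checked(m, fault_in_p_half=False):
    """Countermeasure: check the signature with the public key before output."""
    s = sign_crt(m, fault_in_p_half)
    if pow(s, E, N) != m % N:
        raise RuntimeError("signature self-check failed; output withheld")
    return s
```

The self-check costs one public-key exponentiation, which is cheap for small `E` compared with the private-key operation it protects.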


Timing Attacks

How long does it take to perform a decryption?

The answer may be data-dependent.

For instance…

$N =$

Watch decryption times for $z = E(m)$ where $m <$ and where $m >$ .

If there is a minute difference, can be determined with binary search.


Cache Attacks

If you can run code on the same device where a decryption is being performed, you may be able to selectively force certain cache lines to be flushed.

Decryption times may vary in a key-dependent manner based upon which lines have been flushed.


Power Analysis

Power usage of a device may vary in a key-dependent manner.

Careful measurement and analysis of power consumption can be used to determine the key.


Electromagnetic Emissions

One can record electromagnetic emissions of a device, often at a distance.

Careful analysis of the emissions may reveal a secret key.


Acoustic Emissions

Modular exponentiation is usually done with repeated squaring and conditional “side” multiplications.

It can actually be possible to hear whether or not these conditional multiplications are performed.


Information Disclosures

(N.B. Bleichenbacher Attack)

A protocol may respond differently to properly and improperly formed data.

Careful manipulation of data may elicit responses which disclose information about a desired key or decryption value.
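An added example, not from the slides: a decryption handler whose replies depend on how the data was malformed, next to one that answers every block the same way. It assumes RSA PKCS #1 v1.5 encryption padding (the format Bleichenbacher's attack targets) applied to an already-decrypted block; the handler names, reply strings and 16-byte secret length are constructed.

```python
import os


def unpad_pkcs1_v15(em):
    """Parse 0x00 0x02 <at least 8 nonzero pad bytes> 0x00 <message>."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad header")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding too short")
    return em[sep + 1:]


def respond_leaky(em):
    """Distinct reply per failure: each reply tells the sender which
    format check the decrypted block passed or failed."""
    try:
        unpad_pkcs1_v15(em)
        return "ok"
    except ValueError as err:
        return f"decrypt error: {err}"


def respond_uniform(em, expected_len=16):
    """Same reply for every block. A malformed block is replaced by a
    random secret, so the failure only surfaces later at a keyed
    integrity check that looks identical for all bad inputs.

    Policy modelled on the TLS countermeasure; the parsing itself is
    still not constant-time in Python.
    """
    fallback = os.urandom(expected_len)
    try:
        secret = unpad_pkcs1_v15(em)
        if len(secret) != expected_len:
            secret = fallback
    except ValueError:
        secret = fallback
    return "ok", secret
```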


Certificate Revocation

- Every “reasonable” certification should include an expiration.
- It is sometimes necessary to “revoke” a certificate before it expires.


Certificate Revocation

Reasons for revocation …

- Key Compromise
- False Issuance
- Role Modification


Certificate Revocation

Two primary mechanisms …

- Certificate Revocation Lists (CRLs)
- Online Certificate Status Protocol (OCSP)



Certificate Revocation Lists

- A CA revokes a certificate by placing its identifying serial number on its Certificate Revocation List (CRL)
- Every CA issues CRLs to cancel out issued certs
- A CRL is like anti-matter: when it comes into contact with a certificate it lists, it cancels out the certificate
- Think “1970s-style credit-card blacklist”
- Relying parties are expected to check the most recent CRLs before they rely on a certificate
- “The cert is valid unless you hear something telling you otherwise”


The Problem with CRLs

Blacklists have numerous problems

- They can grow very large because certs cannot be removed until they expire.
- They are not issued frequently enough to be effective against a serious attack.
- Their size can make them expensive to distribute (especially on low-bandwidth channels).
- They are vulnerable to simple DOS attacks. (What do you do if you can’t get the current CRL?)


More Problems with CRLs

Poor CRL design has made the problem worse.

- CRLs can contain retroactive invalidity dates
- A CRL issued today can say a cert was invalid as of last week.
- Checking that something was valid at time $t$ wasn’t sufficient!
- Back-dated CRLs can appear at any time in the future.
- CAs can even change the CRL rules retroactively.
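An added example, not from the slides, covering two of the CRL problems above: a relying-party check that reports "unknown" when no current CRL is available, and a re-audit showing how a later CRL with a back-dated invalidity date overturns a decision that was correct when it was made. The CRLs are a constructed dictionary model (not parsed X.509), and the serial numbers, dates and function names are illustrative.

```python
from datetime import datetime

# Constructed sample data.
SERIAL = 0x2A
RELIED_AT = datetime(2011, 1, 20)

CRL_JAN19 = {"this_update": datetime(2011, 1, 19),
             "next_update": datetime(2011, 1, 26),
             "revoked": {}}
CRL_JAN27 = {"this_update": datetime(2011, 1, 27),
             "next_update": datetime(2011, 2, 3),
             # listed today, but declared invalid "as of last week"
             "revoked": {SERIAL: datetime(2011, 1, 18)}}


def status(serial, relied_at, crl, now):
    """Decision for a cert relied on at `relied_at`, judged at time `now`."""
    if crl is None or now > crl["next_update"]:
        # No current CRL: report unknown rather than assume the cert is good.
        return "unknown"
    invalid_from = crl["revoked"].get(serial)
    if invalid_from is not None and invalid_from <= relied_at:
        return "revoked"
    return "good"


def retroactively_invalid(reliance_log, new_crl):
    """Past acceptances that a newer CRL declares invalid at the time of use.

    `reliance_log` is a list of (serial, relied_at) pairs the relying
    party recorded when it accepted each certificate.
    """
    return [(serial, when) for serial, when in reliance_log
            if new_crl["revoked"].get(serial, datetime.max) <= when]
```

Keeping the reliance log is what makes the second check possible; without it, a relying party cannot tell which earlier transactions a back-dated CRL affects.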


Yet More Problems with CRLs

- Revoking a cert used by a CA to issue other certs is even harder since this may invalidate an entire set of certs.
- “Self-signed” certificates are often used as a syntactic convenience. Is it meaningful for a cert to revoke itself?


Even More Problems with CRLs

- CRLs can’t be revoked.
  If a cert has been mistakenly revoked, the revocation can’t be reversed.
- CRLs can’t be updated.
  There’s no mechanism to issue a new CRL to relying parties early, even if there’s an urgent need to issue new revocations.


Short-Lived Certificates

If you need to go to a CA to get a fresh CRL, why not just go to a CA to get a fresh cert?


Online Status Checking

- OCSP: Online Certificate Status Protocol
- A way to ask “is this certificate good right now?”
- Get back a signed response from the OCSP server saying, “Yes, cert C is good at time t”
- Response is like a “freshness certificate”
- OCSP response is like a selective CRL
- Client indicates the certs for which he wants status information
- OCSP responder dynamically creates a lightweight CRL-like response for those certs


OCSP in Action

[Figure: diagram with the labels End-entity, CA, Relying Party, Cert Request, Cert, OCSP Request, OCSP For Cert, OCSP Response, Cert + Transaction, Transaction Response.]

Final thoughts on Revocation

- From a financial standpoint, it’s the revocation data that is valuable, not the issued certificate itself.
- For high-valued financial transactions, seller wants to know your cert is good right now.
- This is similar to credit cards, where the merchant wants the card authorized “right now” at the point-of-sale.
- Card authorizations transfer risk from merchant to bank, thus they’re worth $$$.


Design Charrette

How would you design a transit fare card system?


Fare Card System Elements

- An RFID card for each rider
- Readers on each vehicle and/or transit station (Internet connected?)
- Card purchase/payment machines
- A web portal for riders to manage and/or enrich their cards
