Differential Cache-Collision Timing Attacks on AES with Applications

Report
Wide Collisions in Practice
Xin Ye, Thomas Eisenbarth
Florida Atlantic University, USA
10th ACNS 2012- Singapore
Overview
• Side Channel Collision Attacks
• Wide Collisions for AES
• Improving Recognition Rates
• Attack Results
Embedded Systems
• Specific purpose device with
computing capabilities
• Constrained resources
• Many require security
Side Channel Attacks
plaintext
Leakage
ciphertext
0.8
right key
wrong keys
0.7
0.6
0.5
Correlation
0.4
0.3
0.2
0.1
0
-0.1
-0.2
0
20
40
60
80
100
Time
120
140
… leaks additional information via side channel!
e.g. power consumption / EM emanation
160
180
200
Collisions in AES
plaintext
Add_Key
Sub_Bytes
S
S
S
y1
S
S
S
S
y4 = y 1
Collision: Querying same S-box value twice
Collision Attack: Exploiting collision detections
to recover secret key
S-box 1
S-box 4
Collision Detection
Collisions are highly frequent:
– First round:
– One encryption:
.41 collisions
>40 collisions
Detecting collisions is hard:
– One encryption: 12 720 comparisons
– Probability of a collision: <0.4%
– False positive rate of 1%: >120 faulty detections
 Should minimize false positives
Wide Collisions (I)



Two AES encryptions with chosen inputs
Same plaintexts except for diagonals!
AddRoundKey, SubBytes -> same difference
Wide Collisions (II)
• ShiftRows aligns differences
• MixColumns can result in equal bytes
Collision
Wide Collisions (III)



2nd ShiftRows results in equal columns
Full column collides until next ShiftRows!
5 predictable S-Box collisions between 2 encryptions!
Full Column Collision
Collision Detection
• Direct Comparison of two power traces
• Ideally only compared in leaking regions
(5 s-Boxes and full MixColumns colliding)
Point selection necessary:
– Knowledge of implementation or profiling needed
+ S-box in round 2
+ Mix Columns
S-box 4 S-boxes (in round 3)
Key Recovery Phase
• 1st byte after 1st MixColumns:
• 4 collisions reduce key candidates from
232 to 1 candidate per diagonal.
• Full key recovery: 16 distinct collisions.
Avoid false positives
Outlier Method
Procedure:
Find overall
Mean Trace
Locate Outlier
Region
Locate
Neighboring
Pairs
Mean Trace
Individual Trace
Outlier Region
Outlier Method: Details
Two parameters:
• Size of outlier region
• Admitted distance between
neighboring points
Both influence
• Number of detected collisions
• Rate of false positives
Tradeoff depends on implementation
Results
• Unprotected SW implementation, 8-bit Smart Card
• Results on 3000 power traces:
Leaking Points
Detected Collisions
Correct Detections
1 (R = 0.9, dmax = 0.3)
127
23.0%
4 (R = 0.9, dmax = 0.3)
46
71.1%
8 (R = 0.9, dmax = 0.3)
88
93.7%
 Wide Collisions stronger, but knowledge of
implementation or profiling needed
 Blind Templates (+ PCA) are great for device
profiling
Optimized Collision Detection
• Targeting Wide Collisions
– Strong leakage, easier to detect
– Requires chosen inputs
• Using Outlier Detection method:
– Reduces overall detection of collisions
– Minimizes false positives
Conclusion
• Wide collisions yield feasible power based
collision attack
• Outlier Method is a helpful tool for decreasing
false positive detections
Thank you very much for your attention!
[email protected]

similar documents