Cosic seminar - PowerPoint PPT Presentation

1
Cosic seminar
Differential Power Analysis
Stef Hoeben
NOTE some images have been removed
Wednesday, April 28 1999
2
Overview
  • Smart Cards
  • Physical Attacks
  • Simple Power Analysis
  • Differential Power Analysis
  • Philosophy
  • Example
  • Characteristics, countermeasures, status
  • Online resources

3
Smart Cards
  • Embossed magnetic cards (-> identification)
  • Phone Cards
  • Bancontact, Mister Cash
  • Memory Cards
  • Only a counter
  • Access control logic (e.g. telecards)
  • Smart Cards (have a microcontroller)
  • GSM SIM Card
  • Electronic Purses (Proton, CLIP, Mondex, ...)
  • Super Cards (with display and keyboard)

4
  • What are Smart Cards?
  • 8 (16, 32) bit CPU
    • Often at 3.5795 or 4.9152 MHz
  • RAM: 128 bytes - 16 Kbytes
  • ROM: 1 - 32 Kbytes
    • Contains the code
  • EEPROM: 1 - 32 Kbytes
    • Contains the data
    • A small part are OTP (One Time Programmable) bytes
  • Optional
    • Random Noise Generation, sensors, security logic, ...
    • Modular Exponentiations Unit or Co-processor

5
  • EEPROM data
  • Organized as a directory structure
    • one Master File (= root)
    • Dedicated Files (= directories)
    • Elementary Files (= files)

(Diagram: file tree with the MF at the root and DFs and EFs below it)

  • Examples of Elementary files
    • Purse File (balance, currency, validity, transaction counter, ...)
    • Logging File (keeps record of the previous payments)
    • Key File (keys for credit, debit, update, authentication, ...)

6
  • Some standards
  • ISO 7810 and ISO/IEC 7816
    • 1: Physical characteristics
    • 2: Contacts
    • 3: Electronic Signals & Transmission Protocols
    • 4: Commands
    • 5: Application identifiers
    • 6: Inter-industry data elements
    • 7: SCQL (Structured Card Query Language)
  • CEN/CENELEC and ETSI (specifically for GSM SIM cards)
  • EMV (specifically for payment cards)
    • 1: Electromechanical characteristics, logical interfaces, transmission protocol
    • 2: Data elements & commands
    • 3: Transaction processing
  • ISO/IEC 10536
    • Contactless cards, close coupling
  • ISO/IEC 14443
    • Contactless cards, remote coupling

7
SC contacts (ISO/IEC 7816 part 2)
  • Vcc: power supply
  • RST: reset
  • Vpp: EEPROM writing voltage (still used?)
  • CLK: clock
  • GND: ground
  • I/O: input/output

8
Commands (ISO/IEC 7816 part 4)
(Diagram: the Terminal sends a command to the Smart Card; the Smart Card answers with (response +) status code)
  • Example: the INTERNAL AUTHENTICATE command
  • Terminal sends <00 88 01 01 08 26 48 75 13 62 59 56 84> hex
    • (fields: INS, CLA, P1, P2, LEN, 8 byte random)
  • Smart Card calculates result = DES(K_INTERNAL_AUTH, random)
  • and sends this to the Terminal: <25 65 48 95 68 74 15 23 90 00> hex
    • (8 bytes result + status)

9
Physical attacks (1)
  • Reverse engineering
    • HNO3 etching and probing, UV light to erase EEPROM, etching away chip layers, Focussed Ion Beam, ...
    • Danger: real, even the best SC's won't be safe after more than 3 or 4 years.
  • Fault introduction (change clock or power, microwaves)
    • Bellcore attack (Boneh, DeMillo, Lipton - EUROCRYPT 97)
    • Differential Fault Analysis (Biham, Shamir - CRYPTO 97)
    • Danger: were announced as being theoretical, however practical attacks are said to be upcoming.

10
Physical attacks (2)
  • Electromagnetic radiation (Van Eck effect)
    • See http://www.jastech-emc.com/paper1.htm
  • Timing attacks (Kocher - CRYPTO 96)
    • With or without Chinese Remainder Theorem
    • Danger: very real for unprotected cards
  • Power Analysis (Kocher - 98)
    • Simple Power Analysis
    • Differential Power Analysis
    • See http://www.cryptography.com/dpa/index.html
    • Danger: see below ...

11
  • In General
    • Given enough resources (time, knowledge, equipment, money), no smart card is secure.
    • Technology to analyze ICs advances at the same speed as IC development itself.
  • So
    • Cost for security loss by fraud
    • Maximize the cost to break in and minimize the consequences of such an attack.

12
Simple Power Analysis
The power consumption Ptotal during each clock cycle can approximately be divided into 3 parts:

$P_{total} = P_{instruction} + P_{noise} + P_{data}$

where Pinstruction is constant, Pnoise is random and Pdata is data dependent.
And as can be seen on the next image: Pinstruction > Pnoise > Pdata (Pdata not visible), which means that groups of instructions and even individual instructions can be distinguished.
13
Plot of the power consumption during each clock
cycle during a cryptographic calculation (removed)
How to use SPA in attacks? E.g. if it would be
possible to distinguish between a square and a
multiply operation in RSA, one single
power measurement will reveal the private key.
14
Differential Power Analysis
  • The power consumption during a cryptographic operation is measured.
  • Is a statistical attack (-> many measurements).
  • Applicable for all crypto algorithms and smart cards (when no special measures are taken).
  • Goal: find the key that is used in the algorithm.
  • Requirements: digital oscilloscope, smart card reader, computer, software to interface the reader and scope.
  • Difference with SPA: the attack relies on differences in Pdata

15
Philosophy (1)
If you could measure very accurately the power consumption:
A. Known plaintext
(Diagram: Pi and Ki go into an operation, which outputs Oi)
  Pi: part of the plaintext -> known
  Oi: output -> measured
  Ki: part of the key -> can be found by exhaustive search, if you have some values of Pi and Oi
(An operation is a part of the encryption algorithm, e.g. an exor or an exor followed by an S-box)
But Oi can't be measured accurately enough because the noise power exceeds the change in power caused by the data.
16
Philosophy (2)
If you could measure very accurately the power consumption:
A. Known plaintext
(Diagram: Pi and Ki go into an operation, which outputs Oi)
  Pi: part of the plaintext -> known
  Oi: output -> measured
  Ki: part of the key -> can be found by exhaustive search, if you have some values of Pi and Oi
B. Known ciphertext
(Diagram: Ii and Ki go into an operation, which outputs Ci)
  Ci: part of the ciphertext -> known
  Ii: input -> measured
  Ki: part of the key -> can be found by exhaustive search, if you have some values of Ii and Ci
But Oi or Ii can't be measured accurately enough because the noise power exceeds the change in power caused by the data.
17
Philosophy (3)
So:
- Use many measurements n, until the summed power caused by the data Pdata exceeds the summed power of the noise Pnoise:
  $P_{noise} \propto n^{1/2}$, $P_{data} \propto n$
- $P_{total} = P_{instruction} + P_{noise} + P_{data}$: divide the measurements into 2 populations and subtract the means of those populations (such that Pinstruction will be removed). The division into 2 populations has to reflect the difference in Pdata. See example...
18
Example: a known plaintext DPA attack on DES.
Equipment:
  • SC reader with SC
  • PC
    • sends 600 different plaintexts to the SC and saves them in a file
    • reads scope measurements and saves them to a file
  • Current probe over Vcc
  • Digital scope (or DAQ card)
19
Example of a measurement
Image of the power consumption of a full DES
operation (removed)
Image of the power consumption of the first 2
rounds (removed)
20
The attack (1)
(Diagram, start of 1st round: L0 (32 bits), R0 (32 bits) -> expansion -> Exp (48 bits) -> exor with K1 -> 8 x 6 bits -> S1 ... S8 -> 8 x 4 bits)
- Take K1 = K11 ... K18, then K11 (6 bits) will be exor-ed with the first 6 bits of Exp and go to S1.
- Say S1b1 is the first bit of the output of S1 after permutation and exor-ing with the corresponding L0 bit.
- For each of the 2^6 possible values of K11, only one will give the correct value for S1b1 for all 600 measurements (next slide...)
21
The attack (2)
  • So for each of the 2^6 possible values of K11:
    • calculate for all 600 plaintexts the value of S1b1
    • place the corresponding measurements in one of the populations S1b1 = 1 or S1b1 = 0
    • calculate the statistical difference between the averages of both populations (for each instruction)
  • Plotting these statistical differences for the instructions in the second round (in which S1b1 will be present) gives for 63 values of K11 plots like the following ...

22
The attack (3)
Image of the statistical differences for each
clock cycle, for a wrong key (removed)
and for one value of K11
Image of the statistical differences for each
clock cycle, for a correct key (removed)
23
The attack (4)
The reason: when the wrong key is guessed, the populations will be randomly chosen (which gives statistical differences of at most 3 times the standard deviation). But the right key will reflect the difference in Pdata for the instructions which use S1b1.
This attack can be repeated for the other 3 output bits of S1 to check if they give the same K11. And it can of course also be repeated for all other output bits of the other S-boxes, which gives us K1 (so 48 bits of the DES key are then known).
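
The population split and difference of means from "The attack (1)" to "The attack (4)", as an added simulation that is not part of the original slides. It runs on constructed traces built as Ptotal = Pinstruction + Pnoise + Pdata; the leakage model (one power unit per set S1 output bit at a single sample, Gaussian noise), the function names and the summing of the four output-bit curves into one score are assumptions of this example, and the permutation and exor with L0 are left out.

```python
import random

# DES S-box S1 (standard table): row = outer two input bits, column = middle four.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]

def sbox1(x):
    """4-bit S1 output for a 6-bit input x."""
    return S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]

def simulate(key, n=600, samples=8, leak_at=5, sigma=2.0, seed=1999):
    """Constructed traces following Ptotal = Pinstruction + Pnoise + Pdata.
    Assumed leakage model: one power unit per set S1 output bit, at one sample."""
    rng = random.Random(seed)
    p_instr = [rng.uniform(20, 30) for _ in range(samples)]  # identical every run
    exp_bits, traces = [], []
    for _ in range(n):
        e = rng.randrange(64)                                # known 6 bits of Exp
        trace = [p + rng.gauss(0, sigma) for p in p_instr]   # Pnoise > Pdata
        trace[leak_at] += bin(sbox1(e ^ key)).count("1")     # Pdata
        exp_bits.append(e)
        traces.append(trace)
    return exp_bits, traces

def mean_curve(group):
    return [sum(col) / len(group) for col in zip(*group)]

def dom(exp_bits, traces, guess, bit):
    """Difference of means, per sample, between populations bit=1 and bit=0."""
    sel = [(sbox1(e ^ guess) >> bit) & 1 for e in exp_bits]
    ones = mean_curve([t for s, t in zip(sel, traces) if s])
    zeros = mean_curve([t for s, t in zip(sel, traces) if not s])
    return [a - b for a, b in zip(ones, zeros)]

def summed_dom(exp_bits, traces, guess):
    """Add the curves of all four S1 output bits (they must agree on the key)."""
    curves = [dom(exp_bits, traces, guess, b) for b in range(4)]
    return [sum(col) for col in zip(*curves)]

def recover(exp_bits, traces):
    """Try all 2^6 values of K11; the right one gives the highest peak."""
    return max(range(64), key=lambda g: max(summed_dom(exp_bits, traces, g)))

if __name__ == "__main__":
    e, t = simulate(key=0b101101)
    print("recovered K11 =", recover(e, t))
```

Changing n and sigma in simulate() shows how the peak compares with the noise floor, which is the quantity the countermeasures on the later slides try to reduce.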
24
The attack (4)
For example, the plot below shows the power on
the largest peak (of 20.2 times the standard
deviation, on clock cycle 244) for all 600
measurements
(removed)
25
  • Remarks (1)
  • Actually, the plots don't show the power in each instruction but in each clock cycle (each instruction consists of some clock cycles).
  • Negative power values: due to normalization
  • Some plots for a wrong key do show some peaks because those keys are related to the right key with respect to that S-box and that bit.
  • In Kocher's paper, no statistical difference is made, but in each population the measurements are added and these sums are subtracted.

26
  • Remarks (2)
  • Other kinds of attacks are possible, such as attacking only the exor (without the S-box, permutation and exor with the left part)
    • A Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards (Chari, Jutla, Rao and Rohatgi, IBM)
    • paper submitted to the second AES conference
    • http://www.nist.gov/aes/

27
Characteristics of DPA
  • The attack needs to be performed on an operation where both a part of the data and a part of the key come together: Operation(Datain, Keyi) = Dataout
  • Either Datain or Dataout for that operation should be known (so a DPA attack in the middle of the crypto algorithm is not possible).
  • An exhaustive search on Keyi is needed (so the fewer bits Keyi has, the faster the attack).
  • All samples need to be synchronized.
  • Statistical analysis -> many samples needed (> 100)

28
  • Notes
  • Other related attacks are also possible; these attacks don't necessarily have the same characteristics.
    • e.g. compare the power where 2 different keys are loaded from EEPROM to RAM (many measurements for both). Differences in the number of zeros or ones of both keys should be detectable. (Power Analysis of the Key Scheduling of the AES Candidates, Biham and Shamir, second AES Conference)
    • High-Order DPA: instead of analyzing one event, correlate information between multiple operations. See Kocher's paper.

29
  • Countermeasures
  • Hardware solutions
    • algorithm in hardware
    • reduce power consumption, increase noise.
  • Software solutions
    • add random instructions so as to desynchronize, so much so that resynchronization (by software) fails.
    • don't let the instructions depend on data or key (e.g. conditional jumps if data bits are set) (SPA only)
    • if possible reduce the number of times the algorithm can be executed
    • pay much attention to the beginning and end of the algorithm (DPA only)

30
  • Current status
  • Most unprotected cards are expected to be vulnerable.
  • No perfect solution is found yet, and none is expected (soon).
  • Smart card companies do investigations and implement their solutions.
  • These solutions are often kept secret, also because of the security this offers.
  • Not much third-party checks for these solutions, or without inside information needed for thorough checking.

31
Online resources
  • General links
    • http://www.cardeurope.demon.co.uk/
    • http://cctpwww.cityu.edu.hk/computer/c3_smartcard.htm
    • http://www.smart-card.com/
  • Info
    • http://www.smartcard.co.uk/tech1.html
    • http://www.gemplus.com/basics/index.htm
    • http://www.linuxnet.com/tutorial.html
  • Attacks
    • http://www.cl.cam.ac.uk/users/rja14/Reliability
    • http://members.tripod.com/telecardnews/index.html
  • Standards
    • http://www.cardeurope.demon.co.uk/stds.htm
    • http://www.ioc.ee/atsc/