
"The generation of random numbers is too important to be left to chance."






Presentation Transcript


  1. "The generation of random numbers is too important to be left to chance." -- Robert R. Coveyou, Oak Ridge National Laboratory

  2. Xkcd http://xkcd.com/221/

  3. Netscape 1.1 Seeding Process

     RNG_CreateContext() {
         (seconds, microseconds) = time of day;   /* Time elapsed since 1970 */
         pid = process ID;
         ppid = parent process ID;
         a = mklcpr(microseconds);
         b = mklcpr(pid + seconds + (ppid << 12));
         seed = MD5(a, b);                         /* seed is a global variable */
     }

     mklcpr(x) {   /* not cryptographically significant; shown for completeness */
         return ((0xDEECE66D * x + 0x2BBB62DC) >> 1);
     }

     From Goldberg and Wagner, "Randomness and the Netscape Browser", Dr. Dobb's, January 1996.

  4. Netscape 1.1 Key Generation

     RNG_GenerateRandomBytes() {
         x = MD5(seed);
         seed = seed + 1;
         return x;
     }

     global variable challenge, secret_key;

     create_key() {
         RNG_CreateContext();
         tmp = RNG_GenerateRandomBytes();
         tmp = RNG_GenerateRandomBytes();
         challenge = RNG_GenerateRandomBytes();
         secret_key = RNG_GenerateRandomBytes();
     }

     From Goldberg and Wagner, "Randomness and the Netscape Browser", Dr. Dobb's, January 1996.
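An added Python model of slides 3 and 4 (not Goldberg and Wagner's code): it reproduces the seeding to show that challenge and secret_key are a pure function of (seconds, microseconds, pid, ppid), and bounds how many distinct seeds exist once those inputs are known to lie in small ranges. The MD5 input layout and the "seed + 1" integer convention are assumptions.

```python
import hashlib
import math
import struct
from typing import Tuple

MASK32 = 0xFFFFFFFF


def mklcpr(x: int) -> int:
    """The slide's mixing step, with the 32-bit wrap-around that C unsigned arithmetic applies."""
    return ((0xDEECE66D * x + 0x2BBB62DC) & MASK32) >> 1


def netscape_seed(seconds: int, microseconds: int, pid: int, ppid: int) -> bytes:
    """Model of RNG_CreateContext(): the seed is a pure function of these four inputs.
    Assumption: MD5(a, b) hashes a and b as two little-endian 32-bit words."""
    a = mklcpr(microseconds)
    b = mklcpr((pid + seconds + (ppid << 12)) & MASK32)
    return hashlib.md5(struct.pack("<II", a, b)).digest()


def netscape_keys(seed: bytes) -> Tuple[bytes, bytes]:
    """Model of create_key(): two discarded outputs, then challenge, then secret_key.
    Assumption: 'seed = seed + 1' treats the 128-bit digest as a little-endian integer."""
    counter = int.from_bytes(seed, "little")
    outputs = []
    for _ in range(4):
        outputs.append(hashlib.md5(counter.to_bytes(16, "little")).digest())
        counter = (counter + 1) & ((1 << 128) - 1)
    return outputs[2], outputs[3]


def seed_search_space_bits(seconds_window: int, pid_range: int, ppid_range: int) -> float:
    """Upper bound on the seed's entropy in bits: with 'seconds' known to within
    seconds_window and pid/ppid drawn from ranges of the given sizes, at most
    seconds_window * 1e6 * pid_range * ppid_range distinct seeds (and hence keys) exist,
    regardless of how long the generated key is."""
    return math.log2(seconds_window * 1_000_000 * pid_range * ppid_range)
```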

  5. Jones' RNG Rules
     • Don't use system generators
     • Use a known good RNG you implemented
     • Properly seed the RNG

  6. KISS Generator (G. Marsaglia)

     static unsigned int   /* Seed variables */
         x = 123456789, y = 362436000, z = 521288629, c = 7654321;

     unsigned int KISS() {
         unsigned long long t, a = 698769069ULL;
         x = 69069*x + 12345;
         y ^= (y<<13); y ^= (y>>17); y ^= (y<<5);   /* y never == 0! */
         t = a*z + c;
         c = (t>>32);                                /* Also avoid setting z=c=0! */
         return x + y + (z=t);
     }
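An added Python port of the KISS generator above (not Marsaglia's or Jones' code), with the seeding rules from slide 5 enforced: the state is drawn from the OS entropy source unless given, and the degenerate y == 0 and z == c == 0 states are rejected.

```python
import secrets

MASK32 = 0xFFFFFFFF


class KISS:
    """Marsaglia's KISS as on the slide: a 32-bit LCG, an xorshift and a
    multiply-with-carry generator, summed. The seed must keep y != 0 and must not
    set z and c both to 0, or a component gets stuck; this port enforces that and,
    when no seed is given, draws one from the OS entropy source."""

    def __init__(self, x=None, y=None, z=None, c=None):
        draw = lambda v: secrets.randbits(32) if v is None else v & MASK32
        self.x, self.y, self.z, self.c = draw(x), draw(y), draw(z), draw(c)
        if y is None:
            while self.y == 0:            # vanishingly rare, but cheap to rule out
                self.y = secrets.randbits(32)
        if self.y == 0:
            raise ValueError("xorshift state y must be nonzero")
        if self.z == 0 and self.c == 0:
            raise ValueError("multiply-with-carry state z and c must not both be zero")

    def next_u32(self) -> int:
        # LCG, wrapped to 32 bits as unsigned int arithmetic does in C
        self.x = (69069 * self.x + 12345) & MASK32
        # xorshift (13, 17, 5); left shifts are masked, the right shift needs no mask
        y = self.y
        y ^= (y << 13) & MASK32
        y ^= y >> 17
        y ^= (y << 5) & MASK32
        self.y = y
        # multiply-with-carry: t = a*z + c; c becomes the high word, z the low word
        t = 698769069 * self.z + self.c
        self.c = t >> 32
        self.z = t & MASK32
        return (self.x + self.y + self.z) & MASK32


def marsaglia_default() -> KISS:
    """The slide's fixed seed: reproducible for tests, never for key material."""
    return KISS(123456789, 362436000, 521288629, 7654321)
```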

  7. Chosen ciphertext attack against RSA (Schneier)
     n (modulus) = product of secret primes p and q
     e (public key) = relatively prime to (p-1)(q-1)
     d (private key) = e^-1 mod ((p-1)(q-1))
     Encrypt: c = m^e mod n
     Decrypt: m = c^d mod n
     Eve gets ciphertext message c from Alice and wants to read it, i.e., she wants to find m = c^d.
     She chooses a random r < n and uses Alice's public key e:
       x = r^e mod n
       y = x·c mod n
       t = r^-1 mod n
     Note: if x = r^e mod n, then r = x^d mod n!
     Eve tricks Alice into encrypting (signing) y with her d; Alice sends Eve u = y^d mod n.
     Eve then calculates t·u mod n = r^-1·y^d mod n = r^-1·x^d·c^d mod n = c^d mod n = m
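An added worked example of the slide's blinding argument with constructed toy primes (not Schneier's code): it checks the identity t·u ≡ m (mod n) numerically and shows the standard mitigation, signing a digest of what is presented rather than applying d to the raw value. Function names and the toy parameters are the editor's choices.

```python
import hashlib
from math import gcd


def rsa_toy_keypair():
    """Textbook RSA with constructed toy primes p=61, q=53 (illustration only)."""
    p, q, e = 61, 53, 17
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)          # d = e^-1 mod (p-1)(q-1)


def encrypt(m, e, n):
    return pow(m, e, n)                   # c = m^e mod n


def blind(c, r, e, n):
    """Eve's step: y = x*c with x = r^e, so y looks unrelated to c."""
    if gcd(r, n) != 1:
        raise ValueError("r must be invertible mod n")
    return (pow(r, e, n) * c) % n


def unblind(u, r, n):
    """t = r^-1 mod n; t*u = r^-1 * r * c^d = c^d = m (mod n)."""
    return (pow(r, -1, n) * u) % n


def naive_signer(y, d, n):
    """Alice's flawed behaviour: applies d to whatever value she is handed."""
    return pow(y, d, n)                   # u = y^d mod n


def hashing_signer(y, d, n):
    """Mitigation: sign a digest of the presented value, never the raw value.
    The relation y = r^e * c does not survive hashing, so unblinding yields junk."""
    width = (n.bit_length() + 7) // 8
    h = int.from_bytes(hashlib.sha256(y.to_bytes(width, "big")).digest(), "big") % n
    return pow(h, d, n)


def run_attack(m=65, r=7):
    """Walks the slide through and returns (c, y, u, recovered m)."""
    n, e, d = rsa_toy_keypair()
    c = encrypt(m, e, n)
    y = blind(c, r, e, n)
    u = naive_signer(y, d, n)
    return c, y, u, unblind(u, r, n)
```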

  8. ECRYPT 2012 Key Length Advice See www.keylength.com/en/3

  9. Captured One-Time Pads

  10. Russian One-Time Pad captured by MI5

  11. Don't reuse those one-time pads! If C1 = P1 ⊕ K1 and C2 = P2 ⊕ K1, then C1 ⊕ C2 => P1 ⊕ K1 ⊕ P2 ⊕ K1 => P1 ⊕ P2

  12. Key? What Key?
     • Alice encrypts: P ⊕ K => C
     • Bob knows the key and decrypts: C ⊕ K => P
     • They agree on a dummy plaintext D and if they're ever captured, they will give up the key K' = C ⊕ D
     • If the authorities decrypt: C ⊕ K' => D
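An added Python demonstration covering slides 11 and 12 (not from the presentation): one XOR helper shows that a reused pad leaks P1 ⊕ P2, and that the fabricated key K' = C ⊕ D decrypts C to the dummy plaintext. The pad and messages are constructed sample values.

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; a one-time pad encrypts and decrypts this way."""
    if len(a) != len(b):
        raise ValueError("pad material must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Slide 11: under a shared pad, C1 xor C2 = P1 xor P2; the pad cancels out."""
    return xor_bytes(c1, c2)


def other_plaintext(leak: bytes, known_plaintext: bytes) -> bytes:
    """If one plaintext is known (or guessed), the other falls straight out of the leak."""
    return xor_bytes(leak, known_plaintext)


def deniable_key(c: bytes, dummy: bytes) -> bytes:
    """Slide 12: K' = C xor D is a valid-looking pad under which C decrypts to D."""
    return xor_bytes(c, dummy)


# Constructed demo values: a 14-byte pad (wrongly) used for two 14-byte messages.
PAD = bytes.fromhex("3a7f91c4e2058b16d9a04c73f1e6")
P1 = b"ATTACK AT DAWN"
P2 = b"RETREAT AT SIX"
DUMMY = b"HAPPY BIRTHDAY"
```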

  13. Simple Power Analysis: DES Parity Check

     DES-CheckParity(byte Key[8])
       for i = 8 down to 1
         parity = 0;
         for j = 8 down to 1
           if (bit j of Key[i] is set)   // CONDITIONAL
             parity = parity + 1         // OPERATION
           endif
         endfor
         if (parity is even) parity_error();
       endfor
     end DES-CheckParity
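An added Python model of the parity check on this slide (not from the presentation), counting executed operations as a stand-in for a power trace: the slide's conditional form does extra work for every set key bit, so the trace reveals the key's Hamming weight per byte, while a branch-free rewrite does the same work for every key.

```python
def des_check_parity_leaky(key: bytes):
    """The slide's pseudocode as written: the branch on each key bit makes the
    number of executed operations (our stand-in for a power trace) key-dependent."""
    ops, errors = 0, 0
    for byte in key:
        parity = 0
        for j in range(8):
            ops += 1                          # the bit test itself
            if (byte >> j) & 1:               # CONDITIONAL ...
                parity += 1                   # ... OPERATION, run once per set bit
                ops += 1
        if parity % 2 == 0:                   # DES key bytes must have odd parity
            errors += 1
    return errors == 0, ops


def des_check_parity_constant(key: bytes):
    """Branch-free variant: each bit is folded into the parity arithmetically, so the
    operation count (and the power profile it models) is the same for every key."""
    ops, errors = 0, 0
    for byte in key:
        parity = 0
        for j in range(8):
            parity ^= (byte >> j) & 1         # no data-dependent branch
            ops += 1
        errors += 1 - parity                  # parity 1 = odd = valid
    return errors == 0, ops


def trace_leaks_hamming_weight(key: bytes) -> bool:
    """What an SPA observer learns: the leaky version's extra operations equal the
    number of set bits in the key (8 bytes * 8 bit tests is the fixed baseline)."""
    _, leaky_ops = des_check_parity_leaky(key)
    weight = sum(bin(b).count("1") for b in key)
    return leaky_ops - 8 * 8 == weight
```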

  14. SPA Attack on DES-Parity

  15. EM History
     • Classified TEMPEST standards. Some parts declassified Jan '01, http://www.cryptome.org.
     • Published work
       • EM leakages from peripherals, e.g., monitors: Van Eck, Anderson & Kuhn.
       • EM leakage from smart-cards during computation: J.-J. Quisquater & David Samyde, E-smart 2001; Gemplus Team [GMO '01], CHES '01.
       • SEMA/DEMA attacks.
     • Best results require "decapsulation" of chip packaging and/or precise micro-antenna positioning on the chip surface

  16. Rao et al.'s Work
     • Deeper understanding of the EM leakages.
     • Similar to declassified TEMPEST literature.
     • Key Insights/Results
       • Plenty of EM signals are available, provided you know what to look for and where.
       • Superior signals and attacks possible without micro-antennas or decapsulation.
       • Some attacks possible from a distance.
       • EM side-channel(s) >> Power side-channel
       • EM can break DPA-resistant implementations.

  17. EM Emanations Background
     • Origin/Types of EM Emanations
       • Direct emanations from intended currents.
         • Maxwell's equations, Ampere's and Faraday's laws.
       • Unintentional emanations from coupling effects.
         • Depend on physical factors, e.g., circuit geometry.
         • Most couplings ignored by circuit designers.
         • Manifest as modulation of carriers (e.g. clock harmonics) present/generated/introduced in the device.
         • AM or Angle (FM/Phase) Modulation.
         • Compromising signals available via demodulation.
     • Propagation of EM
       • Radiation, Conduction, Combination of both.
       • E.g., Faint EM signals riding on power line.

  18. EM Capturing Equipment
     • Antennas (far-field) and near-field probes
     • Current probes.
     • Analog processing: filters/amplifiers, tunable wideband receiver or equivalent ($$)
     • Digital sampling hardware.

  19. ICOM wideband radio receiver with IF output

  20. MAKE YOUR OWN

  21. EM vs. Power
     • Sometimes, EM is the only side-channel available.
       • Filtered power supplies, restricted access…
       • E.g. crypto tokens, SSL accelerators, ...

  22. EM Signal from SSL Accelerator S at 15 feet [figure: amplitude vs. time, 10 ns units]

  23. EM vs. Power
     • Is EM useful in the presence of power?
     • Yes, several EM carriers: generated, ambient, introduced…
     • Experimentally verified:
       • Different carriers carry different information.
       • Some EM leakages substantially different from power leakages.

  24. Bad Instructions
     • Instructions where some EM leakage >> power leakage.
     • Typically CPU intensive rather than bus intensive.
     • All architectures have BAD instructions.
     • Example: bit-test on several 6805-based systems leaks the tested bit.

  25. EM Attack Example: 2 signals, different data, same exponent & modulus

  26. TESTED BIT = 0 IN BOTH TRACES [figure]

  27. TESTED BIT DIFFERENT [figure]

  28. Countermeasures
     • Require sound vulnerability assessment.
     • Countermeasures include:
       • Circuit redesign to reduce unintentional emanations.
       • Reducing S/N ratio
         • EM shielding
         • Noise introduction
       • Physically secure zones.
       • Randomization-based software countermeasures similar to DPA countermeasures.
