© UCL Crypto group – October 2004 – I0 Low Cost Security for Internet-0? Frontiers and Limits Jean-Jacques Quisquater [email protected] (visiting scientist at MIT) (research director CNRS, France) Université catholique de Louvain Louvain-la-Neuve, Belgium UCL Crypto Group http://uclcrypto.org

Page 1: Low Cost Security for Internet-0? Frontiers and Limits

Jean-Jacques Quisquater
jjq@dice.ucl.ac.be
(visiting scientist at MIT)
(research director CNRS, France)
Université catholique de Louvain
Louvain-la-Neuve, Belgium
UCL Crypto Group
http://uclcrypto.org

Page 2: questions

• security?
• existence of secure objects?
• low cost security?
• state-of-the art?

Page 3: Goal of security for I-0

• Accidental access by neighbors
• Malicious access by others
• Cloning?
• Security from internet-1?: many solutions: ssh, tls, https, ipsec, …
• Many crypto algorithms are not designed for low power or for small implementations (compression?)
• Similar situation: smart card (contact or contactless) versus card reader

Page 4: Cost of security?

• Implementation (not the losses)

• Comms

• Silicon area

• Programs (protocols)

• Detectors (intrusion) and firewalls

• Physical security (tamper resistance)

• Update: the third version syndrome

Page 5: Internet-0

• Low cost object

• Slow and close communication

• « serial » communication

• …

Page 6: Cost of security? Smart cards

• Implementation (not the risk)

• Comms 9600b-100kb-…-

• Silicon area 3 mm² - 0.1 …

• Programs (protocols) 2kBytes-

• Detectors (intrusion) and firewalls %

• Physical security (tamper resistance) !!!???

• Update: Java applets

Page 7: Security is a dynamic process

• Best at the beginning of the system life, if static

• Initialisation (keys, names, …): here we need some physical security (context)

• Uses: new applications and contexts

• Update, new attacks (algo, hardware, …)

• End of life

Page 8: Short Story of Smart Cards

• René Barjavel (1966) « La nuit des temps » (Gondas)
• several inventors in USA (IBM - 1968), Japan, Germany, France
• Roland Moreno (F) pushed the right version (1974)
• Michel Ugon and Louis Guillou were the technical inventors (~ 1977)
• SPOM: single chip (security): 1981: first crypto algo and protocol (secret key): tests in France
• first DES: 1985 (TRASEC, Belgium, TB100 -> Proton)
• first RSA: CORSAIR (Philips): 1989 (coprocessor)
• first RISC 32 bits: 1997 (CASCADE -> GemExpresso)
• first JAVA smart card: 1997 (Schlumberger - software)
• ...

Page 9: Ring by Moreno (1974) and first smart card (1980)

[Figure: photographs of Moreno's ring and of the first smart card]

Page 10: The chip (a complete computer)

• CPU
• security logic and sensors
• ROM: OS - including self-test procedures
• RAM (mainly static)
• (E)EPROM and/or flash memory
  – cryptographic keys
  – PIN
  – biometric profiles
  – applications
• serial I/O
• internal bus(ses)
• accelerators for crypto algorithms DES, RSA ... (coprocessors)

Page 11: The chip (IC)

[Block diagram of the IC: ROM, EEPROM / flash memory, CPU, I/O, coprocessor (DES – RSA – ECC), security logic, RAM, sensors, firewall; external contacts: Reset, Ground, Volt, Clock]

Page 12: A complete computer with crypto

[Figure: chip photograph]

Page 13: Standards for (secure) chips

• ISO-7816

• GSM 11.*

• EMV

• FIPS 140-1,-2

• …

• Do you need it?

Page 14: Lesson learned from smart cards

• Design for:
  – access for payTV,
  – phone coins,
  – banking cards,
  – common property: easy to trace or small loss.
• Security is « easy »: avoiding intrusion
• But used for many applications with high targets (SWIFT, …)
• Problems of side-channels (1996)

Page 15: identification

[Diagram (source: IEEE Spectrum, Feb. 94): three ways of identification, each marked "proof?"]

• possession: passport, smart card, I-0 device
• knowledge: PIN - password
• (biological) characteristics: biometry

Page 16: (Physical) naming process

• By an authority (TTP)

• Self-nomination (using some random process)

• Distributed // election of a leader in a group

Page 17: transform or add redundancy: cryptography

[Diagram: SENDER (Alice) sends the message 10010100111 to RECEIVER (Bob). Trust!]

Page 18: authentication

[Diagram: PROVER ↔ VERIFIER. Examples on the slide: user, person, driver, switch, computer, warden, car, lamp; what is exchanged: password, identity. Threats: spy (on line), fake prover (copy or fake identity), fake verifier]

Page 19: Authentication today

[Diagram: PROVER ↔ VERIFIER exchange in four steps: contract, commitment, surprise, answer]

Page 20: Solutions

• proof:
  – specific protocol: theory invented in 1984, called “zero-knowledge”
• new proof (fresh):
  – verifier must be convinced it is not a replay
• tamper-resistant object:
  – “smart card”
  – secure and powerful microprocessor
  – important subject of research

Page 21: Alice – Bob (query / response)

Query: (d-bit string), Response: (t-bit string)

Alice (verifier):
    q ← getRandomCorner();
    send(q);
    r ← receive();
    if (abs(r - f(q)) < tol)
        accept;
    else reject;

Bob (prover):
    q ← receive();
    r ← f(q);
    send(r);
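As an added example (not from the slides), the Alice/Bob exchange above simulated in Python. f() is modelled as a keyed hash standing in for the device's response function, and getRandomCorner(), the d/t bit lengths and tol are assumptions; the verifier accepts within the tolerance and rejects a response recorded for an earlier query, because every query is fresh.

```python
import hashlib
import hmac
import secrets

D_BITS = 16   # query length in bits (assumption: the slide only says "d-bit string")
T_BITS = 32   # response length in bits (assumption: "t-bit string")
TOL = 8       # tolerance on |r - f(q)| (assumption)


class ResponseFunction:
    """Stand-in for the slide's f(). A keyed hash is an assumption; on a real
    object f would be a physical measurement that is only approximately
    repeatable, which is why the verifier checks with a tolerance."""

    def __init__(self, device_secret: bytes) -> None:
        self._secret = device_secret

    def ideal(self, q: int) -> int:
        digest = hmac.new(self._secret, q.to_bytes(D_BITS // 8, "big"),
                          hashlib.sha256).digest()
        return int.from_bytes(digest[: T_BITS // 8], "big")

    def measure(self, q: int, noise: int = 0) -> int:
        # a measurement on the physical object: ideal value plus bounded noise
        return self.ideal(q) + noise


def get_random_corner() -> int:
    """Alice's getRandomCorner(): a fresh, unpredictable d-bit query."""
    return secrets.randbits(D_BITS)


def verifier_check(f: ResponseFunction, q: int, r: int) -> bool:
    """Alice: accept iff abs(r - f(q)) < tol."""
    return abs(r - f.ideal(q)) < TOL


def prover_respond(f: ResponseFunction, q: int, noise: int = 0) -> int:
    """Bob: q <- receive(); r <- f(q); send(r)."""
    return f.measure(q, noise)


def run_protocol(f: ResponseFunction, noise: int = 0) -> bool:
    """One full run: Alice sends q, Bob answers, Alice decides."""
    q = get_random_corner()            # send(q)
    r = prover_respond(f, q, noise)    # Bob's side of the exchange
    return verifier_check(f, q, r)     # r <- receive(); accept / reject


if __name__ == "__main__":
    device = ResponseFunction(b"constructed-device-secret")   # constructed value
    print("honest, small noise :", run_protocol(device, noise=3))    # accept
    print("drifted object      :", run_protocol(device, noise=50))   # reject
    old_q, fresh_q = 0x1234, 0x5678                                  # constructed
    old_r = prover_respond(device, old_q)
    print("response reused     :", verifier_check(device, fresh_q, old_r))  # reject
```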

Page 22: [figure, no text]

Page 23: Generic model of card for passive attacks

[Diagram: chip with contacts CLK, GRD, VCC, RST, I/O; passive attack channels: 1. timing, 2. SPA-DPA, 3. probing, 4. measures of radiations]

Page 24: Side Story of Side Channel Analysis

• 1986: PIN code of smart card broken by timing attack …
• 1992: TNO discovers a relation between smart card power consumption and program code
• 1992: Philips did the same …
• 1994: TNO develops software to visualise program structure
• 1995: BellCore invents the “MicroWave Attack”, and Differential Fault Analysis (DFA)
• 1995: Paul Kocher invents timing attack
• 1997: Paul Kocher invents Differential Power Analysis (DPA)
• 1998: TNO implements DPA
• 1998: Gemplus invents Voltage Manipulation (VM)
• 1999: TNO implements VM for Single Fault Injection (SFI)
• 2000: Q.-Samyde implements Electromagnetic Analysis (EMA)

TNO©

Page 25: Security: Baran (1964, Rand)

[Figure]

Page 26: Analysis of a simple model (Vernam)

[Diagram: input mi and secret key ki enter an EXOR gate; output ci]

  mi  ki  ci
  0   0   0
  0   1   1
  1   0   1
  1   1   0

if for some reason the two zeroes are not the same (SPA ...) this perfect system is completely broken.

Page 27: Timing attacks

[Diagram: chip with contacts CLK, GRD, VCC, RST, I/O; channel 1. timing]

• the measurement of the timing and (some) knowledge of the implementation of the cryptographic algorithm in use, together with a lot of well chosen inputs-outputs and some statistical treatment, give the secret key in use (works well for RSA-like algorithms)
• countermeasure: I/O not related to the key at all (constant run-time for instance).
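An added illustration of the countermeasure, not from the slides: the 1986 PIN timing attack listed on Page 24 works against a comparison that stops at the first wrong digit, so the constant run-time version below does the same amount of work whatever the guess. The "visited" counter is a constructed stand-in for measured run-time; the PIN values are constructed.

```python
import hmac


def compare_early_exit(stored: bytes, guess: bytes) -> tuple[bool, int]:
    """Naive PIN check: stop at the first wrong digit. Returns (ok, digits visited).
    The digits visited, and hence the run-time, grow with the length of the
    correct prefix, which is exactly what a timing measurement recovers."""
    if len(stored) != len(guess):
        return False, 0
    visited = 0
    for a, b in zip(stored, guess):
        visited += 1
        if a != b:
            return False, visited
    return True, visited


def compare_constant_time(stored: bytes, guess: bytes) -> tuple[bool, int]:
    """Countermeasure from the slide: the work done does not depend on where the
    digits differ. Every position is visited and the mismatches are OR-ed into one
    accumulator that is only inspected at the end (PINs have a fixed, public length)."""
    if len(stored) != len(guess):
        return False, 0
    diff = 0
    visited = 0
    for a, b in zip(stored, guess):
        visited += 1
        diff |= a ^ b          # no branch on the data inside the loop
    return diff == 0, visited


def check_pin_stdlib(stored: bytes, guess: bytes) -> bool:
    """Same idea with the standard-library primitive; preferred in real code."""
    return hmac.compare_digest(stored, guess)


if __name__ == "__main__":
    pin = b"4821"                                    # constructed value
    for guess in (b"0000", b"4000", b"4800", b"4820", b"4821"):
        print(guess.decode(), compare_early_exit(pin, guess),
              compare_constant_time(pin, guess))
```

The early-exit column shows the visited count climbing as more leading digits are right; the constant-time column is 4 for every guess.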

Page 28: Fault attacks (Bellcore)

[Figure: Key=1010110...]

Page 29: Implementation problems (Joye, Lenstra, Q.)

- optimisation: minimisation of the number of multiplications and squares. Error or attack? Bug Pentium …
- Chinese Remainder Theorem

[Diagram: m → exp mod p and exp mod q → combine; an error! in one branch → p and q are in danger!]

Page 30: ElectroMagnetic Analysis

• Similar processing as PA; sensing and leakage are different.
• Use a different probe (one that does not interfere with the chip):
  – Hand-made (Gemplus)
  – RF receiver (IBM)
  – Flat inductor and MEMS (UCL)

[Figure: probe photographs, scale bars 3 mm and 0.5 mm]

Page 31: Spatial positioning

• Horizontal cartography (XY plane)
  – to pinpoint instruction related areas
  – better if automated

[Figure: chip layout showing CPU, EEPROM, ROM, RAM and CRYPTO areas with the probe; dimensions 4.5 mm × 5.5 mm. Gemplus©]

Page 32: Side Channel Conclusion

• Direct and serious threat to the security of crypto systems

• Applicable to all algorithms

• (mostly) a non-destructive class of attacks

• Can be developed in order of weeks, repeated in order of hours

• Can be prevented or discouraged by (combinations of) countermeasures

Page 33: Faults insertion

• Aim: Cryptanalysis of an algorithm using fault(s)
  - Eddy Currents (ESmart 2002)
  - Local heating
  - Optical attack (Ches 2002)
  - Glitch attack clock
  - Local ionisation (Rads 2003)
  - UV light applied to a certain location
  - X-rays

Page 34: Security? Free slot at a cyclotron

[Figure]

Page 35: Countermeasures

• Scramble the memory structure

• Dedicated sensors

• Opaque passivation layer or top-layer shielding

• Self-timed circuit & Dual-rail logic

• CRC

• Software countermeasures

Page 36: Countermeasures

• Software
  – Check each bit before setting/resetting it
  – Test integrity of all (Data, Crypto, …)
• Hardware:
  – Scramble the memory structure
  – Implement CRC (well chosen)
  – Build new architecture for error detection/correction
  – Asynchronous processors (www.g3card.org)
  – Dedicated sensors and avoid static sensors

If there is a CRC check, there’s a transistor to give a right or wrong value… It could then be possible to lock the value (FPGA, …).

UCL©

Page 37: Countermeasures

• A lot: new hardware design, new technology, …
• Randomize carefully!
• No difference between square and multiply (add and doubling): subtle solutions,
• Verify the result before outputs,
• …
• Very mathematical, very cryptographic,
• Another story (see recent thesis of Mathieu Ciet – UCL, June 2003 about ECC, aso).
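An added example (not from the slides) tying the CRT diagram of Page 29 to the "verify the result before outputs" point above: a CRT-RSA signature with a simulated error in the mod-p half, and the output check that keeps the faulty value inside the device. The parameters are constructed textbook-size values, and the bit-flip fault model is an assumption.

```python
# Toy CRT-RSA parameters (constructed, textbook-sized, not secure)
P, Q = 61, 53
N = P * Q                      # 3233
E = 17
D = 2753                       # E * D = 1 mod (P-1)(Q-1)
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)           # Q^-1 mod P (Python 3.8+)


def crt_sign_unchecked(m: int, fault_mask: int = 0) -> int:
    """Sign with the CRT: exp mod p, exp mod q, combine (Garner).
    A non-zero fault_mask flips bits of the mod-p half, the 'error!' of the
    Page 29 diagram; the combined result is then wrong modulo p only."""
    s_p = pow(m, DP, P) ^ fault_mask   # possibly faulty half
    s_q = pow(m, DQ, Q)                # correct half
    h = (QINV * (s_p - s_q)) % P
    return (s_q + h * Q) % N


def crt_sign_checked(m: int, fault_mask: int = 0):
    """Countermeasure: verify the result before output. One public-exponent
    exponentiation (E is small, so this is cheap) recomputes m from s; a result
    that does not verify is never released, so a fault cannot put p and q in danger.
    Returns the signature, or None when the check fails."""
    s = crt_sign_unchecked(m, fault_mask)
    if pow(s, E, N) != m % N:
        return None
    return s


if __name__ == "__main__":
    m = 65                                          # constructed message
    print("reference s = m^d mod n :", pow(m, D, N))
    print("CRT, no fault           :", crt_sign_checked(m))
    print("CRT, faulted, unchecked :", crt_sign_unchecked(m, fault_mask=1))
    print("CRT, faulted, checked   :", crt_sign_checked(m, fault_mask=1))
```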

Page 38: [figure, no text]

Page 39: Other directions

• Quantum cryptography: nanocrypto

• More physics less cryptography: new research

• Identify the object (variations, added or not)

• Use the object in protocols?