Page 1: COST Action IC1403 Training School – Booket of ... - Cryptacus

COST Action IC1403

Training School – Booklet of presentations

Ponta Delgada, Azores, Portugal, April 16-20, 2018

www.cryptacus.eu

Funded by the Horizon 2020 Framework Programme of the European Union

Page 2: COST Action IC1403 Training School – Booket of ... - Cryptacus

COST

“COST is an EU-funded programme that enables researchers to set up their interdisciplinary research networks in Europe and beyond. [COST] provides funds for organising conferences, meetings, training schools, short scientific exchanges or other networking activities in a wide range of scientific topics.” (source: www.cost.eu)

COST Action IC1403

Recent technological advances in hardware and software have irrevocably affected the classical picture of computing systems. Today, these no longer consist only of connected servers, but involve a wide range of pervasive and embedded devices, leading to the concept of “ubiquitous computing systems”. The objective of the Action is to improve and adapt the existent cryptanalysis methodologies and tools to the ubiquitous computing framework. Cryptanalysis, which is the assessment of theoretical and practical cryptographic mechanisms designed to ensure security and privacy, will be implemented along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. Researchers have only recently started to focus on the security of ubiquitous computing systems. Despite the critical flaws found, the required highly-specialized skills and the isolation of the involved disciplines are a true barrier for identifying additional issues. The Action established a network of complementary skills, so that expertise in cryptography, information security, privacy, and embedded systems can be put to work together.

Chair: Prof. Gildas AVOINE, INSA Rennes / IRISA CNRS, France
Vice-chair: Prof. Julio HERNANDEZ-CASTRO, University of Kent, UK

Grant Holder’s Administrative Representative: Isabelle MESGUEN, INSA Rennes
COST’s Science Officer: Karina MARCUS
COST’s Administrative Officer: Andrea TORTAJADA

Working Groups

WG1: Security and Privacy Models
Leader: Prof. Serge VAUDENAY, Switzerland
Vice-Leader: Prof. Frederic ARMKNECHT, Germany

WG2: Cryptanalysis of Protocols and Primitives
Leader: Prof. Andrey BOGDANOV, Denmark
Vice-Leader: Prof. Miroslaw KUTYLOWSKI, Poland

WG3: Hardware and Software Security Engineering
Leader: Prof. Lejla BATINA, The Netherlands
Vice-Leader: Prof. Ricardo CHAVES, Portugal

WG4: Security and Privacy Analysis of Real-World Systems
Leader: Prof. Flavio GARCIA, United Kingdom
Vice-Leader: Prof. Alex BIRYUKOV, Luxembourg


Software-based Microarchitectural Attacks

Daniel Gruss

April 19, 2018

Graz University of Technology

1 Daniel Gruss — Graz University of Technology

Whoami

• Daniel Gruss
• Post-Doc @ Graz University of Technology
• Twitter: @lavados
• Email: [email protected]


Timeline of Meltdown and Spectre

• Both vulnerabilities existed for many years
• No one discovered it before
• Suddenly, 4 independent teams discover it within 6 months
• Let’s create an evidence board

[Figure: the evidence board, built up over several slides]


Meltdown vs. Spectre

Why two names, two papers, etc?

• Two different problems
• They only have a very loose connection
• Two different teams had already quite matured drafts ready when learning of each other
• Initially we tried to merge, but all co-authors quickly agreed that it would mix things that don’t belong together

→ More on that after we understand the attacks


The Fallout

You realize it is something big when...

• it is in the news, all over the world
• you get a Wikipedia article in multiple languages
• there are comics, including xkcd
• you get a lot of Twitter followers after Snowden mentioned you

The Wall


The Core of Meltdown/Spectre

• Kernel is isolated from user space
• This isolation is a combination of hardware and software
• User applications cannot access anything from the kernel
• There is only a well-defined interface → syscalls

[Figure: user space (Applications) next to kernel space (Operating System, Memory)]

1337 4242

Revolutionary concept! Store your food at home, never go to the grocery store during cooking. Can store ALL kinds of food. ONLY TODAY INSTEAD OF $1,300. ORDER VIA PHONE: +555 12345


CPU Cache

[Figure: the first printf("%d", i); is a cache miss: a request goes out and the response i comes back (DRAM access, slow). The second printf("%d", i); is a cache hit (no DRAM access, much faster)]


Flush+Reload

[Figure: attacker and victim share memory. Attacker: flush the shared line, later access (reload) it and time the access. Victim: access. The reload is fast if the victim accessed the data, slow otherwise]

Memory Access Latency

[Figure]

Cache Template Attack Demo

Cache Template

[Figure: cache template matrix. Rows: addresses from 0x7c680 to 0x7cd00; columns: keys g to z]

[Figures: slide annotations “Wait for an hour”, “LATENCY”, “Parallelize”, “Dependency”]


Out-of-order Execution

    #include <math.h>
    #include <stdio.h>

    int main(void) {
        int width = 10, height = 5;

        /* sqrt is slow; area does not depend on its result, so the CPU can
           compute area while the square root is still in flight */
        float diagonal = sqrt(width * width + height * height);
        int area = width * height;

        printf("Area %d x %d = %d\n", width, height, area);
        return 0;
    }

(annotations on the slide: Parallelize, Dependency)


Building Meltdown

    char data = *(char*)0xffffffff81a000e0;
    printf("%c\n", data);

Kernel log:

    segfault at ffffffff81a000e0 ip 0000000000400535
    sp 00007ffce4a80610 error 5 in reader

• Kernel addresses are not accessible
• Are privilege checks also done when executing instructions out of order?


Building Meltdown

• Adapted code

    *(volatile char*)0;
    array[84 * 4096] = 0; // unreachable

• Static code analyzer is not happy

    warning: Dereference of null pointer
    *(volatile char*)0;


Building Meltdown

• Flush+Reload over all pages of the array

[Plot: access time [cycles] (300 to 500) over page index (0 to 250)]

• “Unreachable” code line was actually executed
• Exception was only thrown afterwards


Building Meltdown

• Combine the two things

    char data = *(char*)0xffffffff81a000e0;
    array[data * 4096] = 0;

  = sending end of a cache covert channel

• Then check whether any part of array is cached

  = receiving end of a cache covert channel


Building Meltdown

• Flush+Reload over all pages of the array

[Plot: access time [cycles] (300 to 500) over page index (0 to 250)]

• Index of cache hit reveals data
• Permission check is in some cases not fast enough
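The Flush+Reload primitive, the hit/miss latency threshold and the cache covert channel of the "Building Meltdown" slides above, as an added C example that is not part of Daniel Gruss's slides: the sending end touches one page of a 256-page array, the receiving end reloads every page and times it, exactly the array[data * 4096] construction of the slides but with an ordinary local byte instead of a privileged read. It shows what the covert-channel half of Meltdown relies on and what a defender measures when judging cache noise on a machine. Assumes x86 (clflush, rdtscp); on other architectures it still compiles, with a clock_gettime fallback and no real flush, and the probe layout and decoder are my own.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#endif
#define PAGE  4096
#define PAGES 256   /* one page per possible byte value, as in array[data * 4096] */
static uint8_t probe[PAGES * PAGE] __attribute__((aligned(PAGE)));

/* Evict one cache line (x86 clflush; no-op on other architectures). */
static void flush(const void *p) {
#ifdef HAVE_X86
    _mm_clflush(p);
#else
    (void)p;
#endif
}

/* Time one load: cycles via rdtscp on x86, nanoseconds elsewhere. */
static uint64_t time_access(const volatile uint8_t *p) {
#ifdef HAVE_X86
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;                                  /* volatile: the load is issued */
    return __rdtscp(&aux) - t0;
#else
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    (void)*p;
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)(b.tv_sec - a.tv_sec) * 1000000000ULL + (uint64_t)(b.tv_nsec - a.tv_nsec);
#endif
}

/* Hit/miss threshold: the "Memory Access Latency" histogram reduced to the
   fastest hit and the fastest miss observed on page 0. */
static uint64_t calibrate(void) {
    uint64_t hit = UINT64_MAX, miss = UINT64_MAX;
    for (int r = 0; r < 200; r++) {
        probe[0] = 1;                                    /* line is now cached */
        uint64_t h = time_access(&probe[0]);
        flush(&probe[0]);                                /* line is now evicted */
        uint64_t m = time_access(&probe[0]);
        if (h < hit)  hit  = h;
        if (m < miss) miss = m;
    }
    return (hit + miss) / 2;
}

/* Sending end: touching one page encodes the byte in the cache state. */
static void send_byte(uint8_t value) { probe[value * PAGE] = 0; }

/* Receiving end: Flush+Reload over all pages. The scan order is scrambled so
   the prefetcher cannot guess the next page from the access pattern. */
static void reload_all(uint64_t latency[PAGES]) {
    for (int i = 0; i < PAGES; i++) {
        int page = (i * 167 + 13) & 255;
        latency[page] = time_access(&probe[page * PAGE]);
    }
}

/* The fastest page below the threshold is the cache hit and its index is the
   byte; -1 means no page was cached (no signal). */
static int decode_timings(const uint64_t latency[PAGES], uint64_t threshold) {
    int best = -1;
    uint64_t best_t = threshold;
    for (int i = 0; i < PAGES; i++)
        if (latency[i] < best_t) { best_t = latency[i]; best = i; }
    return best;
}

/* Deterministic check of the decoder on constructed timings: every page
   "misses" at 300 cycles except hit_page, which "hits" at 60. */
static int decode_example(int hit_page, uint64_t threshold) {
    uint64_t lat[PAGES];
    for (int i = 0; i < PAGES; i++) lat[i] = 300;
    lat[hit_page] = 60;
    return decode_timings(lat, threshold);
}

/* One round trip over the channel, sender and receiver in this one process. */
static int covert_roundtrip(uint8_t value, uint64_t threshold) {
    uint64_t lat[PAGES];
    for (int i = 0; i < PAGES; i++) flush(&probe[i * PAGE]);
    send_byte(value);
    reload_all(lat);
    return decode_timings(lat, threshold);
}

int main(void) {
    uint64_t threshold = calibrate();
    uint8_t value = 'S';                  /* constructed stand-in for the slides' data */
    printf("threshold %llu, sent 0x%02x, received %d\n",
           (unsigned long long)threshold, value, covert_roundtrip(value, threshold));
    return 0;
}
```

On a noisy host the live round trip can misdecode; raising the calibration rounds or repeating the transmission and taking the majority is how real receivers cope.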

Leaking Passwords from your Password Manager

Not so fast...


Take the kernel addresses...

• Kernel addresses in user space are a problem
• Why don’t we take the kernel addresses...


...and remove them

• ...and remove them if not needed?
• User accessible check in hardware is not reliable


Idea

• Let’s just unmap the kernel in user space
• Kernel addresses are then no longer present
• Memory which is not mapped cannot be accessed at all

Kernel Address Isolation to have Side channels Efficiently Removed

KAISER /ˈkʌɪzə/ 1. [German] Emperor, ruler of an empire 2. largest penguin, emperor penguin

[Figure: without KAISER, one address space holds user space (Applications) and kernel space (Operating System, Memory); with KAISER there are two views, a Kernel View and a User View that holds only Applications, switched on each context switch]


Kernel Address Space Isolation

• We published KAISER in July 2017
• Intel and others improved and merged it into Linux as KPTI (Kernel Page Table Isolation)
• Microsoft implemented similar concept in Windows 10
• Apple implemented it in macOS 10.13.2 and called it “Double Map”
• All share the same idea: switching address spaces on context switch
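A defender-side check for the KPTI bullet above, added here and not part of the slides: since Linux 4.15 (and stable backports) the kernel reports each issue under /sys/devices/system/cpu/vulnerabilities/, with lines such as "Mitigation: PTI", "Vulnerable" or "Not affected" for meltdown. The file names and status strings are the kernel's own; the parsing helpers are mine.

```c
#include <stdio.h>
#include <string.h>

/* Status of one entry under /sys/devices/system/cpu/vulnerabilities/. */
enum vuln_status { VS_NOT_AFFECTED, VS_MITIGATED, VS_VULNERABLE, VS_UNKNOWN };

/* Classify a status line as the kernel writes it: "Not affected",
   "Mitigation: <what>", "Vulnerable" (optionally followed by details),
   or anything else (e.g. "Unknown: ..." on some entries). */
enum vuln_status classify_status(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return VS_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return VS_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return VS_VULNERABLE;
    return VS_UNKNOWN;
}

/* For the meltdown entry the KAISER-derived mitigation is reported as "PTI". */
int mitigation_is_pti(const char *line) {
    return classify_status(line) == VS_MITIGATED && strstr(line, "PTI") != NULL;
}

/* Read one entry into buf (newline stripped). Returns 0 on success, -1 when
   the file is missing (kernel without the interface, or not Linux). */
int read_vuln_entry(const char *name, char *buf, size_t len) {
    char path[256];
    snprintf(path, sizeof path, "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (!ok) return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

static const char *verdict(enum vuln_status s) {
    switch (s) {
    case VS_NOT_AFFECTED: return "not affected";
    case VS_MITIGATED:    return "mitigated";
    case VS_VULNERABLE:   return "VULNERABLE";
    default:              return "unknown";
    }
}

int main(void) {
    const char *names[] = { "meltdown", "spectre_v1", "spectre_v2" };
    char buf[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (read_vuln_entry(names[i], buf, sizeof buf) != 0) {
            printf("%-10s: no sysfs entry on this host\n", names[i]);
            continue;
        }
        printf("%-10s: %s [%s]\n", names[i], buf, verdict(classify_status(buf)));
        if (strcmp(names[i], "meltdown") == 0)
            printf("            KPTI active: %s\n", mitigation_is_pti(buf) ? "yes" : "no");
    }
    return 0;
}
```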


Performance

• Depends on how often you need to switch between kernel and user space
• Can be slow, 40% or more on old hardware
• But modern CPUs have additional features
⇒ Performance overhead on average below 2%

Meltdown and Spectre

[Figures: Prosciutto, Funghi, Diavolo, Diavolo; »A table for 6 please«; Speculative Cooking]

What does Spectre do? www.tugraz.at

• Mistrains branch prediction

• CPU speculatively executes code which should not be executed

• Can also mistrain indirect calls

→ Spectre “convinces” program to execute code

31 Daniel Gruss — Graz University of Technology

Spectre (variant 1) www.tugraz.at

[Animated slide: the code below is stepped through with index = 0 to 6, each step in the stages Prediction (then/else), Speculate and Execute; the bounds check index < 4 is trained on the first four values, and for index = 4, 5 and 6 the predictor keeps choosing the then-path, so data[index] reaches into "KEY" before the check resolves]

index = 0;
if (index < 4)                      then / else: Prediction
    char* data = "textKEY";
    LUT[data[index] * 4096] 0

32 Daniel Gruss — Graz University of Technology

Spectre (variant 2) www.tugraz.at

[Animated slide: the indirect call below is stepped through in the stages Prediction (fly()/swim()), Speculate and Execute; with a = bird the predictor learns the target fly(), and when a is then changed to fish the CPU speculatively executes fly() before the real target swim() resolves. The fly() box on the slide contains the same LUT[data[index] * 4096] access as the variant 1 slide]

Animal* a = bird;                   later: Animal* a = fish;
a->move()                           Prediction: fly() / swim()

33 Daniel Gruss — Graz University of Technology

Mitigating Spectre www.tugraz.at

• Trivial approach: disable speculative execution

• No wrong speculation if there is no speculation

• Problem: massive performance hit!

• Also: How to disable it?

• Speculative execution is deeply integrated into CPU

34 Daniel Gruss — Graz University of Technology

Spectre Variant 1 Mitigations www.tugraz.at

• Workaround: insert instructions stopping speculation

→ insert after every bounds check

• x86: LFENCE, ARM: CSDB

• Available on all Intel CPUs, retrofitted to existing ARMv7 and ARMv8

35 Daniel Gruss — Graz University of Technology

Spectre Variant 1 Mitigations www.tugraz.at

• Speculation barrier requires compiler support

• Already implemented in GCC, LLVM, and MSVC

• Can be automated (MSVC) → not really reliable

• Explicit use by programmer: __builtin_load_no_speculate

36 Daniel Gruss — Graz University of Technology

Spectre Variant 1 Mitigations www.tugraz.at

[Figure slide: no text extracted]

37 Daniel Gruss — Graz University of Technology

Spectre Variant 1 Mitigations www.tugraz.at

• Speculation barrier works if affected code constructs are known

• Programmer has to fully understand vulnerability

• Automatic detection is not reliable

• Non-negligible performance overhead of barriers

38 Daniel Gruss — Graz University of Technology
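Added example, not from the slides: the variant 1 gadget of slide 32 written out in C beside the two hardened forms the mitigation slides describe, a barrier right after the bounds check (LFENCE on x86 as on slide 35; on AArch64 the older dsb sy/isb sequence is assumed in place of CSDB so that any assembler accepts it) and branchless index masking in the style of the Linux kernel's array_index_mask_nospec(). The data string, LUT layout and function names are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Speculation barrier placed after a bounds check (slide 35). */
#if defined(__x86_64__) || defined(__i386__)
#  define SPECULATION_BARRIER() __asm__ __volatile__("lfence" ::: "memory")
#elif defined(__aarch64__)
#  define SPECULATION_BARRIER() __asm__ __volatile__("dsb sy\n\tisb" ::: "memory")
#else
#  define SPECULATION_BARRIER() __asm__ __volatile__("" ::: "memory") /* no barrier known here */
#endif

#define DATA_LEN 4                       /* only data[0..3] is public */
static const char data[] = "textKEY";    /* constructed, as on the slide: "KEY" is the secret */
static uint8_t LUT[256 * 4096];          /* one entry per page, as on the slide */

static void init_lut(void) {
    static int ready;
    if (ready) return;
    for (int i = 0; i < 256; i++)
        LUT[i * 4096] = (uint8_t)i;      /* so the byte returned equals data[index] */
    ready = 1;
}

/* The slide's gadget. Architecturally correct, but the bounds check is a
 * predicted branch: trained with index 0..3, an index of 4, 5 or 6 is still
 * speculatively taken into the then-path, data[index] reads a byte of "KEY"
 * and the dependent LUT access leaves a cache footprint. */
uint8_t lookup_unprotected(size_t index) {
    init_lut();
    if (index < DATA_LEN)
        return LUT[(uint8_t)data[index] * 4096];
    return 0;
}

/* Mitigation 1 (slides 35/36): the barrier keeps the load from being
 * issued until the branch has resolved. */
uint8_t lookup_fenced(size_t index) {
    init_lut();
    if (index < DATA_LEN) {
        SPECULATION_BARRIER();
        return LUT[(uint8_t)data[index] * 4096];
    }
    return 0;
}

/* Mitigation 2: branchless clamping. Yields all-ones when index < size and
 * zero otherwise, with no branch for the predictor to mistrain. Relies on
 * two's complement and an arithmetic right shift (gcc/clang); size must be
 * at most SIZE_MAX / 2. */
size_t index_mask_nospec(size_t index, size_t size) {
    return ~(size_t)((ptrdiff_t)(index | (size - index - 1)) >> (sizeof(size_t) * CHAR_BIT - 1));
}

size_t clamp_index_nospec(size_t index, size_t size) {
    return index & index_mask_nospec(index, size);
}

uint8_t lookup_masked(size_t index) {
    init_lut();
    if (index < DATA_LEN) {
        /* Even on a mispredicted path, an out-of-bounds index becomes 0. */
        index = clamp_index_nospec(index, DATA_LEN);
        return LUT[(uint8_t)data[index] * 4096];
    }
    return 0;
}

int main(void) {
    /* All three return the same architectural result; the difference is only
     * in what the CPU does transiently, which return values cannot show. */
    for (size_t i = 0; i < 7; i++)
        printf("index %zu: unprotected=%u fenced=%u masked=%u\n", i,
               lookup_unprotected(i), lookup_fenced(i), lookup_masked(i));
    return 0;
}
```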

Spectre Variant 2 Mitigations (Microcode/MSRs) www.tugraz.at

Intel released microcode updates

• Indirect Branch Restricted Speculation (IBRS):

  • Do not speculate based on anything before entering IBRS mode

  → lesser privileged code cannot influence predictions

• Indirect Branch Predictor Barrier (IBPB):

  • Flush branch-target buffer

• Single Thread Indirect Branch Predictors (STIBP):

  • Isolates branch prediction state between two hyperthreads

39 Daniel Gruss — Graz University of Technology

Spectre Variant 2 Mitigations (Software) www.tugraz.at

Retpoline (compiler extension)

    push <call_target>
    call 1f
  2:                     ; speculation will continue here
    lfence               ; speculation barrier
    jmp 2b               ; endless loop
  1:
    lea 8(%rsp), %rsp    ; restore stack pointer
    ret                  ; the actual call to <call_target>

→ always predict to enter an endless loop

• instead of the correct (or wrong) target function → performance?

• On Broadwell or newer:

  • ret may fall-back to the BTB for prediction

  → microcode patches to prevent that

40 Daniel Gruss — Graz University of Technology

Spectre Variant 2 Mitigations (Software) www.tugraz.at

• ARM provides hardened Linux kernel

• Clears branch-predictor state on context switch

• Either via instruction (BPIALL)...

• ...or workaround (disable/enable MMU)

• Non-negligible performance overhead (≈ 200-300 ns)

41 Daniel Gruss — Graz University of Technology

What does not work www.tugraz.at

• Prevent access to high-resolution timer

→ Own timer using timing thread

• Flush instruction only privileged

→ Cache eviction through memory accesses

• Just move secrets into secure world

→ Spectre works on secure enclaves

42 Daniel Gruss — Graz University of Technology

Meltdown vs. Spectre www.tugraz.at

Meltdown

• Out-of-Order Execution

• has nothing to do with branch prediction

• turning off speculative execution entirely has no effect on Meltdown

→ melts down the isolation provided by the user-accessible bit

• in theory: OoO not required, pipelining can be sufficient

• mitigated by KAISER

Spectre

• Speculative Execution (subset of Out-of-Order Execution)

• fundamentally builds on branch (mis)prediction

• turning off speculative execution entirely would work

• has nothing to do with the user-accessible bit

• KAISER has no effect on Spectre at all

43 Daniel Gruss — Graz University of Technology

Meltdown vs. Spectre www.tugraz.at

Meltdown

• Out-of-Order Execution

• has nothing to do with branch prediction

• turning off speculative execution entirely

has no effect on Meltdown

→ melts down the isolation provided by the

user accessible-bit

• in theory: OoO not required, pipelining

can be sufficient

• mitigated by KAISER

Spectre

• Speculative Execution (subset of

Out-of-Order Execution)

• fundamentally builds on branch

(mis)prediction

• turning off speculative execution entirely

would work

• has nothing to do with the

user accessible-bit

• KAISER has no effect on Spectre at all

43 Daniel Gruss — Graz University of Technology

Meltdown vs. Spectre

Meltdown

• performs illegal memory accesses → we need to take care of processor exceptions
• exception handling
• exception suppression with TSX
• exception suppression with branch misprediction

Spectre

• performs only legal memory accesses
• has nothing to do with exception handling or suppression

→ two papers, two names, etc.

But ...

... why were they named variant 1, 2 and 3 by Google?

• “How can you use speculative execution maliciously?”
• Intel had much interest in not fancy-naming them ;)

... why were they presented on the same date and on the same website?

• We did not choose the date
• We did not want to have one of them overshadow the other immediately

What do we learn from it?

We have ignored microarchitectural attacks for many many years:

• attacks on crypto → “software should be fixed”
• attacks on ASLR → “ASLR is broken anyway”
• attacks on SGX and TrustZone → “not part of the threat model”

→ for years we solely optimized for performance

When you read the manuals...

After learning about a side channel you realize:

• the side channels were documented in the Intel manual
• only now we understand the implications

What do we learn from it?

(figure: Motor Vehicle Deaths in U.S. by Year)

Conclusions

A unique chance to

• rethink processor design
• grow up, like other fields (car industry, construction industry)
• dedicate more time to identifying problems and not solely to mitigating known problems

SCIENCE PASSION TECHNOLOGY

Software-based Microarchitectural Attacks

Daniel Gruss

April 19, 2018

Graz University of Technology

How to have a Meltdown

Daniel Gruss

Graz University of Technology

April 19/20, 2018 — Cryptacus Training School

1 Daniel Gruss, Graz University of Technology, April 19/20, 2018 — Cryptacus Training School

Get your computer ready!

Within the first two hours we will:

• Check out https://github.com/IAIK/cache_template_attacks
• Make a histogram
• Key stroke attack on an editor
• Try to establish a covert channel

Get your computer ready!

Within the third hour we will:

• Use our covert channel in a Meltdown attack
• Leak data from kernel addresses
• for Meltdown: boot with nopti nokaslr (this disables KPTI, the Linux implementation of KAISER, and kernel ASLR; do this on a lab machine only)

1. Quick Start
2. Measuring and exploiting timing leakage
3. CPU caches
4. Cache attacks
5. Cache covert channels
6. Cache template attacks

What to profile?

# ps -A | grep gedit
# cat /proc/pid/maps
00400000-00489000 r-xp 00000000 08:11 396356 /usr/bin/gedit
7f5a96991000-7f5a96a51000 r-xp 00000000 08:11 399365 /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.1400.14
...

Columns: memory range, access rights, offset, device, inode, file name
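As an added example (this is not the cache_template_attacks code), a small C program that parses maps lines of this format, keeps the file-backed executable mappings an attacker can map into its own address space and profile, and turns a mapping into the range argument and the number of cache lines to probe. The maps text embedded in it is constructed: the two gedit/libgdk lines are the ones shown above; the data-segment and [stack] lines were added to show what gets filtered out.

```c
/* Added example (not the cache_template_attacks code): parse /proc/<pid>/maps
 * lines, keep the file-backed executable mappings that Flush+Reload can
 * profile, and derive the range argument and probe count for the spy tool.
 * The sample maps text below is constructed (first and third line: slide). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned long start, end, offset;
    char perms[5];          /* e.g. "r-xp" */
    char path[256];         /* empty for anonymous mappings */
} mapping;

/* Parse one maps line: "start-end perms offset dev inode [path]".
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_maps_line(const char *line, mapping *m) {
    char dev[16];
    unsigned long inode;
    int consumed = 0;
    memset(m, 0, sizeof *m);
    if (sscanf(line, "%lx-%lx %4s %lx %15s %lu%n", &m->start, &m->end,
               m->perms, &m->offset, dev, &inode, &consumed) != 6)
        return 0;
    const char *p = line + consumed;
    while (*p == ' ' || *p == '\t') p++;          /* path column is optional */
    size_t len = strcspn(p, "\n");
    if (len >= sizeof m->path) len = sizeof m->path - 1;
    memcpy(m->path, p, len);
    m->path[len] = '\0';
    return 1;
}

/* Flush+Reload needs memory the attacker can map as well: a readable,
 * executable, file-backed mapping (a real path, not [stack] or anonymous). */
int is_profiling_candidate(const mapping *m) {
    return m->perms[0] == 'r' && m->perms[2] == 'x' && m->path[0] == '/';
}

/* Number of 64-byte cache lines in the range: one probe address per line. */
unsigned long cache_lines(const mapping *m) { return (m->end - m->start) / 64; }

/* Range in the form the spy tool takes on the slide: "400000-489000". */
void format_range(const mapping *m, char *buf, size_t size) {
    snprintf(buf, size, "%lx-%lx", m->start, m->end);
}

/* Constructed sample; lines 1 and 3 are the ones shown on the slide. */
static const char sample_maps[] =
    "00400000-00489000 r-xp 00000000 08:11 396356 /usr/bin/gedit\n"
    "00688000-00689000 rw-p 00088000 08:11 396356 /usr/bin/gedit\n"
    "7f5a96991000-7f5a96a51000 r-xp 00000000 08:11 399365 /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.1400.14\n"
    "7ffd1c2e0000-7ffd1c301000 rw-p 00000000 00:00 0 [stack]\n";

/* Walk a maps text and collect the candidates; returns how many were found. */
int list_candidates(const char *maps, mapping *out, int max) {
    int n = 0;
    const char *line = maps;
    while (*line && n < max) {
        mapping m;
        if (parse_maps_line(line, &m) && is_profiling_candidate(&m)) out[n++] = m;
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return n;
}

int main(void) {
    mapping found[16];
    int n = list_candidates(sample_maps, found, 16);
    for (int i = 0; i < n; i++) {
        char range[64];
        format_range(&found[i], range, sizeof range);
        printf("%s %s: %lu cache lines to probe\n", range, found[i].path,
               cache_lines(&found[i]));
    }
    return 0;
}
```

Running it against a real process is `cat /proc/$(pidof gedit)/maps` piped into the same parser; the gedit text segment above yields 8768 cache lines, which is the number of addresses the profiling phase has to test one by one.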

Profiling a single event

cd ../profiling/generic_low_frequency_example
# put the threshold into spy.c (MIN_CACHE_MISS_CYCLES)
make
./spy
# start the targeted program
sleep 2; ./spy 200 400000-489000 -- 20000 -- -- /usr/bin/gedit

... and hold down a key in the targeted program; save the addresses with peaks!

Exploitation phase

cd ../exploitation/generic
# put the threshold into spy.c (MIN_CACHE_MISS_CYCLES)
make
./spy file offset

Information leakage

Shared hardware:

• x86 CPU: data and instruction cache, arithmetic logic unit, branch prediction unit
• Memory: memory bus, memory deduplication

Why targeting the cache?

• shared across cores
• fast
→ fast cross-core attacks!

Timing differences

• caches improve performance
• SRAM is expensive → small caches
• different timings for memory accesses
• data is cached → cache hit → fast
• data is not cached → cache miss → slow

2. Measuring and exploiting timing leakage

Measuring timing leakage

How every timing attack works:

• learn timing of different corner cases
• later, we recognize these corner cases by timing only

Calibration

git clone https://github.com/IAIK/cache_template_attacks.git
cd cache_template_attacks/calibration
make
./calibration

Steps

1. build two cases: cache hits and cache misses
2. time each case many times (get rid of noise)
3. we have a histogram!
4. find a threshold to distinguish the two cases

Step 1.1. Cache hits

Loop:

1. measure time
2. access variable (always cache hit)
3. measure time
4. update histogram with delta

Step 1.2. Cache misses

Loop:

1. measure time
2. access variable (always cache miss)
3. measure time
4. update histogram with delta
5. flush variable (clflush instruction)

Step 2. Accurate timings

• very short timings
• rdtsc instruction: cycle-accurate timestamps

[...]
rdtsc
function()
rdtsc
[...]

Step 2. Accurate timings

• do you measure what you think you measure?
• out-of-order execution → what is really executed may be, for example:

rdtsc; function(); [...]; rdtsc
rdtsc; [...]; rdtsc; function()
rdtsc; rdtsc; function(); [...]

→ use pseudo-serializing instruction rdtscp (recent CPUs)
→ and/or use serializing instructions like cpuid
→ and/or use fences like mfence

Intel, How to Benchmark Code Execution Times on Intel IA-32 and IA-64 Instruction Set Architectures, White Paper, December 2010.

Step 3. Histogram

(figure: timing histogram)

Step 4. Find threshold

• as high as possible
• most cache hits are below
• no cache miss below

Side-channel attack on user input

• locate key-dependent memory accesses
• with cache template attacks

Profiling Phase: one event

(figure: attacker address space, cache, victim address space; the shared page "Shared 0x0" is mapped in both address spaces)

1. Cache is empty
2. Attacker triggers an event
3. Attacker checks one address for cache hits (“Reload”)
4. Update number of cache hits per event
5. Attacker flushes shared memory
6. Repeat for higher accuracy
7. Continue with the next address, one cache line (0x40 bytes) further: Shared 0x40, Shared 0x80, ...
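The calibration steps (two cases, timed many times, histogram, threshold) and the flush/trigger/reload loop of the profiling phase, as one added C example that is not the cache_template_attacks code: it times a cached and a flushed line with rdtscp plus fences, picks the threshold with the rule from the slides, and then uses the same Flush+Reload primitive on a 256-line buffer as the one-byte covert channel of the "Get your computer ready" slides. Sender and receiver live in one process here, so no synchronisation between them is needed; the 4096-byte line stride, the 512-bucket histogram and the 0.1% outlier tolerance are assumptions. rdtscp and clflush exist only on x86; on other architectures they compile to no-ops and the program reports that no threshold was found.

```c
/* Added example, not the cache_template_attacks code: (1) calibrate the
 * hit/miss threshold from two timing histograms as in steps 1-4, then
 * (2) use Flush+Reload on a 256-line buffer as a one-byte covert channel.
 * rdtscp/clflush need x86; elsewhere they are no-ops (no real timing). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif
#define HIST   512      /* one bucket per cycle; larger deltas go to the last */
#define ROUNDS 100000
#define LINES  256      /* one cache line per byte value */
#define STRIDE 4096     /* page stride: hardware prefetchers stay within a page */
static uint8_t shared[LINES * STRIDE] __attribute__((aligned(4096)));

static inline uint64_t now(void) {
#if HAVE_X86
    unsigned aux; _mm_mfence(); _mm_lfence();   /* earlier memory ops complete */
    uint64_t t = __rdtscp(&aux);                /* pseudo-serializing timestamp */
    _mm_lfence(); return t;                     /* later loads do not start early */
#else
    return 0;
#endif
}
static inline void flush(const void *p) {
#if HAVE_X86
    _mm_clflush(p);                             /* evict the line from all levels */
#else
    (void)p;
#endif
}
/* measure, one load, measure: the delta tells cache hit from cache miss */
static uint64_t timed_access(const void *p) {
    uint64_t t0 = now();
    volatile uint8_t sink = *(const volatile uint8_t *)p; (void)sink;
    return now() - t0;
}

/* Histograms of hits (line kept warm) and misses (line flushed before). */
void calibrate(unsigned long hits[HIST], unsigned long misses[HIST]) {
    memset(hits, 0, HIST * sizeof *hits); memset(misses, 0, HIST * sizeof *misses);
    for (int i = 0; i < ROUNDS; i++) {            /* step 1.1: always a hit */
        uint64_t d = timed_access(shared);
        hits[d < HIST ? d : HIST - 1]++;
    }
    for (int i = 0; i < ROUNDS; i++) {            /* step 1.2: flush, then miss */
        flush(shared);
        uint64_t d = timed_access(shared);
        misses[d < HIST ? d : HIST - 1]++;
    }
}

/* Threshold rule of the slides: as high as possible, most hits below it,
 * no misses below it (up to max_miss_below outliers). -1 = not separable. */
int find_threshold(const unsigned long *hits, const unsigned long *misses,
                   int n, unsigned long max_miss_below) {
    unsigned long miss_below = 0, hit_below = 0, hit_total = 0; int t = 0;
    for (int i = 0; i < n; i++) hit_total += hits[i];
    while (t < n && miss_below + misses[t] <= max_miss_below) {
        miss_below += misses[t]; hit_below += hits[t]; t++;
    }
    return (hit_total > 0 && 2 * hit_below > hit_total) ? t : -1;
}

/* Flush+Reload covert channel: receiver flushes all 256 lines, the sender
 * touches the line for its byte, the receiver reloads and times every line. */
void receiver_flush(void) {
    for (int i = 0; i < LINES; i++) flush(shared + i * STRIDE);
}
void sender_send(uint8_t v) {
    volatile uint8_t s = *(volatile uint8_t *)(shared + v * STRIDE); (void)s;
}
void receiver_reload(uint64_t t[LINES]) {
    for (int i = 0; i < LINES; i++) t[i] = timed_access(shared + i * STRIDE);
}
/* The fastest line is the byte, but only if it is a hit; otherwise -1. */
int decode_timings(const uint64_t t[LINES], uint64_t threshold) {
    int best = 0;
    for (int i = 1; i < LINES; i++) if (t[i] < t[best]) best = i;
    return t[best] < threshold ? best : -1;
}

int main(void) {
    static unsigned long hits[HIST], misses[HIST];
    uint64_t t[LINES];
    calibrate(hits, misses);
    int thr = find_threshold(hits, misses, HIST, ROUNDS / 1000); /* 0.1% outliers */
    printf("threshold: %d cycles\n", thr);
    if (thr < 0) return 1;                 /* no separation (e.g. non-x86 build) */
    for (const char *c = "Flush+Reload"; *c; c++) {
        receiver_flush(); sender_send((uint8_t)*c); receiver_reload(t);
        int got = decode_timings(t, (uint64_t)thr);
        printf("sent '%c' received '%c'\n", *c, got < 0 ? '?' : (char)got);
    }
    return 0;
}
```

The threshold printed here is what goes into MIN_CACHE_MISS_CYCLES of the spy tool. The strict slide rule (no miss below the threshold) is the `max_miss_below = 0` case; a handful of interrupted measurements otherwise pull the threshold down to the noise floor, which is why a small tolerance is passed in. The page stride between the 256 lines avoids the adjacent-line and stride prefetchers, which would otherwise turn one touched line into several hits.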

3. CPU caches

Directly mapped cache

(figure: memory address split into tag, cache index and offset; cache with one tag and data entry per line)

• the lowest b bits of the address select the byte within a cache line of 2^b bytes
• the next n bits are the cache index and select one of 2^n cache lines
• the remaining bits are the tag; it is compared (=?) with the tag stored in the line → hit/miss

Problem: working on congruent addresses (addresses with the same index evict each other)

2-way set associativity

(figure: memory address split into tag, cache index and offset; each of the 2^n cache sets has Way 1 Tag/Data and Way 2 Tag/Data)

• the cache index now selects one of 2^n cache sets, each holding two lines (ways)
• the tag is compared (=?) with the tag of each way; on a match that way delivers the data
• on a miss, one of the ways has to be evicted → replacement policy
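An added example that is not from the slides or the IAIK tools: the address split into tag, index and offset, a congruence test, and a small set-associative cache model with LRU replacement, generalised from the 2-way case to n ways. The 64-byte line and 1024-set geometry and the LRU policy are assumptions (real Intel last-level caches use an undocumented adaptive policy and a slice hash); the last function runs Prime+Probe on one set, which shows why congruent addresses matter for the attacks discussed later.

```c
/* Added example (not from the slides or the IAIK tools): split an address
 * into tag / cache index / offset, test congruence, and model an n-way
 * set-associative cache with LRU replacement to show why congruent
 * addresses evict each other (the basis of Prime+Probe). Geometry and
 * replacement policy are assumptions: 64-byte lines, 1024 sets, LRU. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define OFFSET_BITS 6                         /* b: 2^6 = 64-byte lines */
#define INDEX_BITS  10                        /* n: 2^10 = 1024 sets */
#define NUM_SETS    (1u << INDEX_BITS)
#define MAX_WAYS    16

typedef struct { uint64_t tag, index, offset; } addr_parts;

addr_parts split_address(uint64_t addr) {
    addr_parts p;
    p.offset = addr & ((1ull << OFFSET_BITS) - 1);
    p.index  = (addr >> OFFSET_BITS) & ((1ull << INDEX_BITS) - 1);
    p.tag    = addr >> (OFFSET_BITS + INDEX_BITS);
    return p;
}

/* Congruent addresses share the cache index, so they compete for one set. */
int congruent(uint64_t a, uint64_t b) {
    return split_address(a).index == split_address(b).index;
}

/* Addresses congruent to target: add multiples of 2^(b+n). */
void build_eviction_set(uint64_t target, uint64_t *out, int count) {
    for (int i = 0; i < count; i++)
        out[i] = target + (uint64_t)(i + 1) * (1ull << (OFFSET_BITS + INDEX_BITS));
}

typedef struct {
    int ways;
    uint64_t clock;                             /* access counter for LRU */
    int      valid[NUM_SETS][MAX_WAYS];
    uint64_t tag[NUM_SETS][MAX_WAYS];
    uint64_t last_use[NUM_SETS][MAX_WAYS];
} cache_model;

cache_model *cache_new(int ways) {
    if (ways < 1 || ways > MAX_WAYS) return NULL;
    cache_model *c = calloc(1, sizeof *c);
    if (c) c->ways = ways;
    return c;
}

/* One access: 1 = hit, 0 = miss. A miss fills a free way of the set or
 * replaces the least recently used one (the slide's "replacement policy"). */
int cache_access(cache_model *c, uint64_t addr) {
    addr_parts p = split_address(addr);
    uint64_t s = p.index;
    c->clock++;
    for (int w = 0; w < c->ways; w++)
        if (c->valid[s][w] && c->tag[s][w] == p.tag) {
            c->last_use[s][w] = c->clock;
            return 1;
        }
    int victim = 0;
    for (int w = 0; w < c->ways; w++) {
        if (!c->valid[s][w]) { victim = w; break; }
        if (c->last_use[s][w] < c->last_use[s][victim]) victim = w;
    }
    c->valid[s][victim] = 1;
    c->tag[s][victim] = p.tag;
    c->last_use[s][victim] = c->clock;
    return 0;
}

/* Prime+Probe on one set: fill it with the eviction set (prime), let the
 * victim run or not, then re-access the eviction set and count misses
 * (probe). Misses appear only if the victim touched a congruent line. */
int prime_probe_misses(cache_model *c, const uint64_t *evset,
                       int victim_runs, uint64_t victim_addr) {
    for (int i = 0; i < c->ways; i++) cache_access(c, evset[i]);
    if (victim_runs) cache_access(c, victim_addr);
    int misses = 0;
    for (int i = 0; i < c->ways; i++) misses += !cache_access(c, evset[i]);
    return misses;
}

int main(void) {
    uint64_t target = 0x1234, evset[MAX_WAYS];
    addr_parts p = split_address(target);
    printf("0x%llx: tag=0x%llx index=0x%llx offset=0x%llx\n",
           (unsigned long long)target, (unsigned long long)p.tag,
           (unsigned long long)p.index, (unsigned long long)p.offset);
    for (int ways = 1; ways <= 4; ways *= 2) {
        cache_model *c = cache_new(ways);
        build_eviction_set(target, evset, ways);
        printf("%d-way: probe misses without victim=%d, with victim=%d\n", ways,
               prime_probe_misses(c, evset, 0, target),
               prime_probe_misses(c, evset, 1, target));
        free(c);
    }
    return 0;
}
```

With LRU, one victim access to a congruent line makes the whole probe cascade into misses, so the signal is the full set size rather than a single miss; on real hardware the eviction set has to be found empirically because the slice hash and the physical-address index bits are not visible to an unprivileged process.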

Caches today

(figure: cores 0 to 3, each with a private L1 and L2, connected over a ring bus to LLC slices 0 to 3)

• L1 and L2 are private
• last-level cache: divided in slices, shared across cores, inclusive

Cache levels: Latency comparison

On current (2018) Intel CPUs:

• L1 cache: 4 cycles
• L2 cache: 12 cycles
• L3 cache: 26-31 cycles
• DRAM memory: >120 cycles

(Unprivileged) cache maintenance

User programs can optimize cache usage:

• prefetch: suggest to the CPU to load data into the cache
• clflush: throw out data from all caches
• ... based on virtual addresses

4. Cache attacks

CPU cache attacks

cache-based keylogging

crypto key recovery: various implementations (AES, RSA, ECC, ...); up to 97% of key bits recovered after 1 encryption

cross-VM, cross-core, even cross-CPU

any CPU vendor

Cross-core attacks?

using the inclusive property:

last-level cache is a superset of L1 and L2

data evicted from last-level cache → evicted from L1 and L2

a core can evict lines in the private L1 of another core

Access-driven attacks

Attacker monitors its own activity to find sets accessed by the victim.

Prime+Probe: Percival 2005; Liu et al. 2015; Clementine Maurice, Neumann, et al. 2015

Flush+Reload: Gullasch et al. 2011; Yarom and Falkner 2014; Gruss, Spreitzer, et al. 2015

Same techniques for covert and side channels

Flush+Reload: Building Blocks

Shared Library / load binary twice / page deduplication

clflush throws data out of cache
→ We can throw other shared code out of the cache

rdtsc / rdtscp give accurate timing information
→ We can measure whether shared code is in the cache

Flush+Reload: First steps

Measure timing of cached memory

Measure timing of non-cached memory (flush before measuring)

Draw a histogram
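The histogram step above ends with a number: the cycle count that separates "was cached" from "was not cached", which the profiling commands later in the deck expect as MIN_CACHE_MISS_CYCLES in spy.c. The following C program is an added example, not code from the slides or from the training school's tools; it shows how that threshold is derived from two sample sets. The cycle counts are constructed, not measured, and the bin width, the valley rule and the "no clean threshold" fallback are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the slides): derive the hit/miss threshold that a
 * Flush+Reload calibration run produces before the value goes into spy.c as
 * MIN_CACHE_MISS_CYCLES. The cycle counts below are CONSTRUCTED, not measured. */

#define BIN_WIDTH 10   /* cycles per histogram bin */
#define NBINS     40   /* bins cover 0 .. 399 cycles; larger values land in the last bin */

/* Constructed samples: reload latency of a line that was cached (hits) and of
 * a line that was flushed first (misses). */
static const unsigned HIT_SAMPLES[]  = {42, 45, 48, 50, 51, 52, 55, 57, 60, 63, 66, 70, 75, 80, 90};
static const unsigned MISS_SAMPLES[] = {180, 200, 210, 220, 225, 230, 235, 240, 250, 260, 270, 280, 300, 320, 350};
#define N_HITS   (sizeof HIT_SAMPLES / sizeof HIT_SAMPLES[0])
#define N_MISSES (sizeof MISS_SAMPLES / sizeof MISS_SAMPLES[0])

/* Bin cycle counts into hist[NBINS]. */
void build_histogram(const unsigned *samples, size_t n, unsigned hist[NBINS]) {
    for (int i = 0; i < NBINS; i++) hist[i] = 0;
    for (size_t i = 0; i < n; i++) {
        size_t bin = samples[i] / BIN_WIDTH;
        if (bin >= NBINS) bin = NBINS - 1;
        hist[bin]++;
    }
}

/* Index of the most populated bin (first one on ties). */
static int peak_bin(const unsigned hist[NBINS]) {
    int best = 0;
    for (int i = 1; i < NBINS; i++) if (hist[i] > hist[best]) best = i;
    return best;
}

/* Threshold = start of the emptiest bin strictly between the hit peak and the
 * miss peak. Returns 0 when the peaks are adjacent or misses are not slower
 * than hits, i.e. when no clean threshold exists and the measurement should
 * be repeated. */
unsigned pick_threshold(const unsigned *hits, size_t nh, const unsigned *misses, size_t nm) {
    unsigned hh[NBINS], hm[NBINS];
    build_histogram(hits, nh, hh);
    build_histogram(misses, nm, hm);
    int ph = peak_bin(hh), pm = peak_bin(hm);
    if (pm - ph < 2) return 0;
    int valley = ph + 1;
    for (int i = ph + 2; i < pm; i++)
        if (hh[i] + hm[i] < hh[valley] + hm[valley]) valley = i;
    return (unsigned)valley * BIN_WIDTH;
}

/* 1 = the measured reload looks like a cache miss (the line was not in cache). */
int is_cache_miss(unsigned cycles, unsigned threshold) {
    return cycles >= threshold;
}

/* Calibration on the constructed samples. */
unsigned calibrate_example(void) {
    return pick_threshold(HIT_SAMPLES, N_HITS, MISS_SAMPLES, N_MISSES);
}

int main(void) {
    unsigned hh[NBINS], hm[NBINS];
    build_histogram(HIT_SAMPLES, N_HITS, hh);
    build_histogram(MISS_SAMPLES, N_MISSES, hm);
    for (int i = 0; i < NBINS; i++)
        if (hh[i] || hm[i])
            printf("%3d-%3d cycles: hits %u  misses %u\n",
                   i * BIN_WIDTH, (i + 1) * BIN_WIDTH - 1, hh[i], hm[i]);
    printf("MIN_CACHE_MISS_CYCLES = %u\n", calibrate_example());
    return 0;
}
```

The valley rule matters more than it looks: placing the threshold at the midpoint between the peaks works on the constructed data too, but on a real histogram the hit tail (interrupts, TLB misses) stretches far to the right, so an empty bin between the two populations is the safer cut. Returning 0 when the peaks are not separated forces the operator to look at the histogram instead of silently using a bad constant.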

Flush+Reload

Figure: attacker address space, cache, victim address space, with the shared line drawn in all three

step 0: attacker maps shared library → shared memory, shared in cache (the line is cached for both)
step 1: attacker flushes the shared line
step 2: victim loads data while performing encryption
step 3: attacker reloads data → fast access if the victim loaded the line

Flush+Reload

Pros: fine granularity (1 line)

Cons: restrictive
1. needs clflush instruction (not available e.g., in JS)
2. needs shared memory

Variants of Flush+Reload

Flush+Flush: Gruss, Clementine Maurice, et al. 2016

Evict+Reload: Gruss, Spreitzer, et al. 2015; on ARM: Lipp et al. 2016

Prime+Probe

Figure: attacker address space, cache, victim address space

step 0: attacker fills the cache (prime)
step 1: victim evicts cache lines while performing encryption (loads data)
step 2: attacker probes data to determine if the set was accessed: fast access → the set was not touched; slow access → the victim evicted the attacker's lines

Prime+Probe

Pros: less restrictive
1. no need for clflush instruction (not available e.g., in JS)
2. no need for shared memory

Cons: coarser granularity (1 set)

Issues with Prime+Probe

We need to evict cache lines without clflush or shared memory:

1. which addresses do we access to have congruent cache lines?
2. without any privilege?
3. and in which order do we access them?

#1.1: Which physical addresses to access?

“LRU eviction”:

assume that the cache uses LRU replacement

access n addresses from the same cache set to evict an n-way set

eviction from last level → from whole hierarchy (it’s inclusive!)

#1.2: Which addresses map to the same set?

Figure: a physical address (bits 35..0) split into tag (bits 35..17), set index (bits 16..6, 11 bits) and line offset (bits 5..0); the 30 bits above the offset feed a hash function H whose 2-bit output selects one of slice 0, slice 1, slice 2, slice 3

function H that maps slices is undocumented

reverse-engineered by Clementine Maurice, Le Scouarnec, et al. 2015; Inci et al. 2015; Yarom, Ge, et al. 2015

hash function basically an XOR of address bits

#1.2: Which addresses map to the same set?

3 functions, depending on the number of cores

Table: columns are address bits 37 down to 6; a ⊕ marks each bit that is XORed into an output bit of H
2 cores: one output bit o0
4 cores: two output bits o0, o1
8 cores: three output bits o0, o1, o2
(the positions of the ⊕ marks are not preserved in this transcript)

#2: Obtain information without root privileges

last-level cache is physically indexed

root privileges needed for physical addresses

use 2 MB pages → lowest 21 bits are the same as in the virtual address
→ enough to compute the cache set
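Slides #1.2 and #2 together explain why a 2 MB page gives an unprivileged process the set index but not the slice: the set index lives in bits 16..6, which are inside the 21-bit page offset, while the slice hash also XORs bits above bit 20 that only the physical address has. The C program below is an added example, not from the slides or any of the cited papers; it uses the slide's bit layout but stands in for H with two constructed XOR masks, so the slice values it prints are illustrative only. The "translation" function is likewise a constructed stand-in for a page-table lookup.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the slides): address decomposition on the layout the
 * slide draws (64-byte lines: offset bits 5..0; 2048 sets per slice: set bits
 * 16..6; tag above) and a stand-in for the slice hash H. The two XOR masks are
 * CONSTRUCTED placeholders, not the reverse-engineered functions. */

#define LINE_OFFSET_BITS 6
#define SET_INDEX_BITS   11
#define HUGE_PAGE_BITS   21   /* 2 MB pages: bits 20..0 are identical in VA and PA */

/* Placeholder slice function for 4 slices: slice = o1 o0, each an XOR of the
 * address bits selected by its mask (bits >= 6 only, as in the slide). */
static const uint64_t MASK_O0 = 0x444444440ULL;  /* bits 6,10,14,18,22,26,30,34 */
static const uint64_t MASK_O1 = 0x888888880ULL;  /* bits 7,11,15,19,23,27,31,35 */

/* Set index: bits 16..6 of the address. */
unsigned set_index(uint64_t addr) {
    return (unsigned)((addr >> LINE_OFFSET_BITS) & ((1u << SET_INDEX_BITS) - 1));
}

/* Parity of the masked address bits: one output bit of an XOR-based hash. */
unsigned xor_hash_bit(uint64_t addr, uint64_t mask) {
    uint64_t v = addr & mask;
    unsigned p = 0;
    while (v) { p ^= 1u; v &= v - 1; }   /* clear lowest set bit, toggle parity */
    return p;
}

unsigned slice_id(uint64_t addr) {
    return (xor_hash_bit(addr, MASK_O1) << 1) | xor_hash_bit(addr, MASK_O0);
}

/* Two addresses compete for the same cache lines only if set AND slice match. */
int congruent(uint64_t a, uint64_t b) {
    return set_index(a) == set_index(b) && slice_id(a) == slice_id(b);
}

/* Constructed stand-in for the page table: keep the 2 MB page offset, place the
 * page in an arbitrary physical frame. */
uint64_t fake_translate_2mb(uint64_t va, uint64_t frame) {
    return (frame << HUGE_PAGE_BITS) | (va & ((1ULL << HUGE_PAGE_BITS) - 1));
}

int main(void) {
    uint64_t va = 0x00007F0000201040ULL;     /* constructed virtual address */
    uint64_t pa = fake_translate_2mb(va, 0x2);
    /* The set index survives translation; the slice bit does not. */
    printf("set from VA: %u    set from PA: %u\n", set_index(va), set_index(pa));
    printf("slice from VA: %u  slice from PA: %u\n", slice_id(va), slice_id(pa));
    return 0;
}
```

The same decomposition is what a defender uses when reasoning about cache partitioning: two buffers are isolated from each other's Prime+Probe interference only if they never share a (set, slice) pair, and the slice part of that condition cannot be checked from virtual addresses alone.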

#3.1: Replacement policy on older CPUs

“LRU eviction” memory accesses

Figure: an 8-way cache set initially holding lines 2 5 8 1 7 6 3 4; loading 9, 10, ..., 16 replaces them one at a time, oldest first, until the set holds 9 ... 16

LRU replacement policy: oldest entry first

timestamps for every cache line

access updates timestamp
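The animation above is easiest to follow as code. The following C model of one 8-way set with a timestamp per line is an added example, not from the slides or from the training school's tools; the set contents, the load sequence 9 ... 16 and the "victim touches its line again" variant are constructed to replay the slide's scenario and one case the slide's rule does not cover.

```c
#include <stdio.h>

#define WAYS 8

/* Added example (not from the slides): a timestamp-based LRU model of one
 * 8-way cache set, replaying the slide's animation (initial contents
 * 2 5 8 1 7 6 3 4, then loads 9..16). Constructed model, not a real cache. */
typedef struct {
    unsigned tag[WAYS];
    unsigned long stamp[WAYS];   /* time of last access per line */
    unsigned long clock;
} lru_set_t;

void lru_init(lru_set_t *s, const unsigned initial[WAYS]) {
    s->clock = 0;
    for (int w = 0; w < WAYS; w++) { s->tag[w] = initial[w]; s->stamp[w] = ++s->clock; }
}

int lru_contains(const lru_set_t *s, unsigned tag) {
    for (int w = 0; w < WAYS; w++) if (s->tag[w] == tag) return 1;
    return 0;
}

/* Access a line: a hit refreshes its timestamp, a miss replaces the line with
 * the oldest timestamp. Returns the evicted tag on a miss, 0 on a hit (tags
 * in this model are >= 1). */
unsigned lru_access(lru_set_t *s, unsigned tag) {
    int oldest = 0;
    for (int w = 0; w < WAYS; w++) {
        if (s->tag[w] == tag) { s->stamp[w] = ++s->clock; return 0; }
        if (s->stamp[w] < s->stamp[oldest]) oldest = w;
    }
    unsigned evicted = s->tag[oldest];
    s->tag[oldest] = tag;
    s->stamp[oldest] = ++s->clock;
    return evicted;
}

static const unsigned INITIAL[WAYS] = {2, 5, 8, 1, 7, 6, 3, 4};

static int count_survivors(const lru_set_t *s) {
    int n = 0;
    for (int w = 0; w < WAYS; w++) if (lru_contains(s, INITIAL[w])) n++;
    return n;
}

/* The slide's claim: WAYS accesses to fresh congruent addresses evict every
 * original line. Returns how many original lines survived (0 under LRU). */
int lru_eviction_survivors(void) {
    lru_set_t set;
    lru_init(&set, INITIAL);
    for (unsigned t = 9; t <= 16; t++) lru_access(&set, t);
    return count_survivors(&set);
}

/* Variant: the victim touches line 2 again halfway through. That access
 * misses (2 is already gone) and re-inserts 2 as the newest entry, so the
 * remaining four loads evict other lines and 2 survives. */
int lru_survivors_with_victim_reload(void) {
    lru_set_t set;
    lru_init(&set, INITIAL);
    for (unsigned t = 9; t <= 12; t++) lru_access(&set, t);
    lru_access(&set, 2);
    for (unsigned t = 13; t <= 16; t++) lru_access(&set, t);
    return count_survivors(&set);
}

int main(void) {
    printf("survivors after 8 loads: %d\n", lru_eviction_survivors());
    printf("survivors with victim reload: %d\n", lru_survivors_with_victim_reload());
    return 0;
}
```

The second scenario is why the slide's "n accesses for an n-way set" is a lower bound even on an LRU cache: any access to the set between the attacker's loads resets the order. The following slides on Haswell make the same point for a different reason, since there the replacement policy itself is not LRU.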

#3.2: Replacement policy on recent CPUs

“LRU eviction” memory accesses

Figure: the same 8-way set (2 5 8 1 7 6 3 4) and the same loads 9 ... 16; without LRU replacement not every original line is evicted

no LRU replacement

only 75% success rate on Haswell

more accesses → higher success rate, but too slow

#3.3: Cache eviction strategy

Figure: access pattern of the eviction strategy, addresses a1 ... a9 plotted against time. Fast and effective on Haswell. Eviction rate >99.97%.

What to profile?

# ps -A | grep gedit
# cat /proc/pid/maps
00400000-00489000 r-xp 00000000 08:11 396356 /usr/bin/gedit
7f5a96991000-7f5a96a51000 r-xp 00000000 08:11 399365 /usr/lib/x86_64-linux-gnu/libgdk-3.so.0.1400.14
...

columns: memory range, access rights, offset, –, –, file name

Profiling a single event

cd ../profiling/generic_low_frequency_example
# put the threshold into spy.c (MIN_CACHE_MISS_CYCLES)
make
./spy
# start the targeted program
sleep 2; ./spy 200 400000-489000 -- 20000 -- -- /usr/bin/gedit

... and hold down a key in the targeted program; save the addresses with peaks!

Exploitation phase

cd ../exploitation/generic
# put the threshold into spy.c (MIN_CACHE_MISS_CYCLES)
make
./spy file offset

1. Quick Start
2. Measuring and exploiting timing leakage
3. CPU caches
4. Cache attacks
5. Cache covert channels
6. Cache template attacks

Side channels vs covert channels

side channel: attacker spies on a victim process

covert channel: communication between two processes that are not supposed to communicate but are collaborating

1-bit cache covert channels

ideas for 1-bit channels:

Prime+Probe: use one cache set to transmit
0: sender does not access the set → low access time in receiver
1: sender does access the set → high access time in receiver

Flush+Reload/Flush+Flush/Evict+Reload: use one address to transmit
0: sender does not access the address → high access time in receiver
1: sender does access the address → low access time in receiver

1-bit covert channels

1 bit data, 0 bit control?

idea: divide time into slices (e.g., 50 µs frames)

synchronize sender and receiver with a shared clock

Problems of 1-bit covert channels

errors? → error-correcting codes; retransmission may be more efficient (less overhead)

desynchronization

optimal transmission duration may vary

Multi-bit covert channels

combine multiple 1-bit channels

avoid interferences → higher performance

use 1 bit for sending = true/false

Packets / frames

Organize data in packets / frames:

some data bits

check sum

sequence number

→ keep sender and receiver synchronous
→ check whether retransmission is necessary
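The three frame fields on the slide solve the three problems listed two slides earlier (bit errors, desynchronization, deciding when to retransmit). The C code below is an added example, not from the slides or the training school's tools: it defines a constructed 24-bit frame (8-bit sequence number, 8-bit data, 8-bit checksum), serializes it into the per-slot bits a 1-bit channel would carry, and shows the receiver's decisions on a constructed exchange. The channel itself is a bit array, so nothing here touches the cache; the layout and the one's-complement checksum are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the slides): framing for a 1-bit covert channel with
 * a sequence number and a checksum. Frame layout (CONSTRUCTED): 8-bit sequence
 * number, 8-bit data, 8-bit checksum, sent MSB first as 24 one-bit slots. */
#define FRAME_BITS 24

enum rx_result { RX_ACCEPTED, RX_CORRUPT, RX_DUPLICATE, RX_GAP };

typedef struct { uint8_t expected_seq; } receiver_t;

/* One's complement of the byte sum: any single-bit flip in the frame changes it. */
uint8_t frame_checksum(uint8_t seq, uint8_t data) {
    return (uint8_t)~(seq + data);
}

static void put_byte(uint8_t bits[], int offset, uint8_t v) {
    for (int i = 0; i < 8; i++) bits[offset + i] = (v >> (7 - i)) & 1;
}

static uint8_t get_byte(const uint8_t bits[], int offset) {
    uint8_t v = 0;
    for (int i = 0; i < 8; i++) v = (uint8_t)((v << 1) | (bits[offset + i] & 1));
    return v;
}

/* Sender side: serialize one frame into the bit slots. */
void encode_frame(uint8_t seq, uint8_t data, uint8_t bits[FRAME_BITS]) {
    put_byte(bits, 0, seq);
    put_byte(bits, 8, data);
    put_byte(bits, 16, frame_checksum(seq, data));
}

/* Receiver side: validate the checksum first, then the sequence number.
 * On RX_ACCEPTED the data byte is stored into *data. */
enum rx_result receive_frame(receiver_t *rx, const uint8_t bits[FRAME_BITS], uint8_t *data) {
    uint8_t seq = get_byte(bits, 0), d = get_byte(bits, 8), chk = get_byte(bits, 16);
    if (chk != frame_checksum(seq, d)) return RX_CORRUPT;            /* ask for retransmission */
    if (seq == (uint8_t)(rx->expected_seq - 1)) return RX_DUPLICATE;  /* already have it, drop */
    if (seq != rx->expected_seq) return RX_GAP;                        /* desynchronized */
    *data = d;
    rx->expected_seq++;
    return RX_ACCEPTED;
}

/* Constructed exchange: good frame, corrupted frame, retransmission, duplicate
 * and a sequence gap. Returns a bitmask of the outcomes that matched (0x1F = all). */
unsigned framing_scenario(void) {
    receiver_t rx = { 0 };
    uint8_t bits[FRAME_BITS], out = 0;
    unsigned ok = 0;
    encode_frame(0, 0x41, bits);
    if (receive_frame(&rx, bits, &out) == RX_ACCEPTED && out == 0x41) ok |= 1;
    encode_frame(1, 0x42, bits);
    bits[10] ^= 1;                                   /* constructed channel error */
    if (receive_frame(&rx, bits, &out) == RX_CORRUPT) ok |= 2;
    encode_frame(1, 0x42, bits);                     /* retransmission of seq 1 */
    if (receive_frame(&rx, bits, &out) == RX_ACCEPTED && out == 0x42) ok |= 4;
    if (receive_frame(&rx, bits, &out) == RX_DUPLICATE) ok |= 8;   /* sent twice */
    encode_frame(3, 0x43, bits);                     /* seq 2 never arrived */
    if (receive_frame(&rx, bits, &out) == RX_GAP) ok |= 16;
    return ok;
}

int main(void) {
    printf("scenario outcome mask: 0x%02x\n", framing_scenario());
    return 0;
}
```

The checksum catches every single-bit flip and most short bursts but not every multi-bit error, which is where the error-correcting codes the earlier slide mentions take over. The duplicate check is what makes retransmission safe: a sender that repeats a frame because it never saw an acknowledgement must not cause the receiver to consume the byte twice.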

State of the art

method  reference                                raw capacity  err. rate  true capacity  env.
F+F     Gruss, Clementine Maurice, et al. 2016   3968 Kbps     0.840%     3690 Kbps      native
F+R     Gruss, Clementine Maurice, et al. 2016   2384 Kbps     0.005%     2382 Kbps      native
E+R     Lipp et al. 2016                         1141 Kbps     1.100%     1041 Kbps      native
P+P     Liu et al. 2015                           600 Kbps     1.000%      552 Kbps      virt

1. Quick Start
2. Measuring and exploiting timing leakage
3. CPU caches
4. Cache attacks
5. Cache covert channels
6. Cache template attacks

Cache Template Attacks

Profiling Phase

Preprocessing step to find exploitable addresses automatically w.r.t. “events” (keystrokes, encryptions, ...); the result is called the “Cache Template”

Exploitation Phase

Monitor the exploitable addresses

Profiling Phase

Figure: attacker address space, cache, victim address space; a shared line (Shared 0x0) is mapped in both address spaces

Cache is empty

Attacker triggers an event (A)

Attacker checks one address for cache hits (“Reload”)

Update cache hit ratio (per event and address)

Attacker flushes shared memory (flush)

Repeat for higher accuracy

Repeat for all events (A, B, C)

Continue with next address (Shared 0x40, Shared 0x80, ...)

Profiling a Single Event

[Animated slide sequence (slide 64): diagram only, no further text recoverable]


Profiling Phase: 1 Event, 1 Address

[Cache template matrix: rows are ADDRESSes, columns are KEY events; here the single cell for address 0x7c800 and key n]

Example: Cache Hit Ratio for (0x7c800, n): 200 / 200

Profiling Phase: All Events, 1 Address

[Cache template matrix: one ADDRESS row, 0x7c800; KEY columns g h i j k l m n o p q r s t u v w x y z]

Example: Cache Hit Ratio for (0x7c800, u): 13 / 200

Distinguish n from other keys by monitoring 0x7c800

Profiling Phase: All Events, All Addresses

[Cache template matrix: KEY columns g h i j k l m n o p q r s t u v w x y z; ADDRESS rows 0x7c680, 0x7c6c0, 0x7c700, 0x7c740, 0x7c780, 0x7c7c0, 0x7c800, 0x7c840, 0x7c880, 0x7c8c0, 0x7c900, 0x7c940, 0x7c980, 0x7c9c0, 0x7ca00, 0x7cb80, 0x7cc40, 0x7cc80, 0x7ccc0, 0x7cd00 (one 0x40-byte cache line per row)]

Exploitation Phase

- Monitor addresses from Cache Template
- Report to log file / attacker
- Manual analysis of log file
- Find password in keypress log, etc.

Example Attacks

Attack 1: Keystroke Timings

- Spy on keystroke timings on Linux, Windows and OS X
- Sub-microsecond accuracy
- Derive text input from timings

[Plot: cache-hit trace (Miss / Hit) over TIME IN CYCLES, 2.24 to 2.26 · 10^7, aligned with the event trace; markers for event start, cache-hit phase and event end]

Attack 2: Keylogging

- Linux with GTK: monitor keystrokes of specific keys
- Detect groups of keys
- Some keys distinct

[Cache template matrix as above: KEY columns g h i j k l m n o p q r s t u v w x y z; ADDRESS rows 0x7c680 through 0x7cd00]
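The profiling-phase bookkeeping (hit ratio per address and event), the resulting cache template and the exploitation-phase lookup, including the "groups of keys" case of Attack 2, as an added example that is not the speaker's code or the Cache Template Attacks tool. The hit counts are constructed to resemble the slide matrix; the hi/lo thresholds are assumptions.

```python
from typing import Dict, FrozenSet, List, Set

RUNS = 200                              # profiling runs per (address, event) pair, as on the slides
EVENTS = list("ghijklmnopqrstuvwxyz")   # the key events profiled on the slides

# address -> event -> number of cache hits observed in RUNS runs
Profile = Dict[int, Dict[str, int]]


def _row(default: int, **special: int) -> Dict[str, int]:
    """One matrix row: `default` hits for every event, explicit hits for some."""
    row = {e: default for e in EVENTS}
    row.update(special)
    return row


# Constructed profiling data (not real measurements), shaped like the slide matrix.
PROFILE: Profile = {
    0x7c680: _row(200),                      # code run for every key: always a hit
    0x7c6c0: _row(0),                        # never executed: never a hit
    0x7c800: _row(13, n=200),                # hot only for 'n' (slide: 13/200 vs 200/200)
    0x7c900: _row(8, g=191, h=187, i=190),   # one handler shared by a group of keys
    0x7cd00: _row(158),                      # noisy (e.g. prefetched) but tells no keys apart
}


def hit_ratio(profile: Profile, addr: int, event: str) -> float:
    """Cache hit ratio for one (address, event) cell of the matrix."""
    return profile[addr][event] / RUNS


def build_template(profile: Profile, hi: float = 0.9,
                   lo: float = 0.2) -> Dict[FrozenSet[str], List[int]]:
    """Cache template: maps a group of events to the addresses that fire for exactly
    that group (hit ratio >= hi for the members, <= lo for everyone else). A single
    key is a group of size one. Addresses that hit for all events, for none, or
    that are merely noisy carry no information and are dropped."""
    template: Dict[FrozenSet[str], List[int]] = {}
    for addr, row in profile.items():
        group = frozenset(e for e in row if row[e] / RUNS >= hi)
        rest = [e for e in row if e not in group]
        if not group or not rest:
            continue                         # always-hit or never-hit address
        if all(row[e] / RUNS <= lo for e in rest):
            template.setdefault(group, []).append(addr)
    return {g: sorted(a) for g, a in template.items()}


def addresses_for(template: Dict[FrozenSet[str], List[int]], event: str) -> List[int]:
    """Addresses to monitor in order to see `event` on its own (group of size one)."""
    return template.get(frozenset([event]), [])


def classify(template: Dict[FrozenSet[str], List[int]], hits: Set[int]) -> List[str]:
    """Exploitation phase: given the addresses that produced a cache hit in one
    monitoring interval, name the key groups the template attributes them to."""
    seen = {"".join(sorted(g)) for g, addrs in template.items()
            if any(a in hits for a in addrs)}
    return sorted(seen)


if __name__ == "__main__":
    tmpl = build_template(PROFILE)
    for group, addrs in tmpl.items():
        print("".join(sorted(group)), [hex(a) for a in addrs])
    print(classify(tmpl, {0x7c680, 0x7c800}))   # ['n']
```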

Attack 3: Locate AES T-Tables

- AES uses T-Tables (precomputed from S-Boxes)
- 4 T-Tables:
  $T_0[k_{0,4,8,12} \oplus p_{0,4,8,12}]$
  $T_1[k_{1,5,9,13} \oplus p_{1,5,9,13}]$
  ...
- If we know which entry of T is accessed, we know the result of $k_i \oplus p_i$. Known-plaintext attack ($p_i$ is known) → $k_i$ can be determined

Attack 3: Locate AES T-Tables

- AES T-Table implementation from OpenSSL 1.0.2
- Most addresses in two groups:
  Cache hit ratio 100% (always cache hits)
  Cache hit ratio 0% (no cache hits)
- One 4096 byte memory block:
  Cache hit ratio of 92%
  Cache hits depend on key value and plaintext value
  → The T-Tables

Attack 4: AES T-Table Template Attack

- AES T-Table implementation from OpenSSL 1.0.2
- Known-plaintext attack
- Events: encryption with only one fixed key byte
- Profile each event
- Exploitation phase:
  Eliminate key candidates
  Reduction of key space in first-round attack: 64 bits after 16–160 encryptions
- State of the art: full key recovery after 30000 encryptions

Attack 4: AES T-Table Template

[Figure: cache templates (transposed) for k0 = 0x00 and for k0 = 0x55]
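The candidate elimination that the Attack 3 slide describes ($k_i \oplus p_i$ selects the T-table entry) and the 64-bit figure on the Attack 4 slide, as an added example that is neither the speaker's code nor OpenSSL's: a noise-free simulation of which T-table cache lines the first round touches and how many key candidates stay consistent with the observations. The 64-byte line size, the 4-byte entry size and the demo key are assumptions stated in the code.

```python
import math
import random
from typing import List, Set

LINE_BYTES = 64                                 # assumed cache line size (x86)
ENTRY_BYTES = 4                                 # one T-table entry is a 32-bit word
ENTRIES_PER_LINE = LINE_BYTES // ENTRY_BYTES    # 16 entries share one line


def line_of(index: int) -> int:
    """Cache line (0..15) of a 1 KB T-table that holds entry `index`: only the high
    nibble of the index survives, the low nibble selects a word inside the line."""
    return index // ENTRIES_PER_LINE


def first_round_lines(key: bytes, plaintext: bytes) -> List[Set[int]]:
    """Lines touched in T0..T3 by the first AES round: byte i indexes T_{i mod 4}
    with k_i XOR p_i (slide: T0[k_{0,4,8,12} XOR p_{0,4,8,12}], T1[k_{1,5,9,13} XOR
    p_{1,5,9,13}], ...). These sets are all a cache observer of the table pages sees."""
    touched: List[Set[int]] = [set() for _ in range(4)]
    for i, (k, p) in enumerate(zip(key, plaintext)):
        touched[i % 4].add(line_of(k ^ p))
    return touched


def eliminate(candidates: List[Set[int]], plaintext: bytes,
              touched: List[Set[int]]) -> List[Set[int]]:
    """Known-plaintext elimination: candidate k for key byte i survives only if the
    line it would index, line_of(k XOR p_i), is among the lines seen for its table.
    Candidates sharing the true byte's high nibble index the same line and can
    therefore never be eliminated by a first-round attack."""
    return [{k for k in cand if line_of(k ^ p) in touched[i % 4]}
            for i, (cand, p) in enumerate(zip(candidates, plaintext))]


def remaining_key_bits(candidates: List[Set[int]]) -> float:
    """log2 of the key space still consistent with all observations so far."""
    return sum(math.log2(len(c)) for c in candidates)


def simulate(key: bytes, encryptions: int, seed: int = 0) -> List[Set[int]]:
    """Feed `encryptions` random known plaintexts to a noise-free cache observer and
    return the surviving candidate sets for the 16 key bytes."""
    rng = random.Random(seed)
    cands = [set(range(256)) for _ in range(16)]
    for _ in range(encryptions):
        pt = bytes(rng.getrandbits(8) for _ in range(16))
        cands = eliminate(cands, pt, first_round_lines(key, pt))
    return cands


KEY = bytes(range(0x10, 0x20))   # constructed demo key, not a real secret

if __name__ == "__main__":
    for n in (1, 4, 16):
        bits = remaining_key_bits(simulate(KEY, n))
        print(f"{n:3d} encryptions: {bits:.1f} key bits left")
```

Without measurement noise the candidates settle on the true high nibble of every key byte after a handful of plaintexts and never go below 64 remaining bits, which is the limit the slide states for the first round; the 16–160 encryptions on the slide reflect noisy real cache measurements.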

Meltdown

Boot with nopti nokaslr

Meltdown setup

1. identify a promising kernel address
   /proc/kallsyms
   https://github.com/IAIK/meltdown/tree/master/libkdump
   size_t paddr = libkdump_virt_to_phys((size_t)secret);
2. create a page aligned 256 × 4KB = 1MB array

Meltdown in three easy steps

1. load one byte from a kernel address into a register
2. compute array index: multiply byte in register by page size (4KB)
3. access array offset with this index

Meltdown: Reading the Secret

1. Flush+Reload over all array offsets
2. Read 0? Repeat.
3. Even something like 500k repetitions can make sense.
4. We can just ignore cache line 0.

Improving Meltdown

1. Add a null pointer
2. Add software/hardware prefetching
3. Add concurrent loads to the same address

Preventing Meltdown

1. Run the same attack without the boot flag nopti
2. Won't work...

How to have a Meltdown
Daniel Gruss, Graz University of Technology
April 19/20, 2018 — Cryptacus Training School


THREAT MODELS IN DISTANCE BOUNDING

Handan Kılınç

Presentation at Training School 2018 on Cryptanalysis of Ubiquitous Computing Systems

OUTLINE

Introduction
Plain Model
Secure Hardware Model
Conclusion

INTRODUCTION: DISTANCE BOUNDING

[Diagram: Prover and Verifier] The prover authenticates and proves its proximity

INTRODUCTION: REAL WORLD SCENARIOS

Brands and Chaum [Eurocrypt'93]

Relay Attack

INTRODUCTION: DISTANCE BOUNDING

[Animated diagram of a relay attack with device 1 and device 2 placed between the verifier and the prover]

INTRODUCTION

[Diagram: the Verifier sends challenges $c_1, c_2, \ldots, c_n$ and the Prover returns responses $r_1, r_2, \ldots, r_n$; the verifier records the sending time $t_{s_i}$ of $c_i$ and the receiving time $t_{r_i}$ of $r_i$]

$t_{r_i} - t_{s_i} \le \frac{2B}{c}$ for every round $i$
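The verifier-side check the diagram implies, as an added example that is not the talk's code: each round is timestamped when the challenge leaves and when the response arrives, and the verifier accepts only if every response is correct and every round trip stays within $2B/c$. The response function (an HMAC-derived table), the shared-key derivation and the constructed exchanges (honest, relayed, far-away and guessing prover) are assumptions made for illustration.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass
from typing import List, Tuple

C = 299_792_458.0   # speed of light in m/s: a signal covers 2B metres in 2B/C seconds


@dataclass
class Round:
    challenge: int   # c_i, one bit
    response: int    # r_i, one bit
    t_send: float    # t_{s_i}: verifier clock when c_i was sent (seconds)
    t_recv: float    # t_{r_i}: verifier clock when r_i arrived (seconds)


def response_table(key: bytes, nonce: bytes, n: int) -> List[Tuple[int, int]]:
    """Hypothetical fast-phase response function (the talk fixes none): both sides
    derive from the shared key K and a session nonce, for every round i, the bit to
    answer when c_i = 0 and the bit to answer when c_i = 1."""
    bits: List[int] = []
    counter = 0
    while len(bits) < 2 * n:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        bits.extend((byte >> j) & 1 for byte in block for j in range(8))
        counter += 1
    return [(bits[2 * i], bits[2 * i + 1]) for i in range(n)]


def verify(rounds: List[Round], table: List[Tuple[int, int]],
           bound_m: float) -> Tuple[bool, int, int]:
    """Verifier decision for the fast phase: accept only if every r_i equals the table
    entry for c_i AND every round satisfies t_{r_i} - t_{s_i} <= 2B/c. Returns
    (accepted, wrong_responses, late_rounds) so a log can record why it failed."""
    max_rtt = 2 * bound_m / C
    wrong = sum(1 for i, rd in enumerate(rounds) if rd.response != table[i][rd.challenge])
    late = sum(1 for rd in rounds if rd.t_recv - rd.t_send > max_rtt)
    return wrong == 0 and late == 0, wrong, late


def run_exchange(key: bytes, n: int, prover_distance_m: float, relay_delay_s: float = 0.0,
                 guess: bool = False, seed: int = 0) -> Tuple[List[Round], List[Tuple[int, int]]]:
    """Constructed exchange as seen by the verifier. An honest prover answers after the
    challenge reached it (round trip 2d/c plus any relay delay); a far-away prover that
    cannot wait for c_i (`guess=True`) answers early with a guessed bit, so its timing
    looks fine but half of its responses are wrong on average."""
    rng = random.Random(seed)
    nonce = bytes(rng.getrandbits(8) for _ in range(16))
    table = response_table(key, nonce, n)   # the prover's copy, derived from the same K
    rounds: List[Round] = []
    t = 0.0
    for i in range(n):
        c = rng.getrandbits(1)
        if guess:
            r, rtt = rng.getrandbits(1), 0.0
        else:
            r, rtt = table[i][c], 2 * prover_distance_m / C + relay_delay_s
        rounds.append(Round(c, r, t, t + rtt))
        t += 1e-6   # one round per microsecond
    return rounds, table


KEY = b"constructed-demo-key-not-secret!"   # constructed shared key K

if __name__ == "__main__":
    B = 5.0   # accept provers within 5 m: the round trip must stay below about 33 ns
    print("honest, 3 m:     ", verify(*run_exchange(KEY, 32, 3.0), B))
    print("relayed, +100 ns:", verify(*run_exchange(KEY, 32, 3.0, relay_delay_s=100e-9), B))
    print("far, 50 m:       ", verify(*run_exchange(KEY, 32, 50.0), B))
    print("early guesser:   ", verify(*run_exchange(KEY, 32, 3.0, guess=True), B))
```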

INTRODUCTION: ATTACKS

Mafia Fraud (MiM): A man-in-the-middle (MiM) adversary between a verifier and a far-away honest prover tries to make the verifier accept.

Distance Fraud (DF): A malicious, far-away prover tries to prove that (s)he is close enough.

Distance Hijacking (DH): A far-away malicious prover takes advantage of some honest and active provers who are close to the verifier to make the verifier grant privileges to the far-away prover.

Terrorist fraud (TF): A far-away malicious prover, with the help of the adversary, tries to make the verifier accept.

[Diagrams, one per attack: verifier V with a far-away prover P and an adversary A (MiM); V with a far-away P (DF); V with a far-away P and a close prover P' (DH); V with a far-away P and an adversary A (TF)]

Page 273: COST Action IC1403 Training School – Booket of ... - Cryptacus

INTRODUCTION: BRANDS AND CHAUM

8

OUTLINE

Introduction

Plain Model*

Secure Hardware Model

Conclusion

9

* Ioana Boureanu, Aikaterini Mitrokotsa, and Serge Vaudenay. Practical and provably secure distance-bounding. Journal of Computer Security.

Page 274: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 275: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 276: COST Action IC1403 Training School – Booket of ... - Cryptacus

DISTANCE BOUNDING: FORMAL DEFINITION OF SYMMETRIC DB

[Figure: Prover and Verifier. The key set-up $\mathcal{K} \to K$ gives the same key $K$ to both sides; $V(K)$ and $P(K)$ run the protocol with distance bound $B$; the verifier's output is $\mathrm{Out}_V$.]

$DB = (\mathcal{K}, P, V, B)$

10

Page 277: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 278: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 279: COST Action IC1403 Training School – Booket of ... - Cryptacus

DISTANCE BOUNDING: FORMAL DEFINITION OF PUBLIC-KEY DB

[Figure: Prover and Verifier. Key generation $\mathcal{K}_V \to (sk_V, pk_V)$ and $\mathcal{K}_P \to (sk_P, pk_P)$; $V(sk_V, pk_V)$ and $P(sk_P, pk_P, pk_V)$ run the protocol with distance bound $B$; the verifier outputs $\mathrm{Out}_V$ and $\mathrm{POut}_V = pk_P$.]

$DB = (\mathcal{K}_V, \mathcal{K}_P, P, V, B)$

Page 280: COST Action IC1403 Training School – Booket of ... - Cryptacus

THREAT MODELS: ADVERSARIAL AND COMMUNICATION MODEL

DB protocols run in a natural communication setting:

• a notion of time (e.g., a time unit) and a notion of measurable distance
• communication cannot be faster than the speed of light

The adversary sees all the messages.

The adversary can change the destinations of messages.

The adversary can create polynomially many instances of parties.

The honest instances cannot be run in parallel.

12
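The definition $DB = (\mathcal{K}, P, V, B)$ and the communication model above (an explicit time unit, measurable distance, nothing faster than light) can be made concrete with a small simulation. The Python model below is an added example, not the speaker's code: it assumes a toy protocol shape (HMAC-derived response bits, one-bit rapid challenges, a verifier that accepts only if every response is correct and every round trip fits within $2B/c$) and a link model in which the honest prover answers instantly, so a man-in-the-middle relay shows up purely as extra round-trip latency.

```python
"""Toy symmetric-key distance-bounding protocol DB = (K, P, V, B) run in the
communication setting of the slides: explicit time, measurable distance,
and nothing faster than light.  Constructed for illustration; the protocol
shape (HMAC-derived response bits, one-bit rapid challenges) is an
assumption, not the protocol analysed in the talk."""
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458   # speed of light in metres per nanosecond (time unit: ns)
N_ROUNDS = 32              # rapid challenge/response rounds per run


def key_setup() -> bytes:
    """K: key set-up algorithm; the key K is given to both P(K) and V(K)."""
    return secrets.token_bytes(16)


def response_tables(key: bytes, nonce: bytes):
    """Both sides derive the same two response strings from K and the nonce;
    the answer to challenge c in round i is bit i of tables[c]."""
    return tuple(hmac.new(key, tag + nonce, hashlib.sha256).digest()
                 for tag in (b"r0", b"r1"))


def bit_at(buf: bytes, i: int) -> int:
    return (buf[i // 8] >> (i % 8)) & 1


class Prover:
    """P(K): answers each one-bit challenge from its precomputed tables."""

    def __init__(self, key: bytes):
        self.key = key

    def start(self, nonce: bytes):
        self.tables = response_tables(self.key, nonce)   # slow phase, not timed

    def answer(self, i: int, c: int) -> int:
        return bit_at(self.tables[c], i)


class Link:
    """Physical channel: P sits distance_m from V; an optional man-in-the-
    middle relay adds relay_delay_ns on each of the two hops.  The honest P
    answers instantly, so a round trip is propagation plus relay delay only."""

    def __init__(self, prover: Prover, distance_m: float, relay_delay_ns: float = 0.0):
        self.prover, self.distance_m, self.relay_delay_ns = prover, distance_m, relay_delay_ns

    def setup(self, nonce: bytes):
        self.prover.start(nonce)

    def exchange(self, i: int, c: int):
        rtt_ns = 2 * self.distance_m / C_M_PER_NS + 2 * self.relay_delay_ns
        return self.prover.answer(i, c), rtt_ns


class Verifier:
    """V(K) with distance bound B in metres: outputs Out_V = 1 only if every
    response is correct and every round trip fits within 2B/c."""

    def __init__(self, key: bytes, bound_m: float):
        self.key = key
        self.max_rtt_ns = 2 * bound_m / C_M_PER_NS

    def run(self, link: Link) -> int:
        nonce = secrets.token_bytes(8)
        link.setup(nonce)
        tables = response_tables(self.key, nonce)
        for i in range(N_ROUNDS):
            c = secrets.randbits(1)                 # fresh one-bit challenge
            resp, rtt_ns = link.exchange(i, c)
            if resp != bit_at(tables[c], i) or rtt_ns > self.max_rtt_ns:
                return 0
        return 1


def run_db(bound_m: float, distance_m: float, relay_delay_ns: float = 0.0) -> int:
    """One full run: K -> P(K), V(K); returns Out_V."""
    key = key_setup()
    return Verifier(key, bound_m).run(Link(Prover(key), distance_m, relay_delay_ns))


if __name__ == "__main__":
    print("honest P at 3 m, B = 10 m:        ", run_db(10, 3))      # 1
    print("honest P at 500 m, B = 10 m:      ", run_db(10, 500))    # 0
    print("P at 3 m, relay adding 50 ns/hop: ", run_db(10, 3, 50))  # 0
    print("P at 3 m, relay adding 5 ns/hop:  ", run_db(10, 3, 5))   # 1: bound too slack
```

The last run is the caveat a designer has to keep in mind: the bound $B$ is only as good as the slack between it and the prover's true distance, so a relay whose forwarding latency fits inside that slack is not detected by timing alone. Real deployments also have to budget the prover's processing time, which this model sets to zero.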

MAFIA FRAUD (MIM): HONEST PROVER

The game begins by running the key set-up algorithms $\mathcal{K}_V \to (sk_V, pk_V)$ and $\mathcal{K}_P \to (sk_P, pk_P)$.

The game gives $pk_P, pk_V$ to the adversary.

The adversary creates instances of the honest prover, the verifier and itself.

The adversary wins if there exists an instance $V$ which outputs $\mathrm{Out}_V = 1$ and $\mathrm{POut}_V = pk_P$ when $P$ is far away.

A DB protocol is MiM-secure if the success probability of winning the game is negligible.

13

[Figure: V, A, P (far away)]

Page 281: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 282: COST Action IC1403 Training School – Booket of ... - Cryptacus

MAFIA FRAUD (MIM): MIM-SECURITY GAME

[Figure: the adversary $A$, given $pk_P, pk_V$, creates instances of $V$, $P$ and $A$ and routes the messages between them. The adversary wins if some $V$ outputs $\mathrm{Out}_V = 1$ and $\mathrm{POut}_V = pk_P$.]

14

Page 283: COST Action IC1403 Training School – Booket of ... - Cryptacus

DISTANCE FRAUD: MALICIOUS PROVER

The game begins by running the key set-up algorithm $\mathcal{K}_V \to (sk_V, pk_V)$.

The game gives the public key $pk_V$.

The adversary generates $(sk_P, pk_P)$ with $\mathcal{K}_P(pk_P) \to (sk_P, pk_P)$.

The adversary creates instances of the verifier and itself.

The adversary wins if $V$ outputs $\mathrm{Out}_V = 1$ and $\mathrm{POut}_V = pk_P$ when $P$ is far away.

A DB protocol is DF-secure if the success probability of winning the game is negligible.

15

[Figure: V, P (far away)]


Page 284: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 285: COST Action IC1403 Training School – Booket of ... - Cryptacus

DISTANCE FRAUD: DF-GAME

[Figure: the adversary $A$, given $pk_V$, generates $(sk_P, pk_P)$ with $\mathcal{K}_P(pk_P) \to (sk_P, pk_P)$ and creates instances of $V$ and of the malicious prover $P$. The adversary wins if some $V$ outputs $\mathrm{Out}_V = 1$ and $\mathrm{POut}_V = pk_P$.]

16

DISTANCE HIJACKING: MALICIOUS PROVER

The game begins by running the key generation algorithms $\mathcal{K}_V \to (sk_V, pk_V)$ and $\mathcal{K}_P \to (sk_{P'}, pk_{P'})$.

The game gives the public keys $pk_V$ and $pk_{P'}$.

The adversary generates $(sk_P, pk_P)$, where $pk_P \neq pk_{P'}$, with $\mathcal{K}_P(pk_V, pk_{P'}) \to (sk_P, pk_P)$.

The adversary creates instances of the verifier, the honest prover and itself.

The adversary wins if $V$ outputs $\mathrm{Out}_V = 1$ and $\mathrm{POut}_V = pk_P$ when $P$ is far away.

A DB protocol is DH-secure if the success probability of winning the game is negligible.

17

[Figure: V, P', P (far away)]

Page 286: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 287: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 288: COST Action IC1403 Training School – Booket of ... - Cryptacus

DISTANCE HIJACKING: DH-GAME

[Figure: the adversary $A$, given $pk_V$ and $pk_{P'}$, generates $(sk_P, pk_P)$ with $\mathcal{K}_P(pk_V, pk_{P'}) \to (sk_P, pk_P)$ and creates instances of $V$, of the honest prover $P'$ and of the malicious prover $P$. The adversary wins if some $V$ outputs $\mathrm{Out}_V = 1$ and $\mathrm{POut}_V = pk_P$.]

18


Page 289: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 290: COST Action IC1403 Training School – Booket of ... - Cryptacus

TERRORIST FRAUD

TF-security is impossible to achieve because of the trivial attack.

[Figure: the Verifier $V(sk_V, pk_V)$, a close-by Adversary, and a far-away malicious Prover $P(sk_P, pk_P, pk_V)$ holding $(sk_P, pk_P)$; the prover hands $sk_P$ to the adversary.]

19

Page 291: COST Action IC1403 Training School – Booket of ... - Cryptacus

TERRORIST FRAUD: TF'-SECURITY

Assumption: The malicious prover does not reveal any secret-key-related information to the adversary.

• Any information forwarded to a close-by adversary would allow another adversary to later pass, without the help of the prover, with the same probability.

• Extractor-based definition: If $V$ accepts, then the extractor constructs the secret key by using the view of the close parties.

20

Dürholz, U., Fischlin, M., Kasper, M., & Onete, C. A formal approach to distance-bounding RFID protocols, 2011.
Fischlin, M., & Onete, C. Terrorism in distance bounding: modeling terrorist-fraud resistance, 2013.
Vaudenay, S. On modeling terrorist frauds, 2013.

RELATIONS BETWEEN THREAT MODELS

[Figure: relations between TF, MiM, DH and DF]

21

Page 292: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 293: COST Action IC1403 Training School – Booket of ... - Cryptacus

RELATIONS BETWEEN THREAT MODELS

[Figure: the Echo Protocol between $V(sk_V, pk_P)$ and $P(sk_P, pk_P, pk_V)$. $V$ sends the challenges $c_1, c_2, \ldots, c_n$ and $P$ echoes each $c_i$ back; $V$ records the send times $ts_1, ts_2, \ldots, ts_n$ and the receive times $tr_1, tr_2, \ldots, tr_n$.]

21

Page 294: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 295: COST Action IC1403 Training School – Booket of ... - Cryptacus

RELATIONS BETWEEN THREAT MODELS

[Figure: a protocol between $V$, $P'$ and $P$ in which the verifier side computes $A(sk_V, pk_V, pk_P, N) \to s$ and the prover side computes $B(sk_P, pk_P, pk_V, N) \to s'$.]

21

Page 296: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 297: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 298: COST Action IC1403 Training School – Booket of ... - Cryptacus

RELATIONS BETWEEN THREAT MODELS

[Figure: relations between MiM, DH, DF and TF']

21

OUTLINE

Introduction

Plain Model

Secure Hardware Model*

Conclusion

22

* Handan Kılınç and Serge Vaudenay, Formal Analysis of Distance Bounding with Secure Hardware, ACNS 2018

Page 299: COST Action IC1403 Training School – Booket of ... - Cryptacus

SECURE HARDWARE MODEL (SHM)

[Figure: Verifier, Prover, and the prover's secure Hardware]

Secure hardware are honest parties.

Each prover possesses its own secure hardware.

The secure hardware of an honest prover can only communicate with its prover, and they are both at the same location.

23

Handan Kılınç and Serge Vaudenay, Formal Analysis of Distance Bounding with Secure Hardware, ACNS 2018

Page 300: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 301: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 302: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 303: COST Action IC1403 Training School – Booket of ... - Cryptacus

SECURE HARDWARE MODEL (SHM)

[Figure: Verifier, Prover and Hardware. Key generation $\mathcal{K}_V \to (sk_V, pk_V)$ and $\mathcal{K}_P \to (sk_P, pk_P)$; the parties run $V(sk_V, pk_V)$, $H(sk_P, pk_P, pk_V)$ and $P(pk_P, pk_V)$ with distance bound $B$; the verifier outputs $\mathrm{Out}_V$ and $\mathrm{POut}_V$.]

$DB = (\mathcal{K}_V, \mathcal{K}_P, P, V, B, H)$

24

Handan Kılınç and Serge Vaudenay, Formal Analysis of Distance Bounding with Secure Hardware, ACNS 2018

Page 304: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 305: COST Action IC1403 Training School – Booket of ... - Cryptacus

SECURE HARDWARE MODEL (SHM)

[Figure: the adversary $A$ facing $V$, with an honest prover $P'$ and its hardware $H'$ and a malicious prover $P$ with its hardware $H$; the threat models TF, MiM, DH and DF are considered in this setting, with the winning condition $\mathrm{Out}_V = 1$ and $\mathrm{POut}_V = pk_P$.]

Secure = TF, DF, MiM, DH secure in SHM

25

PM AND SHM RELATIONS: NOTATIONS

$P_{dum}$ is a dummy prover algorithm in SHM which only relays the messages between the outside world and $H$ without even using any of its input.

[Figure: $V$, $P_{dum}$ and $H$; $P_{dum}$ does nothing but relay.]

26

Page 306: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 307: COST Action IC1403 Training School – Booket of ... - Cryptacus

PM AND SHM RELATIONS: NOTATIONS

$P^H$ is the algorithm which is constructed from joining $P$ and $H$ in SHM. More precisely, $P^H$ runs $P$ and, instead of interacting with $H$, it executes the same computation that $H$ would do if $P$ had interacted with it.

$P_{dum}^H$ is the hardware algorithm $H$.

[Figure: a run between $V$, $P$ and $H$ in which the steps A to I are split between $P$ and $H$, and the same run in which the single algorithm $P^H$ executes all of them.]

27

Page 308: COST Action IC1403 Training School – Booket of ... - Cryptacus

PM AND SHM RELATIONS: MIM IN SHM ⇐ MIM IN PM

Theorem 1: Let $DB = (\mathcal{K}_V, \mathcal{K}_P, V, P, B, H)$ be a DB protocol in SHM. We define $DB' = (\mathcal{K}_V, \mathcal{K}_P, V, P^H, B)$ in PM. If $DB'$ is MiM-secure then $DB$ is MiM-secure.

The proof is trivial by adding a hardware to every honest prover at the same location: a MiM-game against $DB'$ becomes a MiM-game against $DB$.

28
sha1_base64="3+D27Dw5judt+/m1D4NiusSz/n8=">AAACFnicdVDLSgMxFM3UV62vUZdugq1QYSwzdWG7EEp1UXAzgn1AOwyZNG1DMw+SjFCGfoUbf8WNC0Xcijv/xvQh1NeBwMk593LvPV7EqJCm+aGllpZXVtfS65mNza3tHX13ryHCmGNSxyELectDgjAakLqkkpFWxAnyPUaa3vBi4jdvCRc0DG7kKCKOj/oB7VGMpJJc/SR3WYXnMN/xkRxgxJKrsdswFn+2ARuGbVSN2nHO1bNmoVgumadl+JtYBXOKLJjDdvX3TjfEsU8CiRkSom2ZkXQSxCXFjIwznViQCOEh6pO2ogHyiXCS6VljeKSULuyFXL1Awqm62JEgX4iR76nKyb7ipzcR//LaseyVnIQGUSxJgGeDejGDMoSTjGCXcoIlGymCMKdqV4gHiCMsVZIZFcLXpfB/0igWLLNgXRezleo8jjQ4AIcgDyxwBiqgBmxQBxjcgQfwBJ61e+1Re9FeZ6Upbd6zD75Be/sENhic5g==</latexit>

Page 309: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 310: COST Action IC1403 Training School – Booket of ... - Cryptacus

PM AND SHM RELATIONS: MIM-SECURITY IN PM WITH SECURITY IN SHM

29

Theorem 2: Let DB = (K_V, K_P, V, P, B, H) be a DB in SHM and let DB' = (K_V, K_P, V, P_{H_dum}, B) be a DB in PM, where H of DB corresponds to the prover P_{H_dum} of DB' (P_{H_dum} = H). DB' is MiM-secure in PM if and only if DB is TF-secure in SHM.

Page 311: COST Action IC1403 Training School – Booket of ... - Cryptacus

PM AND SHM RELATIONS: MIM-SECURITY IN PM WITH SECURITY IN SHM (slide 29, continued)

Proof sketch for Theorem 2, with DB = (K_V, K_P, V, P, B, H) in SHM and DB' = (K_V, K_P, V, P_{H_dum}, B) in PM, P_{H_dum} = H: Consider a TF-game for DB in SHM. We run this game in PM by simulating the secure hardware H of DB with the prover P_{H_dum} of DB', and simulating the prover P of SHM with an actor in PM. Then we obtain a MiM-game of DB'. If A wins the MiM-game of DB', then a TF adversary runs A and wins the TF-game for DB.

PM AND SHM RELATIONS: WHY NOT WITH P_H

30

MiM-symDB (plain model), with shared key K:

    V(K)                                      P(K)
    pick N_V                                  pick N_P
                   <----------- N_P -----------
                   ------------ N_V ----------->
    C||R = f_K(N_P, N_V)                      C||R = f_K(N_P, N_V)
    for i = 1 to n:
                   ------------ c_i ----------->
                                              if C[i] ≠ c_i, abort
                   <----------- r_i -----------
    C = c_1||c_2||...||c_n,  R = r_1||r_2||...||r_n

Page 312: COST Action IC1403 Training School – Booket of ... - Cryptacus

31

PM AND SHM RELATIONS: WHY NOT WITH P_H

MiM-symDB in SHM: the prover's key K lives only in the secure hardware H(K); the prover P relays the nonces and the challenges to it.

    V(K)                 P                        H(K)
    pick N_V             pick N_P
          <--- N_P ------
          ---- N_V ----->
                         ---- N_V, N_P --------->
                                                  C||R = f_K(N_P, N_V)
    C||R = f_K(N_P, N_V)
    for i = 1 to n:
          ---- c_i ----->  ---- c_i ------------>
                                                  if C[i] ≠ c_i, abort
          <--- r_i ------  <--- r_i -------------
    C = c_1||c_2||...||c_n,  R = r_1||r_2||...||r_n


Page 313: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 314: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 315: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 316: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 317: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 318: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 319: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 320: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 321: COST Action IC1403 Training School – Booket of ... - Cryptacus

32

PM AND SHM RELATIONS: WHY NOT WITH P_H

In SHM the prover P (the party the TF-game lets misbehave) holds H(K) but not K. Before the challenge phase with V it can learn C||R from H(K) using only H's abort behaviour; ⊥ marks a bit of C not yet known:

    V(K)             P                                     H(K)
                     pick N_P
          <--- N_P ---
    pick N_V
          ---- N_V -->
                     ---- N_P, N_V ---------------------->
                                                           C||R = f_K(N_P, N_V)
                     until C||R is found:
                       for i = 1 to n:
                         if C[i] = ⊥: pick c'_i
                         else: c'_i = C[i]
                                ---- c'_i ---------------->
                                                           if C[i] ≠ c'_i, abort
                                <--- r_i -----------------
                         if not abort: C[i] = c'_i, R[i] = r_i
                         else: return to the beginning
    for i = 1 to n:
          ---- c_i -->
          <--- r_i ---

This is why Theorem 2 is stated with P_{H_dum} rather than P_H: in SHM the prover software in front of H(K) is not bound to relay faithfully.
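As an added example (not from the slides), the MiM-symDB exchange of slide 30 with both sides' messages, the P / H(K) split of slide 31, and the abort-driven recovery of C||R from slide 32, so the leakage Theorem 2 accounts for can be observed. f_K instantiated as HMAC-SHA256, 8-byte nonces, the verifier's acceptance rule and all class and function names are this example's assumptions.

```python
import hashlib
import hmac
import secrets

N = 16  # number of challenge/response rounds n (demo value)


def f_k(key: bytes, n_p: bytes, n_v: bytes, n: int = N):
    """C||R = f_K(N_P, N_V): n challenge bits C and n response bits R.
    f_K is abstract on the slide; HMAC-SHA256 is this example's choice."""
    stream = hmac.new(key, n_p + n_v, hashlib.sha256).digest()
    assert 2 * n <= 8 * len(stream)
    bits = [(stream[i // 8] >> (7 - i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]


class Hardware:
    """H(K) of slides 31/32: keeps K, derives C||R from the nonces it is given,
    releases r_i only for a challenge equal to C[i], and aborts otherwise."""

    def __init__(self, key: bytes, n: int = N):
        self.key, self.n = key, n
        self.queries = 0
        self.aborted = True  # nothing may be answered before start()

    def start(self, n_p: bytes, n_v: bytes) -> None:
        self.C, self.R = f_k(self.key, n_p, n_v, self.n)
        self.i, self.aborted = 0, False

    def round(self, c: int):
        """Slide 30/32 check: if C[i] != c_i, abort (None = no response)."""
        self.queries += 1
        if self.aborted or self.i >= self.n or c != self.C[self.i]:
            self.aborted = True
            return None
        r = self.R[self.i]
        self.i += 1
        return r


class Prover:
    """P of slide 31: picks N_P, relays N_V and each c_i to H(K), returns r_i.
    In PM the pair (P, H) is the single party P_H of Theorem 1."""

    def __init__(self, hardware: Hardware):
        self.hw = hardware

    def nonce(self) -> bytes:
        self.n_p = secrets.token_bytes(8)
        return self.n_p

    def receive_nv(self, n_v: bytes) -> None:
        self.hw.start(self.n_p, n_v)

    def respond(self, c: int):
        return self.hw.round(c)


def verifier(key: bytes, prover, n: int = N) -> bool:
    """V(K) of slide 30. The slide shows only the message flow; the acceptance
    rule 'every r_i equals R[i]' is this example's assumption (the round-trip
    timing a real DB verifier measures is omitted)."""
    n_p = prover.nonce()                    # <-- N_P
    n_v = secrets.token_bytes(8)            # pick N_V
    prover.receive_nv(n_v)                  # --> N_V
    C, R = f_k(key, n_p, n_v, n)
    for i in range(n):
        if prover.respond(C[i]) != R[i]:    # --> c_i, <-- r_i
            return False
    return True


def learn_cr_from_hardware(hw: Hardware, n_p: bytes, n_v: bytes, n: int = N):
    """Slide 32: a prover that does not know K recovers C||R from H(K) using
    only its accept/abort behaviour. None stands for the slide's ⊥."""
    C, R = [None] * n, [None] * n
    restarts = 0
    while True:                               # 'until find C||R'
        hw.start(n_p, n_v)                    # 'return to the beginning'
        for i in range(n):
            c = secrets.randbits(1) if C[i] is None else C[i]   # pick c'_i / reuse
            r = hw.round(c)
            if r is None:                     # H aborted: the guess was wrong
                restarts += 1
                break
            C[i], R[i] = c, r                 # 'if not abort: C[i]=c'_i, R[i]=r_i'
        else:
            return C, R, restarts


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("honest session accepted:", verifier(key, Prover(Hardware(key))))
    hw = Hardware(key)
    n_p, n_v = secrets.token_bytes(8), secrets.token_bytes(8)
    C, R, restarts = learn_cr_from_hardware(hw, n_p, n_v)
    print("recovered C||R equals f_K(N_P, N_V):", (C, R) == f_k(key, n_p, n_v),
          "after", restarts, "aborted runs and", hw.queries, "queries to H")
```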

PM AND SHM RELATIONS: IMPORTANT RESULTS OF THE THEOREMS

33

Theorem 1: Let DB = (K_V, K_P, V, P, B, H) be a DB protocol in SHM. We define DB' = (K_V, K_P, V, P_H, B) in PM. If DB is MiM-secure then DB' is MiM-secure.

Theorem 2: Let DB = (K_V, K_P, V, P, B, H) be a DB in SHM and let DB' = (K_V, K_P, V, P_{H_dum}, B) be a DB in PM, where H of DB corresponds to the prover P_{H_dum} of DB' (P_{H_dum} = H). DB' is MiM-secure in PM if and only if DB is TF-secure in SHM.

DB0 = (KV , KP , V, PHdum, B)

<latexit sha1_base64="2Q4XTbcL484TTSq9+2UNgs3waCI=">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</latexit><latexit sha1_base64="2Q4XTbcL484TTSq9+2UNgs3waCI=">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</latexit><latexit sha1_base64="2Q4XTbcL484TTSq9+2UNgs3waCI=">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</latexit><latexit sha1_base64="2Q4XTbcL484TTSq9+2UNgs3waCI=">AAACHXicdVDLSgMxFM3UV62vqks3wVasUMpMFWwXQqkuCm5GsNNCW4dMmmlDMw+SjFCG/ogbf8WNC0VcuBH/xvQh1NeBwMk593LvPU7IqJC6/qElFhaXlleSq6m19Y3NrfT2jiWCiGNSxwELeNNBgjDqk7qkkpFmyAnyHEYazuB87DduCRc08K/lMCQdD/V86lKMpJLs9En2onoIz2Cu7SHZx4jFlyPbys//zDy08qYddyNvdFPLV4+ydjqjF4rlkn5chr+JUdAnyIAZTDv91u4GOPKILzFDQrQMPZSdGHFJMSOjVDsSJER4gHqkpaiPPCI68eS6ETxQShe6AVfPl3CiznfEyBNi6Dmqcry1+OmNxb+8ViTdUiemfhhJ4uPpIDdiUAZwHBXsUk6wZENFEOZU7QpxH3GEpQo0pUL4uhT+T6xiwdALxlUxU6nO4kiCPbAPcsAAp6ACasAEdYDBHXgAT+BZu9cetRftdVqa0GY9u+AbtPdPJYOgIg==</latexit>

Page 322: COST Action IC1403 Training School – Booket of ... - Cryptacus

PM AND SHM RELATIONS: IMPORTANT RESULTS OF THEOREM

33

Theorem 1: Let DB = (K_V, K_P, V, P, B, H) be a DB protocol in SHM. We define DB' = (K_V, K_P, V, P^H, B) in PM. If DB' is MiM-secure then DB is MiM-secure.

Theorem 2: Let DB = (K_V, K_P, V, P, B, H) be a DB protocol in SHM and DB' = (K_V, K_P, V, P^H_dum, B) be a DB protocol in PM, where H in DB' corresponds to H of DB. DB' is MiM-secure in PM if and only if DB is TF-secure in SHM.

Here P^H_dum = H.

PM AND SHM RELATIONS: IMPORTANT RESULTS OF THEOREMS

34

We can conclude that if DB' = (K_V, K_P, V, P^H_dum, B) is a MiM-secure and correct DB protocol, then we can construct a TF-secure DB protocol DB = (K_V, K_P, V, P, B, H) in SHM for any algorithm P. DB is further correct when P = P_dum.

In order to prove security of DB in SHM, it is enough to prove MiM-security of DB' in PM.

MiM security and TF security of a DB protocol DB in SHM are equivalent if P = P_dum, due to Theorem 1 and Theorem 2. Note that this result may not hold without P = P_dum.

Page 323: COST Action IC1403 Training School – Booket of ... - Cryptacus

PM AND SHM RELATIONS: IMPORTANT RESULTS OF THE THEOREM

35

[Figure: security implications among TF, MiM, DH and DF in PM and SHM]

[Figure: security implications in SHM with P = P_dum]

OUTLINE

Introduction

Plain Model

Secure Hardware Model

Conclusion

36

Page 324: COST Action IC1403 Training School – Booket of ... - Cryptacus

CONCLUSION

We have to consider MiM, DF, DH and TF security in a distance bounding protocol.

In the plain model, it is not possible to achieve TF-security because of the trivial attack.

In the secure hardware model, it is possible to prevent the trivial attack, so we can have TF-security.

Constructing secure protocols in SHM is easier and more efficient than in PM.

We have the following relations between PM and SHM:

• MiM in SHM ⟸ MiM in PM (Theorem 1)

• MiM-security in PM with P^H_dum ⟺ TF-security in SHM (Theorem 2)

• If the prover algorithm is the dummy one (P = P_dum) then MiM-security in SHM ⟺ TF-security in SHM

37

Innovations in permutation-based crypto

Joan Daemen (1,2)

based on joint work with Guido Bertoni (3), Seth Hoffert, Michaël Peeters (1), Gilles Van Assche (1) and Ronny Van Keer (1)

Cryptacus Training School, Azores, April 17, 2018

(1) STMicroelectronics, (2) Radboud University, (3) Security Pattern

1

Page 325: COST Action IC1403 Training School – Booket of ... - Cryptacus

Pseudo-random function (PRF)

[Figure: F_K applied to an input, producing an output]

2

Stream encryption

[Figure: nonce fed into F_K; keystream + plaintext = ciphertext]

3

Page 326: COST Action IC1403 Training School – Booket of ... - Cryptacus

Message authentication (MAC)

[Figure: plaintext fed into F_K, producing a tag that accompanies the plaintext]

4

Authenticated encryption

[Figure: nonce fed into F_K; keystream + plaintext = ciphertext; a tag is produced alongside the ciphertext]

5

Page 327: COST Action IC1403 Training School – Booket of ... - Cryptacus

String sequence input and incrementality

[Figure: packets #1, #2, #3 processed as a string sequence, F_K(P(3) ∘ P(2) ∘ P(1))]

6

Session authenticated encryption (SAE) [KT, SAC 2011]

[Figure: a session starts from (K, N) and yields T(0); each wrap call i takes (A(i), P(i)) and returns (C(i), T(i)), for i = 1, 2, 3]

Initialization taking nonce N
  T ← 0^t + F_K(N)
  history ← N
  return tag T of length t

Wrap taking metadata A and plaintext P
  C ← P + F_K(A ∘ history)
  T ← 0^t + F_K(C ∘ A ∘ history)
  history ← C ∘ A ∘ history
  return ciphertext C of length |P| and tag T of length t

7

Page 328: COST Action IC1403 Training School – Booket of ... - Cryptacus

Synthetic initialization value (SIV) of [KT, eprint 2016/1188]

[Figure: (A, P) → F_K → T; then (T, A) → F_K → keystream, added to P to give C]

Unwrap taking metadata A, ciphertext C and tag T
  P ← C + F_K(T ∘ A)
  τ ← 0^t + F_K(P ∘ A)
  if τ ≠ T then return error!
  else return plaintext P of length |C|

Variant of SIV of [Rogaway & Shrimpton, EC 2006]

8
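The SAE wrap of the previous slide and the SIV unwrap above, as an added example that is not the Keccak Team's code. Assumptions: F_K is played by a stand-in PRF (HMAC-SHA256 expanded in counter mode, used only so that the example runs offline; the slides intend a Farfalle instance such as Kravatte), the string-sequence operator ∘ is played by length-prefixed concatenation, and the SAE unwrap, which the slide does not list, is filled in as the natural receiver side: verify the tag over C ∘ A ∘ history, then decrypt. The two demo functions use constructed packets.

```python
# Added illustration of the SAE and SIV modes (not the Keccak Team's code).
# F_K is a stand-in PRF: HMAC-SHA256 expanded in counter mode.
import hashlib
import hmac

TAG_LEN = 16  # tag length t = 128 bits


def prf(key: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for F_K with arbitrary output length (assumption, see lead-in)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, data + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seq(*parts: bytes) -> bytes:
    """Unambiguous (length-prefixed) encoding of a string sequence; plays the role of ∘."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


class SAESession:
    """Session authenticated encryption: every tag covers the whole session history."""

    def __init__(self, key: bytes, nonce: bytes):
        self.key = key
        self.history = seq(nonce)                      # history <- N
        self.tag0 = prf(key, self.history, TAG_LEN)    # T <- 0^t + F_K(N)

    def wrap(self, a: bytes, p: bytes):
        c = xor(p, prf(self.key, seq(a, self.history), len(p)))  # C <- P + F_K(A o history)
        new_hist = seq(c, a, self.history)
        t = prf(self.key, new_hist, TAG_LEN)                      # T <- 0^t + F_K(C o A o history)
        self.history = new_hist                                   # history <- C o A o history
        return c, t

    def unwrap(self, a: bytes, c: bytes, t: bytes) -> bytes:
        """Receiver side (implied by the slide): verify, then release plaintext."""
        new_hist = seq(c, a, self.history)
        if not hmac.compare_digest(prf(self.key, new_hist, TAG_LEN), t):
            raise ValueError("SAE tag mismatch")
        p = xor(c, prf(self.key, seq(a, self.history), len(c)))
        self.history = new_hist
        return p


def siv_wrap(key: bytes, a: bytes, p: bytes):
    """SIV wrap: the tag is computed first and then acts as the IV."""
    t = prf(key, seq(p, a), TAG_LEN)            # T <- 0^t + F_K(P o A)
    c = xor(p, prf(key, seq(t, a), len(p)))     # C <- P + F_K(T o A)
    return c, t


def siv_unwrap(key: bytes, a: bytes, c: bytes, t: bytes) -> bytes:
    p = xor(c, prf(key, seq(t, a), len(c)))     # P <- C + F_K(T o A)
    tau = prf(key, seq(p, a), TAG_LEN)          # tau <- 0^t + F_K(P o A)
    if not hmac.compare_digest(tau, t):         # if tau != T then return error
        raise ValueError("SIV tag mismatch")
    return p


def sae_demo(key: bytes = b"k" * 16, nonce: bytes = b"session-nonce-01") -> dict:
    """Constructed two-packet session; returns the outcome of each check."""
    sender, receiver = SAESession(key, nonce), SAESession(key, nonce)
    pkts = [(b"hdr1", b"first packet"), (b"hdr2", b"second packet!")]
    wrapped = [sender.wrap(a, p) for a, p in pkts]
    out = {"tag0_matches": sender.tag0 == receiver.tag0}
    out["roundtrip"] = [receiver.unwrap(a, c, t) for (a, _), (c, t) in zip(pkts, wrapped)]
    # A receiver that sees packet 2 before packet 1 has a different history,
    # so the tag fails: SAE authenticates the order, not only each packet.
    reordered = SAESession(key, nonce)
    try:
        reordered.unwrap(pkts[1][0], *wrapped[1])
        out["reorder_rejected"] = False
    except ValueError:
        out["reorder_rejected"] = True
    return out


def siv_demo(key: bytes = b"k" * 16) -> dict:
    """SIV is deterministic (no nonce) and rejects a modified ciphertext."""
    a, p = b"metadata", b"same plaintext twice"
    c1, t1 = siv_wrap(key, a, p)
    c2, t2 = siv_wrap(key, a, p)
    out = {"deterministic": (c1, t1) == (c2, t2), "roundtrip": siv_unwrap(key, a, c1, t1)}
    try:
        siv_unwrap(key, a, bytes([c1[0] ^ 1]) + c1[1:], t1)
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    return out
```

The SAE receiver only advances its history after a successful tag check, so a dropped or reordered packet stops the session rather than silently desynchronising it; SIV, by contrast, has no state and therefore leaks equality of (A, P) pairs, which is the price of nonce-misuse resistance.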

How to build a PRF?

By icelight (flickr.com)

9

Page 329: COST Action IC1403 Training School – Booket of ... - Cryptacus

Sponge [Keccak Team, Ecrypt 2008]

[Figure: sponge construction: a state of r outer bits and c inner bits, both initialised to 0; in the absorbing phase input blocks are added to the outer part and f is applied; in the squeezing phase output blocks are read from the outer part between applications of f]

Taking K as first part of input gives a PRF

10

More efficient: donkeySponge [Keccak Team, DIAC 2012]

11

Page 330: COST Action IC1403 Training School – Booket of ... - Cryptacus

Incrementality: duplex [Keccak Team, SAC 2011]

[Figure: duplex construction: state of r outer and c inner bits initialised to 0; each duplexing call pads the input σ_i, adds it to the outer part, applies f and truncates the outer part to the output Z_i, for i = 0, 1, 2]

12

More efficient: MonkeyDuplex [Keccak Team, DIAC 2012]

Instances:

Ketje [Keccak Team, now extended with Ronny Van Keer, CAESAR 2014] + half a dozen other CAESAR submissions

13

Page 331: COST Action IC1403 Training School – Booket of ... - Cryptacus

Consolidation: Full-state keyed duplex

[Figure: full-state keyed duplex: the key K and an iv initialise the state through f; each subsequent call adds σ to the full state, applies f and produces Z]

[Mennink, Reyhanitabar, & Vizar, Asiacrypt 2015]

[Daemen, Mennink & Van Assche, Asiacrypt 2017]

14

SAE with full-state keyed duplex: Motorist [KT, Keyak 2015]

[Figure: the session starts from the SUV and yields T(0); then (A(1), P(1)) → (C(1), T(1)), P(2) → (C(2), T(2)), A(3) → T(3), i.e. metadata or plaintext may be empty in a call]

15

Page 332: COST Action IC1403 Training School – Booket of ... - Cryptacus

How to build a parallelizable PRF?

by Barilla Food Service

16

Farfalle: early attempt [KT 2014-2016]

[Figure: each input block M_i is combined with the mask k and its block index i, passed through f and accumulated; each output block Z_j is f applied to the accumulator combined with k and the index j]

Similar to Protected Counter Sums [Bernstein, “stretch”, JOC 1999]

Problem: collisions with higher-order differentials if f has low degree

17

Page 333: COST Action IC1403 Training School – Booket of ... - Cryptacus

Farfalle now [Keccak Team + Seth Hoffert, ToSC 2018]

[Figure: mask derivation K∥10* → p_b → k; compression: each input block m_i is added to the rolled mask roll_c^i(k) and passed through p_c, the results are added into an accumulator; p_d is applied to the accumulator; expansion: the state is rolled (roll_e^j) and passed through p_e, and each output block z_j is masked with k′ = roll_c^{i+2}(k)]

Input mask rolling and p_c against accumulator collisions. State rolling, p_e and output mask against state retrieval at output.

Middle p_d against higher-order DC. Input-output attacks have to deal with p_e ∘ p_d ∘ p_c.

18

Kravatte as in ToSC 2018

[Figure: Farfalle instantiated with f = Keccak-p[1600] in all four roles; input blocks m_i masked with rolled k and accumulated, output blocks z_j masked with k′]

Target security: 128 bits, incl. multi-target and quantum adv.
p_i = Keccak-p[1600] with # rounds 6, 6, 6, 6: Achouffe configuration
Input mask rolling with LFSR, state rolling with NLFSR

19

Page 334: COST Action IC1403 Training School – Booket of ... - Cryptacus

In which sense is Kravatte lightweight?

[Figure: the Kravatte diagram of the previous slide]

Workload per round (in HW or bit-slice SW)
• AES: 16 XORs and 4 AND per bit
• Keccak-p: 3 XORs and 1 AND per bit

Number of rounds
• AES CBC or CTR: 10 rounds
• Kravatte compress or expand: 6 rounds

Disadvantage of Kravatte: 200-byte granularity

20

by Perrie Nicholas Smith (perriesmith.deviantart.com)

21

Page 335: COST Action IC1403 Training School – Booket of ... - Cryptacus

Gimli [Bernstein, Kölbl, Lucks, Massolino, Mendel, Nawaz, Schneider, Schwabe, Standaert, Todo, Viguier, CHES 2017]

Ideal size and shape: 48 bytes in 12 words of 32 bits
• compact on low-end: fits registers of ARM Cortex M3/M4
• fast on high-end: suitable for SIMD

For low-end platforms: locality of operations to limit swapping
• limits diffusion, see e.g. [Mike Hamburg, 2017]
• no problem for nominal number of rounds: 24
• not clear how many rounds needed in Farfalle

22

Xoodoo · [noun, mythical] · /zu: du:/ · Alpine mammal that lives in compact herds, can survive avalanches and is appreciated for the wide trails it creates in the landscape. Despite its fluffy appearance it is very robust and does not get distracted by side channels.

23

Page 336: COST Action IC1403 Training School – Booket of ... - Cryptacus

Xoodoo [Keccak team with Seth Hoffert and Johan De Meulder]

https://github.com/XoodooTeam/Xoodoo

384-bit permutation

Main purpose: usage in Farfalle: XooPRF
• Achouffe configuration
• Full-state rolling functions
• Efficient on wide range of platforms

But also for
• small-state authenticated encryption, Ketje style
• sponge-based hashing, …

Keccak-p philosophy ported to Gimli dimensions 3 × 4 × 32!

24

Xoodoo state

[Figure: the state drawn along axes x, y, z, with a plane, a lane and a column highlighted]

State: 3 horizontal planes each consisting of 4 lanes

25

Page 337: COST Action IC1403 Training School – Booket of ... - Cryptacus

Xoodoo round function

[Figure: a round is the sequence θ, ρ_west, χ, ρ_east]

Iterated: n_r rounds that differ only by round constant

26

Nonlinear mapping χ

Effect on one plane:

[Figure: planes 0, 1, 2 of a column; each bit is updated from the complement of one neighbour AND the other]

χ as in Keccak-p, operating on 3-bit columns. Involution, and same propagation differentially and linearly.

27

Page 338: COST Action IC1403 Training School – Booket of ... - Cryptacus

Mixing layer θ

[Figure: state + θ-effect = result; the θ-effect is computed from the column parity by folding]

Column parity mixer: compute parity, fold and add to state. Good average diffusion, identity for states in kernel.

28

Plane shift ρ_east

[Figure: plane 0 unchanged, plane 1 shifted by (0, 1), plane 2 shifted by (2, 8)]

After χ and before θ

Shifts planes y = 1 and y = 2 over different directions

29

Page 339: COST Action IC1403 Training School – Booket of ... - Cryptacus

Plane shift ρ_west

[Figure: plane 0 unchanged, plane 1 shifted by (1, 0), plane 2 shifted by (0, 11)]

After θ and before χ

Shifts planes y = 1 and y = 2 over different directions

30

Xoodoo pseudocode

n_r rounds from i = 1 − n_r to 0, with a 5-step round function:

θ:
  P ← A_0 + A_1 + A_2
  E ← P ≪ (1, 5) + P ≪ (1, 14)
  A_y ← A_y + E for y ∈ {0, 1, 2}

ρ_west:
  A_1 ← A_1 ≪ (1, 0)
  A_2 ← A_2 ≪ (0, 11)

ι:
  A_{0,0} ← A_{0,0} + rc_i

χ:
  B_0 ← ¬A_1 · A_2
  B_1 ← ¬A_2 · A_0
  B_2 ← ¬A_0 · A_1
  A_y ← A_y + B_y for y ∈ {0, 1, 2}

ρ_east:
  A_1 ← A_1 ≪ (0, 1)
  A_2 ← A_2 ≪ (2, 8)

31
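The five steps above written out as an added, runnable Python transcription; this is not the Xoodoo Team's reference code. The lane layout (A[y][x] is the 32-bit lane at plane y, column x), the meaning of ≪ (t, v) (move lane x to x + t, rotate each lane left by v bits) and the round constants for n_r = 12 are taken from the Xoodoo specification rather than from the slide. The last function is an empirical check of the SAC statement on the slide "Xoodoo diffusion and confusion" further on, run over constructed random states.

```python
# Added transcription of the Xoodoo pseudocode (not the reference implementation).
# A[y][x] = 32-bit lane at plane y (0..2), column x (0..3).
import random

MASK32 = 0xFFFFFFFF
# Round constants of the Xoodoo specification for n_r = 12 (not on the slide).
RC = {-11: 0x58, -10: 0x38, -9: 0x3C0, -8: 0xD0, -7: 0x120, -6: 0x14,
      -5: 0x60, -4: 0x2C, -3: 0x380, -2: 0xF0, -1: 0x1A0, 0: 0x12}


def rotl32(v, n):
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK32 if n else v


def shift_plane(plane, t, v):
    """A <<< (t, v): lane x of the result is lane x - t of the input, rotated by v."""
    return [rotl32(plane[(x - t) % 4], v) for x in range(4)]


def theta(a):
    p = [a[0][x] ^ a[1][x] ^ a[2][x] for x in range(4)]       # column parity plane P
    e1, e2 = shift_plane(p, 1, 5), shift_plane(p, 1, 14)      # E = P<<<(1,5) + P<<<(1,14)
    e = [e1[x] ^ e2[x] for x in range(4)]
    return [[a[y][x] ^ e[x] for x in range(4)] for y in range(3)]


def rho_west(a):
    return [list(a[0]), shift_plane(a[1], 1, 0), shift_plane(a[2], 0, 11)]


def iota(a, rc):
    return [[a[0][0] ^ rc] + list(a[0][1:]), list(a[1]), list(a[2])]


def chi(a):
    """3-bit chi on every column: A_y += ~A_{y+1} & A_{y+2} (indices mod 3)."""
    b = [[(~a[(y + 1) % 3][x] & a[(y + 2) % 3][x]) & MASK32 for x in range(4)] for y in range(3)]
    return [[a[y][x] ^ b[y][x] for x in range(4)] for y in range(3)]


def rho_east(a):
    return [list(a[0]), shift_plane(a[1], 0, 1), shift_plane(a[2], 2, 8)]


def xoodoo_round(a, rc):
    return rho_east(chi(iota(rho_west(theta(a)), rc)))


def xoodoo(a, n_rounds=12):
    """Xoodoo[n_r]: rounds i = 1 - n_r, ..., 0."""
    for i in range(1 - n_rounds, 1):
        a = xoodoo_round(a, RC[i])
    return a


def state_from_bytes(b):
    """48 bytes -> state; lane x + 4y is the little-endian word at byte offset 4(x + 4y)."""
    lanes = [int.from_bytes(b[4 * i:4 * i + 4], "little") for i in range(12)]
    return [lanes[4 * y:4 * y + 4] for y in range(3)]


def bytes_from_state(a):
    return b"".join(lane.to_bytes(4, "little") for plane in a for lane in plane)


def in_kernel(a):
    """True when every column has even parity; theta is the identity on such states."""
    return all(a[0][x] ^ a[1][x] ^ a[2][x] == 0 for x in range(4))


def avalanche_fraction(n_rounds, trials=32, seed=7):
    """Average fraction of output bits flipped by one input-bit flip (SAC estimate)
    over constructed random states."""
    rng = random.Random(seed)
    flipped = 0
    for _ in range(trials):
        s = state_from_bytes(bytes(rng.getrandbits(8) for _ in range(48)))
        bit = rng.randrange(384)
        s2 = [list(pl) for pl in s]
        s2[bit // 128][(bit // 32) % 4] ^= 1 << (bit % 32)
        o1, o2 = xoodoo(s, n_rounds), xoodoo(s2, n_rounds)
        flipped += sum(bin(o1[y][x] ^ o2[y][x]).count("1") for y in range(3) for x in range(4))
    return flipped / (trials * 384)
```

Two properties from the slides fall out directly: χ on 3-bit columns is its own inverse, and θ leaves a state untouched when every column parity is zero, which is exactly why the in-kernel states are where trail search has to look hardest.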

Page 340: COST Action IC1403 Training School – Booket of ... - Cryptacus

Xoodoo software performance

                  width    cycles/byte per round
                  (bytes)  ARM Cortex M3    Intel Skylake
Keccak-p[1600]    200      2.44             0.080
ChaCha             64      0.69             0.059
Gimli              48      0.91             0.074*
Xoodoo             48      1.20             0.083

* on Intel Haswell

32

Xoodoo diffusion and confusion

Trail bounds, using [Mella, Daemen, Van Assche, ToSC 2016]:

            min. trail weights
# rounds    diff.     linear
1           2         2
2           8         8
3           36        36
6           ≥ 100     ≥ 100

Strict Avalanche Criterion (SAC) [Webster, Tavares, Crypto ’85]
A mapping satisfies SAC if flipping an input bit will make each output bit flip with probability close to 1/2

Xoodoo satisfies SAC after 3 rounds in forward direction and after 2 rounds in backward direction

33

Page 341: COST Action IC1403 Training School – Booket of ... - Cryptacus

Do you think this is interesting?

I’m hiring! PhD positions, starting September

Scope:

Propagation in Xoodoo-like functions
• computer-assisted bound proving
• mathematical unification of attacks

Interaction between modes and permutations
Impact of key schedule in block ciphers
DPA vulnerability of Xoodoo-like functions
…

34

Thanks for your attention!

[Figure: θ, ρ_west, χ, ρ_east]

35

Page 342: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 1

Body Impedance for Authentication, Key Generation and Device Pairing

Kasper [email protected]

University of Oxford

April 18, 2018

Body Impedance Biometric

Page 343: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 3

Body Impedance (Pulse Response)

• Pulse signal applied to the palm of one hand.
• The biometric is captured by measuring the response in the user’s other hand.

[Figure: signal magnitude [Volt] against time [ns] from 0 to 700 ns, showing the input signal and the measured signal]

[Figure: spectral density of the measured signal against frequency bins 0 to 100]

Slide 4

Classification

Page 344: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 5

Classification Results

[Figure: ROC curves, true positive rate (TPR) against false positive rate (FPR), with the equal error rate marked; classifiers: Euclidean, Mahalanobis, SVM; data sets: over time and single data set]

Key Generation

Page 345: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 7

Biometric keys
• Biometric classifiers can be used directly to make security decisions
  • Authentication
  • Identification
  • Access control
• Biometric information is difficult to use in large scale applications
  • Because most biometrics are constant over time (tracking, profiling, replay)
  • Cannot be revoked
  • Can only be used ”locally” (i.e., not over a network)

Biometric keys
• Extend biometric properties to remote verifiers
• Key will be tied to an individual
• Nothing to remember

Slide 8

Generating keys from a biometric

[Figure: individuals (User 1, User 2, User 3) → acquisition of biometric → biometric samples → feature extraction → biometric features → key generation → biometric keys (e.g. 54 89 e9 d1 a3 43 .., c5 df 15 fd 85 07 .., c2 11 04 1e a1 01 ..)]

• Three things are needed:
  • Acquire the biometric (we use the ”pulse-response” biometric)
  • Extract features
  • Compute key (using a Template)

The Template is what allows us to turn a feature vector into a key in a repeatable way.

Page 346: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 9

Feature Extraction

Feature learning
• Two identical deep neural networks in a Siamese configuration
• Minimize the Hinge loss: |Ω_a − Ω_b| or max(m − |Ω_a − Ω_b|), if a = b or a ≠ b respectively.

Slide 10

Feature Quantization

[Figure: quantization of a feature value range]

Strong Features: feature φ_i is considered ”strong” for a particular user if the range of its values for all enrollment samples (β_1, . . . , β_j) is smaller than δ.

Page 347: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 11

Key and Template Generation (Enrollment)
• Based on Randomized Biometric Templates [Ballard2008]
• Pairs are ordered such that all strong features are located before all other features
• Stopping token generated
• Key generated

Slide 12

User Verification (Key Generation)
• Takes as input the template T_U, a sample β and the pin π
• Keep trying to hash quantized samples until the stop token is found
• When the token is found use the key-hash to calculate the key

Page 348: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 13

Our Optimal Key guessing algorithm

• Improved the version from [Ballard2008]
• Used the fact that the algorithm is deterministic
• Closed-form expression
• Much stronger than previous algorithms

• Best case for the adversary
• tighter bound on security
• We have results that are comparable in numbers (i.e., much better given the stronger adversary)

Slide 14

Key generation results

[Figure: fraction of keys [%] against number of guesses (1, 2^20, 2^30, 2^42, 2^50, 2^58, 2^60, 2^70): Shannon entropy estimate, our key guessing algorithm, key guessing algorithm of Ballard et al. [2]]

• 50% of the keys take more than 2^58 guesses.
• equivalent to 59 bit keys
• Guaranteed that the person was involved in transaction

Page 349: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 15

Remote Biometric Authentication

There is a potential problem with the amount of entropy from the underlying biometric

• Dangerous to use the biometric key directly to do things like MAC_K(·)
• It gives the adversary a token with which to test offline key-guesses.

We propose a new scheme

• Based on the integer commitment scheme from 2001 by Damgård et al.
• Enables secure remote authentication
  • without requiring the biometric measurements to be sent to either the Verifier or the Authority.
  • without giving an eavesdropping adversary any offline guessing material

Slide 16

Remote User Authentication – Enrolment

Parties: User U, Reader R, Authority C_Auth

Authority: choose h ∈ G and γ, and set g = h^γ
Authority → Reader: g, h
Authority: prove to Reader that g ∈ ⟨h⟩
User: choose PIN π_U
User → Reader: U, PIN π
Reader: sample β_1, …, β_j
Reader: T_U = Enroll(β_1, …, β_j, π)
Reader: K = KeyGen(β_1, …, β_j, T_U, π)
Reader: choose random r and compute c_U = g^K h^r
Reader → Authority: c_U
Authority: notify U

[Figure: the enrolment message flow between User, Reader and Authority]

Page 350: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 17

Remote User Authentication

Parties: User U, Reader R, Verifier V

User → Reader: U, PIN π
Reader: sample β′
Reader: K′ = KeyGen(β′, T_U, π)
Reader: pick y and s and compute d = g^y h^s
Reader → Verifier: d
Verifier: pick challenge e
Verifier → Reader: e
Reader: compute u = y + e·K′ and v = s + e·r
Reader → Verifier: U, u, v
Verifier: verify that g^u h^v = d (c_U)^e

[Figure: the authentication message flow between User, Reader and Verifier]

Slide 18

Security guarantees

Passive eavesdropper
• To get the key an attacker would need to extract it from
  g^u h^v = g^{eK+y} h^{er+s} = g^y h^s (g^K h^r)^e = d (c_U)^e

Active manipulation
• the adversary knows neither r nor K
• so by the hiding property of [damgard2001], he has to guess either y and s, or K and r themselves to create a message that will pass the verifier's check.

Replay
• cannot reuse the captured values u and v because they both depend on the challenge e
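The enrolment and authentication exchange of slides 16 to 18, as an added example that is not the authors' implementation. Assumptions: a prime-order subgroup of Z_p^* with toy parameters stands in for the Damgård integer commitment group (so g = h^γ lies in ⟨h⟩ by construction and the authority's proof of that fact is omitted); KeyGen(β, T_U, π) is replaced by a hash of a constructed sample and PIN; and the reader is assumed to keep the enrolment randomness r, since the slide does not say where it is stored. The demo runs the honest exchange, a run with a wrong key, and a replay of a captured (d, u, v) under a fresh challenge, which is the replay argument of slide 18.

```python
# Added example of the commitment-based remote authentication (not the authors' code).
import hashlib
import secrets


class Group:
    """Subgroup of prime order q in Z_p^*, p = 2q + 1. TOY SIZE, illustration only."""

    def __init__(self, p, q, h):
        assert h != 1 and pow(h, q, p) == 1
        self.p, self.q, self.h = p, q, h

    def commit(self, g, a, b):
        """g^a h^b mod p, the form of both c_U and d on the slides."""
        return (pow(g, a, self.p) * pow(self.h, b, self.p)) % self.p


TOY = Group(p=1019, q=509, h=4)  # 1019 = 2*509 + 1; h = 4 = 2^2 has order 509


def authority_setup(grp):
    """Authority: choose gamma, set g = h^gamma; gamma never leaves the authority."""
    gamma = secrets.randbelow(grp.q - 1) + 1
    return pow(grp.h, gamma, grp.p), gamma


def keygen_stub(sample: bytes, pin: bytes, grp) -> int:
    """Stand-in for KeyGen(beta, T_U, pi): same (sample, PIN) -> same K in Z_q."""
    return int.from_bytes(hashlib.sha256(sample + pin).digest(), "big") % grp.q


def enroll(grp, g, key):
    """Reader: c_U = g^K h^r with fresh r; c_U goes to the authority, r stays with the reader (assumption)."""
    while True:
        r = secrets.randbelow(grp.q)
        c_u = grp.commit(g, key, r)
        if c_u != 1:          # reject the degenerate identity commitment
            return c_u, r


def reader_commit(grp, g):
    """Reader: d = g^y h^s for fresh y, s (sent to the verifier first)."""
    y, s = secrets.randbelow(grp.q), secrets.randbelow(grp.q)
    return grp.commit(g, y, s), (y, s)


def verifier_challenge(grp):
    return secrets.randbelow(grp.q - 1) + 1       # e in [1, q-1]


def reader_respond(grp, ys, e, key_prime, r):
    y, s = ys
    return (y + e * key_prime) % grp.q, (s + e * r) % grp.q   # u = y + eK', v = s + er


def verifier_check(grp, g, c_u, d, e, u, v) -> bool:
    """g^u h^v == d * c_U^e (mod p)."""
    return grp.commit(g, u, v) == (d * pow(c_u, e, grp.p)) % grp.p


def run_authentication(grp, g, c_u, r, key_prime):
    """One full run; returns the verdict and the transcript (d, e, u, v) an eavesdropper sees."""
    d, ys = reader_commit(grp, g)
    e = verifier_challenge(grp)
    u, v = reader_respond(grp, ys, e, key_prime, r)
    return verifier_check(grp, g, c_u, d, e, u, v), (d, e, u, v)


def demo() -> dict:
    """Honest run, run with a wrong key, and a replayed transcript under a new challenge."""
    g, _ = authority_setup(TOY)
    key = keygen_stub(b"constructed pulse-response sample", b"1234", TOY)
    c_u, r = enroll(TOY, g, key)
    ok, (d, e, u, v) = run_authentication(TOY, g, c_u, r, key)
    bad, _ = run_authentication(TOY, g, c_u, r, (key + 1) % TOY.q)
    e2 = e + 1 if e + 1 < TOY.q else 1           # a different challenge
    replay = verifier_check(TOY, g, c_u, d, e2, u, v)
    return {"honest": ok, "wrong_key": bad, "replay": replay}
```

Nothing the verifier stores or sees (c_U, d, e, u, v) can be tested offline against a candidate K without also knowing r, which is the property the previous slide asks for; with real parameters the group is replaced by one of cryptographic size.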

Page 351: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 19

Biometric security properties

• Only the "right person" can generate the "right key"
• Remote devices can be sure the user is present (and involved)
• Biometric stays private (no one else gets a copy)

Device Pairing


Slide 21

Device Pairing

• Bootstrap secure communication

• Two un-associated devices derive a mutual secret

• No trusted third party

• Problem: Establish the “identity” of the other device

Slide 22

Existing Device Pairing Schemes

Most existing schemes either

• depend on physical assumptions on the communication channel (example: near field communication)

OR

• use an auxiliary channel
• require users to make security-relevant decisions (example: short string comparison, "C8 00 21" =?)

Slide 23

Our Idea in a Nutshell

• Two devices can be paired if they are being held by the same human at the same time
• Physical access to both devices implies ability to pair
• All a device needs to determine if it is being held is a small electrode, i.e., a conductive patch
• User does not make any security decisions!

Interface Properties
• Can be built into almost any device
• Does not require a screen, keyboard, camera, ...

Slide 24

Our Approach (System Model)

• Devices share two communication channels:
  1. Regular wireless channel (actually any communication channel will do)
  2. Body channel via capacitive coupling
• A human touches an electrode on each device to establish data transmission

[Figure: Device A and Device B, each with an electrode; the body channel runs through the user touching both devices, the wireless channel runs between the devices]

Slide 25

Adversary Model

[Figure: Device A (Alice) and Device B (Bob) connected by the wireless channel; the adversary sits on the wireless channel and observes body channel leakage]

Adversary
• No physical access to devices
• Full (read/write) access to wireless channel
• Read-only access to body channel

The goal is passive eavesdropping OR to achieve remote pairing
• without a human present
• with a device held by a human
• as MITM in regular pairing session

Slide 26

Pairing Protocol

[Figure: Device A (Alice) and Device B (Bob): DH key exchange over the wireless channel, then key confirmation over the body channel]

Slide 27

Security Guarantees

[Figure: Device A (Alice) and Device B (Bob): DH key exchange over the wireless channel, key confirmation over the body channel]

Passive Eavesdropping
Remote pairing (with or without a human present)
Become MITM in pairing session

Slide 28

Security Guarantees

[Figure: Device A (Alice) and Device B (Bob): DH key exchange over the wireless channel, key confirmation over the body channel]

Passive Eavesdropping
• Adversary can
  • obtain identifiers A and B
• But cannot
  • obtain the key (by DH assumption)
  • learn "useful" information

Remote pairing (with or without a human present)
Become MITM in pairing session

Slide 29

Security Guarantees

[Figure: Device A (Alice) and Device B (Bob): DH key exchange over the wireless channel, key confirmation over the body channel]

Passive Eavesdropping
Remote pairing (with or without a human present)
• Adversary can
  • complete DH
  • receive MAC
• But cannot (by read-only property)
  • send MAC on body channel
Become MITM in pairing session

Slide 30

Security Guarantees

[Figure: Device A (Alice) and Device B (Bob): DH key exchange over the wireless channel, key confirmation over the body channel]

Passive Eavesdropping
Remote pairing (with or without a human present)
Become MITM in pairing session
• Adversary can
  • complete DH with both devices
• But cannot (by 2nd pre-image resistance)
  • force valid MAC
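The pairing protocol of the preceding slides (DH over the wireless channel, key confirmation over the read-only body channel) run end to end, as an added example that is not from the slides. The slides only show the two phases as a diagram and state that the prototype transmits two 56-bit MACs; the DH group (p = 2^127 − 1, g = 3, a toy choice and not a secure parameter set), the device identifiers and the exact bytes the MAC covers are constructed here and are not the authors' message format.

```python
# Added example (not from the slides): body-channel assisted pairing.
# DH values travel over the attacker-controlled wireless channel; the
# 56-bit key-confirmation tag travels over the body channel, which the
# adversary can read but not write. Group and message layout are toy
# choices constructed for the demo.
import hashlib
import hmac
import secrets

P = 2**127 - 1      # constructed toy prime, NOT a secure DH group
G = 3


class Device:
    def __init__(self, ident: bytes):
        self.ident = ident
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def shared_key(self, peer_pub: int) -> bytes:
        """DH shared secret, hashed into a symmetric key."""
        z = pow(peer_pub, self.priv, P)
        return hashlib.sha256(z.to_bytes(16, "big")).digest()

    def confirmation_mac(self, key: bytes, a_id, b_id, a_pub, b_pub) -> bytes:
        """56-bit MAC over both identities and both DH values, as each
        party saw them (assumed transcript layout)."""
        transcript = a_id + b_id + a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big")
        return hmac.new(key, transcript, hashlib.sha256).digest()[:7]


def pair(alice, bob, wireless_attacker=None):
    """Runs one pairing session and returns whether Alice accepts.
    A wireless attacker substitutes its own DH value in both directions
    (the MITM case from the slide)."""
    a_pub_seen_by_bob = alice.pub
    b_pub_seen_by_alice = bob.pub
    if wireless_attacker is not None:
        a_pub_seen_by_bob = wireless_attacker.pub
        b_pub_seen_by_alice = wireless_attacker.pub
    k_alice = alice.shared_key(b_pub_seen_by_alice)
    k_bob = bob.shared_key(a_pub_seen_by_bob)
    # Key confirmation over the body channel: the adversary can observe
    # the tag but cannot replace it, so Alice receives Bob's genuine tag.
    bob_tag = bob.confirmation_mac(k_bob, alice.ident, bob.ident, a_pub_seen_by_bob, bob.pub)
    alice_expected = alice.confirmation_mac(k_alice, alice.ident, bob.ident, alice.pub, b_pub_seen_by_alice)
    return hmac.compare_digest(bob_tag, alice_expected)


def demo():
    """Returns (honest session accepted, MITM session accepted)."""
    alice, bob = Device(b"A"), Device(b"B")
    honest = pair(alice, bob)
    mitm = pair(alice, bob, wireless_attacker=Device(b"M"))
    return honest, mitm
```

In the MITM run the attacker holds two different keys, one with each device, so the tag Bob computes never matches what Alice expects; the attacker would need to forge a tag under a key it does not hold and, because the channel is read-only for it, cannot inject one anyway.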

Page 357: COST Action IC1403 Training School – Booket of ... - Cryptacus

Slide 31

Is The Body Channel Really Read-Only?

• The security of the pairing protocol relies on the read-only property of the body channel
• The receiving device needs to be able to distinguish between
  A. messages from another device being held by the person
  B. messages from an external source

[Figure: receiving device, transmitting device (case A, through the person) and adversary (case B, external source)]

• We experimentally verify this property

Slide 32

Brief Aside on Intra-Body Communication

Galvanic Coupling
• Induce AC in the body
• Small current through human
− Short transmission
− Two electrodes required

Surface Wave
• RF transmission
• Body as a wave-guide
− Affected by external electromagnetic waves

Capacitive Coupling
• Electrostatic coupling to earth ground
+ Hand to hand
+ One electrode

[Figure: the three coupling methods from transmitter to receiver through the skin: electric field to external ground via signal and ground electrodes (capacitive), electromagnetic wave along the body (surface wave), current flows along a closed signal path (galvanic)]

Slide 33

Implementation / Setup
Proof-of-concept for body channel transmitter and receiver

[Figure: transmitter side: workstation, waveform generator, RF amplifier, isolator, balun, electrodes; receiver side: software-defined radio, isolators, balun, electrodes; synchronization between both sides. Touch electrode and ground electrode, dimensions marked 7 cm, 4 cm and 2 cm]

Frequency bandwidth: 0.5 MHz – 3.5 MHz
Transmitter voltage: 3 Volts (peak-peak)
Current through body: ∼10 micro-amperes

User Safety
• Very little current flow through body
• Much less than, e.g., body composition scales

Miniaturized version can be manufactured as a single chip

Slide 34

Prototype Body Channel Transmission
• On-off keying of Manchester-encoded data
• Frequency sweep during "on-periods"
• Sweep allows to characterize the channel

[Figure: data bits, their Manchester encoding, and the transmitted signal with a frequency sweep in each on-period]

Prototype Performance
• 500 bit/s (on-period is 1 ms)
• Transmitting two 56-bit MACs takes 224 ms
• Measured bit error rate is below 10^-6

Slide 35

Body Channel Characteristics

• Energy transmitted on body channel is attenuated due to
  • Capacitive coupling
  • Intrinsic resistance (and capacitance) of human body
• Sweeps are attenuated depending on frequency
• We chose communication frequencies between 0.5 MHz and 3.5 MHz

[Plot: attenuation [dB] (0 to 100) versus frequency [MHz] (0.2 to 10); curves: receiver directly connected to transmitter, body channel, no connection]

Slide 36

Experimental Verification of Read-Only Property

1. Classifier to let devices distinguish body channel transmissions from external transmissions
   • Person sitting
   • Person standing
2. Different adversarial antennas to maximize the advantage for the adversary
3. Different external transmission distances.

Slide 37

Classification of Transmission Origin

[Plot: ROC curve, true positive rate (0.80 to 1.00) versus false positive rate (0.00 to 0.20); curves: sitting and standing, sitting only]

• False positives: external transmission accepted
• True positives: body channel transmission accepted
• External sources can be excluded with very high probability

Slide 38

Different Antennas and Distances

• It seems as if injection can happen if the external source
  • is very close to the receiver and
  • has a large capacitance

We used a large aluminium sheet, right next to the victim, to maximize the adversary's advantage.

[Figure: injection success for a rod antenna and an aluminium sheet at 30 cm and at 60 cm, with a person touching the device and with the device by itself; values shown in the original: 40%, 91%, 1%, 9%, 9%, 0%, 30%, 0%]

Slide 39

Additional Verification Using Signal Injection Model

Human Body Model
• Simulate injection from near field
• Approximation with three cylinders
• Dielectric properties of human tissues
• Receiver and transmitter can be attached anywhere on body

[Figure: body model parameterized by arm diameter, arm length, torso diameter, torso length, arm unit length and torso unit length]

Slide 40

External Signal Injection

• Pattern changes significantly if sheet is 5 cm further away
• Attenuation pattern is volatile

External Source
• Has to match body channel characteristics
• High capacitance antenna with high output power
• Works only in near field

[Plot: injection with aluminium sheet, attenuation [dB] (40 to 90) versus frequency [MHz] (0.50 to 3.50)]

Read-only assumption holds when the adversary is 50 cm away.

Slide 41

Collaborators

This work is done, in part, in collaboration with

Marc Roeschlin Ivan Martinovic Gene Tsudik

Slide 42

Thank you for your attention

[email protected]
http://www.cs.ox.ac.uk/people/kasper.rasmussen/

Introduction | SCA of Ed25519 | FI on Ed25519 | Conclusion
Radboud University Nijmegen

Physical Attacks: from a concept to real-world

Lejla Batina

Institute for Computing and Information Sciences – Digital Security
Radboud University Nijmegen

Ponta Delgada, Portugal
April 16, 2018

Lejla Batina CRYPTACUS training school 2018 FI and SCA on Ed25519 1 / 23


Contents

Introduction to Physical Attacks

Breaking Ed25519 in WolfSSL

Niels Samwel, Lejla Batina, Guido Bertoni, Joan Daemen and Ruggero Susella, CTRSA2018

Practical Fault Injection on Deterministic Signatures: the Case of EdDSA

Niels Samwel and Lejla Batina, AFRICACRYPT 2018


Embedded cryptographic devices


Blackbox scenario

[Figure: Plaintext → Cryptographic Device → Ciphertext]

• The cipher (e.g. AES) model: the fixed key (unknown to the adversary) is the parameter that takes input to generate output
• Analyzing the security in the blackbox scenario relates to classical cryptanalysis
• Can you derive the secret key by observing plaintext/ciphertext pairs?


Greybox scenario

[Figure: Plaintext → Cryptographic Device → Ciphertext, with Leakage emitted by the device]

• The cryptographic algorithm is implemented on a real device such as a microcontroller, FPGA etc.
• We can observe certain physical quantities in the device's vicinity and use the additional information during cryptanalysis
• Observations: execution time, power consumption, EM radiation, sound
• Side-channel attacks are attacks on implementations of algorithms

Side-channel attacks in the news

"Using EM measurements, we were able to fully extract secret signing keys from OpenSSL and CoreBitcoin running on iOS devices. We also showed partial key leakage from OpenSSL running on Android" (March 2016, https://www.cs.tau.ac.il/~tromer/acoustic/)

http://www.theregister.co.uk/2016/06/04/sidechannel_encryption_theft/

Taxonomy of implementation attacks

Active vs passive:

• Active i.e. tampering: the key is recovered by exploiting some abnormal behavior e.g. power glitches or laser pulses
• Passive i.e. eavesdropping: the device operates within its specification

Invasiveness:

• Invasive aka expensive: the strongest type e.g. bus probing
• Semi-invasive: the device is de-packaged but no direct contact with the chip e.g. optical attacks or faults/glitches by voltage, clock, EM, etc.
• Non-invasive aka low-cost:
  • power/EM measurements
  • data remanence in memories (cooling down increases the retention time)
  • Rowhammer

Timing side-channel: PIN verification

Input: 4-digit PIN code

Output: PIN verified or rejected

Process CheckPIN(pin[4])
    int pin_ok = 0;
    if (pin[0] == 5)
        if (pin[1] == 9)
            if (pin[2] == 0)
                if (pin[3] == 2)
                    pin_ok = 1;
                end
            end
        end
    end
    return pin_ok;
EndProcess

What are the execution times of the process for PIN inputs

[0,1,2,3], [5,3,0,2], [5,9,0,0]?
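The slide's CheckPIN, instrumented to count how many digit comparisons run before it returns, next to a constant-time variant, as an added example that is not from the slides. The PIN 5902 and the three candidate inputs are the slide's; the comparison counter (a stand-in for execution time) and the constant-time check are added here.

```python
# Added example (not from the slides): the early-exit PIN check from the
# slide, written as a loop that stops at the first wrong digit, with a
# comparison counter as a proxy for execution time, and a constant-time
# variant that always does the same work. SECRET_PIN is the slide's PIN.
SECRET_PIN = (5, 9, 0, 2)


def check_pin_early_exit(pin):
    """Slide's CheckPIN. Returns (pin_ok, comparisons): the work stops at
    the first mismatch, so the count reveals how long the correct prefix
    of the guess is, one digit per measurement."""
    comparisons = 0
    for i in range(4):
        comparisons += 1
        if pin[i] != SECRET_PIN[i]:
            return 0, comparisons
    return 1, comparisons


def check_pin_constant_time(pin):
    """Compares all four digits every time and folds the mismatches into
    one accumulator, so the amount of work does not depend on the guess."""
    diff = 0
    comparisons = 0
    for i in range(4):
        comparisons += 1
        diff |= pin[i] ^ SECRET_PIN[i]
    return int(diff == 0), comparisons


def timing_table(candidates):
    """(early-exit comparisons, constant-time comparisons) per candidate."""
    return {tuple(c): (check_pin_early_exit(c)[1], check_pin_constant_time(c)[1])
            for c in candidates}


SLIDE_INPUTS = [(0, 1, 2, 3), (5, 3, 0, 2), (5, 9, 0, 0)]
```

With the early exit, the three inputs stop after 1, 2 and 4 comparisons respectively, i.e. the check leaks the length of the matching prefix. The constant-time version does four comparisons for every input. Note that a Python interpreter gives no timing guarantees of its own; the pattern (no early return, no data-dependent branch on the secret) is what matters when the check is written in C for the embedded target.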


Power side-channel: CMOS leakage

• The most relevant leakage for side-channel attacks is the charge and discharge of the CMOS load capacitance, a.k.a. dynamic power consumption
• Dynamic power consumption (P_dyn) is produced by CMOS transitions from state 0 to 1 and from state 1 to 0
• P_dyn = C · V_DD^2 · P_(0→1) · f, where C is the transistor capacitance, V_DD the power supply voltage, f the frequency and P_(0→1) the probability of a 0 → 1 transition

Power side-channel: Modeling the leakage

• Hamming distance model counts the number of 0 → 1 and 1 → 0 transitions
• Ex. 1: A hardware register R storing the result of an AES round (initial value v0 gets overwritten with value v1)
• Power consumption is related to the number of bit flips (due to the register transition v0 → v1)
• It can be modeled as HammingDistance(v0, v1) = HammingWeight(v0 ⊕ v1)

Power side-channel: Modeling the leakage

• Ex. 2: In a microcontroller, assume register A with value v0 and the instruction mov rB, rA
• In processors the instruction will transfer value v0 from register A to B via the CPU, using the bus
• Often the bus is pre-charged with all bits being zeros or all being ones (busInitialValue)
• Power consumption of the assembly instruction can be modeled as HammingDistance(busInitialValue, v0) = HammingWeight(v0 ⊕ 0) = HW(v0)

Power side-channel: Measurement setup

• Usually power measurements require physical proximity to the device and customized measurement equipment (resistor, oscilloscope)

Power side-channel: Measurement setup


SPA on AES

• Power consumption leakage of an AES cipher implementation on an AVR microcontroller

• How many rounds are executed?


SPA on AES


SPA on RSA Square and Multiply

RSA modular exponentiation

Input: integers x, e, n, length l of e
Output: x^e mod n

Process ModularExponentiation(x, e, n, l)
    r = 1;
    for j = l-1 down to 0
        r = r^2 mod n          // square
        if (bit j of e) == 1
            r = r * x mod n    // multiply
        end
    end
    return r;
EndProcess

SPA on RSA Square and Multiply

• Can you find the exponent bits by visual inspection of the patterns?


SPA on RSA Square and Multiply

• Square and Multiply (bit==1) are lengthier operations than Square only (bit==0)

• Multiplications are often more power consuming compared to Squarings


Power side-channel: RSA Square and Multiply Always

• Trying to fix the problem we create a timing-constant implementation

Process ConstantTimeModExp(x, e, n, l)
    r[0] = 1;
    r[1] = 1;
    for j = l-1 down to 0
        r[0] = r[0]^2 mod n      // square
        r[1] = r[0] * x mod n    // multiply
        index = bit j of e
        r[0] = r[index]
    end
    return r[0];
EndProcess

• Side-channel leakage still exists! Can you see it?
• Location-based leakage can lead to key recovery
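The two exponentiation routines from the slides, instrumented to record what a simple power analysis would see (the sequence of square and multiply operations, and for the "always" variant the register index read in each iteration), as an added example that is not from the slides. A third variant with a branch-free, index-free selection is added as the usual next step; it is a standard countermeasure and not something the slides show.

```python
# Added example (not from the slides): square-and-multiply and
# square-and-multiply-always with their SPA-visible traces, plus a
# variant that selects the result with a mask instead of an index.
def square_and_multiply(x, e, n, l):
    """Slide's ModularExponentiation; also returns the SQ/MUL trace."""
    r, trace = 1, []
    for j in range(l - 1, -1, -1):
        r = r * r % n
        trace.append("SQ")
        if (e >> j) & 1:
            r = r * x % n
            trace.append("MUL")
    return r, trace


def square_and_multiply_always(x, e, n, l):
    """Slide's ConstantTimeModExp: the SQ,MUL sequence is uniform, but the
    index read from r[] still follows the exponent bit (location leakage)."""
    r, trace, index_log = [1, 1], [], []
    for j in range(l - 1, -1, -1):
        r[0] = r[0] * r[0] % n
        trace.append("SQ")
        r[1] = r[0] * x % n
        trace.append("MUL")
        index = (e >> j) & 1
        index_log.append(index)
        r[0] = r[index]
    return r[0], trace, index_log


def bits_from_trace(trace):
    """Reads the exponent back from a SQ/MUL trace: a SQ followed by a
    MUL is a 1 bit, a SQ followed by another SQ (or the end) is a 0 bit."""
    bits = []
    for i, op in enumerate(trace):
        if op == "SQ":
            bits.append(1 if i + 1 < len(trace) and trace[i + 1] == "MUL" else 0)
    return bits


def ct_select(a, b, bit):
    """Returns b if bit == 1 else a, with neither a branch nor a
    data-dependent memory index (mask is 0 or all ones)."""
    mask = -bit
    return a ^ ((a ^ b) & mask)


def square_and_multiply_masked(x, e, n, l):
    """Always square and multiply; keep the product only when the bit is 1,
    chosen by masking rather than by indexing r[] with the secret bit."""
    r = 1
    for j in range(l - 1, -1, -1):
        r = r * r % n
        t = r * x % n
        r = ct_select(r, t, (e >> j) & 1)
    return r
```

For e = 1011 (binary) the first routine produces the trace SQ MUL SQ SQ MUL SQ MUL, from which bits_from_trace reads 1, 0, 1, 1 back; the second routine's trace is uniform but its index_log is again 1, 0, 1, 1. Python's big-integer arithmetic is not constant-time itself; the masked selection shows the structure a C implementation would use.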


EM side-channel

• Observing a power signal in an embedded device can be messy
  • Board capacitors, complicated SoCs, multiple peripherals
  • Countermeasures trying to flatten the power consumption signal
• Use an electromagnetic probe instead
• A probe is an easy way to access the power consumption with fewer board modifications
• Smaller probes can focus on interesting locations and ignore interference from unrelated electrical components

EM side-channel: Decapsulation

• To improve spatial resolution of analysis use a micrometer-sized antenna

• To exploit more leakage decapsulate the chip using chemicals


EM side-channel: Decapsulation and Microprobing

• Left: close inspection of decapsulated ARM processor using a microscope

• Right: EM emission heatmap of the same chip


Sound emission

• In 1965, MI5 put a microphone near the rotor-cipher machine used by the Egyptian Embassy
• RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, Shamir et al.
  • Attacking a computer by listening to the high-pitched (10 to 150 kHz) sounds produced as it decrypts data
  • Extracted 4096-bit RSA keys
  • Using low- and high-pass filters to ensure to get only the sounds that emanate from the PC while the CPU is decrypting data
  • Can be carried out over a distance of 4 m with a high-quality microphone (or a smartphone)

Out-of-order and speculative execution

• January 3rd 2018

• Kernel addresses were accessed unintentionally due to out-of-order execution

• Seems hard to patch since the culprit is the structure of a processor

• Meltdown and Spectre, https://meltdownattack.com/


Attackers goals and targets

• Targets: transportation cards, medical devices, passports, payment systems etc.
• The goals of side-channel analysis:
  • Recover the key and data
  • Gain unauthorized access
  • Acquire intellectual property
  • Privacy mining
  • Reverse engineering
  • Malware/intrusion detection

In short

• Overall side-channels pose a threat to secure implementations

• Side-channel attacks are usually passive (i.e. just listening or eavesdropping)

• Some are non-invasive e.g. power analysis or simple EM probing

• Others are classified as semi-invasive attacks e.g. high-resolution EM or photonic side-channel, since they require decapsulation

Correlation Power Analysis (CPA)


Ed25519

• Instance of EdDSA, which was proposed to "fix the unnecessary requirements on randomness" in ECDSA
• Does not depend on a "good" source of randomness, but instead derives a secret deterministically (hashing the msg and a long-term auxiliary key)
• Widely adopted by OpenSSH, Tor, Signal, WolfSSL etc.
• Turns out to be easy to attack in some real-world deployments, i.e. WolfSSL

Niels Samwel, Lejla Batina, Guido Bertoni, Joan Daemen and Ruggero Susella: Breaking Ed25519 in WolfSSL, CTRSA2018.
Niels Samwel, Lejla Batina: Practical Fault Injection on Deterministic Signatures: the Case of EdDSA, Africacrypt 2018.

The Attack Components

Three components

• Attacking Ed25519 to recover long term secret

• Attack on SHA512

• DPA on modular addition


Ed25519

Algorithm 1 Ed25519 key setup and signature generation

Key setup.
1: Hash k such that H(k) = (h0, h1, …, h_{2b−1}) = (a, b)
2: a = (h0, …, h_{b−1}), private scalar
3: b = (h_b, …, h_{2b−1}), auxiliary key
4: Compute public key: A = aB

Signature generation.
5: Compute ephemeral private key: r = H(b, M)
6: Compute ephemeral public key: R = rB
7: Compute h = H(R, A, M) and convert to integer
8: Compute: S = (r + ha) mod l
9: Signature pair: (R, S)

Attacking Ed25519

Using auxiliary key b that was successfully recovered:

1. Compute r = H(b, M).
2. Compute h = H(R, A, M).
3. Compute a = (S − r) h^(−1) mod l.

SHA512

Algorithm 2 Merkle Damgard

Input: Message M with 0 ≤ bit-length < 2^128
Output: Hash value of M
1: Pad message M by appending an encoding of the message length
2: Initialize chaining value CV with constant IV
3: Split padded message M into blocks
4: for all blocks M_i do
5:   CV_{i+1} ← CF(CV_i, M_i)
6: end for
7: return H ← CV

SHA512 construction

[Figure: SHA512 construction: IV and the first block (the key K followed by the remaining message bytes M0−k) enter the round function R through the message schedule w, giving a chaining value CV; CV and the next block M1 enter R again, giving the next CV]

SHA512 message schedule

[Figure: SHA512 message schedule: words w[0], …, w[19], … feed Round[0], …, Round[19], …; the expanded words beyond w[15] are computed with σ0 and σ1]

Attack


DPA on modular addition

Setup


DPA on modular addition

[Plot: discrete power consumption values (−150 to 150) over time samples (0 to 12 × 10^4), with Round 16 marked]

DPA on modular addition

w[16] ← σ1(w[14]) + w[9] + σ0(w[1]) + w[0]

DPA on modular addition

[Plot: success probability (0 to 1) versus number of traces (10^2 to 10^3), one curve each for k16, k17, k18, k19]

Countermeasure

[Figure: countermeasure: the SHA512 construction as before, but the first block fed through the message schedule w is (K, 0, R0) rather than the key followed by message bytes; the message block M0 is absorbed in the following call of R]

FI on Ed25519

Contributions
• We present a differential fault attack on Ed25519.
• We apply the attack on a real-world implementation using EM and voltage glitching.

Ed25519

Algorithm 3 Ed25519 key setup and signature generation

Key setup.
1: Hash k such that H(k) = (h0, h1, …, h_{2b−1}) = (a, b)
2: a = (h0, …, h_{b−1}), Private scalar
3: b = (h_b, …, h_{2b−1}), Auxiliary key
4: Compute public key: A = aB.

Signature generation.
5: Compute ephemeral private key: r = H(b, M).
6: Compute ephemeral public key: R = rB.
7: Compute h = H(R, A, M) and convert to integer.
8: Compute: S = (r + ha) mod l.
9: Signature pair: (R, S).

The Attack

Two signatures, original (R, S) and faulty (R′, S′):

S = r + ha
S′ = r + h′a
S − ha = S′ − h′a
a = (S − S′) / (h − h′)   (all mod l)
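The equation on the slide carried out on the scalar level over the Ed25519 group order l, as an added example that is not from the slides, next to what changes when the nonce r is no longer the same for both signatures. No curve arithmetic is involved: a, r, h and h′ are constructed test scalars, and the constant L is the Ed25519 group order.

```python
# Added example (not from the slides): the differential fault equation
# a = (S - S') / (h - h') mod l on constructed scalars, and the same
# computation when each signature uses a fresh nonce. L is the Ed25519
# group order; a, r, h, h' are random test values.
import secrets

L = 2**252 + 27742317777372353535851937790883648493   # Ed25519 group order


def s_component(r, h, a):
    """Step 8 of the algorithm: S = (r + h*a) mod l."""
    return (r + h * a) % L


def recover_private_scalar(S, S_faulty, h, h_faulty):
    """a = (S - S') * (h - h')^-1 mod l. Correct only if both signatures
    were made with the same nonce r, which deterministic signing of the
    same message guarantees."""
    return (S - S_faulty) * pow(h - h_faulty, -1, L) % L


def demo_deterministic():
    """Same r in both signatures (r = H(b, M), same M): r cancels."""
    a = secrets.randbelow(L)
    r = secrets.randbelow(L)
    h, h_faulty = secrets.randbelow(L), secrets.randbelow(L)  # h' from a faulted R
    S, S_faulty = s_component(r, h, a), s_component(r, h_faulty, a)
    return recover_private_scalar(S, S_faulty, h, h_faulty) == a


def demo_fresh_nonce():
    """With an independent r per signature, S - S' no longer cancels r
    and the quotient is unrelated to a."""
    a = secrets.randbelow(L)
    h, h_faulty = secrets.randbelow(L), secrets.randbelow(L)
    S = s_component(secrets.randbelow(L), h, a)
    S_faulty = s_component(secrets.randbelow(L), h_faulty, a)
    return recover_private_scalar(S, S_faulty, h, h_faulty) == a
```

The second function is the reason the auxiliary-key and nonce derivation is where countermeasures are applied: the fault only pays off because S and S′ share r. Any fault-detection step that stops a signature with a corrupted h from leaving the device (for example, verifying the signature before output) breaks the equation just as well.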


Setup

[Figure (a) Setup Overview: PC with oscilloscope, FTDI and trigger; VC Glitcher supplying Vcc, trigger and reset to the target; reset line; glitch amplifier (in, out); current probe (in +, in −, out); XYZ-table holding the target; pulse amplitude and digital glitch signals. (b) Setup Photo]

Results

[Plots: glitch voltage (V) (−0.5 to 0) versus glitch length (ns) (0 to 5000); glitch voltage (V) versus glitch offset (ns) (0 to 2 × 10^6); glitch length (ns) versus glitch offset (ns)]

Figure: Voltage fault injection results, Normal (green), Inconclusive (yellow), Successful (red).

Results

[Figure: results plotted over the x-axis and y-axis positions]

Conclusion

Two physical attacks on Ed25519

• Side-channel analysis of Ed25519 with 4000 traces
• Fault injection on Ed25519 with 100% success rate for EM FI and 70% for voltage glitching out of 10 000 measurements
• For both attacks there exist inexpensive countermeasures

Differential Cryptanalysis

Maria Eichlseder
CRYPTACUS Training School, Azores, 20 April 2018

www.iaik.tugraz.at

This Lecture: Overview

The context
Introduction to differential cryptanalysis
Finding characteristics with automatic tools
Impact for lightweight crypto
Applications beyond cryptanalysis

[Figure: layers of cryptography: protocols – TLS, …; schemes – SHA-2, AES-GCM, …; primitives – AES, …]

Primitives

[Figure: block cipher E: (M, K) → C; tweakable block cipher E: (M, T, K) → C; permutation P: M → C; compression function F: (H_i, M_i) → H_{i+1}]

Primitives – A Look Inside

[Figure: a primitive as a sequence of round functions R_h applied to the state, with M, T, K entering and C leaving]

Differential Cryptanalysis [BS90]

Method: [Figure: an input difference ∆M passes through E_K and produces an output difference ∆C]

Attack Goals: [Figure: key recovery (∆M → ∆C with probability p, recovering the round key K_r); collision/forgery (∆M → ∆C = 0 with probability p); …]

Part I: Differential Characteristics

Primitives – A Closer Look Inside
Example: The block cipher PRESENT (31 rounds) [BKL+07]

[Figure: two rounds of PRESENT with 16 parallel 4-bit S-boxes per round and the bit permutation between them]

Primitives – A Closer Look Inside
Example: A toy block cipher

[Figure: six rounds, each a key addition ⊕K_i (i = 0, …, 5) followed by four 4-bit S-boxes S S S S, then the final key K6]

x    0 1 2 3 4 5 6 7 8 9 a b c d e f
S(x) 2 0 4 3 9 5 6 7 1 d e f a 8 c b

Let's Flip a Bit

[Figure: the toy cipher after flipping one input bit; the one S-box whose input differs is marked "active"]

Differential Properties of S-boxes (Confusion)∆in = 8 → ∆out =?

x 0 1 2 3 4 5 6 7 8 9 a b c d e f

S(x) 2 0 4 3 9 5 6 7 1 d e f a 8 c b

9 / 31

Page 393: COST Action IC1403 Training School – Booket of ... - Cryptacus

www.iaik.tugraz.at

Differential Properties of S-boxes (Confusion)∆in = 8 → ∆out =?

x 0 1 2 3 4 5 6 7 8 9 a b c d e f

S(x) 2 0 4 3 9 5 6 7 1 d e f a 8 c b

∆in = 8

∆out = 3

9 / 31www.iaik.tugraz.at

Differential Properties of S-boxes (Confusion)∆in = 8 → ∆out =?

x 0 1 2 3 4 5 6 7 8 9 a b c d e f

S(x) 2 0 4 3 9 5 6 7 1 d e f a 8 c b

∆in = 8

∆out = d

9 / 31

Page 394: COST Action IC1403 Training School – Booket of ... - Cryptacus

www.iaik.tugraz.at

Differential Properties of S-boxes (Confusion)∆in = 8 → ∆out =?

x 0 1 2 3 4 5 6 7 8 9 a b c d e f

S(x) 2 0 4 3 9 5 6 7 1 d e f a 8 c b

∆in = 8

∆out = a

9 / 31www.iaik.tugraz.at

Differential Properties of S-boxes (Confusion)∆in = 8 → ∆out ∈ 3, a, c, d

x 0 1 2 3 4 5 6 7 8 9 a b c d e f

S(x) 2 0 4 3 9 5 6 7 1 d e f a 8 c b

Knowing the value tells us the differenceKnowing the difference tells us (something about) the value:

solutions(∆in,∆out) := x : S(x ⊕∆in) ⊕ S(x) = ∆out

9 / 31

Differential Distribution Table (DDT)

Entry (I, O) counts the inputs x with S(x ⊕ I) ⊕ S(x) = O; “-” means 0.

I\O  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
 0  16  -  -  -  -  -  -  -  -  -  -  -  -  -  -  -
 1   -  4  4  -  -  -  -  4  -  -  -  -  4  -  -  -
 2   -  -  4  4  -  -  4  -  -  -  -  -  -  -  -  4
 3   -  4  -  4  4  -  -  -  -  -  -  -  -  -  4  -
 4   -  -  4  -  4  4  -  -  -  -  -  4  -  -  -  -
 5   -  -  -  4  -  4  -  4  -  4  -  -  -  -  -  -
 6   -  -  -  -  4  -  4  4  -  -  -  -  -  4  -  -
 7   -  4  -  -  -  4  4  -  -  -  4  -  -  -  -  -
 8   -  -  -  4  -  -  -  -  -  -  4  -  4  4  -  -
 9   -  4  -  -  -  -  -  -  -  -  -  4  -  4  -  4
 a   -  -  -  -  -  4  -  -  -  -  -  -  4  -  4  4
 b   -  -  4  -  -  -  -  -  -  4  -  -  -  4  4  -
 c   -  -  -  -  -  -  -  -  16 -  -  -  -  -  -  -
 d   -  -  -  -  4  -  -  -  -  4  4  -  -  -  -  4
 e   -  -  -  -  -  -  -  4  -  -  4  4  -  -  4  -
 f   -  -  -  -  -  -  4  -  -  4  -  4  4  -  -  -
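As an added example (not code from the slides), the following Python computes the DDT and the solutions(∆in, ∆out) set for the toy S-box above, cross-checks the result against the table as printed on the slide, and reports the best non-trivial differential; it exposes that this toy S-box even has a probability-1 transition c → 8. Only the S-box and the DDT are taken from the slides; the function names are my own.

```python
"""Differential distribution table (DDT) of the 4-bit S-box used by the toy cipher."""

# The S-box from the slide, indexed by x = 0..f.
SBOX = [0x2, 0x0, 0x4, 0x3, 0x9, 0x5, 0x6, 0x7,
        0x1, 0xd, 0xe, 0xf, 0xa, 0x8, 0xc, 0xb]

# The DDT as printed on the slide, transcribed for cross-checking ("-" means 0).
SLIDE_DDT = """
0 16 - - - - - - - - - - - - - - -
1 - 4 4 - - - - 4 - - - - 4 - - -
2 - - 4 4 - - 4 - - - - - - - - 4
3 - 4 - 4 4 - - - - - - - - - 4 -
4 - - 4 - 4 4 - - - - - 4 - - - -
5 - - - 4 - 4 - 4 - 4 - - - - - -
6 - - - - 4 - 4 4 - - - - - 4 - -
7 - 4 - - - 4 4 - - - 4 - - - - -
8 - - - 4 - - - - - - 4 - 4 4 - -
9 - 4 - - - - - - - - - 4 - 4 - 4
a - - - - - 4 - - - - - - 4 - 4 4
b - - 4 - - - - - - 4 - - - 4 4 -
c - - - - - - - - 16 - - - - - - -
d - - - - 4 - - - - 4 4 - - - - 4
e - - - - - - - 4 - - 4 4 - - 4 -
f - - - - - - 4 - - 4 - 4 4 - - -
"""


def solutions(sbox, d_in, d_out):
    """solutions(din, dout) := {x : S(x ^ din) ^ S(x) = dout}, as defined on the slide."""
    return [x for x in range(len(sbox)) if sbox[x ^ d_in] ^ sbox[x] == d_out]


def ddt(sbox):
    """DDT[din][dout] = number of inputs x with S(x ^ din) ^ S(x) = dout."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for d_in in range(n):
        for x in range(n):
            table[d_in][sbox[x ^ d_in] ^ sbox[x]] += 1
    return table


def output_differences(sbox, d_in):
    """Sorted list of the output differences reachable from one input difference."""
    return sorted({sbox[x ^ d_in] ^ sbox[x] for x in range(len(sbox))})


def best_differential(sbox):
    """(probability, din, dout) of the most likely transition with din != 0."""
    n = len(sbox)
    table = ddt(sbox)
    count, d_in, d_out = max((table[d][o], d, o) for d in range(1, n) for o in range(n))
    return count / n, d_in, d_out


def parse_slide_ddt(text):
    """Turn the slide's '-' notation into rows of integers."""
    rows = []
    for line in text.strip().splitlines():
        cells = line.split()[1:]          # drop the row label (input difference)
        rows.append([0 if c == "-" else int(c) for c in cells])
    return rows


def matches_slide(sbox=SBOX, text=SLIDE_DDT):
    """Cross-check: the computed DDT must equal the one printed on the slide."""
    return ddt(sbox) == parse_slide_ddt(text)


def format_ddt(table):
    """Render a DDT in the slide's style (I\\O header, '-' for zero)."""
    n = len(table)
    lines = ["I\\O " + " ".join(f"{o:>2x}" for o in range(n))]
    for d_in, row in enumerate(table):
        lines.append(f"{d_in:>3x} " + " ".join(f"{v:>2}" if v else " -" for v in row))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_ddt(ddt(SBOX)))
    print("din=8 -> dout in", [f"{d:x}" for d in output_differences(SBOX, 8)])
    print("solutions(8, 3) =", [f"{x:x}" for x in solutions(SBOX, 8, 3)])
    print("best differential (p, din, dout):", best_differential(SBOX))
    print("matches slide:", matches_slide())
```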

Let’s Flip a Bit

(figure: a one-bit input difference traced through the toy cipher, marking the active S-boxes in each round)

∆      p
8000   1
3000   2^-2    (·2^-2 through the active S-box)
0280   2^-2    (·1 through the bit permutation)

Other choices for the output difference of the active S-box give other second-round differences, each with the same probability 2^-2 for the S-box step and ·1 for the permutation step:

8000 → a000 → 8200
8000 → d000 → a080
8000 → c000 → a000

Continuing with c000 → a000 in the following round as well:

∆      p
8000   1
c000   2^-2
a000   2^-2
c000   2^-4
a000   2^-4
...    ...

Differential Properties of Mixing Layers (Diffusion)

Branch number B: minimum number of active S-boxes in 2 consecutive rounds. In our toy cipher: B = 2. Can we do better?

Best case: B = 1 + number of S-boxes per round. Requires actual “mixing” (xor), not just bit permutations.

Design of AES

(figure: propagation of a one-byte difference through two rounds of AES)

00 00 00 40     S     00 00 00 6a     PMC     00 00 00 d4     S     00 00 00 2b     PM     cd 61 a3 56
00 00 00 00   --->    00 00 00 00    ---->    00 00 00 6a   --->    00 00 00 61   --->    cd a3 c2 2b
00 00 00 00           00 00 00 00              00 00 00 6a           00 00 00 61           4c c2 61 2b
00 00 00 00           00 00 00 00              00 00 00 be           00 00 00 cd           81 61 61 7d
               2^-6                                           2^-6×4

Max differential probability (MDP) of the 8×8 S-box: 2^-6. MDS mixing layer with B = 5 (in 2 rounds → ≥ 5 active S-boxes). In 4 rounds → ≥ 25 active S-boxes → p ≤ 2^-6×25 = 2^-150.

Part II: Finding Differential Characteristics

Automated tools for cryptanalysis

Motivation:
- Finding the best (or very good) characteristics can be very hard
- Necessary to evaluate new primitives

Solvers:
- By hand
- General-purpose solvers:
  SAT/SMT (Boolean SATisfiability / Satisfiability Modulo Theories): STP, Lingeling, . . .
  MILP (Mixed Integer Linear Programming): IBM ILOG CPLEX, Gurobi, . . .
  CP (Constraint Programming): Z3, Choco, . . .
- Dedicated solvers: nltool (SHA-2), KeccakTools (SHA-3), . . .

Example: AES as a Mixed-Integer Linear Program (MILP) [MWGP11]

Variables:
S_{r,i} ∈ {0, 1}: Is S-box i in round r active?
M_{r,j} ∈ {0, 1}: Is MixColumns j in round r active?

Linear Program (LP):

min   Σ_{r,i} S_{r,i}                                                        (Min # active S-boxes)
s.t.  B · M_{r,j} ≤ Σ_{i=1}^{4} S_{r,j_i} + Σ_{i=5}^{8} S_{r+1,j_i} ≤ 8 · M_{r,j}     (For each MixColumns)
      Σ_{r,i} S_{r,i} ≥ 1                                                    (Non-triviality)

Part III: Exploiting Differentials

A Differential Characteristic

(figure: three rounds of the toy cipher, keys K0 . . . K3, with one active S-box per round)

∆       p = 2^-6
8000
a000    ·2^-2
a000    ·2^-2
a000    ·2^-2

A Differential

(figure: the same three rounds, with only the input and output differences fixed and the intermediate differences left open: ?)

∆       p ≥ 2^-6
8000
  ?     ≥ 2^-6
a000

For Forgeries

Example: CBC-MAC

(figure: message blocks M1, . . ., M_{ℓ−1}, M_ℓ chained through E_K starting from 0, producing the tag T; a difference ∆M_{ℓ−1} in the second-to-last block propagates through E_K to a difference that is cancelled by ∆M_ℓ in the last block)

Forgery with success probability p

For Key Recovery

(figure: ∆M → E_K → ∆C with probability p; last-round key K_r)

Assume p ≫ 2^-b.
Query about 1/p chosen-plaintext pairs (M, M′) → (C, C′).
Decrypt each pair 1 round with each possible last-round key K_r.
If we get ∆C, upvote candidate K_r.

K_r     Upvote counter
0000
0001
0002
0003
. . .   . . .

For Key Recovery – Details

p:  expected differential probability for R − 1 rounds
N:  number of queried pairs
A:  upvoted candidates per pair
B:  fraction of pairs after filtering ciphertexts
k:  number of guessed key bits
Ps: target success probability of the attack

Signal-to-Noise Ratio:

SNR = (N · p_right) / (N · p_wrong) = p / (A · B · 2^-k).

Need roughly N ≈ 3 · 1/p pairs if SNR ≫ 2, or N ≈ 30 · 1/p if 1 < SNR ≤ 2. More precisely, using ranking statistics, to recover the k bits we need about:

N = (√(SNR + 1) · Φ^{-1}(Ps) + Φ^{-1}(1 − 2^{-k}))^2 / SNR · p^{-1}.
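As an added example (not from the slides), the SNR and the ranking-statistics estimate of N above, evaluated in Python with the standard library's normal distribution for Φ. The setting is constructed: p = 2^-6 is the 3-round toy characteristic from these slides, while A = 1, B = 1, k = 16 guessed key bits and Ps = 0.95 are assumed values; the “SNR ≫ 2” rule of thumb is read as SNR > 2, also an assumption.

```python
"""Data complexity of differential key recovery from the SNR (slide formulas)."""
from math import sqrt
from statistics import NormalDist

_N = NormalDist()            # standard normal: _N.cdf is Φ, _N.inv_cdf is Φ^{-1}


def snr(p, A, B, k):
    """SNR = N·p_right / N·p_wrong = p / (A · B · 2^-k)."""
    return p / (A * B * 2.0 ** (-k))


def pairs_rule_of_thumb(p, snr_value):
    """Slide rule of thumb: N ≈ 3/p if SNR ≫ 2 (taken here as SNR > 2, an
    assumption), N ≈ 30/p if 1 < SNR ≤ 2; None if SNR ≤ 1 (no estimate given)."""
    if snr_value > 2:
        return 3.0 / p
    if 1 < snr_value <= 2:
        return 30.0 / p
    return None


def pairs_needed(p, snr_value, k, ps):
    """Ranking-statistics estimate from the slide:
    N = (sqrt(SNR + 1) · Φ^{-1}(Ps) + Φ^{-1}(1 − 2^-k))^2 / SNR · p^{-1}."""
    a = sqrt(snr_value + 1) * _N.inv_cdf(ps) + _N.inv_cdf(1 - 2.0 ** (-k))
    return a * a / snr_value / p


def success_probability(p, n_pairs, snr_value, k):
    """The same relation solved for Ps, so it can be checked against pairs_needed."""
    z = (sqrt(n_pairs * snr_value * p) - _N.inv_cdf(1 - 2.0 ** (-k))) / sqrt(snr_value + 1)
    return _N.cdf(z)


def estimate(p, A, B, k, ps):
    """Summarise SNR, rule-of-thumb N and ranking-statistics N for one attack setting."""
    s = snr(p, A, B, k)
    return {"snr": s,
            "rule_of_thumb": pairs_rule_of_thumb(p, s),
            "ranking": pairs_needed(p, s, k, ps)}


if __name__ == "__main__":
    # Constructed setting: p = 2^-6 (3-round toy characteristic from the slides),
    # assumed A = B = 1, k = 16 guessed key bits, target success probability 95 %.
    for name, value in estimate(2.0 ** -6, 1, 1, 16, 0.95).items():
        print(f"{name:>14}: {value:.1f}")
```

With these parameters the ranking-statistics estimate comes out close to the 3/p rule of thumb, as the slide predicts for large SNR.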

Some Grains of Salt

“Expected differential probability (EDP)”

“Hypothesis of stochastic equivalence”

“Wrong key randomization hypothesis”

Dependencies, known-/related-key constructions (∆K), clustering, . . .

Part IV: The Case of Lightweight Ciphers

The Case of Lightweight Ciphers

What they offer (some out of . . .):
- Lower area
- Lower energy
- Lower latency
- Cheaper SC protection

How they do it:
- Small, low-degree S-boxes → higher p
- Lightweight linear layer → lower B
- Minimal security margin (?) → fragile
- Constrained attack model (?) → fragile

Example: Analysis of MANTIS [BJK+16]

Breaking a low-latency tweakable block cipher in 1 hour [DEKM16; EK17]

(figure: the MANTIS structure from M to C under tweak T, with tweakey inputs k0, k0′, k1 and k1 + α, rounds 1 . . . 6* and 7* . . . 12 built from S, P and M layers and the tweak update h, with the middle rounds marked ?)

1 = |χ_i|   Differential characteristic             2^-72
15 or 16    Truncated differential characteristic   2^-100
4           This cluster                            2^-39
13          Data complexity per solution            2^≈25

Part V: “Cheating” with Differences

Cheat 1: Changing the Intermediates, not the Input

Differential Fault Attacks (DFA) [BS97], Statistical Fault Attacks (SFA) [FJLT13]

(figure) differential cryptanalysis: ∆M → E_K → ∆C with probability p, last-round key K_r
(figure) differential fault analysis: M → E_K with a fault E before K_r → ∆C
(figure) statistical fault analysis: M → E_K with a fault E before K_r → ∆C, C

Cheat 1: Changing the Intermediates, not the Input

Statistical Ineffective Fault Attacks (SIFA) [DEK+18]

(figure) M → E_K with a fault E before K_r → ∆C, C, only if ∆ = 0
(plot residue: N_LLR over 500, 1000 . . ., with LLR∗_W, µ∗_W, LLR_R, µ_R)

https://eprint.iacr.org/2018/071

Cheat 1: Changing the Intermediates, not the Input

SIFA Revisited for Masked Implementations [DEG+18]

(figure: implementation view – a fault E in round R−1 / round R of the masked implementation; analysis view – the same fault E seen on the unmasked cipher E_K)

https://eprint.iacr.org/2018/357

Cheat 2: Changing the Outside, not the Inside

(Cryptographic) polyglots [AAE+14]

(figure: pairs of files that collide under the hash but behave differently: file0.mbr “good!” vs. file1.mbr “evil!”; file0.sh “good.” vs. file1.sh “evil.”; file0.rar “good” vs. file1.rar containing “evil.txt”; credit @angealbertini)

Differential Cryptanalysis

Maria Eichlseder, CRYPTACUS Training School, Azores, 20 April 2018

Bibliography I

[BS90] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. Advances in Cryptology – CRYPTO 1990.
[BKL+07] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw, Y. Seurin, and C. Vikkelsoe. PRESENT: an ultra-lightweight block cipher. Cryptographic Hardware and Embedded Systems – CHES 2007.
[MWGP11] N. Mouha, Q. Wang, D. Gu, and B. Preneel. Differential and linear cryptanalysis using mixed-integer linear programming. Information Security and Cryptology – Inscrypt 2011.
[BJK+16] C. Beierle, J. Jean, S. Kölbl, G. Leander, A. Moradi, T. Peyrin, Y. Sasaki, P. Sasdrich, and S. M. Sim. The SKINNY family of block ciphers and its low-latency variant MANTIS. Advances in Cryptology – CRYPTO 2016.
[DEKM16] C. Dobraunig, M. Eichlseder, D. Kales, and F. Mendel. Practical key-recovery attack on MANTIS5. IACR Transactions on Symmetric Cryptology 2016:2, 2016.
[EK17] M. Eichlseder and D. Kales. Clustering related-tweak characteristics: Application to MANTIS-6. IACR Cryptology ePrint Archive, Report 2017/1136.

Bibliography II

[BS97] E. Biham and A. Shamir. Differential fault analysis of secret key cryptosystems. Advances in Cryptology – CRYPTO ’97.
[FJLT13] T. Fuhr, E. Jaulmes, V. Lomné, and A. Thillard. Fault attacks on AES with faulty ciphertexts only. Fault Diagnosis and Tolerance in Cryptography – FDTC 2013.
[DEK+18] C. Dobraunig, M. Eichlseder, T. Korak, S. Mangard, F. Mendel, and R. Primas. Exploiting ineffective fault inductions on symmetric cryptography. IACR Cryptology ePrint Archive, Report 2018/071.
[DEG+18] C. Dobraunig, M. Eichlseder, H. Groß, S. Mangard, F. Mendel, and R. Primas. Statistical ineffective fault attacks on masked AES with fault countermeasures. IACR Cryptology ePrint Archive, Report 2018/357.
[AAE+14] A. Albertini, J.-P. Aumasson, M. Eichlseder, F. Mendel, and M. Schläffer. Malicious hashing: Eve’s variant of SHA-1. Selected Areas in Cryptography – SAC 2014.

Efficient, portable template attacks

Marios O. Choudary, Markus G. Kuhn
Computer Laboratory
https://www.cl.cam.ac.uk/~mgk25/

Paper: IEEE Trans. Inf. Foren. Sec. 13(2), Feb. 2018, DOI 10.1109/TIFS.2017.2757440

(figure: a supply-current trace, Time [µs] from 0 to 10 on the horizontal axis, Current [mA] from 0 to 8 on the vertical axis)

Side-channel attacks on microcontrollers I

The power-supply current waveform of microprocessors (and resulting EM emissions) is affected at each clock cycle by

- (category of) the executed instruction
- addresses/registers accessed
- operands
- status flags
- result values
- prior state (of wires, bus lines, flip flops, memory cells)
- intermediate activities (e.g., glitches before ALU results are stable)
- micro-architectural state
- etc.

Side-channel attacks on microcontrollers II

Instruction categories are often easy to distinguish visually, e.g. if a conditional branch is taken or not. (“simple power analysis”)

In some cases (e.g., with interpreters) this enables reconstruction of executed application instruction sequences from recordings of a single execution.

Data-dependent variations require more effort to separate them from measurement noise:

- repeat measurements
- statistical signal processing
- exploitation of knowledge of executed algorithms
- low-noise/low-jitter measurement setup

(figure: current traces for 256 different values of password byte 1, 528–529 µs, −5 to 20 mA; wrong inputs: min/max measured currents and min/max difference to median; correct input: current and difference to median)

Side-channel attacks on microcontroller data busses

Many techniques have been demonstrated since 1998 to exploit data-dependent variations in power and EM emissions. Most of these reconstruct subkeys used in known crypto algorithms by observing operation v_k(p) = S(p ⊕ k) with known plain-text input p and substitution table (“s-box”) S, e.g. in first round of a block cipher:

Differential Power Analysis: [Kocher, et al., 1998]

- for all candidate subkey bytes k ∈ S and each observed input p predict one bit b in v_k(p)
- estimate leakage trace x_{k,b}(t) as a function of b (by averaging many traces with different p but identical k and b)
- only the correct candidate key k will cause a significant peak at time t in the difference-of-means trace x_{k,1}(t) − x_{k,0}(t)

Only if the assumed k was correct will we have split our set of recorded traces correctly into two piles, one for b = 0 and one for b = 1, such that the two average traces, one for each pile, show a difference (contributed by b).

Correlation Power Analysis:

- for all candidate subkeys k ∈ S predict a value f(v_k(p)) that is expected to be proportional to some samples in the leakage traces, e.g. the Hamming weight of v_k(p)
- the correct candidate key k will cause the highest Pearson correlation coefficient between f(v_k(p)) and some sample positions in the recorded leakage traces

Mutual Information Analysis:

- the correct candidate key k will cause the highest mutual information between (some function f of) v_k(p) and some sample positions in the recorded leakage traces

Template Attack: [Chari, et al., 2003]

- profiling phase: build a Gaussian multivariate model (pdf) for the leakage trace for each result byte v (requires access to a test chip/mode where k and hence v is known)
- attack phase: find the maximum-likelihood candidate key k given n_a leakage traces x_{p_1}, x_{p_2}, . . . , x_{p_{n_a}} and associated inputs p, using the probability density function f(x_p | v) built during the profiling phase

“Stochastic Model”: [Schindler, et al., 2005]

- profiled, like template attack, but rather than building a pdf for each possible value v, model the leakage trace of v as a linear combination of traces for its individual bits (or pairs)
- shorter profiling phase due to reduced number of parameters to be estimated
- more practical for 16-bit busses
- can be less accurate than full template attack, especially with small design sizes (more non-linear effects, capacitive coupling between bus traces, etc.)

“Deep Learning”:

- profiled attack to train a neural network to classify traces according to v
- very compute intensive, very large number of parameters
- convolutional layers may learn to auto-align traces, whereas template attacks rely strongly on low-jitter alignment
- all magic

Objectives here:

- Use template attack independent of any cryptographic algorithm (no known s-box, etc.).
- Directly eavesdrop on 8-bit parallel bus lines (or 32-bit busses that handle 8-bit data)
- Demonstration attack target: a single 8-bit load instruction (e.g., RAM to register) in a microcontroller
- Example targets: data parsers handling secrets, string processing functions, instruction fetch cycles, loading keys into cryptographic hardware, etc. (“sub-cryptographic algorithms”)
- Such code may still lack masking/hiding countermeasures
- Much more demanding than DPA-style crypto attacks, as we now depend on all bits being distinguishable (rather than just cruder leakage models, such as Hamming weights)
- Signal pre-processing and dimensionality reduction to maximize signal-to-noise ratio and reduce number of parameters to estimate become crucial

Template attack (basics, notation)

Hopefully identical hardware: profiling device, attacked device

Goal: infer some secret value k⋆ ∈ S, processed by the attacked device at some point. For 8-bit microcontroller: S = {0, . . . , 255}.

Required: ability to sample supply-current or electro-magnetic waveforms (“raw leakage vectors” x^r ∈ R^{m_r}) at times t_1, . . . , t_{m_r} during and near the point in time where k⋆ is processed.

Profiling phase: record n_p raw leakage vectors x^r_{ki} ∈ R^{m_r} (1 ≤ i ≤ n_p) from the profiling device for each possible candidate value k ∈ S.

Result: one raw leakage matrix X^r_k ∈ R^{n_p × m_r} for each k ∈ S, containing the row vectors x^r_{ki}′ (′ = transposed).

Trace compression (basics, notation)

Raw leakage vectors x^r_{ki} may contain m_r = hundreds or thousands of samples, due to high sampling rates used.

We may compress them before further processing, either by

- sample selection: keep only a subset of m ≪ m_r samples
- dimensionality reduction: Principal Component Analysis (PCA) or Fisher’s Linear Discriminant Analysis (LDA)

Compressed leakage vectors: x^r_{ki} ∈ R^{m_r} ↦ x_{ki} ∈ R^m

Combine these as rows into the compressed leakage matrix X_k ∈ R^{n_p × m}.

Without any such compression step: X_k = X^r_k and m = m_r.

Template parameters (basics, notation)

Now use compressed leakage matrices X_k to estimate for each possible value k ∈ S

Mean trace:          x̄_k = (1/n_p) Σ_{i=1}^{n_p} x_{ki}

Covariance matrix:   S_k = (1/(n_p − 1)) Σ_{i=1}^{n_p} (x_{ki} − x̄_k)(x_{ki} − x̄_k)′

Note: Σ_{i=1}^{n_p} (x_{ki} − x̄_k)(x_{ki} − x̄_k)′ = X̃_k′ X̃_k, where X̃_k is X_k with x̄_k′ subtracted from each row.

Side-channel leakage traces can generally be modelled well by a Gaussian multi-variate distribution, meaning that x̄_k and S_k are sufficient statistics defining the underlying distribution (probability density function)

f(x | k) = 1 / √((2π)^m |S_k|) · e^{−½ (x − x̄_k)′ S_k^{-1} (x − x̄_k)}

Illustrative example

(figure: scatter plot of traces in two dimensions, −50 to 40 horizontally and −20 to 30 vertically) Each dot represents a trace x (with just m = 2 samples, colour indicates k), red circles represent mean traces x̄_k, red lines represent eigenvectors of covariance matrix S_k, and the green ellipses are equiprobability lines of f(x | k).

Attack phase (basics, notation)

Infer the secret value k⋆ ∈ S processed by the attacked device:

- Trigger repeat processing of k⋆ for n_a times.
- Use same recording technique and compression method as in profiling phase.
- Obtain n_a leakage vectors x_i ∈ R^m, store in leakage matrix X_{k⋆} ∈ R^{n_a × m}.
- For each k ∈ S compute a discriminant score D(k | X_{k⋆}).
- Finally try all k ∈ S on the attacked device, in order of decreasing score (optimized brute-force search, e.g. for a password or cryptographic key), until correct k⋆ found.

Discriminant function

Given a trace x_i from X_{k⋆}, Bayes’ rule suggests:

D(k | x_i) = f(x_i | k) P(k)

or, if P(k) is independent of k (P(k) = |S|^{-1}), then

D(k | x_i) = f(x_i | k).

The full Bayes likelihood is

L(k | x_i) = f(x_i | k) P(k) / Σ_{k′} f(x_i | k′) P(k′)

but we can omit here factors that are the same for each k and therefore do not affect the relative order of the discriminant scores.

With more than one measurement, assuming noise is independent across repeat measurements, the joint likelihood over all attack traces x_i in X_{k⋆} is

L(k | X_{k⋆}) = Π_{x_i in X_{k⋆}} L(k | x_i)

Is this a better discriminant than L(k | n_a^{-1} Σ_{i=1}^{n_a} x_i), i.e. averaging all attack traces first before looking up a pdf? Yes, but . . .

Numerical problems

So far so simple. But in practice the pdf

f(x | k) = 1 / √((2π)^m |S_k|) · e^{−½ (x − x̄_k)′ S_k^{-1} (x − x̄_k)}

can easily cause numerical problems that require attention:

- S_k may not be invertible (|S_k| ≈ 0). In fact S_k cannot be invertible if n_p ≤ m: this is because S_k is essentially X̃_k′ X̃_k, and therefore X_k ∈ R^{n_p × m} and S_k ∈ R^{m × m} have the same rank.
- |S_k| may also overflow easily.
- e^x may overflow easily: IEEE double covers e^x only for |x| < 710, easily exceeded for large m.

Pooled co-variance matrix

The template mean vectors x̄_k characterize the signal. The co-variance matrices S_k characterize the noise.

If the measured noise is independent of the signal, then the underlying covariances estimated by the S_k will be identical (“homoscedasticity”).

We can then average the S_k into a single pooled covariance matrix:

S_pooled = (1/|S|) Σ_{k∈S} S_k

This has many advantages:

- better noise model (more data)
- relaxation of the necessary condition for S_pooled being invertible: m < |S| · n_p, or n_p > m/|S|
- enables compression with Linear Discriminant Analysis (LDA)
- enables faster and more stable discriminant functions

But: some side-channel countermeasures can result in data-dependent noise.

Illustrative example

(figure: the same scatter plot, now with the pooled covariance) All |S| = 8 error ellipses are identically sized and orientated, and do not depend on k.

Compression: sample selection I

- keeping the dimension m of the multivariate pdf model small helps avoid numerical problems
- many samples in x^r_i will contain no data-dependent variation
- discarding too much information will reduce success rate

Data-dependent variation characterized by between-groups vectors:

τ_k = x̄^r_k − x̄^r   where   x̄^r = (1/|S|) Σ_{k∈S} x̄^r_k.

Various per-sample signal-strength estimates have been proposed: Difference of Means (DOM), the Sum of Squared Differences (SOSD), the Signal to Noise Ratio (SNR) and SOST. Example:

s_DOM(t) = Σ_{1≤k<k′<|S|} |x̄^r_k(t) − x̄^r_{k′}(t)|

Compression: sample selection II

(figure: normalized signal-strength estimates from DOM, SOSD and SNR on our reference data set (Grizzly Beta), plotted over clock cycles 1 to 2.5 together with the std and clock signals)

Simplest techniques: take the m samples with the highest signal strength s(t), or all above some threshold.

But these may all come from the same clock cycle and be highly correlated with each other (i.e., not say much new).

Alternative strategy: take a maximum number of samples (e.g., 1, 3, 20) from each clock cycle.

Covariance of the between-group vectors

(figure: the scatter plot from before, with the between-groups vectors τ_k = x̄^r_k − x̄^r shown in blue)

Principal Component Analysis [Archambeau et al., 2006]

Sample-between-groups matrix:

B = Σ_{k∈S} (x̄^r_k − x̄^r)(x̄^r_k − x̄^r)′

Singular value decomposition: B = U D U′

- each column of the orthonormal matrix U ∈ R^{m_r × m_r} is an eigenvector u_j of B
- the diagonal matrix D ∈ R^{m_r × m_r} contains the corresponding eigenvalues δ_j, with δ_1 ≥ δ_2 ≥ · · · ≥ δ_{m_r}.

Only the first m ≪ |S| eigenvectors (u_1 . . . u_m) = U_m are needed to preserve most of the variability from the mean vectors x̄^r_k.

Compression step: X_k = X^r_k U_m

This projects each raw trace x^r_i in X^r_k onto the just m largest eigenvectors of B: x_i = x^r_i U_m.

PCA example: eigenvectors of B

(figure: eigenvectors u_1 . . . u_6 of B plotted over samples 0 to 2500)

PCA example: eigenvalues of B

(figure: the first 20 eigenvalues of B on a log scale from 10^6 to 10^11)

Linear discriminant analysis: maximising SNR

(figure: the scatter plot from before) LDA uses two covariance matrices: B for signal and S_pooled for noise, and projects the x^r_i onto the largest eigenvectors of the “signal-to-noise matrix” (S^r_pooled)^{-1} B.

Linear discriminant analysis I [Standaert/Archambeau, 2008]

PCA finds directions u_j where the signal is strong, to project onto, but ignores the noise.

Fisher’s LDA instead considers projections y_j = a_j′ x^r and finds directions a_j ∈ R^{m_r} that maximize

between-groups variance / within-groups variance
  = Σ_{k∈S} (E(y_{jk}) − E(y_j))^2 / Σ_{k∈S} Var(y_{jk})
  = Σ_{k∈S} (a_j′(E(x^r_k) − E(x^r)))^2 / Σ_{k∈S} Var(a_j′ x^r_k)

which can be estimated as

|S|(n_p − 1) Σ_{k∈S} (a_j′(x̄^r_k − x̄^r))^2 / Σ_{k∈S} Σ_{i=1}^{n_p} a_j′(x_{ki} − x̄_k)(x_{ki} − x̄_k)′ a_j  =  a_j′ B a_j / a_j′ S^r_pooled a_j

Linear discriminant analysis II

The coefficient a_j that maximises

a_j′ B a_j / a_j′ S^r_pooled a_j

is the first eigenvector (i.e., the one with the largest associated eigenvalue) of (S^r_pooled)^{-1} B.

With the constraint Cov(y_{ik}, y_{jk}) = 0, the other a_j that maximise the above ratio are the eigenvectors with the next largest eigenvalues.

Note that (S^r_pooled)^{-1} B is not necessarily symmetric, so we cannot directly apply singular-value decomposition to obtain orthonormal eigenvectors. Instead, we can first compute the eigenvectors u_j of the symmetric matrix (S^r_pooled)^{-1/2} B (S^r_pooled)^{-1/2}, which has the same eigenvalues as (S^r_pooled)^{-1} B, and from which we can then obtain the coefficients a_j = (S^r_pooled)^{-1/2} u_j.

There are a maximum of s = min(m_r, |S| − 1) eigenvectors with non-zero eigenvalue, as that is the maximum number of independent linear combinations available in B.

LDA example: eigenvectors of B

(figure: u_1 . . . u_6 plotted over samples 0 to 2500)

LDA example: eigenvectors of (S^r_pooled)

(figure: u_1 . . . u_6 plotted over samples 0 to 2500)

LDA example: eigenvectors of (S^r_pooled)^{-1} B

(figure: u_1 . . . u_6 plotted over samples 0 to 2500)

Linear discriminant analysis III

- Like with PCA, pick m such that the first m eigenvalues of (S^r_pooled)^{-1} B cover e.g. 95% of the sum of all eigenvalues.
- Let A = (a_1 . . . a_m) be the matrix of the first m eigenvectors of (S^r_pooled)^{-1} B, then project each leakage matrix as X_k = X^r_k A.
- LDA generally outperforms all other compression methods, but relies on homoscedasticity, therefore PCA remains useful where the noise is not easily characterized.
- When we scale the coefficients a_j such that a_j′ S^r_pooled a_j = 1, the covariance in the discriminant function becomes the identity matrix, i.e. S_k = I, which greatly reduces computation and storage requirements.

After linear discriminant analysis

(figure: the traces projected onto the first two LDA directions, −20 to 15 horizontally and −10 to 10 vertically)

The log-likelihood discriminant

Recall the numerical problems with

f(x | k) = 1 / √((2π)^m |S_k|) · e^{−½ (x − x̄_k)′ S_k^{-1} (x − x̄_k)}

Avoid overflowing e^x and |S_k| by using instead the log-likelihood

log f(x | k) = −(m/2) log 2π − ½ log |S_k| − ½ (x − x̄_k)′ S_k^{-1} (x − x̄_k)

Compute log |S_k| = 2 Σ_{i=1}^{m} log c_{ii} using the Cholesky decomposition S_k = C′C. Since C is triangular, its determinant is the product of its diagonal elements c_{ii}.

Dropping the first term (constant across all k) gives us a robust discriminant based on the log-likelihood:

D_log(k | x_i) = −½ log |S_k| − ½ (x_i − x̄_k)′ S_k^{-1} (x_i − x̄_k)

The linear discriminant

Using S_pooled, we can discard log |S_k| as well. This leaves the “Mahalanobis distance”

d²_M(x, x̄_k) = (x − x̄_k)′ S_pooled^{-1} (x − x̄_k) ≥ 0

to compare candidates k. (Covariance is positive semidefinite.)

Rewrite as

d²_M(x, x̄_k) = x′ S_pooled^{-1} x − 2 x̄_k′ S_pooled^{-1} x + x̄_k′ S_pooled^{-1} x̄_k

and drop the first term (constant for all candidates k) to obtain a discriminant that depends linearly on x_i:

D_linear(k | x_i) = x̄_k′ S_pooled^{-1} x_i − ½ x̄_k′ S_pooled^{-1} x̄_k

Joint discriminants

Recall that to combine n_a attack traces (essential for the success of many side-channel attacks), we need to compute a discriminant based on their joint likelihood

L(k | X_{k⋆}) = Π_{x_i in X_{k⋆}} L(k | x_i)   or   log L(k | X_{k⋆}) = Σ_{i=1}^{n_a} log L(k | x_i)

This costs O(n_a m²) for

D_log(k | X_{k⋆}) = −(n_a/2) log |S_k| − ½ Σ_{i=1}^{n_a} (x_i − x̄_k)′ S_k^{-1} (x_i − x̄_k)

but only O(n_a m + m²) for

D_linear(k | X_{k⋆}) = x̄_k′ S_pooled^{-1} (Σ_{i=1}^{n_a} x_i) − (n_a/2) x̄_k′ S_pooled^{-1} x̄_k

since x̄_k′ S_pooled^{-1} and x̄_k′ S_pooled^{-1} x̄_k only need to be computed once.

Practical evaluation example: D_log 3.5 days, D_linear 30 min!
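As an added example (not the authors' code), the profiling step (mean vectors x̄_k and pooled covariance S_pooled), the joint linear discriminant D_linear(k | X_{k⋆}) from this slide and the rank of the correct candidate, in pure Python. The leakage is constructed and simulated, not measured: m = 2 samples per trace, no compression step (X_k = X^r_k), |S| = 8 candidate values and homoscedastic correlated Gaussian noise; the leakage model, n_p, n_a and the seed are assumptions for illustration.

```python
"""Template attack with a pooled covariance and the joint linear discriminant."""
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def mat_vec(A, v):
    return [dot(row, v) for row in A]


def invert(A):
    """Gauss-Jordan inverse of a small square matrix (partial pivoting)."""
    n = len(A)
    M = [list(map(float, row)) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        p = M[c][c]
        M[c] = [x / p for x in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0.0:
                f = M[r][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]


def profile(traces_by_k):
    """Profiling phase: mean vector x̄_k for every k and the pooled covariance.

    traces_by_k maps each candidate k to its n_p leakage vectors (rows of X_k).
    """
    m = len(next(iter(traces_by_k.values()))[0])
    means = {}
    pooled = [[0.0] * m for _ in range(m)]
    for k, X in traces_by_k.items():
        n_p = len(X)
        xbar = [sum(x[j] for x in X) / n_p for j in range(m)]
        means[k] = xbar
        # S_k = 1/(n_p - 1) * sum_i (x_ki - x̄_k)(x_ki - x̄_k)', added into the pool
        for x in X:
            d = [x[j] - xbar[j] for j in range(m)]
            for a in range(m):
                for b in range(m):
                    pooled[a][b] += d[a] * d[b] / (n_p - 1)
    # S_pooled = 1/|S| * sum_k S_k
    n_k = len(traces_by_k)
    return means, [[v / n_k for v in row] for row in pooled]


def linear_discriminants(means, pooled, attack_traces):
    """D_linear(k | X) = x̄_k' S^-1 (sum_i x_i) - n_a/2 · x̄_k' S^-1 x̄_k for every k.

    O(n_a m + m^2): the traces are only summed; the per-k terms are computed once.
    """
    s_inv = invert(pooled)
    n_a = len(attack_traces)
    m = len(attack_traces[0])
    x_sum = [sum(x[j] for x in attack_traces) for j in range(m)]
    scores = {}
    for k, xbar in means.items():
        w = mat_vec(s_inv, xbar)          # x̄_k' S^-1 as a vector (S^-1 is symmetric)
        scores[k] = dot(w, x_sum) - 0.5 * n_a * dot(w, xbar)
    return scores


def rank_of(scores, k_true):
    """Rank of the correct candidate (0 = best); its log2 is the guessing entropy."""
    ordered = sorted(scores, key=scores.get, reverse=True)
    return ordered.index(k_true)


def simulate_traces(k, n, rng, sigma=1.0):
    """Constructed leakage model (not measured data): signal (k, 2k) plus
    correlated Gaussian noise whose covariance does not depend on k."""
    out = []
    for _ in range(n):
        e1, e2 = rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)
        out.append([k + sigma * e1, 2 * k + sigma * (0.8 * e1 + 0.6 * e2)])
    return out


def run_attack(k_true=5, n_p=200, n_a=30, seed=1):
    """Profile on simulated traces, attack n_a traces of k_true, return the rank."""
    rng = random.Random(seed)
    candidates = range(8)                 # S = {0, ..., 7}
    means, pooled = profile({k: simulate_traces(k, n_p, rng) for k in candidates})
    attack_traces = simulate_traces(k_true, n_a, rng)
    return rank_of(linear_discriminants(means, pooled, attack_traces), k_true)


if __name__ == "__main__":
    print("rank of the true k with n_a = 30 attack traces:", run_attack())
```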


Example: comparison of different compression methods

Our test dataset Grizzly (available online):

- Atmel XMEGA 256 A3U processor
- 10 ohm resistor in ground line
- powered from 3.3 V battery via voltage regulator
- 1 MHz sine wave clock
- 250 MHz sampling frequency, 8-bit samples
- 3072 traces for each byte, m_r = 2500 samples per trace
- sequence of LOAD instructions, where only one handles k⋆, all others handle constant value zero

Guessing entropy: binary logarithm of rank order of correct k⋆ in list of k values sorted by decreasing discriminant function, averaged over 10 attacks.

Sample selections: ≤ 1 samples/clock (1ppc, m ≈ 8), ≤ 3 samples/clock (3ppc, m ≈ 25), 20ppc (m ≈ 77) and allap (m ≈ 125) selections (all selected samples above the highest 95th percentile of s(t)).

[Figure: guessing entropy (bits) versus $n_a$ (log axis), four panels. Rows: $S_k$ ($D_{\log}$) and $S_{\mathrm{pooled}}$ ($D_{\mathrm{linear}}$); columns: $n_p$ = 200 and $n_p$ = 2000. Curves: LDA m=4, PCA m=4 and the sample selections 1ppc, 3ppc, 20ppc, allap.]


Attacks on AES software/hardware implementations

[Figure: guessing entropy (bits) versus $n_a$ (log axis), two panels. Left: LDA m=4, PCA m=4, 1ppc, 3ppc, 20ppc, allap. Right: LDA m=10, PCA m=10, 1ppc m=6, 3ppc m=18, 20ppc m=120.]

Left: Guessing entropy after template attack on the Grizzly dataset in an AES S-box scenario (simulated).

⇒ DPA-style attack on AES much easier than direct eavesdropping of a single LOAD instruction.

Right: Template attack on AES engine (Polar dataset).

⇒ Software implementation much easier to attack than hardware implementation.


Attacks on different devices

[Figure: Four XMEGA PCB devices used in our experiments.]

Classic template attacks in different scenarios

[Figure: guessing entropy (bits) versus $n_a$ (log axis), two panels. Left: LDA m=4, PCA m=4, sample 1ppc, 3ppc, 20ppc, allap. Right: LDA K=4, PCA K=4, sample 1ppc, 3ppc, 20ppc, allap.]

Left: using device Alpha for profiling and device Beta for attack.

Right: using same device (Beta) but different acquisition campaigns for profile (Beta) and attack (Beta Bis).

⇒ all compression techniques (except for LDA!) failed badly across different devices or even across different campaigns on the same device.


Major cause: DC drift across devices, boards, campaigns

[Figure, top: current (mA, 0 to 5) over sample index 850 to 950, single trace from Beta. Bottom: mean-current difference (mA, -0.3 to 0.1) over the same sample indices for Alpha, Beta, Beta bis, Gamma and Delta, with Beta + ci, Beta - ci and the SNR of Beta.]

Top: Trace from Beta (first clock cycle of target LOAD)

Bottom: overall mean vectors $\bar{\mathbf{x}}^r$ for all campaigns minus overall mean vector of Beta

LDA gets this: $(S^r_{\mathrm{pooled}})$ (noise) has a DC eigenvector

[Figure: eigenvectors $u_1$ to $u_6$ plotted over sample index 0 to 2500.]

No major incompatibility of underlying leakage model

[Figure: two panels of probability density (0 to 2.5) over current 3.2 to 4.8 mA, one curve per value k = 0 to 9.]

Normal distribution at sample index j = 884 based on the template parameters $(\bar{\mathbf{x}}^r_k, S^r_{\mathrm{pooled}})$ for k ∈ {0, ..., 9} on Alpha (left) and Beta (right).

- Template attacks are very sensitive to changes in DC bias
- Changes in DC bias can also happen within a single campaign (e.g. due to temperature changes)
- This causes a DC eigenvector to emerge in $S^r_{\mathrm{pooled}}$ which LDA utilizes to ignore DC drift as noise

Workarounds:

- Use different devices during profiling campaigns.
- Allow temperature variation during profiling campaigns (can also affect switching thresholds).
- Use LDA.
- Where LDA is not applicable: use PCA with random DC offsets added to mean vectors before calculating B, to push most DC signal into a single eigenvector and keep the rest DC-free.
- Apply DC-block filter: happens already automatically if EM sensors or other high-pass filters are used. However this can also significantly increase noise, by spreading nearby variability via filter impulse response.
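To see why the random-DC-offset workaround for PCA works, here is an added example (not code from the slides) that builds the between-class scatter matrix B from constructed per-candidate mean vectors, with and without an independent random DC offset per mean, and measures how well the leading eigenvectors of B align with the DC direction; the leakage profile, the number of candidates and the offset spread are assumptions chosen for the demonstration.

```python
"""Random DC offsets before PCA push the DC content of B into one eigenvector (added example)."""
import math
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def cosine(u, v):
    """|cos| of the angle between u and v (1.0 = same direction up to sign)."""
    return abs(dot(u, v)) / math.sqrt(dot(u, u) * dot(v, v))


def dc_alignment(u):
    """Alignment of u with the all-ones (DC) direction."""
    return cosine(u, [1.0] * len(u))


def between_class_scatter(means):
    """B = sum_k (mean_k - grand_mean)(mean_k - grand_mean)' over the candidate mean vectors."""
    m = len(means[0])
    grand = [sum(mu[j] for mu in means) / len(means) for j in range(m)]
    B = [[0.0] * m for _ in range(m)]
    for mu in means:
        d = [mu[j] - grand[j] for j in range(m)]
        for i in range(m):
            for j in range(m):
                B[i][j] += d[i] * d[j]
    return B


def top_eigenpair(B, iters=300):
    """Power iteration for the dominant eigenpair of a symmetric positive semidefinite matrix."""
    u = [1.0 + j for j in range(len(B))]        # generic start vector, not orthogonal to the answer
    lam = 0.0
    for _ in range(iters):
        v = [dot(row, u) for row in B]
        lam = math.sqrt(dot(v, v))
        if lam < 1e-9:                           # B has no further non-zero eigenvalue
            return 0.0, [0.0] * len(B)
        u = [x / lam for x in v]
    return lam, u


def leading_eigenvectors(means, count):
    """The `count` largest eigenpairs of B, found by power iteration plus deflation."""
    B = between_class_scatter(means)
    pairs = []
    for _ in range(count):
        lam, u = top_eigenpair(B)
        pairs.append((lam, u))
        B = [[B[i][j] - lam * u[i] * u[j] for j in range(len(B))] for i in range(len(B))]
    return pairs


def with_random_dc(means, sigma, rng):
    """The slide's workaround: add an independent random DC offset to each mean vector."""
    shifted = []
    for mu in means:
        off = rng.gauss(0.0, sigma)
        shifted.append([x + off for x in mu])
    return shifted


def constructed_means(keys=16):
    """Constructed templates (not measured data): the mean trace of value k is HW(k) times a
    fixed profile that is non-zero only on samples 2 and 3 and has little DC content."""
    profile = [0.0, 0.0, 1.0, -0.6, 0.0, 0.0, 0.0, 0.0]
    return [[bin(k).count("1") * p for p in profile] for k in range(keys)]


def demo(seed=1, sigma=5.0):
    """DC alignment of the leading eigenvectors of B, without and with the random offsets."""
    means = constructed_means()
    plain = leading_eigenvectors(means, 1)
    shifted = leading_eigenvectors(with_random_dc(means, sigma, random.Random(seed)), 2)
    return {
        "plain_top_dc": dc_alignment(plain[0][1]),         # top eigenvector is the signal profile
        "shifted_top_dc": dc_alignment(shifted[0][1]),     # top eigenvector is now the DC direction
        "shifted_second_dc": dc_alignment(shifted[1][1]),  # the remaining one is nearly DC-free ...
        "shifted_second_signal": cosine(shifted[1][1], constructed_means()[1]),  # ... and is the profile
    }
```

With the offsets, dropping the first eigenvector of B from the PCA projection (j = 1, as on the next slide) removes the DC component while the signal survives in the second.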


Profiling on Alpha, attack on Beta

[Figure: guessing entropy (bits) versus $n_a$ (log axis), two panels. Left: LDA m=3, 4, 5, 6, 40; PCA m=4, 5, 6, 40; sample 1ppc, 3ppc, 20ppc, allap. Right: LDA m=4, LDA m=5, PCA m=4, PCA m=5, annotated "LDA m = 3, m = 4" and "PCA m = 4".]

Left: using various compressions with the classic method. DC eigenvector of B: j = 5

Right: using PCA and LDA after adding random DC offset. DC eigenvector of B: j = 1

PCA benefits from including DC eigenvector in projection, LDA does not.


GDPR challenges (M. Kutyłowski). Outline: classical approaches (criminal law, Common Criteria, standards, contract based); GDPR

GDPR and legal challenges for designing distance bounding protocols

Mirosław Kutyłowski

Politechnika Wrocławska

Cryptacus Training School, Ponta Delgada 2018


Security in system design

security of all parties involved must be concerned, not only of a user... in particular security of the system designer

many things may go wrong:

- financial claims against system designer based on system errors
- pressure from the authorities on system designer to misbehave
- pressure on certificate/audit bodies to provide false evidence
- mistakes during implementation
- patent claims
- ...


Security and privacy

Standard approaches to ensure Security and Privacy

- criminal law
- certification/audit frameworks
- industrial standards
- legal contracts

Criminal law


Situation in EU

- in most countries the same roots of the legal system (Roman Empire)
- there are two incompatible systems: continental law, common law
- the same ideas occur in European countries, however practically there are deep differences based on details
- even more differences with USA


German criminal law versus system design

Section 202a, Data espionage

(1) Whosoever unlawfully obtains data for himself or another that were not intended for him and were especially protected against unauthorised access, if he has circumvented the protection, shall be liable to imprisonment not exceeding three years or a fine.

(2) Within the meaning of subsection (1) above data shall only be those stored or transmitted electronically or magnetically or otherwise in a manner not immediately perceivable.


German criminal law versus system design

Section 202b, Phishing

Whosoever unlawfully intercepts data (section 202a(2)) not intended for him, for himself or another by technical means from a non-public data processing facility or from the electromagnetic broadcast of a data processing facility, shall be liable to imprisonment not exceeding two years or a fine, unless the offense incurs a more severe penalty under other provisions.


German criminal law versus system design

Section 202c, Acts preparatory to data espionage and phishing

(1) Whosoever prepares the commission of an offense under section 202a or section 202b by producing, acquiring for himself or another, selling, supplying to another, disseminating or making otherwise accessible

  1. passwords or other security codes enabling access to data (section 202a(2)), or
  2. software for the purpose of the commission of such an offense,

shall be liable to imprisonment not exceeding one year or a fine.


German criminal law versus system design

Section 203, Violation of private secrets

(1) Whosoever unlawfully discloses a secret of another, in particular, a secret which belongs to the sphere of personal privacy or a business or trade secret, which was confided to or otherwise made known to him in his capacity as a ... [here a narrow closed list] ...


German criminal law versus system design

Section 204, Exploitation of the secrets of another

(1) Whosoever unlawfully exploits the secret of another, in particular a business or trade secret, which he is obliged to keep secret pursuant to section 203, shall be liable to imprisonment not exceeding two years or a fine.


German criminal law versus system design

Section 206, Violation of the postal and telecommunications secret

(1) Whosoever unlawfully discloses to another person facts which are subject to the postal or telecommunications secret and which became known to him as the owner or employee of an enterprise in the business of providing postal or telecommunications services, shall be liable to ...

(2) Whosoever, as an owner or employee of an enterprise indicated in subsection (1) above unlawfully

  1. opens a piece of sealed mail ...

shall incur the same penalty.


German criminal law versus system design

Section 263a, Computer fraud

(1) Whosoever with the intent of obtaining for himself or a third person an unlawful material benefit damages the property of another by influencing the result of a data processing operation through incorrect configuration of a program, use of incorrect or incomplete data, unauthorised use of data or other unauthorised influence on the course of the processing shall be liable to imprisonment not exceeding five years or a fine.

(2) The attempt shall be punishable.


German criminal law versus system design

Section 263a, Computer fraud

(3) In especially serious cases the penalty shall be imprisonment from six months to ten years. An especially serious case typically occurs if the offender

  1. acts on a commercial basis or as a member of a gang whose purpose is the continued commission of forgery or fraud;
  2. causes a major financial loss of or acts with the intent of placing a large number of persons in danger of financial loss by the continued commission of offenses of fraud;
  3. places another person in financial hardship;
  4. abuses his powers or his position as a public official; or

Common Criteria


Common Criteria Framework

Goals
1. a common evaluation framework
2. guide for a customer to choose the right product

However
1. CC certificate is not a security guarantee
2. it is frequently misunderstood as a security certificate
3. processing cost is still high


Common Criteria Framework

Idea
1. write a Protection Profile (PP) based on evaluation of risks
2. build a product according to Protection Profile (Security Target, ST)
3. audit the product according to a very formalized procedure by a certification body

ease the process, reuse work, build from standard components


Common Criteria Framework

CC certificate contribution

- CC certification says that a product has been developed according to a given PP (or ST)
- assurance level concerns only the stated requirements, e.g. trivial requirements ⇒ high EAL level
- (possible mistake: demanding high EAL level without specifying PP)


Protection Profile

Target of Evaluation (TOE)

“is aimed at potential consumers who are looking through lists of evaluated TOEs/Products to find TOEs that may meet their security needs, and are supported by their hardware, software and firmware”


Protection Profile

important sections of TOE

Usage and major security features of the TOE: crucial properties of the system (high level) and security features from the point of view of the security effect and not how it is achieved

life-cycle: the product in the whole life cycle including manufacturing, delivery and destroying

TOE type: which parts, which general purpose, which functionalities are present and which are missing, e.g. ATM card with no contactless payments

Required non-TOE hardware/software/firmware: other components that can be crucial for evaluation


Protection Profile

Conformance Claim

- CC Conformance Claim: version of CC
- PP claim: other PP taken into account in a plug-and-play way
- Package claim: which EAL package level


Protection Profile

EAL

- 6 “assurance classes”
- subdivided into 27 sub-categories (the so-called “assurance families”)
- for each assurance family: grading of an evaluation, a number
- EAL result: an array of 27 values
- 7 predefined ratings, called evaluation assurance levels or EALs, called EAL1 to EAL7, with EAL1 the lowest and EAL7 the highest
- e.g.: EAL2 assigns the rating 2 to 7 assurance families, the rating 1 to 11 assurance families, and 0 to the other 9 assurance families
- monotonic: EALn+1 gives at least the same assurance level as EALn in each assurance family


Example assurance family: ALC_FLR Flaw remediation

ALC_FLR.1

The flaw remediation procedures documentation shall describe the procedures used to track all reported security flaws in each release of the TOE.

The flaw remediation procedures shall require that a description of the nature and effect of each security flaw be provided, as well as the status of finding a correction to that flaw.

The flaw remediation procedures shall require that corrective actions be identified for each of the security flaws.

The flaw remediation procedures documentation shall describe the methods used to provide flaw information, corrections and guidance on corrective actions to TOE users.


Example assurance family: ALC_FLR Flaw remediation

ALC_FLR.2:

ALC_FLR.1 as before

The flaw remediation procedures shall describe a means by which the developer receives from TOE users reports and enquiries of suspected security flaws in the TOE.

The procedures for processing reported security flaws shall ensure that any reported flaws are remediated and the remediation procedures issued to TOE users.

The procedures for processing reported security flaws shall provide safeguards that any corrections to these security flaws do not introduce any new flaws.

The flaw remediation guidance shall describe a means by which TOE users report to the developer any suspected security flaws in the TOE.


Protection Profile

Security Problem Definition

OSP, Object Security Problem: “The security problem definition defines the security problem that is to be addressed.”

axiomatic: deriving the security problem definition is outside the scope of CC

crucial: “the usefulness of the results of an evaluation strongly depends on the security problem definition”

requires work: “spend significant resources and use well-defined processes and analyses to derive a good security problem definition”


Protection Profile: Security Problem Definition

assets

entities that someone places value upon. E.g. contents of a file, distance correctness, presence at a given place, anonymity with respect to an external observer

threats

threats to assets, what may happen that would endanger an asset

assets versus threats

- a mapping matrix: mark which threat endangers which asset
- an asset which is not the subject of any threat can be disregarded
- from this point we are not talking about assets but only threats


Protection Profile

Security objectives

The security objectives are a concise and abstract statement of the intended solution to the problem defined by the security problem definition.

Role of SO

- a high-level, natural language solution of the problem;
- divide this solution into part-wise solutions, each addressing a part of the problem;
- demonstrate that these part-wise solutions form a complete solution to the problem.
- bridge between the security problem and Security Functional Requirements (SFR)

Example of SO: the token communicates only with legitimate readers


Protection Profile: SO

mapping

- mapping objectives to threats: a matrix with SO and threats
- each threat should be covered, each objective has to respond to some threat
- answers the questions: what is sufficient to avoid threats? have we forgotten about something?
- rationale: a verifiable explanation why the mapping is sound

after this stage we may forget about threats and think about SOs only


Protection Profile

SFR (Security Functional Requirements)

- SFRs are a translation of the security objectives for the TOE.
- a complete translation (the security objectives must be completely addressed)
- SFRs should be independent of any specific technical solution (implementation)
- standardized language, to ease evaluation and comparison


Protection Profile

SFRs catalogue

- many SFRs already predefined via CC
- possibility to add own ones
- customizing possible in most cases (options left for the writer of a PP)


Protection Profile

examples of predefined classes

- Logging and audit: class FAU
- Identification and authentication: class FIA
- Cryptographic operation: class FCS
- Access control: families FDP_ACC, FDP_ACF
- Information flow control: families FDP_IFC, FDP_IF
- Management functions: class FMT
- (Technical) protection of user data: families FDP_RIP, FDP_ITT, FDP_ROL
- (Technical) protection of TSF data: class FPT
- ...


Common Criteria: summary

- “compose from pieces” approach (versus monolithic approach)
- checkable: divide-and-conquer approach
- key security issue: poorly written PP ⇒ insecure system


Standards

Standards versus security

standardization is a process of getting a compromise regarding choice of technical details; security relevant consequences:

- it is better to have one target to analyze/attack than potentially unlimited number of choices
- compromise is almost always not driven by security issues
- not a transparent process, security specialists might be missing in the team

Threat: many decision makers regard a technical standard as a security guarantee.


Contracts

Typical practices

- no responsibility for correct operation, “use program as it is”
- theoretically a user can try to negotiate better conditions, but it is nearly impossible
- GDPR changes the situation dramatically, with regard to personal data protection

Privacy protection and GDPR


Privacy by design

GDPR
1. General Data Protection Regulation in EU
2. scope:
   - activities in EU
   - exporting such data
   - activities outside Europe concerning commercial services in EU
3. in practice enforcing the same regime elsewhere

“devices compliant with GDPR”


GDPR

Technical scope

GDPR “applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

most systems processing data in systematic way fulfill these conditions


GDPR

personal data

any information relating to an identified or identifiable natural person (“data subject”);

an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

recommendation: whenever possible create systems so that data cannot be linked to a natural person


GDPR

processing

any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

corollary: possessing personal data already means “processing”; destroying is also processing and must be lawful


GDPR

pseudonymisation

processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

corollary: pseudonymisation reversible with additional keys

apply whenever it might be necessary to recover the link to a natural person


GDPR: actors

controller ... body which determines the purposes and means of the processing of personal data;

processor ... processes personal data on behalf of the controller;


GDPR: rules of processing

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject “lawfulness, fairness and transparency”;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, ... not be considered to be incompatible with the initial purposes “purpose limitation”;


GDPR: rules of processing

Personal data shall be:

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed “data minimization”

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay “accuracy”


GDPR: rules of processing

Personal data shall be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; ... “storage limitation”

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures “integrity and confidentiality”


GDPR: privacy by design

accountability: The controller shall be responsible for, and be able to demonstrate compliance with [these rules]

- provable security!
- not regarding an abstract model but reality
- the previous regulation referred to responsibility only


GDPR: lawful processing

Conditions for lawful processing

1. the data subject has given consent to the processing ... for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject ...


GDPR

Conditions for consent

1. ... the controller shall be able to demonstrate that the data subject has consented to processing ...
2. The data subject shall have the right to withdraw his or her consent at any time.
3. ... It shall be as easy to withdraw as to give consent.

extra requirements for enabling to leave the system and remove data


GDPR

Problems with biometric data

1. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, ... shall be prohibited.

2. Paragraph 1 shall not apply if one of the following applies: ...

corollary: avoid any processing of biometric data; if you must process biometric data, then particular care during system design is necessary


GDPR

Information to the data subject

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.

consequences

- automatic processing necessary
- completeness of information
- centralized information retrieval


GDPR

who gets the data

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(e) the recipients or categories of recipients of the personal data, if any;


GDPR

Information obligations

In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; ...

consequence: the controller must have an information channel to the data subject


GDPR

Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(a) the purposes of the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

...

consequences
• online access for a user?
• you have to be particularly careful about transferring data outside Europe


GDPR: right to be forgotten

The data subject shall have the right to obtain from the controller the erasure of personal data ... without undue delay ... where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes ...

(b) the data subject withdraws consent on which the processing is based according to ... and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds ...

(d) the personal data have been unlawfully processed;

...

consequences
• problems for distributed ledgers
• automated (erasure) processing versus examination of the legal situation


GDPR: further topics

1. right for correcting information
2. profiling users and the right to object
3. data portability


Security obligations of the controller and the processor

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.


Security obligations of the controller and the processor

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.


GDPR: penalties

Administrative fines for controllers and processors: up to 20.000.000 EUR or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the kind of problem.

The upper bounds were established so that they are not negligible for big players from the USA, but for small enterprises ....


Identification challenge

identification
• in most scenarios, if two devices interact, then they have to present their identifiers
• but if they communicate over an open channel ... there is no privacy-by-design

asymmetric crypto
• establish a secure channel, e.g. with Diffie-Hellman
• exchange identity data over the secure channel

symmetric crypto ???
• tracing threats might be hard to avoid for lightweight devices, a significant challenge to implement systems according to GDPR

(C) 2018 P. Schaumont (VT)

Fault Attacks on Embedded Software: Threats, Design, and Mitigation

Patrick Schaumont
Professor, Bradley Department of ECE
Virginia Tech

Acknowledgements: FAME Project Team
https://sites.google.com/view/famechip

Supported through the National Science Foundation and the Semiconductor Research Corporation

Objective

[Figure: the black-box model of fault analysis. A (Secure) SW block maps input to output under correct behavior; with Fault Injection the same block shows faulty behavior and produces output'. Fault Analysis compares output and output'. The grey-box model opens the box into Microprocessor, Mem Hierarchy and (Secure) SW, and follows the fault through Injection, Manifestation, Propagation, Observation and Exploitation.]

• Make a systematic review of the fault-attack process on embedded software

Outline

1. Introducing the Fault Attack
2. Anatomy of a Fault Attack
3. Fault Injection Techniques
4. Manifestation and Propagation in the ISA
5. FAME – A Mitigation Technique for Microprocessors

Attacks on Embedded Software

[Figure: CPU, MEM, I/O]

• Embedded Software assumes execution is correct
• (This presentation) Incorrect execution as starting point for attack
  ‐ Privilege Escalation
  ‐ Information Leakage

Privilege Escalation & Information Leakage

• Privilege Escalation = Adversarial Control of Critical Decisions

    if (!access_allowed)
        abort();

• Information Leakage = Disclosure of Secret Data & Dependencies

    if (key_bit)
        out = f(r1);
    else
        out = f(r0);

  key_bit leaks through out

Triggering Incorrect Execution

Attacker                Attack Target            Security Failure
Input/Output Attacker   Input/Output Data        Software Bugs
Memory Attacker         Application/Task Image   Lack of Mem Isolation
Hardware Attacker       Instruction Opcode       Modification
(this talk)             Instruction Execution    Micro-Architecture
                        Circuit                  Timing, Threshold Levels
                        Environment              Operating Conditions

[Figure: CPU, MEM, I/O]


Anatomy of a Fault Attack

1. Fault Attack Design (defined by the security (attack) objective)
   • Fault Target and Fault Model
   • Fault Injection Method
   • Fault Exploitation Method

2. Fault Attack Implementation (constrained by the implementation)
   • Fault Injection
   • Fault Manifestation
   • Fault Propagation
   • Fault Observation
   • Fault Exploitation

Anatomy of a Fault Attack

[Figure: the fault attack crossing the abstraction layers of a processor. Physical Level: Fault Injection (electrical transient). Circuit Level: Fault Manifestation (faulty bits). Micro-Architecture Level (Instruction Memory, Data Mem, Register File, Boot ROM, Status Regs, Datapath, Control; pipeline stages I-Fetch, Decode, D-Fetch, Execute, Store): Fault Propagation (faulty micro-op). Instruction Set Architecture: Fault Propagation (faulty instruction). Software (Firmware, OS, Application): Fault Observation and Fault Exploitation as Faulty Control Flow and/or Data Flow. The example program is a five-step check on inputs S, P returning r:]

    int verify(S, P) {
        int r;
        if (S == P)
            r = 1;
        else
            r = 0;
        return r;
    }


Fault-injection Control

[Figure: Hardware-controlled Fault Injection: separate Fault Injection Hardware (Injector, Fault Control) applies Physical Stress with controlled Timing to the victim CPU/MEM/I/O. Software-controlled Fault Injection: the Software Tasks on the same CPU/MEM/I/O include the Victim and a CTL/Injection task that causes the Physical Stress from within.]

Timing

[Figure: in normal operation the nominal clock period (clk) covers the critical path of the logic plus slack; the critical path depends on Vdd and Temp.]

Artificial Timing Faults

[Figure: a Timing Violation occurs when the critical path no longer fits in the clock period: either the clock period is shortened (nominal clock period ‐ slack) or the critical path is increased.]

• Shortened clock period: Overclocking, Clock Glitching
• Increased critical path (through Vdd, Temp): Underfeeding, Voltage Glitching, Overheating

Noise Injection ‐ EMFI

[Figure: a probe driven with a fast current change di/dt produces a changing field B; by Faraday's Law a loop of area A in the logic picks up the induced voltage E = ‐A · dB/dt, which disturbs the clk and logic signals.]

Noise Injection – Laser Faults

[Figure: a Laser Beam on a transistor between Vss and Vdd creates a Photocurrent while the beam is on, so a stored 0 becomes 1; the effect shows up as Glitches and as a Single Event Upset (Flip).]

Software‐Controlled Faults

• DVFS Interface (CLKSCREW): the PLL and PMIC supply each core with its own (V, f) pair (Core1: V1, f1; Core2: V2, f2) through a software-controlled Programming Interface; a timing violation is produced by a modified (V2, f2).

• Memory Disturbance: memory rows (row 0, row 1, row 2, row buffer) leak charge under repeated access to a word, flipping a bit; software controlled.

Fault Injection Portfolio

Fault Injection       Spatial Precision   Temporal Precision   Cost   Intensity
Overclocking          Low                 Low                  Low    Clock f
Clock Glitching       Low                 High                 Low    Glitch Width
Underfeeding          Low                 Low                  Low    Voltage
Voltage Glitching     Low                 High                 Low    Glitch V/W
Overheating           Low                 Low                  Low    Temperature
Light Pulse           Medium              Medium               Low    Pulse W/Energy
Laser Pulse           High                High                 High   Pulse W/Energy
EM Pulse              Medium              High                 High   Probe Current
DVFS Interface        Low                 Medium               Zero   V/f
Memory Disturbance    High                Medium               Zero   Disturbance f


Processor Micro‐architecture

Instruction Set Architecture (Programmer's Model)
• Instruction Semantics & Syntax
• Memory Model
• Interrupt/Exception Interface

[Figure: Micro-Architecture: Instruction Memory, Fetch, Decode, Control, Datapath, RegFile, Load/Store, Data Mem, Flags.]

Processor Micro‐architecture Faults

[Figure: the same micro-architecture; a fault manifests in a micro-architecture element and propagates to the Instruction Set Architecture as a Faulty Instruction.]

The manifestation is characterized by
• Fault Location
• Fault Effect
• Fault Duration
• Fault Size

Processor Micro‐architecture Faults

Micro-architecture Element: Instruction‐memory, Instruction‐fetch, Instruction‐decode, Operand‐fetch, Execute, Store, Data‐memory, Register File, Status Flags

Effect of a fault on the instruction word: Function field → Different instruction; Operand field → Different source/dest; Immediate field → Different value

Processor Micro‐architecture Faults

Assume a one‐bit fault on

    ld [%i1 + 4], %g1

Resulting fault space includes
• 21 ld variants with different load address
• 6 ld variants with a different target
• 1 add variant
• 1 store variant
• 1 call variant
• 2 unknown variants (trap)

Processor Micro‐architecture Faults

Assume a one‐bit fault on

    add %l2, %l7, %g2

Resulting fault space includes
• 12 add variants with a different source
• 9 unknown variants (trap)
• 5 add variants with a different target
• 3 arithmetic variants (sub, addx, addcc)
• 2 logical variants (or, and)
• 1 ld variant

Processor Micro‐architecture Faults

Assume a one‐bit fault on

    be 0x40005924

Resulting fault space includes
• 23 be variants with a different target
• 5 branch variants with a different condition
• 2 unknown variants (trap)
• 1 call variant
• 1 add variant

Processor Micro‐architecture Faults

• Modifies the PC, can modify control flow

• Modifies the value of the source operands:

    ld [r1 + r2], r3    → faulty r3
    cmp r1, r2          → faulty flags
    be dest             → no effect

• Modifies the value of the computation:

    ld [r1 + r2], r3    → faulty r3
    cmp r1, r2          → faulty flags
    be dest             → faulty jump address

‐ Fault effects on a microarchitecture are highly nonlinear
+ For a given fault effect, analysis is possible

Intermezzo: Fault Exploitation

• DFA
• Biased Fault Analysis
• Safe Error Analysis
• Cryptanalysis
• Fault‐Aided SCA
• Fault‐Enabled Logical Attacks

Bit‐flip Attack on AES

[Figure: last round of the Advanced Encryption Standard: the secret state v after the 9th round passes through SubBytes (16 S-boxes), ShiftRows and AddRoundKey to give the Ciphertext C.]

Fault Model: Bit‐flip on a secret state bit. A bit‐flip results in a faulty ciphertext byte.

Bit‐flip Attack on AES

• Fault Differential: for one byte, c = sbox(v) ⊕ k and c' = sbox(v') ⊕ k. Hence Δ = c ⊕ c' = sbox(v) ⊕ sbox(v').

• Fault Analysis: reconstruct v by analyzing Δ. Once we know v, we find the last round‐key as k = sbox(v) ⊕ c.

32 bit‐flip faults in round 10 disclose the entire key.

Classic Differential Fault Analysis

[Figure: Cryptographic Algorithm + Fault Model (Random Byte, Random Bit, Chosen Bit) → DFA: C, C', C'', .. → K]

[TM 2010] Single random byte fault at 8th round of AES-128: Key 2^128 → 2^12
[SL+ 2012] Two sequential byte faults at 9th, 10th round of AES-192: Key 2^128 → 1

Current DFA methods are optimal IF the fault model can be realized

Implementations and Actual Faults

[Figure: the Cryptographic Algorithm with its Fault Model (Random Byte, Random Bit, Chosen Bit) feeds DFA (C, C', C'', .. → K); in practice the Implementation, i.e. the Cryptographic Architecture together with the Fault Injection, determines the actual Fault.]

Biased Fault Attacks

[Figure: the actual Fault carries a Fault Bias (1-bit, 2-bit, ..) obtained with Variable Fault Intensity; exploited by FSA [2010], NUEVA [2012], NUFVA [2013], DFIA [2014], DERA [2015], ...]

Biased Faults as a Side Channel

[Figure: one S-box byte: state S → SBOX → ⊕ RK → C, in an 8-dimensional space. Biased Fault Injection turns the correct S into a faulty S' close to S, giving C'. Computing SBOX^-1(C' ⊕ RK_hyp) under the correct key hypothesis gives values clustered around S; under a wrong key hypothesis the values are spread out.]

Differential Fault Intensity Analysis

1. Inject faults at different fault intensities, so that HW(S ⊕ S') < ...
2. Collect the faulty ciphertexts C'
3. For all key hypotheses RK_hyp compute S_i,RK = SBOX^-1(C'_i ⊕ RK_hyp)
4. Select RK for which RK = ArgMin_RK ( Σ_i Σ_j HD(S_i,RK, S_j,RK) )

DFIA versus DFA

DFA
• makes a precise assumption on the injected fault
• needs a system of equations to resolve the key guess

DFIA
• makes an approximate model of the injected fault
• uses max likelihood testing to resolve the key guess

DFIA relaxes the fault model requirements and is more suitable when fault injection is hard to control


Mitigating Fault Attacks on Embedded SW

            Strategy 1: Redundant Execution in SW   Strategy 2: HW Sensors and Checkpoint
Detection   Verify redundant copies                 Dedicated HW sensor (Timing, EM, Voltage, ..)
Response    Correct fault using redundancy          Recover from checkpoint
Overhead    Redundant execution                     Checkpoint storage
Risk        Redundant Fault                         False pos/neg on sensor

FAME: Fault‐attack Aware Microprocessor Extension

FAME Operation [HASP 16]

[Figure: the FAME Processor is the Baseline Processor plus the Fault‐attack Aware Microprocessor Extensions: Fault Detection Unit (FDU), Fault Control Unit (FCU), Fault Response Registers (FRR) and Secure Trap Handler (STH); the Application Software contains the Protected Software.]

1. fault injection (on Vdd, clk)
2. alarm from the FDU to the FCU
3. the FCU transfers control to the trap handler and provides fault recovery info
4. the trap handler accesses and restores the fault‐free checkpoint

All‐digital Fault Sensors in FAME

[Figure: Glitch Timing Sensor: a T‐flop and D‐flops (d, q) on clk around a configurable delay stage (20x, selected by c[i]), raising alarm. In‐situ EM Sensor: a D‐flop on clk.]

Single‐cycle Checkpointing Hardware

Fault Response Registers (FRR) for critical processor state, including PC, PSR and the last two pipeline stages

FAME Chip 1 Block Diagram

[Figure: FAME ASIC. FAME Core functionality: LEON3 Core (w FRR) with I$ (1KB) and D$ (2KB), Sensor (FDU), Recovery (FCU) and Reset Management on the AHB. Download and Debug Software: Debug Support Unit with Debug UART1 and Debug UART2 (debugger), SRAM 64KB, ROM 1KB. User Applications: GPIO, User UART and Interrupt Controller on the APB (user I/O). Fault Injection and Fault Diagnosis: Trigger and Observe lines to an external Fault injector (FPGA) acting as fault injection controller.]

FAME Chip 1 Micrograph

• 180nm 6LM TSMC
• 25 mm2 die area
• Active area
  – LEON3: 6.217 mm2
  – w FAME: 6.301 mm2
  – w FAME+Diag: 6.364 mm2
• FAME extensions overhead 1.35% (of active area)
• 80 MHz clock
• 54 I/O
  – Clock, reset
  – 8 I/O, 16 Core Power
  – 3x UART
  – 4 GPIO
  – 4 Trigger
  – Sensor alarm monitor
  – Scan and test pins
• 108-pin PGA package

FAME Chip 1 Test PCB

[Figure: test board with the FAME chip, a SAKURA-G FPGA with glitch generator (Power/Clock Glitcher), Debug/User USB-UART, Power Measurement, and an FPGA Interface carrying GPIO, Trigger, Scan and Alarm.]

FAME Chip 1 Test Setup

[Figure: Glitch Control, Software, FAME Application Monitor.]


Secure Trap Handler Development

[Figure: trap handler code, showing the path that falls through and the ptc--; decrement.]

Traditional Redundancy Based Design

    int ptc = 3;                  // Pin Try Counter
    char devicePIN[6] = "12824";  // 5 digits plus terminating NUL

    int VerifyPin(const char *userPIN) {   // Cmp(): PIN comparison, defined elsewhere
      int result;
      ptc--;                                   // decrement before the comparison
      if (ptc > 0)
        if (ptc > 0)                           // hardened if (instruction-level redundancy)
          if (Cmp(userPIN, devicePIN))
            if (Cmp(userPIN, devicePIN)) {     // algorithm-level redundancy
              result = 1; ptc++;               // restore the try on success
            } else result = 0;
          else result = 0;
        else result = 0;
      else result = 0;
      return result;
    }

Disadvantage
‐ performance overhead
‐ Fails under redundant fault injection

FAME Based Design

    int ptc = 3;                  // Pin Try Counter
    char devicePIN[6] = "12824";  // 5 digits plus terminating NUL
    int noFault = 1;

    int VerifyPin(const char *userPIN) {   // Cmp(): PIN comparison, defined elsewhere
      int result;
      if (ptc > 0)
        if (Cmp(userPIN, devicePIN))
          result = noFault;        // 1 unless the secure trap handler has run
        else {
          result = 0;
          ptc--;
        }
      else result = 0;
      return result;
    }

    void SecureTrapHandler(void) {
      if (ptc > 0) ptc--;          // a detected fault costs a try
      noFault = 0;                 // and the pending verification fails
    }

• No redundancy needed: the FAME FRR Hardware Checkpoint prevents fault propagation
• No overhead without fault
• Secure trap handler enables user-defined fault response
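The redundancy-based VerifyPin above can be checked against a simple fault model in code. This added example (not from the slides or the FAME project) writes an unprotected PIN check and a hardened one in the style of the slide, which decrements the try counter before the comparison, restores it only on success and takes every security decision twice. A fault that inverts exactly one branch decision per run is then played at every decision position, and the runs that accept a wrong PIN are counted. `decide()`, `pin_equal()` (a stand-in for the slide's Cmp()) and the device PIN are constructed for the example.

```c
#include <stdio.h>

/* Added example: single inverted branch decision as an abstract fault model.
 * decide() wraps every security-relevant condition; when decision_no reaches
 * fault_target the outcome is inverted once in that run (fault_target == 0
 * means no fault). This abstracts the "control of a critical decision" effect
 * of an instruction-level fault on the slides. */
static int decision_no, fault_target;
static int decide(int cond) {
    decision_no++;
    return decision_no == fault_target ? !cond : !!cond;
}

static const char devicePIN[6] = "12824";   /* constructed device PIN */

/* Stand-in for the slides' Cmp(): compares all 5 digits without early exit. */
static int pin_equal(const char *a, const char *b) {
    unsigned diff = 0;
    for (int i = 0; i < 5; i++) diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0;
}

/* Unprotected check: one comparison decides, and the try counter is only
 * decremented after a failed comparison. */
int verify_pin_naive(const char *userPIN, int *ptc) {
    if (!decide(*ptc > 0)) return 0;
    if (decide(pin_equal(userPIN, devicePIN))) { *ptc = 3; return 1; }
    (*ptc)--;
    return 0;
}

/* Hardened check: decrement first and restore only on success, and duplicate
 * every decision so one inverted branch cannot reach the success path. */
int verify_pin_hardened(const char *userPIN, int *ptc) {
    (*ptc)--;
    if (!decide(*ptc >= 0)) return 0;
    if (!decide(*ptc >= 0)) return 0;
    if (decide(pin_equal(userPIN, devicePIN)))
        if (decide(pin_equal(userPIN, devicePIN))) { (*ptc)++; return 1; }
    return 0;
}

/* Fault-free behaviour: correct PIN accepted with the counter restored to 3,
 * wrong PIN rejected with one try consumed. Returns 1 if both hold. */
int fault_free_behaviour_ok(int (*verify)(const char *, int *)) {
    int ptc = 3;
    decision_no = 0; fault_target = 0;
    int ok = verify("12824", &ptc) == 1 && ptc == 3;
    decision_no = 0;
    ok = ok && verify("00000", &ptc) == 0 && ptc == 2;
    return ok;
}

/* Invert each decision position of a run with a wrong PIN, one at a time, and
 * count the runs that end in acceptance (privilege escalation). */
int count_escalations(int (*verify)(const char *, int *)) {
    int escalations = 0;
    for (int target = 1; target <= 8; target++) {
        int ptc = 3;
        decision_no = 0; fault_target = target;
        if (verify("00000", &ptc)) escalations++;
    }
    decision_no = 0; fault_target = 0;
    return escalations;
}

int main(void) {
    printf("naive:    %d single-decision fault(s) accept a wrong PIN\n",
           count_escalations(verify_pin_naive));
    printf("hardened: %d single-decision fault(s) accept a wrong PIN\n",
           count_escalations(verify_pin_hardened));
    return 0;
}
```

The naive check is defeated by inverting its one comparison decision; the hardened check survives every single inverted decision because the second copy of the comparison still sees the wrong PIN. Inverting both copies in the same run would pass, which is exactly the "Fails under redundant fault injection" risk the slide lists, and the model says nothing about a fault that skips the decrement itself, which is where the FAME checkpoint-and-trap approach above takes over.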

EMFI on FAME [DAC2018]

[Figure: EM injection at the Clock Tree Root versus at the Clock Tree Leaves, observed on the FAME flip‐flops.]

• Global effect of EMFI: injection at the clock tree root → 146 faulty flip‐flops
• Local effect of EMFI: injection at the clock tree leaves → 24 faulty flip‐flops

References

1. B. Yuce, M. Witteman, P. Schaumont, "Fault Attacks on Secure Embedded Software: Threats, Design and Evaluation," Journal of Hardware and Systems Security (preprint).

2. B. Yuce, C. Deshpande, M. Ghodrati, A. Bendre, L. Nazhandali, P. Schaumont, "A Secure Exception Mode for Fault‐Attack‐Resistant Processing," IEEE Transactions on Dependable and Secure Computing (preprint).

3. M. Ghodrati, B. Yuce, S. Gujar, C. Deshpande, L. Nazhandali, P. Schaumont, "Inducing Local Timing Fault through EM Injection," DAC 2018.

4. FAME – Fault Awareness using Microprocessor Enhancements. https://sites.google.com/view/famechip

Thank You!

Questions?

Patrick [email protected]

Science and Communication

CRYPTACUS 2018 training school

Tiago Dias and Ricardo Chaves

Science and Communication

• Scientific research
• Information gathering and analysis
• Communicating with others
  – Written
  – Oral
  – …

CRYPTACUS 2018 training school - Science and Communication, Tiago Dias and Ricardo Chaves, 20/4/2018

Scientific research

• Seek and properly interpret the facts.

Interesting examples:
– Black plague, who is to blame?
  • Rats?
  – Facts:
    • Propagation rate: > 3 km/day (within 4 years all Europe was contaminated)
    • Incubation period of 20 days
    • Total amount of deaths: 25.000.000
  – Cause: Human merchants!

Scientific research

• Scientific method:
  – a method of learning about the physical universe by applying the principles of the scientific method, which includes making empirical observations, proposing hypotheses to explain those observations, and testing those hypotheses in valid and reliable ways;
  – the central theme in this methodology is the testing of hypotheses and the ability to make predictions. The overall goal of science is to better understand nature and our Universe.
  – also refers to the organized body of knowledge that results from the scientific study.

• Research:
  – to study a subject thoroughly, especially in order to discover (new) information or reach a (new) understanding

Scientific research

• Problem with these definitions:
  – Validation/fallacies:
    • Is astronomy a science?
      – How to validate/verify the Big Bang!
  – Explanation of Nature:
    • Is Physics a science?
      – What is gravity: Wave or particle?
    • Is Mathematics a science?
      – Or just a rule game / artificial postulates (without support)!
    • Is "Social Science" a science?
      – What can we really predict? Or does it just explain/report past events!
  – Everything is science?
    • As long as we use the right tools

Page 503: COST Action IC1403 Training School – Booket of ... - Cryptacus

technologyfrom seed

Close-up of lunar roving vehicle at Apollo 17 Taurus-Littrow landing site

Description: A close-up view of the lunar roving vehicle (LRV) at the Apollo 17 Taurus-Littrow landing site during extravehicular activity (EVA). Note the makeshift repair arrangement on the right rear fender of the LRV. During EVA-1 a hammer got underneath the fender and a part of it was knocked off. Following a suggestion from Astronaut John W. Young in the Mission Control Center at Houston, the crewmen repaired the fender early in EVA-2 using lunar maps and clamps from the optical alignment telescope lamp. Schmitt is seated in the rover. Cernan took this picture.

http://www.hq.nasa.gov/office/pao/History/alsj/a17/AS17-137-20979HR.jpg

What is missing in this NASA picture?


Scientific research


• What is wrong with this one?

– AS17-140-21370.jpg

Conclusion? …


Scientific research

1. Too much light

2. I see aliens at the end!

3. Men never went to the moon...

and the Earth is flat.

4. Other


Scientific research

• Tampering (with evidence):

– Ethical questions.

– Peer pressure.

– What can we actually conclude from the data we have?

– We are humans! "errare humanum est"

• Scientists are accused of promoting horrors:

– E.g.: Nuclear weapons

• If they refused to develop them they would be considered traitors!

– E.g.: Biological weapons

• How many treatments/therapeutic drugs resulted from these studies?

– Current attempts to perform human cloning!?

• Unfulfilled promises:

– Should we keep financing the research?

errare humanum est, sed perseverare diabolicum:

to err is human, but to persist (in the mistake) is diabolical.

Moral and ethical questions


Information gathering and analysis

• Available information

• Information triage

• Where to obtain the information

• Exploring the information

• Storage and usage of the information


Information gathering and analysis

• Search for existing theories

– Should not be something too esoteric

– A theory should have a practical interest, but…

• What research has been performed on the topic by

the scientific community?

• Which methods were used?

• Where to look for this information?

– Indexed databases of tutorials and papers (articles)


Information gathering and analysis

• Perform a critical, unbiased analysis of the results and methods used by others, to avoid:

– Bowing to peer trends

– Being fooled by result manipulation

– Inadequate methods

• Do not be obsessed by:

– The most recent results

• Is the most recent more innovative / complete?

– Quantitative results

• The magic of number manipulation

– Qualitative results

• May lack thoroughness / rigor


Information gathering and analysis

• What has been written about 'the topic'

– Under-information

• Not enough information sometimes on obvious results

– Over-information

• Too many papers/works on identical topics on the same field

– Pseudo-information

• Scientific information on the media

• Literature of science (aka popular science)

• Wikipedia and similar sites


Information gathering and analysis

• How to handle information:

– Under-information

• Exploring the under-information gaps

– E.g. interdisciplinary search/techniques

– Over-information

• Search only for useful information having in mind the goals

– Not always easy!

– Pseudo-information

• Comparative analyses of the information


Information gathering and analysis

• Where to obtain the information:

– Origin:

• Libraries

– physical or electronic

• Reliable sources

– ieeexplore.ieee.org, portal.acm.org, …, b-on, and scholar.google.com !!

• Semi-reliable sources

– Pseudo-information

» e.g.: internet, Wikipedia, …

– Support:

• Encyclopedias, dictionaries, …

• Books and specialized journals

• Scientific proceedings and conferences


Information gathering and analysis

• Exploring the information:

1. Select the information

– Keywords, acronyms, authors, topics

2. Treat the information

3. Interpret that same information

– Triage:

• Start by selecting a set of documents (beware of literary gluttony)

• Successive approximations (towards the mother lode)

• Support:

– Written word

– Audio

– Pictures and video

– Others (Data loggers, …)


Information gathering and analysis

• Save time by reading what is relevant!

• How to explore the text/information:

– Title and keywords

• Does it sound of any interest to your work / (re)search?

– Author and institution or editor

• Are they known?

• Are they reliable?

– Index

– Abstract/Summary

• What the paper is about

• What is proposed / the novelty

• Key results

– Conclusions

• Small version of the entire paper

• Clear and concise

– Introduction and results section

– And finally … the main body of the paper

• If more details or in-depth knowledge of the described work is needed


Information gathering and analysis

• Storage and usage of the information:

– Organize your bibliography

• Sooner or later you will need to go back to it: "what was the name of that paper??…"

– Organization of references:

• Author's name

• Title of the paper

• Where and when was it published

• Topic of the paper

• Other relevant data

BibTeX is a useful tool to facilitate the organization and use of references. Used directly in LaTeX.


Communicating with others

• Written communication

• Oral and visual communication

• Communicating using slides


Written communication

• Written communication

– Types of document

• Reports

• Papers

• Thesis

– Organization & Structure of the document

– Writing it…


Written communication

Types of documents

• Reports

– Technical

– Project

– Progress

• Scientific communications

– Conferences

– Journals

• Theses

– Graduation

– MSc

– PhD

• Advertisement

– Billboards (written communication?)

– Magazines (scientific or not)

• Others


Written communication

• What to transmit about the research work:

– Goals

– The object of the work

– Related work

• relation between what is proposed and what has been proposed

– Developed work

– Obtained results

• Adequate analysis of the obtained results

– Conclusions

– Future work


Written communication

Target of the communication

                 Scientific community   Public and private organizations   Media
Clarity          +                      ++                                 ++++
Depth            ++++                   ++                                 +
Terminology      Coded                  Semi-coded                         Simplified
Structure        Rigorous & Detailed    Simplified                         Appealing

Always: Seek the truth (Rigor) ; Have a Correct speech (Clarity)


Written communication

• Organization of the text:

– Goals

– Presentation of the problem

• Introduction to the problem

• Background / State of the art

– Research process

• Methodology

• Theoretical / Practical development

– Achieved results

• Simulations

• Experimental results

– Consequences of the results

• Added value

– Analytical analyses of the results

– Comparison with the related state of the art

• Future work


Written communication

• Structure of a paper

– Title

– Authors information

– Abstract (1-3%)

– Keywords (3-5#)

– Introduction (10-15%)

– Main body (60-75%)

• State of the art

• Methodology

• Development

– Results (10-20%)

– Conclusions (3-5%)

– Acknowledgments

– References (4-6%)

• Structure of a report/thesis

– Cover

• Title and Author(s)/Company information

i. Abstract

• May be in more than one language

• Keywords

ii. Acknowledgments

iii. List of contents

• Content of the report/thesis

• List of Figures and Tables

• List of Acronyms

1. Introduction

2. Main body

3. Conclusions

I. Appendix

Bibliography

Index


Written communication

• Where to start?

– Compose the contents table (index table)

• Organizing the structural units

– Chapters

– Sections

– Subsections

» Helps to structure the information

• Structures the presentation of the work

• Should not be rigid

– The structure may change

» As fluid as the work!!

» Use it as a LEGO


Written communication

• The Title:

– Works as a calling card.

– It should:

• attract the reader

• be in accordance with the content

• be concise

– One line (two at most)

– Length also depends on the specificity of the presented work

• be as clear/descriptive as possible

• acronyms help, but…

• Keywords

• topics / areas that are the object of the document


Written communication

• The Abstract/Summary:

– Allows to perceive the work without the need to read the whole paper

• Research topic

• Methodology & developed work

• Obtained results

• Key conclusions

Small version of the whole paper, focusing on the key aspects

– Sometimes each chapter has a summary of its own

• In big reports/theses

• Clear exposition of the work

• Improves the levels of reading


Written communication

• The Abstract:

– A summary of the main ideas that allows the reader to perceive the whole research work presented in the paper.

• Most of the detail should be left out!

– The key trick is to plan your argument in 6 sentences:

• What's the topic?

• What's the key research question?

• Why has nobody else answered this research question?

• What’s your big new idea?

• How did you go about doing the research?

• What’s the key impact of your research?

• Use these questions to structure the entire thesis/paper!


Written communication

• Results section:

– How the results were obtained:

• Simulation

– Model(s) used

• Experimental results

– How was it measured

– Environmental and external conditions

– Comparison with the related work

• Using the same criteria/conditions

– If not possible, why and what approximations were made

– Improve the related work by more than 5-10%

• Giving a margin for simulation/measuring errors

Be impartial, thorough, clear, and critical of your own work when comparing.

- Nevertheless, you may give more focus to the positive aspects of your results!!


Written communication

• Introduction:

– Motivation for the work

– Background

– Proposed Work

– Dissertation/work objectives

– Key results

– Paper overview/organization

• Some authors prefer not to add this, particularly in smaller documents

– When/at which stage to finish writing it?

• At the end

– Only then do we have a full perspective of the developed/described work


Written communication

• Figures and tables:

– Used to illustrate concepts/results

– One picture is worth 1000 words

– It is a tool to achieve the goal, not the goal itself!

• Must be referenced and explained in the text.

– Must have a caption

• Option a: Concise and clear

– Caption = title of the picture

– The description of the picture goes in the text, not in the caption

• Option b: Descriptive

– Caption describes the image in detail. Allows the reader to get the idea without reading the text

• Legend

– Explain the symbols used (very concise)

– Avoid unnecessary complexity

– Types of figures:

• Graphics, diagrams, images, pictures


Written communication

• References:

– Inner text

– chapters, sections, appendixes, figures, equations, …

– Bibliographic:

• Use credible and scientific references from credible sources:

1. peer reviewed papers (scientific journals and conferences)

2. published books, theses

3. reports, internal reports, …

4. 'Wikipedia like' references are not adequate

– Bibliography listing:

• By order of citation

– Papers, reports

• Alphabetic

– Theses, books

• Typically defined by the publisher


Written communication

• What to put in appendix:

– Complementary information

• Important information

• Mandatory information

• Informative information

– Theoretical deductions

• To validate or prove statements in the main body

– Others

• Code

• Auxiliary figures, tables, …

Text that is not fundamental to understand the description in the main body but

required to prove statements or complement the information


Written communication

• Things to avoid:

– Chapters with 1 or 2 pages

– Section with few lines of text

– Frequent use of footnotes

• Breaks the reading flow

– Frequent information redirection

• See Chapter # / Section #

• See reference …

– Different names/designations for the same entity

– Distinct entities with the same name

– Unchecked or unsubstantiated statements

• Unproven affirmations must have a valid reference

– Undefined concepts, acronyms, etc.

– Incoherent concepts and relations


Written communication

• In conclusion:

– Be clear but specific/detailed

– Be structured but appealing

– Go to the point, avoid digressing

Remember: Levels of reading/information

» Abstract: Illustrative but short

» Main body: detailed but long


Written communication

• Acknowledgments

– Give credit to those who helped accomplishing the work

• Financial support

– Scholarships

– Equipment

– Others

• Scientific support

• Personal support

– In theses or in special cases


Acknowledgments

To professor António Serralheiro for his notes on

“Projecto/Metodologias da investigação”


Oral and visual communication

• Communicate with:

– Clarity

– Confidence

– Expressiveness

– Empathy

• Communicate in a positive fashion

– Maintain visual contact

• Without staring

– Listen to what the other people are ‘saying’

– Have a good posture

A good communication = A good deal/transaction


Oral and visual communication

• Communication effectiveness:

– Transmit a succinct but complete message

– Use supportive forms of communication

• Images/animations

• Charts / graphic representations

• Gestures

• Sounds

– Good vocal projection and diction

• Speak to the audience, not to the slides

– Adequate graphics

• Colors used

• Explicit charts and diagrams

– Make sure the message got through

• Analyze the body language

• Questions asked or not asked

• …


Oral and visual communication

• Body language (examples):

+ Hands on the hips

+ Sincere look

+ Smile

+ Slightly bend forward

+ Adequate distance from the listener

• 1 meter < L < 1.5 meters

– Looking down when speaking

– Staring at the other person

– Shoulders down

– Arms crossed

– Hands in the pockets


Oral and visual communication

• Revealing hints (examples):

– Sweaty hands → nervous

– Broken verbal fluidity → lack of preparation

– Touching the earlobe → doubt / uncertainty

– Self hand massage → lack of confidence in oneself

Beware of generalizations and assumption…

• Improving yourself:

– Practice in front of a mirror

– Rehearse with your co-workers

– Record and playback to analyze yourself

– To calm yourself: breathe deeply and slowly (discreetly)


Oral and visual communication

• Helpful techniques:

– Take notes

– Smile

• Even on the phone

– Be cordial

• Get up when saluting others

• Avoid interrupting other people's sentences

• Show interest

– Have a good posture

• Sit up straight

• Adequately dressed

– If justified use communication and marketing professionals

– Be on time

• Or even slightly earlier to make sure everything is prepared


Oral and visual communication

• Helpful techniques:

– Discreetly mimic the target.

• Dress code

• Behavior

– Keep an open mind to other ideas

– Put things in writing as soon as possible:

• Agreements

• Promises

• Decisions

– Use examples

• Beware not to lose the generality of the goal!

– Adjust the message and the communication medium

• Depending on the target

• The objective of the communication


Communicating using slides

• Communicating using slides:

– Mixture between oral and visual presentation

– Use short meaningful sentences

• As if the title of what you are saying

• Keywords

– Use illustrative figures and charts

• With simple captions / subtitles

• Complement them with an oral explanation

– Use different levels of reading

• Headings

• Different letter size

• Highlighted text / colored text

• …

– If the audience loses track of what you are talking about, they should be able to use the slides to get back on track

– The attention span of the audience is limited

• Typically 25 to 45 minutes, after this they disconnect


From: D.A.Bligh, “What’s the use of Lectures?“, Intellect books,1998.


Communicating using slides

• Content of the slides:

– Do not overload the slides with information

– Present yourself

• Especially in conferences and multiple-presentation meetings

– Describe the content of the presentation

– Put the slide(s) overall topic on the header

– Use your company/institute logo in each slide

• Discreet but constant, be known

• If appropriate also add your name

– Number each slide

– Finish the presentation with a conclusion

• Achieved goals

• Key results

• And if adequate, with future work


Communicating using slides

• When presenting:

– To large audiences:

• You may select a few people in the room to talk to

– To focus your presentation

– Perceive if the audience is getting the message

– Look and talk towards the audience

• Do not speak to the floor or the slide projection

– Use a pointing device

• Do not just point with your finger

– Properly manage the available time

• Do not finish significantly before time

• Do not use more time than the one you have

• Do not start fast and finish slow, nor vice-versa

– Adjust your presentation to the time you have available

– Speak clearly and at a controlled pace


Communicating using slides

• In conclusion:

– Be clear and illustrative

– Do not overload the audience with information

• Make them want more information!

– Slides are a complement to your verbal exposition/explanation

– Go to the point, avoid digressing

– Allow the audience to get back on track

Remember: Levels of reading and key points

Final words on research and development

Creativity & Discipline

Creativity: mostly about breaking rules

Discipline: mostly about following rules

Rules = internal consistency, mathematical correctness,

sticking with stated assumptions


Secure Positioning: From GPS to IoT

Srdjan Čapkun, Department of Computer Science, ETH Zurich

All photographs, imagery, media belong to their respective owners/creators.

Applications of (Secure) Distance Measurement/Positioning

Access control, home automation, robotics, UAVs, payments, industrial automation, Internet of Things, asset and people tracking, real-time localization.

Basic S&P (security and privacy) properties

• Spoofing resilience: the device can obtain its true location.
  [Figure: a drone receives signals from the GPS satellites while an attacker transmits a spoofing signal; the result is an incorrect location estimated by the drone.]

• One can verify the locations of others (remotely).
  [Figure: a parole officer asks an ex-inmate at home "Are you at home?"; the ex-inmate's device answers "Yes, I am at home!"; the officer wonders "Hm… how can I be sure?"]

• Location and identity privacy.

GPS security

GPS signal generators

http://www.bbc.com/news/technology-18643134
http://www.csmonitor.com/World/Middle-East/2011/1215/Exclusive-Iran-hijacked-US-drone-says-Iranian-engineer-Video

GPS positioning

[Figure: satellites at known locations L1, L2, L3, L4 transmit signals s1(t), s2(t), s3(t), s4(t); a receiver at position p measures the ranges |L1 − p|, |L2 − p|, |L3 − p|, |L4 − p|, each offset by the common receiver clock term c·δ. The same picture is drawn for terrestrial base stations BS1, BS2, BS3, BS4.]

Page 529: COST Action IC1403 Training School – Booket of ... - Cryptacus

7

ASackereithermodifiesthenaviga+onmessagecontentsormanipulatesthe+meofarrival

CivilianGPSarenotauthen+catedandcanbegeneratedORdelayedMilitaryGPSsignalscanonlybedelayed

p’ (spoofed location)

p (true location)

enlarged ranges

GPSspoofing
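To make the "enlarged ranges" picture concrete, here is an added example (written for this page; it is not code from the talk, from SPREE or from any receiver) that solves a position fix from pseudoranges and then shows what an attacker who can only delay signals, which is all that is left against military GPS, can still achieve. The satellite positions, receiver position and clock bias are constructed values, and the Gauss-Newton least-squares solver is an assumed model of how a receiver turns pseudoranges into p, not something the slide states.

```python
"""Added example (not from the slides): how delaying satellite signals shifts a GPS fix.
Geometry, receiver position and clock bias are constructed, not real ephemeris."""
import numpy as np

C = 299_792_458.0  # speed of light, m/s

# Constructed ECEF-like geometry in metres: five satellites at roughly GPS
# altitude and a receiver near the Earth's surface.
SATS = np.array([
    [15.0e6, 10.0e6, 18.0e6],
    [-5.0e6, 20.0e6, 15.0e6],
    [20.0e6, -8.0e6, 12.0e6],
    [2.0e6, 5.0e6, 25.0e6],
    [3.0e6, -20.0e6, 16.0e6],
])
P_TRUE = np.array([4.0e6, 3.0e6, 4.0e6])
CLOCK_BIAS_S = 1.0e-4  # receiver clock 100 us off GPS time (assumed value)


def pseudoranges(sats, p, clock_bias_s):
    """rho_i = |L_i - p| + c*delta: geometric range plus the common clock term."""
    return np.linalg.norm(sats - p, axis=1) + C * clock_bias_s


def solve_fix(sats, rho, iters=30):
    """Gauss-Newton least squares for (x, y, z, c*delta) from pseudoranges,
    cold-started from the Earth centre. Returns (position, clock bias in s)."""
    x = np.zeros(4)
    for _ in range(iters):
        d = np.linalg.norm(sats - x[:3], axis=1)
        predicted = d + x[3]
        # Jacobian: unit vector from each satellite towards the estimate, then 1 for the clock term
        H = np.column_stack([(x[:3] - sats) / d[:, None], np.ones(len(sats))])
        dx = np.linalg.lstsq(H, rho - predicted, rcond=None)[0]
        x += dx
        if np.linalg.norm(dx) < 1e-6:
            break
    return x[:3], x[3] / C


def apply_delays(rho, delays_s):
    """Delaying satellite i's signal by d_i seconds enlarges its pseudorange by c*d_i."""
    return rho + C * np.asarray(delays_s)


def spoofing_delays(sats, rho, target_p):
    """Per-satellite delays (seconds, all >= 0) that make the receiver solve to target_p.
    Signals can only be delayed, never advanced, so a common offset k is added; the
    receiver absorbs k into its clock bias, which is why no delay needs to be negative."""
    rho_target = np.linalg.norm(sats - target_p, axis=1)
    k = max(0.0, float(np.max(rho - rho_target)))
    return (rho_target + k - rho) / C


def demo(target_offset=(2000.0, -1500.0, 500.0)):
    """Clean fix, uniformly delayed fix, and a fix spoofed to P_TRUE + target_offset."""
    rho = pseudoranges(SATS, P_TRUE, CLOCK_BIAS_S)
    p, dt = solve_fix(SATS, rho)
    # Same delay on every satellite: only the clock term moves, the position does not.
    p_u, dt_u = solve_fix(SATS, apply_delays(rho, [5e-6] * len(SATS)))
    # Per-satellite delays chosen for a target location: the position moves there.
    target = P_TRUE + np.asarray(target_offset)
    d = spoofing_delays(SATS, rho, target)
    p_s, _ = solve_fix(SATS, apply_delays(rho, d))
    return {
        "clean_err_m": float(np.linalg.norm(p - P_TRUE)),
        "clean_bias_s": float(dt),
        "uniform_err_m": float(np.linalg.norm(p_u - P_TRUE)),
        "uniform_bias_s": float(dt_u),
        "spoofed_err_from_target_m": float(np.linalg.norm(p_s - target)),
        "min_delay_s": float(d.min()),
        "max_delay_us": float(d.max() * 1e6),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v:.6g}")
```

Note that the uniform-delay case is exactly why "messages can still be delayed" defeats navigation-message authentication: a signature proves the message is genuine, but the receiver still trusts its arrival time, and a few microseconds of per-satellite delay moves the fix by kilometres.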

Detecting GPS Spoofing

Overview of Countermeasures

• Changes to GPS/Galileo

  • Authentication of navigation messages (signatures/TESLA): doesn't help, messages can still be delayed

  • Direct Sequence Spread Spectrum (DSSS) with secret spreading codes: requires shared secret keys

  • DSSS with delayed code disclosure [Kuhn05]: delayed spreading-code disclosure delays the position calculation; doesn't solve all attacks, high-gain antennas can separate signals

*See references at the end of the talk.

• Spoofing detection without changes to GPS

  • Monitor AGC, noise level, number of satellites

  • Autocorrelation peak distortion

  • Spatial diversity (AoA, …)

[Figure: variation of noise values due to GPS spoofing; noise level in dBm over time samples.]

Seamless Takeover Attack

- Tippenhauer, Pöpper, Rasmussen, Čapkun, "On the requirements for successful GPS spoofing attacks", ACM CCS 2011.
- Nighswander, Ledvina, Diamond, Brumley, Brumley, "GPS software attacks", ACM CCS 2012.

Detecting Spoofing With a Single Receiver?

• SPoofing REsistant GPS rEceiver (SPREE), the first GPS receiver capable of detecting (up to an accuracy) all known spoofing attacks.

• A novel auxiliary peak tracking technique enables detection of seamless takeover attacks (tracks all peaks …)

• SPREE is based on GNSS-SDR and open source [2016]: www.spree-gnss.ch [MobiCom 2016]
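The "autocorrelation peak distortion" countermeasure listed above and SPREE's auxiliary peak tracking rest on the same observation: a spoofer transmitting the same spreading code shows up as a second correlation peak for that satellite, which a conventional receiver ignores because it locks onto the strongest peak only. The following added example (written for this page, not SPREE's GNSS-SDR-based code) demonstrates that snapshot check with a random ±1 chip sequence standing in for a real C/A code; the phases, amplitudes and noise level are constructed. It also shows the seamless-takeover case, where the spoofer first aligns with the authentic peak: the two merge, a single snapshot cannot separate them, and that is why SPREE tracks all peaks continuously rather than checking once.

```python
"""Added example (not SPREE's code): counting correlation peaks to spot a second
transmitter of the same spreading code. Code, phases, amplitudes and noise are constructed."""
import numpy as np

CODE_LEN = 1023  # same length as a GPS C/A code; the chips here are random, not a Gold code


def spreading_code(seed=1):
    """Random +/-1 chip sequence used in place of a real C/A code."""
    return np.random.default_rng(seed).choice([-1.0, 1.0], size=CODE_LEN)


def received_signal(code, components, noise_std=0.5, seed=2):
    """Sum of code replicas, one per (code_phase_chips, amplitude), plus Gaussian noise.
    np.roll(code, tau) places a replica at code phase tau."""
    rng = np.random.default_rng(seed)
    sig = np.zeros(len(code))
    for phase, amp in components:
        sig += amp * np.roll(code, phase)
    return sig + rng.normal(0.0, noise_std, len(code))


def correlate(code, sig):
    """Circular cross-correlation r[k] = (1/N) * sum_n sig[n] * code[n-k], via FFT.
    A replica at code phase tau with amplitude a gives r[tau] ~= a."""
    n = len(code)
    return np.real(np.fft.ifft(np.fft.fft(sig) * np.conj(np.fft.fft(code)))) / n


def correlation_peaks(corr, ratio=0.5, min_sep=2):
    """Indices of every peak above ratio * max, merging neighbouring bins into one."""
    thr = ratio * corr.max()
    peaks = []
    for i in np.flatnonzero(corr > thr):
        if peaks and i - peaks[-1] <= min_sep:
            if corr[i] > corr[peaks[-1]]:
                peaks[-1] = int(i)
            continue
        peaks.append(int(i))
    return peaks


def strongest_peak(corr):
    """What a conventional tracking loop locks onto: the single highest peak."""
    return int(np.argmax(corr))


def spoofing_suspected(code, sig):
    """Auxiliary-peak check: more than one peak for one satellite's code means a
    second transmitter of that code is present. Returns (flag, peak phases)."""
    peaks = correlation_peaks(correlate(code, sig))
    return len(peaks) > 1, peaks


if __name__ == "__main__":
    code = spreading_code()
    authentic = (100, 1.0)                     # genuine signal at code phase 100
    clean = received_signal(code, [authentic])
    print("clean   :", spoofing_suspected(code, clean))
    # Spoofer sends the same code 300 chips later and 1.5x stronger: two peaks,
    # and a conventional receiver would lock onto the spoofer's.
    spoofed = received_signal(code, [authentic, (400, 1.5)])
    print("spoofed :", spoofing_suspected(code, spoofed),
          "conventional lock at", strongest_peak(correlate(code, spoofed)))
    # Seamless takeover: spoofer first aligns with the authentic peak, so the
    # peaks merge and this single snapshot cannot tell them apart.
    aligned = received_signal(code, [authentic, (100, 1.5)])
    print("aligned :", spoofing_suspected(code, aligned))
```

The aligned case is the caveat a practitioner should keep in mind: the takeover attack in the CCS 2011 paper cited above is built precisely so that the spoofing peak starts on top of the authentic one and only then drifts away, so the check has to run over time and follow every peak, not just the one the receiver is tracking.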

Evaluation

• Our own GPS simulators

• TEXAS Spoofing Battery (TEXBAT)

  • de-facto standard of publicly available spoofing traces (includes seamless takeover attack)

• Wardriving

[Figure: GPS traces and a config file are fed into the Spoofing Resistant GPS Receiver (SPREE).]

Fig. 8. Evaluation Setup: A configuration file specified vital system parameters such as input source, source signal sampling rate and configuration of the spoofing detection module.

including those needed by the spoofing detection module. Inour evaluations, the GPS signal traces (spoofing and clean)were recorded and stored in files and later input to SPREE.First, we describe the various GPS signal traces that were usedin evaluating SPREE’s effectiveness against spoofing attacks.We then proceed to evaluate the effectiveness of each of ourspoofing detection modules against the attackers described inSection III. Finally, we summarize the results and show thatSPREE detects all spoofing attacks described in literature.

A. GPS Traces

We evaluated SPREE against three different sets of GPSsignals: (i) The Texas Spoofing Battery (TEXBAT) [17], (ii)signals recorded through our own wardriving effort and (iii)spoofing signals generated using COTS GPS simulators.

Texas Spoofing Test Battery (TEXBAT): TEXBAT [17]is a set of digital recordings containing both static anddynamic civilian GPS spoofing tests conducted by theUniversity of Texas at Austin. TEXBAT is the de-factostandard for testing spoofing resilience of GPS receivers.TEXBAT includes two clean data sets, one each for a staticand dynamic receiver setting, in addition to eight spoofingscenarios based on the location and time of the clean GPStraces. One scenario replicates the case where the attackerhas physical access to the targets antenna and can thuscompletely remove the authentic signals and replace themwith his counterfeit signals. All other scenarios perform atake-over attack where either the time or position of thetarget is spoofed. TEXBAT also includes a scenario werean security code estimation and replay (SCER) attack [16]is performed. In an SCER attack, the attacker attempts toguess the value of the navigational data bit in real time.The spoofing signals are closely code-phase aligned withthe authentic signals. However, the carrier phase alignmentof the spoofing signals with the authentic signals dependson the scenario. For example, when the attacker attemptsto spoof the victim receiver’s position or time, the carrierphase is manipulated such that the rate of change of spoofingsignal’s carrier phase equals that of the authentic signal. Intwo spoofing scenarios, the carrier phase of the spoofingsignal is also aligned to the authentic GPS signals duringthe take over. We note that, such carrier-phase alignment is

Fig. 9. Our wardriving setup with a front-end consisting of a (1) a activeconical GPS antenna and a (2) USRP N210R4. The signals were recordedusing a (3) laptop. The recording were periodically moved to an (4) externalhard disk.

possible only under controlled laboratory conditions due tothe precise cm-level position knowledge that is required bythe attacker. In other scenarios the attackers signals’ carrierphase is either proportional to the code phase change (CodePhase Proportional) or the initial phase offset between thecounterfeit signals and the authentic signals is maintainedthroughout the spoofing scenario (Frequency Lock mode). Wetest SPREE and present our results even against such a strongattacker. In addition, the TEXBAT scenarios include varyinglevels of spoofing to authentic signal power advantage. Wesummarize the properties of the TEXBAT dataset in Table III.

Wardriving: In addition to using TEXBAT scenarios, wecollected our own authentic GPS traces through an extensivewardriving effort. The setup used for recording the GPSsignals during the wardriving effort is shown in 9. The frontend of the setup consists of an active conical GPS antennawith a 25 dB gain. A bias-tee that outputs 5 V powers theantenna’s amplifier. We followed a two-step procedure torecord GPS signals. First, we used a custom script thatdetected any satellite signals present in real-time. Oncesatellite signals were detected, we switched to the recordingmode where we started recording raw signals without anyprocessing into an external hard disk. The signals wererecorded as complex signals with a sampling rate of 10 MHz.The setup itself was powered through the car’s power outlet.GPS signals were recorded at various locations over adistance of over 200 km. The locations were as follows:(i) An open field, (ii) parking lot of a small village, (iii)driving on a highway, (iv) driving inside a city, (v) inside acity with neighbouring tall buildings and (vi) inside a forestwith dense tree cover. We used the wardriving dataset toevaluate SPREE’s behaviour in a non-adversarial scenario anddetermine how reliable are the proposed spoofing detectionwith respect to false triggers.

GPS Simulator: We also evaluated SPREE against our ownspoofing signals generated using commercial off the shelfGPS simulators. Specifically we used Spectracom’s GSG-5Series advanced GPS simulator [2] in order to generate ourspoofing traces. One of the key features of the simulator

GPSSignalTraces

ResultsSoFar…

12

3

4

Page 541: COST Action IC1403 Training School – Booket of ... - Cryptacus


All spoofing attacks > 1 km detected! (peak separation clearly distinguishable from multi-path)

Detecting GPS Spoofing using Multiple Receivers

Page 542: COST Action IC1403 Training School – Booket of ... - Cryptacus

Leveraging Spatial Diversity

Attacker transmits omnidirectionally => Both R1 and R2 compute their position at V

[Figure: receivers R1 (at L1) and R2 (at L2) each receive the spoofing signals at times t1..t4 and both compute the same position V]

If d(R1,R2) is known => spoofing detection

- Tippenhauer, Pöpper, Rasmussen, Capkun, On the requirements for successful GPS spoofing attacks, ACM CCS 2011

Leveraging Spatial Diversity

[Figure: receivers R1, R2, R3 at their true locations L1, L2, L3 and at the spoofed locations L’1, L’2, L’3]

L’i are spoofed locations

“The GPS Group Spoofing Problem is the problem of finding combinations of GPS signals (sent by the attacker), transmission times (at which the spoofing signals are sent), and spoofer locations such that the location or time of each victim is spoofed to the desired location/time.”

Page 543: COST Action IC1403 Training School – Booket of ... - Cryptacus

Spa+alDiversityConstrainstheASacker

Showstheloca+onswheretheaSackercanplacespooferstosuccessfullyspoof(assumingomnidirec+onalaSacker).

[Figure 5: three 3-D plots (axes x, y, z) of possible attacker placements for (a) 2 receivers, (b) 3 receivers and (c) 4 receivers]

Figure 5: Visualization of possible attacker placements. For (a) two victims, all points on the hyperboloid are viable solutions; for (b) three victims the solutions lie on a curve (red/white intersection); and (c) for four victims only two points are viable solutions (white dots).

and $L^A_3 = (2, 2, 0)$ for the claimed satellite positions in the GPS messages. This determines three hyperboloids relative to $P_1$ and $P_2$ based on $b'_{112}$, $b'_{212}$, and $b'_{312}$.

Result 3. A necessary condition for a successful GPS group spoofing attack is that $\forall V_j, V_k, \forall s_i$: $b'_{ijk} \le |P_j P_k|$.

In other words, the difference $b'_{ijk}$ of the perceived pseudoranges of each signal $s^A_i$ at any two spoofed victim locations $L'_j$ and $L'_k$ must be smaller than or equal to the distance between the victims’ physical locations $P_j$ and $P_k$. From Equation 11 and the triangle inequality it follows that $b_{ijk} \le |P_j P_k|$. Since it must hold that $b'_{ijk} = b_{ijk}$, if $b'_{ijk} > |P_j P_k|$ for any $s_i$, then there is no possible solution for the attacker’s placement $P^A_i$. Thus we get

$$|P_j P_k| \ge |L'_j L^A_i| - |L'_k L^A_i| + \delta'_j - \delta'_k \qquad (13)$$

as a necessary condition for a successful attack.

As we know from Result 2, for two victims, all possible antenna placements for the attacker lie on a hyperboloid defined by $P_j$, $L'_j$, $\delta'_j$ and $L^A_i$. We will now extend this result to the case of three and more victims. In the following, we assume that $b'_{ijk} \le |P_j P_k|$ is fulfilled $\forall V_j, V_k$ and $\forall s_i$, i. e., it is physically possible to spoof the locations of the receivers.

Result 4. In a GPS group spoofing attack on three victims $V_1, V_2, V_3$ to specific locations $L'_j$ and time offsets $\delta'_j$, all possible attacker placements $P^A_i$ lie on the intersection of two hyperboloids defined by $b'_{i12}$, $b'_{i13}$.

This can be shown by constructing two hyperboloids using $b'_{i12}$ and $b'_{i13}$ as in Result 2. Both hyperboloids yield the possible placements of the attacker’s antennas to achieve the correct pseudorange for $V_1, V_2$ or $V_1, V_3$, respectively. Each point on the intersection of the two hyperboloids has a specific $\delta^A_i$ and is at the correct distance to all three victims. Therefore, all points of this space curve are valid $P^A_i$ to solve the group spoofing problem.

We can extend our example from Result 2 by a third victim placed at $P_3 = (1, 5, 0)$, which is spoofed to $L'_3 = (1, 1, 0)$ with $\delta'_3 = 0$. This reduces the possible locations from the hyperboloid as shown in Figure 5(a) to the intersection curve of the hyperboloids constructed using $b'_{i12}$ and $b'_{i13}$, as shown in Figure 5(b).

Result 5. In a GPS group spoofing attack on four victims $V_1, \ldots, V_4$ to specific locations $L'_j$ and time offsets $\delta'_j$, there are at most two possible placements for $P^A_i$ to impersonate a satellite at $L^A_i$. These are the intersection points of three hyperboloids defined by $b'_{i12}$, $b'_{i13}$, $b'_{i14}$.

As previously, to show this, we consider each signal $s^A_i$ separately. By computing $b'_{i12}$, $b'_{i13}$, $b'_{i14}$ (and $b'_{i11} = 0$) according to Equation 11 and setting $b_{ijk} = b'_{ijk}$, we can construct three hyperboloids. Their intersection points are possible placements for the antennas of the attacker. As the intersection of two hyperboloids yields a space curve, the intersection of three hyperboloids is an intersection of this curve with a third hyperboloid, which results in at most two points. We can also arrive at this number of solutions by considering the system of four quadratic equations based on Equation 7. These can be transformed into three linear and one quadratic equation [1], defining the solutions for the location $L^A_i$ and time offset $\delta^A_i$. As the quadratic equation has at most two solutions [1], and each of the linear equations has one unique solution, there are at most two solutions for the attacker’s position and transmission time.

This result can also be observed in our example by adding a fourth victim placed at $P_4 = (10, 0, 0)$, which is spoofed to $L'_4 = (1, 0, 0)$ with $\delta'_4 = 0$. The possible placements for the attacker’s antenna are now the intersection of the previously obtained curve with another hyperboloid, yielding two points only (Figure 5(c)).

Result 6. In a GPS group spoofing attack on five or more victims $V_1, \ldots, V_n$ to specific locations $L'_j$ and time offsets $\delta'_j$, there is at most one possible placement for $P^A_i$ to impersonate a satellite at $L^A_i$. This is the intersection point of $n - 1$ hyperboloids defined by $b'_{i12}, \ldots, b'_{i1n}$.

This result directly continues our previous reasoning: Each added victim adds another hyperboloid to the set of hyperboloids which must intersect to yield a possible $P^A_i$. For five or more receivers, the set of $(n - 1)$ linear equations and one quadratic equation is overdetermined, and therefore has at most one solution.

From Result 5, we know that for military GPS receivers, there are at most two solutions for a given combination of $P_j$, $L'_j$, $\delta'_j$, and $L^A_i = L^S_i$. For attacks on civilian GPS receivers, the attacker can influence the position of the two solutions of the system of equations by changing the claimed satellite location $L^A_i$. We will now

| n | Spoofing to one location (Civ. & Mil. GPS) | Spoofing to multiple locations (preserved formation): Civilian GPS | Spoofing to multiple locations (preserved formation): Military GPS |
|---|---|---|---|
| 1 | $P^A_i \in \mathbb{R}^3$ | - | - |
| 2 | $P^A_i \in \mathbb{R}^3$ | set of hyperboloids | one hyperboloid |
| 3 | $P^A_i \in \mathbb{R}^3$ | set of intersections of two hyperboloids | intersection of two hyperboloids |
| 4 | $P^A_i \in \mathbb{R}^3$ | set of 2 points | 2 points |
| 5 | $P^A_i \in \mathbb{R}^3$ | set of points | 1 point |

Table 2: Summary of results for the number of possible attacker locations $P^A_i$ for $n$ victims.

give an intuition where these solutions are located for a formation-preserving GPS spoofing attack.

Result 7. When spoofing a group of GPS receivers $V_1, \ldots, V_n$ such that the formation (i. e., the mutual distances and relative time offsets) is preserved, there is always at least one solution to the decisional group GPS spoofing problem.

One way to show this result is to use an affine transformation to describe the relation between physical and spoofed locations of the receivers and senders. If the formation of the victims is preserved, there exists a bijective affine augmented transformation matrix $T$ which describes this translation and rotation. Assuming that $L$ and $P$ are represented as augmented row vectors, we can therefore write $T \cdot L_j = L'_j$. Then, the inverse transformation $T^{-1}$ applied to $L^A_i$ will yield a possible antenna placement $P^A_i = T^{-1} \cdot L^A_i$, because all pseudoranges $R'_{ij}$ between $L'_j$ and $L^A_i$ and the measured range $R_{ij}$ between $P^A_i$ and $P_j$ will be the same (the transformation preserves the Euclidean distance).

As a consequence of Results 6 and 7, spoofing five or more receivers while retaining their formation has exactly one solution, an affine transformation of the claimed satellite position $L^A_i$.

Summary of results: Table 2 gives an overview of sets of possible positions $P^A_i$ for the attacker’s antenna depending on the number of victims and on the target locations: spoofing all receivers to one location or each victim to a different location with a preserved formation. The results are shown for civilian and military GPS; ‘hyperboloid’ refers to half of a two-sheeted hyperboloid. In the table we assume that the condition of Result 3 holds.

The results in Table 2 show that there are no restrictions on the attacker’s position for spoofing any number of victims to one location ($P^A_i \in \mathbb{R}^3$). With an increasing number of victims and a constant formation, the attacker is getting more and more restricted in terms of his antenna placement. For civilian GPS, the attacker has more degrees of freedom because he can select claimed (false) satellite locations $L^A_i$ and thus influence the hyperboloid, intersection of hyperboloids, etc., whereas these are fixed for military GPS (i. e., there is only one specific hyperboloid of attacker positions for each transmitted signal per pair of victims).
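To make Results 3 and 7 concrete, here is an added Python example (not code from the paper or the slides) that checks the necessary condition of Result 3 for a constructed four-receiver formation and verifies numerically that the formation-preserving placement of Result 7 reproduces every spoofed pseudorange. The pseudorange model R'_ij = |L'_j L^A_i| + δ'_j (offsets already in metres) and all coordinates are assumptions, since Equation 11 itself is not reproduced on this page.

```python
import math
from itertools import combinations

# Constructed example, not the paper's own code. Notation follows the paper:
# P_j physical victim locations, L'_j spoofed locations, delta'_j spoofed time
# offsets (already multiplied by c, so in metres), L^A_i the satellite location
# claimed in signal s_i. Assumption: the perceived pseudorange is
# R'_ij = |L'_j L^A_i| + delta'_j, so b'_ijk = R'_ij - R'_ik.


def dist(a, b):
    """Euclidean distance between two 3-D points."""
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))


def pseudorange_diff(sat, spoofed, offsets, j, k):
    """b'_ijk: difference of the perceived pseudoranges of one signal at the
    spoofed locations of victims j and k."""
    return (dist(spoofed[j], sat) + offsets[j]) - (dist(spoofed[k], sat) + offsets[k])


def result3_violations(sats, physical, spoofed, offsets):
    """Result 3 check: every (signal, victim pair) with |b'_ijk| > |P_j P_k|.
    Such a pair admits no attacker placement P^A_i at all, so the spoofing
    target is geometrically infeasible for this receiver formation.
    (The absolute value covers both orderings j,k and k,j.)"""
    bad = []
    for i, sat in enumerate(sats):
        for j, k in combinations(range(len(physical)), 2):
            b = pseudorange_diff(sat, spoofed, offsets, j, k)
            if abs(b) > dist(physical[j], physical[k]) + 1e-9:
                bad.append((i, j, k))
    return bad


def rigid_transform(theta, translation):
    """Rotation about the z axis by theta followed by a translation, i.e. the
    formation-preserving affine map T of Result 7, and its inverse."""
    c, s = math.cos(theta), math.sin(theta)
    tx, ty, tz = translation

    def apply(p):
        x, y, z = p
        return (c * x - s * y + tx, s * x + c * y + ty, z + tz)

    def invert(p):
        x, y, z = p[0] - tx, p[1] - ty, p[2] - tz
        return (c * x + s * y, -s * x + c * y, z)

    return apply, invert


def result7_placement(physical, theta, translation, sat):
    """Result 7: if L'_j = T(P_j) for all victims, then P^A_i = T^{-1}(L^A_i)
    reproduces every spoofed pseudorange. Returns that placement and the
    largest | |P_j P^A_i| - |L'_j L^A_i| | over the victims (ideally 0)."""
    apply, invert = rigid_transform(theta, translation)
    spoofed = [apply(p) for p in physical]
    placement = invert(sat)
    err = max(abs(dist(p, placement) - dist(l, sat)) for p, l in zip(physical, spoofed))
    return placement, err


# Constructed receiver formation: a 10 m square on the ground (metres).
SQUARE = [(0.0, 0.0, 0.0), (10.0, 0.0, 0.0), (0.0, 10.0, 0.0), (10.0, 10.0, 0.0)]


def same_location_case():
    """All four victims spoofed to one location: b'_ijk = 0 for every pair,
    so Result 3 never fails (Table 2: P^A_i in R^3)."""
    target = [(500.0, 500.0, 0.0)] * 4
    return result3_violations([(1000.0, 0.0, 0.0)], SQUARE, target, [0.0] * 4)


def spread_formation_case():
    """Victims 10 m apart spoofed to a 100 m square while the claimed satellite
    is only 1 km away: the pseudorange differences exceed the physical spacing
    for several pairs, so no placement exists for this signal."""
    target = [(0.0, 0.0, 0.0), (100.0, 0.0, 0.0), (0.0, 100.0, 0.0), (100.0, 100.0, 0.0)]
    return result3_violations([(1000.0, 0.0, 0.0)], SQUARE, target, [0.0] * 4)


if __name__ == "__main__":
    print("same location, violations:", same_location_case())
    print("spread formation, violations:", spread_formation_case())
    placement, err = result7_placement(
        SQUARE, math.radians(30), (2000.0, -500.0, 0.0), (15000.0, 3000.0, 20000.0))
    print("Result 7 placement:", placement, "max pseudorange error:", err)
```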

5. EXPERIMENTS ON SATELLITE-LOCK TAKEOVER

A GPS spoofing attack in the presence of legitimate GPS satellite signals requires the attacker to make the victim stop receiving signals from the legitimate satellites and start receiving the attacker’s

Figure 6: The experimental setup.

signals. If this takeover is noticed by the victim, e. g. because the victim suddenly loses contact to previously seen satellites, it can detect the spoofing attack. While the victim might lose contact due to random noise or environmental changes, the attacker ideally should take over without being noticed. We say that the receiver has a lock on a specific transmitter when it is already receiving data from that satellite. The satellite lock makes spoofing attacks harder since a spoofing signal is likely to be misaligned (in phase, Doppler shift, or data content) to the legitimate signal. When the attacker’s signal is turned on, this momentary interruption in the data-flow from that satellite could cause the victim to be temporarily unable to compute his position. Therefore, we now investigate how the attacker can take over the victim’s lock without the victim losing the ability to calculate its position, even for a moment.

In Section 3 we assumed a strong attacker, who is always able to generate signals with perfect timing and power level, and who has perfect knowledge of his own and the victim’s position. In a practical attack, many of these assumptions might be invalid. We conduct experiments to evaluate the influence of such imperfections. Because we do not change the claimed location of the satellite in the data sent by the attacker, all discussed imperfections should apply equally for military and public GPS receivers.

5.1 Experimental Setup and Procedure

In our experiments, the spoofing signals and the legitimate GPS signals are sent over a cable to eliminate the influence of the transmission channel. This enables us to measure the unique influence of the parameters of interest while disregarding channel and antenna noise.

We conduct the lock takeover attacks using a Spirent GSS7700 GPS simulator (see Figure 6). The GPS signal simulator is a hardware device that generates GPS signals and is controlled by a dedicated simulation PC running the SimGen simulation software package [20]. The GSS7700 GPS simulator generates two independent GPS constellations with up to 16 satellites in each. One constellation is simulating the signals from the legitimate GPS satellites, and the other is simulating the attacker’s signals. Both are mixed together and sent to the GPS receiver via a wired connection. The GPS receiver in our experiments is an Antaris evaluation kit by u-blox, containing the ATR0600 GPS chip from Atmel.

At the start of each experiment, we send only the legitimate GPS signals for a static location. We reset the GPS receiver to make sure all experiments are independent and no internal state is kept from a previous experiment. After about 30 seconds the GPS receiver will lock on to enough satellites to be able to calculate a stable position. This position is the legitimate position $L$ and the goal of the attacker is now to move the victim to a new location $L'$ such that (i) the victim is continuously able to compute its position and (ii) no noticeable discontinuities in the location occur.


Page 544: COST Action IC1403 Training School – Booket of ... - Cryptacus

Broadcast systems like GPS cannot be fully secured (ASSUMING A STRONG ATTACKER)!!!

GPS Spoofing can be Prevented in a number of Scenarios but…

[Figure: true location p, spoofed location p’, enlarged ranges]

• Secure positioning requires either:
  • bidirectional communication or
  • communication from the device to the infrastructure (i.e., HIDDEN BASE STATIONS)

Back to Earth: IoT Positioning

i.e., (using bidirectional communication to secure positioning)

Page 545: COST Action IC1403 Training School – Booket of ... - Cryptacus



Page 546: COST Action IC1403 Training School – Booket of ... - Cryptacus

Secure Distance Measurement

Secure Distance Measurement:
- Measuring a correct distance (bound) between two devices in the presence of an attacker.
- Typically, secure proximity verification.

[Figure: devices A and B with an attacker M between them]

Secure Proximity Detection: Attacker cannot convince A and B that they are closer than they are. (i.e., distance upper bound)

[DB] Stefan Brands, David Chaum: Distance-bounding protocols, Eurocrypt 1993

[Desmedt88] Desmedt, Y.: Major security problems with the ’unforgeable’ (Feige)-Fiat-Shamir proofs of identity and how to overcome them. In: SecuriCom 1988

Other Properties

Distance Fraud
• dishonest prover pretends to be closer to the verifier than it is

Mafia Fraud (WE MAINLY DISCUSS THIS)
• honest prover
• attacker convinces verifier and prover that they are closer than they truly are

Page 547: COST Action IC1403 Training School – Booket of ... - Cryptacus


Proximity-Based Authorization and Access Control

Example applications:
• If key fob close (1 m) to the car/door => unlock the car/door
• If laptop close (1 m) to the access point => allow network access
• If phone in the building/room => allow access to data
• If phone/card close (20 cm) to the terminal => execute payment
• If bracelet close (10 cm) to the gun => allow the gun to be fired
• If two devices close (10 cm) => establish keys

Intuitive, non-interactive and secure approach to authorizing access to physical spaces, data and to the execution of services.

Page 548: COST Action IC1403 Training School – Booket of ... - Cryptacus


Attack: Passive Keyless Entry and Start Systems

THE KEYLESS ACCESS WORLD problem

[Figure: car and key fob sharing the key K]

Fresh Challenge (LF, 120-135 kHz): short range (< 2 m)

Authentic Reply (UHF, 315-433 MHz): long range (< 100 m)

If:
- correct key K is used
- reply within MaxDelay

then:
- open door / start car

[DA11] A. Francillon, B. Danev, S. Capkun, Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars, NDSS 2011

Page 549: COST Action IC1403 Training School – Booket of ... - Cryptacus


Page 550: COST Action IC1403 Training School – Booket of ... - Cryptacus
Page 551: COST Action IC1403 Training School – Booket of ... - Cryptacus

How To Secure Distance Measurement?

We need
- an authenticated distance bounding protocol:
  - a distance measurement technique (that provides good range and precision)
  - physical layer / distance measurement that is secure against all attacks
  - low power / complexity of implementation

[Figure: verifier V and prover P. V sends its challenge at time ts; P replies with f(NP, NV) after a processing time tp; V receives the reply at time tr; an authentication phase follows]

d = (tr - ts - tp) c / 2

tp << tr - ts

How To Secure Distance Measurement?

Main idea: Measure the distance between V and P + Authenticate Messages

IDM = Indirect Distance Measurement (no Time-of-Flight)
- NFC/RFID (e.g., ISO)
- RSSI measurement (e.g., WiFi, Bluetooth, 802.15.4)
- Phase (multi-carrier) measurement (e.g., Atmel AT86RF233)
- FMCW (Frequency-Modulated Continuous-Wave)
- AoA (Angle of Arrival) measurement (e.g., Bluetooth 5.0)

Direct Distance Measurement (Time-of-Flight)
- Chirp Spread Spectrum (802.15.4a, ISO/IEC 24730-5, NanoLOC)
- Ultra Wide Band (UWB)
  • 802.15.4a UWB
  • 802.15.4f UWB (single pulse per bit) and multi-pulse per bit [Singh17]

[Ran17] A. Ranganathan, S. Capkun, Are We Really Close? Verifying Proximity in Wireless Systems, IEEE Security & Privacy Magazine, May-June 2017 (overview)

Page 552: COST Action IC1403 Training School – Booket of ... - Cryptacus

Secure Distance Measurement: Physical Layer Attacks

Attacker reduces the measured distance! By
- advancing the arrival of the signal (or directly changing its features) (a)
- injecting signals to change the ToA estimate (b, c)

Simple Relay, Phase Relay, Signal Amplification, Early Detect/Late Commit, Cicada, Preamble Advance, …

Secure Distance Measurement: Attacks

Early Detect/Late Commit Attack

[CL06] J. Clulow, G.P. Hancke, M.G. Kuhn, T. Moore, So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks, ESAS 2006

Page 553: COST Action IC1403 Training School – Booket of ... - Cryptacus

How To Secure Distance Measurement? [Singh17]

Physical Layer

We know: long symbols (from a small symbol space) => ED/LC and Cicada attacks

Two options to counter attacks:

- short symbols (ToA over 1 pulse => short range)
  • 1 UWB pulse per bit => fully secure (attacker can cheat within the width of the pulse)

- long symbols (ToA over sequence => long range)
  • randomized symbols
  • UWB with pulse reordering: interleaving of multi-pulse symbols [Singh17]

Page 554: COST Action IC1403 Training School – Booket of ... - Cryptacus

So We Need to Do “Rapid Bit Exchange”?

MANY PROTOCOLS DESIGNED AND MODELS DEVELOPED UNDER THIS ASSUMPTION, IMPLYING LIMITED RANGE AND APPLICABILITY OF THESE PROTOCOLS / SYSTEMS

How To Secure Distance Measurement with Long Symbols? [Singh17]

WITH PULSE REORDERING, WE CAN HAVE “ARBITRARY RANGE”

Page 555: COST Action IC1403 Training School – Booket of ... - Cryptacus

How To Secure Distance Measurement? [Singh17]

Security [Singh17]

Support for Both Trusted and Untrusted Prover

Trusted Prover is trivially supported:
• Prover decodes UWB PR sequences
• Computes a reply (fixed time computation)
• Replies

Untrusted Prover:
• Prover replies “blindly” to pulses (similar to CRCS [Rasmussen10])
• No “real time” decoding at the prover
• Verifier decodes the UWB PR sequences

[Figure: the V / P distance-bounding exchange (ts, tr, tp, f(NP, NV), authentication) from the earlier slide]

(illustration - different protocols can be supported)

Page 556: COST Action IC1403 Training School – Booket of ... - Cryptacus

How To Secure Distance Measurement? [Singh17]

Technology and Implementation

Physical layer that supports distance measurement and is secure against all attacks
- Based on UWB 802.15.4f, 500 MHz - 1 GHz bandwidth
- Round trip time of flight

Current implementation:
• 150-200 m (LoS) range, 15 cm precision
• 1 ms per measurement
• Low power

Using long symbols with Reordering, range can be extended “arbitrarily” (trading off time of measurement) (in contrast to past implementations that have limited range)

[Singh17] M. Singh, P. Leu, S. Capkun, UWB with Pulse Reordering: Securing Ranging against Relay and Physical Layer Attacks, ePrint Archive, 2017

With 3DB technologies (https://www.3db-access.com)

Page 557: COST Action IC1403 Training School – Booket of ... - Cryptacus

Do we Need Rapid Bit Exchange?

[Figure: the V / P distance-bounding exchange (ts, tr, tp, f(NP, NV), authentication) from the earlier slide]

No - single round distance measurement over a single message is both secure and preferable.

THIS SIMPLIFIES PROTOCOL DESIGN AND ANALYSIS AND INCREASES THE RANGE AND APPLICATION SPACE

(illustration - different protocols can be supported)


Page 558: COST Action IC1403 Training School – Booket of ... - Cryptacus

Now that we can do secure distance measurement with "unlimited range" (i.e., attacker cannot reduce the measured distance) => Secure Positioning through Verifiable Multilateration [Cap05]

Secure Positioning

[Figure: verifiers V1, V2, V3 measure distances d1, d2, d3 to the prover P inside the verification triangle; a claimed position P' would require distance d2' to V2; P → P' => d2' < d2]

[Cap05] S. Capkun, J.P. Hubaux, Secure positioning in wireless networks, JSAC 2006 / INFOCOM 2005
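As an added worked example (not code from [Cap05] or from these slides): the round-trip formula d = (tr - ts - tp) c / 2 and verifiable multilateration in Python. The verifier layout, the prover positions and the 0.5 m consistency tolerance are constructed assumptions. The example checks three things the figure only sketches: an honest prover inside the triangle is located correctly; enlarging a single measured distance makes the three bounds inconsistent and is rejected; and moving to any other point inside the triangle would require shortening at least one distance, which secure ranging prevents.

```python
# Added example for illustration; it is not code from [Cap05] or the slides.
# It combines the round-trip distance formula d = (tr - ts - tp) c / 2 with
# verifiable multilateration: three verifiers measure distances to the prover,
# and the position is accepted only if it is consistent with all three and
# lies inside the verification triangle. Because secure ranging lets an
# attacker only enlarge a measured distance (never reduce it), no position
# inside the triangle can be spoofed. Coordinates are metres, constructed.
import math

SPEED_OF_LIGHT = 299_792_458.0  # m/s


def measured_distance(t_s, t_r, t_p):
    """Distance from one round trip: challenge sent at ts, reply received at tr,
    prover processing time tp (tp << tr - ts)."""
    return (t_r - t_s - t_p) * SPEED_OF_LIGHT / 2.0


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def multilaterate(verifiers, distances):
    """Position from three verifier positions and distances. Subtracting the
    first circle equation from the other two gives a 2x2 linear system."""
    (x1, y1), (x2, y2), (x3, y3) = verifiers
    r1, r2, r3 = distances
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("verifiers must not be collinear")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det)


def inside_triangle(p, tri):
    """Point-in-triangle test: p is inside if it lies on the same side of all
    three edges."""
    def side(a, b):
        return (b[0] - a[0]) * (p[1] - a[1]) - (b[1] - a[1]) * (p[0] - a[0])
    s = [side(tri[0], tri[1]), side(tri[1], tri[2]), side(tri[2], tri[0])]
    return all(v >= 0 for v in s) or all(v <= 0 for v in s)


def verify_position(verifiers, distances, tolerance=0.5):
    """Verifiable multilateration: return the position if the three distance
    bounds are mutually consistent and the point is inside the triangle,
    otherwise None (tolerance in metres, an assumed value)."""
    p = multilaterate(verifiers, distances)
    consistent = all(abs(dist(p, v) - d) <= tolerance
                     for v, d in zip(verifiers, distances))
    return p if consistent and inside_triangle(p, verifiers) else None


def enlargement_only_feasible(true_pos, claimed_pos, verifiers):
    """Could a prover at true_pos make the verifiers compute claimed_pos when
    it can only make each measured distance larger? Only if every distance
    to the claimed position is at least the true one (the P -> P' => d2' < d2
    case on the slide is exactly the infeasible one)."""
    return all(dist(claimed_pos, v) >= dist(true_pos, v) - 1e-9 for v in verifiers)


def any_move_shortens_a_distance(p, verifiers, step=1.0, directions=360):
    """True if every sampled small displacement of p brings it closer to at
    least one verifier; this holds for points strictly inside the triangle."""
    for k in range(directions):
        ang = 2 * math.pi * k / directions
        q = (p[0] + step * math.cos(ang), p[1] + step * math.sin(ang))
        if not any(dist(q, v) < dist(p, v) for v in verifiers):
            return False
    return True


VERIFIERS = [(0.0, 0.0), (100.0, 0.0), (50.0, 86.6)]   # constructed layout

if __name__ == "__main__":
    true_p = (50.0, 30.0)
    honest = [dist(true_p, v) for v in VERIFIERS]
    print("honest prover   :", verify_position(VERIFIERS, honest))
    # Enlarging only d2 makes the three bounds inconsistent -> rejected.
    print("d2 enlarged     :", verify_position(VERIFIERS, [honest[0], honest[1] + 10.0, honest[2]]))
    # Claiming another point inside the triangle would need some d_i' < d_i.
    print("spoof to (40,40):", enlargement_only_feasible(true_p, (40.0, 40.0), VERIFIERS))
```

The last check is the heart of the argument: for a point outside the triangle (for example far to the right of it) there is a direction that moves away from all three verifiers at once, so enlarging all distances lets a prover claim a more distant position, but such a position is rejected by the triangle test; for a point inside, every displacement shortens some distance, which the ranging primitive does not allow.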

Implications for Past Research / Assumptions Made in the Community


Some Comments on the Assumptions Made in the Community

- Is rapid bit exchange needed for distance bounding? No. We show that multi-bit nonces can also be used. Rapid bit exchange also requires more time, since the round trip time measurement is executed several times.

- Are protocols based on multi-bit nonces insecure? No, unless one uses an "insecure" physical layer.

- Is the distance measured on 'individual bits'? No. For robustness/performance, distance is typically measured over a series of symbols and bits. Actually, typically it is measured over a preamble and then verified over the data (Distance Commitment).

- Does Rapid Bit Exchange improve the Robustness? Do we need "robust" rapid bit exchange? Not really: if bits are encoded as long sequences of pulses, there is enough robustness to compensate for failures on the channel.

Were Brands and Chaum [BC] and [CL06] Right?

[BC]:
- use rapid bit exchange

[CL06]:
- use rapid bit exchange (multi-bit challenge-response is insecure)
- use 1 (UWB) symbol per bit
- specific protocols that use multi-bit challenge-responses are insecure

Our work [Singh17] shows that
- Multi-pulse per bit symbols can be secure
- Multi-bit challenge response can be secure
- Protocols that were claimed to be vulnerable in [CL06] are secure

[Singh17] M. Singh, P. Leu, S. Capkun, UWB with Pulse Reordering: Securing Ranging against Relay and Physical Layer Attacks, ePrint Archive, 2017

[CL06] J. Clulow, G.P. Hancke, M.G. Kuhn, T. Moore, So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks, ESAS 2006


Clulow et al. [CL06] - ED/LC attacks

"We show that proposed distance-bounding protocols of Hu, Perrig and Johnson (2003), Sastry, Shankar and Wagner (2003), and Čapkun and Hubaux (2005, 2006) are vulnerable to a guessing attack where the malicious prover preemptively transmits guessed values for a number of response bits."

and

"We propose a number of principles to adhere to when implementing distance-bounding systems. These restrict the choice of communication medium to speed-of-light channels, the communication format to single bit exchanges for timing, symbol length to narrow (ultrawideband) pulses, and protocols to error-tolerant versions. These restrictions increase the technical challenge of implementing secure distance bounding."

Based on our results, these conclusions do not hold.

[CL06] J. Clulow, G.P. Hancke, M.G. Kuhn, T. Moore, So Near and Yet So Far: Distance-Bounding Attacks in Wireless Networks, ESAS 2006

Were Brands and Chaum [BC] and [CL06] Right?

[CL06]:
• multi-bit challenge-response distance bounding and the protocols of Hu/Perrig/Johnson, Sastry/Shankar and Capkun/Hubaux that use them are vulnerable to ED/LC attacks
Our work [Singh17] shows that this is not correct:
• multi-bit constructions and therefore the above protocols are secure if an appropriate physical layer is chosen.
• None of these protocols assumed a particular physical layer and therefore the attacks claimed in [CL06] do not hold except under the physical layer assumed in [CL06].

[CL06]:
• Symbol length is restricted to single UWB pulses and protocols to error tolerant versions
Our work [Singh17] shows that this is not correct:
• Multi-pulse and multi-bit constructions are possible (and preferable)
• Error tolerance is not necessary at the protocol level, as it follows from the robust physical layer

[Singh17] M. Singh, P. Leu, S. Capkun, UWB with Pulse Reordering: Securing Ranging against Relay and Physical Layer Attacks, ePrint Archive, 2017


Direct Time Measurement vs "Distance Commitment"

Allows for the prover to respond before it even decodes the received symbol/bit. [Tipp15, Singh17] => distance fraud can be implemented with multi-pulse symbols and multi-bit nonces

Do we Need Rapid Bit Exchange?

[Figure: the same round-trip protocol diagram; d = (tr - ts - tp) c / 2, with tp << tr - ts]

No - single round distance measurement over a single message is both secure and preferable.

(illustration - different protocols can be supported)


Other uses of proximity: Leveraging Proximity for On-line Authentication

2nd Factor Authentication

• Interactive:
  • OTP (SMS, RSA SecurID), PhotoTAN
  • Google Two Step, Duo Security, Encap Security push message to phone, ...

• Non-interactive:
  • If 2nd factor device is close to PC => authenticate
  • Enables continuous authentication


How to Detect Proximity to the Phone?

Design goal: Usability and deployability

• Phone needs to detect if it is close to the laptop on which the user is opening a browser session to the server.

• But browsers are sandboxed => no access to WiFi, BT, ... (opening up now)

• We don't want additional SW, browser extensions, plugins, ...


Sound-Proof: Leveraging Sound to Establish Proximity

• Access to microphone supported by all major browsers
  • Access granted by user per domain
  • Permanent or per-session

• Phone and Server Script can
  • communicate => check proximity.
  • record ambient noise => check proximity.

Sound-Proof: Basic Idea

[Figure: login flow between browser, server and phone]
1. Username, password
2. Transmit and Record
   Similarity score s + additional checks (ML/AI)
3. Login authorization

• communicate to check proximity (near-ultrasound)
• record ambient noise to check proximity (ambient sound)
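As an added example of the similarity score s in the flow above (not Sound-Proof's own code): a simplified score computed as the maximum normalized cross-correlation between the browser's and the phone's recordings over a short lag window, which is what makes two recordings of the same room score high and two recordings of different rooms score low. The sample rate, lag window, threshold and the noise signals are constructed assumptions; the real system's per-band analysis and its additional checks are not modelled.

```python
# Added example for illustration; it is not Sound-Proof's own code.
# A simplified similarity score between the browser's and the phone's
# recordings of ambient noise: the maximum normalized cross-correlation
# over a small lag window (to absorb clock offset and acoustic delay).
# Sample rate, threshold and all signals below are constructed assumptions.
import math
import random

SAMPLE_RATE = 1000      # Hz (constructed; kept low so pure Python stays fast)
MAX_LAG_MS = 50         # tolerate up to 50 ms of offset between the two recordings
THRESHOLD = 0.5         # accept as "same room" at or above this score (assumed)


def _normalize(samples):
    """Remove the mean and scale to unit energy so the score lies in [-1, 1]."""
    mean = sum(samples) / len(samples)
    centred = [v - mean for v in samples]
    norm = math.sqrt(sum(v * v for v in centred)) or 1.0
    return [v / norm for v in centred]


def similarity_score(rec_a, rec_b, max_lag):
    """Return (best score, best lag). A positive lag means rec_b is delayed
    by that many samples relative to rec_a."""
    a, b = _normalize(rec_a), _normalize(rec_b)
    n = min(len(a), len(b))
    best_score, best_lag = -1.0, 0
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            pairs = zip(a[:n - lag], b[lag:n])
        else:
            pairs = zip(a[-lag:n], b[:n + lag])
        score = sum(x * y for x, y in pairs)
        if score > best_score:
            best_score, best_lag = score, lag
    return best_score, best_lag


def proximity_decision(browser_rec, phone_rec):
    """The server-side check: compare the two recordings and decide."""
    max_lag = MAX_LAG_MS * SAMPLE_RATE // 1000
    score, lag = similarity_score(browser_rec, phone_rec, max_lag)
    return score, lag, score >= THRESHOLD


# --- constructed test signals (no real audio is involved) ---------------
def ambient_noise(n, seed):
    """Stand-in for room noise: seeded Gaussian samples."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def record_near(source, delay, mic_noise, seed):
    """What a phone in the same room would hear: the same noise, arriving
    `delay` samples later, plus its own microphone noise."""
    rng = random.Random(seed)
    return [0.0] * delay + [v + rng.gauss(0.0, mic_noise)
                            for v in source[:len(source) - delay]]


if __name__ == "__main__":
    room = ambient_noise(2 * SAMPLE_RATE, seed=1)   # 2 s heard by the browser
    phone_same_room = record_near(room, delay=7, mic_noise=0.3, seed=2)
    phone_elsewhere = ambient_noise(2 * SAMPLE_RATE, seed=3)
    print("same room :", proximity_decision(room, phone_same_room))
    print("elsewhere :", proximity_decision(room, phone_elsewhere))
```

The lag window is the security-relevant parameter: it must be wide enough to absorb clock offset and the acoustic path between laptop and phone, but a recording from a different room will not correlate at any lag, so widening it only slightly raises the noise floor of the score.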


Sound-Proof

• Easy and fast for end-users (5 seconds to authenticate)
• Continuous Authentication
• Zero interaction
• Works well in a wide range of environments (even when phone in pocket/purse)
• Deployable: Compatible with smartphones and major browsers without plugins
• Easy integration with backend


Acknowledgements (in random order):

• Mridula Singh • Patrick Leu • Aanjhan Ranganathan • Boris Danev • Nils Tippenhauer • Kasper Rasmussen • Christina Popper • Nikos Karapanos • Claudio Soriente • Claudio Marforio • Hildur Olafsdottir ...

More Information

• www.zisc.ethz.ch
• https://securepositioning.com/

[email protected]