Unformatted text preview: MING ATTACKS
s Well, normally not : 28 × 7 + 10 × 10 = 296 is an even number and
10 × 7 + 28 × 10 = 350 is also even… s However, just by monitoring the time it takes to give
the answer (the mental calculation leading to 296 is
more complicated than the one leading to 350) one
can tell where each amount is! 24 Rennes presentation CONCLUSION
s The external monitoring
processing time may leak
external world (e.g. credit 25 of power consumption or
secret information to the
keys, PINs etc). Rennes presentation DPA’s Principle
Key x Message
Mi Cryptographic
Algorithm Ciphertext Power Consumption Waveform Pi 26 Rennes presentation Ci DPA is statistical test
s Inputs :
x a batch of data acquisitions for various inputs Mk 0 1 k x the messages Mk
dfdsffb fdgcxv lklkjlsdq M0 M1 Mk x the 256 possible values of some byte xi in the key x 0
27 1 255 2
Rennes presentation The Idea (very important slide)
s The encryption algorithm (not it’s source code!) is known to
the hacker, the key x is not.
s To produce Ck the device must begin, at some point in time,
to mix Mk with the unknown key x.
s Since the device is an 8bit microcontroller, at this point in
time the operation performed must be:
result=operation(function(Mk),function(x))
s Where:
x result and function(x) are bytes.
x blue formula parts are known to hacker, reds are not.
s Let D be one of the bits (say bit 5) of result 28 Rennes presentation Differential Power Analysis
s For function(x)=0 to 255 repeat the following: function(x) D D=0  D=1 n
1
0 lklkjlsdq
fdgcxv
Mn
dfdsffb
M1
M0 Average 29 Rennes presentation DPA For a Wrong Guess
D=1
D=1
Average 1 D=0
D=0
Average 0 Average 1  Average 0
30 Rennes presentation No DPA peak DPA For a Right Guess
D=1
D=1
Average 1 D=0
D=0
Average 0 DPA peak Average 1  Average 0
31 Rennes presentation Guess Selection
s Choosing the right guess for function(x) 0 32 2n1 1 Rennes presentation Propagating the blue
s After selecting the good guess, function(x) becomes function(x), iterate
on next red bytes, turn them to blue and progressively recover the
whole key.
s Bonus: not only we get the secret key, we also learn where each byte
is created i.e. reverse engineer to some extent...
View
Full
Document
 Fall '10
 ALIULGER
 Cryptography, power analysis, DPA, Side channel attack, Rennes presentation

Click to edit the document details