1

Introduction to Information Security0368-3065, Spring 2015

Lecture 8:Side-channel key extraction from PCs

Guest lecturer:Daniel Genkin

Slides credit:John Mitchell, Stanford

2

Side-channel key extraction from PCs“Who by sound and who by ground,

who by pin and who by skin”

Daniel GenkinTechnion and Tel Aviv University

Eran TromerTel Aviv University

Laboratory for Experimental Information Security

Adi ShamirWeizmann Institute of Science

joint work with

Itamar PipmanTel Aviv University

Lev PachmanovTel Aviv University

3

Side channel attacks

electromagneticacoustic

probing

opticalpower

CPUarchitecture

4

Acoustic emanations

5

Acoustic emanations from PCs

• Noisy electrical components in the voltage regulator

• Commonly known as “coil-whine’’ but also originates from capacitors

Bzzzzzz

6

Experimental setup (example)

target

microphoneamplifier

attacker

digitizer

7

Demo: distinguishing instructions

8

Distinguishing various CPU operations [Shamir Tromer 04]

1sec

frequency

time

280kHz

9

Traditional side channel attacks methodology

1. Grab/borrow/steal device2. Find key-dependent instruction3. Record emanations using

high-bandwidth equipment(> clock rate , PC: >2GHz)

4. Obtain traces5. Signal and cryptanalytic analysis 6. Recover key

for i=1…2048sqr(…)if key[i]=1

mul(…)

Hard for PCs

10

1. Grab/borrow/steal device2. Find key-dependent instruction3. Record emanations using

high-bandwidth equipment(> clock rate , PC: >2GHz)

4. Obtain traces5. Signal and cryptanalytic analysis 6. Recover key

Traditional side channel attacks methodology

Hard for PCs

Not handed out

vs.

Measuring a 2GHz PC requires expansive and bulky equipment (compared to a 100 MHz smart card)

vs.

100,000$

1,000$

Complex electronicsrunning complicated software (in parallel)

vs.

11

Acoustic Leakage of RSA

12

Definitions (RSA)

Key setup

• sk: random primes 𝑝𝑝, 𝑞𝑞,

private exponent 𝑑𝑑

• pk: 𝑛𝑛 = 𝑝𝑝𝑞𝑞, public

exponent 𝑒𝑒

Encryption𝑐𝑐 = 𝑚𝑚𝑒𝑒 𝑚𝑚𝑚𝑚𝑑𝑑 𝑛𝑛

Decryption

𝑚𝑚 = 𝑐𝑐𝑑𝑑 𝑚𝑚𝑚𝑚𝑑𝑑 𝑛𝑛A quicker way used by most implementations

𝑚𝑚𝑝𝑝 = 𝑐𝑐𝑑𝑑𝑝𝑝 𝑚𝑚𝑚𝑚𝑑𝑑 𝑝𝑝𝑚𝑚𝑞𝑞 = 𝑐𝑐𝑑𝑑𝑞𝑞 𝑚𝑚𝑚𝑚𝑑𝑑 𝑞𝑞

Obtain 𝑚𝑚 using Chinese Remainder Theorem

13

mod qmod p

GnuPG RSA key distinguishability [Shamir Tromer 04]

sound of the keys(after frequency downshifting and filtering)

frequency

time

14

Key Extraction

15

Our results: acoustic RSA key extraction

• Low-bandwidth cryptanalytic attacks– 50 kHz bandwidth to attack a 2 GHz CPU– Inexpensive equipment

• Common cryptographic software– GnuPG 1.4.15 (CVE 2013-4576)– Worked with GnuPG developers

to mitigate the attack

• Applicable to various laptop models

16

Amplifying the key dependency

• Difficulties when attacking RSA – 2GHz CPU speed vs. 50kHz measurements– Cannot rely on a single key-dependent instruction

• New idea: leakage self-amplificationabuse algorithm’s own code to amplify its own leakage!– Craft suitable cipher-texts to affect the code inside inner-most loop – Small differences in repeated inner-most loops cause a big overall

difference in code behavior– Measure acoustic leakage

17

An adaptive chosen-ciphertext attack

�0 𝑖𝑖𝑖𝑖 𝑐𝑐 > 𝑞𝑞1 𝑖𝑖𝑖𝑖 𝑐𝑐 ≤ 𝑞𝑞

𝑐𝑐 = . . . . . . 111 … 1

𝑞𝑞 = 1? ? ? ? ? ? ? …

1111...1

1000…01

𝑞𝑞 = 11? ? ? ? ? ? …

0

𝑞𝑞 = 110? ? ? ? ? …

𝑐𝑐 = 10111111…

𝑐𝑐 = 11011111…

Bit-distinguisher oracle

𝑞𝑞 = 11011010 …

18

An adaptive chosen-ciphertext attack

�0 𝑖𝑖𝑖𝑖 𝑐𝑐 > 𝑞𝑞1 𝑖𝑖𝑖𝑖 𝑐𝑐 ≤ 𝑞𝑞

𝑐𝑐 = . . . . . . 111 … 1Total #measurements:

𝐾𝐾𝑒𝑒𝐾𝐾 𝑠𝑠𝑖𝑖𝑠𝑠𝑒𝑒2 ⋅ 2

⋅ 2

Overall: 2048 decryptions for RSA-4096 (~1 hour)

Just qCoppersmith

lattice reduction:half the bits suffice

Error correction

Bit distinguisher oracle

send chosen ciphertexts using

19

GnuPG RSA decryption - 𝑚𝑚𝑞𝑞 = 𝑐𝑐𝑑𝑑𝑞𝑞 𝑚𝑚𝑚𝑚𝑑𝑑 𝑞𝑞

modular_exponentiation(c,d,q){…karatsuba_mult(a,c)…

}

karatsuba_mult(a,c){…basic_mult(x,y)…

}

basic_mult(x,y){…

}

if (y[j]==0)return 0else return y[j]*x

x7

craft c such that𝑞𝑞𝑖𝑖 = 1 → 𝐾𝐾[𝑗𝑗] = 0𝑞𝑞𝑖𝑖 = 0 → 𝐾𝐾 𝑗𝑗 ≠ 0

(for most 𝑗𝑗’s)

x19 x2048

Grand total:272384 times

~0.5 sec of measurements

20

Modular exponentiation

m = 𝑐𝑐𝑑𝑑𝑛𝑛⋯𝑑𝑑𝑖𝑖 𝑚𝑚𝑚𝑚𝑑𝑑 𝑞𝑞

m = 𝑐𝑐𝑑𝑑𝑛𝑛⋯𝑑𝑑𝑖𝑖0 𝑚𝑚𝑚𝑚𝑑𝑑 𝑞𝑞

𝑡𝑡 = 𝑐𝑐𝑑𝑑𝑛𝑛⋯𝑑𝑑𝑖𝑖1 𝑚𝑚𝑚𝑚𝑑𝑑 𝑞𝑞

m = 𝑐𝑐𝑑𝑑𝑛𝑛⋯𝑑𝑑𝑖𝑖−1 𝑚𝑚𝑚𝑚𝑑𝑑 𝑞𝑞

Q: Why always compute 𝑡𝑡 ← 𝑚𝑚 ⋅ 𝑐𝑐 then conditionally copy?A: This is a side channel countermeasure meant to protect 𝑑𝑑

21

Extracting 𝑞𝑞𝑖𝑖 (simplified)

𝑐𝑐𝑖𝑖 = 𝑞𝑞2048 ⋯𝑞𝑞𝑖𝑖+101⋯ 1

If 𝒒𝒒𝒊𝒊 = 𝟏𝟏 then 𝑐𝑐𝑖𝑖 < 𝑞𝑞, thus 𝑐𝑐 = 𝑐𝑐𝑖𝑖. That is, 𝒄𝒄 has special structure.

If 𝒒𝒒𝒊𝒊 = 𝟎𝟎 then 2q > 𝑐𝑐𝑖𝑖 > 𝑞𝑞, thus 𝑐𝑐 = 𝑐𝑐𝑖𝑖 − 𝑞𝑞.That is, 𝒄𝒄 is random looking.and we now multiply by 𝑐𝑐causing the bit-dependent leakage.

22

Extracting 𝑞𝑞𝑖𝑖

𝑐𝑐𝑖𝑖 = 𝑞𝑞2048 ⋯𝑞𝑞𝑖𝑖+101⋯ 1 + 𝑛𝑛

If 𝒒𝒒𝒊𝒊 = 𝟏𝟏 then 𝑐𝑐𝑖𝑖 − 𝑛𝑛 < 𝑞𝑞, thus 𝑐𝑐 = 𝑐𝑐𝑖𝑖 − 𝑛𝑛. That is, 𝒄𝒄 has special structure.If 𝒒𝒒𝒊𝒊 = 𝟎𝟎 then2q > 𝑐𝑐𝑖𝑖 − 𝑛𝑛 > 𝑞𝑞, thus 𝑐𝑐= 𝑐𝑐𝑖𝑖 − 𝑞𝑞 − 𝑛𝑛.That is, 𝒄𝒄 is random looking.and we now multiply by 𝑐𝑐causing the bit-dependent leakage.

23

Extracting 𝑞𝑞𝑖𝑖 (problem)

Single multiplication is way too fast for us to measure

Multiplication is repeated 2048 times (0.5 sec of data)

24

Empirical Results

25

Distinguishing a key bit by a spectral signature

frequency

time

frequency

time

mod q

mod p

mod q

mod p

26

Demo: key extraction

27

Results

RSA 4096-bit key extraction from1 meter away using a microphone

28

Results

RSA 4096-bit key extraction from10 meters away using a parabolic microphone

29

Results

RSA 4096-bit key extraction from30cm away using a smartphone

30

Karatsuba multiplicationBased on the following identity for multiplication and runs in 𝜃𝜃 𝑛𝑛log2 3time

𝑎𝑎𝑎𝑎 = 22𝑛𝑛 + 2𝑛𝑛 𝑎𝑎𝐻𝐻𝑎𝑎𝐻𝐻 + 2𝑛𝑛 𝑎𝑎𝐻𝐻 − 𝑎𝑎𝐿𝐿 𝑎𝑎𝐿𝐿 − 𝑎𝑎𝐻𝐻 + 2𝑛𝑛 + 1 𝑎𝑎𝐿𝐿𝑎𝑎𝐿𝐿

If 𝑞𝑞𝑖𝑖 = 1 then 𝑎𝑎 has many 1-valued or 0-valued bits causing the result to have many 0-valued bits.

If 𝑞𝑞𝑖𝑖 = 0 then 𝑎𝑎 is random-looking and so is the result.

31

Basic multiplication

If 𝑎𝑎𝑖𝑖 = 0 the algorithm does nothing!

Repeated for a total of 8 times in this call and for a total of up to ~300,000 times!, allowing for the leakage to be detectable using low bandwidth means (such as sound).

32

Electric Channels

33

Power analysis• Power analysis: measure device’s power consumption

• RSA 4096-bit key extraction is possible in a few seconds

34

Key = 101011…

Ground-potential analysis• Attenuating EMI emanations

“Unwanted currents or electromagnetic fields? Dump them to the circuit ground!”(Bypass capacitors, RF shields, …)

• Device is grounded, but its “ground” potential fluctuates relative to the mains earth ground.

Computationaffects currents and EM fieldsdumped to device groundconnected to conductive chassis

35

Demo: key extraction

36

RSA and ElGamal key extraction in a few seconds usingdirect chassis measurement (non-adaptive attack)

Key = 101011…

37

RSA and ElGamal key extraction in a few seconds usinghuman touch (non-adaptive attack)

Key = 101011…

38

Ground-potential analysis

• Device is grounded, but its “ground” potential fluctuates relative to the mains earth ground.

Computationaffects device groundconnected to conductive chassisconnected to shielded cablesEven when no data, or port is turned off.

Key = 101011…

• Attenuating EMI emanations“Unwanted currents or electromagnetic fields? Dump them to the circuit ground!”(Bypass capacitors, RF shields, …)

39

Demo: key extraction

40

RSA and ElGamal key extraction in a few seconds usingthe far end of 10 meter network cable (non-adaptive attack)

Key = 101011…

works even if a firewall is present, or port is turned off

41

Key extraction on far side of Ethernet cableusing a mobile phone

42

Electromagnetic key extraction

• Currents inside the target create electromagnetic waves.

• Can be detected using an electromagnetic probe (e.g., a loop of wire).

43

Electromagnetic key extraction

• Currents inside the target create electromagnetic waves.

• Can be detected using an electromagnetic probe (e.g., a loop of wire).

44

Countermeasures(class discussion)

45

1. Shielding

Ineffective countermeasures

46

2. Adding noise(play loud music while decrypting)

3. Concurrent software load

Ineffective countermeasures (cont.)

47

Given a ciphertext 𝑐𝑐:1. Generate a random number 𝑟𝑟 and compute 𝑟𝑟𝑒𝑒

2. Decrypt 𝑟𝑟𝑒𝑒 ⋅ 𝑐𝑐 and obtain 𝑚𝑚𝑚3. Output 𝑚𝑚′ ⋅ 𝑟𝑟−1

Works since 𝑒𝑒𝑑𝑑 = 1 𝑚𝑚𝑚𝑚𝑑𝑑 𝜙𝜙(𝑛𝑛) thus:𝑟𝑟𝑒𝑒 ⋅ 𝑐𝑐 𝑑𝑑 ⋅ 𝑟𝑟−1 𝑚𝑚𝑚𝑚𝑑𝑑 𝑛𝑛 = 𝑟𝑟𝑒𝑒𝑑𝑑 ⋅ 𝑟𝑟−1 ⋅ 𝑐𝑐𝑑𝑑 𝑚𝑚𝑚𝑚𝑑𝑑 𝑛𝑛

= 𝑟𝑟 ⋅ 𝑟𝑟−1 ⋅ 𝑐𝑐𝑑𝑑 𝑚𝑚𝑚𝑚𝑑𝑑 𝑛𝑛= 𝑐𝑐𝑑𝑑 𝑚𝑚𝑚𝑚𝑑𝑑 𝑛𝑛= 𝑚𝑚

Countermeasures (ciphertext randomization)

48

cs.tau.ac.il/~tromer/acoustic CRYPTO’14 CVE 2013-4576

cs.tau.ac.il/~tromer/handsoff CHES’14 CVE-2014-5270

cs.tau.ac.il/~tromer/radioexp CVE-2014-3591