Masking attacks

Published: March 7, 2011

Introduction

The masking method was developed as a way to protect systems against DPA attacks.

Knowing the implementation of an encryption protocol (EP) and using a DPA attack, it is possible to guess the values of the variables used in the implementation. If a variable is known, the secrets can be broken.

The first algorithms were proposed in [1, 2]; they were later found to be vulnerable to refined versions of DPA attacks [3, 4]. These refined versions are called Higher Order Differential Power Analysis (HODPA). The first concepts of HODPA were presented in [5-7].

Power Analysis problem.

DPA makes it possible to break some encryption schemes that were assumed to be secure. To counter this attack, several techniques were developed. We have to distinguish between first-order DPA (from now on simply DPA) and one of its branches, High Order Differential Power Analysis (from now on HODPA). HODPA refers to attacks of order higher than one (these aspects are discussed later). The first concept of DPA was presented by Messerges and Dabbish [1] in the late 90's.

1 Differential Power Analysis.

DPA attacks make it possible to obtain information about a secret key through a statistical analysis of the power consumption recorded over a large number of computations with the same key.

As explained in [8], DPA attacks exploit the data dependency of the power consumption of cryptographic devices. They use a large number of power traces to analyze the power consumption at a fixed moment in time as a function of the processed data.

To understand how masking techniques work, it is necessary to understand how a DPA attack works. The steps of a DPA attack are summarized below.

- Step 1: Choose the part of the key to be analyzed. This part is called k (it can be 1 bit or a set of bits). Choose a set of known inputs used during the power analysis of the device; call this set d. Then focus on an intermediate result of the device's cryptographic process; this intermediate result can be expressed as a function f(d,k). In some practical trials on DES, the inputs to the S-box operations are considered [9].

- Step 2: Take several measurements of the computations, on the order of 1000 measurements. Each measurement must be matched with the input data d involved in the computation. With this information it is possible to construct a matrix T that represents each data item and its corresponding measurements.

- Step 3: State a hypothesis for the chosen k by enumerating the possible values that k can take (these values can be represented in a vector k'). Then calculate the hypothetical value of f(d,k) for every encryption run, split into groups, where each group corresponds to one hypothetical value of k. This yields a new matrix W, in which each column holds the intermediate results for one hypothetical k.

- Step 4: Map W to a matrix P containing all the hypothetical power consumption values; P is constructed from W.

- Step 5: Check whether there are significant differences between P and T. If the statistical analysis finds significant differences, repeat from Step 3 with a new choice of f(d,k).

- Step 6: The remaining parts of the key can be found through exhaustive search.
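The following simulation is an added example, not part of the original essay: it runs Steps 1 to 5 on constructed traces and then repeats them against a masked device, showing why first-order analysis no longer singles out the key. Assumptions: a 4-bit S-box (the PRESENT cipher's) stands in for the DES S-box, the device leaks the Hamming weight of f(d,k) plus Gaussian noise, Pearson correlation is the statistic comparing P with T, and all function names are hypothetical.

```python
import random

# 4-bit S-box (PRESENT's), standing in for the DES S-box the text mentions (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HW = [bin(v).count("1") for v in range(16)]  # Hamming-weight power model (assumption)

def f(d, k):
    """Step 1: the targeted intermediate result f(d, k)."""
    return SBOX[d ^ k]

def measure(key, n, rng, masked=False, noise=1.0):
    """Step 2: simulated device; returns the inputs d and one power sample per run (T)."""
    inputs, traces = [], []
    for _ in range(n):
        d = rng.randrange(16)
        m = rng.randrange(16) if masked else 0  # masked device: fresh random mask per run
        inputs.append(d)
        traces.append(HW[f(d, key) ^ m] + rng.gauss(0, noise))
    return inputs, traces

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length samples."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / (vx * vy) ** 0.5

def dpa_scores(inputs, traces):
    """Steps 3-5: per hypothesis k', build its column of W, map it to P, compare with T."""
    return [pearson([HW[f(d, k)] for d in inputs], traces) for k in range(16)]

def best_guess(scores):
    """Hypothesis whose predicted consumption matches the measurements best."""
    return max(range(16), key=lambda k: scores[k])

if __name__ == "__main__":
    rng = random.Random(2011)  # constructed, reproducible sample data
    secret = 0xB               # constructed key nibble
    for masked in (False, True):
        s = dpa_scores(*measure(secret, 2000, rng, masked))
        print("masked" if masked else "unmasked", hex(best_guess(s)), round(max(s), 3))
```

Without the mask, the correct hypothesis stands out with a correlation near 0.7; with a fresh mask per run, every hypothesis scores close to zero, which is the gap the higher-order attacks discussed next try to close.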

2 High Order DPA

Similar to first-order DPA, where DPA is based on the following assumption [10]:

Fundamental Hypothesis (Order 1): There exists an intermediate variable, that appears during the computation of the algorithm, such that knowing a few key bits (in practice less than 32 bits) allows to decide whether two inputs (respectively two outputs) give or not the same value for a known function of this variable.

High...