Side-Channel Attacks Meet Secure Network Protocols
- 6 Citations
- 1.9k Downloads
Abstract
Side-channel attacks are powerful tools for breaking systems that implement cryptographic algorithms. The Advanced Encryption Standard (AES) is widely used to secure data, including the communication within various network protocols. Major cryptographic libraries such as OpenSSL or ARM mbed TLS include at least one implementation of the AES. In this paper, we show that most implementations of the AES present in popular open-source cryptographic libraries are vulnerable to side-channel attacks, even in a network protocol scenario when the attacker has limited control of the input. We present an algorithm for symbolic processing of the AES state for any input configuration where several input bytes are variable and known, while the rest are fixed and unknown as is the case in most secure network protocols. Then, we classify all possible inputs into 25 independent evaluation cases depending on the number of bytes controlled by attacker and the number of rounds that must be attacked to recover the master key. Finally, we describe an optimal algorithm that can be used to recover the master key using Correlation Power Analysis (CPA) attacks. Our experimental results raise awareness of the insecurity of unprotected implementations of the AES used in network protocol stacks.
Keywords
Side-channel attack Secure network protocol CPA AESNotes
Acknowledgements
We would like to thank the ACNS 2017 reviewers for their valuable feedback and Johann Großschädl for proofreading the final version of this paper. The work of Daniel Dinu is supported by the CORE project ACRYPT (ID C12-15-4009992) funded by the Fonds National de la Recherche (FNR) Luxembourg.
References
- 1.Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM side-channel(s). In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003). doi: 10.1007/3-540-36400-5_4 CrossRefGoogle Scholar
- 2.ARM. mbed TLS. https://tls.mbed.org/. Accessed Apr 2017
- 3.Balasch, J., Gierlichs, B., Reparaz, O., Verbauwhede, I.: DPA, bitslicing and masking at 1 GHz. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 599–619. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-48324-4_30 CrossRefGoogle Scholar
- 4.Biryukov, A., Dinu, D., Großschädl, J.: Correlation power analysis of lightweight block ciphers: from theory to practice. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 537–557. Springer, Cham (2016). doi: 10.1007/978-3-319-39555-5_29 Google Scholar
- 5.Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). doi: 10.1007/978-3-540-28632-5_2 CrossRefGoogle Scholar
- 6.cryptlib. The cryptlib Security Software Development Toolkit. http://www.cryptlib.com/. Accessed Apr 2017
- 7.Crypto++. Crypto++: a free C++ class library of cryptographic schemes. https://www.cryptopp.com/. Accessed Apr 2017
- 8.Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)CrossRefzbMATHGoogle Scholar
- 9.Dworkin, M.J.: Recommendation for block cipher modes of operation: the CCM mode for authentication and confidentiality. NIST Special Publication 800-38C (2007)Google Scholar
- 10.GitHub. libtomcrypt: a fairly comprehensive, modular and portable cryptographic toolkit. https://github.com/libtom/libtomcrypt. Accessed Apr 2017
- 11.GitHub. mbed TLS - An open source, portable, easy to use, readable and flexible SSL library. https://github.com/ARMmbed/mbedtls/blob/development/library/aes.c. Accessed Apr 2017
- 12.GitHub. OpenSSL - TLS/SSL and crypto library. https://github.com/openssl/openssl/blob/master/crypto/aes/aes_core.c. Accessed Apr 2017
- 13.Hofemeier, G., Chesebrough, R.: Introduction to intel AES-NI and intel secure key instructions. Technical report. https://software.intel.com/sites/default/files/m/d/4/1/d/8/Introduction_to_Intel_Secure_Key_Instructions.pdf. Accessed Apr 2017
- 14.Housley, R.: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP). RFC 4309, December 2005. https://tools.ietf.org/html/rfc4309
- 15.IEEE. IEEE Standard for Low-Rate Wireless Networks. https://standards.ieee.org/about/get/802/802.15.html
- 16.Jaffe, J.: A first-order DPA attack against AES in counter mode with unknown initial counter. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 1–13. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-74735-2_1 CrossRefGoogle Scholar
- 17.Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). doi: 10.1007/3-540-48405-1_25 Google Scholar
- 18.Libgcrypt. Libgcrypt: a general purpose cryptographic library based on the code from GnuPG. https://www.gnu.org/software/libgcrypt/. Accessed Apr 2017
- 19.libsodium. The Sodium crypto library (libsodium). https://download.libsodium.org/doc/. Accessed Apr 2017
- 20.Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: Armageddon: cache attacks on mobile devices. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 549–564. USENIX Association (2016)Google Scholar
- 21.LoRa Alliance. Wide Area Networks for IoT. https://www.lora-alliance.org/. Accessed Apr 2017
- 22.Nettle. Nettle - a low-level cryptographic library. http://www.lysator.liu.se/ nisse/nettle/. Accessed Apr 2017
- 23.NIST. Specification for the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197 (2001)Google Scholar
- 24.O’Flynn, C., Chen, Z.: Power Analysis Attacks Against IEEE 802.15.4 Nodes. In: Standaert, F.-X., Oswald, E. (eds.) COSADE 2016. LNCS, vol. 9689, pp. 55–70. Springer, Cham (2016). doi: 10.1007/978-3-319-43283-0_4 CrossRefGoogle Scholar
- 25.OpenSSL. Cryptography and SSL/TLS Toolkit. https://www.openssl.org/. Accessed Apr 2017
- 26.Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006). doi: 10.1007/11605805_1 CrossRefGoogle Scholar
- 27.Randombit. mbed TLS. https://botan.randombit.net/. Accessed Apr 2017
- 28.Saab, S., Rohatgi, P., Hampel, C.: Side-channel protections for cryptographic instruction set extensions. Cryptology ePrint Archive, Report 2016/700 (2016). http://eprint.iacr.org/2016/700
- 29.Sastry, N., Wagner, D.: Security considerations for IEEE 802.15.4 networks. In: Jakobsson, M., Perrig, A. (eds.) Proceedings of the 2004 ACM Workshop on Wireless Security, Philadelphia, PA, USA, 1 October 2004, pp. 32–42. ACM (2004)Google Scholar
- 30.Schwabe, P., Stoffelen, K.: All the AES you need on Cortex-M3 and M4. In: Selected Areas in Cryptography-SAC (2016)Google Scholar
- 31.Song, J., Poovendran, R., Lee, J., Iwata, T.: The AES-CMAC algorithm. RFC 4493, June 2006. https://tools.ietf.org/html/rfc4493
- 32.STMicroelectronics. STM32 MCU Nucleo. http://www.st.com/en/evaluation-tools/stm32-mcu-nucleo.html. Accessed Apr 2017
- 33.Vadnala, P.K.: Time-memory trade-offs for side-channel resistant implementations of block ciphers. In: Handschuh, H. (ed.) CT-RSA 2017. LNCS, vol. 10159, pp. 115–130. Springer, Cham (2017). doi: 10.1007/978-3-319-52153-4_7 CrossRefGoogle Scholar
- 34.Whiting, D., Housley, R., and N. Ferguson. Counter with CBC-MAC (CCM). RFC 3610, September 2003. https://tools.ietf.org/html/rfc3610
- 35.wolfSSL. wolfCrypt Embedded Crypto Engine. https://www.wolfssl.com/wolfSSL/Products-wolfcrypt.html. Accessed Apr 2017