Side Channel Analysis and Evaluation on Cryptographic Products
(original title: 密碼產(chǎn)品的側(cè)信道分析與評估)
doi: 10.11999/JEIT190853 cstr: 32379.14.JEIT190853

Author affiliations:
1. TCA Laboratory (Trusted Computing and Information Assurance Laboratory), Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
2. State Key Laboratory of Cryptology, Beijing 100878, China
3. Electric Power Research Institute, China Southern Power Grid, Guangzhou 510663, China
4. University of Chinese Academy of Sciences, Beijing 100049, China
Abstract: Cryptographic products are an important class of information security products; the cryptographic techniques they implement guarantee the confidentiality, integrity and non-repudiation of information. Side channel attacks are a major security threat to these products: they exploit the leakage of side information (such as timing or power consumption) while a cryptographic algorithm runs, and attack by analysing the dependence between that side information and the secret. Evaluating the resistance of cryptographic products to side channel attacks has therefore become an important part of cryptographic module testing. This paper surveys the state of side channel evaluation of cryptographic products from three angles: attack-based testing, general evaluation and formal verification. Attack-based testing is currently the dominant approach in side channel evaluation; it executes a concrete attack procedure in order to recover the key or other secret information. The other two approaches do not aim to recover secrets but instead assess whether the cryptographic implementation leaks side information at all. Compared with attack-based testing they do not require the evaluator to understand the details of a specific attack procedure or of the implementation, so they are more general. General evaluation characterises the degree of information leakage by means of statistical tests, information entropy computation and similar tools; the Test Vector Leakage Assessment (TVLA) methodology is the most widely adopted example. Using formal methods to evaluate the effectiveness of side channel countermeasures is a newer direction whose advantage is that it can automatically or semi-automatically decide whether a cryptographic implementation has a side channel weakness. The paper reviews the latest formal verification results for software masking, hardware masking and fault-attack countermeasures, covering approaches based on program verification, type inference and model counting.

Key words:
- Cryptographic product /
- Side channel /
- Information leakage /
- Formal verification
Table 1 Comparison of side channel resistance requirements in cryptographic evaluation standards (cells give the security levels at which the standard requires protection against the attack)

| Attack class | Attack | FIPS 140-3 (levels 1-4) | GM/T 0028 (levels 1-4) | GM/T 0008 (levels 1-3) |
|---|---|---|---|---|
| Non-invasive / semi-invasive | Power | Levels 1-4 | Levels 1-4 | Levels 2-3 |
| | Timing | Levels 1-4 | Levels 1-4 | Levels 2-3 |
| | Electromagnetic | Levels 1-4 | Levels 1-4 | Levels 2-3 |
| | Temperature | Levels 3-4 | Levels 3-4 | Levels 2-3 |
| | Voltage | Levels 3-4 | Levels 3-4 | Levels 2-3 |
| | Fault injection | Level 4 | Level 4 | Level 3 |
| Invasive | | Levels 2-4 | Levels 2-4 | Levels 2-3 |
Table 2 Comparison of general evaluation methods for power attack countermeasures

| Evaluation method | Advantages | Disadvantages |
|---|---|---|
| TVLA | Simple and efficient | Not applicable under low noise, or when the leakage is distributed across several statistical moments |
| χ2-test | Compensates for the shortcomings of TVLA: still applicable under low noise and when the leakage is distributed across several statistical moments | Less efficient when the signal-to-noise ratio is low |
| DL-LA | No preprocessing required; lower false-positive rate | Open issues of probabilistic adaptivity and overfitting |
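The Table 2 caveat that TVLA misses leakage spread over several statistical moments can be seen on simulated traces. The Python below is an added illustration, not code from the paper: it generates single-sample traces for an unmasked and a first-order Boolean-masked key addition (the key byte, the fixed plaintext, the Hamming-weight leakage model and the noise level are assumptions chosen for the example), runs the fixed-vs-random Welch's t-test at first order, and then repeats it after the usual second-order preprocessing (centre each class by its own mean, then square).

```python
"""Fixed-vs-random Welch's t-test (TVLA) on simulated single-sample traces.

Added illustration. The key, fixed plaintext, Hamming-weight leakage model and
noise level are assumptions, not measurements from any product.
"""
import math
import random

THRESHOLD = 4.5      # TVLA decision threshold on |t|
KEY = 0x3C           # assumed secret key byte
FIXED_PT = 0xD2      # assumed plaintext of the TVLA "fixed" class
NOISE_SIGMA = 1.0    # assumed std. dev. of Gaussian measurement noise


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def leak_unmasked(pt: int, rng: random.Random) -> float:
    """Unprotected key addition: the sample leaks HW(pt ^ KEY) plus noise."""
    return hamming_weight(pt ^ KEY) + rng.gauss(0.0, NOISE_SIGMA)


def leak_masked(pt: int, rng: random.Random) -> float:
    """First-order Boolean masking: v = pt ^ KEY is held as shares m and v ^ m.

    Both shares leak in the same sample, so the mean of the sample is the
    same for every v (no first-order leakage) but its variance depends on v.
    """
    v = pt ^ KEY
    m = rng.randrange(256)
    return (hamming_weight(m) + hamming_weight(v ^ m)
            + rng.gauss(0.0, NOISE_SIGMA))


def collect(leak, n_per_class: int, seed: int):
    """Acquire fixed-class and random-class traces, interleaved as TVLA recommends."""
    rng = random.Random(seed)
    fixed, rand = [], []
    for _ in range(n_per_class):
        fixed.append(leak(FIXED_PT, rng))
        rand.append(leak(rng.randrange(256), rng))
    return fixed, rand


def welch_t(a, b) -> float:
    """Welch's t-statistic for two samples with unequal variances."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def center_and_square(xs):
    """Second-order preprocessing: centre each class by its own mean, then
    square, so that a t-test on the result compares second moments."""
    mean = sum(xs) / len(xs)
    return [(x - mean) ** 2 for x in xs]


def tvla(leak, n_per_class: int = 5000, seed: int = 1):
    """Return (first-order t, second-order t) for one leakage model."""
    fixed, rand = collect(leak, n_per_class, seed)
    t1 = welch_t(fixed, rand)
    t2 = welch_t(center_and_square(fixed), center_and_square(rand))
    return t1, t2


def leaks(t: float) -> bool:
    return abs(t) > THRESHOLD


if __name__ == "__main__":
    for name, model in (("unmasked", leak_unmasked), ("masked", leak_masked)):
        t1, t2 = tvla(model)
        print(f"{name:8s} first-order t = {t1:8.2f} "
              f"({'LEAK' if leaks(t1) else 'pass'}), "
              f"second-order t = {t2:8.2f} "
              f"({'LEAK' if leaks(t2) else 'pass'})")
```

For the masked model the first-order statistic stays inside the ±4.5 band while the second-order one does not: the two shares leak in the same sample, so their sum has a constant mean but a variance that depends on the secret intermediate. A real assessment works on full multi-sample traces and far more acquisitions per class; the single sample here only isolates the statistics.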
Table 3 Comparison of the three evaluation approaches

| Evaluation method | Advantages | Disadvantages | Applicable scenarios |
|---|---|---|---|
| Side channel attack testing | Simple and direct: try existing attacks one by one; a successful attack means the product fails, an unsuccessful one means it passes | Many attack methods, laborious to implement, long evaluation cycle, and completeness of the evaluation is hard to guarantee | Leakage scenarios that satisfy an attack's preconditions; also serves to validate other evaluation techniques |
| General evaluation based on information leakage | Easy to implement; results provide some theoretical security evidence | Accuracy and interpretability of the results need improvement | Usable as a stand-alone evaluation technique, or as a tool for locating leakage points during attack testing |
| Formal verification | Provides a theoretical security assessment of the countermeasure implementation; high degree of automation | High implementation cost; low evaluation efficiency | Verification tool for provably secure countermeasure designs |
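The model-counting flavour of formal verification that the abstract and Table 3 refer to can be illustrated on a single masked gadget. The Python below is an added example and not any of the tools the paper surveys: it enumerates every secret input and every random value of a first-order ISW AND gadget over single bits, records every intermediate value a probe could observe, and reports each set of `order` intermediates whose joint distribution depends on the secrets. A second gadget that XORs the two cross terms together before the fresh random bit is added shows the check flagging a flaw. The gadget layout and the probe names are assumptions made for the example.

```python
"""Exhaustive (model-counting style) probing-security check of a masked gadget.

Added illustration, not one of the verification tools the paper surveys.
Intermediate (probe) names and the gadget layout are assumptions.
"""
import itertools
from collections import Counter

BITS = (0, 1)


def isw_and(a, b, a0, b0, r):
    """First-order ISW AND on shares (a0, a1) of a and (b0, b1) of b, random r.

    Returns ((c0, c1), probes) with c0 ^ c1 == a & b.
    """
    a1, b1 = a ^ a0, b ^ b0
    p = {"a0": a0, "a1": a1, "b0": b0, "b1": b1, "r": r}
    p["a0b0"], p["a1b1"] = a0 & b0, a1 & b1
    p["a0b1"], p["a1b0"] = a0 & b1, a1 & b0
    p["c0"] = p["a0b0"] ^ r
    p["u"] = r ^ p["a0b1"]          # the random is added BEFORE the cross terms meet
    p["w"] = p["u"] ^ p["a1b0"]
    p["c1"] = p["a1b1"] ^ p["w"]
    return (p["c0"], p["c1"]), p


def flawed_and(a, b, a0, b0, r):
    """Same gadget, but the cross terms are XORed together before r is added."""
    a1, b1 = a ^ a0, b ^ b0
    p = {"a0": a0, "a1": a1, "b0": b0, "b1": b1, "r": r}
    p["a0b0"], p["a1b1"] = a0 & b0, a1 & b1
    p["a0b1"], p["a1b0"] = a0 & b1, a1 & b0
    p["c0"] = p["a0b0"] ^ r
    p["t"] = p["a0b1"] ^ p["a1b0"]  # unmasked cross-term sum: its value depends on (a, b)
    p["w"] = p["t"] ^ r
    p["c1"] = p["a1b1"] ^ p["w"]
    return (p["c0"], p["c1"]), p


def is_correct(gadget) -> bool:
    """Functional check: the output shares always recombine to a & b."""
    for a, b, a0, b0, r in itertools.product(BITS, repeat=5):
        (c0, c1), _ = gadget(a, b, a0, b0, r)
        if c0 ^ c1 != a & b:
            return False
    return True


def leaking_probe_sets(gadget, order: int = 1):
    """Return every tuple of `order` intermediates whose joint distribution over
    the uniform randomness (a0, b0, r) differs between two secret inputs."""
    runs = {}
    for a, b in itertools.product(BITS, repeat=2):
        runs[(a, b)] = [gadget(a, b, a0, b0, r)[1]
                        for a0, b0, r in itertools.product(BITS, repeat=3)]
    names = list(next(iter(runs.values()))[0].keys())
    found = []
    for probes in itertools.combinations(names, order):
        # one histogram of the observed value tuple per secret input
        dists = {s: Counter(tuple(p[n] for n in probes) for p in rs)
                 for s, rs in runs.items()}
        if len({frozenset(d.items()) for d in dists.values()}) > 1:
            found.append(probes)
    return found


if __name__ == "__main__":
    for name, gadget in (("ISW AND", isw_and), ("flawed AND", flawed_and)):
        print(f"{name}: correct={is_correct(gadget)}, "
              f"first-order leaks={leaking_probe_sets(gadget, 1)}, "
              f"leaking probe pairs={len(leaking_probe_sets(gadget, 2))}")
```

The flawed gadget is still functionally correct, which is why attack-free functional testing does not catch it; the enumeration does, because the intermediate `t` equals `a0*b ^ a*b0`, constant when a = b = 0 and uniform otherwise. Both gadgets report leaking probe pairs at order 2, as expected for a first-order masking scheme. The same exhaustive counting becomes infeasible for word-sized or multi-round implementations, which is the reason the surveyed tools resort to program verification, type inference and symbolic model counting.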