
Side Channel Analysis and Evaluation on Cryptographic Products

Hua CHEN, Wei XI, Limin FAN, Zhipeng JIAO, Jingyi FENG

Citation: Hua CHEN, Wei XI, Limin FAN, Zhipeng JIAO, Jingyi FENG. Side Channel Analysis and Evaluation on Cryptographic Products[J]. Journal of Electronics and Information Technology, doi: 10.11999/JEIT190853


    About the authors: Hua CHEN: female, born 1976, professor-level senior engineer, Ph.D. supervisor; research interests: side-channel analysis and countermeasures, cryptographic testing;
    Wei XI: male, born 1980, senior engineer; research interests: smart grid and power chips;
    Limin FAN: female, born 1978, senior engineer, master's supervisor; research interests: side-channel analysis and countermeasures, cryptographic testing;
    Zhipeng JIAO: male, born 1992, Ph.D. student; research interest: side-channel analysis and countermeasures;
    Jingyi FENG: female, born 1991, Ph.D. student; research interest: side-channel analysis and countermeasures
    Corresponding author: Hua CHEN, chenhua@tca.iscas.ac.cn
  • Funding: National Key R&D Program of China (2018YFB0904900, 2018YFB0904901), 13th Five-Year National Cryptography Development Fund (MMJJ20170214, MMJJ20170211)

Abstract: As an important class of information security products, cryptographic products rely on cryptographic techniques to guarantee the confidentiality, integrity and non-repudiation of information. Side-channel attacks are a major security threat to such products: they exploit the leakage of side information (such as timing and power consumption) during the execution of a cryptographic algorithm, and recover secrets by analysing the dependence between that side information and the secret data. Evaluating the resistance of cryptographic products to side-channel attacks has therefore become an important part of cryptographic product testing. This paper surveys the current state of side-channel evaluation of cryptographic products from three perspectives: attack-based testing, generic evaluation, and formal verification. Attack-based testing is currently the dominant approach in side-channel evaluation; it executes concrete attack procedures to recover keys or other secret information. The other two approaches do not aim at recovering secrets; instead they assess whether a cryptographic implementation leaks side information at all. Compared with attack-based testing, they do not require evaluators to understand specific attack procedures and implementation details in depth, and are therefore more generally applicable. Generic evaluation characterises the degree of information leakage by means of statistical tests, information-entropy computation and similar measures, for example the widely adopted Test Vector Leakage Assessment (TVLA) technique. Using formal methods to evaluate the effectiveness of side-channel countermeasures is a new direction; its advantage is that it can determine automatically or semi-automatically whether a cryptographic implementation has side-channel weaknesses. This paper presents the latest formal-verification results for different countermeasure strategies, including software masking, hardware masking and fault-attack countermeasures, covering approaches based on program verification, type inference and model counting.
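The abstract describes generic evaluation in terms of statistical tests, with TVLA as the main example. The block below is an added illustration written for this page, not code from the paper or its authors: it runs the fixed-versus-random Welch's t-test that TVLA is built on over constructed traces. The leakage model is an assumption (Gaussian noise plus the Hamming weight of one processed byte at a single sample index), as is the hypothetical `masked` switch that XORs a fresh random mask into the byte before it "leaks"; the 4.5 threshold is the one TVLA uses. Only the standard library is used, so it runs offline.

```python
import math
import random

# TVLA treats |t| > 4.5 at any sample index as evidence of leakage.
TVLA_THRESHOLD = 4.5


def hamming_weight(x):
    """Number of set bits in the low byte of x."""
    return bin(x & 0xFF).count("1")


def simulate_trace(value, n_samples, leaky_sample, noise_sd, rng, masked=False):
    """Constructed leakage model (assumption, not a measurement): every sample is
    Gaussian noise, and the sample at leaky_sample additionally carries the
    Hamming weight of the byte being processed. With masked=True a fresh random
    mask is XORed in first, so what leaks is independent of the input value."""
    trace = [rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
    processed = (value ^ rng.randrange(256)) if masked else value
    trace[leaky_sample] += hamming_weight(processed)
    return trace


def welch_t(a, b):
    """Welch's t-statistic for two independent samples with unequal variances."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def tvla_fixed_vs_random(fixed_traces, random_traces):
    """Per-sample t-statistic between the fixed-input and random-input trace sets."""
    n_samples = len(fixed_traces[0])
    t_values = []
    for i in range(n_samples):
        a = [tr[i] for tr in fixed_traces]
        b = [tr[i] for tr in random_traces]
        t_values.append(welch_t(a, b))
    return t_values


def assess(masked, n_traces=2000, n_samples=20, leaky_sample=7, noise_sd=1.0, seed=1):
    """Collect fixed-vs-random trace sets from the constructed model and return
    (t_values, leaking_sample_indices). Deterministic for a given seed."""
    rng = random.Random(seed)
    fixed_value = 0x00  # constructed choice: Hamming weight 0 vs mean 4 for random bytes
    fixed = [simulate_trace(fixed_value, n_samples, leaky_sample, noise_sd, rng, masked)
             for _ in range(n_traces)]
    rnd = [simulate_trace(rng.randrange(256), n_samples, leaky_sample, noise_sd, rng, masked)
           for _ in range(n_traces)]
    t_values = tvla_fixed_vs_random(fixed, rnd)
    leaking = [i for i, t in enumerate(t_values) if abs(t) > TVLA_THRESHOLD]
    return t_values, leaking


if __name__ == "__main__":
    for masked in (False, True):
        t_values, leaking = assess(masked)
        label = "masked" if masked else "unmasked"
        print(f"{label}: max |t| = {max(abs(t) for t in t_values):.1f}, leaking samples = {leaking}")
```

With the unmasked model the t-statistic at sample 7 is far beyond the threshold (the fixed set has Hamming weight 0 while the random set averages 4), so that sample is flagged; with the masked model every sample stays within noise. This is exactly the property the abstract credits generic evaluation with: the evaluator learns that sample 7 leaks without mounting any key-recovery attack or knowing what operation produced it.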



  • Table 1  Comparison of side-channel protection requirements in cryptographic evaluation standards

    Attack type | FIPS 140-3 (levels 1-4) | GM/T 0028 (levels 1-4) | GM/T 0008 (levels 1-3)
    Non-invasive/semi-invasive: power | levels 1-4 | levels 1-4 | levels 2-3
    Non-invasive/semi-invasive: timing | levels 1-4 | levels 1-4 | levels 2-3
    Non-invasive/semi-invasive: electromagnetic | levels 1-4 | levels 1-4 | levels 2-3
    Non-invasive/semi-invasive: temperature | levels 3-4 | levels 3-4 | levels 2-3
    Non-invasive/semi-invasive: voltage | levels 3-4 | levels 3-4 | levels 2-3
    Non-invasive/semi-invasive: fault injection | level 4 | level 4 | level 3
    Invasive | levels 2-4 | levels 2-4 | levels 2-3

    Table 2  Comparison of generic evaluation methods for power-attack countermeasures

    Evaluation method | Advantages | Disadvantages
    TVLA | Simple and efficient | Not applicable at low noise levels or when the leakage is spread over several statistical moments
    χ2-test | Effectively compensates for the shortcomings of TVLA; still applicable at low noise levels and when the leakage is spread over several statistical moments | Low efficiency when the signal-to-noise ratio is low
    DL-LA | No preprocessing required; lower false-positive rate | Problems such as probabilistic adaptability and overfitting

    Table 3  Comparison of the three evaluation approaches

    Evaluation approach | Advantages | Disadvantages | Applicable scenarios
    Side-channel attack testing | Simple and direct: existing attacks are tried one by one; a successful attack means fail, a failed attack means pass | Many attack methods and tedious implementation lead to long evaluation cycles, and completeness of the evaluation is hard to guarantee | Leakage scenarios that meet the conditions of a known attack; can also serve to validate other evaluation techniques
    Leakage-based generic evaluation | Simple to implement; results give some theoretical basis for security | Accuracy and interpretability of the results still need to be improved | Can be used on its own, or as a tool for locating leakage points in attack testing
    Formal verification | Provides a theoretical security evaluation of the countermeasure implementation; high degree of automation | High implementation cost; low evaluation efficiency | Verification tool for provably secure countermeasure designs
Article information
  • Corresponding author: Hua CHEN, chenhua@tca.iscas.ac.cn
  • Received: 2019-11-01
  • Accepted: 2020-06-05
  • Published online: 2020-07-07