高级搜索

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

密码产品的侧信道分析与评估

陈华 习伟 范丽敏 焦志鹏 冯婧怡

陈华, 习伟, 范丽敏, 焦志鹏, 冯婧怡. 密码产品的侧信道分析与评估[J]. 电子与信息学报, 2020, 42(8): 1836-1845. doi: 10.11999/JEIT190853
引用本文: 陈华, 习伟, 范丽敏, 焦志鹏, 冯婧怡. 密码产品的侧信道分析与评估[J]. 电子与信息学报, 2020, 42(8): 1836-1845. doi: 10.11999/JEIT190853
Hua CHEN, Wei XI, Limin FAN, Zhipeng JIAO, Jingyi FENG. Side Channel Analysis and Evaluation on Cryptographic Products[J]. Journal of Electronics and Information Technology, 2020, 42(8): 1836-1845. doi: 10.11999/JEIT190853
Citation: Hua CHEN, Wei XI, Limin FAN, Zhipeng JIAO, Jingyi FENG. Side Channel Analysis and Evaluation on Cryptographic Products[J]. Journal of Electronics and Information Technology, 2020, 42(8): 1836-1845. doi: 10.11999/JEIT190853

密码产品的侧信道分析与评估

doi: 10.11999/JEIT190853
基金项目: 国家重点研发计划(2018YFB0904900, 2018YFB0904901),十三五国家密码发展基金(MMJJ20170214, MMJJ20170211)
详细信息
    作者简介:

    陈华:女,1976年生,正高级工程师,博士生导师,研究方向为侧信道分析与防护、密码检测

    习伟:男,1980年生,高级工程师,研究方向为智能电网与电力芯片

    范丽敏:女,1978年生,高级工程师,硕士生导师,研究方向为侧信道分析与防护、密码检测

    焦志鹏:男,1992年生,博士生,研究方向为侧信道分析与防护

    冯婧怡:女,1991年生,博士生,研究方向为侧信道分析与防护

    通讯作者:

    陈华 chenhua@tca.iscas.ac.cn

  • 中图分类号: TN918; TP309

Side Channel Analysis and Evaluation on Cryptographic Products

Funds: The National Key R&D Program of China (2018YFB0904900, 2018YFB0904901), The National Cryptography Development Fund of China (MMJJ20170214, MMJJ20170211)
  • 摘要: 作为一类重要的信息安全产品,密码产品中所使用的密码技术保障了信息的保密性、完整性和不可抵赖性。而侧信道攻击是针对密码产品的一类重要的安全威胁,它主要利用了密码算法运算过程中侧信息(如时间、功耗等)的泄露,通过分析侧信息与秘密信息的依赖关系进行攻击。对密码产品的抗侧信道攻击能力进行评估已成为密码测评的重要内容。该文从攻击性测试、通用评估以及形式化验证3个角度介绍了目前密码产品抗侧信道评估的发展情况。其中攻击性测试是目前密码侧信道测评所采用的最主要的评估方式,它通过执行具体的攻击流程来恢复密钥等秘密信息。后两种方式不以恢复秘密信息等为目的,而是侧重于评估密码实现是否存在侧信息泄露。与攻击性测试相比,它们无需评估人员深入了解具体的攻击流程和实现细节,因此通用性更强。通用评估是以统计测试、信息熵计算等方式去刻画信息泄露的程度,如目前被广泛采用的测试向量泄露评估(TVLA)技术。利用形式化方法对侧信道防护策略有效性进行评估是一个新的发展方向,其优势是可以自动化/半自动化地评估密码实现是否存在侧信道攻击弱点。该文介绍了目前针对软件掩码、硬件掩码、故障防护等不同防护策略的形式化验证最新成果,主要包括基于程序验证、类型推导及模型计数等不同方法。
  • 表  1  密码测评标准中的抗侧信道防护要求比较

    测评标准FIPS140~3(1~4级)GM/T0028(1~4级)GM/T0008(1~3级)
    非侵入/半侵入式能量1~4级1~4级2~3级
    计时1~4级1~4级2~3级
    电磁1~4级1~4级2~3级
    温度3~4级3~4级2~3级
    电压3~4级3~4级2~3级
    错误注入4级4级3级
    侵入式2~4级2~4级2~3级
    下载: 导出CSV

    表  2  能量攻击防护方案通用评估方法对比

    评估方法优点缺点
    TVLA简单高效低噪声情况下以及泄露信息分布在多个统计距情况下不适用
    χ2-test有效弥补TVLA的不足,在低噪声以及泄露信息
    分布在多个统计距的情况下仍然适用
    在信噪比较低的情况下,效率较低
    DL-LA无需预处理,更低的误报率存在概率适应性以及过拟合等问题
    下载: 导出CSV

    表  3  3种评估方法对比

    评估方法优点缺点适用场景
    侧信道攻击测评评估思路简单直接:利用现有攻击逐一尝试,攻击成功则不通过,失败则为通过由于攻击方法繁多,实现繁琐,评估周期长,同时难以保障评估的完备性符合攻击条件的侧信道泄露场景,也可作为其它评估技术的验证
    基于信息泄露的通用评估评估实现简单,评估结果可提供一定的理论安全依据评估的准确度和解释性有待提高与增强可单独作为评估技术使用,也可作为攻击测评中侧信息泄露点定位工具
    形式化验证技术可为防护实现提供安全性的理论评估,自动化程度高实现代价大,评估效率较低可作为可证明安全防护设计方案的验证工具
    下载: 导出CSV
  • [1] KOCHER P C. Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems[C]. The 16th Annual International Cryptology Conference Santa Barbara on Advances in Cryptology, Santa Barbara, USA, 1996: 104–113. doi: 10.1007/3-540-68697-5_9.
    [2] KOCHER P, JAFFE J, and JUN B. Differential power analysis[C]. The 19th Annual International Cryptology Conference Santa Barbara on Advances in Cryptology, Santa Barbara, USA, 1999: 388–397. doi: 10.1007/3-540-48405-1_25.
    [3] GANDOLFI K, MOURTEL C, and OLIVIER F. Electromagnetic analysis: Concrete results[C]. The 3rd International Workshop Paris on Cryptographic Hardware and Embedded Systems, Paris, France, 2001: 251–261. doi: 10.1007/3-540-44709-1_21.
    [4] BONEH D, DEMILLO R A, and LIPTON R J. On the importance of checking cryptographic protocols for faults[C]. International Conference on the Theory and Application of Cryptographic Techniques Konstanz on Advances in Cryptology, Konstanz, Germany, 1997: 37–51. doi: 10.1007/3-540-69053-0_4.
    [5] MANGARD S, OSWALD E, POPP T. 冯登国, 周永彬, 刘继业, 等译. 能量分析攻击[M]. 北京: 科学出版社, 2010: 3–4, 49–50.

    MANGARD S, OSWALD E, and POPP T. FENG Dengguo, ZHOU Yongbin, LIU Jiye, et al. translation. Power Analysis Attacks[M]. Beijing: Science Press, 2010: 3–4, 49–50.
    [6] NIST. FIPS 140–3 Security requirements for cryptographic modules[S]. NIST, 2019.
    [7] ISO/IEC 19790: 2012. Information technology-security techniques-security requirements for cryptographic modules[S]. 2012.
    [8] State Cryptography Administration. GM/T 0028–2014 Cryptography module security technical requirements[S]. Beijing: China Standard Press, 2014.
    [9] 国家密码管理局. GM/T 0008–2012 安全芯片密码检测准则[S]. 北京: 中国标准出版社, 2012.

    State Cryptography Administration. GM/T 0008–2012 Cryptography test criteria for security IC[S]. Beijing: China Standard Press, 2012.
    [10] BRIER E, CLAVIER C, and OLIVIER F. Correlation power analysis with a leakage mode[C]. The 6th International Workshop Cambridge on Cryptographic Hardware and Embedded Systems, Cambridge, USA, 2004: 16–29. doi: 10.1007/978-3-540-28632-5_2.
    [11] GIERLICHS B, BATINA L, TUYLS P, et al. Mutual information analysis[C]. The 10th International Workshop on Cryptographic Hardware and Embedded Systems, Washington, USA, 2008: 426–442. doi: 10.1007/978-3-540-85053-3_27.
    [12] CHARI S, RAO J R, and ROHATGI P. Template attacks[C]. The 4th International Workshop Redwood Shores on Cryptographic Hardware and Embedded Systems, Redwood City, USA, 2002: 13–28. doi: 10.1007/3-540-36400-5_3.
    [13] HOSPODAR G, GIERLICHS B, DE MULDER E, et al. Machine learning in side-channel analysis: A first study[J]. Journal of Cryptographic Engineering, 2011, 1(4): 293. doi:  10.1007/s13389-011-0023-x
    [14] LERMAN L, BONTEMPI G, and MARKOWITCH O. A machine learning approach against a masked AES[J]. Journal of Cryptographic Engineering, 2015, 5(2): 123–139. doi:  10.1007/s13389-014-0089-3
    [15] MAGHREBI H, PORTIGLIATTI T, and PROUFF E. Breaking cryptographic implementations using deep learning techniques[C]. The 6th International Conference on Security, Privacy, and Applied Cryptography Engineering, Hyderabad, India, 2016: 3–26. doi: 10.1007/978-3-319-49445-6_1.
    [16] TIMON B. Non-profiled deep learning-based side-channel attacks with sensitivity analysis[J]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2019(2): 107–131.
    [17] BIHAM E and SHAMIR A. Differential fault analysis of secret key cryptosystems[C]. The 17th Annual International Cryptology Conference Santa Barbara on Advances in Cryptology, Santa Barbara, USA, 1997: 513–525. doi: 10.1007/BFb0052259.
    [18] BIEHL I, MEYER B, and MÜLLER V. Differential fault attacks on elliptic curve cryptosystems[C]. The 20th Annual International Cryptology Conference Santa Barbara on Advances in Cryptology, Santa Barbara, USA, 2000: 131–146. doi: 10.1007/3-540-44598-6_8.
    [19] SCHMIDT J M and MEDWED M. A fault attack on ECDSA[C]. The 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography, Lausanne, Switzerland, 2009: 93–99. doi: 10.1109/FDTC.2009.38.
    [20] GOODWILL G, JUN B, JAFFE J, et al. A testing methodology for side-channel resistance validation[C]. NIST Non-Invasive Attack Testing Workshop, Nara, Japan, 2011: 115–136.
    [21] BECKER G, COOPER J, DEMULDER E, et al. Test Vector Leakage Assessment (TVLA) methodology in practice[C]. International Cryptographic Module Conference, Gaithersburg, USA, 2013: 13.
    [22] DING A A, CHEN Cong, and EISENBARTH T. Simpler, faster, and more robust t-test based leakage detection[C]. The 7th International Workshop on Constructive Side, Graz, Austria, 2016: 163–183. doi: 10.1007/978-3-319-43283-0_10.
    [23] MORADI A, RICHTER B, SCHNEIDER T, et al. Leakage detection with the X2-test[J]. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2018(1): 209–237. doi:  10.13154/tches.v2018.i1.209-237
    [24] WEGENER F, MOOS T, and MORADI A. DL-LA: Deep learning leakage assessment[J]. IACR Cryptology ePrint Archive, 2019. https://eprint.iacr.org/2019/505.pdf.
    [25] SAKIYAMA K, LI YANG, IWAMOTO M, et al. Information­theoretic approach to optimal differential fault analysis[J]. IEEE Transactions on Information Forensics and Security, 2012, 7(1): 109–120. doi:  10.1109/TIFS.2011.2174984
    [26] BERTONI G, BREVEGLIERI L, KOREN I, et al. Error analysis and detection procedures for a hardware implementation of the advanced encryption standard[J]. IEEE Transactions on Computers, 2003, 52(4): 492–505. doi:  10.1109/tc.2003.1190590
    [27] JOYE M, MANET P, and RIGAUD J B. Strengthening hardware AES implementations against fault attacks[J]. IET Information Security, 2007, 1(3): 106–110. doi:  10.1049/iet-ifs:20060163
    [28] GHOSH S, SAHA D, SENGUPTA A, et al. Preventing fault attacks using fault randomization with a case study on AES[C]. The 20th Australasian Conference on Information Security and Privacy, Brisbane, Australia, 2015: 343–355. doi: 10.1007/978-3-319-19962-7_20.
    [29] TUPSAMUDRE H, BISHT S, and MUKHOPADHYAY D. Destroying fault invariant with randomization[C]. The 16th International Workshop on Cryptographic Hardware and Embedded Systems, Busan, Korea, 2014: 93–111. doi: 10.1007/978-3-662-44709-3_6.
    [30] FENG Jingyi, CHEN Hua, LI Yang, et al. A framework for evaluation and analysis on infection countermeasures against fault attacks[J]. IEEE Transactions on Information Forensics and Security, 2020, 15: 391–406. doi:  10.1109/TIFS.2019.2903653
    [31] GOUBIN L and PATARIN J. DES and differential power analysis the “duplication” method[C]. The 1st International Workshop on Cryptographic Hardware and Embedded Systems, Worcester, USA, 1999: 158–172. doi: 10.1007/3-540-48059-5_15.
    [32] BAYRAK A G, REGAZZONI F, NOVO D, et al. Sleuth: Automated verification of software power analysis countermeasures[C]. The 15th International Workshop on Cryptographic Hardware and Embedded Systems, Santa Barbara, USA, 2013: 293–310. doi: 10.1007/978-3-642-40349-1_17.
    [33] BARTHE G, BELAÏD S, DUPRESSOIR F, et al. Strong non-interference and type-directed higher-order masking[C]. The 2016 ACM SIGSAC Conference on Computer and Communications Security, New York, USA, 2016: 116–129. doi: 10.1145/2976749.2978427.
    [34] BARTHE G, BELAÏD S, DUPRESSOIR F, et al. Verified proofs of higher-order masking[C]. The 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology, Sofia, Bulgaria, 2015: 457–485. doi: 10.1007/978-3-662-46800-5_18.
    [35] CORON J S. Formal verification of side-channel countermeasures via elementary circuit transformations[C]. The 16th International Conference on Applied Cryptography and Network Security, Leuven, Belgium, 2018: 65–82. doi: 10.1007/978-3-319-93387-0_4.
    [36] EL OUAHMA I B, MEUNIER Q L, HEYDEMANN K, et al. Side-channel robustness analysis of masked assembly codes using a symbolic approach[J]. Journal of Cryptographic Engineering, 2019, 9(3): 231–242. doi:  10.1007/s13389-019-00205-7
    [37] ELDIB H, WANG Chao, and SCHAUMONT P. Formal verification of software countermeasures against side-channel attacks[J]. ACM Transactions on Software Engineering and Methodology, 2014, 24(2): 1–24. doi:  10.1145/2685616
    [38] ELDIB H, WANG Chao, and SCHAUMONT P. SMT-based verification of software countermeasures against side-channel attacks[C]. The 20th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Grenoble, France, 2014: 62–77. doi: 10.1007/978-3-642-54862-8_5.
    [39] ZHANG Jun, GAO Pengfei, SONG Fu, et al. SCINFER: Refinement-based verification of software countermeasures against side-channel attacks[C]. The 30th International Conference on Computer Aided Verification, Oxford, England, 2018: 157–177. doi: 10.1007/978-3-319-96142-2_12.
    [40] BERTONI G and MARTINOLI M. A methodology for the characterisation of leakages in combinatorial logic[C]. The 6th International Conference on Security, Privacy, and Applied Cryptography Engineering, Hyderabad, India, 2016: 363–382. doi: 10.1007/978-3-319-49445-6_21.
    [41] BLOEM R, GROSS H, IUSUPOV R, et al. Formal verification of masked hardware implementations in the presence of glitches[C]. The 37th Advances in Cryptology, Tel Aviv, Israel, 2018: 321–353. doi: 10.1007/978-3-319-78375-8_11.
    [42] GOUBET L, HEYDEMANN K, ENCRENAZ E, et al. Efficient design and evaluation of countermeasures against fault attacks using formal verification[C]. The 14th International Conference on Smart Card Research and Advanced Applications, Bochum, Germany, 2015: 177–192. doi: 10.1007/978-3-319-31271-2_11.
  • [1] 夏晓峰, 向宏, 肖震宇, 蔡挺.  基于国产密码算法的数控网络的认证与验证模型研究及安全评估, 电子与信息学报. doi: 10.11999/JEIT190893
    [2] 魏伟, 陈佳哲, 李丹, 张宝峰.  椭圆曲线Diffie-Hellman密钥交换协议的比特安全性研究, 电子与信息学报. doi: 10.11999/JEIT190845
    [3] 黎剑兵, 李庆, 董庆宽, 李小平.  有扰信道下基于门限密码的链式组播源认证技术, 电子与信息学报. doi: 10.11999/JEIT140884
    [4] 陈俊杰, 司江勃, 李赞, 石莎, 黄海燕.  非理想信道状态信息对频谱共享认知中继网络性能的影响, 电子与信息学报. doi: 10.3724/SP.J.1146.2011.01073
    [5] 郭卫栋, 刘琚, 陈赫, 刘玉玺, 张国伟.  基于过时信道信息的多用户中继网络性能分析, 电子与信息学报. doi: 10.3724/SP.J.1146.2011.00389
    [6] 郁滨, 卢锦元, 房礼国.  基于迭代算法的可验证视觉密码, 电子与信息学报. doi: 10.3724/SP.J.1146.2010.00270
    [7] 高伟东, 王文博, 程昱, 彭木根, 张欢.  基于不同信道状态信息的MIMO中继系统收发信机设计, 电子与信息学报. doi: 10.3724/SP.J.1146.2008.01650
    [8] 杨亥娟, 邱玲.  Rician信道下基于信道均值信息的自适应反馈方案, 电子与信息学报. doi: 10.3724/SP.J.1146.2008.01213
    [9] 徐瑨, 陶小峰, 张平.  基于迭代信道软信息的编码MIMO检测, 电子与信息学报. doi: 10.3724/SP.J.1146.2007.01202
    [10] 许道峰, 黄永明, 杨绿溪.  OFDMA框架下一种低代价直接信道信息反馈方法, 电子与信息学报. doi: 10.3724/SP.J.1146.2006.01885
    [11] 许方敏, 陶小峰, 张平.  非精确信道状态信息下MIMO系统中的干扰删除, 电子与信息学报. doi: 10.3724/SP.J.1146.2007.00801
    [12] 文静华, 李祥, 张焕国, 梁敏, 张梅.  基于ATL的公平电子商务协议形式化分析, 电子与信息学报. doi: 10.3724/SP.J.1146.2005.01088
    [13] 王永学, 陈芳炯, 韦岗.  非精确信道信息下的自适应MIMO-OFDM系统性能分析, 电子与信息学报.
    [14] 李军, 廖桂生, 郭庆华.  利用补零信息的单载波块传输盲信道估计方法, 电子与信息学报.
    [15] 张福泰, 师军, 王育民.  向量空间接入结构上信息论安全的可验证秘密分享, 电子与信息学报.
    [16] 郑红, 李师贤.  CORBA规范的形式化描述及分析, 电子与信息学报.
    [17] 胡成军, 郑援, 吕述望, 沈昌祥.  安全协议的形式化规范, 电子与信息学报.
    [18] 刘传东, 吕述望, 范修斌.  密码学控选逻辑控制序列与输出序列的互信息, 电子与信息学报.
    [19] 张彤, 杨波, 王育民, 李真富.  阈下信道的一个信息论模型, 电子与信息学报.
    [20] 滕志猛, 何野, 童勤义.  侧风效应和SG方法, 电子与信息学报.
  • 加载中
  • 计量
    • 文章访问数:  239
    • HTML全文浏览量:  161
    • PDF下载量:  36
    • 被引次数: 0
    出版历程
    • 收稿日期:  2019-11-01
    • 修回日期:  2020-06-05
    • 网络出版日期:  2020-07-07
    • 刊出日期:  2020-08-18

    目录

      /

      返回文章
      返回

      官方微信,欢迎关注