Extracting keys from FPGAs, OTP Tokens and Door Locks: Side-Channel (and other) Attacks in Practice

Presented at 30C3 (2013), Dec. 28, 2013, 12:45 p.m. (60 minutes)

Side-channel analysis (SCA) and related methods exploit physical characteristics of a (cryptographic) implementations to bypass security mechanisms and extract secret keys. Yet, SCA is often considered a purely academic exercise with no impact on real systems. In this talk, we show that this is not the case: Using the example of several wide-spread real-world devices, we demonstrate that even seemingly secure systems can be attacked by means of SCA with limited effort. This talk briefly introduces implementation attacks and side-channel analysis (SCA) in particular. Typical side-channels like the power consumption and the EM emanation are introduced. The main focus is then on three case studies that have been conducted as part of the SCA research of the Chair for Embedded Security (Ruhr-Uni Bochum) since 2008: The first example are FPGAs that can be protected against reverse-engineering and product counterfeit with a feature called "bitstream encryption". Although the major vendors (Xilinx and Altera) use secure ciphers like AES, no countermeasures against SCA were implemented. As a second example, a wide-spread electronic locking system based on proprietary cryptography is analyzed. The target of the third case study is a popular one-time password token for two-factor authentication, the Yubikey 2. In all three cases, the cryptographic secrets could be recovered within a few minutes to a few hours of measurements, allowing an adversary to decrypt FPGA bitstreams, to clone Yubikeys, and to open all locks in an entire installation, respectively. In conclusion, we summarize possible countermeasures against the presented attacks and describe the communication with the respective vendors as part of a responsible disclosure process.

Presenters:

• David
  David Oswald received his PhD in IT-Security in 2013 and is currently working at the Chair for Embedded Security, Ruhr-University Bochum. His main field of research is the practical security analysis of embedded systems, e.g., commercially employed RFID smartcards. The focus is on attack methods that exploit weaknesses in the physical implementation of mathematically secure cryptographic algorithms. Those techniques include both (passive) side-channel analysis and (active) fault injection. He is co-founder of the Kasper & Oswald GmbH, offering products and services for security engineering.

Links:

• https://fahrplan.events.ccc.de/congress/2013/Fahrplan/events/5417.html

Similar Presentations:

• BSidesLV 2023 / Hiding in Plain Sight - The Untold Story of Hidden Vulnerabilities
• Still Hacking Anyway (SHA2017) / Attacking OpenSSL using Side-channel Attacks: The RSA case study
• GrrCON 2019 / PSD2, SCA, WTF?!