跳到主要內容

簡易檢索 / 詳目顯示

回結果列表
研究生: 吳香翰
Shain-Han Wu
論文名稱: 遮罩保護機制防禦差分能量攻擊之研究
The Research on Masking Countermeasure Against Differential Power Analysis
指導教授: 顏嵩銘
Sung-Ming Yen
口試委員:
學位類別: 碩士
Master
系所名稱: 資訊電機學院 - 資訊工程學系
Department of Computer Science & Information Engineering
畢業學年度: 92
語文別: 英文
論文頁數: 66
中文關鍵詞: 差分能量攻擊遮罩保護機制乘法反元素乘法遮罩保護物理攻擊法晶片卡新一代加密器密碼學能量攻擊法
外文關鍵詞: Physical cryptanalysis, Side channel attack, Power analysis attack, Smart cards, Transformed masking, Cryptography, DPA, AES, Multiplicative mask, Inversion
相關次數: 點閱:18下載:0
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報

    • 隨著資訊科技與網際網路的蓬勃發展,資訊安全的問題與需求,與人們的生活息息相關,因此,密碼學之相關研究已然成為現今重要的議題。除了探討密碼演算法本身的特性與結構,密碼系統的實作過程也必須納入安全分析。物理攻擊法便是藉由密碼系統運算過程中所洩漏的物理現象進行攻擊,因此即使是保證安全的密碼演算法,也會因實作過程洩漏些許資訊而可破解密碼系統。
    論文中將說明物理攻擊法的基本概念,並特別針對能量消攻擊法加以說明。以現階段技術而言,差分能量攻擊法是目前最有效且易於實施的物理攻擊法。為了有效防禦差分能量攻擊法,對應的防禦方式也被廣泛的討論,其中一類利用導入亂數,致使攻擊法統計分析失效的遮罩保護機制,將於第三章介紹其概念及演進。文中用以介紹防禦技術的新一代加密器AES,將於第二章先行簡介。
    在西元2001年,Akkar與Giraud發表新類型的遮罩保護機制,以提昇軟體實作的效能。由於此方法應用到AES,仍無法防止差分能量攻擊,於是,在西元2002年,Trichina等人發表提昇效能與增加安全的改進發法。然而,論文中將針對Trichina發表的方法進行弱點分析,並提出一種應用於此的差分能量攻擊法。
    為了兼顧執行效率與系統安全,基於遮罩保護機制的原理,於第四章提出改進的防禦方法。並進行安全分析,證明此防禦法能夠有效防止能量攻擊。接著,針對三種遮罩保護機制比較執行效能,提出的防禦法法提昇效能至少十倍以上。最後,第五章呈現攻擊後的實驗成果,顯示未受保護的密碼系統易於破解,相對地,加上提出的防禦法確實能抵抗差分能量攻擊。

    Since the explosive growth in the use of computer and Internet, the requirements for information security generate higher influence in our daily life. Therefore, cryptography becomes an important issue, which not only considers the cryptographic algorithm but also takes their implementations into account. Physical attacks on the security of a cryptosystem are characterized by viewing the information leaking from the cryptosystem being processed.
    The preliminary knowledge and requirements of physical cryptanalysis will be discussed. The discussion of physical security is extended to include an important standard, the Advanced Encryption Standard (AES). Further, an approach to the protection of cryptosystem in software-based implementation from power analysis is also addressed.
    For opposing differential power analysis, an improved technique to perform the security transformation will be developed. A masking countermeasure resisted power analysis and integrated transformations into original cryptographic architecture is presented. The principles of improved technique are discussed and the analysis of performance and security are provided completely.
    Finally, the techniques used to construct improved masking method are examined. The practical masking countermeasure has been implemented and provides the information security against the DPA attack. The experimental results demonstrated the practicality of the DPA attacks on straightforward AES and the security of AES could be achieved by using improved method.

    1 Introduction 1.1 Motivation 1.2 Conventional Mathematical Attacks Versus Physical Cryptanalysis 1.2.1 Conventional mathematical attacks 1.2.2 Physical cryptanalysis 1.3 Overview of The Thesis 2 Preliminary Background of Power Analysis Attack and AES 2.1 Power Analysis Attack 2.2 Simple Power Analysis 2.3 Differential Power Analysis 2.4 Brief Review of AES 2.4.1 Physical cryptanalysis against AES 2 Introduction to Masking Countermeasure 3.1 Random Masking Technique 3.2 Masking Conversions 3.3 Transformed Masking Method 3.3.1 Transformed masking on AES 3.3.2 Vulnerability and cryptanalysis procedures 3.3.3 Simplified and enhanced transformed masking 4 An Improved Transformed Masking for AES Implementation 4.1 Motivation 4.2The Proposed Countermeasure 4.2.1 Secure implementation on S-Box transactions 4.2.2 Updating m-Inversion tables 4.3 Security Analysis 4.3.1 Proposed DPA on simplified and enhanced transformed masking 4.3.2 Security against first-order DPA 4.3.3 Security against second-order DPA 4.4 Performance Comparisons with Other Methods 4.4.1 Multiplication in GF(2^8) 4.5 Main Contribution 5 Experimental Work 5.1 Description of Experimental Equipment 5.1.1 Experimental environment 5.1.2 The selection function of DPA 5.2 Experimental Results 5.2.1 Experimental results of straightforward AES implementation 5.2.2 Experimental results of proposed masking method 6 Concluding Remarks 6.1 Brief Review of Main Contributions 6.2 Further Research Topic and Directions

    [1] E. Biham and A. Shimar,``Differential Cryptanalysis of DES-like Cryptosystem," In advances in Cryptology -- CRYPTO''90, LNCS537, pp.2-21, Springer-Verlag, 1991.
    [2] E. Biham and A. Shimar,``Differential Cryptanalysis of DES-like Cryptosystem," Journal of Cryptology, vol.~4, no.~1, pp. 3-72, 1991.
    [3] E. Biham and A. Shimar,``Differential Cryptanalysis of Snefru Khafre, REDOC, LOKI and Lucifer," In Advances in Cryptology -- CRYPTO''91,pp. 156-171, Spribger-Verlag, 1991.
    [4] M. Matsui,``Linear Cryptanalysis Method for DES Cipher," In Advances in Cryptology -- EUROCRYPT''93, LNCS765, pp. 386-397, Springer-Verlag, 1994.
    [5] E. Biham, ``On Matusi''s Linear Cryptanalysis," In Advances in Cryptology -- EUROCRYPT''94, pp. 341-355, Springer-Verlag, 1994.
    [6] R. Anderson and M. Kuhn, ``Tamper Resistance -- A Cautionary Note," In Proceedings of the 2nd USENIX Workshop on Electronic Commerce, pp.1--11, 1996.
    [7] P. Kocher, J. Jaffe and B. Jun, ``Introduction to Differential Power Analysis and Related Attacks," 1998, available at URL <http://www.cryptography.com/dpa/technical>.
    [8] P. Kocher, J. Jaffe and B. Jun, ``Differential Power Analysis," In Advances in Cryptology -- CRYPTO''99, LNCS1666, pp.388--397, Springer-Verlag, 1999.
    [9] E. Biham and A. Shamir, ``Power Analysis of the Key Scheduling of the AES Candidates," In Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, pp.115--121, 1999.
    [10] S. Mangrad, ``A Simple Power-Analysis (SPA) Attack on Implementations of the AES Key Expansion," In Proceedings of the International Conference on Information Security and Cryptology - ICISC 2002, LNCS2587, pp.343--358, Springer-Verlag, 2002.
    [11] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, ``Investigations of Power Analysis Attacks on Smartcards," In Proceedings of USENIX Workshop on Smartcard Technology, pp.151--161, 1999.
    [12] J. Kelsey, B. Schneier, D. Wagner and C. Hall, ``Side Channel Cryptanalysis of Product Ciphers," In Proceedings of ESORICS ''98, pp. 97-110, Springer-Verlag, 1998.
    [13] NBS FIPS PUB 46, ``Data Encryption Standard," National Bureau of Standard, U.S. Department of Commerce, Jan. 1977.
    [14] R. M. Davis, ``Some Regular Properties of DES," Computer Security and the Data Encryption Standard, National Bureau of Standards Special Publication, 1978.
    [15] NBA FIPS PUB 46-1, ``Data Encryption Standard," National Bureau of Standards, U.S. Department of Commerce, 1988.
    [16] S. Chari, C.S. Jutla, J.R. Rao, and P. Rohatgi, ``A Cautionary Note Regarding Evaluation of AES Candidates on Smart-cards," In Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, pp.133--147, 1999.
    [17] J. Daemen and V. Rijmen, ``Resistance Against Implementation Attacks: A Comparative Study of the AES Proposals," In Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, pp.122--132, 1999.
    [18] J. Daemen, V. Rijnmen, ``AES Proposal : Rijndael," In Proceedings of the First Advanced Encryption Standard Candidate Conference (AES), 1998.
    [19] T.S. Messerges, ``Securing the AES Finalists Against Power Analysis Attacks,'' In Proceedings of Fast Software Encryption Workshop -- FSE2000, LNCS1978, pp.150--164, Springer-Verlag, 2000.
    [20]F. Sano, M. Koike, S. Kawamura and M. Shiba, ``Performance Evaluation of AES Finalists on the High-End Smart Card," Presented in the 3rd AES conference, pp.82--93, NY, USA, April 2000.
    [21] National Institute of Standards and Technology, ``FIPS-197:Advanced Encryption Standard," Federal Information Processing Standard, FIPS-197, 2001.
    [22] http://csrc.nist.gov/encryption/aes/
    [23] L. May, M. Henricksen, W. Millan, G. Carter and E. Dawson, ``Strengthening the Key Schedule of the AES," In Proceedings of the Australasian Conference on Information Security and Privacy - ACISP 2002, LNCS2384, pp.226--240, Springer-Verlag, 2002.
    [24] L. Goubin and J. Patarin, ``DES and Differential Power Analysis--The Duplication Method," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES''99, LNCS1717, pp.158--172, Springer-Verlag, 1999.
    [25] S. Chari, C.S. Jutla, J.R. Rao, and P. Rohatgi, ``Towards Sound Approaches to Counteract Power-analysis Attacks," In Advances in Cryptology -- CRYPTO''99, LNCS1666, pp.398--412, Springer-Verlag, 1999.
    [26] J.S. Coron and L. Goubin, ``On Boolean and Arithmetic Masking Against Differential Power Analysis," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES,2000, LNCS1965, pp.231--237, Springer-Verlag, 2000.
    [27] L. Goubin, ``A Sound Method for Switching Between Boolean and Arithmetic Masking," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2001, LNCS 2162, pp.3-15, Springer-Verlag, 2001.
    [28] J.S. Coron and A. Tchulkine, ``A New Algorithm for Switching from Arithmetic to Boolean Masking," Cryptographic Hardware and Embedded Systems -- CHES2003, LNCS2779, pp.89-97, Springer-Verlag, 2003.
    [29] K. Itoh, M. Takenaka and N. Torii, ``DPA Countermeasure Based on the "Masking Method"," In Proceedings of the International Conference on Information Security and Cryptology - ICISC 2001, LNCS 2288, pp. 440-456, Springer-Verlag, 2001.
    [30] M.L. Akkar and C. Giraud, ``An Implementation of DES and AES, Secure Against Some Attacks," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2001, LNCS 2162, pp. 309-318, Springer-Verlag, 2001.
    [31] E. Trichina, D. De Seta, and L. Germani, ``Simplified Adaptive Multiplicative Masking for AES and its Secure Implementation," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2002, LNCS2523, pp.187--197, Springer-Verlag, 2002.
    [32] J. Dj. Golic and C. Tymen, ``Multiplicative Masking and Power Analysis of AES," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems - CHES 2002, LNCS2523, pp.198--212, Springer-Verlag, 2002.
    [33] E. Barkan and E. Biham, ``In How Many Ways Can You Write Rijndael?," In Proceedings of ASIACRYPT 2002, LNCS2501, pp.160--175, Springer-Verlag, 2002.
    [34] P. Kocher, ``Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,'' In Advances in Cryptology -- CRYPTO''96, LNCS1109, pp.104--113, Springer-Verlag, 1996.
    [35] J.F. Dhem, F. Koeune, P.A. Leroux, P. Mestre, J.J. Quisquater, and J.L. Willems, ``A Practical Implementation of the Timing Attack,'' Technical Report CG-1998/1, UCL Crypto Group, Universite catholique de Louvain, 1998.
    [36] J.F. Dhem, F. Koeune, P.A. Leroux, P. Mestre, J.J. Quisquater, and J.L. Willems, ``A Practical Implementation of the Timing Attack," In Proceedings of CARDIS''98 -- Third Smart Card Research and Advanced Application Conference, UCL, Louvain-la-Neuve, Belgium, Sep. 14-16, 1998.
    [37] H. Handschuh, ``A timing attack on RC5," In Proceedings of the Workshop on Selected Areas in Cryptography - SAC''98, Springer-Verlag, 1998.
    [38] G. Hachez, F. Koeune, and J.-J. Quisquater, ``Timing Attack: What Can Be Achieved By A Powerful Adversary?," Proceedings of the 20th Symposium on Information Theory, pp. 63--70, 1999.
    [39] F. Koeune and J.-J. Quisquater, ``A Timing Attack Against Rijndael," Crypto Group Technical Report Series CG--1999/1, Universit''e Catholique de Louvain, 1999.
    [40] A. Hevia and M. Kiwi, ``Strength of Two Data Encryption Standard Implementations under Timing Attack," ACM Transactions on Information and System Security (TISSEC), Vol.2, no.4, pp.416--437, 1999.
    [41] W. Schindler, ``A Timing Attack Against RSA with the Chinese Remainder Theorem," Cryptographic Hardware and Embedded Systems -- CHES,2000, LNCS1965, pp.109--124, Springer-Verlag, 2000.
    [42] C. D. Walter and S. Thompson, ``Distinguishing Exponent Digits by Observing Modular Subtractions," In Proceedings of the Cryptographers'' Track at the RSA conference -- CT-RSA~2001, LNCS2020, pp.192--207, 2001.
    [43] W. Schindler, F. Koeune, J.J. Quisquater, ``Unleashing the Full Power of Timing Attack,'' UCL Crypto Group, Technical report CG-2001-3, 2001.
    [44] T.S. Messerges, ``Using 2nd-order Power Analysis to Attack DPA Resistant Software," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES,2000, LNCS1965, pp.238--251, Springer-Verlag, 2000.
    [45] M.-L. Akkar and L. Goubin, ``A Generic Protection against High-Order Differential Power Analysis," In Proceedings of FSE 2003, LNCS2887, pp.192--205, Springer-Verlag, 2003.
    [46] S. Young, ``Zilog Z80 CPU Specifications," 1997, available at URL <http://www.smspower.org/dev/docs/z80-docs2.zip>.
    [47] B.S. Kaliski Jr. and M.J.B. Robshaw, ``Comments on Some New Attacks on Cryptographic Devices," RSA Laboratories Bulletin, no.~5, 1997.
    [48] R. Anderson and M. Kuhn, ``Low Cost Attacks on Tamper Resistant Devices," In Proceedings of the 1997 Security Protocols Workshop, Lecture Notes in Computer Science 1361, pp. 125--136, Springer-Verlag, 1997.
    [49] J.S. Coron, ``Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES''99, LNCS1717, pp.292--302, Springer-Verlag, 1999.
    [50] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, ``Power Analysis Attacks of Modular Exponentiation in Smartcards," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES''99, LNCS1717, pp.144--157, Springer-Verlag, 1999.
    [51] C. Clavier, J.S. Coron, and N. Dabbous, ``Differential power analysis
    in the presence of hardware countermeasures," Cryptographic Hardware and Embedded Systems -- CHES2000, LNCS1965, pp.252--263, Springer-Verlag, 2000.
    [52] C.D. Walter, ``Sliding windows succumbs to big mac attack," Cryptographic Hardware and Embedded Systems -- CHES,2001, LNCS2162, pp.286--299, Springer-Verlag, 2001.
    [53] C. Clavier and M. Joye, ``Universal exponentiation algorithm: A first step towards provable SPA-resistance," Cryptographic Hardware and Embedded Systems -- CHES2001, LNCS2162, pp.300--308, Springer-Verlag, 2001.
    [54] T.S. Messerges, E.A. Dabbish and R.H. Sloan, ``Examing Smart-Card Security under the Threat of Power Analysis Attacks," IEEE Trans. on Computers, vol.51, no.~5, 2002.
    [55] M.L. Akkar, R. Bevan, P. Dischamp and D. Moyart, ``Power Analysis, What is Now Possible," Advance in Cryptology - ASIACRYPT 2000, LNCS1976, pp.489--502, Springer-Verlag, 2000.
    [56] S.M. Yen, ``Amplified Differential Power Cryptanalysis on Rijndael Implementations with Exponentially Fewer Power Traces," In Proceedings of the Australasian Conference on Information Security and Privacy - ACISP 2003, LNCS2727, pp.106--117, Springer-Verlag, 2003.
    [57] A. Shamir, ``Protecting Smart Cards from Passive Power Analysis with Detached Power Supplies," In Proceedings of Workshop on Cryptographic Hardware and Embedded Systems -- CHES,2000, LNCS1965, pp.71--77, Springer-Verlag, 2000.
    [58] C.N. Chen and S.M. Yen, ``Differential Fault Analysis on AES Key Schedule and Some Countermeasures," In Proceedings of the International Conference on Information Security and Cryptology - ICISC 2003, LNCS2727, pp.118--129, Springer-Verlag, 2003.

    QR CODE
    :::