
Showing papers on "Timing attack published in 2016"


Proceedings Article
10 Aug 2016
TL;DR: New parameters and a better suited error distribution are proposed, the scheme's hardness against attacks by quantum computers is analyzed in a conservative way, a new and more efficient error-reconciliation mechanism is introduced, and a defense against backdoors and all-for-the-price-of-one attacks is proposed.
Abstract: At IEEE Security & Privacy 2015, Bos, Costello, Naehrig, and Stebila proposed an instantiation of Peikert's ring-learning-with-errors-based (Ring-LWE) key-exchange protocol (PQCrypto 2014), together with an implementation integrated into OpenSSL, with the affirmed goal of providing post-quantum security for TLS. In this work we revisit their instantiation and stand-alone implementation. Specifically, we propose new parameters and a better suited error distribution, analyze the scheme's hardness against attacks by quantum computers in a conservative way, introduce a new and more efficient error-reconciliation mechanism, and propose a defense against backdoors and all-for-the-price-of-one attacks. By these measures and for the same lattice dimension, we more than double the security parameter, halve the communication overhead, and speed up computation by more than a factor of 8 in a portable C implementation and by more than a factor of 27 in an optimized implementation targeting current Intel CPUs. These speedups are achieved with comprehensive protection against timing attacks.

452 citations


Proceedings ArticleDOI
24 Oct 2016
TL;DR: This work introduces Prefetch Side-Channel Attacks, a new class of generic attacks exploiting major weaknesses in prefetch instructions that allows unprivileged attackers to obtain address information and thus compromise the entire system by defeating SMAP, SMEP, and kernel ASLR.
Abstract: Modern operating systems use hardware support to protect against control-flow hijacking attacks such as code-injection attacks. Typically, write access to executable pages is prevented and kernel mode execution is restricted to kernel code pages only. However, current CPUs provide no protection against code-reuse attacks like ROP. ASLR is used to prevent these attacks by making all addresses unpredictable for an attacker. Hence, the kernel security relies fundamentally on preventing access to address information. We introduce Prefetch Side-Channel Attacks, a new class of generic attacks exploiting major weaknesses in prefetch instructions. This allows unprivileged attackers to obtain address information and thus compromise the entire system by defeating SMAP, SMEP, and kernel ASLR. Prefetch can fetch inaccessible privileged memory into various caches on Intel x86. It also leaks the translation-level for virtual addresses on both Intel x86 and ARMv8-A. We build three attacks exploiting these properties. Our first attack retrieves an exact image of the full paging hierarchy of a process, defeating both user space and kernel space ASLR. Our second attack resolves virtual to physical addresses to bypass SMAP on 64-bit Linux systems, enabling ret2dir attacks. We demonstrate this from unprivileged user programs on Linux and inside Amazon EC2 virtual machines. Finally, we demonstrate how to defeat kernel ASLR on Windows 10, enabling ROP attacks on kernel and driver binary code. We propose a new form of strong kernel isolation to protect commodity systems incurring an overhead of only 0.06-5.09%.

212 citations


Proceedings ArticleDOI
15 Oct 2016
TL;DR: This paper develops an attack to derive kernel and user-level ASLR offset using a side-channel attack on the branch target buffer (BTB) and describes several possible protection mechanisms, both in software and in hardware.
Abstract: Address Space Layout Randomization (ASLR) is a widely-used technique that protects systems against a range of attacks. ASLR works by randomizing the offset of key program segments in virtual memory, making it difficult for an attacker to derive the addresses of specific code objects and consequently redirect the control flow to this code. In this paper, we develop an attack to derive kernel and user-level ASLR offset using a side-channel attack on the branch target buffer (BTB). Our attack exploits the observation that an adversary can create BTB collisions between the branch instructions of the attacker process and either the user-level victim process or on the kernel executing on its behalf. These collisions, in turn, can impact the timing of the attacker's code, allowing the attacker to identify the locations of known branch instructions in the address space of the victim process or the kernel. We demonstrate that our attack can reliably recover kernel ASLR in about 60 milliseconds when performed on a real Haswell processor running a recent version of Linux. Finally, we describe several possible protection mechanisms, both in software and in hardware.

212 citations


Proceedings ArticleDOI
24 Oct 2016
TL;DR: A highly stable timing attack against KASLR, called DrK, that can precisely de-randomize the memory layout of the kernel without violating any such assumptions and is universally applicable to all OSes, even in virtualized environments, and generates no visible footprint.
Abstract: Kernel hardening has been an important topic since many applications and security mechanisms often consider the kernel as part of their Trusted Computing Base (TCB). Among various hardening techniques, Kernel Address Space Layout Randomization (KASLR) is the most effective and widely adopted defense mechanism that can practically mitigate various memory corruption vulnerabilities, such as buffer overflow and use-after-free. In principle, KASLR is secure as long as no memory leak vulnerability exists and high entropy is ensured. In this paper, we introduce a highly stable timing attack against KASLR, called DrK, that can precisely de-randomize the memory layout of the kernel without violating any such assumptions. DrK exploits a hardware feature called Intel Transactional Synchronization Extension (TSX) that is readily available in most modern commodity CPUs. One surprising behavior of TSX, which is essentially the root cause of this security loophole, is that it aborts a transaction without notifying the underlying kernel even when the transaction fails due to a critical error, such as a page fault or an access violation, which traditionally requires kernel intervention. DrK turned this property into a precise timing channel that can determine the mapping status (i.e., mapped versus unmapped) and execution status (i.e., executable versus non-executable) of the privileged kernel address space. In addition to its surprising accuracy and precision, DrK is universally applicable to all OSes, even in virtualized environments, and generates no visible footprint, making it difficult to detect in practice. We demonstrated that DrK can break the KASLR of all major OSes (i.e., Windows, Linux, and OS X) with near-perfect accuracy in under a second. Finally, we propose potential countermeasures that can effectively prevent or mitigate the DrK attack. We urge our community to be aware of the potential threat of having Intel TSX, which is present in most recent Intel CPUs -- 100% in workstation and 60% in high-end Intel CPUs since Skylake -- and is even available on Amazon EC2 (X1).

157 citations


Proceedings ArticleDOI
05 Jun 2016
TL;DR: New techniques achieve high-resolution tracking of victim accesses, enabling attacks on ciphers where critical events have a small cache footprint; the resulting channel is shown to be frequently of equal quality to Flush+Reload.
Abstract: Recently demonstrated side-channel attacks on shared Last Level Caches (LLCs) work under a number of constraints on both the system and the victim behavior that limit their applicability. This paper demonstrates on a real system a new high-resolution LLC side channel attack that relaxes some of these assumptions. Specifically, we introduce and exploit new techniques to achieve high-resolution tracking of the victim accesses to enable attacks on ciphers where critical events have a small cache footprint. We compare the quality of the side-channel in our attack to that obtained using Flush+Reload attacks, which are significantly more precise but work only when the sensitive data is shared between the attacker and the victim. We show that our attack frequently obtains an equal quality channel, which we also confirmed by reconstructing the victim cryptographic key.

106 citations


Proceedings ArticleDOI
12 Mar 2016
TL;DR: This is the first work that clearly demonstrates the vulnerability of a commercial GPU architecture to side-channel timing attacks, and a complete AES (Advanced Encryption Standard) key recovery using known ciphertext through a timing channel.
Abstract: Graphics Processing Units (GPUs) have become mainstream parallel computing devices. They are deployed on diverse platforms, and an increasing number of applications have been moved to GPUs to exploit their massive parallel computational resources. GPUs are starting to be used for security services, where high-volume data is encrypted to ensure integrity and confidentiality. However, the security of GPUs has only begun to receive attention. Issues such as side-channel vulnerability have not been addressed. The goal of this paper is to evaluate the side-channel security of GPUs and demonstrate a complete AES (Advanced Encryption Standard) key recovery using known ciphertext through a timing channel. To the best of our knowledge, this is the first work that clearly demonstrates the vulnerability of a commercial GPU architecture to side-channel timing attacks. Specifically, for AES-128, we have been able to recover all key bytes utilizing a timing side channel in under 30 minutes.

89 citations


Proceedings ArticleDOI
24 Oct 2016
TL;DR: In this article, a cache-based key-recovery attack on TLS and SSH is presented, which can extract a 1024/160-bit DSA host key from an OpenSSH server and 580 TLS 1.2 handshakes from a stunnel server.
Abstract: TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of these protocols rely on the cryptographic primitives provided in the OpenSSL library. In this work we disclose a vulnerability in OpenSSL, affecting all versions and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which renders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack on these protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key from an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit DSA key from a stunnel server.

60 citations


Book ChapterDOI
17 Aug 2016
TL;DR: In this article, a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f is presented. The attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture.
Abstract: The scatter-gather technique is a commonly implemented approach to prevent cache-based timing attacks. In this paper we show that scatter-gather is not constant time. We implement a cache timing attack against the scatter-gather implementation used in the modular exponentiation routine in OpenSSL version 1.0.2f. Our attack exploits cache-bank conflicts on the Sandy Bridge microarchitecture. We have tested the attack on an Intel Xeon E5-2430 processor. For 4096-bit RSA our attack can fully recover the private key after observing 16,000 decryptions.

57 citations


Book ChapterDOI
08 May 2016
TL;DR: It is shown that s2n -- as initially released -- was vulnerable to a timing attack in the case of CBC-mode ciphersuites, which could be extended to complete plaintext recovery in some settings.
Abstract: s2n is an implementation of the TLS protocol that was released in late June 2015 by Amazon. It is implemented in around 6,000 lines of C99 code. By comparison, OpenSSL needs around 70,000 lines of code to implement the protocol. At the time of its release, Amazon announced that s2n had undergone three external security evaluations and penetration tests. We show that, despite this, s2n -- as initially released -- was vulnerable to a timing attack in the case of CBC-mode ciphersuites, which could be extended to complete plaintext recovery in some settings. Our attack has two components. The first part is a novel variant of the Lucky 13 attack that works even though protections against Lucky 13 were implemented in s2n. The second part deals with the randomised delays that were put in place in s2n as an additional countermeasure to Lucky 13. Our work highlights the challenges of protecting implementations against sophisticated timing attacks. It also illustrates that standard code audits are insufficient to uncover all cryptographic attack vectors.

53 citations


Journal ArticleDOI
TL;DR: This paper proposes an extension of a public-key cryptosystem to support a private-key cryptosystem that combines the Advanced Encryption Standard and ECC, and proposes a hybrid encryption scheme to increase competency and to minimize drawbacks.

52 citations


Proceedings ArticleDOI
18 Jul 2016
TL;DR: An attack that defeats MAC address randomization by observing the timing of network scans with an off-the-shelf Wi-Fi interface. It relies on a signature based on inter-frame arrival times of probe requests, which is used to group together frames coming from the same device even though they use distinct MAC addresses.
Abstract: MAC address randomization is a common privacy protection measure deployed in major operating systems today. It is used to prevent user-tracking with probe requests that are transmitted during IEEE 802.11 network scans. We present an attack to defeat MAC address randomization through observation of the timings of the network scans with an off-the-shelf Wi-Fi interface. This attack relies on a signature based on inter-frame arrival times of probe requests, which is used to group together frames coming from the same device although they use distinct MAC addresses. We propose several distance metrics based on timing and use them together with an incremental learning algorithm in order to group frames. We show that these signatures are consistent over time and can be used as a pseudo-identifier to track devices. Our framework is able to correctly group frames using different MAC addresses but belonging to the same device in up to 75% of the cases. These results show that the timing of 802.11 probe frames can be abused to track individual devices and that address randomization alone is not always enough to protect users against tracking.

Proceedings ArticleDOI
05 Dec 2016
TL;DR: It is shown that an attacker can probe the network at a low rate for short periods of time to learn a bevy of sensitive information about networks with > 99% accuracy, including host communication patterns, ACL entries, and network monitoring settings.
Abstract: Software-defined Networking (SDN) enables advanced network applications by separating a network into a data plane that forwards packets and a control plane that computes and installs forwarding rules into the data plane. Many SDN applications rely on dynamic rule installation, where the control plane processes the first few packets of each traffic flow and then installs a dynamically computed rule into the data plane to forward the remaining packets. Control plane processing adds delay, as the switch must forward each packet and meta-information to a (often centralized) control server and wait for a response specifying how to handle the packet. The amount of delay the control plane imposes depends on its load, and the applications and protocols it runs. In this work, we develop a non-intrusive timing attack that exploits this property to learn about an SDN network's configuration. The attack analyzes the amount of delay added to timing pings that are specially crafted to invoke the control plane, while transmitting other packets that may invoke the control plane, depending on the network's configuration. We show, in a testbed with physical OpenFlow switches and controllers, that an attacker can probe the network at a low rate for short periods of time to learn a bevy of sensitive information about networks with > 99% accuracy, including host communication patterns, ACL entries, and network monitoring settings. We also implement and test a practical defense: a timeout proxy, which normalizes control plane delay by providing configurable default responses to control plane requests that take too long. The proxy can be deployed on unmodified OpenFlow switches. It reduced the attack accuracy to below 50% in experiments, and can be configured to have minimal impact on non-attack traffic.

Proceedings ArticleDOI
11 Jul 2016
TL;DR: This work presents for the first time the execution of a DTA and a secure enhanced NoC architecture able to avoid the timing attacks and results show that the NoC proposal can avoid the DTA with an increase in area and power.
Abstract: The wide use of Multi-processing systems-on-chip (MPSoCs) in embedded systems and the trend to increase the integration between devices have made these systems vulnerable to attacks. Malicious software executed on compromised IP may become a serious security problem. By snooping the traffic exchanged through the Network-on-chip (NoC), it is possible to infer sensitive information such as secret keys. NoCs are vulnerable to side channel attacks that exploit traffic interference as timing channels. When multiple IP cores are infected, they can work coordinately to implement a distributed timing attack (DTA). In this work we present for the first time the execution of a DTA and a secure enhanced NoC architecture able to avoid the timing attacks. Results show that our NoC proposal can avoid the DTA with an increase of only 1% in area and 0.8% in power regarding the whole chip design.

Journal ArticleDOI
TL;DR: This paper has shown that the proposed asymmetric cryptosystem is vulnerable to a newly designed attack that is able to access the exact private key and obtain precise attack results using a phase retrieval algorithm.
Abstract: A recently proposed asymmetric cryptosystem based on coherent superposition and equal modulus decomposition has shown to be robust against a specific attack. In this paper, we have shown that it is vulnerable to a newly designed attack. With this attack, an intruder is able to access the exact private key and obtain precise attack results using a phase retrieval algorithm. In addition, we have also proposed a security-enhanced asymmetric cryptosystem using a random decomposition technique and a 4f optical system. In the proposed system, random decomposition is employed to create an effective trapdoor one-way function. As a result, it is able to avoid various types of attacks and maintain the asymmetric characteristics of the cryptosystem. Numerical simulations are presented to demonstrate the feasibility and robustness of the proposed method.

Book ChapterDOI
14 Nov 2016
TL;DR: This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 7748 requirements and allows the retrieval of the complete private key used in the ECDH protocol.
Abstract: The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing attacks [2]. This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 7748 requirements [10]. The attack allows the retrieval of the complete private key used in the ECDH protocol. This is achieved due to timing leakage during Montgomery ladder execution and relies on a conditional branch in the Windows runtime library 2015. The attack can be applied remotely.

Book ChapterDOI
20 Mar 2016
TL;DR: In this article, the authors define a methodology for proving black-box security of implementations in the presence of timing attackers, and present a proof-of-concept application of their methodology to MEE-CBC, bringing together three different formal verification tools.
Abstract: We provide further evidence that implementing software countermeasures against timing attacks is a non-trivial task and requires domain-specific software development processes: we report an implementation bug in the s2n library, recently released by AWS Labs. This bug, now fixed, allowed bypassing the balancing countermeasures against timing attacks deployed in the implementation of the MAC-then-Encode-then-CBC-Encrypt (MEE-CBC) component, creating a timing side-channel similar to that exploited by Lucky 13. Although such an attack could only be launched when the MEE-CBC component is used in isolation --- Albrecht and Paterson recently confirmed in independent work that s2n's second line of defence, once reinforced, provides adequate mitigation against current adversary capabilities --- its existence serves as further evidence to the fact that conventional software validation processes are not effective in the study and validation of security properties. To solve this problem, we define a methodology for proving security of implementations in the presence of timing attackers: first, prove black-box security of an algorithmic description of a cryptographic construction; then, establish functional correctness of an implementation with respect to the algorithmic description; and finally, prove that the implementation is leakage secure. We present a proof-of-concept application of our methodology to MEE-CBC, bringing together three different formal verification tools to produce an assembly implementation of this construction that is verifiably secure against adversaries with access to some timing leakage. Our methodology subsumes previous work connecting provable security and side-channel analysis at the implementation level, and supports the verification of a much larger case study. Our case study itself provides the first provable security validation of complex timing countermeasures deployed, for example, in OpenSSL.

Proceedings ArticleDOI
29 Aug 2016
TL;DR: This paper presents a practical timing attack on NoC that improves the Prime+Probe technique and evaluates a secure enhanced NoC applied as a countermeasure against the timing attack.
Abstract: Many authors have shown how to break the AES cryptographic algorithm with side channel attacks, especially the timing attacks oriented to caches, like Prime+Probe. In this paper, we present a practical timing attack on NoC that improves the Prime+Probe technique. Our attack targets the communication between an ARM Cortex-A9 core and a shared cache memory. Furthermore, we evaluate a secure enhanced NoC applied as a countermeasure against the timing attack. Finally, we demonstrate that attacks on MPSoCs through the NoC are a real threat and need to be further explored.

Proceedings ArticleDOI
23 May 2016
TL;DR: The theoretical analysis and evaluation results show that the proposed Security RBSG is the most robust wear-leveling methodology so far, which not only better defends the new RTA, but also performs well on the traditional malicious attacks, i.e., Repeated Address Attack and Birthday Paradox Attack.
Abstract: As an emerging memory technology to build the future main memory systems, Phase Change Memory (PCM) can increase memory capacity in a cost-effective and power-efficient way. However, PCM is facing security threats for its limited write endurance: a malicious adversary could wear out the cells and cause the whole PCM system to fail within a short period of time. To address this issue, several wear-leveling schemes have been proposed to evenly distribute write traffic in a security-aware manner. In this work, we present a new type of timing attack named Remapping Timing Attack (RTA), based on the asymmetry in write time of PCM. Our analysis and experimental results show that the newly revealed RTA can make two state-of-the-art wear-leveling schemes (Region Based Start-Gap and Security Refresh) lose effectiveness, failing PCM with these two techniques in several days (even minutes). In order to defend against such an attack, we further propose a novel wear-leveling scheme called Security Region Based Start-Gap (Security RBSG), which employs a two-stage strategy and uses a dynamic Feistel Network to enhance the simple Start-Gap wear leveling with level-adjustable security assurance. The theoretical analysis and evaluation results show that the proposed Security RBSG is the most robust wear-leveling methodology so far, which not only better defends against the new RTA, but also performs well on the traditional malicious attacks, i.e., Repeated Address Attack and Birthday Paradox Attack.

Proceedings ArticleDOI
10 Mar 2016
TL;DR: This paper proposes two enhanced AES cryptosystems: one employing a Genetic Algorithm (GA) in the SP boxes, and a modification of AES that implements a nonlinear neural network (NN) in the SP network, to increase security against timing attacks and reduce the computational time of the proposed system.
Abstract: Cryptography based on block ciphers uses key-dependent ciphers for encryption and decryption. The efficiency of these systems depends on the security and the speed of the algorithm. The encryption process needs to be adaptive and dynamic in order to face any cryptanalytic attacks. Increasing the complexity of the algorithm is one way to prevent the attacks. The introduced complexity increases the execution time of the algorithm, which leads to timing attacks. This paper attempts to propose two enhanced AES cryptosystems by employing a Genetic Algorithm (GA) in SP boxes and a modification of AES by implementing a nonlinear neural network (NN) in the SP network to increase the security against timing attacks and reduce the computational time of the proposed system. Both GA and NN are used in key expansion and key distribution of the AES algorithm.

Proceedings ArticleDOI
28 Jan 2016
TL;DR: SER, a secure enhanced router architecture that dynamically configures the router memory space according to the communication and security properties of the traffic is proposed, showing that the architecture is able to secure paths during runtime while adding only low cost and performance penalties to the MPSoC.
Abstract: Multi-Processor Systems-on-Chip (MPSoCs), as a key technology enabler of the new computation paradigm Internet-of-Things (IoT), are exposed to attacks. Malicious applications can be downloaded at runtime to the MPSoC, infect IPs and open doors to perform timing attacks. By monitoring the Network-on-Chip (NoC) traffic, an attacker is able to spy on sensitive information such as secret keys. Previous works have shown that NoC routers can be used to avoid timing attacks. However, such approaches may lead to overall system performance degradation. In this paper we propose SER, a secure enhanced router architecture that dynamically configures the router memory space according to the communication and security properties of the traffic. Timing attacks are avoided by making the attacker oblivious of the sensitive traffic. We evaluate the security, performance and cost of our approach. We show that our architecture is able to secure paths during runtime while adding only low cost and performance penalties to the MPSoC.

Journal ArticleDOI
TL;DR: This paper proposes an algorithm to dynamically generate the top K attack paths with maximum probabilities for every node of a system, and shows that the algorithm is scalable and efficient.
Abstract: An attack graph depicts multiple-step attack and provides a description of system security vulnerabilities. It illustrates critical information necessary to identify potential weaknesses and areas for enhanced defense. Attack graphs include multiple attack paths, which are a focus for further detailed analysis and risk mitigation. Considering that different vulnerabilities have different probabilities of being exploited, this paper proposes an algorithm to dynamically generate the top K attack paths with maximum probabilities for every node of a system. The proposed algorithm does not require generation of the full attack graph to calculate the K attack paths. Instead, it directly processes and analyzes the system input data and dynamically identifies the K attack paths. The computational time, based upon the complexity of the attack paths, can be constrained by the parameter K. Experimental results show that the algorithm is scalable and efficient.

Journal ArticleDOI
TL;DR: It is shown that this combined attack (CA) can be applied to the Boscher, Naciri, and Prouff algorithm, which is an SPA/fault attack (FA)-resistant exponentiation method for RSA implementation.
Abstract: Because two types of side-channel attacks, namely passive information leakages and active fault injections, are considered separate implementation threats to cryptographic modules, most countermeasures against these attacks have been independently developed. However, Amiel et al. demonstrated that a fault injection combined with a simple power analysis (SPA) can break such a classical Rivest, Shamir, and Adleman (RSA) system implementation. In this paper, we show that this combined attack (CA) can be applied to the Boscher, Naciri, and Prouff algorithm, which is an SPA/fault attack (FA)-resistant exponentiation method for RSA implementation. Furthermore, this paper proposes a novel exponentiation algorithm resistant to power analysis and an FA as well as to the CA. The proposed exponentiation algorithm can be employed for secure Chinese remainder theorem-RSA implementation. In addition, the paper presents some experimental results of an SPA under the assumption of a successful fault injection.

Journal ArticleDOI
TL;DR: The authors find that the entropies of the query Internet protocol (IP) addresses for all cache servers are approximately stationary and statistically independent under normal cases, and make use of principal component analysis to design the detection and identification methods.
Abstract: In this study, the authors consider the detection and identification problems of distributed domain name system (DNS) cache poisoning attack. In the considered distributed attack, multiple cache servers are invaded simultaneously and the attack intensity for each cache server is slight. It is difficult to detect and identify the distributed attack by the existing local information-based detection methods, as the abnormal features for each cache server are indistinctive under distributed attack. To handle this problem, they propose information fusion-based detection and identification methods. They find that the entropies of the query Internet protocol (IP) addresses for all cache servers are approximately stationary and statistically independent under normal cases. When a distributed attack happens, they show that the correlation of the entropies among all cache servers can increase dramatically. On the basis of this feature, they make use of principal component analysis to design the detection and identification methods. Specifically, an attack is detected when the maximum eigenvalue of the normalised entropies matrix exceeds a threshold, and the attacked servers are identified by the main loading vector. At last, they take a large-scale DNS in China and a simulation as two examples to show the effectiveness of their methods.

Proceedings ArticleDOI
05 Apr 2016
TL;DR: An approach for generating large attack graphs with an emphasis on scalable generation over a distributed system is discussed, and a serial algorithm is presented, highlighting bottlenecks and opportunities to exploit inherent concurrency in the generation process.
Abstract: Attack graphs are a powerful modeling technique with which to explore the attack surface of a system. However, they can be difficult to generate due to the exponential growth of the state space, oftentimes making exhaustive search impractical. This paper discusses an approach for generating large attack graphs with an emphasis on scalable generation over a distributed system. First, a serial algorithm is presented, highlighting bottlenecks and opportunities to exploit inherent concurrency in the generation process. Then a strategy to parallelize this process is presented. Finally, we discuss plans for future work to implement the parallel algorithm using a hybrid distributed/shared memory programming model on a heterogeneous compute node cluster.

Proceedings ArticleDOI
19 Apr 2016
TL;DR: It is demonstrated that a part of a private key, the permutation matrix, can be recovered using power analysis in a differential power analysis attack on the McEliece public-key cryptosystem.
Abstract: The segment of post-quantum cryptography is rising in importance with increasing improvements in quantum computing. Cryptographic post-quantum algorithms have been proposed since the 1970s. However, side-channel attack vulnerabilities of these algorithms are still in the focus of recent research. In this paper, we present a differential power analysis attack on the McEliece public-key cryptosystem. We demonstrate that a part of a private key, the permutation matrix, can be recovered using power analysis. We attack a software implementation of a secure bit permutation that was proposed by Strenzke et al. at PQCrypto 2008. The cryptosystem is implemented on a 32-bit ARM-based microcontroller. We provide details of the attack and results using power consumption measurements of the device. In addition, we outline a novel countermeasure against the introduced attack. The countermeasure uses properties of the linear codes and does not require a large amount of random bits, which can be profitable for low-cost embedded devices.

Proceedings ArticleDOI
22 Mar 2016
TL;DR: A strong, efficient and reliable personal messaging peer-to-peer architecture based on Hybrid RSA for an active networked environment is proposed.
Abstract: The Rivest-Shamir-Adleman (RSA) algorithm is the widespread encryption scheme that promises confidentiality and authenticity over an insecure communication channel. RSA has the drawback of being subject to various attacks like brute-force key search, mathematical attacks, timing attacks and chosen ciphertext attacks, etc. So here a strong, efficient and reliable personal messaging peer-to-peer architecture based on Hybrid RSA for an active networked environment is proposed. The main peer-to-peer personal messaging architecture will be strong, efficient and reliable, and the communication protocol will allow only one authenticated person to converse with the person who is at the server end; multiple chat clients can be connected to the server but have to wait for an authenticated connection with the secure server one by one. Also, multiple servers with multiple clients can run for distributed strong, efficient and reliable messaging. As at the key exchange level the Miller-Rabin test is done with generated pseudo-random numbers and the keys are changed synchronously within predefined time frames, these mechanisms make the keys absolutely strong, and the main RSA integration with shared RSA gives more statistical complexity here. In the decryption process, the Chinese Remainder Theorem (CRT) is used with shadows along with the strong prime of the RSA criterion extended into the domain of Gaussian integers for very high efficiency. The shared RSA adds more complexity in decryption. Public Key Cryptography Standards (PKCS) version 5 is used to tackle the chosen ciphertext attack while messaging is going on. The efficient RSA with Rabin-Miller strong primality test integration and pohligHellmanEncipher with salt and padding integration makes it strong and reliable.

Journal ArticleDOI
TL;DR: An improved attack method is proposed based on SPA which depends only on the fact that there exist some subtle differences in each loop during the operation of c^d mod n, and which can easily discover the mode of RSA implementation and extract the bits of the decryption key based on just a few collected traces.
Abstract: Nowadays the modular multiplications in many kinds of smartcards use Montgomery's modular multiplication algorithm, so traditional SPA on RSA becomes invalid. An improved attack method is proposed based on SPA which depends only on the fact that there exist some subtle differences in each loop during the operation of c^d mod n. At the same time, compared with the traditional SPA, it does not need to select the clear text or some known message. Using this method, attackers can easily discover the mode of RSA implementation and extract the bits of the decryption key based on just a few collected traces. From the real attack test on several major kinds of smartcards, the private RSA keys stored inside can be analyzed successfully.

Journal ArticleDOI
28 Sep 2016 - Sensors
TL;DR: Through tradeoff analysis, it is shown that the proposed scheme can enhance the security of WSNs, and the optimal rekeying rate of the performance and security tradeoff can be obtained.
Abstract: Wireless sensor networks (WSNs) have recently gained popularity for a wide spectrum of applications. Monitoring tasks can be performed in various environments. This may be beneficial in many scenarios, but it certainly exhibits new challenges in terms of security due to increased data transmission over the wireless channel with potentially unknown threats. Among possible security issues are timing attacks, which are not prevented by traditional cryptographic security. Moreover, the limited energy and memory resources prohibit the use of complex security mechanisms in such systems. Therefore, balancing between security and the associated energy consumption becomes a crucial challenge. This paper proposes a secure scheme for WSNs while maintaining the requirement of the security-performance tradeoff. In order to proceed to a quantitative treatment of this problem, a hybrid continuous-time Markov chain (CTMC) and queueing model is put forward, and the tradeoff analysis of the security and performance attributes is carried out. By extending and transforming this model, the mean time to security attributes failure is evaluated. Through tradeoff analysis, we show that our scheme can enhance the security of WSNs, and the optimal rekeying rate of the performance and security tradeoff can be obtained.

Proceedings ArticleDOI
01 Oct 2016
TL;DR: This paper uses timing annotations of basic blocks in C to add scheduling constraints that in the synthesis process balance the execution time of security-related execution branches, and applies the proposed method for the asymmetric cryptography algorithms RSA and ECC.
Abstract: Variabilities in the execution time of integrated circuits are frequently exploited as a side-channel attack to expose secret information of deployed systems. Standard countermeasures analyze and change the explicit timing behavior in lower-level hardware description languages, but their application is time-consuming and error-prone. In this paper we investigate the integration of timing attack resilience into high-level synthesis (HLS). HLS translates programs expressed in higher-level programming languages, such as C, seamlessly to synthesizable hardware. We use timing annotations of basic blocks in C to add scheduling constraints that, in the synthesis process, balance the execution time of security-related execution branches. We integrate our approach into the scheduling of the open source LegUp HLS tool and apply the proposed method to the asymmetric cryptography algorithms RSA and ECC. The results prove the resistance against timing attacks, with a negligible overhead in synthesis effort, area, and run-time.

Proceedings ArticleDOI
Bing Zhao, Wang Lihui, Jiang Kun, Xiaobing Liang, Shan Weijun, Jing Liu
01 Dec 2016
TL;DR: An improved power attack on RSA when the public exponent is short, for instance 3 or 2^16 + 1, and when the classical countermeasures are used, which works by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM).
Abstract: RSA is one of the most widely used public key cryptographic algorithms in embedded cryptographic devices. However, side-channel attacks, especially simple side-channel analysis (SPA), can obtain information about the cryptosystem by measuring power consumption and processing time. To resist this attack, a number of countermeasures have appeared, such as classical exponent randomization and message blinding. This paper presents an improved power attack on RSA when the public exponent is short, for instance 3 or 2^16 + 1, and when the classical countermeasures are used. This attack works by distinguishing the conditional subtraction of Montgomery modular multiplication (MMM). Simulation and experimental results demonstrate that this attack method can retrieve secret keys easily using a few power traces. Several countermeasures that can resist this kind of attack are also proposed in this paper.