Yossef Oren

The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications

We present a micro-architectural side-channel attack that runs entirely in the browser. In contrast to previous work in this genre, our attack does not require the attacker to install software on the victims machine; to facilitate the attack, the victim needs only to browse to an untrusted webpage that contains attacker-controlled content. This makes our attack model highly scalable, and extremely relevant and practical to todays Web, as most desktop browsers currently used to access the Internet are affected by such side channel threats. Our attack, which is an extension to the last-level cache attacks of Liu et al., allows a remote adversary to recover information belonging to other processes, users, and even virtual machines running on the same physical host with the victim web browser. We describe the fundamentals behind our attack, and evaluate its performance characteristics. In addition, we show how it can be used to compromise user privacy in a common setting, letting an attacker spy after a victim that uses private browsing. Defending against this side channel is possible, but the required countermeasures can exact an impractical cost on benign uses of the browser.

A low-resource public-key identification scheme for RFID tags and sensor nodes

We revisit a public key scheme presented by Shamir in [19] (and simultaneously by Naccache in [15]) and examine its applicability for general-purpose RFID tags in the supply chain. Using a combination of new and established space-saving methods, we present a full-fledged public key identification scheme, which is secure yet highly efficient. The 1024-bit scheme fits completely (including RAM) into 4682 gate equivalents and has a mean current consumption of 14.2μA. The main novelty in our implementation is the replacement of the long pseudo-random sequence, originally stored on 260 bytes of EEPROM in [19], by a reversible stream cipher using less than 300 bits of RAM. We show how our scheme offers tag-to-reader and reader-to-tag authentication and how it can be fit into the existing RFID supply chain infrastructure.

Algebraic side-channel analysis in the presence of errors

Measurement errors make power analysis attacks difficult to mount when only a single power trace is available: the statistical methods that make DPA attacks so successful are not applicable since they require many (typically thousands) of traces. Recently it was suggested by [18] to use algebraic methods for the single-trace scenario, converting the key recovery problem into a Boolean satisfiability (SAT) problem, then using a SAT solver. However, this approach is extremely sensitive to noise (allowing an error rate of well under 1% at most), and the question of its practicality remained open. In this work we show how a single-trace side-channel analysis problem can be transformed into a pseudo-Boolean optimization (PBOPT) problem, which takes errors into consideration. The PBOPT instance can then be solved using a suitable optimization problem solver. The PBOPT syntax provides for a more expressive input specification which allows a very natural representation of measurement errors. Most importantly, we show that using our approach we are able to mount successful and efficient single-trace attacks even in the presence of realistic error rates of 10%-20%. We call our new attack methodology Tolerant Algebraic Side-Channel Analysis (TASCA). We show practical attacks on two real ciphers: Keeloq and AES.

On the effectiveness of the remanence decay side-channel to clone memory-based PUFs

We present a side-channel attack based on remanence decay in volatile memory and show how it can be exploited effectively to launch a non-invasive cloning attack against SRAM PUFs -- an important class of PUFs typically proposed as lightweight security primitive with low overhead by using the existing memory of the underlying device. We validate our approach against two SRAM PUF implementations in 65 nm CMOS ASICs. We discuss countermeasures against our attack and propose the constructive use of remanence decay to improve the cloning-resistance of SRAM PUFs. Moreover, as a further contribution of independent interest, we show how to use our evaluation results to significantly improve the performance of the recently proposed TARDIS scheme, which is based on remanence decay in SRAM and used as a time-keeping mechanism for low-power clock-less devices.

Algebraic side-channel attacks beyond the hamming weight leakage model

Algebraic side-channel attacks (ASCA) are a method of cryptanalysis which allow performing key recoveries with very low data complexity. In an ASCA, the side-channel leaks of a device under test (DUT) are represented as a system of equations, and a machine solver is used to find a key which satisfies these equations. A primary limitation of the ASCA method is the way it tolerates errors. If the correct key is excluded from the system of equations due to noise in the measurements, the attack will fail. On the other hand, if the DUT is described in a more robust manner to better tolerate errors, the loss of information may make computation time intractable. In this paper, we first show how this robustness-information tradeoff can be simplified by using an optimizer, which exploits the probability data output by a side-channel decoder, instead of a standard SAT solver. For this purpose, we describe a way of representing the leak equations as vectors of aposteriori probabilities, enabling a natural integration of template attacks and ASCA. Next, we put forward the applicability of ASCA against devices which do not conform to simple leakage models (e.g. based on the Hamming weight of the manipulated data). We finally report on various experiments that illustrate the strengths and weaknesses of standard and optimizing solvers in various settings, hence demonstrating the versatility of ASCA.

Toward practical public key anti-counterfeiting for low-cost EPC tags

In this work we report on a practical design, and a working prototype implementation, of a public-key anti-counterfeiting system based on the Electronic Product Code (EPC) standard for supply chain RFID tags. The use of public-key cryptography simplifies deployment, reduces trust issues between the tag integrator and tag manufacturer, eliminates the need for on-line checks by a central authority, and protects user privacy. Contrary to earlier claims of impracticality, we demonstrate that EPC tags are capable of performing full-strength public-key encryption. The crucial element in our system is WIPR, a recently-proposed variant of the well known Rabin encryption scheme, that enjoys a remarkably low resource footprint (less than 4700 gate equivalents for a complete ASIC implementation) — for a full-strength 1024-bit encryption. Our prototype system consists of an ultra-high frequency (UHF) tag running custom firmware, which communicates with a standard off-the-shelf reader. No modifications were made to the reader or the air interface, proving that high-security anti-counterfeiting tags and standard EPC tags can coexist and share the same infrastructure. Surprisingly, we identify that the time bottleneck is not the tags computation time: the delay is dominated by inefficiencies in the way the reader implements the EPC standard. The insights from our performance measurements let us identify how a few simple changes to the reader can drastically improve the system throughput.

Practical template-algebraic side channel attacks with extremely low data complexity

Template-based Tolerant Algebraic Side Channel Attacks (Template-TASCA) were suggested in [20] as a way of reducing the high data complexity of template attacks by coupling them with algebraic side-channel attacks. In contrast to the maximum-likelihood method used in a standard template attack, the template-algebraic attack method uses a constraint solver to find the optimal state correlated to the measured side-channel leakage. In this work we present the first application of the template-algebraic key recovery attack to a publicly available data set (IAIK WS2). We show how our attack can successfully recover the encryption key even when the attacker has extremely limited access to the device under test -- only 200 traces in the offline phase and as little as a single trace in the online phase.

Range Extension Attacks on Contactless Smart Cards

The security of many near-field RFID systems such as credit cards, access control, e-passports, and e-voting, relies on the assumption that the tag holder is in close proximity to the reader. This assumption should be reasonable due to the fact that the nominal operation range of the RFID tag is only few centimeters. In this work we demonstrate a range extension setup which breaks this proximity assumption. Our system allows full communications with a near-field RFID reader from a range of 115cm – two orders of magnitude greater than nominal range – and uses power that can be supplied by a car battery. The added flexibility offered to an attacker by this range extension significantly improves the effectiveness and practicality of relay attacks on real-world systems.

RFID-based electronic voting: What could possibly go wrong?

When Israels Ministry of Internal Affairs decided to move to electronic voting, it chose to replace the traditional paper ballot with secure contactless smartcards. The system was designed around HF RFID technology to make voting stations easier to use and less prone to mechanical faults. However, in doing so the system was exposed to a powerful class of hardwarebased attacks called relay attacks, which can extend the interrogation range of HF RFID tags far beyond the nominal range of 5 centimetres. We show how a low-budget adversary armed with a relay device can read out all votes already cast into the ballot box, suppress the votes of one or several voters, rewrite votes at will and even completely disqualify all votes in a single voting station. Our attacks are easy to mount, very difficult to detect, and compromise both the confidentiality and the integrity of the election system.

A New Framework for Constraint-Based Probabilistic Template Side Channel Attacks

The use of constraint solvers, such as SAT- or Pseudo-Boolean-solvers, allows the extraction of the secret key from one or two side-channel traces. However, to use such a solver the cipher must be represented at bit-level. For byte-oriented ciphers this produces very large and unwieldy instances, leading to unpredictable, and often very long, run times. In this paper we describe a specialized byte-oriented constraint solver for side channel cryptanalysis. The user only needs to supply code snippets for the native operations of the cipher, arranged in a flow graph that models the dependence between the side channel leaks. Our framework uses a soft decision mechanism which overcomes realistic measurement noise and decoder classification errors, through a novel method for reconciling multiple probability distributions. On the DPA v4 contest dataset our framework is able to extract the correct key from one or two power traces in under 9 seconds with a success rate of over 79%.