Back to course catalog

Crypto chip-set security

CL-CHS
3 days
Specific topic
Course page in PDF Inquiry

Course information

Preparedness

Professional

Exercises

No

Delivery methods

Classroom

Course Reviews

Clear and well-explained

February 2011 Sophia-Antipolis

View all reviews

Description

The biggest challenge for professionals working on design and development of crypto chip-sets is to be continuously up-to-date regarding the attack methods and their mitigation. Serving them, this course explains various physical and logical attacks on security chips, possible countermeasures and best practices.

Regarding physical attacks, the passive attacks are detailed through optical reverse engineering and various side channel analysis methods, while active attacks are discussed with special emphasis on fault injection, Focused Ion Beams and hardware Trojans. The very powerful passive and active combined attack (PACA) type is introduced through the practical example of RSA implementations. Discussion of logical attacks not only covers practical attacks against specific cryptographic algorithm implementations, but also the relevant programming bugs and mitigation techniques like buffer overflow or integer problems are introduced.

Finally, a set of guidelines is assembled to follow by engineers working in this field, and the testing methods are presented that can help to find and avoid the discussed security flaws and vulnerabilities.

Participants attending this course will

  • Understand basic concepts of security, IT security and secure coding
  • Have a practical understanding of cryptography
  • Understand the requirements of secure communication
  • Understand essential security protocols
  • Understand some recent attacks against cryptosystems

Outline

  • IT security and secure coding
  • Requirements of secure communication
  • Practical cryptography
  • Security protocols
  • Simple physical attacks and protections
  • Passive physical attacks
  • Active physical attacks
  • Passive and active combined attacks
  • Special security functions – Requirements and solutions
  • Principles of security and secure coding

Table of Contents

  • Day 1
    • IT security and secure coding
      • Nature of security
      • What is risk?
      • IT security vs. secure coding
      • Nature of security flaws
      • Reasons of difficulty
    • Requirements of secure communication
      • Security levels
      • Secure acknowledgment
        • Malicious message absorption
          • Feasibility of secure acknowledgment
          • The solution: Clearing Centers
        • Inadvertent message loss
      • Integrity
        • Error detection - Inadvertent message distortion (noise)
          • Modeling message distortion
          • Error detection and correction codes
        • Authenticity - Malicious message manipulation
          • Modeling message manipulation
          • Practical integrity protection (detection)
        • Non-repudiation
          • Non-repudiation
        • Summary
          • Detecting integrity violation
      • Confidentiality
        • Model of encrypted communication
        • Encryption methods in practice
        • Strength of encryption algorithms
      • Remote identification
        • Requirements of remote identification
      • Anonymity and traffic analysis
        • Model of anonymous communication
        • Traffic analysis
        • Theoretically strong protection against traffic analysis
        • Practical protection against traffic analysis
      • Summary
        • Relationship between the requirements
    • Practical cryptography
      • Rule #1 of implementing cryptography
      • Cryptosystems
        • Elements of a cryptosystem
      • Symmetric-key cryptography
        • Providing confidentiality with symmetric cryptography
        • Symmetric encryption algorithms
        • Modes of operation
      • Other cryptographic algorithms
        • Hash or message digest
        • Hash algorithms
        • SHAttered
        • Message Authentication Code (MAC)
        • Providing integrity and authenticity with a symmetric key
        • Random numbers and cryptography
        • Cryptographically-strong PRNGs
        • Hardware-based TRNGs
      • Asymmetric (public-key) cryptography
        • Providing confidentiality with public-key encryption
        • Rule of thumb – possession of private key
        • Combining symmetric and asymmetric algorithms
      • Public Key Infrastructure (PKI)
        • Man-in-the-Middle (MitM) attack
        • Digital certificates against MitM attack
        • Certificate Authorities in Public Key Infrastructure
        • X.509 digital certificate
  • Day 2
    • Security protocols
      • SSL/TLS protocols
        • Security services
        • SSL/TLS handshake
      • Protocol-level vulnerabilities
        • BEAST
        • FREAK
        • FREAK – attack against SSL/TLS
        • Logjam attack
      • Padding oracle attacks
        • Adaptive chosen-ciphertext attacks
        • Padding oracle attack
        • CBC decryption
        • Padding oracle example
        • Lucky Thirteen
        • POODLE
    • Simple physical attacks and protections
      • Passive, active and PACA attacks
      • Physical access to the chip
      • Levels of invasiveness
      • Protection principles
    • Passive physical attacks
      • Reverse Engineering
        • Reverse engineering of integrated circuits
        • Decapsulation
        • Decapsulation in practice
        • Deprocessing
        • Removal of the passivation layer
        • Different lasers against different passivation layers
        • Optical reverse engineering
        • Requirements towards the optical microscope
        • Bonding to chip surface
      • Physical protection of the chip
        • Multi-layering
        • Protective layer
        • Examples of protective shields
        • Planarization
        • Confusing attackers
        • Obfuscating the design
        • Shuffling the internal bus lines
        • Internal memory encryption
      • Side channel analysis
        • Power analysis attacks
        • Process of a power analysis attack
        • Modeling power consumption
      • Simple power analysis
        • Examples for simple power analysis
        • Example power consumption of DES encryption
        • SPA against RSA
        • Countermeasures against SPA
      • Differential power analysis
        • Process of a DPA attack
        • DPA attack – the difference function
        • DPA attack – visible correlation
        • DPA attack – spikes in differential traces
        • Influence of noise and measurement errors on DPA attack
        • DPA against DES
          • DES algorithm
          • Feistel function
          • DPA against DES
        • Improved DPA attacks
          • DPA enhancements
          • Correlation power analysis (CPA)
          • Process of CPA attack
      • Protections against power analysis attacks
        • Protection measures against power analysis
        • Hiding techniques
        • Hiding: adding noise, desynchronization
        • Hiding: dual-rail precharge logic (DRP)
        • Hiding, DRP: sense amplifier based logic (SABL)
        • Hiding: current mode logic (CML)
        • Masking: masked dual rail precharge logic (MDPL)
        • Limitations of PA resisting logic styles
      • Electromagnetic analysis
        • Electromagnetic emanation
        • Simple electromagnetic analysis (SEMA)
        • Electromagnetic analysis countermeasures
      • RSA timing attack
        • Implementation of encoding/decoding in RSA
        • Fast exponentiation
        • Differences in execution times
        • RSA timing attack
        • Measurements
        • RSA timing attack – principles
        • Correlation of total and partial execution times
        • RSA timing attack – in practice
        • Example – RSA measurements
        • Example – Partial execution times are calculated for first i bits
        • Example – Candidates are ordered according to the variance
        • The RSA timing attack algorithm
        • Practical exploitation using the RSA timing attack
        • Attacking SSL/TLS servers
        • Protection against timing attacks
          • Hiding: RSA timing attack countermeasures
          • Masking: using blind signature
          • Real RSA implementations
          • Summary – lessons learnt from side channel attacks
          • Security evaluation of side-channel protections
  • Day 3
    • Active physical attacks
      • Manipulating the circuit layout
        • Focused ion beam (FIB) workstation
        • Milling and cutting using FIB
        • Creation of test points
        • FIB accessibility
      • Hardware trojan horses
        • Hardware trojan horse (HTH) risk factors
        • Taxonomy of trojans
        • Physical characteristics
        • Prevention – dead space removal
        • Design facilitated logic testing
        • Transparent mode
        • IC fingerprint / transient power-based analysis
        • IC fingerprint / timing-based analysis
        • Detection and correction using DEFENSE methodology
      • Fault injection attacks
        • Fault injection attacks (FIA)
        • Fault injection models
        • Practical attacks
        • Microprobing
        • Microprobe station parts
        • Case study – reading the memory using chip surgery
        • Light, X-Ray, electromagnetic radiation
        • UV light attack – resetting the fuse
        • UV attack – locating the fuse
        • Effect of UV light on EEPROM and floating gate devices
        • Optical fault injection – white light
        • Pulsed laser
        • Tampering with temperature – data remanence
        • Tampering with temperature – cooling
        • Localized heating
        • Clock glitch attack
        • Execution of the attack
        • A sample attack against a Motorola microcontroller
        • Assembly code of the attack
        • Power glitching
        • Power glitch examples – attack on Motorola microcontroller
        • Power glitch examples – microchip PIC16F84 microcontroller
      • Fault injection into RSA with CRT optimization
        • Chinese Remainder Theorem
        • RSA using CRT – mathematical background
        • RSA using CRT – the algorithm
        • Bellcore attack on RSA with CRT
        • Bellcore attack algorithm
        • Lenstra attack on RSA with CRT
        • Non permanent bit-flip attack on RSA without CRT
        • RSA non permanent bit-flip attack
        • Detection of fault injection attacks
    • Passive and active combined attacks
      • PACA against RSA with blinding and doublechecking
      • SPA/DPA resistant RSA blinding
      • Power traces before and after fault injection
      • Fault injection – word by word multiplication
      • PACA resistant RSA with CRT and Montgomery’s Ladder
      • Montgomery’s Ladder: improved square and multiply always
      • FA-SPA resistant modular exponentiation
      • FA-SPA resistant RSA with CRT
      • PACA protection – detect and derive
      • DnD example – protecting the secret key
      • Fault injection into ECC
        • Elliptic Curve Cryptography (ECC)
        • Elliptic curves
        • Addition and multiplication operations over elliptic curves
        • Discrete Logarithm Problem (DLP)
        • ECC fault injection attack
        • ECC attack method
      • DES final round attack
        • DES algorithm
        • Feistel function
        • DES final round with permutation compensation
        • DES final round attack principle
        • DES final round attack algorithm
        • Completing the DES attack
      • AES fault injection attacks
        • Advanced Encryption Standard (AES)
        • AES operation
        • AES algorithm
        • AES final round differential injection attack principle
        • Giraud's differential fault analysis attack
        • Blömer-Seifert fault attack on AES-128
        • AES pre-whitening step attack principle
        • Blömer-Seifert fault attack on AES
        • Assessment of the Blömer-Seifert fault attack on AES
    • Special security functions – Requirements and solutions
      • Physically unclonable functions
        • Main PUF properties
        • PUF types
        • Secret key generation with PUFs
        • Further PUF applications
      • JTAG attacks and protections
        • JTAG overview
        • JTAG based attacks
        • Defending against JTAG attacks
      • Miscellaneous protection measures
        • Keeping the memory programming method secret
        • Unique chip ID
        • Bus scrambling
        • Sensors
        • Further design guidelines
    • Principles of security and secure coding
      • Matt Bishop’s principles of robust programming
      • The security principles of Saltzer and Schroeder
Show full table of contents

Get more information