(34.237.52.11) 您好!臺灣時間:2021/05/18 14:00
字體大小: 字級放大   字級縮小   預設字形  
回查詢結果

詳目顯示:::

: 
twitterline
研究生:楊舜民
論文名稱:實體密碼攻擊法之研究
論文名稱(外文):On the study of physical cryptanalysis
指導教授:顏嵩銘顏嵩銘引用關係
學位類別:碩士
校院名稱:國立中央大學
系所名稱:資訊工程研究所
學門:工程學門
學類:電資工程學類
論文種類:學術論文
論文出版年:2001
畢業學年度:89
語文別:中文
論文頁數:75
中文關鍵詞:實體密碼攻擊法錯誤攻擊法時序攻擊法能量攻擊法
外文關鍵詞:physical cryptanalysisfault-based attacktiming attackpower monitoring attack
相關次數:
  • 被引用被引用:0
  • 點閱點閱:290
  • 評分評分:
  • 下載下載:25
  • 收藏至我的研究室書目清單書目收藏:0
在現今科技進步的時代,如Smart Card, PDA等等有效率且精密的電子設備紛紛被研發,並用以輔助使用者處理或儲存個人的秘密資料。然而,此類電子設備通常操作在公開的環境中,因此極有可能在某些條件之下,而洩漏秘密資料,進而危及個人權益。
而在近幾年,實體密碼攻擊法(physical cryptanalysis)已經在密碼學中自成一門新興的領域。現存的各類密碼演算法,經常被設計成硬體或軟體,一旦在設計時,考慮不周詳,即可能遭到實體密碼攻擊法的攻擊。在本篇論文中,實體密碼攻擊法將被仔細的討論,且將特別針對錯誤攻擊法(fault-based attack)以及時序攻擊法(timing attack)加以討論。
在第四章,一種新型態錯誤攻擊法被發表,該錯誤攻擊法可以用來分析IDEA, RC5與RC6。該攻擊法主要針對模加法(modular addition)與模乘法(modular multiplication)兩種運算加以分析。正因為這兩種運算被廣泛的使用在傳統加密器中,所以其相對的安全性更需要被仔細的討論。
在傳統設計中,除法鏈演算法(division chain algorithm)是被用來提昇指數運算效率的演算法,正因為其具有良好的效率,所以受到廣泛的重視。隨機亂序除法鏈的觀念在第五章被提出來,該觀念用來防禦現行可能的時序攻擊法,並且相關的執行效率也一併被討論。
混合式攻擊法(Hybrid attacks)基本上是合併兩種以上的實體密碼攻擊法,同時用以分析密碼系統。在某些合理的假設之下,混合式攻擊法將較單一的實體密碼攻擊法更有效率。在第六章,混合式攻擊法以及可行的防禦機制設計觀念將被提出來討論。

Nowadays, some popular and small electronic devices, e.g., smart IC cards, are developed in order to provide possible solutions for data security, such as data processing and storage. However, these devices operate frequently in public environments and may suffer to leak secret information.
In this thesis, physical cryptanalysis will be examined with great details. Physical cryptanalysis analyze careless implements of cryptosystems and open a brand new direction of cryptanalysis during the past few years. In this thesis, we focus especially on the fault-based attack and timing attack.
In Chapter 4, new fault-based attacks on IDEA and RC5 (and also RC6) ciphers are considered. These attacks are conducted upon either modular addition or modular multiplication. Moreover, these two modular operations are used frequently in many cryptosystems, so their security should be considered
extensively. Analysis shows that the considered cryptanalysis in this thesis is reasonable.
Division chain algorithm was originally developed for improving exponentiation computation. In Chapter 5, the concept of randomized division chain is proposed to counteract the possible timing cryptanalysis when performing an exponentiation computation.
Hybrid attacks, i.e., a novel combination of more than one physical cryptanalysis at the same time, are believed to be much powerful than any single physical cryptanalysis. In Chapter 6, possible guidelines, although not exhaustive, to
prevent hybrid attacks are considered.

Abstract………………………………………………………………… I
Acknowledgements……………………………………………………… II
Contents………………………………………………………………… III
List of Tables………………………………………………………… V
List of Figures…………………………………………………………VII
Contents
1.Introduction………………………………………………………… 1
1.1 Motivation……………………………………………………… 1
1.2 Conventional Engineering and Security Engineering……2
1.3 Taxonomy of Cryptanalysis……………………………………2
1.4 Physical Security Cryptanalysis……………………………3
1.5 Overview of the Thesis……………………………………… 4
2.Review of Hardware Fault Cryptanalysis……………………… 5
2.1 Introduction…………………………………………………… 5
2.1.1History……………………………………………………… 5
2.1.2Types of Fault………………………………………………6
2.2 Bellcore Fault Attack…………………………………………7
2.2.1Fault model………………………………………………… 7
2.2.2An attack on “RSA-CRT”…………………………………8
2.3 Differential Fault Analysis…………………………………9
2.3.1Fault model of DFA…………………………………………9
2.3.2A differential fault analysis on DES…………………10
2.4 Discussion……………………………………………………… 13
3.Review of Timing Attack and Power Monitoring Attack………15
3.1 Kocher’s Timing Attack………………………………………17
3.1.1Preliminaries……………………………………………… 17
3.1.2Attack procedure……………………………………………18
3.1.3Analysis of Kocher’s timing attack………………… 20
3.1.4Possible countermeasures…………………………………21
3.2 Improved Timing Attack……………………………………… 21
3.2.1Preliminaries……………………………………………… 21
3.2.2Attack by exploiting multiplication………………… 23
3.2.3Attack by exploiting squaring………………………… 23
3.2.4Possible countermeasures…………………………………25
3.3 The Other Timing Attacks…………………………………… 25
3.4 Power Monitoring Attack………………………………………26
3.4.1Simple power analysis…………………………………… 26
3.4.2Differential power analysis…………………………… 27
3.4.3Improved DPA…………………………………………………30
3.4.4Possible countermeasures…………………………………31
3.5 Discussion……………………………………………………… 32
4.Differential Fault Attack on IDEA Cipher…………………… 33
4.1 Introduction…………………………………………………… 33
4.2 Fault Model and Cryptanalysis Procedure…………………33
4.2.1Assumption and general model……………………………34
4.2.2Our simple fault model……………………………………35
4.3 Cryptanalysis Complexity…………………………………… 39
4.3.1Computing cost of attacking multiplication
modulo 2^16+1……………………………………………… 39
4.3.2Computing cost of attacking addition modulo
2^16……………………………………………………………39
4.4 Discussion and Open Problems……………………………… 40
5.Countermeasure against Timing Cryptanalysis by Randomized
Division Chain……………………………………………………… 43
5.1 Introduction…………………………………………………… 43
5.2 The Division Chain for Exponentiation……………………43
5.3 Timing Cryptanalysis over Division Chain……………… 44
5.3.1The characteristic of division chain…………………45
5.3.2Timing cryptanalysis procedure…………………………46
5.3.3Possible countermeasures…………………………………47
5.3.4Penalties of countermeasures……………………………49
5.4 Discussion……………………………………………………… 52
6.Some Remarks of Cryptanalysis……………………………………53
6.1 Common Conception of Physical Attack…………………… 53
6.2 Design Rule of Countermeasures…………………………… 56
6.3 Discussion……………………………………………………… 57
7.Conclusions……………………………………………………………59
7.1 Brief Review of Main Contributions……………………… 59
7.2 Further Research Topics and Directions………………… 60
Reference…………………………………………………………………63

[1]M.-L. Akkar, R. Bevan, P. Dischamp and D. Moyart, “Power Analysis, What Is Now Possible,” Advance in Cryptology - ASIACRYPT 2000, Lecture Notes in Computer Science1976, Springer-Verlag, 2000, pp. 489-502
[2]“Analysis of the floating point flaw in the Pentium processor,” Nov. 1994 http://www.intel.com/procs/support/pentium/fdiv/white11/index.htm
[3]R. Anderson and M. Kuhn, “Tamper Resistance - a Cautionary Note,” Proceedings of the 2nd Workshop on Electronic Commerce, pp.1-11, 1996
[4]R. Anderson and M. Kuhn, “Low Cost attacks on Tamper Resistant Devices,” Proceedings of the 1997 Security Protocols Workshop, Paris, Lecture Notes in Computer Science 1361, Springer-Verlag, 1997, pp. 125-136.
[5]E. Biham and A. Shamir, “Differential Fault Analysis of Secret Key Cryptosystems,” Advances in Cryptology - CRYPTO'97, Lecture Notes in Computer Science vol. 1249, Springer-Verlag, 1997, pp. 513-525
[6]E. Biham and A. Shamir, “Power Analysis of the Key Scheduling of the AES Candidates,” Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, Mar. 1999
[7]D. Boneh, R.A. Demillo and R.J. Lipton, “On the Importance of Checking Cryptographic Protocols for faults,” Advance in Cryptology - EUROCRYPT'97, Lecture Notes in Computer Science, Springer-Verlag, 1997, pp.37-51
[8]S. Chari, C.S. Jutla, J.R. Rao and P. Rohatgi, “A Cautionary Note regarding Evaluation of AES Candidates on Smart-Cards,” Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, Mar. 1999
[9]D. Chaum, “Blind Signatures for Untraceable Payments,” Advances in Cryptology-CRYPTO'82, Plenum Press, 1983, pp. 199-203
[10]J.-S. Coron and L. Goubin, “On Boolean and Arithmetic Masking against Differential Power Analysis,” Proceedings of Cryptographic Hardware and Embedded Systems '00, Lecture Notes in Computer Science, Springer-Verlag, 2000
[11]J. Daemen and V. Rijmen, “AES proposal: Rijndael,” Proceedings of the First Advanced Encryption Standard (AES) Conference, Aug. 1998
[12]J.-F. Dhem, F. Koeune, P.-A. Leroux, P. Mestre, J.-J. Quisquater and J.-L. Willems, “A practical implementation of the timing attack,” Crypto Group Technical Report Series CG--1998/1, Universit'e Catholique de Louvain and Proceedings of the CARDIS 1998, 1998
[13]S.E. Eldridge and C.D. Walter, “Hardware Implementation of Montgomery's Modular Multiplication Algorithm,” IEEE Trans. on computers, V.42, n. 6, pp. 693-699, Jun. 1993
[14]J.J. Farrell III, “Smartcards become an international technology,” TRON Project International Symposium, 1996. TEPS '96, 1996, pp. 134-140
[15]U. Feige, A. Fiat and A. Shamir, “Zero knowledge proofs of identity,” Journal of Cryptology, Vol. 1, No. 2, 1988, pp. 77-94
[16]D.M. Gordon, “A survey of fast exponentiation methods,” Journal of Algorithms, 27, 1998. pp. 129-146
[17]G. Hachez, F. Koeune, and J.-J. Quisquater, “Timing Attack: What Can Be Achieved By A Powerful Adversary?,” Proceedings of the 20th symposium on Information Theory in the Benelux, May 1999, pp. 63-70
[18]H. Handschuh, “A Timing Attack on RC5,” Proceedings of the Workshop on Selected Areas in Cryptography - SAC'98, Springer-Verlag, Aug 1998
[19]J. Kelsey, B. Schneier, D. Wagner and C. Hall, “Side Channel Cryptanalysis of Product Ciphers,” Computer Security-ESORICS'98, Lecture Notes in Computer Science 1485, Springer-Verlag, 1998
[20]J. Kilian and P. Rogaway, “How to Protect DES Against Exhaustive Key Search,” Advances in Cryptology-CRYPTO'96, Springer-Verlag,1996, pp. 252-267
[21]C.K. Koc, T. Acar and B.S. Kaliski,Jr., “Analyzing and comparing Montgomery multiplication algorithms,” IEEE Micro, Volume: 16 Issue: 3 , June 1996 pp. 26 -33
[22]P.C. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Advance in Cryptology - CRYPTO'96, Lecture Notes in Computer Science, Springer-Verlag, 1996, pp. 104-113
[23]P. Kocher, J. Jaffe and B. Jun, “Differential Power Analysis,” Advance in Cryptology - CRYPTO'99, Springer-Verlag, 1999, pp. 388-397
[24]P. Kocher, J. Jaffe and B. Jun, “Introduction to Differential Power Analysis and Related Attacks,” 1998, http://www.cryptography.com/dpa/technical
[25]F. Koeune, and J.-J. Quisquater, “A Timing Attack against Rijndael,” Crypto Group Technical Report Series CG--1999/1, Universit'e Catholique de Louvain., 1999
[26]O. Kommerling and M. G. Kuhn, “Design Principles for Tamper-Resistant Smartcard Processors,” Proceedings of USENIX Workshop on smartcard Technology (Smartcard'99), May 1999, pp. 9-20
[27]M. Kuhn, “Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP,” IEEE Trans. on computers, v. 47, n. 10, pp. 1153-1157, Oct 1998
[28]X. Lai, On the Design and Security of Block Ciphers, ETH Series in Information Processing, v.1, Konstanz: Hartung-gorre Verlag, 1992
[29]A. Menezes, P. van Oorschot and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996
[30]T.S. Messerges, “Securing the AES Finalists Against Power Analysis Attacks,” Proceedings of Fast Software Encryption Workshop 2000, Lecture Notes in Computer Science, Springer-Verlag, Apr. 2000
[31]T.S. Messerges, E.A. Dabbish and R.H. Sloan, “Investigations of Power Analysis Attacks on Smartcards,” Proceedings of USENIX Workshop on smartcard Technology, May 1999, pp. 151-161
[32]D. Naccache and D. M'Raihi, “Cryptographic Smart Cards,” IEEE Micro, Volume: 16 Issue: 3 , June 1996 pp. 15 -24
[33]National Bureau of Standards, Data Encryption Standard, U.S. Department of Commerce, FIPS pub. 46,Jan 1977
[34]B.J. Phillips and N. Burgess, “Algorithms for Exponentiation of Long Integers - A Survey of Published Algorithms,” The University of ADELAIDE, Centre for Gallium Arsenide VLSI Technology, Digital Arithmetic Group, May 1996
[35]R. Rivest, “The RC5 Encryption Algorithm,” Proceedings of Second International Workshop on Fast Software Encryption, 1994, pp. 86-96
[36]R. Rivest, M.J.B. Robshaw, R. Sidney, and Y.L. Yin, “The RC6 Block Cipher,” Technical Report of RSA Laboratory, 1998
[37]R.L. Rivest, A. Shamir, and L.M. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, v. 21, n. 2, pp. 120-126, Feb 1978
[38]V. Taponen, “Tamper-resistant Smart Cards - Too Much To Ask For?,” HUT TML 2000 Tik-110.501 Seminar on Network Security; http://www.hut.fi/~vtaponen/draft40.html 2000
[39]C.D. Walter, “Exponentiation Using Division Chains” IEEE Trans. on computers, V.47, n. 7, pp. 757-765, Jul. 1998
[40]S.-M. Yen and M. Joye, “Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis,” IEEE Trans. on computers, v. 49, n. 9, pp. 967-970, Sep 2000

QRCODE
 
 
 
 
 
                                                                                                                                                                                                                                                                                                                                                                                                               
第一頁 上一頁 下一頁 最後一頁 top