Hermitian adjoint: Difference between revisions

en>Rjwilmsi
m →‎Definition for bounded operators: Typo fixing, typo(s) fixed: continous → continuous using AWB (9888)
[[File:Power attack.png|thumb|An attempt to recover [[RSA (algorithm)|RSA]] key bits using [[power analysis]]. The left peak shows the CPU power variation during a step of the [[Exponentiation by squaring|square-and-multiply algorithm]] without a multiplication, the right (broader) peak a step with a multiplication, so the key bits 0 and 1 can be read directly from the trace. ]]
In [[cryptography]], a '''side channel attack''' is any attack based on information gained from the physical [[implementation]] of a [[cryptosystem]], rather than [[brute force attack|brute force]] or theoretical weaknesses in the [[algorithm]]s (compare [[cryptanalysis]]). For example, timing information, power consumption, [[electromagnetic radiation|electromagnetic]] leaks or even [[acoustic cryptanalysis|sound]] can provide an extra source of information which can be exploited to break the system. Some side-channel attacks require technical knowledge of the internal operation of the system on which the cryptography is implemented, although others such as [[differential power analysis]] are effective as black-box attacks.  Many powerful side channel attacks are based on statistical methods pioneered by [[Paul Kocher]].{{citation needed|date=April 2012}}


Attempts to break a cryptosystem by deceiving or coercing people with legitimate access are not typically called side-channel attacks: see [[social engineering (computer security)|social engineering]] and [[rubber-hose cryptanalysis]]. For attacks on computer systems themselves (which are often used to perform cryptography and thus contain [[cryptographic key]]s or [[plaintext]]s), see [[computer security]]. The rise of [[Web 2.0]] applications and [[software-as-a-service]] has also significantly raised the possibility of side-channel attacks on the web, even when transmissions between a web browser and server are encrypted (e.g., through HTTPS or WiFi encryption),  according to researchers from Microsoft Research and Indiana University.<ref>{{cite web|url=http://research.microsoft.com/pubs/119060/WebAppSideChannel-final.pdf|title=Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow|publisher=IEEE Symposium on Security & Privacy 2010|date=May 2010|author=Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang}}</ref>


==General==
General classes of side channel attack include:
 
* [[Timing attack]] &mdash; attacks based on measuring how much time various computations take to perform.
* [[Power analysis|Power monitoring attack]] &mdash; attacks which make use of varying power consumption by the hardware during computation.
* Electromagnetic attacks &mdash; attacks based on leaked electromagnetic radiation which can directly provide plaintexts and other information. Such measurements can be used to infer cryptographic keys using techniques equivalent to those in power analysis, or can be used in non-cryptographic attacks, e.g. [[TEMPEST]] (aka [[van Eck phreaking]] or radiation monitoring) attacks.
* [[Acoustic cryptanalysis]] &mdash; attacks which exploit sound produced during a computation (rather like power analysis).
* [[Differential fault analysis]] &mdash; in which secrets are discovered by introducing faults in a computation.
* [[Data remanence]] &mdash; in which sensitive data are read after supposedly having been deleted.
 
In all cases, the underlying principle is that physical effects caused by the operation of a cryptosystem (''on the side'') can provide useful extra information about secrets in the system, for example, the [[cryptographic key]], partial state information, full or partial [[plaintext]]s and so forth. The term cryptophthora (secret degradation) is sometimes used to express the degradation of secret key material resulting from side channel leakage.
 
==Examples==
A ''timing attack'' watches data movement into and out of the [[Central processing unit|CPU]], or memory, on the hardware running the cryptosystem or algorithm. Simply by observing variations in how long it takes to perform cryptographic operations, it might be possible to determine the entire secret key.  Such attacks involve statistical analysis of timing measurements, and have been demonstrated across networks.<ref>{{cite web|url=http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf|title=Remote timing attacks are practical|author=David Brumley, Dan Boneh|year=2003}}</ref>
 
A ''power analysis attack'' can provide even more detailed information by observing the power consumption of a hardware device such as CPU or cryptographic circuit.  These attacks are roughly categorized into simple power analysis (SPA) and differential power analysis (DPA).
 
Fluctuations in current also generate [[electromagnetic radiation|radio waves]], enabling attacks that analyze measurements of electromagnetic emanations.  These attacks typically involve similar statistical techniques as power analysis attacks.
 
Non-cryptographic historical analogues to modern side channel attacks are known.  A recently declassified NSA document reveals that as far back as 1943, an engineer with Bell telephone observed decipherable spikes on an oscilloscope associated with the decrypted output of a certain encrypting teletype.<ref>{{cite web|url=http://blog.wired.com/27bstroke6/2008/04/nsa-releases-se.html|title=Declassified NSA document reveals the secret history of TEMPEST|publisher=Wired.com|date=April 29, 2008}}</ref> According to former [[MI5]] officer [[Peter Wright]], the British Security Service analysed emissions from French cipher equipment in the 1960s.<ref>[http://cryptome.org/tempest-time.htm Cryptome.org]</ref> In the 1980s, [[KGB|Soviet]] eavesdroppers were suspected of having planted [[Surveillance bug|bugs]] inside IBM [[Selectric]] typewriters to monitor the electrical noise generated as the type ball rotated and pitched to strike the paper; the characteristics of those signals could determine which key was pressed.<ref>{{cite web|url=http://www.time.com/time/magazine/article/0,9171,964052-2,00.html|title=The Art of High-Tech Snooping| last= Church |first= George|publisher=Time|date=April 20, 1987|accessdate=January 21, 2010}}</ref>
 
Power consumption of devices causes heating, which is offset by cooling effects.  Temperature changes create thermally induced mechanical stress. This stress can create low level [[acoustics|acoustic]] (i.e. ''noise'') emissions from operating CPUs (about 10&nbsp;kHz in some cases). Recent research by [[Adi Shamir|Shamir]] et al. has suggested that information about the operation of cryptosystems and algorithms can be obtained in this way as well. This is an [[acoustic cryptanalysis|acoustic attack]]; if the surface of the CPU chip, or in some cases the CPU package, can be observed, [[infrared]] images can also provide information about the code being executed on the CPU, known as a ''thermal imaging attack''.
 
==Countermeasures==
Because side channel attacks rely on the relationship between information emitted (leaked) through the side channel and the secret data, countermeasures fall into two main categories: (1) eliminate or reduce the release of such information; and (2) eliminate the relationship between the leaked information and the secret data, that is, make the leaked information unrelated, or rather ''uncorrelated'', to the secret data. The second is typically achieved by randomizing the data on which the secret operation is performed, in a way that can be undone after the cryptographic operation (e.g., decryption) is completed.
 
Under the first category, displays are now commercially available which have been specially shielded to lessen electromagnetic emissions reducing susceptibility to [[TEMPEST]] attacks. Power line conditioning and filtering can help deter power monitoring attacks, although such measures must be used cautiously since even very small correlations can remain and compromise security.  Physical enclosures can reduce the risk of surreptitious installation of microphones (to counter acoustic attacks) and other micro-monitoring devices (against CPU power draw or thermal imaging attacks).
 
Another countermeasure (still in the first category) is to jam the emitted channel with noise. For instance, a random delay can be added to deter timing attacks, although adversaries can compensate for these delays by averaging multiple measurements together (or, more generally, using more measurements in the analysis). As the amount of noise in the side channel increases, the adversary needs to collect more measurements.
 
In the case of timing attacks against targets whose computation times are quantized into discrete clock cycle counts, an effective countermeasure is to design the software so that it is isochronous, that is, it runs in an exactly constant amount of time independently of secret values. This removes the timing channel from the computation itself.<ref name="Spadavecchia" >
[http://www.era.lib.ed.ac.uk/bitstream/1842/860/1/Spadavecchia_thesis.pdf "A Network-based Asynchronous Architecture for Cryptographic Devices"]
by Ljiljana Spadavecchia
2005
in sections "3.2.3 Countermeasures", "3.4.2 Countermeasures",
"3.5.6 Countermeasures", "3.5.7 Software countermeasures",
"3.5.8 Hardware countermeasures", and "4.10 Side-channel analysis of asynchronous architectures".
</ref>  Such countermeasures can be difficult to implement in practice, since even individual instructions can have variable timing on some CPUs.
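The timing attack described in the Examples section and the isochronous countermeasure above, shown together as an added example (this code is not from the article or from any of the cited works). A secret-dependent, early-exit byte comparison is placed beside an isochronous one; rather than timing wall-clock, each function reports how many bytes it examined, which stands in for the cycle count an attacker would measure. The secret, the attacker loop and the function names are all constructed for the illustration.

```python
"""Leaky (early-exit) comparison versus an isochronous one, with the
attacker's loop that turns the leak into a byte-by-byte key recovery.
Added example; the work counter stands in for measured time."""


def leaky_compare(secret: bytes, guess: bytes):
    """memcmp-style compare: stops at the first mismatch.
    Returns (match, work) where work is the number of bytes examined."""
    if len(secret) != len(guess):
        return False, 0
    work = 0
    for a, b in zip(secret, guess):
        work += 1
        if a != b:
            return False, work   # early exit: work reveals the matching prefix length
    return True, work


def isochronous_compare(secret: bytes, guess: bytes):
    """Examines every byte whatever the data; the mismatch is accumulated
    with OR so no branch (and no exit point) depends on the secret."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    work = 0
    for a, b in zip(secret, guess):
        work += 1
        diff |= a ^ b
    return diff == 0, work


def recover_by_prefix(secret: bytes, compare, alphabet=range(256)):
    """Attacker's view: for each position try every byte and keep the one
    whose comparison did the most work (the accept/reject bit is used as a
    tie-breaker for the final byte).  Against leaky_compare this recovers
    the secret; against isochronous_compare every guess scores the same,
    and the function returns None at the first position."""
    recovered = bytearray(len(secret))
    for pos in range(len(secret)):
        best, best_score, tie = None, (-1, False), False
        for c in alphabet:
            recovered[pos] = c
            match, work = compare(secret, bytes(recovered))
            score = (work, match)
            if score > best_score:
                best, best_score, tie = c, score, False
            elif score == best_score:
                tie = True
        if tie:            # nothing stood out: the oracle gave nothing away
            return None
        recovered[pos] = best
    return bytes(recovered)


if __name__ == "__main__":
    SECRET = b"k3y!"                      # constructed secret
    print(recover_by_prefix(SECRET, leaky_compare))        # b'k3y!'
    print(recover_by_prefix(SECRET, isochronous_compare))  # None
```

In production Python the comparison should be <code>hmac.compare_digest</code>, and in C a comparison that accumulates into a single integer, rather than a hand-rolled loop; the counter-based demonstration here only shows why the early exit matters. Note also that the length check in both functions still leaks the length of the secret, which is public in most protocols but is a leak nonetheless.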
 
One partial countermeasure against simple power attacks, but not differential power analysis attacks, is to design the software so that it is "PC-secure" in the "program counter security model". In a PC-secure program, the execution path does not depend on secret values—in other words, all conditional branches depend only on public information.
(This is a more restrictive condition than isochronous code, but a less restrictive condition than branch-free code.)
Even though multiply operations draw more power than [[NOP]] on practically all CPUs, using a constant execution path prevents such operation-dependent power differences—differences in power from choosing one branch over another—from leaking any secret information.<ref name="Spadavecchia"/>
On architectures where the instruction execution time is not data-dependent, a PC-secure program is also immune to timing attacks.
<ref>[http://en.scientificcommons.org/42451051 "The Program Counter Security Model: Automatic Detection and Removal of Control-Flow Side Channel Attacks"]</ref><ref>[http://www.usenix.org/events/sec05/wips.html Usenix.org] by David Molnar, Matt Piotrowski, David Schultz, David Wagner (2005)</ref>
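The program counter security model applied to modular exponentiation, as an added example (not code from the article or from the Molnar et al. paper). The naive square-and-multiply below branches on each secret exponent bit, so its operation sequence spells out the exponent, which is exactly what the power trace in the lead image exploits; the PC-secure version always squares and always multiplies, and a branch-free mask selects which result is kept. The trace returned by each function stands in for what an SPA or instruction-timing attacker would observe. Function names and the toy parameters are constructed for the illustration.

```python
"""Square-and-multiply with a secret-dependent branch versus a PC-secure
(square-and-always-multiply) version.  Added example; each function returns
(result, trace) where trace lists the operations in execution order."""


def naive_modexp(base: int, exp: int, mod: int):
    """Left-to-right square-and-multiply.  The multiply runs only when the
    exponent bit is 1, so the control-flow path depends on the secret.
    (bin() also drops leading zeros, so the loop count leaks the bit length.)"""
    result = 1
    trace = []
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":                   # branch on a secret bit
            result = result * base % mod
            trace.append("M")
    return result, trace


def ct_select(flag: int, a: int, b: int) -> int:
    """Return a if flag == 1 else b, without branching (flag must be 0 or 1).
    -flag is 0 or an all-ones mask for non-negative Python ints."""
    mask = -flag
    return (a & mask) | (b & ~mask)


def pc_secure_modexp(base: int, exp: int, mod: int, width: int):
    """Every iteration squares and multiplies; the secret bit only chooses
    which value survives.  `width` is the public bit length, so the number
    of iterations is public too."""
    result = 1
    trace = []
    for i in range(width - 1, -1, -1):
        bit = (exp >> i) & 1             # branch-free bit extraction
        result = result * result % mod
        trace.append("S")
        candidate = result * base % mod
        trace.append("M")
        result = ct_select(bit, candidate, result)
    return result, trace


def read_exponent_from_trace(trace) -> int:
    """What an SPA attacker does with the trace: an M immediately after an S
    means that exponent bit was 1.  Correct against naive_modexp; against
    pc_secure_modexp it reads all ones, i.e. it learns nothing."""
    bits = []
    for i, op in enumerate(trace):
        if op == "S":
            bits.append("1" if i + 1 < len(trace) and trace[i + 1] == "M" else "0")
    return int("".join(bits), 2)


if __name__ == "__main__":
    # Constructed toy parameters: modulus 61*53, secret exponent 17 (0b10001).
    r1, t1 = naive_modexp(42, 17, 3233)
    r2, t2 = pc_secure_modexp(42, 17, 3233, width=5)
    print("".join(t1), read_exponent_from_trace(t1))   # SMSSSSM 17
    print("".join(t2), read_exponent_from_trace(t2))   # SMSMSMSMSM 31
    assert r1 == r2 == pow(42, 17, 3233)
```

As the article says, this only closes the control-flow channel. Python's big-integer multiplication (and a generic bignum library's) still takes a data-dependent amount of time and draws data-dependent power, so the value of <code>candidate</code> and <code>result</code> can still leak through DPA; PC-security is a necessary condition, not a sufficient one.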
 
Another way in which code can be non-isochronous is that modern CPUs have a memory cache: accessing infrequently used information incurs a large timing penalty, revealing some information about the frequency of use of memory blocks. Cryptographic code designed to resist cache attacks attempts to use memory in only a predictable fashion (such as accessing only the input, the output and program data, and doing so according to a fixed pattern). For example, data-dependent [[look-up table]]s must be avoided because the cache could reveal which part of the look-up table was accessed.
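The data-dependent look-up table problem and the fixed-pattern access that avoids it, as an added example (not code from the article). The leaky version touches one table entry at a secret-dependent address; the resistant version reads every entry in a fixed order and uses an arithmetic mask, rather than a comparison branch, to keep the wanted one. Each function returns the list of indices it touched, which stands in for the cache lines an attacker in a neighbouring process could observe. The table is a constructed toy, not a real cipher S-box.

```python
"""Secret-indexed table lookup versus a scan-everything lookup.
Added example; the access list stands in for observable cache behaviour."""

# Constructed 256-entry toy table (an affine permutation of 0..255, not AES's S-box).
SBOX = [(i * 7 + 3) % 256 for i in range(256)]


def leaky_lookup(table, idx: int):
    """One access, at an address that depends on the secret index."""
    return table[idx], [idx]


def ct_lookup(table, idx: int):
    """Touch every entry in order; select with a branch-free mask.
    Assumes an 8-bit index space (0 <= idx < 256)."""
    result = 0
    accessed = []
    for i, v in enumerate(table):
        accessed.append(i)
        x = i ^ idx                          # 0 exactly when i == idx
        eq = ((x - 1) >> 8) & 1              # 1 if x == 0 else 0, without a branch
        mask = -eq                           # all ones or all zeros
        result |= v & mask
    return result, accessed


if __name__ == "__main__":
    secret_byte = 0xC3                       # constructed secret
    print(leaky_lookup(SBOX, secret_byte)[1])      # [195]: the address leaks the byte
    print(len(ct_lookup(SBOX, secret_byte)[1]))    # 256: same pattern for any byte
```

The scan costs 256 reads instead of one, which is why real implementations prefer bit-sliced code or hardware instructions (AES-NI) over table scans; the mask trick is the fallback when neither is available. The branch-free equality test is the same idiom used in C, where the compiler must not be allowed to turn it back into a branch.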
 
Other partial countermeasures attempt to reduce the amount of information leaked from data-dependent power differences.
Some operations use power that is correlated to the number of 1 bits in a secret value.
Using a [[constant-weight code]] (such as using [[Fredkin gate]]s or dual-rail encoding) can reduce the leakage of information about the [[Hamming weight]] of the secret value, although exploitable correlations are likely to remain unless the balancing is perfect.  This "balanced design" can be approximated in software by manipulating both the data and its complement together.<ref name="Spadavecchia" />
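The Hamming-weight leakage just described and its software approximation, as an added example (not code from the article or from the Spadavecchia thesis). A raw byte's weight ranges from 0 to 8, so an operation whose power draw tracks that weight leaks it; the dual-rail encoding stores every bit next to its complement, so whatever the value, the encoded word always has the same weight. The XOR on encoded values shows the "manipulate data and complement together" idea, and also where the balancing is imperfect. Names and widths are constructed for the illustration.

```python
"""Hamming-weight leakage versus a dual-rail (constant-weight) encoding.
Added example."""


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def dual_rail_encode(x: int, width: int) -> int:
    """Interleave each bit b of x with its complement: pair (b, 1-b) at
    positions (2i, 2i+1).  Every encoded word has weight == width."""
    out = 0
    for i in range(width):
        b = (x >> i) & 1
        out |= b << (2 * i)
        out |= (1 - b) << (2 * i + 1)
    return out


def dual_rail_decode(v: int, width: int) -> int:
    return sum(((v >> (2 * i)) & 1) << i for i in range(width))


def dual_rail_xor(a_enc: int, b_enc: int, width: int) -> int:
    """XOR without decoding.  Rails: true = a, false = not a.
    (a xor b) has true rail a_t ^ b_t and false rail a_t ^ b_f.
    The split rails a_t, a_f, b_t, b_f are unbalanced intermediates: in a
    real implementation they are exactly the residual correlation the
    article warns about."""
    mask = int("01" * width, 2)              # selects the true rails (even bits)
    a_t, a_f = a_enc & mask, (a_enc >> 1) & mask
    b_t, b_f = b_enc & mask, (b_enc >> 1) & mask
    r_t = a_t ^ b_t
    r_f = a_t ^ b_f                          # a xor (not b) == not (a xor b)
    return r_t | (r_f << 1)


def weight_profiles(width: int = 8):
    """Set of weights an attacker could see for raw versus encoded values."""
    raw = {hamming_weight(x) for x in range(1 << width)}
    enc = {hamming_weight(dual_rail_encode(x, width)) for x in range(1 << width)}
    return raw, enc


if __name__ == "__main__":
    print(weight_profiles())   # ({0,...,8}, {8})
```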
 
Several "secure CPUs" have been built as [[asynchronous circuit#Asynchronous CPU|asynchronous CPU]]s; they have no global timing reference. While these CPUs were intended to make timing and power attacks more difficult,<ref name="Spadavecchia" /> subsequent research found that timing variations in asynchronous circuits are harder to remove {{Citation needed|date=May 2013}}.
 
A typical example of the second category is a technique known as ''[[blinding (cryptography)|blinding]]''. In the case of [[RSA]] decryption with secret exponent <math>d</math> and corresponding encryption exponent <math>e</math> and modulus <math>m</math>, the technique applies as follows (for simplicity, the modular reduction by <math>m</math> is omitted in the formulas): before decrypting, that is, before computing the result of <math>y^d</math> for a given ciphertext <math>y</math>, the system picks a random number <math>r</math> coprime to <math>m</math> and encrypts it with the public exponent <math>e</math> to obtain <math>r^e</math>. Then, the decryption is done on <math>y \cdot r^e</math>, to
obtain <math>{(y \cdot r^e)}^d = y^d \cdot r^{e\cdot d} = y^d \cdot r</math>. Since the decrypting system chose <math>r</math>, it can compute its inverse modulo <math>m</math> (which exists because <math>r</math> is coprime to <math>m</math>) to cancel out the factor <math>r</math> in the result and obtain <math>y^d</math>, the actual result of the decryption. For attacks that require collecting side-channel information from operations with data ''controlled by the attacker'', blinding is an effective countermeasure, since the actual operation is executed on a randomized version of the data, over which the attacker has no control or even knowledge.
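The blinding procedure above carried through in code, as an added example (not from the article), using the article's notation: secret exponent d, public exponent e, modulus m. The key pair is a constructed toy (primes 61 and 53), far too small for real use; the function names and the rng parameter, which lets a test pin the random value, are also constructed.

```python
"""RSA decryption with blinding.  Added example with a toy key."""
import secrets
from math import gcd

# Constructed toy key: m = 61 * 53, e = 17, d = e^-1 mod lcm(60, 52).
E, M, D = 17, 3233, 2753


def rsa_encrypt(x: int, e: int = E, m: int = M) -> int:
    return pow(x, e, m)


def rsa_decrypt(y: int, d: int = D, m: int = M) -> int:
    """Unblinded decryption: the secret exponentiation runs directly on y,
    a value the attacker may have chosen."""
    return pow(y, d, m)


def rsa_decrypt_blinded(y: int, d: int = D, e: int = E, m: int = M,
                        rng=secrets.randbelow):
    """Pick r coprime to m, decrypt y * r^e, then strip r.
    Returns (plaintext, blinded_input) so a caller can check that the
    exponentiation ran on a value different from y."""
    while True:
        r = rng(m - 2) + 2                  # r in [2, m-1]
        if gcd(r, m) == 1:                  # r must be invertible mod m
            break
    blinded = y * pow(r, e, m) % m          # y * r^e
    partial = pow(blinded, d, m)            # (y * r^e)^d = y^d * r  (mod m)
    r_inv = pow(r, -1, m)                   # modular inverse, Python 3.8+
    return partial * r_inv % m, blinded


if __name__ == "__main__":
    y = rsa_encrypt(65)                     # 2790 for this toy key
    print(rsa_decrypt(y))                   # 65
    for _ in range(5):
        x, b = rsa_decrypt_blinded(y)
        print(x, b)                         # 65 each time, b different each time
```

Each call performs one extra exponentiation (r^e) and one inversion; Kocher's original timing-attack paper notes the cheaper variant of keeping a pair (r^e, r^-1) and squaring both between operations. Blinding addresses attacks that need attacker-chosen inputs; it does not hide the exponent from an attacker who can read the square-and-multiply pattern directly, which is what the control-flow countermeasures above are for.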
 
==See also==
* [[Differential power analysis]]
* [[Brute-force attack]]
* [[Computer surveillance]]
* [[Covert channel]]
 
==References==
{{refimprove|date=March 2009}}
{{reflist}}
 
==Further reading==
;Books
* {{cite book|authors=Ambrose, Jude et al.|title=Power Analysis Side Channel Attacks: The Processor Design-level Context|publisher=VDM Verlag|year=2010|isbn=9783836485081|url=http://books.google.com/books?id=n9wsQwAACAAJ}}
 
;Articles
* [http://www.cryptography.com/public/pdf/DPA.pdf Differential Power Analysis], P. Kocher, J. Jaffe, B. Jun, appeared in CRYPTO'99.
* [http://www.cryptography.com/public/pdf/TimingAttacks.pdf Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems], P. Kocher.
* [http://www.cryptography.com/dpa/technical/ Cryptography.com], Introduction to Differential Power Analysis and Related attacks, 1998, P Kocher, J Jaffe, B Jun.
* [http://csrc.nist.gov/encryption/aes/round1/conf2/papers/chari.pdf Nist.gov], a cautionary Note Regarding Evaluation of AES Candidates on Smart Cards, 1999, S Chari, C Jutla, J R Rao, P Rohatgi
* DES and Differential Power Analysis, L Goubin and  J Patarin, in Proceedings of CHES'99, Lecture Notes in Computer Science Nr 1717, Springer-Verlag
* {{cite book|authors=Grabher, Philipp et al.|chapter=Cryptographic Side-Channels from Low-power Cache Memory|editor=Galbraith, Steven D.|title=Cryptography and coding: 11th IMA International Conference, Cirencester, UK, December 18-20, 2007 : proceedings, Volume 11|publisher=Springer|year=2007|isbn=9783540772712|url=http://books.google.com/books?id=V0L2Ki72osoC&pg=PA170}}
*{{cite journal |first=Abdel Alim |last=Kamal |first2=Amr M. |last2=Youssef |title=Fault analysis of the NTRUSign digital signature scheme |journal=Cryptography and Communications |volume=4 |issue=2 |pages=131–144 |year=2012 |doi=10.1007/s12095-011-0061-3 }}
 
==External links==
* [http://www.scientificamerican.com/article.cfm?id=hackers-can-steal-from-reflections New side channel attack techniques]
* [http://cosade.org/ COSADE Workshop] International Workshop on Constructive Side-Channel Analysis and Secure Design
 
{{Cryptography navbox}}
 
{{DEFAULTSORT:Side Channel Attack}}
[[Category:Cryptographic attacks]]
[[Category:Side channel attacks| ]]
 
{{Link GA|ru}}

Revision as of 00:48, 13 February 2014

