實體密碼攻擊法之研究

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：17

、訪客IP：18.118.186.19

姓名

楊舜民(Shen-Ming Yang ) 查詢紙本館藏

畢業系所

資訊工程研究所

論文名稱

實體密碼攻擊法之研究

相關論文

★ 多種數位代理簽章之設計	★ 小額電子支付系統之研究
★ 商業性金鑰恢復與金鑰託管機制之研究	★ AES資料加密標準之實體密碼分析研究
★ 電子競標系統之研究	★ 針對堆疊滿溢攻擊之動態程式區段保護機制
★ 通用型數域篩選因數分解法之參數探討	★ 於8051單晶片上實作可防禦DPA攻擊之AES加密器
★ 以非確定式軟體與遮罩分割對策防禦能量攻擊之研究	★ 遮罩保護機制防禦差分能量攻擊之研究
★ AES資料加密標準之能量密碼分析研究	★ 小額電子付費系統之設計與密碼分析
★ 公平電子現金系統之研究	★ RSA公開金鑰系統之實體密碼分析研究
★ 保護行動代理人所收集資料之研究	★ 選擇密文攻擊法之研究與實作

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

在現今科技進步的時代，如Smart Card, PDA等等有效率且精密的電子設備紛紛被研發，並用以輔助使用者處理或儲存個人的秘密資料。然而，此類電子設備通常操作在公開的環境中，因此極有可能在某些條件之下，而洩漏秘密資料，進而危及個人權益。
而在近幾年，實體密碼攻擊法(physical cryptanalysis)已經在密碼學中自成一門新興的領域。現存的各類密碼演算法，經常被設計成硬體或軟體，一旦在設計時，考慮不周詳，即可能遭到實體密碼攻擊法的攻擊。在本篇論文中，實體密碼攻擊法將被仔細的討論，且將特別針對錯誤攻擊法(fault-based attack)以及時序攻擊法(timing attack)加以討論。
在第四章，一種新型態錯誤攻擊法被發表，該錯誤攻擊法可以用來分析IDEA, RC5與RC6。該攻擊法主要針對模加法(modular addition)與模乘法(modular multiplication)兩種運算加以分析。正因為這兩種運算被廣泛的使用在傳統加密器中，所以其相對的安全性更需要被仔細的討論。
在傳統設計中，除法鏈演算法(division chain algorithm)是被用來提昇指數運算效率的演算法，正因為其具有良好的效率，所以受到廣泛的重視。隨機亂序除法鏈的觀念在第五章被提出來，該觀念用來防禦現行可能的時序攻擊法，並且相關的執行效率也一併被討論。
混合式攻擊法(Hybrid attacks)基本上是合併兩種以上的實體密碼攻擊法，同時用以分析密碼系統。在某些合理的假設之下，混合式攻擊法將較單一的實體密碼攻擊法更有效率。在第六章，混合式攻擊法以及可行的防禦機制設計觀念將被提出來討論。

摘要(英)

Nowadays, some popular and small electronic devices, e.g., smart IC cards, are developed in order to provide possible solutions for data security, such as data processing and storage. However, these devices operate frequently in public environments and may suffer to leak secret information.
In this thesis, physical cryptanalysis will be examined with great details. Physical cryptanalysis analyze careless implements of cryptosystems and open a brand new direction of cryptanalysis during the past few years. In this thesis, we focus especially on the fault-based attack and timing attack.
In Chapter 4, new fault-based attacks on IDEA and RC5 (and also RC6) ciphers are considered. These attacks are conducted upon either modular addition or modular multiplication. Moreover, these two modular operations are used frequently in many cryptosystems, so their security should be considered
extensively. Analysis shows that the considered cryptanalysis in this thesis is reasonable.
Division chain algorithm was originally developed for improving exponentiation computation. In Chapter 5, the concept of randomized division chain is proposed to counteract the possible timing cryptanalysis when performing an exponentiation computation.
Hybrid attacks, i.e., a novel combination of more than one physical cryptanalysis at the same time, are believed to be much powerful than any single physical cryptanalysis. In Chapter 6, possible guidelines, although not exhaustive, to
prevent hybrid attacks are considered.

關鍵字(中)

★ 實體密碼攻擊法
★ 時序攻擊法
★ 能量攻擊法
★ 錯誤攻擊法

關鍵字(英)

★ fault-based attack
★ physical cryptanalysis
★ power monitoring attack
★ timing attack

論文目次

Abstract………………………………………………………………… I
Acknowledgements……………………………………………………… II
Contents………………………………………………………………… III
List of Tables………………………………………………………… V
List of Figures…………………………………………………………VII
Contents
1.Introduction………………………………………………………… 1
1.1 Motivation……………………………………………………… 1
1.2 Conventional Engineering and Security Engineering……2
1.3 Taxonomy of Cryptanalysis……………………………………2
1.4 Physical Security Cryptanalysis……………………………3
1.5 Overview of the Thesis……………………………………… 4
2.Review of Hardware Fault Cryptanalysis……………………… 5
2.1 Introduction…………………………………………………… 5
2.1.1History……………………………………………………… 5
2.1.2Types of Fault………………………………………………6
2.2 Bellcore Fault Attack…………………………………………7
2.2.1Fault model………………………………………………… 7
2.2.2An attack on “RSA-CRT”…………………………………8
2.3 Differential Fault Analysis…………………………………9
2.3.1Fault model of DFA…………………………………………9
2.3.2A differential fault analysis on DES…………………10
2.4 Discussion……………………………………………………… 13
3.Review of Timing Attack and Power Monitoring Attack………15
3.1 Kocher’s Timing Attack………………………………………17
3.1.1Preliminaries……………………………………………… 17
3.1.2Attack procedure……………………………………………18
3.1.3Analysis of Kocher’s timing attack………………… 20
3.1.4Possible countermeasures…………………………………21
3.2 Improved Timing Attack……………………………………… 21
3.2.1Preliminaries……………………………………………… 21
3.2.2Attack by exploiting multiplication………………… 23
3.2.3Attack by exploiting squaring………………………… 23
3.2.4Possible countermeasures…………………………………25
3.3 The Other Timing Attacks…………………………………… 25
3.4 Power Monitoring Attack………………………………………26
3.4.1Simple power analysis…………………………………… 26
3.4.2Differential power analysis…………………………… 27
3.4.3Improved DPA…………………………………………………30
3.4.4Possible countermeasures…………………………………31
3.5 Discussion……………………………………………………… 32
4.Differential Fault Attack on IDEA Cipher…………………… 33
4.1 Introduction…………………………………………………… 33
4.2 Fault Model and Cryptanalysis Procedure…………………33
4.2.1Assumption and general model……………………………34
4.2.2Our simple fault model……………………………………35
4.3 Cryptanalysis Complexity…………………………………… 39
4.3.1Computing cost of attacking multiplication
modulo 2^16+1……………………………………………… 39
4.3.2Computing cost of attacking addition modulo
2^16……………………………………………………………39
4.4 Discussion and Open Problems……………………………… 40
5.Countermeasure against Timing Cryptanalysis by Randomized
Division Chain……………………………………………………… 43
5.1 Introduction…………………………………………………… 43
5.2 The Division Chain for Exponentiation……………………43
5.3 Timing Cryptanalysis over Division Chain……………… 44
5.3.1The characteristic of division chain…………………45
5.3.2Timing cryptanalysis procedure…………………………46
5.3.3Possible countermeasures…………………………………47
5.3.4Penalties of countermeasures……………………………49
5.4 Discussion……………………………………………………… 52
6.Some Remarks of Cryptanalysis……………………………………53
6.1 Common Conception of Physical Attack…………………… 53
6.2 Design Rule of Countermeasures…………………………… 56
6.3 Discussion……………………………………………………… 57
7.Conclusions……………………………………………………………59
7.1 Brief Review of Main Contributions……………………… 59
7.2 Further Research Topics and Directions………………… 60
Reference…………………………………………………………………63

參考文獻

[1]M.-L. Akkar, R. Bevan, P. Dischamp and D. Moyart, “Power Analysis, What Is Now Possible,” Advance in Cryptology - ASIACRYPT 2000, Lecture Notes in Computer Science1976, Springer-Verlag, 2000, pp. 489-502
[2]“Analysis of the floating point flaw in the Pentium processor,” Nov. 1994 http://www.intel.com/procs/support/pentium/fdiv/white11/index.htm
[3]R. Anderson and M. Kuhn, “Tamper Resistance - a Cautionary Note,” Proceedings of the 2nd Workshop on Electronic Commerce, pp.1-11, 1996
[4]R. Anderson and M. Kuhn, “Low Cost attacks on Tamper Resistant Devices,” Proceedings of the 1997 Security Protocols Workshop, Paris, Lecture Notes in Computer Science 1361, Springer-Verlag, 1997, pp. 125-136.
[5]E. Biham and A. Shamir, “Differential Fault Analysis of Secret Key Cryptosystems,” Advances in Cryptology - CRYPTO'97, Lecture Notes in Computer Science vol. 1249, Springer-Verlag, 1997, pp. 513-525
[6]E. Biham and A. Shamir, “Power Analysis of the Key Scheduling of the AES Candidates,” Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, Mar. 1999
[7]D. Boneh, R.A. Demillo and R.J. Lipton, “On the Importance of Checking Cryptographic Protocols for faults,” Advance in Cryptology - EUROCRYPT'97, Lecture Notes in Computer Science, Springer-Verlag, 1997, pp.37-51
[8]S. Chari, C.S. Jutla, J.R. Rao and P. Rohatgi, “A Cautionary Note regarding Evaluation of AES Candidates on Smart-Cards,” Proceedings of the Second Advanced Encryption Standard (AES) Candidate Conference, Mar. 1999
[9]D. Chaum, “Blind Signatures for Untraceable Payments,” Advances in Cryptology-CRYPTO'82, Plenum Press, 1983, pp. 199-203
[10]J.-S. Coron and L. Goubin, “On Boolean and Arithmetic Masking against Differential Power Analysis,” Proceedings of Cryptographic Hardware and Embedded Systems '00, Lecture Notes in Computer Science, Springer-Verlag, 2000
[11]J. Daemen and V. Rijmen, “AES proposal: Rijndael,” Proceedings of the First Advanced Encryption Standard (AES) Conference, Aug. 1998
[12]J.-F. Dhem, F. Koeune, P.-A. Leroux, P. Mestre, J.-J. Quisquater and J.-L. Willems, “A practical implementation of the timing attack,” Crypto Group Technical Report Series CG--1998/1, Universit'e Catholique de Louvain and Proceedings of the CARDIS 1998, 1998
[13]S.E. Eldridge and C.D. Walter, “Hardware Implementation of Montgomery's Modular Multiplication Algorithm,” IEEE Trans. on computers, V.42, n. 6, pp. 693-699, Jun. 1993
[14]J.J. Farrell III, “Smartcards become an international technology,” TRON Project International Symposium, 1996. TEPS '96, 1996, pp. 134-140
[15]U. Feige, A. Fiat and A. Shamir, “Zero knowledge proofs of identity,” Journal of Cryptology, Vol. 1, No. 2, 1988, pp. 77-94
[16]D.M. Gordon, “A survey of fast exponentiation methods,” Journal of Algorithms, 27, 1998. pp. 129-146
[17]G. Hachez, F. Koeune, and J.-J. Quisquater, “Timing Attack: What Can Be Achieved By A Powerful Adversary?,” Proceedings of the 20th symposium on Information Theory in the Benelux, May 1999, pp. 63-70
[18]H. Handschuh, “A Timing Attack on RC5,” Proceedings of the Workshop on Selected Areas in Cryptography - SAC'98, Springer-Verlag, Aug 1998
[19]J. Kelsey, B. Schneier, D. Wagner and C. Hall, “Side Channel Cryptanalysis of Product Ciphers,” Computer Security-ESORICS'98, Lecture Notes in Computer Science 1485, Springer-Verlag, 1998
[20]J. Kilian and P. Rogaway, “How to Protect DES Against Exhaustive Key Search,” Advances in Cryptology-CRYPTO'96, Springer-Verlag,1996, pp. 252-267
[21]C.K. Koc, T. Acar and B.S. Kaliski,Jr., “Analyzing and comparing Montgomery multiplication algorithms,” IEEE Micro, Volume: 16 Issue: 3 , June 1996 pp. 26 -33
[22]P.C. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems,” Advance in Cryptology - CRYPTO'96, Lecture Notes in Computer Science, Springer-Verlag, 1996, pp. 104-113
[23]P. Kocher, J. Jaffe and B. Jun, “Differential Power Analysis,” Advance in Cryptology - CRYPTO'99, Springer-Verlag, 1999, pp. 388-397
[24]P. Kocher, J. Jaffe and B. Jun, “Introduction to Differential Power Analysis and Related Attacks,” 1998, http://www.cryptography.com/dpa/technical
[25]F. Koeune, and J.-J. Quisquater, “A Timing Attack against Rijndael,” Crypto Group Technical Report Series CG--1999/1, Universit'e Catholique de Louvain., 1999
[26]O. Kommerling and M. G. Kuhn, “Design Principles for Tamper-Resistant Smartcard Processors,” Proceedings of USENIX Workshop on smartcard Technology (Smartcard'99), May 1999, pp. 9-20
[27]M. Kuhn, “Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP,” IEEE Trans. on computers, v. 47, n. 10, pp. 1153-1157, Oct 1998
[28]X. Lai, On the Design and Security of Block Ciphers, ETH Series in Information Processing, v.1, Konstanz: Hartung-gorre Verlag, 1992
[29]A. Menezes, P. van Oorschot and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996
[30]T.S. Messerges, “Securing the AES Finalists Against Power Analysis Attacks,” Proceedings of Fast Software Encryption Workshop 2000, Lecture Notes in Computer Science, Springer-Verlag, Apr. 2000
[31]T.S. Messerges, E.A. Dabbish and R.H. Sloan, “Investigations of Power Analysis Attacks on Smartcards,” Proceedings of USENIX Workshop on smartcard Technology, May 1999, pp. 151-161
[32]D. Naccache and D. M'Raihi, “Cryptographic Smart Cards,” IEEE Micro, Volume: 16 Issue: 3 , June 1996 pp. 15 -24
[33]National Bureau of Standards, Data Encryption Standard, U.S. Department of Commerce, FIPS pub. 46,Jan 1977
[34]B.J. Phillips and N. Burgess, “Algorithms for Exponentiation of Long Integers - A Survey of Published Algorithms,” The University of ADELAIDE, Centre for Gallium Arsenide VLSI Technology, Digital Arithmetic Group, May 1996
[35]R. Rivest, “The RC5 Encryption Algorithm,” Proceedings of Second International Workshop on Fast Software Encryption, 1994, pp. 86-96
[36]R. Rivest, M.J.B. Robshaw, R. Sidney, and Y.L. Yin, “The RC6 Block Cipher,” Technical Report of RSA Laboratory, 1998
[37]R.L. Rivest, A. Shamir, and L.M. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, v. 21, n. 2, pp. 120-126, Feb 1978
[38]V. Taponen, “Tamper-resistant Smart Cards - Too Much To Ask For?,” HUT TML 2000 Tik-110.501 Seminar on Network Security; http://www.hut.fi/~vtaponen/draft40.html 2000
[39]C.D. Walter, “Exponentiation Using Division Chains” IEEE Trans. on computers, V.47, n. 7, pp. 757-765, Jul. 1998
[40]S.-M. Yen and M. Joye, “Checking Before Output May Not Be Enough Against Fault-Based Cryptanalysis,” IEEE Trans. on computers, v. 49, n. 9, pp. 967-970, Sep 2000

指導教授

顏嵩銘(Sung-Ming Yen)

審核日期

2001-6-29

推文