Advanced SCA Attacks & Business Perspective
PV204 Security Technologies
Lukasz Chmielewski
CRoCS, Masaryk University, chmiel@fi.muni.cz
Part of the content is reused with permission of Lejla Batina and Ileana Buhan, Radboud University Nijmegen, The Netherlands.
April 29th, 2024

Outline
1 Advanced Passive Attacks
    Higher-Order Attacks
    Profiled Attacks
2 Introductions/Recall on Fault Attacks
3 Recall on Differential Fault Analysis (RSA)
4 Real-world example: fault attacks on WolfSSL
5 Symmetric DFA
    DFA on (Triple) DES
    DFA on AES
6 Advanced Fault Injection Attacks (Selection)
    Fault Injection And Side-Channel Analysis
    Statistical Ineffective Fault Attacks
7 Practical Aspects of Fault Injection Attacks
8 The industry perspective
    Evaluating Hardware attacks
9 sec-certs
10 Conclusions and Further Reading
    Conclusions: SCA and FI
    Conclusions: Business Perspective

1 Advanced Passive Attacks

Higher-Order Attacks

Recall: Masking
- Principle: randomizing intermediate values with a secret sharing scheme so DPA fails
- Boolean masking: a $d$th-order secure Boolean masking scheme splits a sensitive value $x$ into $d + 1$ shares $(x_0, x_1, \ldots, x_d)$, as follows: $x = x_0 \oplus x_1 \oplus \cdots \oplus x_d$
- The number of traces required for a successful attack grows exponentially w.r.t. the security order $d$.
- Probing-secure scheme. We refer to a scheme that uses certain families of shares as $t$-probing-secure iff any set of at most $t$ intermediate variables is independent from the sensitive values.

Recall: Masking with 2 shares
- $X = X_1 \oplus X_2$
- The leakage $L(X) = HW(X_1, X_2)$ depends on two variables.
- It does not reveal any information on the value of $X$ when a DPA is performed

Recall: 2nd order attacks: the idea
- The original paper of Kocher et al. states: “Of particular importance are high-order DPA functions that combine multiple samples from within a trace.”
- T. Messerges:
    t = 1 : m = rand() (generate mask-byte)
    t = 2 : x = p ⊕ m (XOR mask with plaintext-byte)
    t = 3 : y = x ⊕ k (XOR masked plaintext with key-byte)
- The point in the power trace where t = 1 is “subtracted” from the point in the power trace where t = 3.
- The joint distribution of these two power samples allows the key-byte to be derived bit by bit.
- The adversary calculates the means of the two sets $S_0$ and $S_1$ (depending on the plaintext bit), and then the DoM is used again.
Thomas S. Messerges. “Using Second-Order Power Analysis to Attack DPA Resistant Software”, CHES 2000, pages 238–251, Springer, 2000.

Recall: Approaches to 2nd order attacks
- It comes down to performing a pre-processing step and standard (1st-order) DPA-attacks
- Different options for the pre-processing function/step:
    - (absolute) difference of the appropriate points in the power trace
    - multiplication of the points
    - FFT
- Most of the approaches are proven sound for the Hamming weight model and Gaussian noise

Recall: 2nd order DPA attack on a software impl.
The following relation holds: $HW(a \oplus b) = |HW(a) - HW(b)|$.
Consequently, we can correctly predict $|p(a) - p(b)|$ with $HW(a \oplus b)$ and we do the attack as follows.
- Step 1: Fix an interval $I$ for all power traces $p_i$. The interval is determined by an educated guess for the time frame in which two intermediate values $F_1(x_i) \oplus M_i$ and $F_2(x_i) \oplus M_i$ are computed. For each trace $p_i$ we calculate a pre-processed trace that contains all values $|I_a - I_b|$.
- Step 2: Perform standard (1st-order) DPA attack on the pre-processed power traces. With this attack, we guess a part of the key $K$ to predict the value $HW(F_1(x_i) \oplus F_2(x_i))$. The value $|p(F_1(x_i) \oplus M_i) - p(F_2(x_i) \oplus M_i)|$ occurs in the pre-processed traces.

Profiled Attacks

Template motivation example
[Figure labels: +, sboxLayer, ..., update, in, y, k]
- Key k is refreshed before every encryption
- Does classical DPA work? No! It requires a constant key
- We rely on several assumptions (for attacks):
    1. We assume the leakage to be related to the Hamming weight (or distance)
    2. We look for leakage in the Sbox output only
    3. We assume the leakage to be univariate
- Ideally we would like to extract more leakage with minimal assumptions

Template Attack
- Attacking a well-protected device directly is hard
- We often do not get many traces with the same secret
- So we use an unprotected device of the same model
Figure: protected device (left), unprotected device (right)
- We profile, i.e. template the unprotected device
- We use the profile to break the protected device

Template Attack Procedure
1. Choose a model that describes the power consumption
2. Profile the unprotected device to create the template (Template Building)
3. Use the template to break the protected device (Template Matching)
The same steps are always performed. The model can be different.
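The three steps of the template attack procedure, as an added example on simulated traces (not code from the lecture). It assumes the PRESENT 4-bit S-box for the "sboxLayer", a constructed per-bit leakage model with three points of interest, and independent Gaussian templates per point; all function names are hypothetical.

```python
import math
import random

# PRESENT 4-bit S-box, standing in for the slide's "sboxLayer" (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]

# Constructed leakage: three points of interest (POIs). At each POI every bit
# of the S-box output has its own weight, so the simulated device does NOT
# follow a plain Hamming-weight model.
BIT_WEIGHTS = [(1.0, 0.8, 1.2, 0.9), (0.5, 1.5, 1.0, 0.7), (1.1, 0.4, 0.9, 1.6)]
NOISE_SIGMA = 0.1


def leak(value, rng):
    """Simulated trace for one S-box output: one noisy sample per POI."""
    bits = [(value >> b) & 1 for b in range(4)]
    return [sum(w * bit for w, bit in zip(weights, bits)) + rng.gauss(0.0, NOISE_SIGMA)
            for weights in BIT_WEIGHTS]


def build_templates(rng, traces_per_class=200):
    """Step 2, template building on the open device: for each of the 16
    S-box outputs, estimate mean and variance of the leakage at every POI."""
    templates = {}
    for value in range(16):
        traces = [leak(value, rng) for _ in range(traces_per_class)]
        columns = list(zip(*traces))
        means = [sum(col) / len(col) for col in columns]
        variances = [sum((x - m) ** 2 for x in col) / (len(col) - 1)
                     for col, m in zip(columns, means)]
        templates[value] = (means, variances)
    return templates


def log_likelihood(trace, template):
    """Gaussian log-likelihood, POIs treated as independent (simplification)."""
    means, variances = template
    return sum(-0.5 * math.log(2 * math.pi * v) - (x - m) ** 2 / (2 * v)
               for x, m, v in zip(trace, means, variances))


def match(trace, templates):
    """Step 3, template matching: the most likely S-box output for one trace."""
    return max(templates, key=lambda value: log_likelihood(trace, templates[value]))


def attack_success_rate(seed=1, n_targets=300):
    """Each target encryption uses a fresh key nibble, so only ONE trace per
    key is available. Returns the fraction of key nibbles recovered."""
    rng = random.Random(seed)
    templates = build_templates(rng)
    recovered = 0
    for _ in range(n_targets):
        key = rng.randrange(16)               # refreshed before every encryption
        plaintext = rng.randrange(16)         # known to the evaluator
        trace = leak(SBOX[plaintext ^ key], rng)
        guess = INV_SBOX[match(trace, templates)] ^ plaintext
        recovered += (guess == key)
    return recovered / n_targets


if __name__ == "__main__":
    print("single-trace key recovery rate:", attack_success_rate())
```

Raising NOISE_SIGMA shows how quickly single-trace matching degrades, which is the quantity a leakage evaluation of the real device would measure.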

Example

2 Introductions/Recall on Fault Attacks

Attack categories
- Side-channel attacks: use some physical (analog) characteristics while the target is running in normal conditions
- Faults: use abnormal conditions causing malfunctions in the system
- Micro-probing: accessing the chip surface directly in order to observe, learn and manipulate the device
- Reverse engineering

Types of implementation attacks
Active vs passive:
- Passive, i.e. eavesdropping: the device operates within its specification
- Active, i.e. tampering: the key is recovered by exploiting some abnormal behavior, e.g. power glitches or laser pulses
Invasiveness:
- Non-invasive aka low-cost: power/EM measurements
- Coldboot attacks: data remanence in memories; cooling down increases the retention time
- Rowhammer – is essentially a fault attack
- Semi-invasive: the device is de-packaged but no direct contact exists with the chip, e.g. optical attacks
- Invasive aka expensive: the strongest type is bus probing

Methods
- Variation in supply voltage, i.e. glitching
    - Can cause a processor to skip an instruction
    - Actively investigated by the smartcard industry
    - So-called unloopers were used to activate the infinite loop in PayTV smartcards
- Variation in the external clock: may cause data misread or an instruction miss
- Change in temperature
    - The temperature threshold is defined for which the chip will work properly
    - Can cause changes in RAM content
- White light: photons induce faults
- X-rays and ion beams

Goals
- Insert computational fault
    - Null key
    - Wrong crypto result (Differential Fault Analysis - DFA)
- Change software decisions
    - Force approval of false PIN
    - Reverse life cycle state – PayTV and old phone cards
    - Enforce access rights
    - Break secure boot

Practical Fault Injection Aspects and what we concentrate on in this lecture
- Most common FI: voltage and EM (due to its price) https://github.com/newaetech/chipshouter-picoemp
- Differential Fault Analysis (DFA)
- We mention a few advanced recent methods that strongly relate to SCA
- Glitching decisions:
    - secure boot
    - obtaining memory dumps
    - enabling debug interfaces

3 Recall on Differential Fault Analysis (RSA)

DFA
- Bellcore attack in 1995
    - Differential faults on RSA-CRT signatures
    - Requires 1 correct and 1 wrong signature
- Attack on DES in 1997 by Biham and Shamir
- Special attacks on AES, ECC etc.
- Fault attacks on key transfer

DFA on cryptosystems
Basic DFA scenario:
- adversary obtains a pair of ciphertexts that are derived by encrypting the same plaintext (one is correct value and the other is faulty)
- two encryptions are identical up to the point where the fault occurred → two ciphertexts can be regarded as the outputs of a reduced-round iterated block cipher where the inputs are unknown but show a small (and possibly known) differential
DFA on DES:
- the original attack of Biham and Shamir exploits computational errors occurring in the final rounds of the cipher
- assumes that one bit of the right half of the DES internal state is flipped at a random position

RSA with CRT
Optimization of computing a signature giving about 4-fold speedup:
- $n = p \cdot q$
- Signature: $s = m^d \bmod n$
- Pre-computed values:
    $d_p := d \bmod (p - 1)$
    $d_q := d \bmod (q - 1)$
    $i_q := q^{-1} \bmod p$
- $s_p := m^{d_p} \bmod p$
- $s_q := m^{d_q} \bmod q$
- Garner’s method (1965) to recombine $s_p$ and $s_q$: $s = s_q + q \cdot (i_q (s_p - s_q) \bmod p)$
Where to glitch? Almost anywhere :-)
- computations of $s_p$ and $s_q$.
- If error is in $s_p$ then the adversary can recover $q$ as follows: $q = \gcd(n, s - \hat{s})$.
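The RSA-CRT relations above carried through with numbers, as an added example (not code from the lecture): a simulated fault in $s_p$ exposes $q$ through the gcd, and a signer that verifies its own output before releasing it withholds the faulty signature. The primes are constructed toy values, the XOR fault model and all function names are assumptions, and the self-check is a standard countermeasure that the slide itself does not mention.

```python
import math

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)    # d_p and d_q
IQ = pow(Q, -1, P)                   # i_q = q^-1 mod p


def sign_crt(m, fault_mask=0):
    """RSA-CRT signature with Garner recombination.

    fault_mask models a glitch during the mod-p half: it is XORed into s_p.
    fault_mask=0 means no fault."""
    sp = pow(m, DP, P) ^ fault_mask
    sq = pow(m, DQ, Q)
    return sq + Q * ((IQ * (sp - sq)) % P)


def sign_crt_checked(m, fault_mask=0):
    """Hardened signer: verify with the public exponent before releasing."""
    s = sign_crt(m, fault_mask)
    if pow(s, E, N) != m % N:
        raise ValueError("signature self-check failed, result withheld")
    return s


def factor_from_fault(s_good, s_faulty):
    """q = gcd(n, s - s_hat): the faulty signature is still correct mod q,
    so the difference is a multiple of q but not of p."""
    return math.gcd(N, s_good - s_faulty)


if __name__ == "__main__":
    m = 0x1234567890ABCDEF                       # constructed message
    good = sign_crt(m)
    bad = sign_crt(m, fault_mask=1 << 7)         # one flipped bit in s_p
    print("unprotected signer leaks q:", factor_from_fault(good, bad) == Q)
    try:
        sign_crt_checked(m, fault_mask=1 << 7)
    except ValueError as err:
        print("checked signer:", err)
```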

4 Real-world example: fault attacks on WolfSSL

Ed25519
- Instance of EdDSA, which was proposed to “fix the unnecessary requirements on randomness” in ECDSA
- Does not depend on a “good” source of randomness, but instead derives a secret deterministically (hashing the msg and a long-term auxiliary key)
- Widely adopted by TLS1.3, Zcash, SSH, Tor, Signal, WolfSSL etc. (check “Things that use Ed25519”)
- Turns out to be easy to attack in some real-world deployments, i.e. WolfSSL
Niels Samwel, Lejla Batina, Guido Bertoni, Joan Daemen and Ruggero Susella: Breaking Ed25519 in WolfSSL, CT-RSA 2018.
Niels Samwel, Lejla Batina: Practical Fault Injection on Deterministic Signatures: the Case of EdDSA, Africacrypt 2018.

Ed25519
Algorithm 1 Ed25519 key setup and signature generation
Key setup.
1: Hash $k$ such that $H(k) = (h_0, h_1, \ldots, h_{2b-1}) = (a, b)$
2: $a = (h_0, \ldots, h_{b-1})$, Private scalar
3: $b = (h_b, \ldots, h_{2b-1})$, Auxiliary key
4: Compute public key: $A = aB$.
Signature generation.
5: Compute ephemeral private key: $r = H(b, M)$.
6: Compute ephemeral public key: $R = rB$.
7: Compute $h = H(R, A, M)$ and convert to integer.
8: Compute: $S = (r + ha) \bmod l$.
9: Signature pair: $(R, S)$.

The Attack
Two signatures, original $(R, S)$ and faulty $(R', S')$:
$S = r + ha$
$S' = r + h'a$
$S - ha = S' - h'a$
$a = \frac{S - S'}{h - h'}$

Setup
[Figure: fault injection setup; labels: PC, Oscilloscope, FTDI, Trigger, VC Glitcher, Vcc, Reset line, Glitch Amplifier, Current Probe, XYZ-Table, Target, Pulse Amplitude, Digital Glitch]

Results
[Figure: plots over glitch length (ns), glitch voltage (V) and glitch offset (ns)]
Voltage fault injection results, Normal (green), Inconclusive (yellow), Successful (red).

Results
[Figure: axes labelled x-axis and y-axis]

Conclusion
- Two real physical side-channel attacks were actually performed against Ed25519
- Side-channel analysis of Ed25519 with 4 000 traces
- Fault injection on Ed25519 with 100% success rate for EM FI and 70% for voltage glitching out of 10 000 measurements
- For both attacks there exist inexpensive countermeasures

5 Symmetric DFA

DFA on (Triple) DES

Final rounds of a DES encryption
- This part of the presentation is based on: Eloi Sanfelix, Cristofaro Mune, and Job de Haas, Unboxing the White-Box: Practical attacks against Obfuscated Ciphers, Black Hat 2015. [1]
- Attack on Triple DES usually ≈ two (or three) attacks on DES
- Who remembers how DES works? How many rounds are there? How does DES finish?
[1] https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf

The DES Feistel function, F

The Attack / Equations
- Recover one round key at a time, until the complete key can be computed.
- Recover the last round key ($K_{16}$) using a DFA attack by injecting faults during the execution of round 15.
- Using the correct and faulty output (primed symbols denote values from the faulty execution), we can write the following equations:
    $R_{16} = F(R_{15}, K_{16}) \oplus L_{15}$,
    $R'_{16} = F(R'_{15}, K_{16}) \oplus L_{15}$,
  where $K_{16}$ and $L_{15}$ are unknown.
- Combine the above equations to obtain the following:
    $R_{16} \oplus R'_{16} = F(R_{15}, K_{16}) \oplus F(R'_{15}, K_{16})$,
  where only $K_{16}$ is unknown.
- For each S-Box the following equation needs to be solved:
    $(P^{-1}(R_{16} \oplus R'_{16}))_i = S_i(E(R_{15}) \oplus K_{16,i}) \oplus S_i(E(R'_{15}) \oplus K_{16,i})$,
  where $E$ and $P$ represent the expansion and permutation in the $F$ function.

The Attack: how to recover the key?
- Problems?
    - Typically a single equation results in a number of candidates for each affected sub-key (for each fault).
    - Sometimes when the faults are not injected as expected (by the attack) it is possible to discard a correct key.
- Counting strategy:
    - For each fault, compute the set of solutions to the equation and increase the count for the respective key-byte candidates.
    - When all faults are analyzed, the candidate with the highest count is selected as the correct candidate.
- Scores:
    Processing round 16:
    Best result S-Box 1:
    0, sub key: 25 (0x19), value: 1.00000
    1, sub key: 27 (0x1B), value: 0.43750
    2, sub key: 17 (0x11), value: 0.38890
    3, sub key: 24 (0x18), value: 0.33330
    Best result S-Box 2:
    ...

The Attack: how to recover the key? cont’d
- When the last round key is known, the attack can be iterated to the previous round key. Why?
- The round key is 48-bits and the full key is 56-bits.
- Inject faults one round earlier and compute the output of the one but last round by using the recovered last round key.
- For 112-bit TDES: the same attack can be applied to the middle DES once the final DES is broken.
- For 168-bit TDES (with three keys): the attack is iterated to the initial DES.
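The per-S-box equation and the counting strategy from the slides above, as an added example on constructed fault observations (not code from the lecture or from the cited Black Hat paper). It covers DES S-box 1 only, picks the S-box inputs at random instead of deriving them from ciphertext pairs, and normalises scores by the best count, which is an assumption about how the "value" column in the sample output is computed; all function names are hypothetical.

```python
import random
from collections import Counter

# DES S-box 1: row = outer two bits of the 6-bit input, column = inner four.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox1(x):
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1[row][col]


def candidates(e, e_faulty, delta):
    """All 6-bit sub-keys k with S1(e ^ k) ^ S1(e_faulty ^ k) == delta, where
    e and e_faulty are the S-box-1 parts of E(R15) and E(R'15) and delta is
    the S-box-1 part of P^-1(R16 ^ R'16)."""
    return {k for k in range(64) if sbox1(e ^ k) ^ sbox1(e_faulty ^ k) == delta}


def simulate_faults(subkey, n_good, n_bad, rng):
    """Constructed observations. 'Good' faults follow the model; 'bad' ones
    get a wrong output difference (a fault that landed somewhere else)."""
    observations = []
    for i in range(n_good + n_bad):
        e = rng.randrange(64)
        e_faulty = e ^ rng.randrange(1, 64)      # at least one input bit differs
        delta = sbox1(e ^ subkey) ^ sbox1(e_faulty ^ subkey)
        if i >= n_good:
            delta ^= rng.randrange(1, 16)        # inconsistent with the true key
        observations.append((e, e_faulty, delta))
    rng.shuffle(observations)
    return observations


def rank_by_count(observations):
    """Counting strategy: every solution of every equation gets one vote.
    Returns (sub_key, count / best_count) pairs, best first."""
    counts = Counter()
    for e, e_faulty, delta in observations:
        counts.update(candidates(e, e_faulty, delta))
    best = max(counts.values())
    return [(key, count / best) for key, count in counts.most_common()]


def intersect(observations):
    """Naive alternative: keep only keys that solve every equation. One
    unexpected fault is enough to discard the correct key."""
    keys = set(range(64))
    for e, e_faulty, delta in observations:
        keys &= candidates(e, e_faulty, delta)
    return keys


if __name__ == "__main__":
    rng = random.Random(2024)
    obs = simulate_faults(0x19, n_good=20, n_bad=5, rng=rng)  # 0x19 as in the sample output
    for rank, (key, score) in enumerate(rank_by_count(obs)[:4]):
        print(f"{rank}, sub key: {key} (0x{key:02X}), value: {score:.5f}")
    print("intersection keeps the true key:", 0x19 in intersect(obs))
```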

DFA on AES

DFA High Level Attack
- Who remembers how AES works? How many rounds? How does AES-128 finish?
- This DFA on AES is also based on the aforementioned Black Hat 2015 paper, which builds on the attack from P. Dusart, G. Letourneux and O. Vivolo, Differential fault analysis on AES, Springer, 2003. [2]
- The attack is more complex than for DES so refer to the papers for details or ask me.
[2] https://eprint.iacr.org/2003/010.pdf

6 Advanced Fault Injection Attacks (Selection)

Fault Injection And Side-Channel Analysis

Fault Injection as an Oscilloscope
This part of the presentation is based on: Albert Spruyt, Alyssa Milburn, and Lukasz Chmielewski, Fault Injection as an Oscilloscope: Fault Correlation Analysis, CHES 2021. [3]
[3] https://tches.iacr.org/index.php/TCHES/article/view/8732/8332

Constructing ‘probability traces’ from faults
- A fault probability is dependent on the data being processed by a device.
- From: Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Toshinori Fukunaga, Junko Takahashi, and Kazuo Ohta, Fault sensitivity analysis, CHES 2010.
- This paper shows how to exploit this leakage to recover the AES key.
- That is true but operation leakage would also be visible!
- A voltage FI device can be transformed into a 1-bit sampling oscilloscope!
- Let’s see one AES power trace.
- Approximately 15k FI attempts per point in time for one AES FI barchart trace.

Simple Fault Analysis on RSA

Fault Correlation Analysis on AES (1)

Statistical Ineffective Fault Attacks

Statistical Ineffective Fault Attacks (SIFA)
- Presented in: C. Dobraunig, M. Eichlseder, T. Korak, S. Mangard, F. Mendel, and R. Primas, SIFA: Exploiting Ineffective Fault Inductions on Symmetric Cryptography [4]
- SIFA combines older attacks:
    - Ineffective Fault Attacks (Christophe Clavier, Secret external encodings do not prevent transient fault analysis, CHES 2010)
        + Exploits only correct ciphertexts
        – Requires precise faults with known effect
    - Statistical Fault Analysis (T. Fuhr, É. Jaulmes, V. Lomné, and A. Thillard. Fault attacks on AES with faulty ciphertexts only, FDTC 2013)
        + Any fault, even if effect is unknown
        – Mitigated by detection/infection
- SIFA:
    - exploits only correct ciphertexts
    - any fault, even if effect is unknown
    - works against masked implementations
- For more see the paper or ask me.
[4] https://tches.iacr.org/index.php/TCHES/article/view/7286/6463

7 Practical Aspects of Fault Injection Attacks

What is fault injection used for?
- Enabling JTAG
- glitching check?
- glitching registers?
- changing setting during booting?
- glitching secure boot?
- Side Channel Analysis Characterization + Fault Injection
- Common: Voltage / EMFI
- More rare: Laser
- Setting registers

What is fault injection used for? cont’d
- glitching communication for memory dumps
- wild jungle jump (ARM)
- FISim / other simulators
- DFA, RSA, SIFA, ...
- TEE security mechanisms?
- attacking (protected) secure ROMs
- chain of trust, runtime control
- Settings: DDR/Clock, do we need FI?
- what to attack in boot process?

What to attack in boot process?
Automotive example [5]:
[5] Example taken from https://www.renesas.com/us/en/blogs/achieving-root-trust-secure-boot-automotive-rh850-and-r-car-devices-part-3

Comparison of various FIs - what we want
- Generic solutions with few assumptions
    - No ciphertext knowledge
    - Attacks on generic target
    - No clock control
    - Non-profiled
- How much are we willing to pay for generic attacks?
- All that flexibility comes at the price of a large number of faults.

8 The industry perspective

Why invest in a security evaluation?
Motivation for purchasing security evaluation services:
1. Have to, or the product cannot be sold;
2. Protect against potential future damage;
3. Competitive advantage;
4. Produce secure devices for the safety of their customers;

Security Certification
- Evidence that a product meets a set of given security requirements;
- Regulate access to certain markets: payment, content protection, government, etc.
- Different security evaluation standards are available:
    - industry
    - product type: IC, OS, application
    - security requirements
    - geographical location
- Cost-effective:
    - recognition of certificates
    - pre-defined security requirements
    - pre-defined evaluation methodology
- Vendor liability

Short history: Certification schemes timeline:
- (1994) Common Criteria: France, Germany, the Netherlands, UK
- (1994) FIPS 140-1, USA
- (1999) EMVco - payment industry
- (2001) FIPS 140-2
- (2019) FIPS 140-3
- (2019) Security Evaluation Standard for IoT Platforms (SESIP)
- ...

Common Criteria
- (1994) France, Germany, the Netherlands, UK
- (2022)
    - Certificate Authorizing Members: Australia, Canada, France, Germany, India, Italy, Japan, Malaysia, Netherlands, New Zealand, Norway, Korea, Singapore, Spain, Sweden, Turkey, USA.
    - Certificate Consuming Members: Austria, Czech Republic, Denmark, Ethiopia, Finland, Greece, Hungary, Indonesia, Israel, Pakistan, Poland, Qatar, Slovak Republic, UK.
- Separation of the role of the certifier (national schemes) and evaluator (accredited commercial laboratories).
- The sponsor of the evaluation is the vendor.

Objectives of CC evaluation
Stated [6] objectives of CC evaluations:
1. to ensure that evaluations of Information Technology (IT) products and protection profiles are performed to high and consistent standards, and are seen to contribute significantly to confidence in the security of those products and profiles;
2. to improve the availability of evaluated, security-enhanced IT products and protection profiles;
3. to eliminate the burden of duplicating evaluations of IT products and protection profiles;
4. to continuously improve the efficiency and cost-effectiveness of the evaluation and certification/validation process for IT products and protection profiles.
[6] Arrangement on the Recognition of Common Criteria Certificates In the field of Information Technology Security, May 2000, https://www.commoncriteriaportal.org/files/operatingprocedures/cc-recarrange.pdf

Which products?
The graph includes archived products (expired certificates). [7]
[7] data from: https://www.commoncriteriaportal.org/products/stats/

CC certificates are public

Recent evaluations

Inside a CC certificate
Qualcomm Secure Processor Unit SPU250 (Version: 4.1) in SM8350 SoC (Qualcomm® Snapdragon™ 888) with symmetric and asymmetric crypto support, 2 December 2021, https://www.commoncriteriaportal.org/files/epfiles/NSCIB-CC-0227918-CR.pdf

Inside a CC certificate
Certification Report H1D3 Secure Microcontroller with Crypto Library v0.1.4, 12 November 2021, https://www.commoncriteriaportal.org/files/epfiles/NSCIB-CC-0228971-CR.pdf

What are the merits/criticism of a CC evaluation?

CC evaluations in a nutshell
A CC certificate cannot guarantee security, but ensures that claims about security are independently verified.
- Merits:
    - White-box evaluations;
    - Attack based evaluation;
    - Recognized in multiple markets;
    - Vetted evaluation labs;
- Criticism:
    - Static, certificate valid for the version of HW and SW that was evaluated;
    - Formal, a lot of documentation to be reviewed;
    - Expensive;
A CC certificate can only be withdrawn when it was issued under misconception, e.g., when it turns out that wrong evidence was submitted, not if a vulnerability is found.

What is EMVco?
https://www.youtube.com/watch?v=g1aSWgq0l8s

EMV chip
- Europay Mastercard Visa - first published in 1996
- EMV chip has three key elements:
    1. it can perform processing
    2. can store confidential information very securely
    3. can perform cryptographic processing
- EMV certification similar to CC certification
    - keyword: secure composability: chip, OS, application;
    - accredited labs;
    - manufacturers are sponsors of an evaluation
    - certification bodies are private companies

Beyond EMV chip
Notes:
- Online payment world, the Chip&Pin are becoming obsolete
- Support for different integrated payment methods
- Mobile Payment, Payment Tokenization, Wearables, EMV3D
- Technology evolves: HCE, TEE, etc.;
- Secure storage of credentials is hardware related;

Evaluating Hardware attacks

Evaluating Hardware Attacks
Joint Interpretation Library describes how to objectively express the effort required to mount a successful attack. [8]
[8] SOG-IS: Attack methods for smartcards and similar devices (2020), https://www.sogis.eu/documents/cc/domains/sc/JIL-Application-of-Attack-Potential-to-Smartcards-v3-1.pdf

The cost of a (potential) DPA attack
Identification Exploitation Elapsed time < one week 2