• PDF / 234,178 Bytes
• 14 Pages / 430 x 660 pts Page_size
• 38 Downloads / 192 Views

DOWNLOAD

REPORT

Abstract. Cache based attacks (CBA) exploit the different access times of main memory and cache memory to determine information about internal states of cryptographic algorithms. CBAs turn out to be very powerful attacks even in practice. In this paper we present a general and strong model to analyze the security against CBAs. We introduce the notions of information leakage and resistance to analyze the security of several implementations of AES. Furthermore, we analyze how to use random permutations to protect against CBAs. By providing a successful attack on an AES implementation protected by random permutations we show that random permutations used in a straightforward manner are not enough to protect against CBAs. Hence, to improve upon the security provided by random permutations, we describe the property a permutation must have in order to prevent the leakage of some key bits through CBAs. Keywords: cache attacks, AES, threat model, countermeasures, random permutations.

1

Introduction

Modern computers use a hierarchical organization of different types of memories among them fast but small cache memory and slow but large main memory. In 2002 Page [14] presented a theoretical attack on DES that exploited timing information to deduce information about cache accesses, which in turn reveal information about secret keys being used. In the sequel we call attacks that exploit information about the cache behavior cache based attacks or CBAs. In particular, it turned out that large tables such as sboxes render an encryption algorithm susceptible to CBAs. Tsunoo et al. [17] published a practical CBA against DES. Further publications of Page [15], Percival [16], Bernstein [3], Osvik et al. [13] and Brickell et al. [7] disclosed the full power of CBAs. See [4,10,12,1,2] for further improvements of CBAs. In particular, the fast AES implementation [8] is susceptible to CBAs. Note that the fast implementation is used in virtually all crypto libraries. It is susceptible to CBAs since it depends heavily on the usage of 5 large sboxes T0 , . . . , T4 each of the size of 1024 bytes. 

This work was partially supported by grants from Intel Corporation, Portland.

C. Adams, A. Miri, and M. Wiener (Eds.): SAC 2007, LNCS 4876, pp. 96–109, 2007. c Springer-Verlag Berlin Heidelberg 2007 

Analysis of Countermeasures Against Access Driven Cache Attacks on AES

97

In this paper we present a strong model for CBAs. Within this model we propose and analyze countermeasures that although they are quite general we describe in detail only for AES. As was pointed out by Bernstein in [3], the threat model that is often implicitly used for CBAs may not be strong enough. In particular, often it is assumed that the adversary A only can extract information from the cache before and after the encryption. This assumption is wrong from the theoretical point of view due to the process switching of the operating system. Moreover, it also has been practically disproved in [11]. Hence, several of the countermeasures proposed in the literature so far ma

Recommend Documents

Classical Countermeasures Against Differential Fault Analysis

207 87 512KB

On Robustness and Countermeasures of Reliable Server Pooling Systems Against Denial of Service Attacks

176 16 30MB

Quantum Collision Attacks on AES-Like Hashing with Low Quantum Random Access Memories

151 2 24MB

Adaptive caches as a defense mechanism against cache side-channel attacks

170 100 2MB

IE-Cache: Counteracting Eviction-Based Cache Side-Channel Attacks Through Indirect Eviction

180 89 24MB

CacheZoom: How SGX Amplifies the Power of Cache Attacks

157 76 997KB

Certifying Decision Trees Against Evasion Attacks by Program Analysis

188 92 39MB

To infect or not to infect: a critical analysis of infective countermeasures in fault attacks

141 47 2MB

Robust Tracking Against Adversarial Attacks

191 105 235MB

Data Security in Wireless Sensor Networks: Attacks and Countermeasures

177 7 31MB

Cloud Computing Security: Hardware-Based Attacks and Countermeasures

189 76 9MB

After you, please: browser extensions order attacks and countermeasures

136 10 1MB