Systematic Research on the Side Channel Vulnerabilities of Improved Rotating S-box Masking Scheme
LIU Zeyi, WANG Tongtong, YIN Zhiyi, GAO Neng, ZHA Daren, TU Chenyang
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
DOI: 10.19363/J.cnki.cn10-1380/tn.2019.07.03
Received: 2017-10-18; Revised: 2018-02-13
Funding: Supported by the Excellent Young Scientists Fund (No. Y710061103).
Abstract:
The Improved Rotating S-box Masking scheme (RSM2.0 for short) is a well-known countermeasure against power analysis attacks. It was first proposed and implemented by the DPA Contest committee to give AES-128 a high level of protection. By combining a first-order masking scheme with a shuffling countermeasure, the committee claims that RSM2.0 is immune to non-profiled attacks and resists several kinds of existing profiled attacks. To study the practical security of RSM2.0, this paper first proposes a general detection method that systematically locates potential vulnerabilities in RSM2.0, and then conducts the analysis from both the profiled and the non-profiled perspective. On the profiled side, the paper proposes a "leakage fingerprint" exploitation technique that recovers the random masks used in RSM2.0 with nearly 100% accuracy. To reduce computation and storage overhead, the technique is further optimized, and we put forward for the first time an objective metric, the "Mean of Nearest Distance" (MOND), to evaluate the performance of fingerprint exploitation under different choices of leakage positions. On the non-profiled side, we devise four kinds of second-order attack schemes that exploit a design flaw in RSM2.0's shuffling countermeasure to bypass the leakage of the shuffled S-boxes and recover the whole 128-bit master key efficiently. For experimental validation, we submitted two profiled attacks and four non-profiled attacks to the official committee. The official evaluation shows that our best profiled attack needs only 4 traces and 100 ms of processing time per trace to reach an 80% Global Success Rate (GSR), and our best non-profiled attack needs 257 traces and 50 ms per trace to compromise RSM2.0. To further improve the practical security of RSM2.0, the paper also discusses a series of possible improvement strategies that counter the threats presented here.
Key words: power analysis attack; DPA Contest; profiled attacks; non-profiled attacks; improved rotating S-box masking scheme
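The non-profiled attacks summarized above are second-order: they combine two leakage samples so that a first-order mask no longer hides the key-dependent value. The simulation below is an added example and not the paper's code; it ignores RSM2.0's rotating mask set and the shuffling that the paper's schemes must bypass, and instead shows the generic centered-product combination against a single Boolean-masked AES S-box. The leakage model (noisy Hamming weight of the mask and of the masked S-box output), the noise level, the trace count and all function names are assumptions made for the illustration; plain first-order CPA on the same constructed traces fails while the second-order attack recovers the key byte.

```python
import math
import random

# ---- AES S-box built from GF(2^8) arithmetic (avoids a hand-typed table) ----

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _gf_inv(a):
    """Multiplicative inverse as a^254; 0 maps to 0, as AES defines."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r

def build_sbox():
    sbox = []
    for x in range(256):
        inv = _gf_inv(x)
        y = inv
        for i in range(1, 5):                       # AES affine transform
            y ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(y ^ 0x63)
    return sbox

SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]        # Hamming-weight leakage model

# ---- Constructed traces (assumed leakage model, not measured data) ----

def simulate_traces(key_byte, n, sigma=0.5, seed=1):
    """Each trace: plaintext byte p, noisy HW of the fresh mask m, and noisy HW of
    the masked S-box output S(p ^ k) ^ m. A first-order Boolean mask, no shuffling."""
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        p = rng.randrange(256)
        m = rng.randrange(256)
        s = SBOX[p ^ key_byte]
        l_mask = HW[m] + rng.gauss(0, sigma)
        l_out = HW[s ^ m] + rng.gauss(0, sigma)
        traces.append((p, l_mask, l_out))
    return traces

# ---- Correlation power analysis ----

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)

def cpa(plaintexts, leakage):
    """Rank the 256 key-byte guesses by |corr(leakage, HW(S(p ^ g)))|."""
    best_g, best_r = None, -1.0
    for g in range(256):
        model = [HW[SBOX[p ^ g]] for p in plaintexts]
        r = abs(pearson(model, leakage))
        if r > best_r:
            best_g, best_r = g, r
    return best_g, best_r

def first_order_cpa(traces):
    """Attack the masked S-box output sample alone: the random mask decorrelates it."""
    plaintexts = [t[0] for t in traces]
    return cpa(plaintexts, [t[2] for t in traces])

def second_order_cpa(traces):
    """Centered product of the mask sample and the masked-output sample, then CPA.
    E[(HW(m)-4)(HW(s^m)-4) | s] = 2 - HW(s)/2, so the product leaks HW(s) linearly."""
    plaintexts = [t[0] for t in traces]
    a = [t[1] for t in traces]
    b = [t[2] for t in traces]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    combined = [(x - ma) * (y - mb) for x, y in zip(a, b)]
    return cpa(plaintexts, combined)

if __name__ == "__main__":
    KEY_BYTE = 0x2B                                   # assumed secret for the demo
    traces = simulate_traces(KEY_BYTE, n=3000)
    print("first-order CPA  (guess, |corr|):", first_order_cpa(traces))
    print("second-order CPA (guess, |corr|):", second_order_cpa(traces))
```

The point of the comparison is the correlation magnitude: for the correct guess the centered product correlates with HW(s) at roughly 0.33 in this noise setting, whereas every guess in the first-order attack sits at the noise floor. Shuffling, which RSM2.0 adds on top of the mask, spreads each S-box's leakage over several time positions and is what forces the combination step to be redesigned, as the paper's four schemes do.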