
Implementation and Side-Channel Analysis of Anonymous - COSIC PDF

97 Pages·2009·4.53 MB·English

Faculty of Engineering
Department of Electrical Engineering – ESAT
KATHOLIEKE UNIVERSITEIT LEUVEN

Implementation and side-channel analysis of anonymous credentials on Java Card platforms
(original Dutch title: Implementatie en nevenkanaalanalyse van anonieme legitimatiebewijzen op Java Card platformen)

Thesis submitted in partial fulfilment of the requirements for the degree of Master in de Ingenieurswetenschappen: Elektrotechniek (ICT), optie ICT-multimedia en signaalverwerking (Burgerlijk elektrotechnisch ingenieur)

Michaël Sterckx

Promotors: Prof. Dr. Ir. Ingrid Verbauwhede, Prof. Dr. Ir. Bart Preneel, Prof. Dipl.-Ing. Dr. techn. Karl C. Posch
Supervisors: Ir. Elke De Mulder, Dipl.-Ing. Benedikt Gierlichs
2008–2009

Faculteit Ingenieurswetenschappen
Departement Elektrotechniek – ESAT
KATHOLIEKE UNIVERSITEIT LEUVEN

Implementation and Side-Channel Analysis of Anonymous Credentials on Java Card Platforms

Thesis submitted in partial fulfilment of the requirements for the degree of Master in de Ingenieurswetenschappen: Elektrotechniek (ICT), optie ICT-multimedia en signaalverwerking (Burgerlijk elektrotechnisch ingenieur)

Michaël Sterckx

Promotors: Prof. Dr. Ir. Ingrid Verbauwhede, Prof. Dr. Ir. Bart Preneel, Prof. Dipl.-Ing. Dr. techn. Karl C. Posch
Daily supervision: Ir. Elke De Mulder, Dipl.-Ing. Benedikt Gierlichs
2008–2009

© Copyright K.U.Leuven

Without prior written permission of both the promotor(s) and the author(s), reproducing, copying, using or realising this publication or parts of it is forbidden. For requests for, or information concerning, the reproduction and/or use and/or realisation of parts of this publication, contact K.U.Leuven, Departement Elektrotechniek – ESAT, Kasteelpark Arenberg 10, B-3001 Heverlee (Belgium). Telephone +32-16-32 11 30 & Fax +32-16-32 19 86, or by email: [email protected].

Prior written permission of the promotor(s) is also required for using the (original) methods, products, circuits and programs described in this thesis for industrial or commercial purposes, and for submitting this publication to scientific prizes or competitions.

© Copyright by K.U.Leuven

Without written permission of the promotors and the authors it is forbidden to reproduce or adapt in any form or by any means any part of this publication. Requests for obtaining the right to reproduce or utilize parts of this publication should be addressed to K.U.Leuven, Departement Elektrotechniek – ESAT, Kasteelpark Arenberg 10, B-3001 Heverlee (Belgium). Tel. +32-16-32 11 30 & Fax. +32-16-32 19 86 or by email: [email protected].

A written permission of the promotor is also required to use the methods, products, schematics and programs described in this work for industrial or commercial use, and for submitting this publication in scientific contests.

Acknowledgements

Having arrived at the end of my thesis period, it is my pleasure to gratefully acknowledge the many people who were in some way involved in making it possible. First of all I would like to sincerely thank my daily supervisors Elke and Benedikt for having their door open for me whenever I needed help. I also want to thank them for the many useful comments they gave while writing this text. I would like to thank my promotors Prof. Ingrid Verbauwhede, Prof. Bart Preneel, and Prof. Karl Posch for giving me the opportunity to develop my thesis both at COSIC and at IAIK. Thank you all for introducing me to the exciting field of cryptology. Furthermore I would like to thank my family and friends for their moral and/or financial support and for understanding my absence over the past nine months. Above all I want to thank Ayşe for supporting and motivating me during this time. Thank you, my love.

Last but not least, a special thanks goes out to my dictionary, to do-not-touch-notes for safeguarding my measurement setup, my fellow thesis students at ESAT, and of course our coffee room 01.55.

Michaël Sterckx
Leuven, May 2009

Abstract

Anonymous credential systems allow users to authenticate to organisations while preserving their anonymity. We implement a simplified version of the Direct Anonymous Attestation (DAA) scheme for the remote authentication of a trusted platform module. As a platform for the implementation we choose a Java Card smart card, to allow code portability and integration in a multi-application system. Java programming is inherently inefficient, however, and the DAA protocols are based on complex mathematical operations. This means that a complete implementation in Java code would be far too slow for practical application. Therefore we present workarounds which allow us to obtain a reasonably fast implementation through clever usage of the functionality available on Java Card platforms. We show how a cryptographic coprocessor and/or an optimised cryptographic library available on Java Card smart cards can be used to speed up the implementation of operations not directly offered through a Java Card application programming interface.

Side-channel cryptanalysis considers all vulnerabilities of a cryptographic system related to its implementation. To assess the security of our implementation we apply existing side-channel analysis techniques to Java Card platforms. Since Java Card smart cards are real commercial products, a variety of countermeasures against known side-channel attacks is present on most of these cards. The countermeasures, however, mainly protect the built-in cryptographic functionality. On the cards we investigate, the most important countermeasure stopping attacks on code implemented in Java is an unstable internal clock frequency, which causes misalignment of power traces. Therefore we first present our methods to align traces in the presence of a varying internal clock on the cards. Our "peak alignment method" is based on extracting cycle information out of traces and matching this information among different traces. We use the traces aligned in this way for power analysis and timing attacks on the basic Java Card operations used for the DAA implementation. Although the cryptographic functionality on the platforms we investigate was evaluated as secure, attacks are still possible on Java Card code running on the cards. We show that the different countermeasures on the cards mainly make these attacks harder, but do not essentially prevent them. We present our results for timing attacks and power analysis with different power models, including the template and stochastic model.

Contents

Acknowledgements iii
Abstract v
Contents vi
List of Abbreviations ix
List of Figures x
List of Tables xi
List of Algorithms xiii
1 Introduction 1
  1.1 Goals 1
  1.2 Previous Work 2
  1.3 Notational Conventions 2
  1.4 Structure 3
2 The (Simplified) DAA Protocol 5
  2.1 Anonymous Credentials 5
  2.2 Direct Anonymous Attestation 5
  2.3 Simplified DAA Protocols 7
  2.4 Smart Card Side of the Scheme 8
    2.4.1 Join Protocol 8
    2.4.2 Signing Protocol 9
3 Smart Cards and the Java Card Standard 11
  3.1 Smart Card Basics 11
    3.1.1 Hardware 12
    3.1.2 Communication Model 13
  3.2 Java Card 14
    3.2.1 Java Language Subset 15
    3.2.2 Java Card Converter 15
    3.2.3 Java Card Memory 16
    3.2.4 Java Card Crypto API 16
4 Implementation 19
  4.1 Overview 19
    4.1.1 Functionality Description 19
    4.1.2 Problems 20
    4.1.3 Development Tools 21
    4.1.4 Platforms 21
  4.2 Large Number Addition and Subtraction 21
  4.3 Modular Multi-Exponentiation 23
