CN101924600A - Method for detecting capability of resisting energy analysis attacks of cryptographic module - Google Patents
Publication number: CN101924600A (application CN201010241607A)
Authority: CN (China)
Prior art keywords: reference value, energy, module, analysis attacks, crypto module
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes: Storage Device Security (AREA)
Abstract
The present invention discloses a method for detecting a cryptographic module's capability to resist power analysis attacks, comprising the following steps: 1) carry out a power analysis attack on the cryptographic module and obtain the reference value of each candidate sub-key s_i; 2) compute the reference-value span Δt from the reference values of all sub-keys; 3) compute the cryptographic module's power-analysis resistance factor of safety r from the reference-value span Δt; 4) measure the cryptographic module's capability to resist power analysis attacks according to the size of r. Resistance and the factor of safety r are positively correlated. With the present invention, the security and the degree of security against power analysis of computing equipment containing a cryptographic module can be measured accurately and rapidly, providing a necessary basic method and supporting tool for the design, analysis and evaluation of cryptographic modules.
Description
Technical field
The present invention relates to the field of information security technology, in particular to the physical security of cryptographic modules. It can be applied to detecting the capability of a cryptographic module implementation to resist power analysis attacks, and is mainly used in the design, analysis and evaluation of cryptographic systems.
Background technology
Cryptographic modules are widely used in electronic products that involve cryptographic security, such as smart cards, online-banking USB keys and RFID tags. In practice, the large body of attack and cryptanalysis research directed at cryptographic modules bears directly on the security of the electronic products that use such modules.
Side-channel attacks are an important branch of cryptanalysis research. A side-channel attack obtains key information by acquiring and analysing the relationship between variations in electrical or electromagnetic signals during the operation of a cryptographic module and the intermediate values or operations being executed. Research practice shows that even when a cryptographic algorithm is secure in the mathematical sense, side-channel information leaked by an inappropriate implementation can still cause serious security hazards. Power analysis attacks are a typical and powerful side-channel attack of this kind. The method is highly effective in practice, has received wide attention, and has become a hot topic in the side-channel field. The capability of a cryptographic module to resist power analysis attacks directly determines how secure the corresponding electronic product is. The present invention proposes a procedure and basic method for detecting the defensive capability of a cryptographic module against power analysis attacks, providing a necessary basic method and supporting tool for the design, analysis and evaluation of cryptographic systems.
Summary of the invention
The invention provides a method for detecting a cryptographic module's capability to resist power analysis attacks; the evaluation procedure quantitatively assesses how strong that capability is.
In a power analysis attack, each candidate sub-key s_i (1 ≤ i ≤ n, where n is the number of candidate sub-keys) corresponds to a numerical value that characterises the likelihood that this sub-key is correct; this value is called the reference value of candidate sub-key s_i.
The basic idea of the present invention is to convert the reference values corresponding to all candidate sub-keys s_i into samples of a Gaussian-distributed random variable. If all reference values obey the same or very similar distributions, the adversary cannot easily distinguish the correct sub-key by the reference values of the candidate sub-keys, i.e. the cryptographic module is secure against power analysis attacks.
Based on the above idea, the technical scheme of the present invention is a method for detecting a cryptographic module's capability to resist power analysis attacks, comprising the following main steps:
1) carry out a power analysis attack on the cryptographic module and obtain the reference value of each candidate sub-key s_i;
2) compute the reference-value span Δt from the reference values of all candidate sub-keys;
3) compute the cryptographic module's power-analysis resistance factor of safety r from the reference-value span Δt;
4) assess the cryptographic module's capability to resist power analysis attacks according to the size of r; the factor of safety r is positively correlated with this capability.
The concrete operation of each step is described further below. First, the concrete implementation of step 1) is:
i. randomly generate plaintexts for the cryptographic module;
ii. feed the plaintexts into the cryptographic module one by one, perform the cryptographic operation and collect the power traces (power consumption curves) of the cryptographic module;
iii. guess the sub-keys of the cryptographic module one by one and use a distinguisher to obtain the reference value corresponding to each candidate sub-key s_i.
In step ii, the method of collecting the cryptographic module's power traces is:
a) start the encryption device containing the cryptographic module;
b) set the plaintext input of the encryption device;
c) the encryption device executes the cryptographic algorithm and sends a trigger signal to the oscilloscope;
d) the oscilloscope samples and measures the power consumption of the encryption device and transfers the sampled result to a computer;
e) repeat steps b) to d) until the number of power traces sampled satisfies the needs of the attack.
In step 2), the reference values must first be transformed according to the chosen distinguisher. If the difference-of-means test is used as the distinguisher, the reference values are left unchanged (identity transformation); if the Pearson correlation coefficient is used as the distinguisher, the Fisher transformation is applied to the reference values. The reference-value span Δt is then computed from the transformed reference values, where the two quantities entering the span are the statistical estimates of the maximum and minimum reference values respectively; S is the statistical estimate of the standard deviation of all reference values, computed from the statistical estimate of the mean of all reference values; and n is the number of candidate sub-keys.
In step 3), the cryptographic module's power-analysis resistance factor of safety r is computed from Δt, where h(t) is the probability density function of the t(n-1) distribution (the t distribution with n-1 degrees of freedom) and t is the test statistic.
The stronger the cryptographic module's resistance to power analysis attacks, the less significant the difference between the maximum and minimum reference values. That is, the smaller the reference-value span Δt, the larger the factor of safety r; conversely, the larger the reference-value span Δt, the smaller the factor of safety r.
In step 4), the cryptographic module's capability to resist power analysis attacks is judged from r. Concretely, a threshold r_t is set for r: a cryptographic module with r greater than r_t is considered secure against power analysis attacks, and a cryptographic module with factor of safety r less than the threshold r_t is considered insecure against power analysis attacks. The preferred value of r_t is between 0.01 and 0.05.
The method of the present invention quantifies a cryptographic module's resistance to power analysis attacks and helps to evaluate accurately and rapidly the security and degree of security of security products equipped with cryptographic computing functions. Concretely, the present invention can be applied to smart cards and other embedded-microprocessor devices, which are widely used in special-purpose or general-purpose computing equipment in fields such as finance, government and public services. With the present invention, a cryptographic module's capability to resist power analysis attacks can be detected rapidly. The invention provides an effective basic supporting tool for comparing the power-analysis resistance of different cryptographic module products of the same type, and for the security evaluation of a wide range of encryption devices under power analysis attacks.
Description of drawings
Fig. 1 is a flow chart of the method of the present invention for detecting a cryptographic module's capability to resist power analysis attacks;
Fig. 2 is a schematic diagram of a power analysis attack;
Fig. 3 is the basic measurement configuration for power traces in a power analysis attack;
Fig. 4 is the interaction sequence between the devices in the basic configuration of a power analysis attack.
Embodiment
Detect the method for capability of resisting energy analysis attacks of cryptographic module, comprising:
1) crypto module is implemented energy spectrometer and attack, obtain each candidate's sub-key s
iReference value
3) calculate the crypto module energy spectrometer according to reference value span delta t and attack defensive ability/resistance ability factor of safety r;
4) according to the big or small ability of assessing resisting energy analysis attacks of cryptographic module of r, factor of safety r and this ability positive correlation.
Referring to Fig. 1, the concrete flow and method are as follows:
S101: obtain the reference value of each candidate sub-key s_i by carrying out a power analysis attack on the cryptographic module.
S103: compute S, the standard deviation of all reference values, from the mean of all reference values, where n is the number of candidate sub-keys.
S105: compute the cryptographic module's power-analysis resistance factor of safety r, where h(t) is the probability density function of the t(n-1) distribution.
S106: assess the cryptographic module's capability to resist power analysis attacks according to the size of the factor of safety. The larger the factor of safety r, the stronger the cryptographic module's resistance to power analysis attacks; the smaller r, the weaker that resistance. If the cryptographic module's resistance to power analysis attacks exceeds a given security threshold r_t, the cryptographic module is considered secure against power analysis attacks; otherwise it is considered insecure. Usually the security threshold r_t takes a value of 0.01 to 0.05.
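As an added example (not the patent's own code or formulas), the following Python implements steps 2) to 4) of the Summary, i.e. S103 to S106 above, for a list of per-candidate reference values. Because the equations for Δt and r did not survive in this copy of the page, two forms are assumed and marked as such in the code: Δt is taken as the studentized range (max minus min, divided by S), and r as the two-sided tail probability of the t(n-1) distribution beyond Δt, obtained by integrating the density h(t) numerically. The distinguisher labels, function names and the noise-calibration helper are this example's own.

```python
import math
import random
from typing import List, Sequence, Tuple


def fisher_transform(rho: float) -> float:
    """Fisher z-transformation z = atanh(rho) of a Pearson correlation coefficient.
    Clamped just inside (-1, 1): a finite-sample correlation of exactly +/-1
    would otherwise map to infinity."""
    rho = max(-0.999999, min(0.999999, rho))
    return math.atanh(rho)


def transform_reference_values(values: Sequence[float], distinguisher: str) -> List[float]:
    """Step 2, first part: 'dom' (difference-of-means test) keeps the values,
    'pearson' (Pearson correlation coefficient) applies the Fisher transformation."""
    if distinguisher == "dom":
        return list(values)
    if distinguisher == "pearson":
        return [fisher_transform(v) for v in values]
    raise ValueError(f"unknown distinguisher: {distinguisher}")


def reference_value_span(values: Sequence[float]) -> float:
    """ASSUMED form of the span statistic delta_t: (max - min) / S, the studentized
    range, with S the sample standard deviation (n-1 denominator).  If every
    reference value coincides (S == 0) the candidates are indistinguishable and
    the span is 0."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two candidate sub-keys")
    mean = sum(values) / n
    s = math.sqrt(sum((v - mean) ** 2 for v in values) / (n - 1))
    if s == 0.0:
        return 0.0
    return (max(values) - min(values)) / s


def t_pdf(t: float, nu: int) -> float:
    """h(t): density of the t distribution with nu degrees of freedom."""
    log_c = math.lgamma((nu + 1) / 2) - math.lgamma(nu / 2) - 0.5 * math.log(nu * math.pi)
    return math.exp(log_c - (nu + 1) / 2 * math.log1p(t * t / nu))


def t_two_sided_tail(delta_t: float, nu: int, steps: int = 4000) -> float:
    """P(|T| > delta_t) for T ~ t(nu) = 1 - 2 * integral_0^delta_t h(t) dt,
    using composite Simpson's rule and the symmetry of h (stdlib only)."""
    x = abs(delta_t)
    if x == 0.0:
        return 1.0
    h = x / steps
    acc = t_pdf(0.0, nu) + t_pdf(x, nu)
    for k in range(1, steps):
        acc += (4 if k % 2 else 2) * t_pdf(k * h, nu)
    return max(0.0, 1.0 - 2.0 * acc * h / 3.0)


def factor_of_safety(values: Sequence[float], distinguisher: str = "pearson") -> Tuple[float, float]:
    """Steps 2 and 3: returns (delta_t, r).  ASSUMED form of r: the two-sided tail
    probability of t(n-1) beyond delta_t, so a small span gives r near 1 and a
    large span gives r near 0, matching the positive correlation the page states."""
    z = transform_reference_values(values, distinguisher)
    delta_t = reference_value_span(z)
    return delta_t, t_two_sided_tail(delta_t, len(z) - 1)


def is_resistant(r: float, r_t: float = 0.05) -> bool:
    """Step 4: resistant when r exceeds the threshold r_t (page: 0.01 to 0.05)."""
    return r > r_t


def noise_only_median_r(n: int, trials: int = 200, seed: int = 1) -> float:
    """Calibration check (this example's own): median r when all n reference
    values are pure noise, i.e. what an unexposed module would score.  The
    studentized range of n noise samples grows with n, so r_t must be chosen
    per n rather than copied blindly."""
    rng = random.Random(seed)
    rs = sorted(factor_of_safety([rng.gauss(0.0, 0.01) for _ in range(n)], "dom")[1]
                for _ in range(trials))
    return rs[trials // 2]


if __name__ == "__main__":
    # Constructed reference values for n = 8 candidate sub-keys: one stands out.
    exposed = [0.01, -0.02, 0.00, 0.02, -0.01, 0.01, -0.01, 0.75]
    dt, r = factor_of_safety(exposed, "pearson")
    print(f"delta_t={dt:.3f} r={r:.4f} resistant={is_resistant(r)}")
    print(f"noise-only median r for n=8: {noise_only_median_r(8):.4f}")
```

The calibration helper is the check a practitioner should run before trusting a threshold: with the assumed span form, even eight pure-noise reference values give a studentized range near 3 and hence an r below 0.05, so the threshold has to be set against the noise-only distribution for the actual number of candidates n, or the page's own Δt formula substituted for the assumed one.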
Step S101 obtains the reference value of each candidate sub-key s_i by carrying out a power analysis attack on the cryptographic module. This process is exactly the process of performing a power analysis attack; referring to Fig. 2, its concrete principle comprises the following steps:
i. randomly generate plaintexts for the cryptographic module;
ii. under the action of key s_c, while the target device performs q cryptographic operations, the adversary samples and obtains q power traces L_q = [l_1, l_2, ..., l_q]. For each power trace l_i (i = 1, 2, ..., q), the adversary stores the corresponding plaintext x_i in the vector X_q = [x_1, x_2, ..., x_q].
iii. for each sub-key guess s_i ∈ S, do the following:
a) for each plaintext x_i in the vector X_q = [x_1, x_2, ..., x_q] and the sub-key guess s, the adversary predicts the intermediate value in the target device and stores it in a vector;
b) for each intermediate value in that vector, the adversary computes the corresponding power consumption according to a power leakage model and stores it in a vector;
c) the adversary computes the reference value corresponding to sub-key guess s_i by a statistical method.
iv. apply the corresponding transformation to the reference values (when the difference-of-means test is used as the distinguisher, the identity transformation; when the Pearson correlation coefficient is used as the distinguisher, the Fisher transformation) so that the reference value corresponding to each sub-key guess can be described by a normal distribution; the transformed result is taken as the adjusted reference value.
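Steps i to iv above, as an added example that is not part of the original patent: a constructed Python simulation of step S101 in which the target "module" is a toy 4-bit S-box lookup whose power trace at the point of interest is modelled as the Hamming weight of the S-box output plus Gaussian noise. It produces the per-candidate reference values for both distinguishers named in the text, the difference-of-means test and the Pearson correlation coefficient, and contrasts an unprotected module with one whose consumption does not depend on the intermediate value. The S-box choice, leakage model, noise level and all names are this example's assumptions.

```python
import math
import random
from typing import List, Sequence

# The 4-bit S-box of the PRESENT cipher, used only as a toy target; the module
# under evaluation is simulated here, not real hardware.
SBOX4 = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
CANDIDATES = range(16)  # the set S of sub-key guesses (n = 16)


def predict_intermediate(x: int, s: int) -> int:
    """Step iii a): the intermediate value the module computes for plaintext x
    under sub-key guess s (S-box output)."""
    return SBOX4[x ^ s]


def leakage_model(v: int) -> float:
    """Step iii b): Hamming-weight power leakage model (an assumption of this example)."""
    return float(bin(v).count("1"))


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Step iii c), distinguisher 2: Pearson correlation between predicted and measured consumption."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0.0 or vb == 0.0 else cov / math.sqrt(va * vb)


def difference_of_means(select: Sequence[int], traces: Sequence[float]) -> float:
    """Step iii c), distinguisher 1: difference-of-means test on the traces
    partitioned by a predicted selection bit."""
    ones = [t for b, t in zip(select, traces) if b]
    zeros = [t for b, t in zip(select, traces) if not b]
    if not ones or not zeros:
        return 0.0
    return sum(ones) / len(ones) - sum(zeros) / len(zeros)


def reference_values(plaintexts: Sequence[int], traces: Sequence[float], distinguisher: str) -> List[float]:
    """Step S101: one reference value per candidate sub-key s_i in S."""
    out = []
    for s in CANDIDATES:
        inter = [predict_intermediate(x, s) for x in plaintexts]
        if distinguisher == "pearson":
            out.append(pearson([leakage_model(v) for v in inter], traces))
        elif distinguisher == "dom":
            out.append(difference_of_means([v & 1 for v in inter], traces))
        else:
            raise ValueError(f"unknown distinguisher: {distinguisher}")
    return out


def make_plaintexts(q: int, seed: int = 3) -> List[int]:
    """Step i: q random 4-bit plaintexts (constructed)."""
    rng = random.Random(seed)
    return [rng.randrange(16) for _ in range(q)]


def simulate_traces(plaintexts: Sequence[int], secret: int, noise_sd: float,
                    leaks: bool, seed: int = 7) -> List[float]:
    """Constructed stand-in for step ii: one sample per operation at the point
    of interest.  leaks=True models an unprotected module (Hamming weight of
    the S-box output plus Gaussian noise); leaks=False a module whose
    consumption does not depend on the intermediate value (constant plus noise)."""
    rng = random.Random(seed)
    out = []
    for x in plaintexts:
        signal = leakage_model(predict_intermediate(x, secret)) if leaks else 2.0
        out.append(signal + rng.gauss(0.0, noise_sd))
    return out


def best_candidate(values: Sequence[float]) -> int:
    """Index of the candidate with the largest |reference value|."""
    return max(range(len(values)), key=lambda i: abs(values[i]))


if __name__ == "__main__":
    SECRET = 0x9  # constructed secret sub-key s_c of the simulated module
    pts = make_plaintexts(300)
    for label, leaks in (("unprotected", True), ("non-leaking", False)):
        traces = simulate_traces(pts, SECRET, noise_sd=0.5, leaks=leaks)
        for dist in ("pearson", "dom"):
            vals = reference_values(pts, traces, dist)
            print(f"{label:12s} {dist:8s} best=0x{best_candidate(vals):X} "
                  f"max|ref|={max(abs(v) for v in vals):.3f}")
```

For the evaluator, the useful output is the whole vector of reference values rather than the single best candidate: in the unprotected case one value stands far above the rest, while in the non-leaking case all sixteen stay near zero and look like samples from one distribution, which is exactly the condition the patent's span statistic is meant to measure.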
Measuring the power trace of the cryptographic module while it performs the cryptographic operation in step ii requires a dedicated power measurement environment.
The main components of the measurement configuration are: a power supply, a clock generator, the encryption device, a measuring circuit (EM probe or probe), a digital oscilloscope and a PC, as shown in Fig. 3. The measuring circuit provides the digital sampling oscilloscope with a signal proportional to the instantaneous power consumption of the encryption device. The PC controls the encryption device and the digital oscilloscope, stores the measured power traces, and analyses them.
While the encryption device performs the cryptographic operation, the above components must interact according to the following basic procedure in order to measure the device's power consumption, as shown in Fig. 4. First, in step (1), the encryption device powers up and receives the clock signal; the device is now in an operable state and can accept commands. Next, in step (2), the PC configures the oscilloscope. In step (3), the plaintext input of the encryption device is set, and the encryption device begins to execute the cryptographic algorithm and sends a trigger signal to the oscilloscope. During algorithm execution, in step (4), the oscilloscope measures the power consumption of the encryption device via the measuring circuit. In step (5), the PC obtains the output of the cryptographic algorithm from the device, and finally, in step (6), the PC obtains the sampled power trace from the oscilloscope. Steps (2) to (6) are repeated until the number of sampled power traces satisfies the needs of the attack.
It should be particularly pointed out that the present invention is equally applicable to other types of attack, such as electromagnetic analysis attacks. Although specific examples and drawings of the present invention are disclosed for the purpose of illustration, to aid understanding and implementation of the invention, those skilled in the art will appreciate that various substitutions, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The present invention should not be limited to the preferred embodiment of this specification and the content disclosed in the drawings; the scope of protection of the present invention is defined by the claims.
Claims (10)
1. A method for detecting a cryptographic module's capability to resist power analysis attacks, comprising the steps of:
1) carrying out a power analysis attack on the cryptographic module and obtaining the reference value of each candidate sub-key s_i;
2) computing the statistic Δt, the reference-value span, from the reference values of all candidate sub-keys;
3) computing the cryptographic module's power-analysis resistance factor of safety r from the statistic Δt;
4) assessing the cryptographic module's capability to resist power analysis attacks according to the size of r.
2. The method for detecting a cryptographic module's capability to resist power analysis attacks according to claim 1, characterised in that the concrete method of step 1) is as follows:
i. randomly generate plaintexts for the cryptographic module;
ii. feed the plaintexts into the cryptographic module one by one, perform the cryptographic operation and collect the power traces of the cryptographic module;
3. The method for detecting a cryptographic module's capability to resist power analysis attacks according to claim 2, characterised in that the method of collecting the cryptographic module's power traces in step ii is:
a) start the encryption device containing the cryptographic module;
b) set the plaintext input of the encryption device;
c) the encryption device executes the cryptographic algorithm and sends a trigger signal to the oscilloscope;
d) the oscilloscope samples and measures the power consumption of the encryption device and transfers the sampled result to a computer;
e) repeat steps b) to d) until the number of power traces sampled satisfies the needs of the attack.
4. The method for detecting a cryptographic module's capability to resist power analysis attacks according to claim 1, characterised in that the concrete method of step 2) is: first, apply the corresponding transformation to the reference values to obtain the transformed reference values; second, compute the reference-value span Δt from the transformed reference values, where the two quantities entering the span are the statistical estimates of the maximum and minimum reference values respectively; S is the statistical estimate of the standard deviation of all reference values, computed from the statistical estimate of the mean of all reference values; and n is the number of candidate sub-keys.
8. The method for detecting a cryptographic module's capability to resist power analysis attacks according to claim 1, characterised in that in step 3) the cryptographic module's power-analysis resistance factor of safety r is computed using h(t), the probability density function of the t(n-1) distribution.
9. The method for detecting a cryptographic module's capability to resist power analysis attacks according to claim 1 or claim 8, characterised in that in step 4) a threshold r_t is set for the factor of safety r; a cryptographic module with factor of safety r greater than the threshold r_t is determined to be secure against power analysis attacks, and a cryptographic module with factor of safety r less than the threshold r_t is determined to be insecure against power analysis attacks.
10. The method for detecting a cryptographic module's capability to resist power analysis attacks according to claim 9, characterised in that the threshold r_t preferably takes a value between 0.01 and 0.05.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201010241607 CN101924600B (en) | 2010-07-30 | 2010-07-30 | Method for detecting capability of resisting energy analysis attacks of cryptographic module |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101924600A true CN101924600A (en) | 2010-12-22 |
CN101924600B CN101924600B (en) | 2013-01-02 |
Family
ID=43339271
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 201010241607 Active CN101924600B (en) | 2010-07-30 | 2010-07-30 | Method for detecting capability of resisting energy analysis attacks of cryptographic module |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101924600B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004112306A2 (en) * | 2003-06-12 | 2004-12-23 | Philips Intellectual Property & Standards Gmbh | Method for defence against differential power analysis attacks |
CN101197668A (en) * | 2007-12-06 | 2008-06-11 | 上海交通大学 | Elliptic curve anti-bypass attack method based on randomizing multiplication with symbol scalar |
CN101494537A (en) * | 2009-02-27 | 2009-07-29 | 深圳先进技术研究院 | Quantification and evaluation method for cipher safe chip side channel safe degree |
CN101562522A (en) * | 2009-05-06 | 2009-10-21 | 深圳先进技术研究院 | Realization method of elliptic curve cryptosystem for preventing side-channel attack |
Events: 2010-07-30, CN 201010241607 filed; granted as CN101924600B, status active.
Cited By (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102546150A (en) * | 2012-02-07 | 2012-07-04 | 中国科学院软件研究所 | Cryptographic-equipment-oriented energy leakage acquisition method and system |
CN103199983A (en) * | 2013-01-31 | 2013-07-10 | 国家密码管理局商用密码检测中心 | N-order local area power model in side channel power analysis and application thereof |
CN103199983B (en) * | 2013-01-31 | 2016-04-27 | 国家密码管理局商用密码检测中心 | N rank local energy model in the channel energy analysis of side and application thereof |
CN103973651A (en) * | 2013-02-01 | 2014-08-06 | 腾讯科技(深圳)有限公司 | Account password identification setting and inquiring method and device based on salt password bank |
CN103973651B (en) * | 2013-02-01 | 2018-02-27 | 腾讯科技(深圳)有限公司 | Setting, querying method and device are identified based on the account password of salt cryptographic libraries is added |
CN104572541A (en) * | 2013-10-10 | 2015-04-29 | 上海华虹集成电路有限责任公司 | System and method for acquiring running power consumption of USBKEY |
CN104572541B (en) * | 2013-10-10 | 2017-09-29 | 上海华虹集成电路有限责任公司 | Gather the system and method that USBKEY runs power consumption |
CN103516509A (en) * | 2013-10-24 | 2014-01-15 | 中国科学院信息工程研究所 | Segmented acquisition method and system for side information leakage aiming at password device |
CN103516509B (en) * | 2013-10-24 | 2016-05-11 | 中国科学院信息工程研究所 | Side information leakage segmented acquisition approach and the system of cryptographic-equipment-oriented |
CN105205016A (en) * | 2015-10-22 | 2015-12-30 | 成都芯安尤里卡信息科技有限公司 | Instrument for extracting energy trace of CPU smart card |
CN106936561A (en) * | 2015-12-29 | 2017-07-07 | 航天信息股份有限公司 | A kind of side-channel attack protective capacities appraisal procedure and system |
CN108886467A (en) * | 2016-03-30 | 2018-11-23 | 罗伯特·博世有限公司 | For generating the method, equipment and electric system of encryption key |
CN106301755A (en) * | 2016-08-12 | 2017-01-04 | 中国科学院信息工程研究所 | The noise-reduction method of a kind of energy leakage signal based on wavelet analysis and system |
CN106301755B (en) * | 2016-08-12 | 2019-08-27 | 中国科学院信息工程研究所 | A kind of noise-reduction method and system of the energy leakage signal based on wavelet analysis |
Also Published As
Publication number | Publication date |
---|---|
CN101924600B (en) | 2013-01-02 |
Similar Documents
Publication | Title |
---|---|
CN101924600B (en) | Method for detecting capability of resisting energy analysis attacks of cryptographic module |
Wang et al. | Dynamic data injection attack detection of cyber physical power systems with uncertainties |
EP3220305B1 (en) | Method of testing the resistance of a circuit to a side channel analysis of second order or more |
Kang et al. | False data injection attacks on contingency analysis: Attack strategies and impact assessment |
CN106789955A (en) | A kind of network security situation evaluating method |
CN101494537B (en) | Quantification and evaluation method for cipher safe chip side channel safe degree |
EP3447509B1 (en) | Method of testing the resistance of a circuit to a side channel analysis |
Sreenath et al. | A recursive state estimation approach to mitigate false data injection attacks in power systems |
Aljuffri et al. | Applying thermal side-channel attacks on asymmetric cryptography |
CN108155984B (en) | Reverse engineering analysis method for cryptographic algorithm cluster based on energy analysis |
Wu et al. | Online detection of false data injection attacks to synchrophasor measurements: A data-driven approach |
Cui et al. | Multifractal characterization of distribution synchrophasors for cybersecurity defense of smart grids |
CN106375344A (en) | Intelligent grid load integrity attack detection method for cloud storage |
KR20110060570A (en) | Analysis method of side-chnnel analyzer |
Richter et al. | A Comparison of-Test and Mutual Information as Distinguisher for Side-Channel Analysis |
CN108011707B (en) | Frequency security analysis system and method for hardware encryption equipment |
Díaz et al. | Security estimation in wireless sensor network simulator |
Melzani et al. | Enhancing fault sensitivity analysis through templates |
Duan et al. | Research on the grouping method of side-channel leakage detection |
CN107947969A (en) | Integrated circuit fault-resistant injection attacks safety evaluation method based on comentropy |
Jiang et al. | A lightweight defense scheme for industrial data transmission against eavesdropping attacks and integrity attacks |
Agosta et al. | Design space extension for secure implementation of block ciphers |
CN109214173A (en) | Safety equipment and its attack resistance method |
Sanchez et al. | Electromagnetic field level temporal variation in urban areas |
Zhao et al. | An Optimization for Differential Power Analysis Based on Time Series Verification |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |