CN101924600B - Method for detecting capability of resisting energy analysis attacks of cryptographic module - Google Patents
Abstract
The invention discloses a method for detecting the capability of a cryptographic module to resist power analysis attacks. It comprises the following steps: 1) perform power analysis on the cryptographic module and obtain the reference value of each candidate sub-key s_i; 2) calculate the reference-value span Δt from the reference values of all sub-keys; 3) calculate the safety factor r of the module's resistance to power analysis from the reference-value span Δt; 4) assess the module's capability to resist power analysis attacks according to the magnitude of r. Resistance and safety factor r are positively correlated. With this invention, the security and safety margin against power analysis of computing equipment containing a cryptographic module can be measured accurately and rapidly, providing the necessary basic methods and supporting tools for the design, analysis and evaluation of cryptographic modules.
Description
Technical field
The present invention relates to the field of information security, in particular the physical security of cryptographic modules. It can be applied to detecting the capability of a cryptographic module implementation to resist power analysis attacks, and is mainly used in the design, analysis, testing and evaluation of cryptographic systems.
Background technology
Cryptographic modules are widely used in electronic products that involve cryptographic security, such as smart cards, online-banking USB keys and RFID tags. In practice, a large amount of attack, cryptanalysis and research activity is directed at cryptographic modules, and it bears directly on the security of the electronic products that use them.
Side-channel attacks are an important branch of cryptanalytic research. A side-channel attack obtains key information by acquiring and analysing the relationship between variations in the electrical or electromagnetic signals emitted while a cryptographic module operates and the intermediate values or operations being executed. Research practice shows that even when a cryptographic algorithm is secure in the mathematical sense, the side-channel information leaked by an inappropriate implementation can still cause serious security hazards. Power analysis is a typical and powerful side-channel attack of this kind. Its practical effectiveness is remarkable, it has attracted wide attention, and it has become a hot topic in the side-channel field. A cryptographic module's capability to resist power analysis attacks directly determines the security level of the corresponding electronic products. The present invention proposes a procedure and a basic method for detecting a cryptographic module's defence capability against power analysis, providing the necessary basic methods and supporting tools for the design, analysis and assessment of cryptographic systems.
Summary of the invention
The invention provides a method for detecting the capability of a cryptographic module to resist power analysis attacks; the assessment procedure gives a quantitative evaluation of how strong that capability is.
In the power analysis process, each candidate sub-key s_i (1 ≤ i ≤ n, where n is the number of candidate sub-keys) corresponds to a numerical value that characterises the likelihood that this sub-key is the correct one; this value is called the reference value of candidate sub-key s_i.
The basic idea of the invention is to convert the reference values corresponding to all candidate sub-keys s_i into samples of a Gaussian-distributed random variable. If all reference values obey the same or a very similar distribution, the adversary has difficulty distinguishing the correct sub-key from the reference values of the candidates; that is, the cryptographic module is secure against power analysis.
Based on the above reasoning, the technical scheme of the invention is a method for detecting the capability of a cryptographic module to resist power analysis attacks, comprising the following main steps:
1) perform power analysis on the cryptographic module and obtain the reference value of each candidate sub-key s_i;
2) calculate the reference-value span Δt from the reference values of all sub-keys;
3) calculate the safety factor r of the module's resistance to power analysis from the reference-value span Δt;
4) assess the module's capability to resist power analysis attacks according to the magnitude of r; the safety factor r is positively correlated with this capability.
Each step is described in more detail below. First, the procedure and method of step 1) are:
i. randomly generate plaintexts for the cryptographic module;
ii. input the plaintexts one by one into the cryptographic module, perform the cryptographic operation and collect the module's power traces (power consumption curves);
iii. guess the sub-keys of the cryptographic module one by one and use a distinguisher to obtain the reference value corresponding to each candidate sub-key s_i.
In step ii, the method of collecting the module's power traces is:
a) set up the cryptographic module;
b) the cryptographic module executes the cryptographic algorithm and sends a trigger signal to the oscilloscope;
c) the oscilloscope samples and measures the module's power consumption values and transfers the sampled result to the computer;
d) repeat steps b) to c) until the number of sampled power traces meets the needs of the attack.
In step 2), the reference values must first be transformed according to the chosen distinguisher. If the difference-of-means test is used as the distinguisher, the identity transform is applied to the reference values; if the Pearson correlation coefficient is used as the distinguisher, the Fisher transform is applied. The transformed reference values are the ones used in what follows.
The reference-value span Δt is then computed from the following quantities: the statistical estimates of the maximum and the minimum reference value; S, the statistical estimate of the standard deviation of all reference values, which is computed from the statistical estimate of the mean of all reference values; and n, the number of candidate sub-keys.
In step 3), the safety factor r of the module's resistance to power analysis is computed from Δt using h(t), the probability density function of the t distribution with n−1 degrees of freedom (the t(n−1) distribution).
The stronger the module's resistance to power analysis, the less significant the difference between the maximum reference value and the minimum reference value. That is, the smaller the reference-value span Δt, the larger the safety factor r; conversely, the larger Δt, the smaller r.
In step 4), the module's capability to resist power analysis attacks is judged according to r. Specifically, a threshold r_t is set for r: a cryptographic module whose safety factor r is greater than r_t is considered secure against power analysis, and a module whose safety factor r is less than r_t is considered insecure against power analysis. The preferred value of r_t lies between 0.01 and 0.05.
The method of the invention quantifies a cryptographic module's defence capability against power analysis and helps to evaluate, accurately and rapidly, the security and safety margin of security products equipped with cryptographic computation functions. Specifically, the invention can be applied to embedded-microprocessor-based devices such as smart cards, which are widely used in special-purpose and general-purpose computing equipment in fields such as finance, government and public services. With the invention, a module's capability to resist power analysis attacks can be detected quickly. It provides an effective basic support tool for cross-comparing the anti-power-analysis capability of different cryptographic module products of the same type, and for the security determination of a wide range of cryptographic devices under power analysis.
Description of drawings
Fig. 1 is the flow chart of the method of the invention for detecting a cryptographic module's capability to resist power analysis attacks;
Fig. 2 is the schematic diagram of power analysis;
Fig. 3 is the basic measurement configuration for power traces in power analysis;
Fig. 4 is the interaction sequence between the devices of the basic power analysis configuration.
Embodiment
Detect the method for capability of resisting energy analysis attacks of cryptographic module, comprising:
3) calculate crypto module power analysis defensive ability/resistance ability factor of safety r according to reference value span delta t;
4) according to the big or small ability of assessing resisting energy analysis attacks of cryptographic module of r, factor of safety r and this ability positive correlation.
Referring to Fig. 1, the specific procedure and method are as follows:
S101: obtain the reference value of each candidate sub-key s_i by performing power analysis on the cryptographic module.
S103: calculate the standard deviation of all reference values, using the mean of all reference values, where n is the number of candidate sub-keys.
S105: calculate the safety factor r of the module's resistance to power analysis, where h(t) is the probability density function of the t(n−1) distribution.
S106: assess the module's capability to resist power analysis attacks according to the magnitude of the safety factor. The larger the safety factor r, the stronger the module's resistance to power analysis; the smaller r, the weaker the resistance. If the module's resistance to power analysis is greater than a given security threshold r_t, the module is considered secure against power analysis; otherwise it is considered insecure. Typically the security threshold r_t takes a value between 0.01 and 0.05.
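Steps S103 to S106 above (and steps 2) to 4) of the summary) as a runnable, added example; this is not code from the patent. The patent's own formulas for Δt and r are not reproduced on this page, so the example assumes Δt = (max − min)/s, the studentized range of the transformed reference values, and r = ∫ from Δt to ∞ of h(t) dt, the upper tail of the t distribution with n−1 degrees of freedom; both forms are assumptions consistent with the prose. The Fisher transform for Pearson-correlation reference values is z = atanh(ρ). The two sets of 16 candidate reference values (one nibble sub-key) are constructed, not measured.

```python
import math
from typing import List, Sequence


def fisher_transform(rho: float) -> float:
    """Fisher z-transform z = atanh(rho) of a Pearson correlation coefficient.

    Maps rho in (-1, 1) onto a value whose sampling distribution is close to
    Gaussian, which is what the t-based test of step 2) relies on."""
    return 0.5 * math.log((1.0 + rho) / (1.0 - rho))


def convert_reference_values(values: Sequence[float], distinguisher: str) -> List[float]:
    """Step 2) conversion as the page states: identity for the
    difference-of-means distinguisher, Fisher transform for Pearson correlation."""
    if distinguisher == "difference-of-means":
        return list(values)
    if distinguisher == "pearson":
        return [fisher_transform(v) for v in values]
    raise ValueError(f"unknown distinguisher: {distinguisher!r}")


def mean_and_sd(values: Sequence[float]):
    """Statistical estimates of the mean and the (n-1) standard deviation (S103)."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / (n - 1)
    return mean, math.sqrt(var)


def reference_value_span(values: Sequence[float]) -> float:
    """Reference-value span delta_t. ASSUMED form: (max - min) / s."""
    _, s = mean_and_sd(values)
    return (max(values) - min(values)) / s


def t_pdf(t: float, nu: float) -> float:
    """h(t): density of Student's t distribution with nu degrees of freedom."""
    log_c = math.lgamma((nu + 1) / 2) - math.lgamma(nu / 2) - 0.5 * math.log(nu * math.pi)
    return math.exp(log_c) * (1.0 + t * t / nu) ** (-(nu + 1) / 2)


def t_upper_tail(x: float, nu: float, steps: int = 20000) -> float:
    """P(T > x) for T ~ t(nu): Simpson's rule on [0, x] plus the symmetry
    P(T > 0) = 1/2, so no integral to infinity is needed."""
    if x < 0:
        return 1.0 - t_upper_tail(-x, nu, steps)
    if x == 0:
        return 0.5
    if steps % 2:          # Simpson needs an even number of sub-intervals
        steps += 1
    h = x / steps
    total = t_pdf(0.0, nu) + t_pdf(x, nu)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * t_pdf(i * h, nu)
    return 0.5 - total * h / 3.0


def safety_factor(values: Sequence[float], distinguisher: str):
    """Steps 2)-3): returns (delta_t, r).
    ASSUMED: r = integral of h(t) from delta_t to infinity, nu = n - 1."""
    converted = convert_reference_values(values, distinguisher)
    delta_t = reference_value_span(converted)
    r = t_upper_tail(delta_t, len(converted) - 1)
    return delta_t, r


def verdict(r: float, threshold: float = 0.05) -> str:
    """Step 4): the page's rule, with r_t in the 0.01-0.05 range it states."""
    return "secure" if r > threshold else "insecure"


# Constructed Pearson reference values for 16 candidate nibble sub-keys
# (not measured data). Candidate 7 leaks in LEAKY; NOISY has no leak.
LEAKY = [0.03, -0.02, 0.01, 0.04, -0.03, 0.02, -0.01, 0.62,
         0.00, -0.04, 0.02, 0.01, -0.02, 0.03, -0.01, 0.02]
NOISY = [0.012, -0.031, 0.024, -0.008, 0.041, -0.019, 0.005, -0.044,
         0.033, -0.002, 0.017, -0.027, 0.009, -0.036, 0.028, -0.013]


def evaluate(values: Sequence[float], label: str, threshold: float = 0.05) -> dict:
    """Run the whole pipeline on one module's reference values."""
    delta_t, r = safety_factor(values, "pearson")
    return {"module": label, "delta_t": delta_t, "r": r, "verdict": verdict(r, threshold)}


if __name__ == "__main__":
    for label, vals in (("leaky", LEAKY), ("noisy", NOISY)):
        print(evaluate(vals, label))
```

Under these assumed definitions the leaky module gives Δt ≈ 4.2 and r ≈ 4·10⁻⁴, far below the 0.01 to 0.05 threshold the page states. The noise-only set gives Δt ≈ 3.3 and r ≈ 0.003, so at n = 16 even a module with no detectable leak fails the assumed studentized-range form: the range of n Gaussian samples grows with n, and a single t(n−1) tail does not account for that. The ordering of the two modules is still correct, but a practitioner applying the page's threshold should put the patent's own Δt definition into reference_value_span() before relying on the verdict.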
Step S101 obtains the reference value of each candidate sub-key s_i by performing power analysis on the cryptographic module. This process is exactly the process of carrying out a power analysis attack. Referring to Fig. 2, its principle comprises the following steps:
i. randomly generate plaintexts for the cryptographic module;
ii. under the action of the key s_c, while the target device performs q cryptographic operations, the adversary samples and obtains q power traces L_q = [l_1, l_2, …, l_q]. For each power trace l_i (i = 1, 2, …, q), the adversary stores the corresponding plaintext x_i in the vector X_q = [x_1, x_2, …, x_q].
iii. for each sub-key guess s_i ∈ S, do the following:
a) for each plaintext x_i in the vector X_q = [x_1, x_2, …, x_q] and the sub-key guess s, the adversary predicts the intermediate value in the target device and stores it in a vector of intermediate values;
b) for each intermediate value in that vector, the adversary computes its corresponding power leakage according to the power leakage model and stores it in a vector of predicted leakages;
c) the adversary computes the reference value corresponding to sub-key guess s_i according to a statistical method.
iv. apply the corresponding transform to the reference values (the identity transform when the difference-of-means test is the distinguisher; the Fisher transform when the Pearson correlation coefficient is the distinguisher), so that the reference value corresponding to each sub-key guess can be described by a normal distribution; the adjusted result is used in the following steps.
Measuring the power traces of the cryptographic module while it executes cryptographic operations in step ii requires building a dedicated power measurement environment.
The main components of the measurement configuration are: a power supply, a clock generator, the cryptographic module, a measurement circuit (EM probe or probe), a digital oscilloscope and a PC, as shown in Fig. 3. The measurement circuit provides the digital sampling oscilloscope with a signal that is directly proportional to the instantaneous power consumption of the cryptographic device. The PC controls the cryptographic module and the digital oscilloscope, stores the power traces obtained by measurement, and analyses them.
When the cryptographic module performs cryptographic operations, the above basic components must interact according to the following basic procedure in order to measure the device's power consumption, as shown in Fig. 4. First, in step (1), the cryptographic module is powered on and receives the clock signal; it is now in an operable state and can accept commands. Next, in step (2), the PC configures the oscilloscope. In step (3), the plaintext input of the cryptographic module is set, the module begins executing the cryptographic algorithm and sends a trigger signal to the oscilloscope. During execution of the algorithm, in step (4), the oscilloscope measures the module's power consumption values, which are picked up through the measurement circuit. In step (5), the PC obtains the output of the cryptographic algorithm from the module, and finally, in step (6), the PC obtains the sampled power trace from the oscilloscope. Steps (2) to (6) are repeated until the number of sampled power traces meets the needs of the attack.
It should be particularly noted that the invention applies equally to other types of attack, such as electromagnetic analysis attacks. Although specific embodiments and drawings of the invention are disclosed for the purpose of illustration, their purpose is to aid understanding and implementation of the invention; those skilled in the art will appreciate that various substitutions, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should not be limited to the preferred embodiments and drawings disclosed in this specification; its scope of protection is defined by the claims.
Claims (6)
1. A method for detecting the capability of a cryptographic module to resist power analysis attacks, comprising the steps of:
1) performing power analysis on the cryptographic module to obtain the reference value of each candidate sub-key s_i, comprising:
1-1) randomly generating plaintexts for the cryptographic module;
1-2) inputting the plaintexts one by one into the cryptographic module, performing the cryptographic operation and collecting the module's power traces;
1-3) guessing the sub-keys of the cryptographic module one by one and using a distinguisher to obtain the reference value corresponding to each candidate sub-key s_i;
2) computing the reference-value span Δt from the reference values of all candidate sub-keys, comprising:
2-2) computing the reference-value span Δt from the statistical estimates of the maximum and the minimum reference value, the statistical estimate of the standard deviation of all reference values, the statistical estimate of the mean of all reference values, and n, the number of candidate sub-keys;
3) computing the safety factor r of the module's resistance to power analysis from the reference-value span Δt, where h(t) is the probability density function of the t(n−1) distribution;
4) assessing the module's capability to resist power analysis attacks according to the magnitude of r.
4. The method for detecting the capability of a cryptographic module to resist power analysis attacks according to claim 2, characterised in that the Pearson correlation coefficient is used as the distinguisher and the Fisher transform is applied to the reference values.
5. The method for detecting the capability of a cryptographic module to resist power analysis attacks according to claim 1, characterised in that in step 4) a threshold r_t is set for the safety factor r; a cryptographic module whose safety factor r is greater than the threshold r_t is determined to be secure against power analysis, and a cryptographic module whose safety factor r is less than the threshold r_t is determined to be insecure against power analysis.
6. The method for detecting the capability of a cryptographic module to resist power analysis attacks according to claim 5, characterised in that the threshold r_t is a value between 0.01 and 0.05.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201010241607 CN101924600B (en) | 2010-07-30 | 2010-07-30 | Method for detecting capability of resisting energy analysis attacks of cryptographic module |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101924600A CN101924600A (en) | 2010-12-22 |
CN101924600B true CN101924600B (en) | 2013-01-02 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
C14 | Grant of patent or utility model |
GR01 | Patent grant |