Preventing Timing Analysis Attacks with Random and Controlled Waiting Times

Abstract

Along with the widespread concept of the Internet of things, it became more important to prevent various security weaknesses. These weaknesses can occur directly or indirectly. Any unintended information leakage is a danger to whole system. Timing analysis attacks with the use of timing information obtained from a system; they aim to obtain information about the system by interpreting the response of a process or algorithm to variable conditions. In this study, it was aimed to make the information about the observed processing time meaningless by randomly delaying the communication function by looking at the processing times in the best and worst state. As a result of the experimental study, it was observed that the linear relationship between timing information and the key match ratio and the presented method can be an important alternative to hiding this linear relationship.

Keywords

• Side-channel Attacks
• Internet of Things
• Timing Analysis Attacks
• Cryptography
• Cryptographic Analysis
• Random Number Generator

Nesnelerin İnternetinde Rassal ve Kontrollü Bekleme Süresi İle Zamanlama Analizi Saldırılarının Önlenmesi

Abstract

Yaygınlaşan Nesnelerin Interneti konsepti ile birlikte çeşitli güvenlik zaafiyetlerinin önlenmesi daha fazla önem arz etmektedir. Bu zaafiyetler doğrudan veya dolaylı olarak ortaya çıkabilmektedir. Her türlü istenmeyen veri sızıntısı bütün sistem için tehlike teşkil etmektedir. Bir sistemden elde edilen zamanlama bilgisinden faydalanılarak yapılan Zamanlama Analizi Saldırıları; bir işlemin veya algoritmanın değişken şartlara verdiği tepkinin yorumlanmasıyla, sistem hakkında bilgi edinmeyi amaçlar. Bu çalışmada, bir haberleşme fonksiyonunun en iyi ve en kötü durumdaki işleme sürelerine bakılarak rassal olarak geciktirilmesi ile gözlemlenen işlem süresi bilgisinin anlamsız hale getirilmesi amaçlanmıştır. Yapılan deneysel çalışma sonucunda zamanlama bilgisi ile anahtar eşleşme oranında doğrusal ilişki ve sunulan yöntemin bu doğrusal ilişkinin gizlenmesi için önemli bir alternatif olabileceği görülmüştür.

Keywords

• Yan-kanal Saldırıları
• Nesnelerin İnterneti
• Zamanlama Analizi Saldırıları
• Kriptografik Analiz
• Rassal Sayı Üreteci

References

1. Samani, A., Ghenniwa, H. H., & Wahaishi, A. (2015). Privacy in Internet of Things: A model and protection framework. Procedia Computer Science, 52, 606-613.
2. Kocher, P. C. (1996, August). Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In Annual International Cryptology Conference (pp. 104-113). Springer, Berlin, Heidelberg.
3. Janke, M., & Laackmann, P. (2002). Power and timing analysis attacks against security controllers. Infineon Technologies AG, Technology Update, Smart Cards.
4. Anderson, R., & Kuhn, M. (1996, November). Tamper resistance-a cautionary note. In Proceedings of the second Usenix workshop on electronic commerce (Vol. 2, pp. 1-11).
5. Ordu, L., & Yalçın, S. B. Ö. (2016, December) Yan-Kanal Analizi Saldırılarına Genel Bakış.
6. Popp, T., Mangard, S., & Oswald, E. (2007). Power analysis attacks and countermeasures. IEEE Design & test of Computers, 24(6), 535-543.
7. Birkel, H. S., & Hartmann, E. (2020). Internet of Things–the future of managing supply chain risks. Supply Chain Management: An International Journal.
8. Abbass, W., Bakraouy, Z., Baina, A., & Bellafkih, M. (2019). Assessing the Internet of Things Security Risks. J. Commun., 14(10), 958-964.

9. Zhao, K., & Ge, L. (2013, December). A survey on the internet of things security. In 2013 Ninth international conference on computational intelligence and security (pp. 663-667). IEEE.
10. Joy Persial, G., Prabhu, M., & Shanmugalakshmi, R. (2011). Side channel attack-survey. Int J Adva Sci Res Rev, 1(4), 54-57.
11. Perianin, T., Carré, S., Dyseryn, V., Facon, A., & Guilley, S. (2020). End-to-end automated cache-timing attack driven by machine learning. Journal of Cryptographic Engineering, 1-12.
12. Lerman, L., Bontempi, G., & Markowitch, O. (2011). Side channel attack: an approach based on machine learning. Center for Advanced Security Research Darmstadt, 29.
13. Won, Y. S., Chatterjee, S., Jap, D., Bhasin, S., & Basu, A. (2021). Time to Leak: Cross-Device Timing Attack On Edge Deep Learning Accelerator. In 2021 International Conference on Electronics, Information, and Communication (ICEIC) (pp. 1-4). IEEE.
14. Käsper, E., & Schwabe, P. (2009, September). Faster and timing-attack resistant AES-GCM. In International Workshop on Cryptographic Hardware and Embedded Systems (pp. 1-17). Springer, Berlin, Heidelberg.
15. Ambrose, J. A., Parameswaran, S., & Ignjatovic, A. (2008, November). MUTE-AES: A multiprocessor architecture to prevent power analysis based side channel attack of the AES algorithm. In 2008 IEEE/ACM International Conference on Computer-Aided Design (pp. 678-684). IEEE.
16. Dhem, J. F. (1998). Design of an efficient public-key cryptographic library for RISC-based smart cards (Doctoral dissertation, UCL-Université Catholique de Louvain).
17. Walter, C. D. (1999). Montgomery exponentiation needs no final subtractions. Electronics letters, 35(21), 1831-1832.
18. Walter, C. D. (2002, February). MIST: An efficient, randomized exponentiation algorithm for resisting power analysis. In Cryptographers’ Track at the RSA Conference (pp. 53-66). Springer, Berlin, Heidelberg.
19. Hachez, G., & Quisquater, J. J. (2000, August). Montgomery exponentiation with no final subtractions: Improved results. In International Workshop on Cryptographic Hardware and Embedded Systems (pp. 293-301). Springer, Berlin, Heidelberg.
20. Schindler, W. (2015, September). Exclusive exponent blinding may not suffice to prevent timing attacks on RSA. In International Workshop on Cryptographic Hardware and Embedded Systems (pp. 229-247). Springer, Berlin, Heidelberg.
21. Mukherjee, A. (2015). Physical-layer security in the Internet of Things: Sensing and communication confidentiality under resource constraints. Proceedings of the IEEE, 103(10), 1747-1761.
22. Kim, J. T. (2017, May). Analyses of secure authentication scheme for smart home system based on internet on things. In 2017 International Conference on Applied System Innovation (ICASI) (pp. 335-336). IEEE.
23. Katagi, M., & Moriai, S. (2008). Lightweight cryptography for the internet of things. Sony Corporation, 2008, 7-10.
24. Kaps, J. P. (2008, December). Chai-tea, cryptographic hardware implementations of xtea. In International Conference on Cryptology in India (pp. 363-375). Springer, Berlin, Heidelberg.
25. Kim, Y., & Yoon, H. (2014). First Experimental Result of Power Analysis Attacks on a FPGA Implementation of LEA. IACR Cryptol. ePrint Arch., 2014, 999.
26. Williams, D. (2008). The tiny encryption algorithm (tea). Network Security, 1-14.
27. Zhao, X. J., Wang, T., & Zheng, Y. (2009). Cache Timing Attacks on Camellia Block Cipher. IACR Cryptol. ePrint Arch., 2009, 354.
28. Walter, C. D., & Thompson, S. (2001, April). Distinguishing exponent digits by observing modular subtractions. In Cryptographers’ Track at the RSA Conference (pp. 192-207). Springer, Berlin, Heidelberg.
29. Kocher, P., Jaffe, J., & Jun, B. (1999, August). Differential power analysis. In Annual international cryptology conference (pp. 388-397). Springer, Berlin, Heidelberg.
30. Tiri, K., & Verbauwhede, I. (2003, September). Securing encryption algorithms against DPA at the logic level: Next generation smart card technology. In International Workshop on Cryptographic Hardware and Embedded Systems (pp. 125-136). Springer, Berlin, Heidelberg.
31. Coron, J. S. (1999, August). Resistance against differential power analysis for elliptic curve cryptosystems. In International workshop on cryptographic hardware and embedded systems (pp. 292-302). Springer, Berlin, Heidelberg.
32. Goubin, L., & Patarin, J. (1999, August). DES and differential power analysis the “Duplication” method. In International Workshop on Cryptographic Hardware and Embedded Systems (pp. 158-172). Springer, Berlin, Heidelberg.