Re: [cryptography] side channel analysis on phones

It depends what sort of side channel attacks you are worried about and what sort of crypto algorithms you are using. My knowledge area is cache based side channel attacks.

1. ARM chips use TrustZone, which claims it prevents cache based side channel attacks when running in secure mode but probably amplifies them (I found this on a set of slides for a crypto class a professor had put up on the web a few years back but have not verified it myself).

2. ARMv8 has the AES instruction set, which you should use; some mobile libraries may not use it, so check your library.

3. Timers on ARM chips don't have the same resolution as timers on x86, so cache based attacks are very possible but harder.

Other than using the AES instruction set, which should completely mitigate the risk of cache based side channel attacks against an AES key, I am not sure there is much else you can do. Noise can always be averaged away.

On Fri, Mar 8, 2013 at 2:57 AM, ianG <i...@iang.org> wrote:

> Has anyone done any side channel analysis on phones?
>
> I'm working on an android crypto app at the moment, and an unanswered question from the threat model is how to limit the possibilities of attacking the keys from another app.
>
> I can see obvious techniques of adding additional camouflage crunching and delays, but as there might be smart apps sitting right there in another sandbox, it seems intuitively that just adding noise isn't going to cut it.
>
> iang

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
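Ethan's closing point, that added delays get averaged away while a constant-time path leaves nothing to average, as an added simulation that is not part of the thread. The cycle counts, the uniform jitter model and the 5-sigma decision rule are constructed assumptions, not measurements of any ARM SoC.

```python
import random
import statistics

# Constructed model, not hardware measurements: a secret-dependent operation
# costs BASE_CYCLES, plus LEAK_CYCLES more when the secret bit is 1 (think of
# a cache miss on a key-dependent table lookup in a software AES).
BASE_CYCLES = 1000
LEAK_CYCLES = 40


def leaky_op(secret_bit: int) -> int:
    """Cost of the vulnerable implementation: depends on the secret."""
    return BASE_CYCLES + (LEAK_CYCLES if secret_bit else 0)


def constant_time_op(secret_bit: int) -> int:
    """Cost of a constant-time implementation (or a hardware AES instruction):
    the same whatever the secret, so there is nothing to average out."""
    return BASE_CYCLES + LEAK_CYCLES


def observed(op, secret_bit: int, rng: random.Random, jitter: int) -> int:
    """One measurement as a co-resident app would see it: the true cost plus
    the camouflage delay the defender added, uniform on [0, jitter]."""
    return op(secret_bit) + rng.randint(0, jitter)


def mean_gap(op, samples: int, jitter: int, seed: int = 1) -> float:
    """Mean observed cost for bit=1 minus mean for bit=0, `samples` runs each."""
    rng = random.Random(seed)
    ones = [observed(op, 1, rng, jitter) for _ in range(samples)]
    zeros = [observed(op, 0, rng, jitter) for _ in range(samples)]
    return statistics.fmean(ones) - statistics.fmean(zeros)


def distinguishable(op, samples: int, jitter: int, seed: int = 1) -> bool:
    """True when the measured gap exceeds 5 standard errors of the averaging
    noise. Each sample carries U[0, jitter] noise with variance jitter^2 / 12,
    so the difference of two means of `samples` values has standard error
    sqrt(2) * jitter / sqrt(12 * samples)."""
    sigma = (2 ** 0.5) * jitter / (12 * samples) ** 0.5
    return abs(mean_gap(op, samples, jitter, seed)) > 5 * sigma


if __name__ == "__main__":
    jitter = 50 * LEAK_CYCLES  # camouflage delays 50x larger than the leak itself
    for n in (10, 1_000, 100_000):
        print(f"{n:>7} samples: leaky gap {mean_gap(leaky_op, n, jitter):7.1f} "
              f"({'detected' if distinguishable(leaky_op, n, jitter) else 'hidden'}), "
              f"constant-time gap {mean_gap(constant_time_op, n, jitter):6.1f}")
```

With ten samples the 40-cycle gap is buried in delays fifty times larger; with a hundred thousand it stands out at roughly 15 standard errors, while the constant-time variant never separates no matter how many samples are averaged.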
Re: [cryptography] side channel analysis on phones

Since he's writing an Android client side app, TrustZone is probably not available to him. Also, the latest ARM chips are still ARMv7. We won't see any ARMv8 chips until at least next year. So the AES acceleration instructions are not available to him.

Many SoCs have hardware crypto accelerators on them (separate from the CPU) and they may be accessible through the Android crypto libraries. But this doesn't protect him on chips that don't have accelerators. Those will just use software implementations.

On Mar 8, 2013 5:46 AM, Ethan Heilman <eth...@gmail.com> wrote:

> It depends what sort of side channel attacks you are worried about and what sort of crypto algorithms you are using. My knowledge area is cache based side channel attacks.
>
> 1. ARM chips use TrustZone, which claims it prevents cache based side channel attacks when running in secure mode but probably amplifies them (I found this on a set of slides for a crypto class a professor had put up on the web a few years back but have not verified it myself).
>
> 2. ARMv8 has the AES instruction set, which you should use; some mobile libraries may not use it, so check your library.
>
> 3. Timers on ARM chips don't have the same resolution as timers on x86, so cache based attacks are very possible but harder.
>
> Other than using the AES instruction set, which should completely mitigate the risk of cache based side channel attacks against an AES key, I am not sure there is much else you can do. Noise can always be averaged away.
>
> On Fri, Mar 8, 2013 at 2:57 AM, ianG <i...@iang.org> wrote:
>
>> Has anyone done any side channel analysis on phones?
>>
>> I'm working on an android crypto app at the moment, and an unanswered question from the threat model is how to limit the possibilities of attacking the keys from another app.
>>
>> I can see obvious techniques of adding additional camouflage crunching and delays, but as there might be smart apps sitting right there in another sandbox, it seems intuitively that just adding noise isn't going to cut it.
>>
>> iang
Re: [cryptography] side channel analysis on phones

On Fri, Mar 08, 2013 at 07:45:55AM -0500, Ethan Heilman wrote:
> It depends what sort of side channel attacks you are worried about and what sort of crypto algorithms you are using. My knowledge area is cache based side channel attacks.
>
> 1. ARM chips use TrustZone, which claims it prevents cache based side channel attacks when running in secure mode but probably amplifies them (I found this on a set of slides for a crypto class a professor had put up on the web a few years back but have not verified it myself).

Some of the systems I have seen that use TrustZone flush the cache on entry to and exit from the monitor. It's quite a performance hit.

> 2. ARMv8 has the AES instruction set, which you should use; some mobile libraries may not use it, so check your library.

Many ARM SoCs have AES blocks already integrated.

> 3. Timers on ARM chips don't have the same resolution as timers on x86, so cache based attacks are very possible but harder.

The ARM has no timers as such; it's up to the SoC vendor to integrate them. And some of them are very high resolution.

B.
Re: [cryptography] side channel analysis on phones

On 08/03/2013 14:11, Rob Kendrick wrote:
>> 3. Timers on ARM chips don't have the same resolution as timers on x86, so cache based attacks are very possible but harder.
>
> The ARM has no timers as such; it's up to the SoC vendor to integrate them. And some of them are very high resolution.

At least some ARM cores have a System Timer, named SysTick:
http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dai0179b/ar01s02s08.html

Francois Grieu
Re: [cryptography] side channel analysis on phones

On Fri, Mar 8, 2013 at 2:57 AM, ianG <i...@iang.org> wrote:
> Has anyone done any side channel analysis on phones?
>
> I'm working on an android crypto app at the moment, and an unanswered question from the threat model is how to limit the possibilities of attacking the keys from another app.
>
> I can see obvious techniques of adding additional camouflage crunching and delays, but as there might be smart apps sitting right there in another sandbox, it seems intuitively that just adding noise isn't going to cut it.

Somewhat related: a company called Riscure was doing it remotely. They did a BlackHat in 2008. I believe they now have a commercial product.

http://www.google.com/#q=riscure+side+channel+analysis+filetype:pdf

Jeff
[cryptography] [ANN] RbNaCl 1.0.0: Cryptography for Ruby that doesn't suck

I'm happy to announce the first public release of RbNaCl, a Ruby binding to the Networking and Cryptography library by Daniel J. Bernstein:

https://github.com/cryptosphere/rbnacl

RbNaCl is actually a Ruby FFI binding to the shared library provided by Sodium, a more portable repackaging of NaCl based entirely on the reference C code in NaCl with all assembly removed:

http://labs.umbrella.com/2013/03/06/announcing-sodium-a-new-cryptographic-library/

NaCl itself has been designed to be relatively easy to use, with many common cryptographic user errors eliminated from its algorithms by design. It provides APIs which seek to eliminate mistakes, and therefore has relatively simple requirements in order for users to utilize it securely.

RbNaCl is one of the few Ruby crypto libraries which provides authenticated encryption modes, and wraps both the box (public-key) and secret_box (secret-key) encryption functions provided by NaCl. In addition, RbNaCl also exposes the Ed25519 digital signature algorithm, a fast and deterministic alternative to algorithms like (EC)DSA. Finally, RbNaCl also wraps the hash functions and HMAC support found in NaCl.

If you're looking to do cryptography in Ruby, RbNaCl is one of your best options.

Enjoy!

-- 
Tony Arcieri