Application of Physical Attacks

(1)

Application

of

Physical

Attacks

to Real World Systems

to

Real

World

Systems

Workshop Provable Security against Physical Attacks Lorentz Center, Leiden

February 17, 2010 Christof Paar

i

Timo Kasper

Embedded Security Group

Horst Görtz Institute for IT Security Horst Görtz Institute for IT Security Ruhr‐University Bochum

(2)

Acknowledgement

• Thomas Eisenbarth • Thomas Eisenbarth • Markus Kasper • Timo Kasper • Amir Moradi • David Oswald Christof Paar, 17.02.2010

(3)

A

d

Agenda

• Remote Access Control with

Remote

Access

Control

with

KeeLoq

• Contactless Smartcards

with

3DES

• Contactless Payments with

Mifare Classic

• Positive Applications of SCA:

Watermarking

• Positive

Applications of SCA:

Watermarking

• Conclusions &

Auxiliary Stuff

(4)

Remote

Access

Control

with

KeeLoq

q

Christof Paar, 17.02.2010

(5)

KeeLoq

• Introduction to Remote Keyless Entry (RKE) Systems • Introduction to Remote Keyless Entry (RKE) Systems • Phase 1 – Analysis & Frustration

• Phase 1 Analysis & Frustration

• Phase 2 – Breakthrough & EuphoriaPhase 2 Breakthrough & Euphoria • Phase 3 – Optimization &p Routine

(6)

KeeLoq

• Introduction to Remote Keyless Entry (RKE) Systems

KeeLoq

• Introduction to Remote Keyless Entry (RKE) Systems

• Phase 1 – Analysis & Frustration • Phase 1 Analysis & Frustration

• Phase 2 – Breakthrough & EuphoriePhase 2 Breakthrough & Euphorie • Phase 3 – Optimizationp & Routine

(7)

Remote

Keyless

Entry

Systems

(8)

Modern

Keyless Entry

Systems

advanced theft control: rolling code advanced theft control: rolling code

code = e_k(n_i)

rolling code (or hopping code) rolling code (or hopping code)

protects against replay attacks:

1. code = e_k(n) e_k() is often a block cipher k( ) 2. code = e_k(n+1) 3. code = e_k(n+2) 11 _{Christof Paar, 17.02.2010} ….

(9)

Popular Remote

Keyless Entry

Cipher:

KeeLoq

• KeeLoq is used in rolling code mode or in a challenge-response protocol

• widely used for garage doors in US & Europe

• Wikipedia (?):

Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, Jaguar, ...

Q: How secure is KeeLoq?

(10)

KeeLoq

• Introduction to Remote Keyless Entry (RKE) Systems • Introduction to Remote Keyless Entry (RKE) Systems • Phase 1 – Analysis & Frustration

• Phase 1 – Analysis & Frustration

• Phase 2 – Breakthrough & EuphoriaPhase 2 Breakthrough & Euphoria • Phase 3 – Optimizationp & Routine

(11)

KeeLoq

+

Side

‐

Channel

Attacks

O th ht 2006 ( tl t) Our thoughts ca. 2006 (mostly correct)

G f l ld k

√

• Great target for real‐world attack ld h

√

• Old cipher

√

• Implementation probably also 10+ years old

√

• SCA countermeasures very unlikely

√

• Running DPA or SPA should be a piece of cake

(a few weeks)

† † †

(12)

Power

Analysis

of

a

Remote

Control

?

t k f t t l (HCS XXX Chi ) !

secret key of remote control (HCS XXX Chip) !

(13)

Performing

the

Side

‐

Channel

Attack

1. Find a suited predictable

intermediate value in the cipher

2 M th ti

2. Measure the power consumption

3. Align and reduce size of acquired data

4. Correlate measurements with model

(14)

KeeLoq

– Algorithm

State Register, y 0 2 1 3 1 1 7 2 4 0 0 NLF XOR Key Register, _k 7 6 5 4 3 2 1 0 0 y g , _k

• 64 bit key, 32 bit block length

• NLFSR comprising a 5x1 non‐linear function

• Simple key management: key is rotated in every clock cycle

p y g y y y

• 528 rounds, each round one key bit is read

 Lightweight cipher – cheap and efficient in hardware

(15)

KeeLoq

– Attack

0 2 1 3 State Register, _y 0 2 1 3 1 1 7 2 4 0 0 NLF XOR 7 6 5 4 3 2 1 0 XOR Key Register, _k 7 6 5 4 3 2 1 0 0 Christof Paar, 17.02.2010

 knowing the state directly reveals one key bit per clock cycle

(16)

Performing

the

Side

‐

Channel

Attack

2 M th ti

(17)

Measuring

the

Power

Consumption

• Digital oscilloscope (max. 1 GS/s sample rate) • Measure electric current or electromagnetic field

(18)

Power

Trace

of

a

remote

control:

Finding the KEELOQ

‐

Encryption

Finding

the

KEELOQ

‐

Encryption

write EEPROM

send hopping code

KEELOQ

36 _{Christof Paar, 17.02.2010}

(19)

Performing

the

Side

‐

Channel

Attack

2 M th ti

(20)

Performing

the

Side

‐

Channel

Attack

Key

Recovery

1

Recovery

C l t l ti 0.8 1

• Correlate real power consumption I_i with predicted value D = f (X_i, K_h) • Divide‐and‐conquer approach

0.4 0.6 Co rre la tio n • Best‐matching

key candidates “survive“

0 0.2 0 10 20 30 40 50 60 70 80 90 round Christof Paar, 17.02.2010 40

(21)

KeeLoq

• Introduction to Remote Keyless Entry (RKE) Systems • Introduction to Remote Keyless Entry (RKE) Systems • Phase 1 – Analysis & Frustration

• Phase 1 Analysis & Frustration

• Phase 2 – Breakthrough & EuphoriaPhase 2 Breakthrough & Euphoria

• Phase 3 – Optimizationp & Routine

(22)

…

15 months later

(23)

Side

‐

Channel

Attack

Results

for

KeeLoq

A) H d i l t ti (“ k “)

A) Hardware implementation (“car key“)

• Total attack time (for known device family): 5‐30 traces,, ≈ minutes

B) Software implementation (“car door“)

• Total attack time (for known device family): 1000 5000 traces ≈ hours

1000‐5000 traces, ≈ hours

• reveals Manufacturer Key for ALL key derivation modes

(24)

So

what

can

we

do

now

(1)

?

1. If we have access to a remote: 1. If we have access to a remote:

Recover Device Key and clone the remote

2. If we have access to a receiver:

Recover Manufacturer Key & generate new remotesy g

(25)

So

what

can

we

do

now

(2)

?

3. After step 2 ( i.e., possessing the Manufacturer Key):

Remotely eavesdrop on 1-2 communications & clone remote!

#ser KeeLoq(n+1) #ser, KeeLoq(n+1)

• works for all key derivation schemes

i t tl f k d i ti f i l b

• instantly for key derivation from serial number

• otherwise use PC (short seed) or COPACOBANA (long seed)

www.copacobana.org

(26)

KeeLoq

q

• Introduction to Remote Keyless Entry (RKE) Systems • Phase 1 – Analysis & Frustration

• Phase 2 – Breakthrough & Euphoria • Phase 3 – Optimization & Routine

(27)

After

the

Attack

3 ti f i d t 3 reactions from industry

1 C i i ( )

1. Companies ignore us (many)

h ( l l )

2. Companies hate us (also popular)

3. Companies want to improve their products with us (few)

(28)

Since

2008

• We analyze several KeeLoq products • All are breakable

• But efforts for manufacturing key recovery varies

f h k

from hours … weeks

• We gain much experience and start to improve

(29)

Software

DPA:

needs 1000s of Measurements

C l ti f DPA d ith # d (b d)

needs 1000s

of Measurements

Correlation for DPA decreases with #rounds (bad)

Duration of one round seems to be dependent on input

(30)

SPA

Attack

against

KeeLoq

State Register,_y 0 2 1 3 1 1 7 2 4 0 0 y NLF XOR 7 6 5 4 3 2 1 0 0 XOR Key Register, _k 0 3 5 6

 knowing the state directly reveals one key bit per clock cycle

 A l i i ti f th t t ill l th t k

(31)

KeeLoq

Decryption

Program

Code

Data dependent code Data dependent code in red

(32)

SPA

by

CrossCorrelation

ern rence Patt e Refe r ation C rossCorrel C

(33)

KeeLoq and SPA:

q

What can we do

now?

• Manufacturing key recovery with 1 single power trace

• No need to profile the leakage (unlike template attacks) • Countermeasure: fix execution time of rounds

But: Better alignment of traces will make DPA easier … • Further details: our Africacrypt `09 paper

Important lesson

Do not educate your attacker, i.e., build rock solid systems from the beginning

(34)

Contactless Payments

with

Mifare Classic

(35)

Case

Study

contactless

payments:

Let’s investigate one large scale system !

Let’s investigate

one

large

‐

scale

system

!

• contactless employee ID card, e.g., of a large corporate enterprise • more than 1 million users according to the manufacturer

• payments (max. 150 €), access control, recording of working time, … • Based on Mifare Classic 1K chip

(36)

Mifare Classic

and its Security

(37)

Mifare Classic 1K

Mifare Classic

1K

• “more than 1 billion“ cards used worldwide e g for public transport • “more than 1 billion“ cards used worldwide, e.g, for public transport • basically a (contactless) memory card with encryption, cheap (≈ 0,50 €)

• each card contains a factory‐programmed, read‐only Unique Identifier (UID)

• access to each sector can be secured with two cryptographic keys A and B

UID

Key A, sector 0 Key B, sector 0

Key A, sector 15 Key B, sector 15

(38)

Security

Issues

of

Mifare Classic

1 Weak Cipher

1. Weak

Cipher

i h k l

• proprietary stream cipher CRYPTO1 kept secret until 2007 • reverse engineering

 small cipher state weak non‐linear functions  small cipher state, weak non‐linear functions • cipher published on the Internet (CRAPTO1)

• researchers instantly reveal severe flawsresearchers instantly reveal severe flaws

(39)

Security

Issues

of

Mifare Classic

2 Weak Random Number Generator

2. Weak

Random

Number

Generator

• generates 32‐bit nonces n_X and responses a_X for the authentication • entropy: obviously only 16 bit instead of possible 32 bit

“ d “ d d l h l d !

• “randomness“ depends only on the time elapsed since power‐up ! AUTH (sector) n_C n_R || a_R Christof Paar, 17.02.2010 a_C 73

(40)

Security

Issues

of

Mifare Classic

3 Weak Implementation / Protocol

3. Weak

Implementation

/

Protocol

• bad practice: keystream bits reused

i l l d l i i d f ll i d d

• parity calculated over plaintext instead of actually transmitted data • bug/feature: card replies with 4 encrypted bits (NACK 0x05) if the • bug/feature: card replies with 4 encrypted bits (NACK = 0x05), if the parity bits for the encrypted n_R || a_R are correct, but a_R is wrong *  can be used as covert channel to recover parts of the keystreamp y

*) guess parity bits: 1 out of 28 _tries_will_be_successful 74

(41)

Analyzing a

Real

World

Contactless Payment System

Contactless Payment

System

(42)

Special RFID Tools

Special

RFID

Tools

Special Reader: Precise control of the timing (accuracy: 75 ns)

Special Reader: Precise control of the timing (accuracy: 75 ns)  FIX the the card’s random nonce to exactly one value!

Fake Tag:g Can completelyp y emulate anyy ISO14443 transponderp (e.g., Mifare cards) including an arbitrary UID

(43)

Our Combined Attack

Our

Combined

Attack

1 diff ti l tt k t t t th 1st _{t k}

1. differential attack to extract the 1st _secret_key

2. nested authentication attack for the remaining keys ! card nonce fixed to exactly one value !

! card nonce fixed to exactly one value !

 crack all keys of a Mifare 1K card in < 10 Min

(44)

Analysis of the ID Card 1/2

Analysis

of

the

ID

‐

Card

1/2

k d

• test our attack on one ID‐Card  extraction of all secret keys • try ID‐Card of another employee

 card contains the same keys

• try ID‐Card of a third employee  card contains the same keys

...

• Surprising discovery:

All ID C d h

identical ke s

!

All

ID

‐

Cards

have

identical

keys

!

(45)

Analysis of the ID Card 2/2

Analysis

of

the

ID

‐

Card

2/2

1. one‐time extraction of the secret keys ofy anyy ID‐Card

duration: < 10 minutes

2. reverse‐engineer the card’s content (repeated „pay‐and‐compare“ ) 2. reverse engineer the card s content (repeated „pay and compare )

• card number: integrity ”ensured“ with XOR checksum(UID&card number)

• credit balance: € in plain w/o any protection

h d d f d i l i l

• other data: date of card issuance, last payment terminal, …

3 kno ing the abo e wireless manip lating of all cards in the s stem 3. knowing the above: wireless manipulating of all cards in the system

from 10 … 25 cm (depending on antenna)

duration: milliseconds (!)

(46)

Impersonation:

Duplicate an ID Card

Duplicate

an

ID

‐

Card

• read out relevant data in 100 milliseconds from a distance

• copy content of victim’s ID‐Card to blank Mifare Classic (ebay: < 0,50 € ) • card number and credit balance remain unchanged*

 pay with a duplicate of a card that is known to the system

*) note: funny XOR checkbyte has to be adapted

(47)

Impersonation:

Increase Credit Balance

Increase

Credit

Balance

+

• top‐up the credit balance of the cloned card

• or: restore previous content when money is used up

 financial losses for the payment institution

(money is used that has never been paid into the system)

(48)

Impersonation:

Wireless Pickpocketing

Wireless

Pickpocketing

+

‐

• attacker in addition lowers the credit on the victim’s card

• advantage: difficult to detect (no additional money in the system)

 losses only on the side of the victims,

f d i d b h

fraud not noticed by the payment institution

(49)

Selling Pre Charged Cards

Selling

Pre

‐

Charged

Cards

• dump the content of a valid ID‐Card to a PC

• generate new card number and write to new (blank) card • optionally: modify credit balance

ll h d ( )

• sell the cards (or top‐up service: pay 1€ get 3€)

 poor issuing institution, rich criminal _{Christof Paar, 17.02.2010}

(50)

Denial Of Service

Denial

‐

Of

‐

Service

• cards can be manipulated unnoticed by the owners

• disguised reader e g near a waiting line at the cash desk • disguised reader, e.g., near a waiting line at the cash desk

• automatically sets credit of any card in its proximity to 0€ (in 40 ms)  financial losses for the concerned customers ; no direct damage but  financial losses for the concerned customers ; no direct damage but

image loss and cost for customer service for the issuing institution

(51)

Distributed All You Can Eat

Distributed

All

‐

You

‐

Can

‐

Eat

• disguised reader, this time charges cards of “victims” • will you complain about a 100€ ‐ voucher?

• will you complain about a 100€ voucher?

• in court: can you be sued for s.o. else charging your card?

 very high losses for the issuing institution / happy customer 

(52)

Emulate an arbitrary ID Card

Emulate

an

arbitrary

ID

‐

Card

NFC ‐ mobile

• ID‐Card may stay in wallet when paying

• electronic emulation of an arbitrary card is possible

• generate a new UID, card number, and credit balance for each payment

d i / diffi l (bl kli i i ibl )

• detection/countermeasures difficult (blacklisting impossible)

 high losses for the issuing institution

(53)

Real

‐

World

Tests

with

the

ID

‐

Card

Contactless Payment System

Contactless

Payment

System

• Clone ID‐Cards (note: duplicates except for the UID)



Clone ID Cards (note: duplicates, except for the UID)

 can payments be carried out with clones ?

! UID not checked !



• Modify the credit balances of the clones



Modify the credit balances of the clones

 are payments with “counterfeit money” possible ?

! Iff shadow accounts exist,, theyy are not used !



• Production of “new” cards (new card number etc.)



( )

 can we pay with arbitrary generated cards ?



b i

l

ff ti

i th b k

d

!





obviously

no

effective

measures

in

the

back

‐

end

!

(54)

Summary of the Analyses

Summary

of

the

Analyses

• most efficient practical card‐only attack on Mifare to date • successful attacks on a real‐world system:

 wirelessly manipulate any ID‐Card in milliseconds !

• worst realization of a contactless payment system ever

• unfortunately this is not a single occurence • realization on the system level does matter,

mistakes can become very painful for the issuing institution • system integrators:

please check your systems ask any cryptographer for help

Christof Paar, 17.02.2010 please check your systems, ask any cryptographer for help

(55)

Intermezzo

Ah Mif

Cl

i i i

• Aha.

Mifare Classic

is

insecure.

• I’ve

heard

about

these

3DES

contactless

cards!



let’s exchange the cards of our payment



let s

exchange

the

cards

of

our

payment

system

&

make

the

same

errors

(identical

keys…)

Good

idea?

Christof Paar, 17.02.2010 98

(56)

SCA

on

secure Contactless

Smartcards

using

3DES

(57)

RFID

Side

Channel

Measurement:

Mutual Authentication Protocol

Measure EM emanation

Mutual

Authentication

Protocol

Measure EM

emanation

??

Reader:

Send

protocol

Smartcard:

Encrypt

X

Send

protocol

value

X

yp

with 3DES

St

EM fi ld f RFID hi d

t i htf

d DEMA

(58)

Measurement

Setup

(59)

Measurement

Setup

• ISO14443‐compatible • Freely Programmable • Low Cost (< 40 €) • Low Cost (< 40 €) Christof Paar, 17.02.2010 105

(60)

Measurement

Setup

• 1 GS/s, 128 MB Memory • ± 100 mV • USB 2.0 Interface Christof Paar, 17.02.2010 106

(61)

Measurement

Setup

Aim: Reduce Carrier Wave Influence

vs.

EM

leakage

Reader

of smartcard

(62)

Side Channel Analysis

Side

Channel

Analysis

Step

1:

Raw

measurements

(63)

EM

Trace

(

without

analogue filter)

(

without

analogue filter)

(64)

EM

Trace

(

without

analogue filter)

(

without

analogue filter)

(65)

EM

Trace

(

without

analogue filter)

(

without

analogue filter)

?

(66)

Side Channel Analysis

Side

Channel

Analysis

Step 2 Analog e filter

Step

2:

Analogue

filter

(67)

Carrier

Dampening

from

t tl

d

contactless card

after subtraction

from reader’s

oscillator

(68)

EM

Trace

(

with

analogue filter)

(

with

analogue filter)

(69)

EM

Trace

(

with

analogue filter)

(

with

analogue filter)

(70)

EM

Trace

(

with

analogue filter)

(

with

analogue filter)

?

(71)

Side Channel Analysis

Side

Channel

Analysis

Step

p

3:

Digital

g

Demodulation

(72)

Digital

Demodulation

Digital Demodulator

Rectifier

Digital

Filter

(73)

Digital

Demodulation

(74)

Digital

Demodulation

?!

(75)

Side Channel Analysis

Side

Channel

Analysis

Step

4:

Alignment

(76)

Alignment

Pick

Reference

Pattern

(77)

Alignment

Pick

Reference

Pattern

(78)

Alignment

(79)

Alignment

Varies

for

identical

Plaintext

(80)

Side Channel Analysis

Side

Channel

Analysis

Step

5:

Location

of 3DES

(

fili

i h fi d k

k )

(Profiling with fixed,

known key)

(81)

Data

Bus

Locate

Plain

‐

&

Ciphertext

Transfer

(82)

Data

Bus

DPA:

Plaintext

8 Bit

Hamming

Weight

(5000 traces) Christof Paar, 17.02.2010 130

(83)

Data

Bus

DPA:

Ciphertext

8 Bit

Hamming

Weight

(5000 traces) Christof Paar, 17.02.2010 131

(84)

Trace

Overview

Plaintext 3DES Ciphertext ... Other processing

(85)

Assumptions

?!

?

!



C

3DES

(86)

Side Channel Analysis

Side

Channel

Analysis

Step

6:

Attack

(87)

3DES

‐

Engine

DPA

But:

Only

for

S

‐

Box

1 &

3

(88)

3DES

Engine

DPA:

Peak

Extraction

(89)

3DES

Engine

DPA:

Peak

Extraction

(90)

3DES

Engine

DPA:

Binwise

(91)

3DES

Engine

DPA:

Binwise

Apply

DPA

binwise

(92)

DES Full Key Recovery

DES

Full

Key

Recovery

(93)

Summary

• Measurement

Setup

built



• Profiling

done



D t B

l d



• Data

Bus

revealed



• Full 3DES

key revealed

y



(94)

Conclusion

Ah Mif

Cl

i i i

• Aha.

Mifare Classic

is

insecure.

• I’ve

heard

about

these

3DES

contactless

cards!



let’s exchange the cards of our payment



let s

exchange

the

cards

of

our

payment

system

&

make

the

same

errors

(identical

keys…)

Good

idea?

NO.

(95)

SCA

is so

destructive.

Can‘t we find some positive use ?

Can t we find

some positive

use ?

(96)

Side

‐

Channel

based Watermarks

ffor IP

Protection

(97)

Motivation:

IP Cores (Intellectual Property)

IP

Cores

(Intellectual

Property)

• Hardware blocks for certain functions (e.g., CPUs, coders…)Hardware blocks for certain functions (e.g., CPUs, coders…) • Increased re‐use of previous implementations

• Parts of the development can be bought from another partyParts of the development can be bought from another party



Faster and cheaper hardware design

(98)

Motivation:

IP Cores + Security?

IP

Cores

+

Security?

• Copyright

violations

of

IP

cores

• IP

cores

may

have

embedded

Trojans

(99)

The question we want to solve:

The

question

we

want

to

solve:

Is our IP core in there?

(Did they pay the $0,10 royality?)

(100)

Watermarks

Classical watermark

Digital watermark

Goal: Impossible to forge Goal: Impossible to remove

(101)

Watermarking

for

IP

protection

G l f IP t ki Goals of IP watermarking:

1. Detectability: The owner can detect whether or not his code is used in an

IC.

2. Non–repudiation: The owner can prove towards a third party that his

code was used in an IC.

Possible attacks on IP watermarking:

1. Removing attack: The attacker removes the watermark from his IC design.

2. Impersonation attack: The attacker tries to detect a watermark in a

foreign design and claims that this watermark is his own. foreign design and claims that this watermark is his own.

(102)

A

side

‐

channel

based

watermark

Main

idea

of

a

side

‐

channel

based

watermark:

• Insert an artificial side

‐

channel into the IP core

• Insert

an

artificial

side

‐

channel

into

the

IP

core

• This

side

‐

channel

leaks

out

a

unique

ID

f



IP

owner

can

check

ICs

for

their

unique

ID



IP

owner

can

proof

copyright

violations



Our spread spectrum based watermark



Our spread

spectrum

based

watermark

,

based

on

side

‐

channel

hardware

Trojan

from

CHES

2009

(103)

Spread

spectrum

based

watermarks

Two Components that are added to the IP core: Two Components that are added to the IP core:

1. A PRNG that generates a pseudo-random bit sequence

sequence

2. A Leakage Circuit (LC) that is attached to the PRNG and that leaks out the bitstream

(104)

Detecting

a

spread

spectrum

based watermark

based

watermark

1 Measure a single long power trace of the targeted device 1. Measure a single long power trace of the targeted device

2. From this power trace derive exactly one power‐value p_i for each of the

n measured clock cycles. (e.g. by averaging the points of one clock cycle) 3. Compute the expected watermarking bit stream B=b₁,…,b_n

4. Generate different Hypotheses H_i by shifting the bit stream B:

b b

H₁=b₁,…,b_n H₂=b₂,…,b_n,b₁

…

5. Correlate the Hypotheses H_i with the power‐values P=p₁,…,p_n

6. If the un‐shifted bit stream (H₁) generates a significant correlation peak,

the watermark is embedded in the targeted device.

(105)

Practical

results

I

l

t d

A 1

st

_d

_DPA

_{i t}

_{t AES}

Implemented

:

A

1

st

_order

_DPA

_resistant

_AES

implementation

with

an

embedded

spread

‐

spectrum

watermark

watermark.

i

ili

i

Device

:

Xilinx Virtex

‐

2 PRO

XC2VP7

‐

5 FPGA

@

24MHz

(106)

Practical

results

The

used

PRNG:

A 32

‐

bit LFSR with X

₃₂

+X

₂₂

+X

₂

+X

₁

and a fixed initial state.

A

32 bit

LFSR

with

X

₃₂

+X

₂₂

+X

₂

+X

₁

and

a

fixed

initial

state.

The

used

Leakage

g

Circuit:

• 16

‐

bit

Shift

‐

Register

• initialized with 0xAAAA

• initialized

with

0xAAAA

• shifted only if output of the PRNG

is „1“

(107)

Measurements

Correlation for 500.000

_{clock cycles while the AES}

clock cycles while the AES

implementation was

idle.

clock cycles while the AES

implementation was

constantly running

constantly running.

(108)

Conclusions &

Auxiliary Stuff

(109)

Conclusions

E

i

f

l

ld tt k

l

bl

• Experience

from real

‐

world attacks are very valuable

for the scientific community

• Real

‐

world impact of (physical)

attacks sometimes

hard to assess

• Evolution

of physical attacks are an

interesting (and

scary)

y p

phenomenon

• Is

there a

metric for measuring the hardness of

physical attacks?

(110)

Workshops

SECSI – Secure Component and Systems Identification

April 2010, Cologne, Germany

CHES – Cryptographic Hardware and Embedded Systems

A t 2010 UCSB August 2010, UCSB

escar – Embedded Security in Cars

(111)

Post

‐

Doc

Position

in

Embedded

Security Group @ U Bochum

Security

Group

@

U

Bochum

W k

th

ti l

d/

ti l

t

f

• Work

on

theoretical and/or practical aspect s

of

physical attacks

• 1+

year position

• Full scientific position,

p

great working atmosphere

g

p

• Please contact Christof

Paar,

[email protected]

(112)

…

and

yet

another

textbook

on

Cryptography

• Hopefully helpful for people without PhD`s in mathematics without PhD s in mathematics • Quite comprehensive