[liberationtech] Android Full-Disk Encryption Cracked

Richard Brooks rrb at acm.org
Mon Apr 29 12:56:01 PDT 2013


We did some work on power analysis sidechannels. The NSA solution
is to physically isolate anything that does crypto from
anything else. Separate power supplies and Faraday cages are used.
This is effective, but not practical for mobile devices.

Another alternative is to use dual rail instructions in hardware:
for each computation in the code, it also computes the complement.
This produces a flat power consumption profile, but consumes 1.9 times
the power and produces 1.9 times the heat.

We added compiler support where secret variables (e.g. a crypto key)
had tags marking them as secret. Then instructions that used this
data, or anything derived from them, would use the dual rail
instructions. This consumes 15% more power than normal.

Other people try to just add random fluctuations to the power
consumption profile. That never works. You just have to increase the
amount of data that you collect. You would be amazed at how many
people try to pass this off as an effective solution.

The power analysis attack (especially differential power analysis)
is really easy to do. We gave the grad student a paper. He had
the attack running after about 1 day of work.

On 04/29/2013 03:29 PM, Steve Weis wrote:
> To add to the list of issues here, crypto implementations on mobile
> devices may be vulnerable to power analysis side-channel attacks.
> Attackers may be able to measure RF signal strength to infer power
> consumption during crypto operations, then derive key material. I think
> Cryptography Research Inc. has been researching these attacks and
> working on countermeasures.
> 
> On Mon, Apr 29, 2013 at 12:09 PM, Seth David Schoen <schoen at eff.org> wrote:
> 
>     ... 
> 
>     There are a lot of problems about disk encryption on small
>     mobile devices.  One that was highlighted by Belenko and
>     Sklyarov at Black Hat EU 2012 is that mobile device CPUs are
>     relatively slow, so it's difficult to do very large numbers of
>     iterations of key derivation functions, which would make
>     brute-force cracking slower.
> 
> 
> 
> 


-- 
===================
R. R. Brooks

Associate Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA

Tel.   864-656-0920
Fax.   864-656-5910
email: rrb at acm.org
web:   http://www.clemson.edu/~rrb
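
The two countermeasures discussed above (added noise versus dual rail), as a simulated leakage assessment; this is an added example, not part of the original message or the authors' tooling. It assumes a Hamming-weight power model with Gaussian noise and a |t| > 4.5 fixed-vs-random cut-off, and every function name in it is hypothetical.

```python
import random
from statistics import fmean, variance

THRESHOLD = 4.5  # assumed |t| cut-off for a fixed-vs-random leakage test

def hw(x):
    """Hamming weight of an 8-bit value."""
    return bin(x & 0xFF).count("1")

def sample(value, sigma, dual_rail, rng):
    """One simulated power sample for an operation handling `value`."""
    signal = hw(value)
    if dual_rail:
        signal += hw(~value)  # complement computed alongside: sum is always 8
    return signal + rng.gauss(0, sigma)  # sigma models injected random noise

def welch_t(a, b):
    """Welch's t statistic between two sets of samples."""
    return (fmean(a) - fmean(b)) / (variance(a) / len(a) + variance(b) / len(b)) ** 0.5

def leakage_t(n, sigma, dual_rail=False, seed=1):
    """|t| between n traces of a fixed secret byte and n traces of random bytes."""
    rng = random.Random(seed)  # constructed, reproducible traces
    fixed = [sample(0x01, sigma, dual_rail, rng) for _ in range(n)]
    rand = [sample(rng.randrange(256), sigma, dual_rail, rng) for _ in range(n)]
    return abs(welch_t(fixed, rand))

def traces_to_detect(sigma, dual_rail=False, limit=204_800):
    """Double the trace count until the leak is detectable; None if it never is."""
    n = 100
    while n <= limit:
        if leakage_t(n, sigma, dual_rail) > THRESHOLD:
            return n
        n *= 2
    return None

if __name__ == "__main__":
    for sigma in (1, 10, 50):
        print(f"noise sigma={sigma:>2}: leak visible with "
              f"{traces_to_detect(sigma)} traces per set")
    print("dual rail, sigma=1:", traces_to_detect(1, dual_rail=True))
```

In this model the injected noise only raises the number of traces at which the secret-dependent difference becomes statistically visible, while the dual-rail samples carry no data-dependent signal at any trace count.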