{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "# Side Channel Attaks : Timing Attack\n", "Ecole d'été ARCHI 2019\n", "\n", "authors : V. Lapotre / A. Tisserand\n", "\n", "1. Read and use the setup material for lab preparation (section 1)\n", "2. Execute the first experiments and analyze the behavior (section 2)\n", "3. Use the proposed material to guess the first letter of the small password (section 3)\n", "4. Propose a solution to guess the next letters (section 4)\n", "5. Merge all required steps into an attack function and use it (section 5)\n", "6. Propose a safer password comparison function and verify that the attack is not working anymore (section 6)\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## 1. Setup\n", "\n", "Library for timing measurement of Python code snippets: [`timeit`](https://docs.python.org/2/library/timeit.html)\n", "\n", "**WORK**: quickly read the documentation of the `timeit` and `repeat` functions from the `timeit` library.\n", "\n", "```python\n", "timeit.timeit?\n", "timeit.repeat?\n", "```\n" ] }, { "cell_type": "code", "execution_count": 1, "metadata": {}, "outputs": [], "source": [ "import numpy as np\n", "import matplotlib\n", "import matplotlib.pyplot as plt\n", "import timeit\n", "import string\n", "import random" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "0.0408329963684082" ] }, "execution_count": 2, "metadata": {}, "output_type": "execute_result" } ], "source": [ "# test of timeit.timeit\n", "timeit.timeit('(2^200 + 1) % 2')" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [], "source": [ "def test(a, b):\n", " return (a^b + 1) % 2" ] }, { "cell_type": "code", "execution_count": 4, "metadata": {}, "outputs": [], "source": [ "#timeit.timeit('test(2, 200)') # will produce a NameError!" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The snippet to be timed (i.e. `test(2, 200)` function call) using `timeit` or `repeat` functions is executed and measured into an empty namespace (where `test` is not defined). The `setup` argument helps to integrate additional elements in this evaluation namespace. " ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "0.0974278450012207" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "timeit.timeit('test(2, 200)', setup='from __main__ import test')" ] }, { "cell_type": "code", "execution_count": 18, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "([0.10078883171081543,\n", " 0.09974908828735352,\n", " 0.09797000885009766,\n", " 0.09736394882202148,\n", " 0.09742403030395508],\n", " 0.098659181594848627,\n", " 0.0013712397262414357)" ] }, "execution_count": 18, "metadata": {}, "output_type": "execute_result" } ], "source": [ "# test of timeit.repeat\n", "t = timeit.repeat('test(10, 20000)', setup='from __main__ import test', repeat=5)\n", "t, np.mean(t), np.std(t)" ] }, { "cell_type": "code", "execution_count": 20, "metadata": {}, "outputs": [], "source": [ "def mycmp(a, b):\n", " \"\"\"Compare strings 'a' and 'b'.\"\"\"\n", " if len(a) != len(b):\n", " return False\n", " for i in range(len(a)):\n", " if a[i] != b[i]:\n", " return False\n", " return True" ] }, { "cell_type": "code", "execution_count": 21, "metadata": {}, "outputs": [], "source": [ "# validation\n", "tests = [\n", " ('ABCD', 'ABCD', True), \n", " ('ABCZ', 'ABCD', False), \n", " ('ABC', 'ABCD', False),\n", " ('ABCDE', 'ABCD', False)\n", "]\n", "for (a, b, expected) in tests:\n", " assert mycmp(a,b) == expected, '{}({}, {}) -> {} ({} expected)'.format(\"mycmp\", a, b, mycmp(a,b), expected)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## 2. First Experiments" ] }, { "cell_type": "code", "execution_count": 31, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "mycmp(\"TIMINGS\", \"TIMINGS\")\n" ] }, { "data": { "text/plain": [ "True" ] }, "execution_count": 31, "metadata": {}, "output_type": "execute_result" } ], "source": [ "password = \"TIMINGS\"\n", "function = 'mycmp'\n", "setup = 'from __main__ import ' + function\n", "\n", "command = function + '(\"TIMINGS\", \"' + password + '\")'\n", "print(command)\n", "eval(command)" ] }, { "cell_type": "code", "execution_count": 38, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "0.6397109031677246" ] }, "execution_count": 38, "metadata": {}, "output_type": "execute_result" } ], "source": [ "timeit.timeit(command, setup)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "Run the previous cell several times and analyze the situation. " ] }, { "cell_type": "code", "execution_count": 40, "metadata": {}, "outputs": [], "source": [ "def timings(command, setup='', repeat=5, warmup=0):\n", " \"\"\"Time 'command' passed as string with 'setup' string and 'repeat' executions after 'warmup' executions.\"\"\"\n", " if warmup:\n", " timeit.repeat(command, setup=setup, repeat=warmup)\n", " t = timeit.repeat(command, setup=setup, repeat=repeat)\n", " return np.array(t)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "The previous cell provide a solution to :\n", "\n", "- gather several samples in variable `t`\n", "- perform a warmup for ingoring the first measurements impacted by microarchitectural effects (e.g. caches) \n", "\n", "**WORK** : Use the next cell to determine satisfactory values for variables `repeat` and `warmup`" ] }, { "cell_type": "code", "execution_count": 48, "metadata": {}, "outputs": [ { "data": { "image/png": "iVBORw0KGgoAAAANSUhEUgAAAYQAAAD8CAYAAAB3u9PLAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAALEgAACxIB0t1+/AAAIABJREFUeJzt3Xl8VPX1//HXgbAIypogyiKLiQKiLAFFXNisaPsFtS6gVamI2l9RqNVWu31b2n5tv7bVtuKCgICKiMsXqVqpFRBF0QRBhQA2BtTIKkLYl8D5/TE3dhoDmcAkd5b38/HII5nP/dyZcy9MTs6dc+81d0dERKRW2AGIiEhiUEIQERFACUFERAJKCCIiAighiIhIQAlBREQAJQQREQkoIYiICKCEICIigYywA6iKzMxMb9euXdhhiIgklcWLF3/h7lmVzUuqhNCuXTvy8/PDDkNEJKmY2SexzNMhIxERAZQQREQkoIQgIiKAEoKIiASUEEREBFBCEBGRgBKCiIgAaZIQXlm2junvfBp2GCIiCS0tEsLs99dyz8sr2LprX9ihiIgkrLRICLcNzGb73lImv7k67FBERBJWWiSEU1s24uKuLXls4RpKdu0POxwRkYSUFgkB/l0lTFqoKkFEpCJpkxC+qhLeXK0qQUSkAjElBDMbbGarzKzQzO46xJwrzazAzJab2fSo8bZm9g8zWxEsbxeMPxk85zIzm2xmdeKxQYejKkFE5NAqTQhmVhsYD1wEdAaGm1nncnOygbuBvu7eBRgbtXgacK+7dwJ6AxuD8SeBU4GuwDHAjUe3KZU7tWUjLjpNVYKISEViqRB6A4XuXuTu+4AZwNByc0YB4919C4C7bwQIEkeGu78ajO9w913Bzy97AHgXaB2XLaqEqgQRkYrFkhBaAZ9FPS4OxqLlADlmttDMFpnZ4KjxrWb2vJktMbN7g4rjK8GhomuBV45sE6qm0wlBlbBwNSW7VSWIiJSJJSFYBWNe7nEGkA30A4YDE82sSTB+LnAH0AvoAIwot+6DwAJ3f6PCFze7yczyzSx/06ZNMYRbudsGZrN9j85LEBGJFktCKAbaRD1uDaytYM4L7r7f3VcDq4gkiGJgSXC4qRSYBfQoW8nM/hvIAm4/1Iu7+wR3z3X33KysSm8JGpNOJzRicJeWTFaVICLylVgSQh6QbWbtzawuMAyYXW7OLKA/gJllEjlUVBSs29TMyn6TDwAKgnk3AhcCw9394NFuSFWpShAR+U+VJoTgL/vRwBxgBTDT3Zeb2TgzGxJMmwNsNrMCYB5wp7tvdvcDRA4XvWZmHxI5/PRosM7DwPHA22a21Mx+Edctq0TnE1UliIhEs0iTT3LIzc31/Pz8uD1fwdptXPyXNxg7KJuxg3Li9rwiIonEzBa7e25l89LmTOWKlFUJk95UlSAiktYJAf79WcJjOi9BRNJc2ieEzic24sIux6tKEJG0l/YJAVQliIiAEgIAXU5szIVdjmeyqgQRSWNKCIHbBmazbU8pUxauCTsUEZFQKCEEupzYmG90Pp5JbxapShCRtKSEEEVVgoikMyWEKKe1+neVsG2PqgQRSS9KCOWoShCRdKWEUE5ZlTDxDVUJIpJelBAqoCpBRNKREkIFTmvVmAtUJYhImlFCOIQxqhJEJM0oIRyCqgQRSTdKCIdRViVMVZUgImlACeEwTmvVmEGdjmfim6tVJYhIylNCqMTYQdmU7N6vKkFEUl5MCcHMBpvZKjMrNLO7DjHnSjMrMLPlZjY9arytmf3DzFYEy9sF46OD53Mzy4zHxlQHVQkiki4qTQhmVhsYD1wEdAaGm1nncnOygbuBvu7eBRgbtXgacK+7dwJ6AxuD8YXAIOCTo92I6qYqQUTSQSwVQm+g0N2L3H0fMAMYWm7OKGC8u28BcPeNAEHiyHD3V4PxHe6+K/h5ibuvic9mVK/oKmG7qgQRSVGxJIRWwGdRj4uDsWg5QI6ZLTSzRWY2OGp8q5k9b2ZLzOzeoOJIOmMGBlXCW2vCDkVEpFrEkhCsgjEv9zgDyAb6AcOBiWbWJBg/F7gD6AV0AEZUJUAzu8nM8s0sf9OmTVVZNa66tm7MoE4tePQNVQkikppiSQjFQJuox62BtRXMecHd97v7amAVkQRRDCwJDjeVArOAHlUJ0N0nuHuuu+dmZWVVZdW4GzMwR1WCiKSsWBJCHpBtZu3NrC4wDJhdbs4soD9A0DGUAxQF6zY1s7Lf5AOAgngEHgZVCSKSyipNCMFf9qOBOcAKYKa7LzezcWY2JJg2B9hsZgXAPOBOd9/s7geIHC56zcw+JHL46VEAM7vNzIqJVBwfmNnEeG9cdSirEqa9nfDNUSIiVWLu5T8OSFy5ubmen58fdhiMnJLH4k+38MaP+nNc/TphhyMiclhmttjdcyubpzOVj8CYQdls3aUqQURSixLCETi9dRMGntqCR98o0mcJIpIylBCOkKoEEUk1SghHKLpK2LG3NOxwRESOmhLCUSirEnRegoikAiWEo3B66yYMUJUgIilCCeEojRmoKkFEUoMSwlE6o42qBBFJDUoIcaAqQURSgRJCHJzRpgn9T8lioqoEEUliSghxMmZQDlt27Wfa22vCDkVE5IgoIcRJt6BKeHSBqgQRSU5KCHGkKkFEkpkSQhxFVwk7VSWISJJRQoizf1cJusaRiCQXJYQ469amCf1OyWLCgo9VJYhIUlFCqAZjBmarShCRpBNTQjCzwWa2yswKzeyuQ8y50swKzGy5mU2PGm9rZv8wsxXB8nbBeHsze8fM/mVmTwf3a04J3ds2VZUgIkmn0oRgZrWB8cBFQGdguJl1LjcnG7gb6OvuXYCxUYunAfe6eyegN7AxGP89cJ+7ZwNbgJFHuS0JRVWCiCSbWCqE3kChuxe5+z5gBjC03JxRwHh33wLg7hsBgsSR4e6vBuM73H2XmRkwAHg2WH8qcMlRb00CKasSHn1DHUcikhxiSQitgM+iHhcHY9FygBwzW2hmi8xscNT4VjN73syWmNm9QcXRHNjq7qWHec6kN2ZgNl/u3Mfji1QliEjiiyUhWAVjXu5xBpAN9AOGAxPNrEkwfi5wB9AL6ACMiPE5Iy9udpOZ5ZtZ/qZNm2IIN3F0b9uU83OymKDzEkQkCcSSEIqBNlGPWwNrK5jzgrvvd/fVwCoiCaIYWBIcbioFZgE9gC+AJmaWcZjnBMDdJ7h7rrvnZmVlxbpdCWPMIFUJqe6Z/M+4+fF8XbJEkl4sCSEPyA66guoCw4DZ5ebMAvoDmFkmkUNFRcG6Tc2s7Df5AKDA3R2YB1wejF8PvHA0G5KoeqhKSGnzVm7kx899wJzlG7jtqSUcOFhhoSuSFCpNCMFf9qOBOcAKYKa7LzezcWY2JJg2B9hsZgVEftHf6e6b3f0AkcNFr5nZh0QOFT0arPNj4HYzKyTymcKkeG5YIimrEp5QlZBSCtZuY/T09+h0QiN+enEn5q7cyG9fWhF2WCJHLKPyKeDuLwMvlxv7RdTPDtwefJVf91Xg9ArGi4h0MKW8Hm2bcl5OFo8sKOLaPifRoG5Mu10S2PqSPdwwJY9Gx9Rh8oheHN+oPmtLdjN54WraZzXk2rNOCjtEkSrTmco15KuOI52XkPR27i1l5NQ8tu/Zz6TrI8kA4Gff7MyAU1vwy9nLef2j5GqAEAElhBrT86R/Vwm79umzhGR14KAzZsYSVqzbxgNX96DziY2+Wla7lvGX4d3JbnEso598j482bA8xUpGqU0KoQaoSkt9vXirgnys28sshXeh/aouvLT+2XgaTR/Sift3a3DAljy927A0hSpEjo4RQg8qqhAmqEpLS1LfW8NjCNdzQtz3X9Wl3yHknNjmGidfl8sWOvdw0LZ89+w/UXJAiR0EJoYaNGZjNZnUcJZ25Kzfwq78tZ1Cn4/npNztVOv+MNk24/6puvPfpVn707AdE+i5EEpsSQg3reVJTzs3O5JHXVSUki+VrS7h1+hI6n9iIPw/rRu1aFZ1o/3WDTzuBHw0+hdnvr+X+f/6rmqMUOXpKCCEYO0hVQrJYX7KHkVPyaXRMHSZd34uG9arWMvy98ztyRc/W/Pm1fzFryefVFKVIfCghhKDnSc1UJSSBQ7WXVoWZ8dtLu3Jm+2b86NkPyF/zZTVEKhIfSgghUZWQ2A7XXlpVdTNq8ci1PWnV9Bhuenwxn27eFcdIReJHCSEkZVWCOo4SU1l76a8O0V5aVU0a1GXyiF4cOOh8d8q7lOzeH4coReJLCSFEYwZm88WOfTy56NOwQ5Eo0e2l1x6mvbSq2mc25OHv9OTTL3fx/SffY/+Bg3F7bpF4UEIIUW674LOEBR+rSkgQVW0vrao+HZvz20u78mbhF/z37OVqR5WEooQQMlUJiWP52hJGB+2lfxkee3tpVV2Z24bv9evI9Hc+ZdKbq6vlNUSOhBJCyKKrhN37dEZrWMraSxsH7aXVfUXaO79xChed1pLfvryCVws2VOtricRKCSEBfFUlvKOOozBEt5eWXcq6utWqZfzpym50bdWYMTOWsHxtSbW/pkhllBASQG67ZpxzciYPv64qoaYdOOjc9lTQXnpNDzqdcOTtpVV1TN3aTLwulybH1GHklHw2bNtTY68tUhElhAQxZpCqhDD8+sUCXlsZtJeecvTtpVXVolF9Jl7fi+179jNyap6aCyRUSggJopeqhBo3ZeFqpry1hpHnxLe9tKoiH2J3p2DtNsbOWMpB3ZdZQhJTQjCzwWa2yswKzeyuQ8y50swKzGy5mU2PGj9gZkuDr9lR4wPM7D0zW2ZmU80s7e8rqSqh5sxduYFxLxYwqNPx/OTi+LeXVtXATsfzs2925h8FG/j9nJVhhyNpqtKEYGa1gfHARUBnYLiZdS43Jxu4G+jr7l2AsVGLd7t7t+BrSDC/FjAVGObupwGfANfHY4OSWa92zeh7cnMefr1IVUI1qqn20qr6bt92fOestjzyehFP56kNWWpeLBVCb6DQ3YvcfR8wAxhabs4oYLy7bwFw942VPGdzYK+7fxQ8fhX4duxhp64xA3P4YsdeVQnVpKbbS6vCzPjlf3Xh3OxMfvp/y3ir8IuwQ5I0E0tCaAV8FvW4OBiLlgPkmNlCM1tkZoOjltU3s/xg/JJg7AugjpnlBo8vB9ocQfwpp3d7VQnVJYz20qrKqF2L8df0oH1mQ255YjEfb9oRdkiSRmJJCBXV0+U/9coAsoF+wHBgopk1CZa1dfdc4GrgfjPr6JHz9YcB95nZu8B2oML2CjO7KUgo+Zs2bYoh3OSnKiH+wmwvrapG9esweUQv6tSuxQ1T8vhy576wQ5I0EUtCKOY//3pvDaytYM4L7r7f3VcDq4gkCNx9bfC9CJgPdA8ev+3u57p7b2ABUOEtpdx9grvnuntuVlZWzBuWzFQlxF/Y7aVV1aZZAyZcl8u6kj3c8vhi9pbq/4FUv1gSQh6QbWbtzawukb/sZ5ebMwvoD2BmmUQOIRWZWVMzqxc13hcoCB63CL7XA34MPHz0m5M6VCXET6K0l1ZVz5Oacu/lp/Pumi+5+/kPdSE8qXaVJgR3LwVGA3OAFcBMd19uZuPMbEgwbQ6w2cwKgHnAne6+GegE5JvZ+8H479y9IFjnTjNbAXwA/M3d58Z1y5Jc7/bNOLtjcx5ZUMSe/frr8EglWntpVQ3t1oofDMrh+fc+58H5H4cdjqQ4S6a/OnJzcz0/Pz/sMGrMO0WbuWrCIn7+rc6MPKd92OEkneVrS7ji4bfpkNWQmTf3SaiOoqpwd37w9FJmLV3L+Kt78M3TTwg7JEkyZrY4+Cz3sHSmcgI7s0Nzzu7YnIdf/1hVQhWtL9nDDVPyErK9tKrMjN99+3R6ntSU22cuZcmnW8IOSVKUEkKCGzMwm03b9/LkOzpRKVY795Zyw5Q8duwpTdj20qqqX6c2E67tSYtG9Rg1bTHFW3RfZok/JYQEd2aH5vTpoCohVmXtpSvXJ357aVU1P7Yek6/vxd7SA9w4NZ/te3RfZokvJYQkMGZQpEqYriqhUl+1lw49LSnaS6sq+/jjeOianvxr4w5ufWoJpbovs8SREkISOCuoEh5SlXBY/9FeetZJYYdTbc7JzmTc0C7MX7WJ37y0IuxwJIUoISQJVQmH99qKSHvpBZ2Ts720qq458yRGntOeKW+tYdrba8IOR1KEEkKSUJVwaMs+L+HWp5bQ5cTG/HlY4ly9tLr95OJODOrUgl/OXs78VZVdT1KkckoISURVwtetK9nNyKl5NDmmDhOvz03q9tKqql3L+POw7pzashGjpy9h1frtYYckSU4JIYmc1aE5Z3Vopo6jwM69pYycks/OvQeYlCLtpVXVsF4Gk0bk0qBubW6Yksem7XvDDkmSmBJCkhkzMIeN2/fy1LvpXSUcOOjc+tQSVm3YzgNXd0+p9tKqOqHxMUy6vhdf7tzHqGn5+mNBjpgSQpLp0zFSJTw0P72rhF+/WMDclRv55ZAu9EvB9tKq6tq6Mfdd1Y33i7dyxzPv677MckSUEJJQulcJjwXtpTemeHtpVQ0+rSU/HnwqL36wjvv++VHlK4iUo4SQhNK5SnhtxQZ+HbSX3p0G7aVVdfN5HbgytzV/nVvI8+8Vhx2OJBklhCRVViXMSKMqIV3bS6vCzPjNJV3p06E5dz33Ie+u/jLskCSJKCEkqT4dm3Nm+2Y8mCZVQnR76aQ0ay+tqroZtXj4Oz1p3fQYbn48nzVf7Aw7JEkSSghJbOyg9KgSdpRrL22Rhu2lVdW4QeS+zA7cMDWPkl26EJ5UTgkhiaVDlVB64CC3qb30iLTLbMgj3+nJZ1/u4ntPLma/LoQnlYgpIZjZYDNbZWaFZnbXIeZcaWYFZrbczKZHjR8ws6XB1+yo8YFm9l4w/qaZnXz0m5N+Ur1K+M1LK9ReehTO7NCcey47nbc+3szPZy3TfZnlsCpNCGZWGxgPXAR0BoabWedyc7KBu4G+7t4FGBu1eLe7dwu+hkSNPwRc4+7dgOnAz45uU9JTn47N6d2+WUpe40jtpfFxec/WfL9/R2bkfcajbxSFHY4ksFgqhN5AobsXufs+YAYwtNycUcB4d98C4O6xXGnLgbL6vzGwNraQpbyxg7LZsG0vT+d9FnYocfPPgkh76TfUXhoXP7zgFC7u2pJ7/r6SOcvXhx2OJKhYEkIrIPo3TXEwFi0HyDGzhWa2yMwGRy2rb2b5wfglUeM3Ai+bWTFwLfC7I4hfgD4dIlXCg/MLU6JKWPZ5CbfNiLSX3q/20rioVcv405XdOL11E8bOWMqyz0vCDkkSUCwJoaJ3Y/kDkRlANtAPGA5MNLMmwbK27p4LXA3cb2Ydg/EfABe7e2vgMeBPFb642U1BQsnftGlTDOGmHzNLmSpB7aXVp36d2jx6XU+aNazLyKl5rC/ZE3ZIkmBiSQjFQJuox635+uGdYuAFd9/v7quBVUQSBO6+NvheBMwHuptZFnCGu78TrP80cHZFL+7uE9w9191zs7KyYtuqNJQKVcKOvaXcELSXTv6u2kurQ4vj6jPx+lx27Cll5NQ8du4tDTskSSCxJIQ8INvM2ptZXWAYMLvcnFlAfwAzyyRyCKnIzJqaWb2o8b5AAbAFaGxmOcH6FwC6F+BRMDPGDkzeKqH0wEFunf4eH23YzvhrenBqS7WXVpdOJzTigat7sGLdNsY+vZQDuhCeBCpNCO5eCowG5hD5pT3T3Zeb2TgzK+samgNsNrMCYB5wp7tvBjoB+Wb2fjD+O3cvCJ5zFPBcsOxa4M54b1y66dOxOb3bJec1jn79YgHzVm3iV0O6cH6OKsHq1v/UFvziW515tWADv39lZdjhSIKwZOpLzs3N9fz8/LDDSGhvFX7B1RPfYdzQLlzXp13Y4cTksYWr+dXfChh1bnt++s3Ola8gcfOLF5Yx7e1PuOeyrgzv3TbscKSamNni4LPcw9KZyimmrEp4cF5yVAn/LNjAuKC99K6L1F5a037xrc6cn5PFz2ctY2HhF2GHIyFTQkgxZR1H67ftYWZ+Yn+WUHb10q6t1F4alozatfjr1d3pkNWQW55YTOFG3Zc5nSkhpKA+HZvTq11THpz3MXtLE7NKKGsvbdqgDhOvU3tpmBrVr8Ok63tRL6MWN0zJ58ud+8IOSUKihJCCIlVCTqRKSMCOI7WXJp42zRow4bpc1m/bw82P5yfsHxJSvZQQUtTZQZUwPsGqBLWXJq4ebZvyxyvOIG/NFu567kNdCC8NKSGkqESsEtydcUF76bihai9NRP91xon88IIc/m/J5zwwtzDscKSGKSGksESrEh5buIZpb3/CqHPbc82Zunppoho94GQu696KP776EX97X9ecTCdKCCnMzBgzMDGqhFcLNvDrlwq4sMvx3K320oRmZtzz7a70ateUHz7zPu99uiXskKSGKCGkuL4nNyf3pKY8OD+8KmHZ5yXcVtZeelV3aqm9NOHVy6jNI9fm0rJRfW6als9nX+4KOySpAUoIKa7ss4R1JXuYmV9c46+/dutubpiSR7OGdZl4fS7H1K1d4zHIkWnWsC6TR/Rib+lBRk7NY9se3Zc51SkhpIGvqoR5hTVaJUTaS/PYte8Ak0f0osVxai9NNie3OJaHv9OTok07GT19CaW6L3NKU0JIA2FUCWXtpf/auIPx1/TglJbH1cjrSvz1PTmTX19yGgs+2sS4FwvCDkeqkRJCmuh7cnN61lCVoPbS1DO8d1tGndueaW9/wpSFq8MOR6qJEkKaKLvG0bqSPTxTzVWC2ktT010XdeKCzscz7sUC5q7cEHY4Ug2UENLIOSdnVnuVoPbS1FW7lvHnYd3odEIjbp2+hBXrtoUdksSZEkIaKasS1lZTlaD20tTXoG4Gk67vxbH1Mxg5JY+N23Vf5lSihJBmqqtKUHtp+mjZuD6Tru/Fll37GTU1n937wj8LXuJDCSHNRM5ejm+VoPbS9HNaq8b8eVg3Pvi8hB8+s5SDui9zSogpIZjZYDNbZWaFZnbXIeZcaWYFZrbczKZHjR8ws6XB1+yo8Teixtea2ayj3xyJxbnZmfRo2yQuVYLaS9PXN7q05O6LTuXlD9fzx1dXhR2OxEGlCcHMagPjgYuAzsBwM+tcbk42cDfQ1927AGOjFu92927B15CyQXc/t2wceBt4/ug3R2JRdl7C2pI9PLv4yKsEtZfKqHM7MKxXG8bP+/io/i9JYoilQugNFLp7kbvvA2YAQ8vNGQWMd/ctAO6+MdYAzOw4YACgCqEGlVUJ4+cWsq/0yM4+LWsvvem8DmovTVNmxq8vOY2zOzbn7uc/YFHR5rBDkqMQS0JoBURfKrM4GIuWA+SY2UIzW2Rmg6OW1Tez/GD8kgqe/1LgNXevsIfNzG4K1s/ftGlTDOFKLKKrhGcWV/1KqNHtpXcNPrUaIpRkUad2LR66pidtmjXglicWs/qLnWGHJEcoloRQUe9g+U+QMoBsoB8wHJhoZk2CZW3dPRe4GrjfzDqWW3c48NShXtzdJ7h7rrvnZmXpkEQ8nZudSfcjqBI+LI60l56u9lIJNG5Qh8dG9MKAkVPy2LpL92VORrEkhGKgTdTj1kD5u2YUAy+4+353Xw2sIpIgcPe1wfciYD7QvWwlM2tO5JDUS0cYvxyFI6kS1m7dzcipkfbSR9VeKlFOat6QR67N5bMtu7jlicVHfChSwhNLQsgDss2svZnVBYYBs8vNmQX0BzCzTCKHkIrMrKmZ1Ysa7wtEXx3rCuBFd9fZLSE5L6gSHpz3caVv4LL20t1qL5VD6N2+Gb//9uksKvqSn83SfZmTTaUJwd1LgdHAHGAFMNPdl5vZODMr6xqaA2w2swJgHnCnu28GOgH5ZvZ+MP47d49OCMM4zOEiqX5lVcLnW3cftkuk9MBBRqu9VGJwWY/W3DrgZGbmF/PIgqKww5EqsGTK4Lm5uZ6fnx92GCnH3bnsobfYuG0v8+7oR92MWl9b/osXlvP4ok/4n0u7cvWZbUOKVJLFwYPOrTOW8PKH63jomh4MPu2EsENKa2a2OPgs97B0prJ8dfbyoaqEyQvX8PiiSHupkoHEolYt449XnMEZrZsw9umlfFC8NeyQJAZKCALA+TlZdGvThPHz/rPj6B/L1/OblwoY3KWl2kulSurXqc2j1+XSvGE9bpyaz7qS3WGHJJVQQhDg31dC/Xzrbp57L1IlfFhcwpgZSzm9VWPuu6qb2kulyrKOq8fkEb3Yte8AN0zJZ+fe0rBDksNQQpCvlFUJD8wt5JPNO9VeKnFxSsvjeODq7qxav43bnlrCAV0IL2EpIchXoquEb/31TbWXStz0O6UFvxzShddWbuR/Xl4RdjhyCEoI8h/KqoRd+w6ovVTi6ro+7RhxdjsmvbmaJxZ9EnY4UoGMsAOQxGJmTLi2J+tK9nBGmyaVryBSBT/7ZifWbN7Jz2YtY8mnW/nx4FNo0UgVaKJQhSBf06JRfSUDqRYZtWvx4DU9uPn8Dsx+/3P6/2E+j7xe+VnyUjOUEESkRjWom8HdF3XiHz84n7M6NOeev6/kwvsXMHflhrBDS3tKCCISivaZDZk0ohePfTdyldQbpuQz4rF3+XjTjrBDS1tKCCISqv6ntOCVsefx04s7kb9mC4PvX8D/vLyC7Xv2hx1a2lFCEJHQ1c2oxajzOjD3jvO5pFsrJiwoov8fXueZ/M84qPMWaowSgogkjBbH1efeK87ghe/3pU2zY7jz2Q+49KG3WPLplrBDSwtKCCKScM5o04TnbjmbP15xBmu37ubSB9/i9plL2bhNt06pTkoIIpKQatUyvt2zNfPu6Mct53fkxffX0f8P83lo/sfsLT0QdngpSQlBRBLasfUyuOuiU/nHD86jT8fm/P6VlVx43wJeW7FBd2SLMyUEEUkK7TIbMvH6Xkz5bi9q1TJGTs1nxGN5alONo5gSgpkNNrNVZlZoZncdYs6VZlZgZsvNbHrU+AEzWxp8zY4aNzP7rZl9ZGYrzOy2o98cEUl1/U5pwStjzuNn3+zEe59s4cL7FvDblwrYpjbVo1bpLTTNrDbwEXABUAzkAcOj741sZtnATGCAu28xsxbuvjFYtsPdj63geb8L9AdGuPsUuKEZAAALj0lEQVTB6HUORbfQFJFom7bv5d45K3lmcTHNG9blRxeeyuU9W+veHeXE8xaavYFCdy9y933ADGBouTmjgPHuvgWgsl/sge8B49z9YBXWERH5StZx9fjfyyNtqm2bNeBHz33ApQ8u5D21qR6RWBJCK+CzqMfFwVi0HCDHzBaa2SIzGxy1rL6Z5Qfjl0SNdwSuCpb9PagyRESq7PTWTXjue2dz31VnsK5kD5c9+Ba3P72UDWpTrZJYLn9dUe1V/jhTBpAN9ANaA2+Y2WnuvhVo6+5rzawDMNfMPnT3j4F6wB53zzWzy4DJwLlfe3Gzm4CbANq21Q3eRaRiZsal3VtzQeeWjJ9XyKQ3VvPK8vWMHnAyI89pT70M3fWvMrFUCMVAm6jHrYG1Fcx5wd33u/tqYBWRBIG7rw2+FwHzge5R6zwX/Px/wOkVvbi7T3D3XHfPzcrKiiFcEUlnx9bL4MeDI22qZ3fM5H9fWcU37lvAPwvUplqZWBJCHpBtZu3NrC4wDJhdbs4sIh8QY2aZRA4hFZlZUzOrFzXeFyiIWmdA8PP5RD64FhGJi0ibai5Tb+hNRi3jxmn5XP9YHoUb1aZ6KJUmBHcvBUYDc4AVwEx3X25m48xsSDBtDrDZzAqAecCd7r4Z6ATkm9n7wfjvorqTfgd828w+BO4BboznhomIQOS2sK+MjbSpLvkkcjXV37yoNtWKVNp2mkjUdioiR+OLHXu595VVzFz8Gc0b1uXOC0/hip5tUr5NNZ5tpyIiKSHz2Hr8/vLTmf39czipeUN+/NyHDB2/kMWffBl2aAlBCUFE0k7X1o159pY+3H9VNzZu38O3H3qbH6hNVQlBRNKTmXFJ91bM/WE/vt+/Iy99ELma6vh5hezZn55XU1VCEJG01rBeBndeeCqv3n4efU/O5N45kTbVV9OwTVUJQUQEOKl5Qx69LpdpN/SO3NJzWj7XTX6Xwo3bww6txighiIhEOS8ni7+POZeff6szSz/byuD732Dc3woo2Z36bapKCCIi5dSpXYuR57Rn3h39uCK3NY+9tZoBf5jPjHc/5cDB1D2MpIQgInIImcfW457LIm2q7TMbctfzHzJ0/Jvkr0nNNlUlBBGRSnRt3ZhnbunDn4d144vt+7j84bcZO2MJ60tSq01VCUFEJAZmxtBurXjth+czuv/JvLxsPQP+mFptqkoIIiJV0LBeBndceAr//MH5nBPVpjpn+fqkb1NVQhAROQJtmzdgwnW5PDHyTOpl1OLmxxdz3eR3+deG5G1TVUIQETkK52Rn8vKYc/lFWZvqn9/gV39bnpRtqkoIIiJHqU7tWtxwTnvm39GPK3PbMOWtNfT/w3yeSrI2VSUEEZE4aX5sPe65rCt/G30OHbMacvfzHzLkgeRpU1VCEBGJs9NaNWbmzX34y/DubN4RaVMdM2MJ60p2hx3aYSkhiIhUAzNjyBknMveO87l1wMn8fdl6BvzhdR6Y+6+EbVNVQhARqUYN6mbww2+cwmu3n895OZn84R8fccF9r/PKssRrU40pIZjZYDNbZWaFZnbXIeZcaWYFZrbczKZHjR8ws6XB1+yo8SlmtjpqWbej3xwRkcTUplkDHrk2lydvPJNj6tTmlicWc+2kxGpTrfSeymZWG/gIuAAoBvKA4e5eEDUnG5gJDHD3LWbWwt03Bst2uPuxFTzvFOBFd3821mB1T2URSQWlBw7yxKJP+NOrH7Fz3wGuPeskfjAoh8YN6lTL68Xznsq9gUJ3L3L3fcAMYGi5OaOA8e6+BaAsGYiIyNdl1K7FiL6Rq6le1asNU99eQ/8/zmf6O+G2qcaSEFoBn0U9Lg7GouUAOWa20MwWmdngqGX1zSw/GL+k3Hq/NbMPzOw+M6tX0Yub2U3B+vmbNm2KIVwRkeTQ/Nh6/M+lXXnx1nM4OetYfvJ/kTbVvJDaVGNJCFbBWPkUlgFkA/2A4cBEM2sSLGsblCpXA/ebWcdg/G7gVKAX0Az4cUUv7u4T3D3X3XOzsrJiCFdEJLl0ObExT998Fn8d3p0vd+7jioff5ranar5NNZaEUAy0iXrcGlhbwZwX3H2/u68GVhFJELj72uB7ETAf6B48XucRe4HHiByaEhFJS2bGf51xIq/98HxuG3AyryyPtKn+9bWaa1ONJSHkAdlm1t7M6gLDgNnl5swC+gOYWSaRQ0hFZta07FBQMN4XKAgenxB8N+ASYNnRb46ISHJrUDeD24M21X6nZPHHVz9i0J9eZ9X66u9GyqhsgruXmtloYA5QG5js7svNbByQ7+6zg2XfMLMC4ABwp7tvNrOzgUfM7CCR5PO7qO6kJ80si8ghqaXALXHfOhGRJNWmWQMe+k5P3ir8gocXFNGm2THV/pqVtp0mErWdiohUXTzbTkVEJA0oIYiICKCEICIiASUEEREBlBBERCSghCAiIoASgoiIBJQQREQESLIT08xsE/DJEa6eCXwRx3DiRXFVjeKqGsVVNaka10nuXunVQZMqIRwNM8uP5Uy9mqa4qkZxVY3iqpp0j0uHjEREBFBCEBGRQDolhAlhB3AIiqtqFFfVKK6qSeu40uYzBBERObx0qhBEROQwUi4hmNlgM1tlZoVmdlcFy+uZ2dPB8nfMrF2CxDXCzDaZ2dLg68YaiGmymW00swrvVmcRfwli/sDMelR3TDHG1c/MSqL21S9qKK42ZjbPzFaY2XIzG1PBnBrfZzHGVeP7zMzqm9m7ZvZ+ENevKphT4+/HGOOq8fdj1GvXNrMlZvZiBcuqd3+5e8p8Ebmj28dAB6Au8D7Qudyc/wc8HPw8DHg6QeIaATxQw/vrPKAHsOwQyy8G/k7krnZnAe8kSFz9gBdD+P91AtAj+Pk44KMK/h1rfJ/FGFeN77NgHxwb/FwHeAc4q9ycMN6PscRV4+/HqNe+HZhe0b9Xde+vVKsQegOF7l7k7vuAGcDQcnOGAlODn58FBgb3dQ47rhrn7guALw8zZSgwzSMWAU3K7oUdclyhcPd17v5e8PN2YAXQqty0Gt9nMcZV44J9sCN4WCf4Kv+hZY2/H2OMKxRm1hr4JjDxEFOqdX+lWkJoBXwW9biYr78xvprj7qVACdA8AeIC+HZwmOFZM2tTzTHFIta4w9AnKPn/bmZdavrFg1K9O5G/LqOFus8OExeEsM+Cwx9LgY3Aq+5+yP1Vg+/HWOKCcN6P9wM/Ag4eYnm17q9USwgVZcrymT+WOfEWy2v+DWjn7qcD/+TffwWEKYx9FYv3iJyKfwbwV2BWTb64mR0LPAeMdfdt5RdXsEqN7LNK4gpln7n7AXfvBrQGepvZaeWmhLK/Yoirxt+PZvYtYKO7Lz7ctArG4ra/Ui0hFAPRmbw1sPZQc8wsA2hM9R+eqDQud9/s7nuDh48CPas5pljEsj9rnLtvKyv53f1loI6ZZdbEa5tZHSK/dJ909+crmBLKPqssrjD3WfCaW4H5wOByi8J4P1YaV0jvx77AEDNbQ+Sw8gAze6LcnGrdX6mWEPKAbDNrb2Z1iXzoMrvcnNnA9cHPlwNzPfiEJsy4yh1nHkLkOHDYZgPXBZ0zZwEl7r4u7KDMrGXZcVMz603k//HmGnhdAyYBK9z9T4eYVuP7LJa4wthnZpZlZk2Cn48BBgEry02r8fdjLHGF8X5097vdvbW7tyPyO2Kuu3+n3LRq3V8Z8XqiRODupWY2GphDpLNnsrsvN7NxQL67zybyxnnczAqJZNZhCRLXbWY2BCgN4hpR3XGZ2VNEuk8yzawY+G8iH7Dh7g8DLxPpmikEdgHfre6YYozrcuB7ZlYK7AaG1UBSh8hfcNcCHwbHnwF+ArSNii2MfRZLXGHssxOAqWZWm0gCmunuL4b9fowxrhp/Px5KTe4vnaksIiJA6h0yEhGRI6SEICIigBKCiIgElBBERARQQhARkYASgoiIAEoIIiISUEIQEREA/j9WQvLOnmkhwgAAAABJRU5ErkJggg==\n", "text/plain": [ "" ] }, "metadata": { "needs_background": "light" }, "output_type": "display_data" } ], "source": [ "t = timings(command, setup, 1, 0)\n", "plt.plot(t)\n", "plt.show()" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## 3. Guessing the First Letter of the Password" ] }, { "cell_type": "code", "execution_count": 45, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "array(['A', 'B', 'C', 'D', 'E'], \n", " dtype='|S1')" ] }, "execution_count": 45, "metadata": {}, "output_type": "execute_result" } ], "source": [ "letters = np.array(list(string.ascii_uppercase[:5]))\n", "#letters = np.array(list(string.uppercase[:5])) ### for python 2\n", "letters" ] }, { "cell_type": "code", "execution_count": 49, "metadata": {}, "outputs": [], "source": [ "password = 'DEC'\n", "function = 'mycmp'\n", "setup = 'from __main__ import ' + function" ] }, { "cell_type": "code", "execution_count": 50, "metadata": {}, "outputs": [], "source": [ "repeat = 1\n", "warmup = 1\n", "t = np.zeros((len(letters), repeat))\n", "for i, l in enumerate(letters):\n", " guess = l * len(password)\n", " cmd = function + '(\"' + guess + '\", \"' + password + '\")'\n", " t[i] = timings(cmd, setup, repeat=repeat, warmup=warmup)" ] }, { "cell_type": "code", "execution_count": 51, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "[[ 0.35237288]\n", " [ 0.35502005]\n", " [ 0.36898518]\n", " [ 0.40650392]\n", " [ 0.34397602]]\n" ] } ], "source": [ "print(t)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**WORK** : Determine a criteria allowing the decision on the first letter in the next cell" ] }, { "cell_type": "code", "execution_count": 54, "metadata": {}, "outputs": [], "source": [ "# TO DO : decision on the first letter" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## 4. Guessing the Next Letters" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "**WORK** : You know the first letter of the password, well done ! \n", "\n", "You can now modify the previous cell code for guessing the next letters. \n", "For that purpose, you can add a variable called `prefix` initialized with the known part of the password. " ] }, { "cell_type": "code", "execution_count": 57, "metadata": {}, "outputs": [], "source": [ "# TO DO : guess the next letter" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## 5. Attack Function\n", "\n", "**WORK**: write a complete attack function based on the principles proposed above and use it to attack the `verify_password` function below." ] }, { "cell_type": "code", "execution_count": 58, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "(True, False)" ] }, "execution_count": 58, "metadata": {}, "output_type": "execute_result" } ], "source": [ "def verify_password(test_password):\n", " \"Verify that the test password is the reference one.\"\n", " reference_password = 'BAD'\n", " return mycmp(reference_password, test_password)\n", "\n", "verify_password('BAD'), verify_password('ABC')" ] }, { "cell_type": "code", "execution_count": 59, "metadata": {}, "outputs": [], "source": [ "#TO DO : Complete attack" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## 6 Counter-Measure(s)\n", "\n", "**WORK**: propose a countermeasure to avoid this type of timing attack. Write a new, safer, password comparison function and evaluate it. If there is still a small leakage, propose improved protections." ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 2 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython2", "version": "2.7.13" } }, "nbformat": 4, "nbformat_minor": 2 }