Monday, June 6, 2011

VAM2 workshop - day 2

Similar to the first day, the second day of ECRYPT II VAM2 Workshop on Practical Implementation Attacks was mostly dedicated to industry talks. The morning session started with a very interesting talk given by Steven Murdoch from Cambridge University who presented man-in-the middle attacks for chip and PIN payments. It was his second talk on this workshop and the second one being as interesting as the first one on the day before. He described possibilities how to use a fake terminal to perform an on-line attack and charge the user more for a transaction then he would expect.

Next, Benoit Feix from Inside Secure gave a talk about the Daily Life for a Secure Product in the Industry, where he introduced threats and countermeasures against physical attacks and a more general overview of how companies have to deal with it in their product and design life cycle. Afterwards, Lex Schoonen gave a talk about the Practical Aspects of Security Evaluation where he described the use and pitfalls of Common Criteria standards. He also presented a couple of practical evaluation examples which shown out-of-the-box thinking, e.g. use an UZI gun to shoot away a chip from the PCB board which was responsible for raising an alarm and erasing the key storage. The trick was to be quicker than the signal propagation time, chip setup time etc. So it seems that that the UZI has a new application.

The workshop ended with two talks given by Sergei Skorobogatov from Cambridge University in which he presented Fault Attacks on Secure Chips and Side-channel Attacks: New Directions and Horizons. Both talks were very interested, specially the second one where we could hear about new measurement setups with lower noise. This allows to perform power attacks quicker and with less traces. Unfortunately, to achieve lower noise, lots of design details have to be know in advance. The whole idea also suffers from randomization issues but nevertheless the overall performance improvement was significant.

No comments:

Post a Comment