![]() ![]() ![]() IACR Cryptology ePrint Archive, 501 (2009)īrier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. Springer, Heidelberg (2012)īos, J.W., Osvik, D.A., Stefan, D.: Fast Implementations of AES on Various Platforms. Springer, Heidelberg (2003)īardou, R., Focardi, R., Kawamoto, Y., Simionato, L., Steel, G., Tsay, J.-K.: Efficient padding oracle attacks on cryptographic hardware. KeywordsĪgrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM Side-Channel(s). ![]() In consequence, an adversary is able to generate valid OTPs, even after the Yubikey 2 has been returned to the owner. The attack leaves no physical traces on the device and can be performed using low-cost equipment. We show that by non-invasively measuring the power consumption and the electro-magnetic emanation of the device, an adversary is able to extract the full 128-bit AES key with approximately one hour of access to the Yubikey 2. In this paper, we analyse the susceptibility of the Yubikey 2 to side-channel attacks. This device employs an open-source protocol based on the mathematically secure AES and emulates a USB keyboard to enter the OTP in a platform-independent manner. A relatively new yet wide-spread example for an OTP token is the Yubikey 2 produced by Yubico. The token itself comprises a secret cryptographic key that, together with timestamps and counters, is used to derive a fresh OTP for each authentication. A particularly wide-spread approach provides each user with a hardware token that generates a One-Time Password (OTP) in addition to the traditional credentials. To overcome this problem, numerous solutions incorporating a second factor in the authentication process have been proposed. ![]() The classical way of authentication with a username-password pair is often insufficient: an adversary can choose from a multitude of methods to obtain the credentials, e.g., by guessing passwords using a dictionary, by eavesdropping on network traffic, or by installing malware on the system of the target user. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |