Electromagnetic Transient Fault Injection on AES

Fault Diagnosis and Tolerance in Cryptography
Leuven, Belgium
Sunday, September 9, 2012

Amine DEHBAOUI ¹, Jean-Max DUTERTRE ², Bruno ROBISSON ¹, Assia TRIA ¹
(1) (2)

Outline

September 17, 2012 | PAGE 2

Context

Electromagnetic pulse injection Bench

Transient electromagnetic fault on a software implementation of the AES

Transient electromagnetic fault on a hardware implementation of the AES

Transient electromagnetic fault on a hardware implementation of the AES with countermeasure

Conclusion

Context : Synchronous Digital IC Timing Constraints

[Figure: two D flip-flops (Dff i, Dff i+1) sharing clk, with a Logic block between them (n-bit data in, m-bit out), annotated with Dclk->Q, DpMax and Tclk + Tskew - Tsetup]

data required time = Tclk + Tskew - Tsetup
data arrival time = Dclk->Q + DpMax

Tclk > Dclk->Q + DpMax - Tskew + Tsetup

F(Vdd)

Violating this timing constraint results in fault injection.
ICs are usually designed to tolerate : Vdrops < 0.1 x Vdd
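The timing constraint above, worked as an added example (not part of the original slides): a Python model that stretches path delays as the supply droops and reports which flip-flops miss setup. The alpha-power delay law, VTH, ALPHA, the two paths and their delays are assumptions chosen for illustration, and the per-path local supply generalizes the slide's single Vdd.

```python
# Added example: setup-slack model for
#   Tclk > Dclk->Q + DpMax - Tskew + Tsetup
# Delay scaling uses the alpha-power law; VTH, ALPHA and all path delays
# below are constructed values, not measurements from the talk.
VDD_NOM, T_CLK = 1.2, 10.0          # volts, ns (100 MHz clock)
VTH, ALPHA = 0.4, 1.3               # assumed device parameters

PATHS = {                           # delays in ns at nominal Vdd
    "critical":    {"d_clk_q": 0.5, "dp_max": 8.0, "t_skew": 0.0, "t_setup": 0.3},
    "subcritical": {"d_clk_q": 0.5, "dp_max": 5.0, "t_skew": 0.0, "t_setup": 0.3},
}

def delay_scale(vdd):
    """Factor by which gate delays stretch when the supply falls to vdd."""
    d = lambda v: v / (v - VTH) ** ALPHA
    return d(vdd) / d(VDD_NOM)

def slack(path, vdd):
    """Data required time minus data arrival time, in ns (negative = fault)."""
    required = T_CLK + path["t_skew"] - path["t_setup"]
    arrival = delay_scale(vdd) * (path["d_clk_q"] + path["dp_max"])
    return required - arrival

def min_safe_vdd(path, tol=1e-4):
    """Lowest supply that still meets setup, found by bisection."""
    lo, hi = VTH + 0.05, VDD_NOM    # lo violates timing, hi meets it
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if slack(path, mid) >= 0:
            hi = mid
        else:
            lo = mid
    return hi

def violations(local_vdd):
    """Paths whose flip-flop misses setup, given the supply seen by each path."""
    return sorted(n for n, p in PATHS.items() if slack(p, local_vdd[n]) < 0)

if __name__ == "__main__":
    for name, p in PATHS.items():
        print(name, "slack at nominal:", round(slack(p, VDD_NOM), 2), "ns,",
              "min safe Vdd:", round(min_safe_vdd(p), 3), "V")
    # Uniform 10 % droop (the usual design tolerance): no path fails.
    print(violations({n: 0.9 * VDD_NOM for n in PATHS}))
    # Droop confined to the subcritical path's region: only that path fails.
    print(violations({"critical": VDD_NOM, "subcritical": 0.7}))
```

In this model a margin sized for a uniform 10 % droop says nothing about a droop confined to one region, which is why per-path slack, not only the critical path, matters when assessing timing-fault exposure.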

CONTEXT : Fault Injection

[Figure: a plaintext is encrypted into a correct ciphertext and, under fault injection, into a faulty ciphertext]

Modifying the behavior of the chip and recovering sensitive data

Various experimental setups are used

Underpowering / overclocking a device

A rise in temperature may also induce faults

The use of optical radiations : flash bulb, laser beam

The use of EM radiations : harmonic, pulse

CONTEXT : Fault Injection and the EM Channel

EM Channel : main strengths

Does not require depackaging the target.

Does target the upper metal Layer (Power/Ground or Clock networks).

May bypass some countermeasures (light sensors, global power filtering …).

Low cost and no specific countermeasures.

Our objectives :

Report actual fault injections on two typical targets (HW/SW) .

Explain the behavior of the faults induced by a very short EM pulse (EMP).

Analyze whether the effect of the EMP on the target is global or local.

Find out the mechanism involved in the injection of a fault by an EMP.

Electromagnetic pulse injection Bench

CEA | April 10, 2012

[Figure: bench diagram showing the pulse generator, motorized stage, target (FPGA / MCU), trigger signal, GPIB and I/O links]

Platform built of :
Pulse generator
Rohde & Schwarz magnetic antenna (500 µm diameter)
X-Y-Z motorized stage
Control PC (GPIB + RS232)

Pulse generator characteristics
Amplitude : 1-100 V
Pulse width : 9 ns – 1 ms
Rising / Falling times : 5 ns
Low jitter : < 45 ps

Transient electromagnetic faults on a software implementation of the AES

Smartcard emulation board
8-bit AVR Atmega 128 MCU (0.35 µm technology)
Harvard architecture
128 KB Flash program memory
4 KB SRAM
Operating voltage : 4.5 – 5.5 V
Operating frequency : 3.57 MHz => Tclk = 280 ns
Software AES implementation

EMP parameters
Z position : < 500 µm
EMP amplitude : 100 V
EMP width : 50 ns
Clk period : 280 ns
Rise/fall times : 5 ns

[Figure: power supply trace during EMP injection, showing a voltage drop of about 200 mV]

Does this voltage drop induce faults?

[Figure: AES state matrix (S0,0 to S3,3) and a timeline, in µs, of AES encryption Round 10 (90 µs) labelled with the state bytes]

Powered chip : 5 V
Execution of the AES-128
Trigger signal at the beginning of the 10th round
We swept the instant of the EMP by steps of 100 ns
At each step => 1000 encryptions with and without EMP
The faulty byte is determined

SubBytes and ShiftRows opcodes

LDD  R26, Y+i     ; load state address
LDI  R27, 0x00
SUBI R26, 0x00
SBCI R27, 0xF5
LD   R24, X       ; load state i
STD  Y+k, R24     ; store state i
LDI  R31, 0x00
SUBI R30, 0x00
SBCI R31, 0xF5
LD   R24, Z       ; load state i+1
STD  Y+i, R24     ; store state i+1

AddRoundKey opcodes

LDD  R24, Y+i     ; load subkey
LD   R25, X       ; load state
EOR  R24, R25     ; exclusive OR
STD  Z+i, R24     ; store result

[Figure: occurrence rate of the induced faults versus EMP amplitude, with regions Slack > 0, Slack = 0 (+/-) ξ and Slack < 0]

Deterministic and reproducible effect
EMP injection prevents the CPU from executing some instructions by violating the timing constraints

Transient electromagnetic faults on a hardware implementation of the AES

FPGA Spartan 3
130 nm technology
Operating voltage : 1.2 volts
Operating frequency : 100 MHz
Hardware AES implementation

EMP parameters
Z position : < 500 µm
EMP amplitude : 100 V
EMP width : 10 ns
Clk period : 10 ns
Rise/fall times : 5 ns

[Figure: layout with blocks labelled Round Exe, Key Exp and FSM]

At each position, an EMP is injected (100 V - 10 ns)
The corresponding faulted ciphertext is retrieved
1,000 encryptions of the same plaintext
30x30 different locations
Antenna diameter : 500 µm
Displacement step : 500 µm

[Figure: floorplan (7 mm x 7 mm) with blocks Round Exe, Key Exp and FSM, beside the faults cartography: 30 x 30 grid of positions, colour scale = number of faulted bytes (0 to 8)]

Localized effect of the EMP
Good correlation between the Floorplan and the cartography
Deterministic and reproducible effect

[Figure: faults cartography (X, Y) and, for Position 1 (X1, Y1, Z), Position 2 (X2, Y2, Z) and Position 3 (X3, Y3, Z), a histogram of fault occurrence (0% to 60%) per byte (byte 0 to byte 15), split into single-bit faults and multi-bit faults]

Ability to inject single-bit and multi-bits faults into AES calculations
Induced faults are timing faults
May fault any paths (even subcritical paths)

Transient electromagnetic faults on a hardware implementation of the AES with countermeasure

FPGA Spartan 3
130 nm technology
Operating voltage : 1.2 volts
Operating frequency : 100 MHz
Hardware AES implementation
Countermeasure (detection of timing violations)

[Figure: countermeasure schematic with labels CLK 1, Programmable monitoring delay, CLK 1 delayed, comp, alarm]

[Figure: faults cartography (30 x 30 grid of positions, scale 0 to 8) and alarms cartography (30 x 30 grid of positions, alarm / no alarm)]

At each position, an EMP is injected
The corresponding faulted ciphertext (if any) is retrieved
The value of the alarm flag is stored
1,000 encryptions of the same plaintext
30x30 different locations of the injection probe (step 500 µm)

Localized effect of the EMP
The EMP is detected only in some positions
Possibility to induce faults without triggering the alarm
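One way to score a campaign like the one above from the defender's side, as an added example that is not part of the original slides: compare each retrieved ciphertext with the reference, classify faulted bytes as single-bit or multi-bit, and measure how many faulted encryptions the alarm flag caught. The reference ciphertext, the log records and all function names are constructed for illustration.

```python
from collections import Counter

# Constructed data (not from the talk): reference ciphertext and a short
# campaign log of (x, y, observed ciphertext, alarm flag) records.
REF = bytes.fromhex("00112233445566778899aabbccddeeff")

def flip(ct, masks):
    """Return ct with each byte index in masks XORed by its mask."""
    out = bytearray(ct)
    for idx, mask in masks.items():
        out[idx] ^= mask
    return bytes(out)

LOG = [
    (3, 4, REF, False),                                    # no effect
    (3, 5, flip(REF, {7: 0x10}), True),                    # fault, alarm
    (3, 5, flip(REF, {7: 0x10, 8: 0x02}), True),           # same spot, 2 bytes
    (9, 2, flip(REF, {0: 0x01}), False),                   # fault, no alarm
    (9, 3, flip(REF, {0: 0x81, 5: 0xFF, 12: 0x3C}), False),
    (20, 20, REF, True),                                   # alarm, no fault
]

def byte_faults(ref, obs):
    """Map each faulted byte index to 'single-bit' or 'multi-bit'."""
    kinds = {}
    for i, (a, b) in enumerate(zip(ref, obs)):
        diff = a ^ b
        if diff:
            one_bit = (diff & (diff - 1)) == 0
            kinds[i] = "single-bit" if one_bit else "multi-bit"
    return kinds

def analyze(log, ref=REF):
    fault_map, silent, kinds = {}, set(), Counter()
    detected = undetected = 0
    for x, y, obs, alarm in log:
        faults = byte_faults(ref, obs)
        # Cartography value: worst-case number of faulted bytes at (x, y).
        fault_map[(x, y)] = max(fault_map.get((x, y), 0), len(faults))
        kinds.update(faults.values())
        if faults and alarm:
            detected += 1
        elif faults:
            undetected += 1
            silent.add((x, y))        # fault slipped past the detector
    total = detected + undetected
    return {"fault_map": fault_map, "kinds": dict(kinds),
            "silent": sorted(silent),
            "coverage": detected / total if total else None}

if __name__ == "__main__":
    print(analyze(LOG))
```

The `silent` list is the figure of merit for the detector: any position appearing there is a place where the monitored path and the faulted path did not see the same disturbance.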

Conclusion

Ability to inject single-bit and multi-bits faults into AES calculations

Induced faults are timing faults due to voltage drops

Localized effect : the coupling depends on the IC layout

May bypass power supply low-pass filtering

May fault any paths (even subcritical paths)

Direction de la Recherche Technologique
DSIS / LCS Systèmes et Architectures Sécurisés

Commissariat à l’énergie atomique et aux énergies alternatives
Centre de Microélectronique de Provence | 13541 Gardanne
T. +33 (0) 4.42.61.67.31 | F. +33 (0) 4.42.61.65.92

Public establishment of an industrial and commercial nature | RCS Paris B 775 685 019

Any questions ?
