Upload
others
View
11
Download
0
Embed Size (px)
Citation preview
Electromagnetic Transient Fault Injection on AES
Fault Diagnosis and Tolerance in CryptographyLeuven, Belgium
Sunday, September 9, 2012
Amine DEHBAOUI ¹, Jean-Max DUTERTRE ²,
Bruno ROBISSON ¹, Assia TRIA ¹
(1) (2)
Outline
17 septembre 2012 | PAGE 2
Context
Electromagnetic pulse injection Bench
Transient electromagnetic fault on a software implementation of the AES
Transient electromagnetic fault on a hardware implementation of the AES
Transient electromagnetic fault on a hardware implementation of the AES with countermeasure
Conclusion
D Q D Q
Logic
clk
data1 1 1 1
Dff i Dff i+1
n m
Dclk->Q
DpMax
Tclk + Tskew - Tsetup
data required time = Tclk + Tskew - Tsetupdata arrival time = Dclk->Q + DpMax
Violating this timing constraint results in fault injection.Usually IC are designed to tolerate : Vdrops < 0.1 x Vdd
Context : Synchronous Digital IC Timing Constraints
| PAGE 3
Tclk > Dclk->Q + DpMax - Tskew + Tsetup
F(Vdd)
CONTEXT : Fault Injection
17 septembre 2012 | PAGE 4
1100101010101010101000001010101010101010
00001010101010100010
Plaintext
CorrectCiphertext
FaultyCiphertext
Modifying the behavior of the chip and recovering sensitive data
Various experimental setups are used
Underpowering / overclocking a device
A rise in temperature may also induce faults
The use of optical radiations : flash bulb, laser beam
The use of EM radiations : harmonic, pulse
CONTEXT : Fault Injection and the EM Channel
17 septembre 2012 | PAGE 5
EM Channel : main strengths
Does not require depackaging the target.
Does target the upper metal Layer (Power/Ground or Clock networks).
May bypass some countermeasures (light sensors, global power filtering …).
Low cost and no specific countermeasures.
Our objectives :
Report actual fault injections on two typical targets (HW/SW) .
Explain the behavior of the faults induced by a very short EM pulse (EMP).
Analyze whether the effect of the EMP on the target is global or local.
Find out the mechanism involved in the injection of a fault by an EMP.
Electromagnetic pulse injection Bench
17 septembre 2012
| PAGE 6
CEA | 10 AVRIL 2012
Electromagnetic pulse injection Bench
17 septembre 2012 | PAGE 7
Pulse gen.
Motorized stage
Target
Trigger signal
GP
IB
I/O
Pulse generatorRohde & Schwartz magnetic antenna
(500µm diameter)X-Y-Z motorized stageControl PC (GPIB + RS232 )
Pulse generator characteristics
Platform built of :
Amplitude : 1-100 VPulse width : 9 ns – 1 msRising / Falling times : 5 nsLow jitter : < 45 ps
FPGAMCU
Transient electromagnetic faults on a software implementation of the AES
17 septembre 2012
| PAGE 8
CEA | 10 AVRIL 2012
Transient electromagnetic faults on a software implementation of the AES
17 septembre 2012 | PAGE 9
Smartcard emulation board8-bits AVR Atmega 128 MCU (techno 0,35µm)Harvard architecture128 KB Flash program memory4 KB SRAMOperating voltage : 4.5 – 5.5 VOperating frequency : 3.57 MHz => Tclk = 280 nsSoftware AES implementation
Power supply trace during EMP injection
Z position EMP
amplitude
EMP
width
Clk
period
Rise/fall
times
< 500 µm 100V 50ns 280ns 5ns
EMP parameters
Voltage drop ofabout 200 mV
Is this voltage drop induces faults ???
S0,0 S0,1 S0,2 S0,3
S1,0 S1,1 S1,2 S1,3
S2,0 S2,1 S2,2 S2,3
S3,0 S3,1 S3,2 S3,3
AES encryption : Round 10 (90µs)
S0,0
S3,0S1,0 S2,0
S2,3 S3,3S3,2S2,1S1,1S0,3
S0,1S0,2 S2,2 S1,3
0,28 5,53 6,53 9,78 12,4 19,3 25,5 33,7 55,7 63,4 65,9 69,5 74,5 75 87,5 87,9
S3,1
S1,2
µs
AES state
Powered chip : 5VExecution of the AES-128Trigger signal at the beginning of the 10th roundWe swept the instant of the EMP by steps of 100nsAt each step => 1000 encryptions with and without EMPThe faulty byte is determined
Transient electromagnetic faults on a software implementation of the AES
| PAGE 10
1 LDD R26 , Y+ i load state address2 LDI R27 , 0x003 SUBI R26 , 0x004 SBCI R27 , 0xF55 LD R24 , X load state i6 STD Y+k , R24 store state i7 LDI R31 , 0x008 SUBI R30 , 0x009 SBCI R31 , 0xF510 LD R24 , Z load state i+111 STD Y+i , R24 store state i+1
1 LDD R24 , Y+ i load subkey2 LD R25 , X load state3 EOR R24 , R25 Exclusive OR4 STD Z+i , R24 store result
AddRoundKey opcodes
SubBytes ans ShiftRows opcodes
Transient electromagnetic faults on a software implementation of the AES
Sla
ck =
0 (
+/-)
ξ
Occurrence rate of the induced faults versus EMP amplitude
Sla
ck <
0
Sla
ck >
0
Deterministic and reproducible effectEMP injection prevents the CPU from executing some instructionsby violating the timing constraints
| PAGE 11
Transient electromagnetic faults on a hardware implementation of the AES
17 septembre 2012
| PAGE 12
CEA | 10 AVRIL 2012
FPGA Spartan 3Techno 130nmOperating voltage : 1.2 voltsOperating frequency : 100 MHzHardware AES implementation
Z position EMP
amplitude
EMP
width
Clk
period
Rise/fall
times
< 500 µm 100V 10ns 10ns 5ns
EMP parameters
Round Exe
Key Exp
FSM
Transient electromagnetic faults on a hardware implementation of the AES
| PAGE 13
Transient electromagnetic faults on a hardware implementation of the AES
17 septembre 2012 | PAGE 14
Round Exe
Key Exp
FSM
At each position, an EMP is injected 100V-10nsThe corresponding faulted ciphertext is retrieved 1,000 encryptions of the same plaintext30x30 different locationsAntenna diameter : 500 µmDisplacement step : 500 µm
7 mm
7 m
m
Localized effect of the EMP Good correlation between the Floorplan and the cartographyDeterministic and reproducible effect
0 5 10 15 20 25 30
0
5
10
15
20
25
30 0
1
2
3
4
5
6
7
8
Faultedbytes
Faults cartography
occurrence
occurrence
0 5 10 15 20 25 30
0
5
10
15
20
25
30
Faults cartographyY
X
0% 10% 20% 30% 40% 50% 60%
byte 0
byte 1
byte 2
byte 3
byte 4
byte 5
byte 6
byte 7
byte 8
byte 9
byte 10
byte 11
byte 12
byte 13
byte 14
byte 15
Position 3 (X3, Y3, Z)0% 10% 20% 30% 40% 50% 60%
byte 0
byte 1
byte 2
byte 3
byte 4
byte 5
byte 6
byte 7
byte 8
byte 9
byte 10
byte 11
byte 12
byte 13
byte 14
byte 15
Position 1(X1, Y1, Z)
0% 10% 20% 30% 40% 50% 60%
byte 0
byte 1
byte 2
byte 3
byte 4
byte 5
byte 6
byte 7
byte 8
byte 9
byte 10
byte 11
byte 12
byte 13
byte 14
byte 15
single-bit faultsmulti-bit faults
Position 2
(X2, Y2, Z)
Transient electromagnetic faults on a hardware implementation of the AES
Ability to inject single-bit and multi-bits faults into AES calculationsInduced faults are timing faultsMay fault any paths (even subcritical paths)
| PAGE 15
Transient electromagnetic faults on a hardware implementation of the AES with countermeasure
17 septembre 2012
| PAGE 16
CEA | 10 AVRIL 2012
Transient electromagnetic faults on a hardware implementation of the AES with countermeasure
| PAGE 17
FPGA Spartan 3Techno 130nmOperating voltage : 1.2 volts
CLK 1
Programmable monitoring delay
CLK 1delayed
Operating frequency : 100 MHzHardware AES implementationCountermeasure (detection of timing violations )
compalarm
0 5 10 15 20 25 30
0
5
10
15
20
25
30 0
1
2
3
4
5
6
7
8
Faults cartography
At each position, an EMP is injected The corresponding faulted ciphertext (if any) is retrieved The value of the alarm flag is stored 1,000 encryptions of the same plaintext30x30 different locations of the injection probe (step 500 µm)
Localized effect of the EMP The EMP is detected only in some positionsPossibility to induce faults without triggering the alarm
0 5 10 15 20 25 30
0
5
10
15
20
25
30
Alarms cartography
alarm
no alarm
Transient electromagnetic faults on a hardware implementation of the AES with countermeasure
| PAGE 18
Conclusion
17 septembre 2012
| PAGE 19
CEA | 10 AVRIL 2012
Conclusion
17 septembre 2012 | PAGE 20
Ability to inject single-bit and multi-bits faults into AES calculations
Induced faults are timing faults due to voltage dro ps
Localized effect : the coupling depends of the IC Layout
May bypass power supply low-pass filtering
May fault any paths (even subcritical paths)
Direction de la Recherche TechnologiqueDSIS / LCS Systèmes et Architectures Sécurisés
Commissariat à l’énergie atomique et aux énergies al ternativesCentre de Microélectronique de Provence | 13541 GardanneT. +33 (0) 4.42.61.67.31| F. +33 (0) 4.42.61.65.92
Etablissement public à caractère industriel et comme rcial | RCS Paris B 775 685 01917 septembre 2012
| PAGE 21
CEA | 10 AVRIL 2012
Any questions ?
Email : [email protected]