Side-Channel & Fault Attacks. Ruggero Susella, System Research & Applications, Security Roadmap, STMicroelectronics, 2018/12/06

Source: security.di.unimi.it/sicurezza1819/slides/20181206...


Page 1:

Side-Channel & Fault Attacks

Ruggero Susella

System Research & Applications – Security Roadmap

STMicroelectronics

2018/12/06

Page 2:

ST – Who are we?

Page 3:

STMicroelectronics

[World map legend: Front-End, Back-End, Research & Development, Main Sales & Marketing sites]

As of December 31, 2017

• Approximately 45,500 employees worldwide

• Approximately 7,400 people working in R&D

• 11 manufacturing sites

• Over 80 sales & marketing offices

• A global semiconductor leader

• 2017 revenues of $8.35B with year-on-year growth of 19.7%

• Listed: NYSE, Euronext Paris and Borsa Italiana, Milan

Page 4:

Application Strategic Focus

Smart Things · Smart Home & City · Smart Industry · Smart Driving

The leading provider of products and solutions for Smart Driving and the Internet of Things

Page 5:

Product Family Focus

The leading provider of products and solutions for Smart Driving and the Internet of Things

Portfolio delivering complementarity for target end markets, and synergies in R&D and manufacturing

• Dedicated Automotive ICs

• Analog, Industrial & Power Conversion ICs

• General Purpose & Secure MCUs

• EEPROM

• MEMS & Specialized Imaging Sensors

• Discrete & Power Transistors

• Digital ASICs

Page 6:

An Unwavering Commitment to R&D

Advanced research and development centers around the globe

~17,000 patents; ~9,500 patent families; ~500 new filings (in 2017)

~7,400 people working in R&D and product design

As of December 31, 2017

Page 7:

IoT connected devices

Very-high and sustained growth potential

[Chart: Number of IoT connected devices worldwide 2015-2025 (in billions)]

Page 8:

Secure Solutions

A broad range of secure solutions for different applications

• Secure storage: encryption

• Key generation and management

• Credential / device life-cycle management

• Platform integrity assurance

• Roots of trust

• Secure updates: software & firmware

• Secure communications

• Authentication

Page 9:

Security Challenges and Opportunities

Security must satisfy a challenging mix of requirements to match the targeted applications:

• Ultra low power devices

• Compact electronics

• Always connected solutions

• Cost effective platform

• Limited memory

• Physical access

Page 10:

Efficient solutions

Cryptography might be expensive for resource-constrained devices

• Compact hardware implementations

• Embedded software implementations with low RAM and ROM usage

• Negligible impact on overall performance

• Low power/energy consumption

Challenging requirements

Page 11:

End-to-end protection

TLS 1.3

• Released on Aug. 15th

• Lighter: from 300 to 5 cipher suites available

• Faster: optimized protocol with halved round-trip time during the handshake (key exchange)

• More secure: obsolete algorithms removed, most recent added (e.g. Ed25519, RSA-PSS)

Cloud

• Real time analytics

• Managed APIs

• Internet scale awareness

Things

Without end-to-end security, someone might gain access to your IoT commands, notifications and other data

Page 12:

Side Channel Attacks and Fault Countermeasures

Side Channel Attacks

• Possible to retrieve the secrets by analysing side channels

• Can be mitigated by system level countermeasures

• Making secrets not appealing

• A secret per chip

• Frequent re-keying

• Not always possible

• Requires ad-hoc countermeasures

• Which come with associated costs

Most devices are under the control of the users, so side channel attacks become feasible!

Page 13:

System Research & Applications – Shared Innovation

Security Roadmap

Italy (Agrate Brianza), France (Rousset)

Strong synergy with universities

• Student internships/thesis

• PhD sponsorship

• Research contracts

Page 14:

Security Roadmap

"Backbone" Security R&D

[Diagram: Deliveries to ST divisions. System Security (Anticipation, System Expertise, System Architectures, Proposals); Expertise Support; HW & SW Security IPs; Platform Security (Functionality & Performance, Security Robustness)]

Page 15:

Expectations

• After the training you should be able to understand the basics of:

• Side Channel & Fault Attacks

• With applications to AES

Page 16:

Agenda

• Side Channel Attacks

• Introduction

• Symmetric Key Cryptography:

• Introduction

• AES

• Side Channel Attacks on AES

• Fault Attacks

• Fault Attacks on AES

Page 17:

Side Channel Attacks

Page 18:

Attacking Crypto Algorithms

Cryptanalysis is the art and science of analyzing information systems in order to study the hidden aspects of the systems

• Mathematical analysis of cryptographic algorithms

• Side Channel Attacks

Page 19:

What is a “Side Channel”?

Based on information gained from the physical implementation of a cryptosystem

• Exploits no theoretical weakness of the algorithm

• No brute force

Page 20:

Example (figure)

Page 21:

Example 2 (figure)

Page 22:

A little bit of history [1]

The first official information related to an SCA attack dates back to 1965. P. Wright (a scientist with GCHQ at that time) reported in [2] that MI5, the British intelligence agency, was trying to break a cipher used by the Egyptian Embassy in London, but their efforts were stymied by the limits of their computational power.

Wright suggested placing a microphone near the rotor cipher machine used by the Egyptians to pick up the click sound the machine produced. By listening to the clicks of the rotors as cipher clerks reset them each morning, MI5 successfully deduced the core position of 2 or 3 of the machine's rotors.

This additional information reduced the computational effort needed to break the cipher, and MI5 could spy on the embassy's communications for years.

On the other hand, the original seminal works, as well as many subsequent pioneering ideas, on SCA attacks in the public cryptography research community are all due to Paul Kocher, and start appearing from 1996 on.

[1] YongBin Zhou, DengGuo Feng. Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing. IACR ePrint archive, 2005.

[2] P. Wright. Spy Catcher: The Candid Autobiography of a Senior Intelligence Officer. Viking Press, 1987.

Page 23:

Why “Side Channel”?

• More effective against modern cryptosystems

• In some applications the attacker does actually have physical access to the device

• Electronic passports, identity cards, driver licenses…

• IoT devices

• Point Of Sale

• Access Control/Badges

• Pay TV

Page 24:

Use Case: Pay TV

• The key that protects the content is stored within the smartcard

• The smartcard is provided to the end user

• No longer in the hands of the owner of the content

• Extracting one key from a single smartcard allows programming several new smartcards with the same key → clones

• One broken smartcard means a broken system

Page 25:

How to do a “Side Channel”?

• The attacker must have physical access to the device under attack (not always… we will see later)

• The attacker knows the algorithm under attack

• The only secret is the key

• 1st stage → Measurements

• 2nd stage → Analysis of the measurements

• Statistical analysis

• Application of cryptanalysis

Page 26:

Power Analysis

• Instantaneous power consumption of a device depends on the data it processes and on the operation it performs

Page 27:

Timing Attacks

• Cryptosystems often take slightly different amounts of time to process different inputs

• Timing attacks can be launched against a workstation running a protocol such as SSL with RSA over a local network

Page 28:

Electromagnetic Analysis

• The flow of current through a CMOS device induces electromagnetic emanations and causes electromagnetic leakage

Page 29:

Power Analysis

Page 30:

Basic Idea

• There must be some relationship between the device's power consumption and what it is doing

• Try to exploit it to get the secret key

• Introduced by P. Kocher, J. Jaffe, and B. Jun in 1999

Page 31:

Simple Power Analysis

• Observation of a single power trace during the computation of the crypto algorithm

• Try to distinguish between different operations related to the value of the secret key (patterns)

• Example: the RSA square-and-multiply algorithm scans the private exponent bit by bit

• Performs a Square if the bit is 0, otherwise performs a Square and a Multiplication

• If the attacker can distinguish the two operations, she will get the key

[Trace annotation: RSA square, RSA multiplication]

Page 32:

Limit of Simple Power Analysis

• Requires analyzing a single power trace with very high accuracy

• Usually noise is high and it is not possible to perform this kind of analysis

• Noise is due to several factors, but mainly to other activity linked to power consumption and to the measurement itself

Page 33:

Differential Power Analysis

• Requires a large amount of power traces

• Each trace corresponds to a single execution

• Each execution is done with a different input/plaintext value

• But same key

• Therefore we obtain different power traces corresponding to execution with different input/plaintext values but same key

• Plaintext and/or ciphertext should be known by the attacker

• A common assumption which is also true in most real applications

• No detailed knowledge of the cryptographic device is required

• Can work even with noisy power traces

• More power traces means less noise

Page 34:

Consumption Model

• Instantaneous power consumption in digital CMOS devices:

• P(t) = Pconst(t) + Pinstr(t) + Pdata(t) + Pnoise(t)

• Pconst(t) is unimportant for DPA

• Pinstr(t) is fixed by the particular instruction executed

• Pdata(t) is due to the currently processed data

• Pnoise(t) has to be minimized

• DPA exploits the differences in P(t) due to Pdata(t)

• The basic idea is to associate the device power consumption with the values processed

Page 35:

Hamming Weight Model

• Try to estimate Pdata(t)

• Based on the fact that a bit set to 1 consumes more than a bit set to 0

• Very simple model

• Yet still in use today

• Sometimes the Hamming Distance model is preferable

• It measures the transitions of a signal or register (from its previous value to the new one)

• Transitions are bits changing their values

Page 36:

Sensitive Variable

• A DPA attack works if a relation exists between the power consumption and a target "sensitive variable"

• A sensitive variable is a value:

• Actually computed during the execution

• Made by a combination of:

• A portion of the key (e.g. 1 bit, 1 byte)

• A value known to the attacker and that changes every execution (e.g. the input)

Page 37:

DPA: Basic Idea (1/3)

• Collect the side channel of the execution of the algorithm providing different inputs

• Input0 → Trace0, Input1 → Trace1, …, Inputn → Tracen

• Identify a sensitive variable in the algorithm

• E.g. SV = Input[0] XOR Key[0]

• Our target will be Key[0]

• For all Input0…n, and for all possible m values j = 0..m-1 of Key[0], compute HW(Inputi[0] XOR j). Create a table of guesses (one row per input, one column per key guess):

Input \ Key guess   0                     1                     …   m-1
Input0              HW(Input0[0] XOR 0)   HW(Input0[0] XOR 1)   …   HW(Input0[0] XOR (m-1))
Input1              HW(Input1[0] XOR 0)   HW(Input1[0] XOR 1)   …   HW(Input1[0] XOR (m-1))
…                   …                     …                     …   …
Inputn              HW(Inputn[0] XOR 0)   HW(Inputn[0] XOR 1)   …   HW(Inputn[0] XOR (m-1))

Page 38:

DPA: Basic Idea (2/3)

• Create a matrix with the traces (one row per trace, one column per time sample)

• For each column (time sample) compute the correlation coefficient with every column in the guess table

[Figure: trace matrix (n traces × time samples) correlated with the guess table (n inputs × key guesses) gives a correlation matrix (key guesses × time samples)]

Page 39:

DPA: Basic Idea (3/3)

• Result is a matrix of correlation traces (1 per key guess)

• In (m-1) correlation traces we correlated the side channel traces with intermediate variables which are never computed

• Because the key guess is wrong

• So it is like correlating with a random vector

• Expected correlation is close to zero

• But in 1 correlation trace we correlated the side channel traces with intermediate variables that are actually computed

• At some point in time, when our sensitive variable is computed, we expect a peak towards 1

[Figure: correlation traces, one per key guess, against time samples]

Page 40:

Workbench for Power Analysis

Page 41:

SPEAr board

• New resistance R in series with the SoC power supply

• GPIO used for trigger

Page 42:

Oscilloscope

• Agilent Infiniium

• Features: max 40 GSa/s, max 2M samples, 4 channels

• Differential probe: voltage difference measurement on a resistor

• Simple probe: trigger detection

Page 43:

Workbench

PC Linux

• Commands the board

• Cross-compiles for ARM

Oscilloscope

• Waits for trigger

• Averages out the trace

• Saves the trace

SPEAr board

• Runs crypto algorithm

• Generates trigger

Page 44:

Single Power Trace (figure)

Page 45:

Mean of 1000 Power Traces (figure)

Page 46:

Workbench for EM Analysis

• Digital scope: LeCroy WavePro, 40 GS/s, 6 GHz bandwidth

• XY stage (resolution up to 0.1 µm)

• Wideband amplifier (Miteq + Femto)

• EM probes (Langer + handmade)

Page 47:

Timing Attacks

Page 48:

What is a Timing Attack

• A side channel attack in which the attacker attempts to compromise

a cryptosystem by analyzing the time taken to execute cryptographic

algorithms

• In some cases, exploitable from remote locations

• Effective if computational timings depends on secret

• Need to have encryption timings with high accuracy

• Noise and sensitivity must be lower than the timing difference we want to measure

48

Page 49: Side-Channel & Fault Attackssecurity.di.unimi.it/sicurezza1819/slides/20181206... · Spy Catcher: The Candid Autobiography of a Senior Intelligence Officer. Viking Press, 1987. 22

Vulnerability comes from…

• Sometimes it is a matter of algorithm

• Often, algorithms leak information through timing differences because computational steps depend on data values

• Choose a constant-time algorithm to avoid these attacks

• E.g. Modular exponentiation (we will see it later) can be done with the Square&Multiply algorithm (variable-time) or with Square&Multiply Always (constant-time)

• Otherwise, it can be a matter of implementation

• Cache-Timing Attacks take advantage of data-dependent timing variations during accesses to the cache (greater computation time for a cache miss)

• They exploit implementations in which secret data is used as an array index (e.g. the AES S-box)

• Almost every implementation can be made constant-time in order to avoid these attacks
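The square-and-multiply leakage used for SPA on page 31 and the Square&Multiply Always fix mentioned on page 49, as an added example that is not part of the original slides. The "trace" is simulated: it is the sequence of Square/Multiply operations the device performs, which is what an attacker reads off a real power trace by pattern matching. The exponent, modulus and function names are constructed for illustration.

```python
"""Added example (not from the slides): simulated SPA on RSA-style
square-and-multiply, and why square-and-multiply-always hides the key.
Assumption: the recorded 'trace' is the sequence of operations the device
performs, which an attacker reads off a power trace by pattern matching."""


def square_and_multiply(base, exp, mod, nbits, trace):
    """Left-to-right binary exponentiation (page 31): a Square for every
    exponent bit, plus a Multiply only when the bit is 1."""
    r = 1
    for bit in format(exp, "0%db" % nbits):        # MSB first, fixed width
        r = (r * r) % mod
        trace.append("S")
        if bit == "1":
            r = (r * base) % mod
            trace.append("M")
    return r


def square_and_multiply_always(base, exp, mod, nbits, trace):
    """Square-and-multiply-always (page 49): every iteration performs both a
    Square and a Multiply; the Multiply result is discarded when the bit is 0,
    so the operation sequence no longer depends on the key. A production
    implementation would also make the selection below branchless."""
    r = 1
    for bit in format(exp, "0%db" % nbits):
        r = (r * r) % mod
        trace.append("S")
        t = (r * base) % mod                        # dummy multiply when bit is 0
        trace.append("M")
        r = t if bit == "1" else r
    return r


def spa_recover_exponent(trace):
    """Attacker side: a Square followed by a Multiply means a 1 bit; a Square
    followed by another Square (or by the end of the trace) means a 0 bit."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("each iteration must start with a Square")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def demo(exp=0b1011001, nbits=7, base=4, mod=1000003):
    """Run both implementations on the same (constructed) secret exponent and
    return (leaky trace, recovered exponent, constant trace, recovered)."""
    leaky, always = [], []
    assert square_and_multiply(base, exp, mod, nbits, leaky) == pow(base, exp, mod)
    assert square_and_multiply_always(base, exp, mod, nbits, always) == pow(base, exp, mod)
    return ("".join(leaky), spa_recover_exponent(leaky),
            "".join(always), spa_recover_exponent(always))


if __name__ == "__main__":
    leaky, rec, const, rec2 = demo()
    print("square-and-multiply trace       :", leaky, "-> recovered", bin(rec))
    print("square-and-multiply-always trace:", const, "-> recovered", bin(rec2), "(always all ones: no information)")
```

The constant-time variant still leaks the exponent length through the number of iterations, which is why a fixed bit width is used for both functions; the dummy multiply also makes the implementation a target for safe-error fault attacks, which is the kind of trade-off the countermeasures discussion later in the deck is about.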

Page 50:

Timing attack chart example (figure)

Page 51:

Agenda

• Side Channel Attacks

• Introduction

• Symmetric Key Cryptography:

• Introduction

• AES

• Side Channel Attacks on AES

• Fault Attacks

• Fault Attacks on AES

Page 52:

Symmetric Key Algorithms

Page 53:

Data Encryption

• Scrambling of data with an algorithm and a secret key

• Decryption requires having the same secret key

• The encryption algorithm is not required to be secret

• In fact, Kerckhoffs’s principle states that:

• Security must fully rely only on the secrecy of the key

• Violating this principle is called: security by obscurity

• Knowledge of plaintext/ciphertext pairs should be useless for the attacker

• Some information leaks independently of encryption:

• Number of messages exchanged

• Length of messages

Page 54:

Symmetric Key Cryptography

[Figure: Encryption → Decryption with the same key]

Encryption key is also used for decryption

It must be kept secret!

Page 55:

AES

Page 56:

AES Standardization

• The Advanced Encryption Standard (AES) is the result of a competition for a symmetric algorithm, requested by NIST to replace DES

• After a 4 year competition run by NIST, among 15 candidates, the algorithm named Rijndael, designed by the two Belgian cryptographers Vincent Rijmen and Joan Daemen, was selected

Page 57:

AES Overview

• Substitution-permutation network block cipher

• Iterates a "round" several times

• A round is made by a series of round operations

• Decryption is done by applying, in reverse order, the inverted round operations

• 128 bit of state (viewed as a 4 x 4 byte matrix)

• Key sizes of 128, 192, 256 bit

• With respectively 10, 12, 14 rounds

• Each round uses a different round key generated by a key schedule procedure

• Round keys are always 128 bit

Page 58:

AES Block Cipher

[Figure: 128-bit plaintext block → AES → 128-bit ciphertext block, with a key of 128 or 192 or 256 bits]

Page 59:

AES Input Mapping

• Input is a block of 128 bits which gets mapped into a 4x4 byte matrix, column by column (byte i goes to row i mod 4, column i div 4):

  00 04 08 12
  01 05 09 13
  02 06 10 14
  03 07 11 15

Plaintext = 0x00010203040506070809101112131415 (byte positions are written in decimal: 00, 01, …, 15)

Page 60:

AES Algorithm

[Figure: PLAINTEXT → AddRoundKey → Round (SubBytes, ShiftRows, MixColumns, AddRoundKey), repeated → Last Round (SubBytes, ShiftRows, AddRoundKey) → CIPHERTEXT; KEY → Key Schedule]

Key Schedule is a separate part of the AES algorithm which, given a key (128, 192, 256 bit), generates 128-bit round keys: one per round (10, 12, 14) plus one for the initial AddRoundKey. Each round key is used in a different round

AES SubBytes

• Byte by byte substitution (a permutation of the 256 byte values)

• Highly non-linear

• Most often implemented as a look-up table

• Invertible, by using another look-up table

Page 62:

AES ShiftRows

• Simply rotate the rows (row r is rotated left by r bytes)

• The inverse operation rotates the rows in the opposite direction

• Provides diffusion by mixing contributions of different columns

Page 63:

AES MixColumns

• Every output byte depends on all 4 input bytes of its column

• Provides diffusion

• Linear and invertible transformation

Page 64:

AES AddRoundKey

AddRoundKey is a XOR between the 128 bit state and the 128 bit round key
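The state layout of page 59 and the three linear round operations of pages 62, 63 and 64, as an added example written from the FIPS-197 definitions; it is not code from the slides. SubBytes is left out because it is just an S-box lookup; the MixColumns check values are the FIPS-197 test columns, the all-zero key and the function names are constructed for illustration.

```python
"""Added example (not from the slides): the AES state layout and the linear
round operations ShiftRows, MixColumns and AddRoundKey (pages 59, 62, 63, 64),
written from the FIPS-197 definitions. SubBytes is omitted because it is just
an S-box lookup. The key used in the diffusion demo is a constructed all-zero key."""


def to_state(block):
    """Page 59: the 16 input bytes fill the 4x4 state column by column,
    so state[row][col] = block[4 * col + row]."""
    return [[block[4 * c + r] for c in range(4)] for r in range(4)]


def from_state(state):
    """Inverse of to_state: read the state back column by column."""
    return bytes(state[r][c] for c in range(4) for r in range(4))


def xtime(b):
    """Multiply by x (i.e. by 0x02) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) if b & 0x100 else b


def shift_rows(state):
    """Page 62: row r is rotated left by r bytes (row 0 is unchanged)."""
    return [row[r:] + row[:r] for r, row in enumerate(state)]


def mix_column(col):
    """Page 63: each output byte is a GF(2^8) combination of all four input
    bytes, using the circulant matrix with first row (02, 03, 01, 01)."""
    a0, a1, a2, a3 = col
    d0, d1, d2, d3 = (xtime(v) for v in col)          # 2 * a_i
    return [
        d0 ^ (d1 ^ a1) ^ a2 ^ a3,                     # 2a0 + 3a1 + a2 + a3
        a0 ^ d1 ^ (d2 ^ a2) ^ a3,                     # a0 + 2a1 + 3a2 + a3
        a0 ^ a1 ^ d2 ^ (d3 ^ a3),                     # a0 + a1 + 2a2 + 3a3
        (d0 ^ a0) ^ a1 ^ a2 ^ d3,                     # 3a0 + a1 + a2 + 2a3
    ]


def mix_columns(state):
    """Apply mix_column to each of the four state columns."""
    mixed = [mix_column([state[r][c] for r in range(4)]) for c in range(4)]
    return [[mixed[c][r] for c in range(4)] for r in range(4)]


def add_round_key(state, round_key):
    """Page 64: XOR the 128-bit state with the 128-bit round key (same layout)."""
    rk = to_state(round_key)
    return [[state[r][c] ^ rk[r][c] for c in range(4)] for r in range(4)]


def linear_round(block, round_key):
    """ShiftRows -> MixColumns -> AddRoundKey on a 16-byte block."""
    return from_state(add_round_key(mix_columns(shift_rows(to_state(block))), round_key))


def bytes_changed_after(rounds, flip_index):
    """Diffusion check: flip one input byte and count how many of the 16
    output bytes differ after the given number of linear rounds."""
    key = bytes(16)                                   # constructed all-zero key
    a = bytes(16)
    b = bytearray(16)
    b[flip_index] = 0x01
    b = bytes(b)
    for _ in range(rounds):
        a, b = linear_round(a, key), linear_round(b, key)
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    print("state of bytes 0..15:", to_state(bytes(range(16))))
    print("after ShiftRows     :", from_state(shift_rows(to_state(bytes(range(16))))).hex())
    print("MixColumns(db 13 53 45) =", [hex(v) for v in mix_column([0xDB, 0x13, 0x53, 0x45])])
    print("bytes changed after 1 and 2 rounds:", bytes_changed_after(1, 0), bytes_changed_after(2, 0))
```

A single flipped input byte reaches the 4 bytes of one column after one round and all 16 bytes after two, which is the diffusion that ShiftRows and MixColumns together provide; it is also why the DPA later in the deck targets the first S-box layer, where a key byte still only interacts with one plaintext byte.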

Page 65:

Implementations

• SW

• Key Schedule computed in advance and all round keys stored in RAM

• Trade-off between size and speed (forward + inverse tables):

• Only SubBytes LUT, no LUT for MixColumns (256B + 256B)

• LUT SubBytes + MixColumns (1024B + 1024B)

• LUT SubBytes + ShiftRows + MixColumns (4096B + 4096B)

• And dedicated CPU instructions

• Intel’s AES-NI

• ARM Neon Crypto Extension (ARMv8-A)

• HW

• Key Schedule computed on the fly in parallel to the AES round

• AES round can have an 8, 32 or 128 bit datapath

• Requiring 1, 4 or 16 SubBytes instances respectively

• Sbox can be a LUT or combinatorial (with different options)

Page 66:

Power Analysis on AES

Page 67:

DPA on AES (1/3)

• We need to identify our sensitive variable

• We need a value based on a part of the key and something we know

• What do we know?

• Only plaintexts and/or ciphertexts

• We can focus on the first round Sbox

• Which is Sbox(Plaintext XOR Key)

• Sbox(P[0] XOR Key[0]) depends on the plaintext and a single byte of the key

• We only need 2^8 = 256 hypotheses

[Figure: PLAINTEXT and KEY → AddRoundKey → SubBytes]

Page 68:

DPA on AES (1/3), continued

• Collect the side channel of the execution of the algorithm providing different plaintexts P

• P0 → Trace0, P1 → Trace1, …, Pn → Tracen

• Identify a sensitive variable in the algorithm: P[0] XOR Key[0] (or its Sbox output, as on the previous slide)

• For all P0…n, and for all possible m = 256 values j = 0..255 of Key[0], compute HW(Pi[0] XOR j). Create a table of guesses (one row per plaintext, one column per key guess):

Input \ Key guess   0                 1                 …   255
P0                  HW(P0[0] XOR 0)   HW(P0[0] XOR 1)   …   HW(P0[0] XOR 255)
P1                  HW(P1[0] XOR 0)   HW(P1[0] XOR 1)   …   HW(P1[0] XOR 255)
…                   …                 …                 …   …
Pn                  HW(Pn[0] XOR 0)   HW(Pn[0] XOR 1)   …   HW(Pn[0] XOR 255)

Page 69:

DPA: Basic Idea (2/3)

• Create a matrix with the traces

• For each column (time sample) compute the correlation coefficient

with every column in the guess table

69

Time/Samples per trace

n

Time/Samples per trace

Ke

y G

ue

ss

Corr

DPA: Basic Idea (3/3)

• Result is a matrix of correlation traces (1 per key guess)

• In (m-1) correlation traces we correlated side-channel traces with intermediate variables which are never computed

  • Because the key is wrong

  • So it's like correlating with a random vector

  • Expected correlation is close to zero

• But in 1 correlation trace we correlated side-channel traces with intermediate variables that are actually computed

  • At some point in time, when our sensitive variable is computed, we expect a peak towards 1

70

[Figure: correlation matrix, key guesses × time samples, with a peak in the row of the correct key guess]

First Round Attack (1/2)

71

First Round Attack (2/2)

72

Countermeasures

• Dual Rail Logic

  • Introduces a different implementation of logic gates

  • Goal is to have a power consumption independent of the data

  • Drawbacks: complex, ad-hoc EDA tools, size, glitches

• Execution Time Randomization

  • Introduces random delays in the computation

  • Goal is to break the trace synchronization required by DPA

  • Drawbacks: random generation, slow, can be resynchronized

• Data Randomization (Masking)

  • The input (plaintext) is randomly masked at each execution

  • Goal is to have the SV (sensitive variable) depend on an unknown random value

  • Drawbacks: random generation, slow, second-order attacks

73


Agenda

• Side Channel Attacks

• Introduction

• Symmetric Key Cryptography:

• Introduction

• AES

• Side Channel Attacks on AES

• Fault Attacks

• Fault Attacks on AES

74


Fault Attacks

Accidental Faults

• Electronic devices are subject to (usually) rare faults

• Caused by the environment

  • Unexpected temperature, ionizing particles, power grid glitches, electrostatic discharges…

76

[Figure: timeline from the 1950s to the 2020s]

• Ground nuclear testing: anomalies in electronic monitoring equipment

• Aerospace industry: problems in space electronics

• Super computers: errors appear in large memories

• Critical systems: problems in cars, health, voting devices

• Smaller systems: half of embedded designs safety relevant

• Random bit flips in memory; random errors in logic as transistor size decreases

From Accidental to Intentional Faults

• Attacker idea: provoke & control a fault to perturb the device at the right time

  • And exploit the fault to break security!

  • Bypass secure boot, secure firmware upgrade checks

  • Change device state, get cryptographic algorithm keys, …

• Usually HW is trusted, SW does not expect it to fail

  • Can bypass SW protections this way

  • Often the only way to attack bug-free SW

• Brief History

  • Late 1990s: unlock pay TV smart cards

  • 2000s: bypass game protection on consoles

  • Late 2000s: protection mandatory for set-top boxes

  • Late 2010s: more and more public attacks on IoT devices

  • Labs trained on smart cards looking for new targets

77

[Figure: PIN check flow chart: Is PIN OK? yes → Continue; no → Increment Counter → Error. A fault can skip the check or produce a bad result]

Faults Exploitation

78

Source: https://wp-systeme.lip6.fr/jaif/wp-content/uploads/sites/8/2018/05/KH-29-05-2018-JAIF.pdf

• Fault Model

  • Registers, Logic, Flash, RAM…

  • Single bit, few bits, word…

  • Stuck at 0 or 1, flip, random

  • Precise/loose/random control on location & timing

  • Transient, permanent, destructive

  • Multiple faults

  • Instruction skip, force jump…

• Target

  • Stored Data

  • Computations

  • Crypto

  • Program Flow

How to Inject Faults?

• Non-invasive methods

  • No physical damage to the chip

  • Modify working conditions

  • Moderate knowledge/equipment

• Semi-invasive methods

  • Chip de-capsulation

  • Milling, etching, cleaning

  • Affordable equipment

  • Often requires building custom boards

• Invasive methods

  • Establish electrical contact to the chip

  • Modification, destruction, …

  • Expensive equipment, e.g. semiconductor diagnostics

79

source: https://www.cosic.esat.kuleuven.be/summer_school_sardinia_2015/slides/Balasch.pdf

[Figure: injection methods: Temperature, Voltage Undersupply, Clock glitch, Voltage glitch, Electromagnetic Pulses, Laser, (FIB)]

Temperature & Particles

• Temperature

  • Heating causes combinatorial logic to slow down

  • Data not yet ready when sampled

  • May be used to increase sensitivity to other injection methods

• Particles "toy" example

  • Smoke detector used to perturb Smart Cards

  • Getting harder for particles to go through the package

• Neither is precise at all, and neither is used in practice

80

Voltage Undersupply

• Low voltage causes combinatorial logic to slow down

  • Data not yet ready when sampled!

• Not very precise in time & space (location)

• Can be used to get out of infinite loops for instance

• Used to unlock Pay TV Smart Cards in 1990s

81

source: https://www.cosic.esat.kuleuven.be/summer_school_sardinia_2015/slides/Balasch.pdf

Clock Glitch

• Requires a simple signal generator

• Attack the precise clock cycle of the targeted instruction

  • As if the instruction had less time to complete

  • Data not ready when latched

• Affects everything synchronized by this clock

• But only works if the CPU runs from an external clock

82

[Figure: clock waveform over instructions N-2 … N+2, with a shortened CLOCK cycle at instruction N]

Voltage Glitch

• Affects everything powered by the perturbed VCC pin

• Attack the target instruction when it is executed

  • Combinatorial logic slowed down by low voltage

  • Data not yet ready when sampled

• Must explore to find the right glitch parameters

  • Width, depth, time

  • Board and chip capacitors may filter or degrade the glitch

• Can be deployed through mod-chips soldered on the board

• Usually the most dangerous non-invasive fault injection method

83

[Figure: VCC waveform over instructions N-2 … N+2, with a voltage dip at instruction N]

Effects

• Wrong data is sampled

  • Fault slows down combinatorial logic

  • Or provokes an early latch

  • => Result sampled before it's ready

  • Critical path violation

• Global impact (whole chip)

• Time may be finely adjusted

  • Perturb logic when it's used

84

Electromagnetic Pulses

• Shoot a location on the chip (not very precise)

  • Internal clock & power line

  • Random Number Generator

  • Specific security IP

  • Processor, memory, bus…

• Probably broader fault model

  • Not fully understood yet

• Many configurable parameters

  • Probe (coil area, core magnetic permeability)

  • Position (X,Y,Z)

  • Pulse amplitude and width

85

Our Bench: Electromagnetic Fault Injection

• Pulse generator

  • 6 ns-100 ns duration

  • 400 V (single polarity)

• XYZ stages

• EM probe (analysis)

• STM32F103 Discovery board

86

• DSO

  • 2.5 GHz

  • 40 MS

• WB amplifier

  • 1 GHz

Laser (1/2)

• Shoot a very precise location on the chip

  • Down to 1 µm

• Many configurable parameters

  • Position (X,Y)

  • Wavelength, spot size

  • Energy / peak power

  • Pulse vs continuous

  • …

• Search space grows exponentially

  • Requires knowing where to shoot

  • Or exhaustive tries over the whole chip surface

87

Laser (2/2)

• Very localized effect

• Very broad range of possible effects

  • Bit(s) flips/stuck in RAM, registers, logic, flash …

  • => Harder to protect against

• But usually the attack is expensive

  • De-capsulating chips, including thinning

  • Complex synchronization HW

  • Very often requires attacking from the backside

  • Custom HW & boards

  • A few months to set up HW, SW

• Target critical assets

  • Retrieve global secrets (global keys, sensitive FW IP…)

  • "Break one, break all"

• First used to break smart cards, then set-top boxes; micros are next?

88

Our Bench: Laser Fault Injection

• Quicklaze-50 STII (ESI)

  • Nd-YAG laser crystal

  • 3 wavelengths: UV3 (355 nm), Green (532 nm), IR (1064 nm)

  • Fixed pulse duration: 5 ns

• Mitutoyo lens:

  • IR: x50; Green: x20; UV: x50

  • Min spot size: 1 µm x 1 µm

• XY stage: min step = 0.1 µm

89

Few Exploitation Examples

• Retrieving cryptographic keys

  • Electromagnetic pulse on AES round number [Dehbaoui et al., COSADE 2013]

  • Usually attacks on crypto require access to only a few faulted results

• Bypassing secure boot

  • Laser shot on Android phone TrustZone NS bit [Alphanov, FDTC 2017]

• Taking over a device

  • Voltage glitch to control the Program Counter on STM32 [Riscure, FDTC 2016]

• Privilege escalation

  • Voltage glitch to get root on Linux [Riscure, FDTC 2017]

• Voltage glitch "ChipWhisperer" practice platform for students

  • Based on STM32, can also be used to attack STM32s with the provided boards

90


Fault Attack against AES

Differential Fault Analysis

• The device under attack executes a cryptographic operation

  • It involves a secret key (target of the attack)

• The comparison between correct data and faulted data may allow the attacker to derive information about the secret key

• The attacker needs the output of:

  • A normal operation involving an input and the secret key

  • A faulted operation with the same input and the same secret key

92

Giraud's Attack

• Goal: recover the last round key

  • Use the last round key to recover the cipher key of AES-128

• Fault model: random single-bit corruption at the beginning of the last round

  • Before SubBytes

93

Giraud's Attack

[Figure, slide 94: last-round state grids (byte indices 0..15): A → SubBytes (SB) → B → ShiftRows (SR) → C → AddRoundKey (ARK) with K_Nr → D]

94

[Figure, slide 95: same diagram, with a single-bit fault ε injected into one byte of A, before SubBytes]

95

[Figure, slide 96: the fault ε in A becomes an unknown byte difference ε′ in B after SubBytes]

96

[Figure, slide 97: ShiftRows carries the difference ε′ into C]

97

[Figure, slide 98: AddRoundKey with K_Nr leaves the difference ε′ unchanged in D, the ciphertext]

98

[Figure, slide 99: full propagation ε → ε′ shown across all four states]

99

Giraud's Attack

• Pre-compute the table:

    For each val = (0x00 : 0xFF) of the byte
        For each fault ε = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80)
            Compute Δ = SubBytes(val) ⊕ SubBytes(val ⊕ ε)

• For each fault, looking up the val entries where ε′ = Δ gives 8 entries on average

• 3 faults on one byte are enough to identify the correct val of the state

• Key = ciphertext ⊕ SubBytes(val)

• The sequence must be repeated for each byte

100
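A simulated walk-through of both procedures, added here and not part of the slides or of ST's code: the first-round CPA of slides 67-70 (guess table of HW(Sbox(P[0] XOR j)) correlated against every time sample of constructed noisy traces) and Giraud's single-bit DFA of slide 100 (the pre-computed Δ table, intersection of candidate state bytes over faulty ciphertexts, then Key = ciphertext ⊕ SubBytes(val)). Assumptions: a Hamming-weight leakage of the S-box output at one sample of each constructed trace, the state byte val and the key byte are constructed test values, and the fault bit ε is unknown to the analyst, so the table is keyed on Δ alone.

```python
import random

def _gf_mul(a, b):  # multiply in GF(2^8) with the AES polynomial 0x11B
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def _sub(x):  # one SubBytes entry: GF(2^8) inverse (0 -> 0), then the affine map
    inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1) if x else 0
    s = inv ^ 0x63
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s

SBOX = [_sub(x) for x in range(256)]
HW = [bin(v).count("1") for v in range(256)]  # Hamming-weight lookup

def simulate_traces(key_byte, n, n_samples=20, leak_at=7, noise=1.0, seed=1):
    """Constructed traces: Gaussian noise plus HW(Sbox(P[0]^Key[0])) at one sample."""
    rng = random.Random(seed)
    pts, traces = [rng.randrange(256) for _ in range(n)], []
    for p in pts:
        t = [rng.gauss(0.0, noise) for _ in range(n_samples)]
        t[leak_at] += HW[SBOX[p ^ key_byte]]
        traces.append(t)
    return pts, traces

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx, vy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5  # 0 if a column is constant

def cpa_first_round(pts, traces):
    """Slides 68-70: correlate each guess column HW(Sbox(P[0]^j)) with each time column."""
    cols = [[tr[t] for tr in traces] for t in range(len(traces[0]))]
    best = (0.0, None, None)
    for j in range(256):
        hyp = [HW[SBOX[p ^ j]] for p in pts]
        for t, col in enumerate(cols):
            c = abs(pearson(hyp, col))
            if c > best[0]:
                best = (c, j, t)
    return best[1], best[2], best[0]  # key guess, sample index, |correlation|

# Slide 100 table with eps folded in, since the analyst does not know which bit
# flipped: Delta -> every val with SubBytes(val) ^ SubBytes(val ^ eps) == Delta
DFA_TABLE = {}
for val in range(256):
    for eps in (1 << i for i in range(8)):
        DFA_TABLE.setdefault(SBOX[val] ^ SBOX[val ^ eps], set()).add(val)

def giraud_key_byte(correct_ct, faulty_cts):
    """Intersect candidate state bytes over the faulty outputs; None while ambiguous."""
    cands = set(range(256))
    for delta in {correct_ct ^ f for f in faulty_cts} - {0}:  # delta 0: nothing was faulted
        cands &= DFA_TABLE.get(delta, set())
    return correct_ct ^ SBOX[cands.pop()] if len(cands) == 1 else None  # Key = C ^ SubBytes(val)
```

Running the same CPA against traces from a masked or time-randomized implementation (slide 73) is how the effect of those countermeasures is measured: the correct-guess peak should no longer stand out from the (m-1) wrong-guess rows.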


Other Faults: on the Control Flow

• Skip some operations

• Reduce the number of rounds

• Apply cryptanalysis techniques to a reduced version of the algorithm

101


Countermeasures

Physical Level

• Shielding: prevent physical access to the device

  • Including electromagnetic fields and radiation

• Sensors: detect environmental conditions (temperature, voltage) out of range

• Filters: stabilized power supply, stabilized clock

• De-synchronization: random delays in order to lower the temporal precision of the fault

103

Algorithmic Level

• Redundancy: the operation is executed twice and the results are compared

  • Sequence of Encryption + Decryption, checking that the final result is equal to the input

• Error Detection/Correction Codes

104

Protocol Level

• Message randomization: the input is XORed with a random value

  • The attacker has no control over the input

• Fresh re-keying: a new fresh key is used for each operation

105

The END

106

Contacts:


Thanks for the attention!

Questions?
