Copyright 2007 Koren & Krishna, Morgan-Kaufman Part.21.1
FAULT TOLERANT SYSTEMS
http://www.ecs.umass.edu/ece/koren/FaultTolerantSystems
Part 21 – Cryptography
Chapter 9 – Fault Detection in Cryptographic Systems
Need for Fault Detection
♦Hardware implementations of ciphers are very sensitive to faults – a single fault results in a totally scrambled output
♦More importantly, by injecting faults and observing the outputs the secret key can be extracted
∗ Example of side-channel information – obtained from the specific hardware/software implementation rather than from cryptanalysis of the cipher
∗ Other examples of side-channel information:
» power
» timing
Types of Ciphers
♦A cipher encrypts a plaintext using a secret key and generates a ciphertext
♦The keys for encryption and decryption can be
∗ Identical – symmetric key ciphers
∗ Different – asymmetric key (or public key) ciphers
♦Symmetric key ciphers – simpler algorithm but shared key may be discovered
∗ Key must be changed periodically – new keys generated using a pseudo-random generator
∗ New keys must be distributed securely using a more secure cipher
♦Public key ciphers – more complex algorithm and harder to break
Symmetric key ciphers
♦DES (Data Encryption Standard)
∗ 64-bit plaintext and 56-bit key
♦AES (Advanced Encryption Standard)
∗ 128-bit plaintext and 128- to 256-bit key
♦Higher security provided by
∗ Longer key
∗ Longer plaintext
♦Encryption process must be reversible to allow decryption
♦Encryption attempts to scramble the plaintext as much as possible
Data Encryption Standard (DES)
♦Encryption has 16 identical rounds, each uses a different 48-bit round-key K
♦Round – Feistel function:
∗ Divide plaintext to 2 halves B1 and B2
∗ B1 unchanged, B2 added (mod-2) to F(B1,K)
∗ F – one-way hash function that takes a long input and produces a fixed-length output and is hard to reverse
∗ B1 and B2 are swapped
$B_1' = B_2 \oplus F(B_1, K), \qquad B_2' = B_1$
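The round structure above, as an added example (not DES itself and not code from the book): a toy Feistel network in the slide's B1/B2 notation, with a stand-in round function f_round and a stand-in key schedule (both assumptions, chosen only so the code runs). It shows the point the "reversible" slide makes: decryption is the same rounds with the subkeys in reverse order, so the cipher is invertible even though F itself is never inverted.

```python
# Toy Feistel network in the slide's notation (added example, not DES and not
# the book's code). f_round and key_schedule are stand-ins (assumptions).

MASK32 = 0xFFFFFFFF

def f_round(b1: int, k: int) -> int:
    """Stand-in for the DES f-function: mixes one 32-bit half with a subkey.
    It does not need to be invertible for the cipher to be invertible."""
    x = (b1 ^ k) & MASK32
    x = ((x << 5) | (x >> 27)) & MASK32       # rotate left by 5
    x = (x * 0x9E3779B1) & MASK32             # multiply by an odd constant
    return (x ^ (x >> 13)) & MASK32

def key_schedule(master: int, rounds: int = 16) -> list:
    """Toy schedule (assumption): 56-bit key rotated 2 bits per round and a
    32-bit subkey derived from it. DES's PC-1/PC-2 selection is not modelled."""
    k = master & ((1 << 56) - 1)
    subkeys = []
    for _ in range(rounds):
        k = ((k << 2) | (k >> 54)) & ((1 << 56) - 1)
        subkeys.append((k ^ (k >> 24)) & MASK32)
    return subkeys

def feistel_rounds(block: int, subkeys: list) -> int:
    """Apply the round B1' = B2 xor F(B1, K), B2' = B1 once per subkey."""
    b1, b2 = (block >> 32) & MASK32, block & MASK32
    for k in subkeys:
        b1, b2 = b2 ^ f_round(b1, k), b1
    return (b1 << 32) | b2

def swap_halves(block: int) -> int:
    return ((block & MASK32) << 32) | ((block >> 32) & MASK32)

def encrypt(block: int, master: int) -> int:
    return feistel_rounds(block, key_schedule(master))

def decrypt(block: int, master: int) -> int:
    # Every round ends with a swap, so undoing the rounds is: swap, run the
    # same rounds with the subkeys reversed, swap again. F is only recomputed.
    return swap_halves(feistel_rounds(swap_halves(block), key_schedule(master)[::-1]))

def hamming(a: int, b: int) -> int:
    """Number of differing bits, to look at how an input error spreads."""
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    # Constructed sample values (not from the slides).
    plaintext = 0x0123456789ABCDEF
    key = 0x133457799BBCDFF1
    c = encrypt(plaintext, key)
    print(f"ciphertext  {c:016x}")
    print(f"decrypted   {decrypt(c, key):016x}")
    print("bits changed by a 1-bit plaintext error:",
          hamming(c, encrypt(plaintext ^ 1, key)))
```

With a toy F the spread of a single input error is not guaranteed to be as complete as in DES; the Feistel structure only guarantees the reversibility, which is what the test below checks.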
Key Schedule for DES
♦Original 64-bit key has 8 parity bits
∗ "Permuted Choice 1" selects 56 bits
∗ Split into two 28-bit halves, each rotated to the left (<<<) by 1 or 2 bits
∗ "Permuted Choice 2" selects 24 bits from each half to generate the 48-bit round key
Feistel Function in DES
♦(1) Expansion: 32 to 48 bits – permutation that duplicates some bits
♦(2) Add Key – add mod-2 the 48-bit round key
♦(3) Substitution – 8 groups of 6 bits into Sboxes (lookup table), each generating 4 bits using a non-linear transformation
♦(4) Permutation
Triple DES
♦A specially designed circuit succeeded in breaking DES in less than 24 hours
♦The security can be increased by using Triple DES – applying DES 3 times
∗ Version 1 – use 3 different keys for total of 168 bits
∗ Version 2 – use 112-bit key
♦Has been replaced by AES in 2002
♦Still, often used in the Triple DES form
Advanced Encryption Standard (AES)
♦128-bit plaintext represented as 4×4 matrix of bytes $S_{i,j}$ $(i, j = 0, 1, 2, 3)$
♦Four steps each round
∗ 9, 11, 13 inner rounds ⇔ 128-, 192-, 256-bit key
[Figure: AES encryption flow – Plain Text → Initial Round (XorRoundKey) → Inner Round (SubBytes, ShiftRows, MixColumns, XorRoundKey), repeated 9, 11 or 13 times depending on key size, with round keys supplied by the Key Scheduler (or round key table) → Final Round (SubBytes, ShiftRows, XorRoundKey) → Encrypted Text]
Four steps in a Round
♦SubBytes: 8-bit lookup table – SBox
♦ShiftRows: shifting rows by 0,1,2,3 bytes –
$S = \begin{pmatrix} s_{0,0} & s_{0,1} & s_{0,2} & s_{0,3} \\ s_{1,1} & s_{1,2} & s_{1,3} & s_{1,0} \\ s_{2,2} & s_{2,3} & s_{2,0} & s_{2,1} \\ s_{3,3} & s_{3,0} & s_{3,1} & s_{3,2} \end{pmatrix}$
♦MixColumns: $\alpha = x = 02_{16}$; $\beta = x + 1 = 03_{16}$,
$s'_{0,j} = (\alpha \otimes s_{0,j}) \oplus (\beta \otimes s_{1,j}) \oplus s_{2,j} \oplus s_{3,j}$
$s'_{1,j} = s_{0,j} \oplus (\alpha \otimes s_{1,j}) \oplus (\beta \otimes s_{2,j}) \oplus s_{3,j}$
$s'_{2,j} = s_{0,j} \oplus s_{1,j} \oplus (\alpha \otimes s_{2,j}) \oplus (\beta \otimes s_{3,j})$
$s'_{3,j} = (\beta \otimes s_{0,j}) \oplus s_{1,j} \oplus s_{2,j} \oplus (\alpha \otimes s_{3,j})$
⊗ and ⊕ are mod-2 multiply and add modulo the AES generator polynomial $g(x) = x^8 + x^4 + x^3 + x + 1$
♦AddRoundKey: Adding round subkey mod-2
♦In the last round MixColumns omitted
♦Prior to 1st round – 1st subkey is added
AES Key Schedule
♦ Nr=10,12,14 rounds
♦ Nk=4,6,8 words in plaintext
♦ $Rcon[j] = [x^{j-1}, 00, 00, 00]$
Example
♦ MixColumns:
Plaintext = 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
128-bit key = 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
State column entering MixColumns (after SubBytes and ShiftRows of round 1): $s_{0,0} = d4,\ s_{1,0} = bf,\ s_{2,0} = 5d,\ s_{3,0} = 30$
$s'_{0,0} = (\alpha \otimes s_{0,0}) \oplus (\beta \otimes s_{1,0}) \oplus s_{2,0} \oplus s_{3,0} = (02 \otimes d4) \oplus (03 \otimes bf) \oplus 5d \oplus 30 = b3 \oplus da \oplus 5d \oplus 30 = 04$
$s'_{1,0} = s_{0,0} \oplus (\alpha \otimes s_{1,0}) \oplus (\beta \otimes s_{2,0}) \oplus s_{3,0} = d4 \oplus (02 \otimes bf) \oplus (03 \otimes 5d) \oplus 30 = d4 \oplus 65 \oplus e7 \oplus 30 = 66$
where $02 \otimes bf = 17e \bmod g(x) = 7e \oplus 1b = 65$, using $x^8 = x^4 + x^3 + x + 1$ for the reduction
Effect of Errors
♦ Plaintext: 32 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
♦ 128-bit key: 2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
♦ Ciphertext: 39 25 84 1d 02 dc 09 fb dc 11 85 97 19 6a 0b 32
♦ A single error in the plaintext: 30 43 f6 a8 88 5a 30 8d 31 31 98 a2 e0 37 07 34
♦ Results in the ciphertext: c0 06 27 d1 8b d9 e1 19 d5 17 6d bc ba 73 37 c1
♦ A single error in the key: 2a 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c
♦ Results in the ciphertext: c4 61 97 9e e4 4d e9 7a ba 52 34 8b 39 9d 7f 84
♦ A single-bit error results in a totally scrambled output
Public Key Ciphers
♦ Instead of a shared secret key, the sender and recipient have a public key and a private key
∗ Private key remains secret while the public key is distributed
∗ One key locks a safe, the other key is needed to unlock
∗ A uses B's public key to encrypt a message which B decrypts with his private key
♦ Another application – sender authentication
∗ A encrypts a message with her private key
∗ If B succeeds in decrypting the message B is assured that A sent it
♦ Two commonly used ciphers
∗ RSA (Rivest, Shamir, Adleman) – based on the difficulty of factoring a large integer into prime factors
∗ ECC (Elliptic Curve Cryptography) – based on the difficulty of calculating the discrete logarithm – calculate b from $a^b = c$
∗ Security provided relies on the difficulty of finding the secret key and having to use exhaustive search
RSA Cipher
♦A generates keys:
∗ Select p,q large prime numbers (at least hundred digits) and denote N=pq; $\phi(N) = (p-1)(q-1)$
∗ Select a small odd integer e relatively prime (only common factor is 1) to $\phi(N)$
∗ Find integer d so that $ed = 1 \bmod \phi(N)$
∗ (e,N) – public key; (d,N) – private key
♦B wants to send A a message M
∗ B encrypts M using A's public key – $S = M^e \bmod N$
» M is restricted to 0 ≤ M ≤ N-1
∗ A decrypts using private key d – $S^d \bmod N = M^{ed} \bmod N = M$
RSA Cipher - Example
♦p=7; q=11 ⇒ N=77; $\phi(N) = 6 \times 10 = 60$
♦Select e=7 (relatively prime to 60)
♦d=43 since 7×43=301=1 mod 60
♦B wants to send M=9
∗ B encrypts using the public key (e,N)=(7,77) – $S = 9^7 \bmod 77 = 4782969 \bmod 77 = 37$
♦We decrypt using the private key (d,N)=(43,77) – $M = 37^{43} \bmod 77 = 9$
Security Attacks using Side-Channel Information
♦ Information obtained from physical implementation:
∗ Timing – time needed to encrypt may depend on bits of key
∗ Power – power profile may depend on bits of the key
∗ Attacker narrows the range of values to be attempted
♦ Protection schemes
∗ Inject random # of useless instructions scrambling relation between key & time – also helps against power attacks
∗ Designs with data-independent delay or dual-rail logic (consume same power for all keys)
∗ These techniques incur delay and/or power penalties
♦ Another attack – by injecting faults
∗ Vary the supply voltage – generate a spike
∗ Vary the clock frequency – generate a glitch
∗ Overheat the device
∗ Expose to intense light – camera flash or precise laser beam
∗ Faults injected into a byte or a few bits
Fault Attacks on Symmetric Cipher - DES
♦Assume:
∗ Secret key transferred from EEPROM to memory
∗ Attacker can reset an entire byte of the key
∗ Fault can be injected at precise time (use power profile)
♦8 steps
∗ Encrypt known plaintext with a number of bytes forced to 0
∗ Based on 1st byte of key found (trying 128 combinations)
♦Another attack:
∗ Cause instruction to fail using clock glitch
∗ E.g., execute only one or two rounds simplifying key extraction
∗ Can also be used against AES (even software implementation)
Fault Attacks on RSA
♦Only decryption is subject to attacks
♦Assume:
∗ 1. Attacker can flip a single bit in key d
∗ 2. S and corresponding message M known to attacker
∗ Decryption device generates $\hat M$ satisfying $\hat M = S^{\hat d} \bmod N$, $\hat d = d \pm 2^i$
∗ If $d_i = 1$ then $M = \hat M \cdot S^{2^i} \bmod N$
∗ If $d_i = 0$ then $\hat M = M \cdot S^{2^i} \bmod N$
∗ Similarly – flip a bit in S or flip two or more bits
♦ Example: (e,N)=(7,77), d=43, $d = d_5 d_4 d_3 d_2 d_1 d_0 = 101011$
∗ Ciphertext=37 producing M=9 if no fault is injected and $\hat M = 67$ if a fault is injected
∗ Search for i such that $9 = 67 \cdot 37^{2^i} \bmod 77$; i=3 since $67 \cdot 37^{8} \bmod 77 = 67 \cdot 53 \bmod 77 = 9$ ($d_3 = 1$)
Countermeasures
♦Must first detect injected fault, then prevent attacker from observing the erroneous output
∗ Block the output (e.g., generate all zeroes output)
∗ Produce a random output misleading the attacker
♦Two approaches:
∗ 1. Duplicate encryption (decryption) process (hardware or time redundancy) and compare results – injected faults are transient and will manifest differently
» Spatial duplication – redundant encryption unit or use decryption unit & compare to original plaintext
» Temporal duplication – reuse hardware or re-execute software
∗ 2. Use error-detection codes – require smaller overhead but possibly a lower coverage
Error Detecting Codes (EDCs)
♦ First generate check bits
♦ For each operation within encryption predict check bits
♦ Periodically compare predicted check bits to generated ones
♦ Predicting check bits for each operation - most complex step
∗ Should be compared to duplication
♦ Examples of EDC – parity based and residue checks
♦ Can be applied at different levels – word, byte, nibble
Parity-based Code for AES
♦ Operations operate on bytes so byte-level parity is natural
♦ ShiftRows: rotating the parity bits
♦ AddRoundKey: add parity bits of state to those of key
♦ SubBytes: Expand Sbox to 256×9 – add output parity bit; to propagate incoming errors (rather than having to check) expand to 512×9 – put incorrect parity bit for inputs with incorrect parity
♦ MixColumns: The expressions are:
$p'_{0,j} = p_{0,j} \oplus p_{2,j} \oplus p_{3,j} \oplus s_{0,j}^{(7)} \oplus s_{1,j}^{(7)}$
$p'_{1,j} = p_{0,j} \oplus p_{1,j} \oplus p_{3,j} \oplus s_{1,j}^{(7)} \oplus s_{2,j}^{(7)}$
$p'_{2,j} = p_{0,j} \oplus p_{1,j} \oplus p_{2,j} \oplus s_{2,j}^{(7)} \oplus s_{3,j}^{(7)}$
$p'_{3,j} = p_{1,j} \oplus p_{2,j} \oplus p_{3,j} \oplus s_{3,j}^{(7)} \oplus s_{0,j}^{(7)}$
where $s_{i,j}^{(7)}$ is the msb of the state byte in position i,j
[Figure: parity-prediction scheme – Transformation Input (input state matrix) → Transformation → Transformation Result (output state matrix) → Parity Bit(s); in parallel, Parity Prediction → Predicted Parity Bit(s), compared with the generated parity bits]
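Added example (not the book's circuit): the MixColumns parity-prediction equations above implemented over one state column, checked against the MixColumns worked example from the earlier slide (column d4 bf 5d 30 → 04 66 81 e5) and against constructed pseudo-random columns, then exercised with injected single-bit and two-bit faults to show what byte parity detects and what it misses. ShiftRows and AddRoundKey predictors are included as the one-liners they are. Function names are my own.

```python
# Byte-level parity prediction for AES (added example, not the book's circuit).
# A check bit is the parity of one state byte; the predictor computes the parity
# each output byte *should* have from the input parities and input msbs only.

def parity(b: int) -> int:
    return bin(b & 0xFF).count("1") & 1

def xtime(a: int) -> int:
    """Multiply by x (02) modulo g(x) = x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) if a & 0x100 else a

def mix_column(col):
    """AES MixColumns on one 4-byte column (alpha = 02, beta = 03)."""
    a0, a1, a2, a3 = col
    x = xtime                       # alpha * v
    y = lambda v: xtime(v) ^ v      # beta * v = alpha * v + v
    return [x(a0) ^ y(a1) ^ a2 ^ a3,
            a0 ^ x(a1) ^ y(a2) ^ a3,
            a0 ^ a1 ^ x(a2) ^ y(a3),
            y(a0) ^ a1 ^ a2 ^ x(a3)]

def predict_mix_column_parity(col):
    """The slide's equations. Why the msb appears: 02*s shifts the msb out and
    conditionally adds 1b, which has even parity, so parity(02*s) = p ^ msb and
    parity(03*s) = parity(02*s) ^ p = msb."""
    p = [parity(b) for b in col]
    m = [b >> 7 for b in col]       # s_{i,j}^(7)
    return [p[0] ^ p[2] ^ p[3] ^ m[0] ^ m[1],
            p[0] ^ p[1] ^ p[3] ^ m[1] ^ m[2],
            p[0] ^ p[1] ^ p[2] ^ m[2] ^ m[3],
            p[1] ^ p[2] ^ p[3] ^ m[3] ^ m[0]]

def predict_shift_rows_parity(p16):
    """16 parity bits, column-major (index 4*col + row): rotate with the bytes."""
    return [p16[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def predict_add_round_key_parity(p_state, p_key):
    return [a ^ b for a, b in zip(p_state, p_key)]

def check_mix_column(col_in, col_out) -> bool:
    """Compare predicted to generated parity; True means no detectable error."""
    return predict_mix_column_parity(col_in) == [parity(b) for b in col_out]

def prediction_matches(trials: int = 2000) -> bool:
    """Constructed columns from a small LCG: prediction must equal the parity
    of the real MixColumns output every time (it is exact, not statistical)."""
    x = 12345
    for _ in range(trials):
        col = []
        for _ in range(4):
            x = (1103515245 * x + 12345) & 0x7FFFFFFF
            col.append((x >> 16) & 0xFF)
        if not check_mix_column(col, mix_column(col)):
            return False
    return True

def run_demo():
    col = [0xD4, 0xBF, 0x5D, 0x30]        # column from the MixColumns example slide
    out = mix_column(col)                 # -> 04 66 81 e5
    ok_clean = check_mix_column(col, out)
    one_bit = out[:];  one_bit[0] ^= 0x10                 # odd-order fault: detected
    two_same = out[:]; two_same[0] ^= 0x11                # even-order, same byte: missed
    two_spread = out[:]; two_spread[0] ^= 0x01; two_spread[2] ^= 0x01  # two bytes: detected
    return (out, ok_clean, check_mix_column(col, one_bit),
            check_mix_column(col, two_same), check_mix_column(col, two_spread))

if __name__ == "__main__":
    out, clean, one, same, spread = run_demo()
    print("MixColumns output:", " ".join(f"{b:02x}" for b in out))
    print("no fault ok:", clean, "| 1-bit fault ok:", one,
          "| 2-bit same byte ok:", same, "| 2 bits in 2 bytes ok:", spread)
    print("prediction exact on constructed columns:", prediction_matches())
```

The two-bit fault confined to one byte leaves the byte parity unchanged and is reported as "ok", which is the even-order gap the coverage slide describes; once faults land in different bytes each byte's parity flips and the check fires again.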
AES – Scheduling of Checks
♦Comparing predicted to generated parity bits
∗ After each operation
∗ After each round
∗ At end of encryption – smallest hardware & time overheads
» Does not mask error indication
[Figure: one AES round (SubBytes, ShiftRows, MixColumns, XorRoundKey) with check points at the transformation level, the round level and the encryption level]
AES - Coverage
♦Coverage – parity codes detect odd-order faults
∗ Even-order faults in same byte – not detected
∗ If multiple faults are injected – overall coverage > 99%
♦EDCs can be used for other ciphers including public key ciphers
∗ RSA uses modular arithmetic – residue check is most appropriate
Fault Detection is not always sufficient
♦ Example – RSA
♦ Can be protected against fault injection using residue check or encrypting M & comparing to S
♦ Is vulnerable to power analysis – more power consumed if $d_i = 1$
♦ Modified to use same power and has fault detection
♦ Still vulnerable to fault injection
♦ Inject fault in calculation of b – if correct M, one bit of d is deduced
Montgomery-step Algorithm
♦ Intermediate values of a & b are used and an injected fault will be detected
♦ Provides another way to detect faults: a & b must be of the form (M, SM)
♦ Checking this relation detects most faults except faults in the bits of d or in the number of loop iterations – these can be checked with an EDC
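Added example (not the book's code) covering the RSA example slide, the "encrypt M and compare to S" countermeasure and the Montgomery-step check above: RSA with the slide's p=7, q=11, e=7, a Montgomery ladder that verifies b == a·S mod N after every step, and a decryption wrapper that blocks the output unless both checks pass. The fault_step and d_override arguments are hypothetical hooks that simulate an injected fault so the checks can be exercised; d_override=35 is the slide's d=43 with bit 3 cleared.

```python
# RSA with the slide's toy parameters plus the two fault checks the slides
# describe. Added example, not the book's code. fault_step and d_override are
# hypothetical hooks that simulate an injected fault.

from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """(e, N) public, (d, N) private with e*d = 1 mod phi(N)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be relatively prime to phi(N)"
    d = pow(e, -1, phi)            # modular inverse, Python 3.8+
    return (e, n), (d, n)

def rsa_encrypt(m: int, pub) -> int:
    e, n = pub
    assert 0 <= m <= n - 1
    return pow(m, e, n)

def ladder_decrypt(s: int, priv, fault_step=None):
    """Left-to-right Montgomery ladder computing S^d mod N.
    After every step (a, b) = (S^k, S^(k+1)) for the prefix k of d processed so
    far, i.e. b == a*S mod N (the (M, SM) relation on the slide).
    Returns (result, invariant_held)."""
    d, n = priv
    a, b = 1, s % n
    invariant_held = True
    for step, bit in enumerate(bin(d)[2:]):
        if bit == "0":
            a, b = a * a % n, a * b % n
        else:
            a, b = a * b % n, b * b % n
        if step == fault_step:
            b ^= 1                     # simulated transient fault in b
        if b != a * s % n:             # check the relation after each step
            invariant_held = False
    return a, invariant_held

def protected_decrypt(s: int, priv, pub, fault_step=None, d_override=None):
    """Release M only if both checks pass; otherwise block the output (None)."""
    d, n = priv
    if d_override is not None:         # simulate a fault that altered the stored d
        priv = (d_override, n)
    m, ok = ladder_decrypt(s, priv, fault_step)
    if not ok:
        return None                    # ladder relation broken
    if rsa_encrypt(m, pub) != s:       # re-encrypt and compare to S
        return None
    return m

if __name__ == "__main__":
    pub, priv = rsa_keygen(7, 11, 7)           # (7, 77), (43, 77) as on the slide
    s = rsa_encrypt(9, pub)                    # 37
    print("S =", s, " M =", protected_decrypt(s, priv, pub))
    print("bit 3 of d flipped: ladder gives", ladder_decrypt(s, (35, 77))[0],
          "-> released:", protected_decrypt(s, priv, pub, d_override=35))
    print("fault in b at step 2 -> released:",
          protected_decrypt(s, priv, pub, fault_step=2))
```

Note what each check catches: a fault in b breaks the ladder relation immediately, but a flipped bit of d leaves the relation intact (a and b both follow the altered exponent and the ladder faithfully returns 67), which is exactly why the slide says the bits of d need a separate EDC; here the re-encryption comparison is what blocks that output.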
AES - Successful Attack even if Faults detected
♦Provide all-zero input to AES encryption
♦In initial round key is added – state=key
♦Before SubBytes inject a stuck-at-0 fault into bit l
∗ If result is correct then bit l of key is 0
♦Attack is complicated – exact timing and precise location of fault and fault type
♦Even if strict timing and location are not practical – repeating the experiment many times will allow extracting the secret key