Side-Channel & Fault Attacks (security.di.unimi.it/sicurezza1819/slides/20181206...)
![Page 1: Side-Channel & Fault Attackssecurity.di.unimi.it/sicurezza1819/slides/20181206... · Spy Catcher: The Candid Autobiography of a Senior Intelligence Officer. Viking Press, 1987. 22](https://reader033.vdocuments.us/reader033/viewer/2022060907/60a1d279bfd03071642d6be3/html5/thumbnails/1.jpg)
Side-Channel & Fault
Attacks
Ruggero Susella
System Research & Applications – Security Roadmap
STMicroelectronics
2018/12/06
ST – Who are we?
STMicroelectronics
[World map of ST sites; legend: Front-End, Back-End, Research & Development, Main Sales & Marketing]
As of December 31, 2017
• Approximately 45,500 employees worldwide
• Approximately 7,400 people working in R&D
• 11 manufacturing sites
• Over 80 sales & marketing offices
• A global semiconductor leader
• 2017 revenues of $8.35B with year-on-year growth of 19.7%
• Listed: NYSE, Euronext Paris and Borsa Italiana, Milan
Application Strategic Focus
The leading provider of products and solutions for Smart Driving and the Internet of Things
Smart Things · Smart Home & City · Smart Industry · Smart Driving
Product Family Focus
The leading provider of products and solutions for Smart Driving and the Internet of Things
Portfolio delivering complementarity for target end markets, and synergies in R&D and manufacturing:
• Dedicated Automotive ICs
• Analog, Industrial & Power Conversion ICs
• General Purpose & Secure MCUs
• EEPROM
• MEMS & Specialized Imaging Sensors
• Discrete & Power Transistors
• Digital ASICs
An Unwavering Commitment to R&D
Advanced research and development centers around the globe
• ~17,000 patents; ~9,500 patent families; ~500 new filings (in 2017)
• ~7,400 people working in R&D and product design
As of December 31, 2017
IoT connected devices
Very-high and sustained growth potential
[Chart: number of IoT connected devices worldwide 2015-2025 (in billions)]
Secure Solutions
A broad range of secure solutions for different applications:
• Secure storage: encryption
• Key generation and management
• Credential / device life cycle management
• Platform integrity assurance
• Roots of trust
• Secure updates: software & firmware
• Secure communications
• Authentication
Security Challenges and Opportunities
Security must satisfy a challenging mix of requirements to match the targeted applications:
• Ultra low power devices
• Compact electronics
• Always connected solutions
• Cost effective platform
• Limited memory
• Physical access
Efficient solutions
Cryptography might be expensive for resource-constrained devices. Challenging requirements:
• Compact hardware implementations
• Embedded software implementations with low RAM and ROM usage
• Negligible impact on overall performance
• Low power/energy consumption
End-to-end protection
Things ↔ Cloud
• Cloud: real time analytics, managed APIs, Internet-scale awareness
TLS 1.3:
• Released in August 2018 (RFC 8446)
• Lighter: from 300 to 5 available cipher suites
• Faster: optimized protocol, the handshake completes in one round trip instead of two
• More secure: obsolete algorithms removed, the most recent ones added (e.g. Ed25519, RSA-PSS)
Without end-to-end security, someone might gain access to your IoT commands, notifications and other data.
Side Channel Attacks and Fault Countermeasures
Side Channel Attacks
• It is possible to retrieve the secrets by analysing side channels
• They can be mitigated by system-level countermeasures that make the secrets not worth attacking:
  • A secret per chip
  • Frequent re-keying
• This is not always possible
• Otherwise ad-hoc countermeasures are required, which come with associated costs
Most devices are under the control of the users, so side channel attacks become feasible!
System Research & Applications – Shared Innovation
Security Roadmap
Sites: Italy (Agrate Brianza), France (Rousset)
Strong synergy with University:
• Student internships/thesis
• PhD sponsorship
• Research contracts
Security Roadmap
[Diagram: "Backbone" Security R&D, with deliveries to ST divisions]
• System Security: anticipation, system expertise, system architecture proposals, expertise support
• HW & SW Security IPs
• Platform Security: functionality & performance, security robustness
Expectations
• After the training you should be able to understand the basics of:
  • Side Channel & Fault Attacks
  • With applications to AES
Agenda
• Side Channel Attacks
  • Introduction
• Symmetric Key Cryptography:
  • Introduction
  • AES
• Side Channel Attacks on AES
• Fault Attacks
• Fault Attacks on AES
Side Channel Attacks
Attacking Crypto Algorithms
Cryptanalysis is the art and science of analyzing information systems in order to study the hidden aspects of the systems:
• Mathematical analysis of cryptographic algorithms
• Side Channel Attacks
What is a "Side Channel"?
Attacks based on information gained from the physical implementation of a cryptosystem:
• No theoretical weakness in the algorithm is needed
• No brute force
Example (figure)
Example 2 (figure)
A little bit of history [1]
The first official information related to side-channel attacks dates back to 1965. P. Wright (a scientist with GCHQ at that time) reported in [2] that MI5, the British intelligence agency, was trying to break a cipher used by the Egyptian Embassy in London, but its efforts were stymied by the limits of its computational power. Wright suggested placing a microphone near the rotor cipher machine used by the Egyptians to pick up the click sound the machine produced. By listening to the clicks of the rotors as cipher clerks reset them each morning, MI5 successfully deduced the core position of 2 or 3 of the machine's rotors. This additional information reduced the computational effort needed to break the cipher, and MI5 could spy on the embassy's communications for years.
On the other hand, the original seminal works, as well as many subsequent pioneering ideas, on side-channel attacks in the public cryptography research community are all due to Paul Kocher, and start appearing from 1996 on.
[1] YongBin Zhou, DengGuo Feng. Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing. IACR ePrint Archive, 2005.
[2] P. Wright. Spy Catcher: The Candid Autobiography of a Senior Intelligence Officer. Viking Press, 1987.
Why "Side Channel"?
• More effective than mathematical cryptanalysis against modern cryptosystems
• In some applications the attacker does actually have physical access to the device:
  • Electronic passports, identity cards, driver licenses…
  • IoT devices
  • Point of Sale terminals
  • Access control/badges
  • Pay TV
Use Case: Pay TV
• The key that protects the content is stored within the smartcard
• The smartcard is provided to the end user, so it is no longer in the hands of the owner of the content
• Extracting the key from a single smartcard allows programming several new smartcards with the same key → clones
• One broken smartcard means a broken system
How to do a "Side Channel"?
• The attacker must have physical access to the device under attack (not always… we will see later)
• The attacker knows the algorithm under attack; the only secret is the key
• 1st stage → measurements
• 2nd stage → analysis of the measurements
  • Statistical analysis
  • Application of cryptanalysis
Power Analysis
• The instantaneous power consumption of a device depends on the data it processes and on the operation it performs
Timing Attacks
• Cryptosystems often take slightly different amounts of time to process different inputs
• Timing attacks can be launched against a workstation running a protocol such as SSL with RSA over a local network
Electromagnetic Analysis
• The flow of current through a CMOS device induces electromagnetic emanations and causes electromagnetic leakage
Power Analysis
Basic Idea
• There must be some relationship between the device's power consumption and what it is doing
• Try to exploit it to get the secret key
• Introduced by P. Kocher, J. Jaffe and B. Jun in 1999
Simple Power Analysis
• Observation of a single power trace during the computation of the crypto algorithm
• Try to distinguish between different operations related to the value of the secret key (patterns)
• Example: the RSA square-and-multiply algorithm scans the private exponent bit by bit: it performs a Square if the bit is 0, otherwise a Square followed by a Multiplication
• If the attacker can distinguish the two operations in the trace, she gets the key
[Trace excerpt with the two patterns labelled: RSA square, RSA multiplication]
Limits of Simple Power Analysis
• Requires analyzing a single power trace with very high accuracy
• Usually noise is high and this kind of analysis is not possible
• Noise has several causes, mainly other activity that affects the power consumption, and the measurement itself
Differential Power Analysis
• Requires a large number of power traces
• Each trace corresponds to a single execution; each execution is done with a different input/plaintext value but the same key
• Therefore we obtain different power traces for executions with different input/plaintext values and the same key
• Plaintext and/or ciphertext should be known to the attacker (a common assumption, which also holds in most real applications)
• No detailed knowledge of the cryptographic device is required
• Works even with noisy power traces: more power traces means less noise
Consumption Model
• Instantaneous power consumption of a digital CMOS device:
• P(t) = P_const(t) + P_instr(t) + P_data(t) + P_noise(t)
• P_const(t) is unimportant for DPA
• P_instr(t) is fixed by the particular instruction executed
• P_data(t) is due to the currently processed data
• P_noise(t) has to be minimized
• DPA exploits the differences in P(t) due to P_data(t)
• The basic idea is to associate the device's power consumption with the values it processes
Hamming Weight Model
• Tries to estimate P_data(t)
• Based on the assumption that a bit set to 1 consumes more than a bit set to 0
• A very simple model, yet still in use today
• Sometimes the Hamming Distance model is preferable: it measures the transitions of a signal or register, i.e. the bits that change value
Sensitive Variable
• A DPA attack works if a relation exists between the power consumption and a target "sensitive variable"
• A sensitive variable is a value:
  • Actually computed during the execution
  • Made by a combination of a portion of the key (e.g. 1 bit, 1 byte) and a value known to the attacker that changes every execution (e.g. the input)
DPA: Basic Idea (1/3)
• Collect the side channel of the execution of the algorithm providing different inputs: Input0 → Trace0, Input1 → Trace1, …, Inputn → Tracen
• Identify a sensitive variable in the algorithm, e.g. SV = Input[0] XOR Key[0]; our target will be Key[0]
• For all Input0…n, and for all possible m values of Key[0], compute HW(Inputi[0] XOR j). Create a table of guesses (one row per input, one column per key guess):

| Input \ Key guess | 0 | 1 | … | m |
|---|---|---|---|---|
| Input0 | HW(Input0[0] XOR 0) | HW(Input0[0] XOR 1) | … | HW(Input0[0] XOR m) |
| Input1 | HW(Input1[0] XOR 0) | HW(Input1[0] XOR 1) | … | HW(Input1[0] XOR m) |
| … | … | … | … | … |
| Inputn | HW(Inputn[0] XOR 0) | HW(Inputn[0] XOR 1) | … | HW(Inputn[0] XOR m) |
DPA: Basic Idea (2/3)
• Create a matrix with the traces (one row per trace, one column per time sample)
• For each column (time sample) compute the correlation coefficient with every column in the guess table
[Figure: the trace matrix (n traces × time samples) and the guess table (n inputs × key guesses) are combined into a correlation matrix (key guesses × time samples)]
DPA: Basic Idea (3/3)
• The result is a matrix of correlation traces (one per key guess)
• In (m-1) correlation traces we correlated the side channel traces with intermediate variables that are never computed, because the key guess is wrong; this is like correlating with a random vector, so the expected correlation is close to zero
• In one correlation trace we correlated the side channel traces with intermediate variables that are actually computed: at the point in time when our sensitive variable is computed, we expect a peak towards 1
[Figure: correlation traces, one row per key guess, over the time samples]
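The three DPA steps above, carried out end to end on constructed traces, as an added example that is not part of the lecture slides. It follows the slides' own choice of sensitive variable, SV = Input[0] XOR Key[0], with the Hamming-weight model: step 1 builds the guess table, step 2 correlates every key-guess column with every time-sample column, step 3 looks for the peak. The traces are simulated here (Hamming weight of the sensitive variable at one sample, the Hamming weight of unrelated random data elsewhere, Gaussian noise on top); the key byte, the leaking sample index and the noise level are arbitrary assumptions. No real device or oscilloscope is involved.

```python
import random

# Added example, not from the slides: correlation DPA on constructed traces.
# Sensitive variable (as on the slides): SV = Input[0] XOR Key[0], modelled by its
# Hamming weight. Every trace value below is simulated, not measured.

def hamming_weight(x):
    return bin(x).count("1")

def simulate_traces(key_byte, n_traces=200, n_samples=10, leak_sample=6,
                    noise_sigma=1.0, seed=7):
    """Return (inputs, traces). At index leak_sample each trace holds
    HW(input XOR key_byte) plus noise; every other sample holds the Hamming
    weight of unrelated random data plus noise (the P_instr/P_noise terms)."""
    rng = random.Random(seed)
    inputs, traces = [], []
    for _ in range(n_traces):
        p = rng.randrange(256)                       # known, varying input byte
        trace = [hamming_weight(rng.randrange(256)) + rng.gauss(0, noise_sigma)
                 for _ in range(n_samples)]
        trace[leak_sample] = hamming_weight(p ^ key_byte) + rng.gauss(0, noise_sigma)
        inputs.append(p)
        traces.append(trace)
    return inputs, traces

def guess_table(inputs):
    """Step 1: HW(Input_i XOR j) for every input i (rows) and key guess j (256 columns)."""
    return [[hamming_weight(p ^ j) for j in range(256)] for p in inputs]

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5

def correlation_matrix(inputs, traces):
    """Step 2: one correlation trace per key guess (256 rows x n_samples columns)."""
    table = guess_table(inputs)
    n_samples = len(traces[0])
    columns = [[tr[t] for tr in traces] for t in range(n_samples)]
    corr = []
    for j in range(256):
        hyp = [row[j] for row in table]              # column j of the guess table
        corr.append([pearson(hyp, col) for col in columns])
    return corr

def rank_guesses(corr):
    """Step 3: rank key guesses by the height of their peak.
    Returns (|corr at peak|, guess, sample index of the peak), best first."""
    ranked = []
    for j, row in enumerate(corr):
        t = max(range(len(row)), key=lambda i: abs(row[i]))
        ranked.append((abs(row[t]), j, t))
    ranked.sort(reverse=True)
    return ranked

def recover_key_byte(key_byte):
    inputs, traces = simulate_traces(key_byte)
    return rank_guesses(correlation_matrix(inputs, traces))

if __name__ == "__main__":
    for score, guess, t in recover_key_byte(0x2B)[:3]:
        print(f"guess 0x{guess:02x}  |corr| = {score:.2f}  peak at sample {t}")
```

Two things worth noticing when running it. The peak lands on the leaking sample for the correct key only, which is how the attacker also learns *when* the sensitive variable is computed. And the correct guess does not stand alone: because HW(p XOR k XOR 0xFF) = 8 - HW(p XOR k), the complement of the key produces the same correlation with the opposite sign, so the XOR target from the slides only identifies the key byte up to complement. Targeting a nonlinear intermediate (the S-box output of the first AES round, covered later in the lecture) removes that ambiguity.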
Workbench for Power Analysis
SPEAr board
• A resistor R is added in series with the SoC power supply (the voltage drop across it is what gets measured)
• A GPIO is used for the trigger
Oscilloscope
• Agilent Infiniium
• Features: max 40 GSa/s, max 2M samples, 4 channels
• Differential probe: voltage difference measurement across the resistor
• Simple probe: trigger detection
Workbench
• PC (Linux): commands the board, cross-compiles for ARM
• Oscilloscope: waits for the trigger, averages out the trace, saves the trace
• SPEAr board: runs the crypto algorithm, generates the trigger
Single Power Trace (figure)
Mean of 1000 Power Traces (figure)
Workbench for EM Analysis
• Digital scope: LeCroy WavePro, 40 GS/s, 6 GHz bandwidth
• XY stage (resolution up to 0.1 µm)
• Wideband amplifier (Miteq + Femto)
• EM probes (Langer + handmade)
Timing Attacks
What is a Timing Attack
• A side channel attack in which the attacker attempts to compromise a cryptosystem by analyzing the time taken to execute cryptographic algorithms
• In some cases exploitable from remote locations
• Effective if the computation time depends on the secret
• Needs encryption timings with high accuracy: noise and measurement resolution must be lower than the timing difference we want to measure
Vulnerability comes from…
• Sometimes it is a matter of algorithm
  • Often, algorithms leak information through timing differences because the computational steps depend on data values
  • Choose a constant-time algorithm to avoid these attacks; e.g. modular exponentiation (we will see it later) can be done with the Square&Multiply algorithm (variable-time) or with Square&Multiply Always (constant-time)
• Otherwise, it can be a matter of implementation
  • A cache-timing attack takes advantage of data-dependent timing variations during cache accesses (a cache miss costs more time than a hit)
  • It exploits implementations in which secret data is used as an array index (e.g. the AES S-box)
  • Almost every implementation can be made constant-time in order to avoid these attacks
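An added example, not code from the lecture, that ties the RSA square-and-multiply example of the Simple Power Analysis slide to the Square&Multiply Always remark just above. The variable-time exponentiation records the sequence of squarings and multiplications it performs, which is exactly the pattern an SPA trace reveals, and spa_recover reads the private exponent back out of that sequence. The square-and-multiply-always variant does a Square and a Multiply for every exponent bit and keeps the product only when the bit is 1, so its operation pattern (and operation count) no longer depends on the key. Base, modulus and exponents are small constructed values; note that Python's big-integer arithmetic is itself not constant-time, so the "always" variant fixes the operation pattern, not the duration of each operation.

```python
# Added example, not from the slides: SPA leakage of square-and-multiply, and the
# square-and-multiply-always variant whose operation pattern is key-independent.

def hamming_weight(x):
    return bin(x).count("1")

def square_and_multiply(base, exp, mod, ops):
    """Left-to-right binary exponentiation as on the SPA slide: one Square per
    exponent bit, plus a Multiply when the bit is 1. Every operation is appended
    to ops, standing in for the pattern an attacker sees in the power trace."""
    r = 1
    for bit in bin(exp)[2:]:          # most significant bit first
        r = (r * r) % mod
        ops.append("S")
        if bit == "1":                # data-dependent branch: the leak
            r = (r * base) % mod
            ops.append("M")
    return r

def spa_recover(ops):
    """Read the exponent back from the S/M pattern: each 'S' opens a new bit
    (initially 0), an 'M' right after it sets that bit to 1."""
    bits = []
    for op in ops:
        if op == "S":
            bits.append("0")
        elif op == "M":
            bits[-1] = "1"
    return int("".join(bits), 2)

def square_and_multiply_always(base, exp, mod, ops, n_bits):
    """Square-and-multiply-always: a Square and a Multiply for every one of the
    n_bits exponent bits; the multiply result is kept only when the bit is 1.
    The selection uses an arithmetic mask instead of a branch."""
    r = 1
    for i in range(n_bits - 1, -1, -1):
        r = (r * r) % mod
        ops.append("S")
        t = (r * base) % mod          # always computed, whatever the bit
        ops.append("M")
        bit = (exp >> i) & 1
        mask = -bit                   # 0 when bit == 0, all ones (-1) when bit == 1
        r = (t & mask) | (r & ~mask)  # keep t when bit is 1, discard it otherwise
    return r

def operation_counts(exp, n_bits, base=4, mod=497):
    """Number of operations, i.e. the 'time' each variant takes for this exponent:
    n_bits + HW(exp) for the variable-time version, 2 * n_bits for the always version."""
    variable, always = [], []
    square_and_multiply(base, exp, mod, variable)
    square_and_multiply_always(base, exp, mod, always, n_bits)
    return len(variable), len(always)

if __name__ == "__main__":
    ops = []
    square_and_multiply(4, 0b1011, 497, ops)
    print("SPA pattern:", "".join(ops), "-> exponent", bin(spa_recover(ops)))
    print("operation counts (variable-time, always):", operation_counts(0b1011, 4))
```

The operation count of the variable-time version is n_bits + HW(exponent), which is the quantity a timing attack measures; the always version costs 2 × n_bits for every exponent. The price of the countermeasure is visible too: roughly one extra multiplication per zero bit.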
Timing attack chart example (figure)
Agenda
• Side Channel Attacks
  • Introduction
• Symmetric Key Cryptography:
  • Introduction
  • AES
• Side Channel Attacks on AES
• Fault Attacks
• Fault Attacks on AES
Symmetric Key Algorithms
Data Encryption
• Scrambling of data with an algorithm and a secret key
• Decryption requires the same secret key
• The encryption algorithm is not required to be secret; in fact, Kerckhoffs's principle states that security must rely only on the secrecy of the key
• Violating this principle is called security by obscurity
• Knowledge of plaintext/ciphertext pairs should be useless to the attacker
• Some information leaks independently of encryption: the number of messages exchanged and the length of the messages
Symmetric Key Cryptography
[Diagram: Encryption → Decryption, both using the same key]
The encryption key is also used for decryption: it must be kept secret!
AES
AES Standardization
• The Advanced Encryption Standard (AES) is the result of a competition for a symmetric algorithm, run by NIST to replace DES
• After a 4-year competition among 15 candidates, NIST selected the algorithm named Rijndael, designed by the two Belgian cryptographers Vincent Rijmen and Joan Daemen
AES Overview
• Substitution-permutation network block cipher
• Iterates a "round" several times; a round is made of a series of round operations
• Decryption is done by applying the inverted round operations in reverse order
• 128 bits of state (viewed as a 4 × 4 byte matrix)
• Key sizes of 128, 192 and 256 bits, with respectively 10, 12 and 14 rounds
• Each round uses a different round key generated by a key schedule procedure; round keys are always 128 bits
![Page 58: Side-Channel & Fault Attackssecurity.di.unimi.it/sicurezza1819/slides/20181206... · Spy Catcher: The Candid Autobiography of a Senior Intelligence Officer. Viking Press, 1987. 22](https://reader033.vdocuments.us/reader033/viewer/2022060907/60a1d279bfd03071642d6be3/html5/thumbnails/58.jpg)
AES Block Cipher
(Figure: 128-bit plaintext block in, 128-bit ciphertext block out, key of 128 or 192 or 256 bits)
AES Input Mapping
• Input is a block of 128 bits which gets mapped into a 4x4 byte matrix, column by column (byte index in each cell):
00 04 08 12
01 05 09 13
02 06 10 14
03 07 11 15
Plaintext = 0x00010203040506070809101112131415
AES Algorithm
(Figure: PLAINTEXT → AddRoundKey → Round [SubBytes, ShiftRows, MixColumns, AddRoundKey], repeated → Last Round [SubBytes, ShiftRows, AddRoundKey] → CIPHERTEXT; KEY → Key Schedule → round keys)
The Key Schedule is a separate part of the AES algorithm which, given a key (128, 192 or 256 bits), generates (10, 12 or 14) 128-bit round keys. Each round key is used in a different round.
AES SubBytes
• Byte-by-byte substitution (a permutation of the byte values)
• Highly non-linear
• Most often implemented as a look-up table
• Invertible, by using another look-up table
AES ShiftRows
• Simply rotate rows
• The inverted operation rotates rows in the opposite way
• Provides diffusion by mixing contributions of different columns
AES MixColumns
• Every output byte depends on all 4 input bytes
• Provides diffusion
• Linear and invertible transformation
AES AddRoundKey
AddRoundKey is a XOR between the 128-bit state and the 128-bit round key
Implementations
• SW
• Key Schedule computed in advance and all round keys stored in RAM
• Trade-off between size and speed
• Only SubBytes LUT, no LUT for MixColumns (256B + 256B)
• LUT SubBytes + MixColumns (1024B + 1024B)
• LUT SubBytes + ShiftRows + MixColumns (4096B + 4096B)
• And dedicated CPU instructions
• Intel’s AES-NI
• ARM NEON Crypto Extension (ARMv8-A)
• HW
• Key Schedule computed on the fly in parallel with the AES round
• AES round can have an 8, 32 or 128 bit datapath
• Requiring 1, 4 or 16 SubBytes units respectively
• Sbox can be a LUT or combinatorial logic (with different options)
Power Analysis on AES
DPA on AES (1/3)
• We need to identify our sensitive variable
• We need a value based on a part of the key and something we know
• What do we know?
• Only plaintexts and/or ciphertexts
• We can focus on the first round Sbox
• Which is Sbox(Plaintext XOR Key)
• Sbox(P[0] XOR Key[0]) depends on the plaintext and on a single byte of the Key
• We only need 2^8 = 256 hypotheses
(Figure: PLAINTEXT and KEY enter AddRoundKey, followed by SubBytes)
DPA on AES: (1/3)
• Collect the side channel of the execution of the algorithm, providing different plaintexts P
• P0 → Trace0
• P1 → Trace1
• …
• Pn → Tracen
• Identify a sensitive variable in the algorithm: P[0] XOR Key[0]
• For all P0…n, and for all possible m values of Key[0] (= 0..256), compute HW(Pi[0] XOR j). Create a table of guesses (one row per input Pi, one column per key guess j):
HW(P0[0] XOR 0)  HW(P0[0] XOR 1)  HW(P0[0] XOR …)  HW(P0[0] XOR m)
HW(P1[0] XOR 0)  HW(P1[0] XOR 1)  HW(P1[0] XOR …)  HW(P1[0] XOR m)
HW(P…[0] XOR 0)  HW(P…[0] XOR 1)  HW(P…[0] XOR …)  HW(P…[0] XOR m)
HW(Pn[0] XOR 0)  HW(Pn[0] XOR 1)  HW(Pn[0] XOR …)  HW(Pn[0] XOR m)
DPA: Basic Idea (2/3)
• Create a matrix with the traces
• For each column (time sample) compute the correlation coefficient with every column in the guess table
(Figure: trace matrix of n traces × time samples per trace, correlated with the guess table, gives a Corr matrix of key guess × time samples per trace)
DPA: Basic Idea (3/3)
• Result is a matrix of correlation traces (one per key guess)
• In (m-1) correlation traces we correlated side channel traces with intermediate variables which are never computed
• Because the key is wrong
• So it’s like correlating with a random vector
• Expected correlation is close to zero
• But in one correlation trace we correlated side channel traces with intermediate variables that are actually computed
• At some point in time, when our sensitive variable is computed, we expect a peak towards 1
(Figure: correlation matrix, key guess × time samples per trace, with a peak on the correct key guess)
First Round Attack (1/2)
(Figure only)
First Round Attack (2/2)
(Figure only)
Countermeasures
• Dual Rail Logic
• Uses a different implementation of the logic gates
• Goal is to have a power consumption independent of the data
• Drawbacks: complex, ad-hoc EDA tools, size, glitches
• Execution Time Randomization
• Introduces random delays in the computation
• Goal is to break the trace synchronization required by DPA
• Drawbacks: random generation, slow, traces can be resynchronized
• Data Randomization (Masking)
• The input (plaintext) is randomly masked at each execution
• Goal is to make the sensitive variable (SV) depend on an unknown random value
• Drawbacks: random generation, slow, second order attacks
Agenda
• Side Channel Attacks
• Introduction
• Symmetric Key Cryptography:
• Introduction
• AES
• Side Channel Attacks on AES
• Fault Attacks
• Fault Attacks on AES
Fault Attacks
Accidental Faults
• Electronic devices are subject to (usually) rare faults
• Caused by the environment
• Unexpected temperature, ionizing particles, power grid glitches, electrostatic discharges…
(Figure: timeline from the 50s to the 20s)
• Ground nuclear testing: anomalies in electronic monitoring equipment
• Aerospace industry: problems in space electronics
• Super computers: errors appear in large memories
• Critical systems: problems in cars, health, voting devices
• Smaller systems: half of embedded designs are safety relevant
• From random bit flips in memory to random errors in logic, as transistor size decreases
From Accidental to Intentional Faults
• Attacker idea: provoke and control a fault to perturb the device at the right time
• And exploit the fault to break security!
• Bypass secure boot, secure firmware upgrade checks
• Change device state, get cryptographic algorithm keys, …
• Usually HW is trusted, SW does not expect it to fail
• SW protections can be bypassed this way
• Often the only way to attack bug-free SW
• Brief History
• Late 1990s: unlock pay TV smart cards
• 2000s: bypass game protection on consoles
• Late 2000s: protection mandatory for set-top boxes
• Late 2010s: more and more public attacks on IoT devices
• Labs trained on smart cards looking for new targets
(Figure: PIN check flow “Is PIN OK?”, yes → Continue, no → Increment Counter → Error; a fault can skip the check or yield a bad result)
Faults Exploitation
Source: https://wp-systeme.lip6.fr/jaif/wp-content/uploads/sites/8/2018/05/KH-29-05-2018-JAIF.pdf
• Fault Model
• Registers, Logic, Flash, RAM…
• Single bit, few bits, word…
• Stuck at 0 or 1, flip, random
• Precise/loose/random control on location & timing
• Transient, permanent, destructive
• Multiple faults
• Instruction skip, force jump…
• Target
• Stored Data
• Computations
• Crypto
• Program Flow
How to Inject Faults?
• Non-invasive methods
• No physical damage to the chip
• Modify working conditions
• Moderate knowledge/equipment
• Semi-invasive methods
• Chip de-capsulation
• Milling, etching, cleaning
• Affordable equipment
• Often requires building custom boards
• Invasive methods
• Establish electrical contact to the chip
• Modification, destruction, …
• Expensive equipment, e.g. semiconductor diagnostics
source: https://www.cosic.esat.kuleuven.be/summer_school_sardinia_2015/slides/Balasch.pdf
(Figure: injection methods shown: Temperature, Voltage undersupply, Clock glitch, Voltage glitch, Electromagnetic pulses, Laser, FIB)
Temperature & Particles
• Temperature
• Heating causes combinatorial logic to slow down
• Data not yet ready when sampled
• May be used to increase sensitivity to other injection methods
• Particles “toy” example
• Smoke detector used to perturb smart cards
• Getting harder for particles to go through the package
• Both are not precise at all, and never used in practice
Voltage Undersupply
• Low voltage causes combinatorial logic to slow down
• Data not yet ready when sampled!
• Not very precise in time & space (location)
• Can be used to get out of infinite loops, for instance
• Used to unlock pay TV smart cards in the 1990s
source: https://www.cosic.esat.kuleuven.be/summer_school_sardinia_2015/slides/Balasch.pdf
Clock Glitch
• Requires a simple signal generator
• Attack the precise clock cycle of the targeted instruction
• As if the instruction had less time to complete
• Data not ready when latched
• Affects everything synchronized by this clock
• But only works if the CPU runs from an external clock
(Figure: CLOCK waveform with a shortened cycle on “ins N” among ins N-2, N-1, N, N+1, N+2)
Voltage Glitch
• Affects everything powered by the perturbed VCC pin
• Attack the target instruction when it is executed
• Combinatorial logic slowed down by low voltage
• Data not yet ready when sampled
• Must explore to find the right glitch parameters
• Width, depth, time
• Board and chip capacitors may filter or degrade the glitch
• Can be deployed through mod-chips soldered on the board
• Usually the most dangerous non-invasive fault injection method
(Figure: VCC waveform with a dip on “ins N” among ins N-2, N-1, N, N+1, N+2)
Effects
• Wrong data is sampled
• Fault slows down combinatorial logic
• Or provokes early latch
• => Result sampled before it’s ready
• Critical path violation
• Global impact (whole chip)
• Time may be finely adjusted
• Perturb logic when it’s used
Electromagnetic Pulses
• Shot location on chip (not very precise)
• Internal clock & power line
• Random Number Generator
• Specific security IP
• Processor, memory, bus…
• Probably broader fault model
• Not fully understood yet
• Many configurable parameters
• Probe (coil area, core magnetic permeability)
• Position (X,Y,Z)
• Pulse amplitude and width
Our Bench: Electromagnetic Fault Injection
• Pulse generator
• 6 ns-100 ns duration
• 400 V (single polarity)
• XYZ stages
• EM probe (analysis)
• STM32F103 Discovery board
• DSO
• 2.5 GHz
• 40 MS
• WB amplifier
• 1 GHz
Laser (1/2)
• Shoot a very precise location on the chip
• Down to 1 µm
• Many configurable parameters
• Position (X,Y)
• Wavelength, spot size
• Energy / peak power
• Pulse vs continuous
• …
• Search space grows exponentially
• Requires knowing where to shoot
• Or exhaustive tries over the whole chip surface
Laser (2/2)
• Very localized effect
• Very broad range of possible effects
• Bit(s) flipped/stuck in RAM, registers, logic, flash …
• => Harder to protect against
• But usually the attack is expensive
• Decapsulating chips, including thinning
• Complex synchronization HW
• Very often requires attacking from the backside
• Custom HW & boards
• A few months to set up HW, SW
• Targets critical assets
• Retrieve global secrets (global keys, sensitive FW IP…)
• “Break one, break all”
• First used to break smart cards, then set-top boxes; micros are next?
Our Bench: Laser Fault Injection
• Quicklaze-50 STII (ESI)
• Nd-YAG laser crystal
• 3 wavelengths: UV3 (355 nm), Green (532 nm), IR (1064 nm)
• Fixed pulse duration: 5 ns
• Mitutoyo lens: IR: x50; Green: x20; UV: x50
• Min spot size: 1 µm x 1 µm
• XY stage: min step = 0.1 µm
Few Exploitation Examples
• Retrieving cryptographic keys
• Electromagnetic pulse on the AES round number [Dehbaoui et al., COSADE 2013]
• Usually attacks on crypto require access to only a few faulted results
• Bypassing secure boot
• Laser shot on an Android phone TrustZone NS bit [Alphanov, FDTC 2017]
• Taking over a device
• Voltage glitch to control the Program Counter on STM32 [Riscure, FDTC 2016]
• Privilege escalation
• Voltage glitch to get root on Linux [Riscure, FDTC 2017]
• Voltage glitch: “ChipWhisperer” practice platform for students
• Based on STM32, can also be used to attack STM32s with the provided boards
Fault Attack against AES
Differential Fault Analysis
• The device under attack executes a cryptographic operation
• It involves a secret key (the target of the attack)
• The comparison between correct data and faulted data may allow deriving information about the secret key
• The attacker needs the output of:
• A normal operation involving an input and the secret key
• A faulted operation with the same input and the same secret key
Giraud’s Attack
• Goal: recover the last round key
• Use the last round key to recover the cipher key of AES-128
• Fault model: random single-bit corruption at the beginning of the last
round
• Before SubBytes
(Figures, slides 94-99, Giraud’s Attack: the last round shown on the 4x4 byte state, byte indices 0..15 laid out column by column: state A → SB (SubBytes) → B → SR (ShiftRows) → C → ARK (AddRoundKey with the last round key K_Nr) → D (ciphertext). A single-bit fault ε injected in one byte of A before SubBytes becomes a byte difference ε′ after SubBytes; ShiftRows moves ε′ to another position and AddRoundKey leaves it unchanged, so ε′ appears in one byte of the ciphertext D.)
Giraud’s Attack
• Pre-compute the table:
  For each val = (0x00 : 0xFF) of the byte
    For each fault ε = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80)
      Compute Δ = SubBytes(val) ⊕ SubBytes(val ⊕ ε)
• For each fault, looking for the val where ε′ = Δ provides 8 entries on average
• 3 faults on one byte allow identifying the correct val of the state
• Key = ciphertext ⊕ SubBytes(val)
• The sequence must be repeated for each byte
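The two key-recovery procedures of this deck, the first-round CPA with the HW guess table (slides 67-70) and Giraud’s single-bit DFA on the last round (slides 93-100), as one added simulation that is not part of the slides. The key bytes, plaintexts, noise level, leak position and fault bits are all constructed, and the AES S-box is generated from its definition rather than typed in.

```python
"""Added simulation, not from the slides: CPA on the first-round S-box (slides 67-70) and
Giraud's single-bit DFA on the last round (slides 93-100). Key bytes, plaintexts, noise
and fault positions are constructed; standard library only."""
import random

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r & 0xFF

def _build_sbox():
    """AES S-box from its definition: multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for _ in range(4):  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight of every byte value

def pearson(xs, ys):
    """Correlation coefficient of one guess column with one time sample (slide 69)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def simulate_traces(key_byte, n_traces=200, n_samples=10, leak_sample=7, noise=1.0, seed=1):
    """Constructed traces: Gaussian noise at every sample, plus HW(Sbox(P[0] ^ Key[0])) at
    the sample where the sensitive variable is computed. Returns (plaintext bytes, traces)."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    traces = []
    for p in plaintexts:
        row = [rng.gauss(0, noise) for _ in range(n_samples)]
        row[leak_sample] += HW[SBOX[p ^ key_byte]]
        traces.append(row)
    return plaintexts, traces

def cpa_key_byte(plaintexts, traces):
    """Slides 68-70: guess table HW(Sbox(P[0] ^ j)) for all 256 j, correlated with every
    time sample. Returns (best key guess, its peak |correlation|, sample of the peak)."""
    columns = list(zip(*traces))  # one tuple of trace values per time sample
    best = (None, 0.0, None)
    for j in range(256):
        guess = [HW[SBOX[p ^ j]] for p in plaintexts]
        for t, column in enumerate(columns):
            c = abs(pearson(guess, column))
            if c > best[1]:
                best = (j, c, t)
    return best

def giraud_table():
    """Slide 100: Delta = SubBytes(val) ^ SubBytes(val ^ eps) for every val and every
    single-bit eps; maps (eps, Delta) to the set of val producing it."""
    table = {}
    for val in range(256):
        for i in range(8):
            table.setdefault((1 << i, SBOX[val] ^ SBOX[val ^ (1 << i)]), set()).add(val)
    return table

def last_round_byte(val, key_byte, fault=0):
    """Constructed model of one state byte through the last round: SubBytes then AddRoundKey
    with K_Nr (ShiftRows only relocates the byte); the fault hits the byte before SubBytes."""
    return SBOX[val ^ fault] ^ key_byte

def giraud_recover_byte(val, key_byte, table, seed=3, max_faults=32):
    """Slides 95-100: eps' = correct ^ faulted ciphertext byte; every val giving eps' under
    some single-bit eps is a candidate (about 8 per fault) and the intersection over faults
    pins val down, then Key = ciphertext ^ SubBytes(val). Returns (key byte, faults used)."""
    rng = random.Random(seed)
    correct = last_round_byte(val, key_byte)
    candidates = set(range(256))
    for n in range(1, max_faults + 1):
        eps = 1 << rng.randrange(8)  # the device suffers a random single-bit fault
        eps_prime = correct ^ last_round_byte(val, key_byte, eps)
        # the attacker does not know which bit flipped, so all eight eps values are tried
        possible = set().union(*(table.get((1 << i, eps_prime), set()) for i in range(8)))
        candidates &= possible
        if len(candidates) == 1:
            (v,) = candidates
            return correct ^ SBOX[v], n
    return None, max_faults

if __name__ == "__main__":
    key = 0x2B  # constructed key byte
    print("CPA (guess, |corr|, sample):", cpa_key_byte(*simulate_traces(key)))
    print("DFA (key byte, faults used):", giraud_recover_byte(0xA5, key, giraud_table()))
```

For a defender the numbers are the point: with these constructed parameters one key byte falls to CPA with a couple of hundred traces, and the DFA candidate set reaches a single value after about three faults, which is the margin that masking, redundancy and fault detection have to take away.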
Other Faults: on the Control Flow
• Skip some operations
• Reduce the number of rounds
• Apply cryptanalysis techniques to a reduced version of the algorithm
Countermeasures
Physical Level
• Shielding: prevent physical access to the device
• Including electromagnetic fields and radiation
• Sensors: to detect environmental conditions (temperature, voltage) out of range
• Filters: stabilized power supply, stabilized clock
• De-synchronization: random delays to lower the temporal precision of the fault
Algorithmic Level
• Redundancy: the operation is executed twice and the results are
compared
• Sequence of Encryption + Decryption, checking that the final result
is equal to the input
• Error Detection/Correction Codes
Protocol Level
• Message randomization: the input is XORed with a random value
• The attacker has no control over the input
• Fresh re-keying: a new fresh key is used for each operation