ROUND MODIFICATION ANALYSIS ON AES USING ELECTROMAGNETIC GLITCH - PowerPoint PPT Presentation


SLIDE 1

ROUND MODIFICATION ANALYSIS ON AES USING ELECTROMAGNETIC GLITCH

COSADE 2013

Paris, France

Amine DEHBAOUI ¹, Amir-Pasha MIRBAHA ², Nicolas MORO¹, Jean-Max DUTERTRE ², Assia TRIA ¹

SLIDE 2

OUTLINE

  • Context
  • Round Modification Analysis on AES
  • Proposed Round Modification Analysis on AES
  • Electromagnetic Glitch Injection Technique
  • Concrete Results with EMG
  • Conclusion

19 March 2013 | PAGE 2

SLIDE 3

CONTEXT : FAULT INJECTION

[Figure: a plaintext, its correct ciphertext and a faulty ciphertext, shown as bit strings]

Disturb the encryption/decryption process through unusual environmental conditions in order to :

  • reduce the encryption complexity (e.g. round reduction analysis),
  • retrieve information on the encryption process (i.e. information leakage),
  • differential fault analysis = comparison between correct and faulty ciphertexts,
  • safe errors, HW/SW reverse engineering, …

Fault injection means : power supply glitch, clock glitch, EM glitch, laser shot …

SLIDE 4

Round Modification Analysis on AES

19 March 2013 | PAGE 4 | CEA | 10 April 2012

SLIDE 5

ADVANCED ENCRYPTION STANDARD 128 BITS REMINDER

[Figure: AES-128 data path. Plaintext M and cipher key K enter the initial round; rounds 1..9 each use a round key Ki; the final round uses round key K10 and outputs ciphertext C.]

SLIDE 6

STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS

Round Modification Analysis

  • Round Reduction Analysis : decrease the number of executed rounds
  • Round Addition Analysis : increase the number of executed rounds
  • Round Alteration Analysis : modification of the round order

[Figure: AES-128 data path. Plaintext M and cipher key K enter the initial round; rounds 1..9 each use a round key Ki; the final round uses round key K10 and outputs ciphertext C.]

SLIDE 7

STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS

Round Modification Analysis

  • Round Reduction Analysis : H. Choukri et al. [2005], J.H. Park et al. [2011], K.S. Bae et al. [2011]
  • Round Addition Analysis : J.M. Dutertre et al. #3 [2012]
  • Round Alteration Analysis : J.M. Dutertre et al. #2 [2012]

[Figure: AES-128 data path (M, K, initial round, rounds 1..9 with round key Ki, final round with round key K10, output C), annotated with the round loop: each iteration ends with COMP ( RC , RCMAX ).]

SLIDE 8

STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS

Attack | Target | Mean | Type | Encryption sequence | Req. texts | Key search average time
H. Choukri et al. [FDTC’05] | PIC16F877 8-bit | Power Glitch | Round Reduction | R0-Rm | 2 | ≈ 1 second
J.H. Park et al. [ETRI’11] | ATmega128 8-bit | Laser | Round Reduction | R0-R1-R10 | 10 | ≈ 10 hours
K.S. Bae et al. [ICCIT’11] | ATmega128 8-bit | Laser | Round Reduction | R0..R8-R10 | 2 | ≈ 1 second
J.M. Dutertre et al. #2 [HOST’12] | Unknown mcu 0.35µm 8-bit | Laser | Round Alteration | R0..R8-Rm-Rf | 3 | ≈ 1 second
J.M. Dutertre et al. #3 [HOST’12] | Unknown mcu 0.35µm 8-bit | Laser | Round Addition | R0..R9-Rm=10-Rf=11’ | 3 | ≈ 1 hour & 30 minutes

SLIDE 9

Proposed Round Modification Analysis on AES

SLIDE 10

PROPOSED ROUND MODIFICATIONS ANALYSIS

Fault model : instruction alteration

[Figure: correct execution. Round 9 (ARK with K9) outputs M9; the round counter goes from CR=9 to CR=10 (CR++); round 10 applies SB, SR and ARK with K10 to give C; round keys come from the key schedule (KS).]

C (correct ciphertext) = SR o SB(M9) ⊕ K10
C (correct ciphertext) = FR(M9) ⊕ K10

SLIDE 11

PROPOSED ROUND MODIFICATIONS ANALYSIS

Fault model : instruction alteration

[Figure: faulted execution. Round 9 (ARK with K9) outputs M9; the round counter sequence (RC=9, CR++, RC=10) appears twice; a round m=9’ (SB, SR, MC, ARK with K’9) outputs M9’ and a round f=10’ (SB, SR, ARK with K’10) outputs D; the correct round 10 (SB, SR, ARK with K10) outputs C; round keys come from the key schedule (KS). Intermediate labels: MCoSRoSB(M9), SB(M9’), SRoSB(M9’).]

D (faulty ciphertext) = SR o SB [MC o SR o SB(M9) ⊕ K’9] ⊕ K’10
D (faulty ciphertext) = FR [MR(M9) ⊕ K’9] ⊕ K’10
C (correct ciphertext) = SR o SB(M9) ⊕ K10
C (correct ciphertext) = FR(M9) ⊕ K10

SLIDE 12

PROPOSED ROUND MODIFICATIONS ANALYSIS

D (faulty ciphertext) = FR [MR(M9) ⊕ K’9] ⊕ K’10
C (correct ciphertext) = FR(M9) ⊕ K10

2 plaintexts Ma, Mb :

FR^-1(Da ⊕ K’10) ⊕ FR^-1(Db ⊕ K’10) = MC(Ca ⊕ Cb)

  • 1 plaintext 2 hypotheses on each K’10 byte (2^16 for a 128-bit AES key)
  • Calculation time : < 1 second
  • Alternative solution : 3 plaintexts, instead of 2; thus, 1 hypothesis for each K’10 byte
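
Added example, not part of the original slides: a numerical check that the two-plaintext relation on slide 12 follows from the slide's expressions for C and D, because K10 and K’9 cancel and MC is linear. SB, SR and MC are built as defined in FIPS-197; the M9 states and round keys are random constructed values, and all function names are assumptions of this example.

```python
import random

def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def make_sbox():  # AES S-box: field inverse, then the affine map
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        rot = lambda k: ((inv << k) | (inv >> (8 - k))) & 0xFF
        box.append(inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63)
    return box

SBOX = make_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

# States are 16-byte lists in column-major order: index = row + 4*column.
def xor(a, b): return [x ^ y for x, y in zip(a, b)]
def sr(s): return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def inv_sr(s): return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]
def mc(s):
    return [gmul(s[4*c + r], 2) ^ gmul(s[4*c + (r+1) % 4], 3)
            ^ s[4*c + (r+2) % 4] ^ s[4*c + (r+3) % 4]
            for c in range(4) for r in range(4)]
def fr(s): return sr([SBOX[b] for b in s])               # FR = SR o SB
def fr_inv(s): return [INV_SBOX[b] for b in inv_sr(s)]   # FR^-1 = SB^-1 o SR^-1
def correct_ct(m9, k10): return xor(fr(m9), k10)         # C = FR(M9) xor K10
def faulty_ct(m9, k9p, k10p):                            # D = FR[MR(M9) xor K'9] xor K'10
    return xor(fr(xor(mc(fr(m9)), k9p)), k10p)

def relation_holds(ca, cb, da, db, k10p):
    lhs = xor(fr_inv(xor(da, k10p)), fr_inv(xor(db, k10p)))
    return lhs == mc(xor(ca, cb))

def run_trials(n=20, seed=2013):
    # Constructed data: random M9 states and round keys, not device traces.
    rng, ok = random.Random(seed), 0
    rnd = lambda: [rng.randrange(256) for _ in range(16)]
    for _ in range(n):
        k10, k9p, k10p, m9a, m9b = (rnd() for _ in range(5))
        ok += relation_holds(correct_ct(m9a, k10), correct_ct(m9b, k10),
                             faulty_ct(m9a, k9p, k10p), faulty_ct(m9b, k9p, k10p), k10p)
    return ok
```

`run_trials()` returns the number of random trials in which both sides of the relation agree; it equals `n` for any choice of K10 and K’9.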

SLIDE 13

Electromagnetic Glitch injection Technique

SLIDE 14
PRACTICAL ELECTROMAGNETIC GLITCH SETUP

  • Control computer
  • The target device
  • Motorized stage
  • Pulse generator
  • Coil antenna

  • Pulse width : 10 ns
  • Rise and fall transition time : 2 ns
  • Pulse amplitude : -200V / +200V

The computer controls both the pulse generator (through an RS-232 link) and the target board (through a USB link).

SLIDE 15

PRACTICAL ELECTROMAGNETIC GLITCH SETUP

Target Description

  • Up-to-date 32-bit microcontroller
  • Designed in a CMOS 130nm technology
  • Based on the ARM Cortex-M3 processor
  • Operating frequency is set to 24MHz
  • Can detect several types of hardware faults
  • When a specific type of hardware fault is detected, the processor raises its associated interrupt.

SLIDE 16

Concrete Results with EMG

SLIDE 17

EMG PROFILE OF THE TARGET

  • 180V injected EMG during 20ns
  • negative spike of less than 50ns width and 300mV amplitude.

Logical effect : instruction alteration

EM channel : main strengths

  • Does not require depackaging the target.
  • Does target the upper metal layer (Power/Ground or Clock networks).

SLIDE 18

EXPERIMENTAL OUTLINE

SLIDE 19

TIMING CARTOGRAPHY OF EMG EFFECT

SLIDE 20

Conclusion

SLIDE 21

Conclusion

  • Round Modification Analysis by targeting the round counter
  • Fault induced at the end of the penultimate round
  • Execution of a second penultimate round
  • EMG fault model : instruction alteration
  • High occurrence rate / without triggering hardware interrupts

SLIDE 22

Attack | Target | Mean | Type | Encryption sequence | Req. texts | Key search average time
H. Choukri et al. [FDTC’05] | PIC16F877 8-bit | Power Glitch | Round Reduction | R0-Rm | 2 | ≈ 1 second
J.H. Park et al. [ETRI’11] | ATmega128 8-bit | Laser | Round Reduction | R0-R1-R10 | 10 | ≈ 10 hours
K.S. Bae et al. [ICCIT’11] | ATmega128 8-bit | Laser | Round Reduction | R0..R8-R10 | 2 | ≈ 1 second
J.M. Dutertre et al. #2 [HOST’12] | Unknown mcu 0.35µm 8-bit | Laser | Round Alteration | R0..R8-Rm-Rf | 3 | ≈ 1 second
J.M. Dutertre et al. #3 [HOST’12] | Unknown mcu 0.35µm 8-bit | Laser | Round Addition | R0..R9-Rm=10-Rf=11’ | 3 | ≈ 1 hour & 30 minutes
Our experiment [COSADE’13] | ARM Cortex-M3 based 130nm 32-bit | EM Glitch | Round Addition | R0..R9-Rm=9’-Rf=10’ | 2 | ≈ 1 second

SLIDE 23

Appendix : RMA Exceptional Case

SLIDE 24

RMA – An Exceptional Case

An exceptional case may happen when a byte value in Da is equal to the corresponding byte on the second encryption; i.e. Da [byte i] = Db [byte i]

[Figure: faulted execution with the EMG marked on the round counter sequence (CR=9, CR++, CR=10). Round 9 (ARK with K9) outputs M9; a round m=9’ (SB, SR, MC, ARK with K’9) outputs M9’ and a round f=10’ (SB, SR, ARK with K’10) outputs D; the correct round 10 (SB, SR, ARK with K10) outputs C; round keys come from the key schedule (KS). Intermediate labels: MCoSRoSB(M9), SB(M9’), SRoSB(M9’).]

D (faulty ciphertext) = SRoSB[MCoSRoSB(M9) ⊕ K’9] ⊕ K’10
C (correct ciphertext) = SRoSB(M9) ⊕ K10

SLIDE 25

RMA – An Exceptional Case

An exceptional case may happen when a byte value in Da is equal to the corresponding byte on the second encryption; i.e. Da [byte i] = Db [byte i]

[Figure: example hexadecimal state matrices for round f=10’: SRoSB(M9’), then ARK with K’10, giving D]

SLIDE 26

RMA – An Exceptional Case

[Figure: example hexadecimal state matrices, labelled "Round 9…"]

SB^-1 o SR^-1(Da ⊕ K’10) ⊕ SB^-1 o SR^-1(Db ⊕ K’10) = MC(Ca ⊕ Cb)

  • 2^8 hypotheses on K’10 [7] (byte [7] of K’10) and 2 hypotheses on each other K’10 byte
  • 2^8 x 2^15 = 2^23 hypotheses on the whole K’10, to be examined by using Ca and Da, and by calculating K’9 and K10
  • calculation time : still less than 1 second

SLIDE 27

RMA – An Exceptional Case

Probability of this exceptional case $= 1 - \left(\frac{255}{256}\right)^{16} \approx 6.070\,\%$

  • With 1, 2 or even 3 equal byte values on Da and Db, the cryptanalysis has an answer in a short calculation time
  • In any case, there is a faster solution : using 3 plaintexts, instead of 2

SLIDE 28

Any questions ?

Direction de la Recherche Technologique
DSIS / LCS Systèmes et Architectures Sécurisés

Commissariat à l’énergie atomique et aux énergies alternatives
Centre de Microélectronique de Provence | 13541 Gardanne
T. +33 (0) 4.42.61.67.31 | F. +33 (0) 4.42.61.65.92

Etablissement public à caractère industriel et commercial | RCS Paris B 775 685 019

SLIDE 29

Appendix : Digital IC

SLIDE 30

Synchronous Digital IC Timing Constraints

[Figure: two D flip-flops (Dffi, Dffi+1) driven by clk, with combinational logic between them (n and m data lines); delay labels Dclk->Q and DpMax]

data required time $= T_{clk} + T_{skew} - T_{setup}$

data arrival time $= D_{clk \to Q} + D_{pMax}$

$T_{clk} > D_{clk \to Q} + D_{pMax} - T_{skew} + T_{setup}$

Violating this timing constraint results in fault injection.

Usually ICs are designed to tolerate : Vdrops < 0.1 x Vdd

F(Vdd)