Side-Channel & Fault Attacks Ruggero Susella System Research - - PowerPoint PPT Presentation

Side-Channel & Fault Attacks

Ruggero Susella System Research & Applications – Security Rodmap STMicroelectronics 2018/12/06

ST – Who are we ?

2

STMicroelectronics

3

Front-End Back-End Research & Development Main Sales & Marketing

As of December 31, 2017

• Approximately 45,500 employees worldwide
• Approximately 7,400 people working in R&D
• 11 manufacturing sites
• Over 80 sales & marketing offices
• A global semiconductor leader
• 2017 revenues of $8.35B with year-
• n-year growth of 19.7%
• Listed: NYSE, Euronext Paris and

Borsa Italiana, Milan

Smart Things Smart Home & City Smart Industry Smart Driving

Application Strategic Focus

4

The leading provider of products and solutions for Smart Driving and the Internet of Things

Product Family Focus

5

The leading provider of products and solutions for Smart Driving and the Internet of Things Portfolio delivering complementarity for target end markets, and synergies in R&D and manufacturing

Dedicated Automotive ICs Analog, Industrial & Power Conversion ICs General Purpose & Secure MCUs EEPROM MEMS & Specialized Imaging Sensors Discrete & Power Transistors Digital ASICs

An Unwavering Commitment to R&D

6

Advanced research and development centers around the globe ~ 17,000 patents; ~9,500 patent families; ~ 500 new filings (in 2017) ~ 7,400 people working in R&D and product design

As of December 31, 2017

IoT connected devices

7

Very-high and sustained growth potential

10 20 30 40 50 60 70 80

Number of IoT connected devices worldwide 2015- 2025 (in billions)

Secure Solutions

A broad range of secure solutions for different applications

8

Secure storage: Encryption Key generation and management Credential / Device life Cycle management Platform integrity Assurance Roots of trust Secure updates: Software & firmware Secure communications Authentication

Security should comply to a challenging mix requirements to match the targeted applications

Security Challenges and Opportunities

9

Ultra low power devices Compact electronics Always connected solutions Cost effective platform Limited memory Physical access

Efficient solutions

10

Cryptography might be expensive for resource-constrained devices

• Compact hardware implementations
• Embedded software implementations with

low RAM and ROM usage

• Negligible impact on overall performance
• Low power/energy consumption

Challenging requirements

End-to-end protection

11

• Released on Aug.15th
• Lighter: from 300 to 5 cipher suites

available

• Faster: optimized protocol with

halved round-trip time during the key generation

• More secure: obsolete algorithms

removed, most recent added (e.g. Ed25519, RSA PSS) TLS 1.3

• Real time analytics
• Managed APIs
• Internet scale awareness

Cloud Things Without end-to-end security, someone might gain access to your IoT commands, notifications and other data

Side Channel Attacks and Fault Countermeasures

12

• Possible to retrieve the secrets by

analysing side channels

• Can be mitigate by system level

countermeasures

• Making secrets not appealing
• A secret per chip
• Frequent re-keying
• Not always possible
• Requires ad-hoc countermeasures
• Which comes with associated costs

Side Channel Attacks Most devices are under control of the users, side channel becomes feasible!

System Research & Applications – Shared Innovation Security Roadmap

13

Italy (Agrate Brianza) France (Rousset)

Strong synergy with University

• Student internships/thesis
• PhD sponsorship
• Research contracts

Security Roadmap

“Backbone” Security R&D Deliveries to ST divisions System Security  Anticipation  System Expertise System Architectures Proposals Expertise Support HW & SW Security IPs Platform Security  Functionality & Performance  Security Robustness

14

Expectations

• After the training you should be able to understand the basics of:
• Side Channel & Fault Attacks
• With applications to AES

15

Agenda

• Side Channel Attacks
• Introduction
• Symmetric Key Cryptography:
• Introduction
• AES
• Side Channel Attacks on AES
• Fault Attacks
• Fault Attacks on AES

16

Side Channel Attacks

Attacking Crypto Algorithms

Cryptanalysis is the art and science of analyzing information systems in order to study the hidden aspects of the systems

• Mathematical analysis of cryptographic algorithms
• Side Channel Attacks

18

What is a “Side Channel”?

Based on information gained from the physical implementation of a cryptosystem

• No theoretical weaknesses in the algorithm
• No brute force

19

Example

20

21

Example 2

A little bit of history [1]

The first official information related to SCA attack dates back to the year 1965.

• P. Wright (a scientist with GCHQ at that time) reported in [2] that MI5, the British

intelligence agency, was trying to break a cipher used by the Egyptian Embassy in London, but their efforts were stymied by the limits of their computational power. Wright suggested placing a microphone near the rotor-cipher machine used by the Egyptian to spy the click-sound the machine produced. By listening to the clicks of the rotors as cipher clerks reset them each morning, MI5 successfully deduced the core position of 2 or 3 of the machine’s rotors. This additional information reduced the computation effort needed to break the cipher, and MI5 could spy on the embassy’s communication for years. On the other hand, the original seminal works, as well as many subsequent pioneering ideas, on SCA attacks in public cryptography research community are all due to Paul Kocher, and start appearing from 1996 on.

[1] YongBin Zhou, DengGuo Feng. Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing. IACR Eprint archive, 2005. [2] P. Wright. Spy Catcher: The Candid Autobiography of a Senior Intelligence Officer. Viking Press, 1987. 22

Why “Side Channel”?

• More effective against modern cryptosystems
• In some applications the attacker does actually have

physical access to the device

• Electronic passports, identity cards, driver licenses…
• IoT devices
• Point Of Sale
• Access Control/Badges
• Pay TV

23

Use Case: Pay TV

• The key that protects the content is stored within the

smartcard

• The smartcard is provided to the end user
• No more in the hands of the owner of the contents
• Extracting one key from a single smartcard allows to

program several new smartcards with the same key → clones

• One broken smartcard means broken system

24

How to do a “Side Channel”?

• The attacker must have physical access to the device

under attack (not always… we will see later)

• The attacker knows the algorithm under attack
• The only secret is the key
• 1st stage → Measurements
• 2nd stage → Analysis of the measurements
• Statistical analysis
• Application of cryptanalysis

25

Power Analysis

• Instantaneous power consumption of a device depends
• n the data it processes and on the operation it performs

26

Timing Attacks

• Cryptosystems often take slightly different amounts of

time to process different inputs

• Timing attacks can be launched

against a workstation running a protocol such as SSL with RSA over a local network

27

Electromagnetic Analysis

• The flow of current through a CMOS device induces

electromagnetic emanations and causes electromagnetic leakage

28

Power Analysis

Basic Idea

• There must be some relationship between the device’s power

consumption and what it’s doing

• Try to exploit it to get the secret key
• Introduced by P. Kocher, J. Jaffe, and B. Jun in 1999

30

Simple Power Analysis

• Observation on a single power trace during the computation of the

crypto algorithm

• Try to distinguish between different operations related to the value of

the secret key (patterns)

• Example: RSA algorithms scans the private key bit by bit
• Performs a Square if bit is 0, otherwise performs a Square and a Multiplication
• If the attacker can distinguish operations, she will get the key

31

RSA square RSA multiplication

Limit of Simple Power Analysis

• Requires to analyze a single power trace with very high accuracy
• Usually noise is high and it is not possible to perform this kind of

analysis

• Noise is due to several factors but mainly due to other activity linked to power

consumption and measurement

32

Differential Power Analysis

• Requires a large amount of power traces
• Each trace corresponds to a single execution
• Each execution is done with a different input/plaintext value
• But same key
• Therefore we obtain different power traces corresponding to

execution with different input/plaintext values but same key

• Plaintext and/or ciphertext should be known by the attacker
• A common assumption which is also true in most real applications
• No detailed knowledge of the cryptographic device is required
• Can work even with noisy power traces
• More power traces means less noise

33

Consumption Model

• Instantaneous power consumption in digital CMOS devices:
• P(t) = Pconst (t) + Pinstr (t) + Pdata(t) + Pnoise (t)
• Pconst (t) is unimportant for DPA
• Pinstr (t) is fixed by the particular instruction executed
• Pdata(t) is due to the currently processed data
• Pnoise (t) has to be minimized
• DPA exploits the difference of P(t) due to the Pdata(t)
• The basic idea is to associate the device power consumption with the

values processed

34

Hamming Weight Model

• Try to estimate Pdata(t)
• Based on the fact that a bit set to 1 consumes more than a bit set to 0
• Very simple model
• Yet still in use today
• Sometimes the Hamming Distance Model is preferable
• It measure the transitions of a signal or register
• Transitions are bit changing their values

35

Sensitive Variable

• A DPA attack works if a relation exists between the power

consumption and a target “sensitive variable”

• A sensitive variable is a value:
• Actually computed during the execution
• Made by a combination of:
• A portion of the key (i.e. 1 bit, 1 byte)
• A value known to the attacker and that changes every execution (i.e. the input)

36

DPA: (1/3)

• Collect the side channel of the execution of the algorithm providing

different inputs

• Input0  Trace0 = =
• Input1  Trace1 = =
• Inputn  Tracen = =
• Identify a sensitive variable in the algorithm
• E.g. SV = Input[0] XOR Key[0]
• Our target will be Key[0]
• For all Input0…n, and for all possible m values of Key[0] compute
• HW(Inputi[0] XOR j). Create a table of guesses:

37 HW(Input0[0] XOR 0) HW(Input0[0] XOR 1) HW(Input0[0] XOR …) HW(Input0[0] XOR m) HW(Input1[0] XOR 0) HW(Input1[0] XOR 1) HW(Input1[0] XOR …) HW(Input1[0] XOR m) HW(Input…[0] XOR 0) HW(Input…[0] XOR 1) HW(Input…[0] XOR …) HW(Input…[0] XOR m) HW(Inputn[0] XOR 0) HW(Inputn[0] XOR 1) HW(Inputn[0] XOR …) HW(Inputn[0] XOR m)

Key Guess Input

DPA: Basic Idea (2/3)

• Create a matrix with the traces
• For each column (time sample) compute the correlation coefficient

with every column in the guess table

38 Time/Samples per trace n Time/Samples per trace Key Guess

Corr

DPA: Basic Idea (3/3)

• Result is a matrix of correlation traces (1 per each key guess)
• In (m-1) correlation traces we correlated side channel traces with

intermediate variables which are never computed

• Because the key is wrong
• So it’s like correlating with a random vector
• Expected correlation is close to zero
• But in 1 correlation traces we correlated side channel traces with

intermediate variables that are actually computed

• At some point in time, when our sensitive variable is computed, we expect a peak

towards 1

39 Time/Samples per trace Key Guess

Workbench for Power Analysis

SPEAr board

41

New Resistance R in series to SoC Power Supply GPIO used for trigger

42

• Agilent Infiniium
• Features:
• max 40 Gsa/s
• max 2M samples
• 4 channels
• Differential probe
• Voltage difference

measurement on a resistor

• Simple probe
• Trigger detection

Oscilloscope

42

PC Linux

• Commands the board
• Cross-compiles for ARM

Oscilloscope

• Waits for trigger
• Averages out the trace
• Saves the trace

SPEAr board

• Runs crypto algorithm
• Generates trigger

Workbench

43

Single Power Trace

44

Mean of 1000 Power Traces

45

Workbench for EM Analysis

• Digital scope : lecroy

wavepro 40 GS/s 6Ghz bandwidth

• XY stage (resolution up to

0.1µm)

• Wideband amplifier (Miteq

+Femto)

• EM probes (langer

+handmade)

46

Timing Attacks

What is a Timing Attack

• A side channel attack in which the attacker attempts to compromise

a cryptosystem by analyzing the time taken to execute cryptographic algorithms

• In some cases, exploitable from remote locations
• Effective if computational timings depends on secret
• Need to have encryption timings with high accuracy
• Noise and sensitivity must be lower than the timing difference we want to measure

48

Vulnerability comes from…

• Sometimes is a matter of algorithm
• Often, algorithms leaks information through timings difference because

computational steps depend on data values

• Choose a constant-time algorithm to avoid these attacks
• E.g. Modular exponentiation (we will see it later) can be done with Square&Multiply

algorithm (variable-time) or with Square&Multiply Always (constant-time)

• Otherwise, can be a matter of implementation
• Cache-Timing Attack takes advantage of data-dependent timing variations during

accesses into the cache (greater computational time for cache miss)

• It exploits implementations in which secret data is used as an array index (e.g. AES

Sbox)

• Almost every implementation can be made constant-time in order to avoid these

attacks

49

Timing attack chart example

50

Agenda

• Side Channel Attacks
• Introduction
• Symmetric Key Cryptography:
• Introduction
• AES
• Side Channel Attacks on AES
• Fault Attacks
• Fault Attacks on AES

51

Symmetric Key Algorithms

Data Encryption

• Scrambling of data with an algorithm and a secret key
• Decryption requires having the same secret key
• The encryption algorithm is not required to be secret
• In fact, Kerckhoffs’s principle states that:
• Security must fully rely only on the secrecy of the key
• Violating this principle is called: security by obscurity
• Knowledge of plaintext ciphertext pairs should be useless for the

attacker

• Some information leaks independently of encryption:
• Number of messages exchanged
• Length of messages

53

Symmetric Key Cryptography

54

Encryption Decryption Encryption key is also used for decryption It must be kept secret !

AES

AES Standardization

• The Advanced Encryption Standard (AES) is the result of a

competition about symmetric algorithm, which has been requested by NIST for replacing the DES.

• After a 4 year competition run by NIST, among 15 candidates, an

algorithm has been selected, named Rijndael, designed by two Belgian cryptographer Vincent Rijmen and Joan Daemen

56

AES Overview

• Substitution-permutation network block cipher
• Iterates several time a “round”
• A round is made by a series of round operations
• Decryption is done by doing, in reverse order, the inverted round operations
• 128 bit of state (viewed as 4 x 4 byte matrix)
• Key sizes of 128, 192, 256 bit
• With respectively 10, 12, 14 number of rounds
• Each round uses a different round key generated by a key schedule procedure
• Round keys are always 128 bit

57

AES Block Cipher

58

58

128 bits 128 bits 128 or 192 or 256 bits

AES Input Mapping

• Input is a block of 128 bits which gets mapped into a 4x4 byte matrix

00 04 12 08 01 05 13 09 02 06 14 10 03 07 15 11

Plaintext = 0x00010203040506070809101112131415

59

AES Algorithm

AddRoundKey SubBytes ShiftRows MixColumns AddRoundKey SubBytes ShiftRows AddRoundKey

Key Schedule

Round Last Round

PLAINTEXT CIPHERTEXT KEY

Key Schedule is a separate part of the AES algorithms which, given a key (128,192,256 bit) generates (10,12,14) 128 bit round keys. Each round key is used in a different round

AES SubBytes

• Byte by Byte Substitution (Permutation)
• Highly non-linear
• Most often implemented as look up table
• Invertible, by using another look up table

61

AES ShiftRows

• Simply rotate rows
• The inverted operation rotates rows in the opposite way
• Provides diffusion by mixing contributions of different columns

62

AES MixColumns

• Every output byte depends on all 4 input bytes
• Provides diffusion
• Linear and invertible transformation

63

AES AddRoundKey

64

AddRoundKey is a XOR between the 128 bit state and the 128 bit round key

Implementations

• SW
• Key Schedule computed in advance and all round keys stored in RAM
• Trade-Off between size and speed
• Only SubBytes LUT, no LUT for MixColumns (256B + 256B)
• LUT SubBytes + MixColumns (1024B + 1024B)
• LUT SubBytes + ShiftRows + MixColumns (4096B + 4096B)
• And dedicated CPU instructions
• Intel’s AES-NI
• ARM Neon Crypto Extension (ARMv8-A)
• HW
• Key Schedule computed on the fly in parallel to AES round
• AES round can have 8, 32 or 128 bit DataPath
• Requires 1 SubBytes , 4 SubBytes or 16 SubBytes
• Sbox can be a LUT or combinatorial (with different options)

65

Power Analysis on AES

66

DPA on AES (1/3)

• We need to identify our sensitive variable
• We need a value based on a part of the key and something we know
• What we know ?
• Only plaintexts and/or ciphertexts
• We can focus on first round Sbox
• Which is Sbox(Plaintext XOR Key)
• Sbox(P[0] XOR Key[0]) depends on the plaintext and a single byte of

the Key

• We only need 28 = 256 hypothesis

67

AddRoundKey SubBytes PLAINTEXT KEY

DPA on AES: (1/3)

• Collect the side channel of the execution of the algorithm providing

different Plaintexts P

• P0  Trace0 = =
• P1  Trace1 = =
• Pn  Tracen = =
• Identify a sensitive variable in the algorithm: P[0] xor Key[0]
• For all P0…n, and for all possible m values of Key[0] (=0..256) compute
• HW(Pi[0] XOR j). Create a table of guesses:

68 HW(P0[0] XOR 0) HW(P0[0] XOR 1) HW(P0[0] XOR …) HW(P0[0] XOR m) HW(P1[0] XOR 0) HW(P1[0] XOR 1) HW(P1[0] XOR …) HW(P1[0] XOR m) HW(P…[0] XOR 0) HW(P…[0] XOR 1) HW(P…[0] XOR …) HW(P…[0] XOR m) HW(Pn[0] XOR 0) HW(Pn[0] XOR 1) HW(Pn[0] XOR …) HW(Pn[0] XOR m)

Key Guess Input

DPA: Basic Idea (2/3)

• Create a matrix with the traces
• For each column (time sample) compute the correlation coefficient

with every column in the guess table

69 Time/Samples per trace n Time/Samples per trace Key Guess

Corr

DPA: Basic Idea (3/3)

• Result is a matrix of correlation traces (1 per each key guess)
• In (m-1) correlation traces we correlated side channel traces with

intermediate variables which are never computed

• Because the key is wrong
• So it’s like correlating with a random vector
• Expected correlation is close to zero
• But in 1 correlation traces we correlated side channel traces with

intermediate variables that are actually computed

• At some point in time, when our sensitive variable is computed, we expect a peak

towards 1

70 Time/Samples per trace Key Guess

First Round Attack (1/2)

71

First Round Attack (2/2)

72

Countermeasures

• Dual Rail Logic
• Introduces different implementation of logic gates
• Goal is to have a power consumption independent of the data
• Drawbacks: complex, ad-hoc EDA tools, size, glitches
• Execution Time Randomization
• Introduces random delays in the computation
• Goal is to mess with the trace synchronization required by DPA
• Drawbacks: random generation, slow, can be resynchronized
• Data Randomization (Masking)
• The input (plaintext) is randomly masked at each execution
• Goal is to have SV depending of unknown random
• Drawbacks: random generation, slow, second order attacks

73

Agenda

• Side Channel Attacks
• Introduction
• Symmetric Key Cryptography:
• Introduction
• AES
• Side Channel Attacks on AES
• Fault Attacks
• Fault Attacks on AES

74

Fault Attacks

50s 60s 70s 80s 90s 00s 10s 20s

Accidental Faults

• Electronic devices are subject to (usually) rare faults
• Caused by environment
• Unexpected temperature, ionizing particles, power grid glitches, electrostatic discharges…

76 Ground Nuclear Testing Anomalies in electronic monitoring equipment Aerospace Industry Problems in space electronics Super Computers Errors appear in large memories Critical systems Problems in cars, health, voting devices Smaller systems Half of embedded designs safety relevant Random bit flips in memory Random errors in logic as transistor size decreases

From Accidental to Intentional Faults

• Attacker idea : provoke & control fault to perturb

device at the right time

• And exploit the fault to break security !
• Bypass secure boot, secure firmware upgrade checks
• Change device state, get cryptographic algorithms keys, …
• Usually HW is trusted, SW does not expect it to fail
• Can bypass SW protections this way
• Often only way to attack bug-free SW
• Brief History
• Late 1990s : unlock pay TV smart cards
• 2000s : bypass game protection on console
• Late 2000s : protection mandatory for set-top-boxes
• Late 2010s : more on more public attacks on IoT devices
• Labs trained on smart cards looking for new targets

77

Is PIN OK? Continue Increment Counter Error yes no Skip check Bad result

Faults Exploitation

78

Source https://wp-systeme.lip6.fr/jaif/wp-content/uploads/sites/8/2018/05/KH-29-05-2018-JAIF.pdf

• Fault Model
• Registers, Logic, Flash, RAM…
• Single bit, few bits, word..
• Stuck at 0 or 1, flip, random
• Precise/loose/random control on

location & timing

• Transient, permanent, destructive
• Multiple faults
• Instruction skip, force jump…
• Target
• Stored Data
• Computations
• Crypto
• Program Flow

How to Inject Faults ?

• Non-invasive methods
• No physical damage to chip
• Modify working conditions
• Moderate knowledge/equipment
• Semi-invasive methods
• Chip de-capsulation
• Milling, etching, cleaning
• Affordable equipment
• Often requires building custom boards
• Invasive methods
• Establish electrical contact to chip
• Modification, destruction, …
• Expensive equipment, e.g semiconductor

diagnostics

79 source: https://www.cosic.esat.kuleuven.be/summer_school_sardinia_2015/slides/Balasch.pdf

Temperature Voltage Undersupply Clock glitch Voltage glitch Electromagnetic Pulses Laser (FIB)

Temperature & Particles

• Temperature
• Heating causes combinatorial logic to slow down
• Data not yet ready when sampled
• Maybe used to increase sensibility to other injections methods
• Particles “toy” example
• Smoke detector used to perturb Smart Cards
• Getting harder for particles to go through package
• Both are not precise at all, and never used in practice

80

Voltage Undersupply

• Low voltage causes combinatorial logic to slow down
• Data not yet ready when sampled !
• Not very precise in time & space (location)
• Can be used to get out of infinite loops for instance
• Used to unlock Pay TV Smart Cards in 1990s

81 source: https://www.cosic.esat.kuleuven.be/summer_school_sardinia_2015/slides/Balasch.pdf

Clock Glitch

• Requires simple signal generator
• Attack precise clock cycle of targeted instruction
• Like if instruction had less time to complete
• Data not ready when latched
• Affects everything synchronized by this clock
• But only works if CPU runs from external clock

82

Clock ins N-1 ins N ins N+1 ins N+2 ins N-2 CLOCK

Voltage Glitch

• Affects everything powered by perturbed VCC pin
• Attack target instruction when it is executed
• Combinatorial logic slowed down by low voltage
• Data not yet ready when sampled
• Must explore to find right glitch parameters
• Width, depth, time
• Board and chip capacitors may filter or degrade glitch
• Can be deployed through mod-chips to solder on board
• Usually most dangerous noninvasive fault injection method

83

VCC ins N-1 ins N ins N+1 ins N+2 ins N-2 VCC

Effects

• Wrong data is sampled
• Fault slows down combinatorial logic
• Or provokes early latch
• => Result sampled before it’s ready
• Critical path violation
• Global impact (whole chip)
• Time may be finely adjusted
• Perturb logic when it’s used

84

Electromagnetic Pulses

• Shot location on chip (not very precise)
• Internal clock & power line
• Random Number Generator
• Specific security IP
• Processor, memory, bus…
• Probably broader fault model
• Not fully understood yet
• Many configurable parameters
• Probe (coil area, core magnetic permeability)
• Position (X,Y,Z)
• Pulse amplitude and width

85

Our Bench: Electromagnetic Fault Injection

• Pulse generator
• 6 ns-100ns

duration

• 400 v(single

polarity)

• XYZ stages
• EM

probe(analysis)

• STM32F103

Discovery board

86

• DSO
• 2.5GHZ
• 40 MS
• WB amplifier
• 1GHz

Laser (1/2)

• Shoot very precise location on chip
• Down to 1 µm
• Many configurable parameters
• Position (X,Y)
• Wavelength, Spot size
• Energy / Peak power
• Pulse vs Continuous
• …
• Space search grows exponentially
• Require to know where to shoot
• Or exhaustive tries on all chip surface

87

Laser (2/2)

• Very localized effect
• Very broad range of possible effects
• Bit(s) flips/stuck in RAM, registers, logic, flash …
• => Harder to protect against
• But usually attack is expensive
• De-capsuling chips, including thinning
• Complex synchronization HW
• Very often requires attacking from backside
• Custom HW & boards
• Few months to setup HW, SW
• Target critical assets
• Retrieve global secrets (global keys, sensitive FW IP…)
• “Break one break all”
• First used to break smart cards, then set-top boxes, micros are next ?

88

Our Bench: Laser Fault Injection

• Quicklaze-50 STII (ESI)
• Nd-YAG laser crystal
• 3 wavelengths :
• UV3(355nm) Green(532nm)

IR(1064nm)

• fixed pulse duration : 5ns
• Mitutoyo lens:
• IR : x50; Green : X20; UV : x50
• Min spotsize : 1µm x 1µm
• XY stage : min step=0.1µm

89

Few Exploitation Examples

• Retrieving cryptographic keys
• Electromagnetic pulse on AES round number [Dehbaoui and al, COSADE 2013]
• Usually attacks on crypto require access to few faulted results
• Bypassing secure boot
• Laser shot on Android phone TrustZone NS bit [Alphanov, FDTC 2017]
• Taking over a device
• Voltage glitch to control Program Counter on STM32 [Riscure FDTC 2016]
• Privilege escalation
• Voltage glitch to get root on Linux [Riscure, FDTC 2017]
• Voltage glitch “Chip Whisperer” practice platform for students
• Based on STM32, can also be used to attack STM32s with provided boards

90

Fault Attack against AES

Differential Fault Analysis

• The device under attack executes a cryptographic operation
• It involves a secret key (target of the attack)
• The comparison between correct data and faulted data may allow to

derive information about the secret key

• The attacker needs the output of:
• Normal operation involving an input and the secret key
• Faulted operation with the same input and same secret key

92

Giraud’s Attack

• Goal: recover the last round key
• Use the last round key to recover the cipher key of AES-128
• Fault model: random single-bit corruption at the beginning of the last

round

• Before SubBytes

93

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

SB SR ARK

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

Giraud’s Attack

𝑩 𝑪 𝑫 𝑬 𝑳𝑶𝒔

94

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

SB SR ARK

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

𝜻

Giraud’s Attack

𝑩 𝑪 𝑫 𝑬 𝑳𝑶𝒔

95

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

SB SR ARK

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

𝜻 𝜻′

Giraud’s Attack

𝑩 𝑪 𝑫 𝑬 𝑳𝑶𝒔

96

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

SB SR ARK

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

𝜻 𝜻′ 𝜻′

Giraud’s Attack

𝑩 𝑪 𝑫 𝑬 𝑳𝑶𝒔

97

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

SB SR ARK

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

𝜻 𝜻′ 𝜻′ 𝜻′

Giraud’s Attack

𝑩 𝑪 𝑫 𝑬 𝑳𝑶𝒔

98

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

SB SR ARK

4 8 12 1 5 9 13 2 6 10 14 3 7 11 15 4 8 12 1 5 9 13 2 6 10 14 3 7 11 15

𝜻 𝜻′ 𝜻′ 𝜻′

Giraud’s Attack

𝑩 𝑪 𝑫 𝑬 𝑳𝑶𝒔

99

Giraud’s Attack

• Pre-compile the table

For each 𝒘𝒃𝒎 = (0𝑦00: 0𝑦𝐺𝐺) of the byte For each fault 𝜻 = (0𝑦01,0𝑦02,0𝑦04,0𝑦08,0𝑦10,0𝑦20,0𝑦40,0𝑦80) Compute 𝜠 = 𝑇𝑣𝑐𝐶𝑧𝑢𝑓𝑡(𝑤𝑏𝑚) ⊕ 𝑇𝑣𝑐𝐶𝑧𝑢𝑓𝑡(𝑤𝑏𝑚 ⊕ 𝜁)

• For each fault, looking for 𝒘𝒃𝒎 where 𝜻′ = 𝜠 provides 8 entries in

average

• 3 faults on one byte allows to identify the correct 𝒘𝒃𝒎 of the state
• 𝑳𝒇𝒛 = 𝑑𝑗𝑞ℎ𝑓𝑠𝑢𝑓𝑦𝑢 ⊕ 𝑇𝑣𝑐𝐶𝑧𝑢𝑓𝑡(𝑤𝑏𝑚)
• The sequence must be repeated for each byte

100

Other Faults: on the Control Flow

• Skip some operations
• Reduce the number of rounds
• Apply cryptanalysis techniques to a reduced version of the algorithm

101

Countermeasures

Physical Level

• Shielding: prevent physical access to the device
• Including electromagnetic fields and radiations
• Sensors: in order to detect environmental conditions (temperature,

voltage) out of range

• Filters: stabilized power supply, stabilized clock
• De-synchronization: random delays in order to lower temporal

precision of the fault

103

Algorithmic Level

• Redundancy: the operation is executed twice and the results are

compared

• Sequence of Encryption + Decryption, checking that the final result

is equal to the input

• Error Detection/Correction Codes

104

Protocol Level

• Message randomization: the input is XORed with a random value
• The attacker has no control on the input
• Fresh re-keying: a new fresh key is used for each operation

105

The END

106

Contacts:

• ruggero.susella@st.com
• valeria.riva@st.com (HR)

Thanks for the attention! Questions?

107