DTIS Review of Fault Injection Mechanisms and Consequences on Countermeasures Design. Bruno Robisson Jean-Baptiste Rigaud Assia Tria

Size: px

Start display at page:

Download "DTIS Review of Fault Injection Mechanisms and Consequences on Countermeasures Design. Bruno Robisson Jean-Baptiste Rigaud Assia Tria"

Edwin Gallagher
5 years ago
Views:

DTIS 2011 6 th International Conference on Design & Technology of

Mechanisms and Consequences on Countermeasures Design Jean-Max

Fournier Amir-Pasha Mirbaha Bruno Robisson Jean-Baptiste Rigaud

Équipe mixte CEA-LETI/ENSMSE Site Georges Charpak Centre

1 DTIS th International Conference on Design & Technology of Integrated Systems in Nanoscale Era Review of Fault Injection Mechanisms and Consequences on Countermeasures Design Jean-Max Dutertre Jacques J.A. Fournier Amir-Pasha Mirbaha Bruno Robisson Jean-Baptiste Rigaud Assia Tria David Naccache Ecole normale supérieure Département SAS Équipe mixte CEA-LETI/ENSMSE Site Georges Charpak Centre Microélectronique de Provence 880, route de Mimet Gardanne Département d Informatique Équipe de cryptographie 45, rue d Ulm Paris

2 Outline! Focus " Fault attacks on cryptosystems.! Outline " Introduction " Fault injection means Laser Timing constraints violation (clock, voltage, temperature) " Countermeasures " Security evaluation of hardware duplication " Conclusion 2 / 22

Introduction " Fault attacks on physical implementation of cryptosystems M K 0110010101100001 010110000110011 C 110101000101101 Faulty cipher text Disturb the ciphering process through unusual

3 Introduction " Fault attacks on physical implementation of cryptosystems M K C Faulty cipher text Disturb the ciphering process through unusual environmental conditions in order to : reduce the ciphering complexity (e.g. round reduction number) Differential Fault Attack = comparison between correct and faulty cipher texts retrieve information on the encryption process (i.e. information leakage) 3 / 22

4 Introduction " DFA s requirements (strong) Fine control on: location, timing (choice of the injection cycle), focalization (i.e. number of faulted bits). C. Giraud: DFA on AES, Lecture Notes in Computer Science, 2005, Springer Berlin / Heidelberg, Volume 3373 G. Piret, J.- J. Quisquater: A DifferenMal Fault ANack Technique Against SPN Structures, with ApplicaMon to the AES, CHES 2003, LNCS 2779, Springer- Verlag 4 / 22

! Laser as a fault injection means Fault

injection mechanism: photoelectric effect (hν >

5 ! Laser as a fault injection means Fault injection means Semi-invasive: chemical/mechanical opening while preserving functionality Rear side Front side Fault injection mechanism: photoelectric effect (hν > E bandgap ) reversed biased PN junction data dependent sensitive areas 5 / 22

6 Fault injection means " Photoelectric effect Laser Drain ( V DD ) current (ma) E Diffusion n + depletion region Substrate P (Gnd) Instant response Delayed response time (ns) Current transient beam energy pulse duramon voltage transient 6 / 22

7 Fault injection means " Voltage transient: propagates through combinational logic without memorization propagates through combinational logic with memorization Single Event Transient - SET memory flip (SRAM, register) Single Event Upset - SEU fault injection " Experimental results single-bit and single-byte fault injection control of the injection time (~ 10ns) focalization : 1µm M. Agoyan, J.- M. Dutertre, A.- P. Mirbaha, D. Naccache, A.- L. RiboNa, A. Tria: How to flip a bit?, 16th InternaMonal On- Line TesMng Symposium, / 22

8 Fault injection means! Timing constraints violation Non-invasive " Synchronous IC principle (reminder) propagation delay n-1 m-1 data Combinational D Q logic D Q Dff i Dff i+1 clk data are captured on the clock s rising edge time between two rising edges (i.e. clock period) depends on the propagation delay 8 / 22

9 Fault injection means n-1 m-1 data clk Combinational D Q logic D pmax D Q Dff i Dff i+1 D clk#q T clk + T skew - δ su Timing constraint: T clk > D clk!q + D pmax - T skew + δ su Violating this timing constraint results in fault injection 9 / 22

10 Fault injection means " Clock glitches over clocking A well known approach decreasing the clock period until faults appear by setup time violation T clk clk propagation delay + setup time T clk fault clk drawback : faults are injected at each clock cycle no timing control 10 / 22

11 Fault injection means local over clocking (or clock glitching) timing constraint violation by modifying one clock cycle T clk clk T clk - Δ clk fault injection cycle choice fault-nature fine tuning through Δ fine control (one-bit, two-bits faults) 11 / 22

12 Experimental results on an AES cryptosystem Fault injection means Test campaign pseudo-code : send random key K and plaintext T to the test chip Δ 0 first reported fault T clk - Δ = critical time (K, T) single bit fault > 90% M. Agoyan, J.- M. Dutertre, D. Naccache, B. Robisson, A. Tria: When Clocks Fail: On CriMcal Paths and Clock Faults, CARDIS / 22

13 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 No fault D 6 D 7 T clk = ps 13 / 22

14 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 No fault D 6 D 7 T clk -Δ 13 / 22

15 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 No fault D 6 D 7 T clk -Δ 13 / 22

16 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 No fault D 6 D 7 T clk -Δ 13 / 22

17 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 Single bit fault D 6 D 7 T clk -Δ 13 / 22

18 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 2 faulted bits D 6 D 7 T clk -Δ 13 / 22

19 Fault injection mechanism Step by step T clk decrease (δ t = 35 ps) Fault injection means Byte index ps T clk - Δ 200ps 9140ps No fault One-bit fault Two-bits fault Other fault Byte nb. 6 D 0 D 1 D 2 D 3 D 4 D 5 3 faulted bits D 6 D 7 T clk -Δ 13 / 22

20 Fault injection means " Voltage deprivation at nominal frequency V DD D pmax ( D clk!q, δ su, T skew ) T clk < D clk!q + D pmax - T skew + δ su D pmax + δ su + slack n inputs combinational logic D 0 D 1 D m-1 m outputs T clk 14 / 22

21 Fault injection means " Voltage deprivation at nominal frequency V DD D pmax ( D clk!q, δ su, T skew ) T clk < D clk!q + D pmax - T skew + δ su D pmax + δ su + slack n inputs D 0 combinational D 1 logic D m-1 m outputs T clk 14 / 22

22 Fault injection means " Voltage deprivation: experimental results critical time increases as V DD decreases picoseconds T clk 1 st fault (V DD = 1.07V) 15 / 22

23 Fault injection means " Temperature increase at nominal frequency 16 / 22

24 " Temperature increase: experimental results D pmax ( D clk!q, δ su, T skew ) Fault injection means T clk 1 st fault (210 C) 17 / 22

25 Countermeasures! Countermeasures against fault attacks " Cutting the access point " Environment monitoring " Fault detection/correction 18 / 22

26 Countermeasures " Cutting the access point Internal clock Power lines filtering Metallic shielding Glue logic 18 / 22

27 Countermeasures " Environment monitoring Internal clock Power lines filtering Metallic shielding Glue logic Voltage sensor Light sensor Temperature sensor Frequency sensor 18 / 22

28 Countermeasures " Fault detection/correction Internal clock Power lines filtering Metallic shielding Glue logic Hardware redundancy Duplication Triplication with vote ECC Parity bits Timing redundancy Voltage sensor Light sensor Temperature sensor Frequency sensor 18 / 22

29 Security evaluation of hardware duplication! Security evaluation of hardware duplication " Laser attacks against hardware duplication input AES RoundExe AES RoundExe comp. output AES output AES M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, A. Tria: A Side- Channel and Fault- ANack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011) 19 / 22

30 Security evaluation of hardware duplication! Security evaluation of hardware duplication " Laser attacks against hardware duplication input laser spot AES RoundExe AES RoundExe comp. faulty output AES faulty output AES faulty output AES alarm M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, A. Tria: A Side- Channel and Fault- ANack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011) 19 / 22

31 Security evaluation of hardware duplication! Security evaluation of hardware duplication " Laser attacks against hardware duplication input laser spot AES RoundExe AES RoundExe faulty output AES comp. alarm faulty output AES faulty output AES high fault nb. inconsistent with DFA s requirements M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, A. Tria: A Side- Channel and Fault- ANack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011) 19 / 22

32 Security evaluation of hardware duplication " Timing constraint violation attacks on hardware duplication Clock alteration fault location = critical paths input single bit fault AES RoundExe AES RoundExe comp. faulty output AES faulty output AES faulty output AES alarm M. Agoyan, S. Bouquet, M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, and A. Tria: Design of a duplicated fault detecmng aes chip and yet using clock set- up Mme violamons to extract 13 out of 16 bytes of the secret key, SMART SYSTEMS INTEGRATION to be published, / 22

33 Security evaluation of hardware duplication " Timing constraint violation attacks on hardware duplication Clock alteration fault location = critical paths input single bit fault Probability of CM dismiss: AES RoundExe AES RoundExe comp. faulty output AES = faulty output AES faulty output AES alarm Hardware duplication is broken: DFA s schemes apply M. Agoyan, S. Bouquet, M. Doulcier, J.- M. Dutertre, J. J.- A. Fournier, J.- B. Rigaud, B. Robisson, and A. Tria: Design of a duplicated fault detecmng aes chip and yet using clock set- up Mme violamons to extract 13 out of 16 bytes of the secret key, SMART SYSTEMS INTEGRATION to be published, / 22

34 Conclusion! Overview of faults attacks on cryptosystems " Strong requirements regarding the injected faults " Laser as a fault injection means " Fault injection through timing constraint violation! Overview of countermeasures against fault attacks! Security evaluation of hardware duplication broken by clock alteration! General conclusion: " Take care of properties of fault injection means " CM design is still research work dutertre@emse.fr 21 / 22

35 Experimental results on an AES cryptosystem (con t) critical time distribution (10,000 tries) Fault injection means 22 / 22

A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS

A DFA ON AES BASED ON THE ENTROPY OF ERROR DISTRIBUTIONS FDTC2012 Ronan Lashermes, Guillaume Reymond, Jean-Max Dutertre, Jacques Fournier, Bruno Robisson and Assia Tria 9 SEPTEMBER 2012 INTRODUCTION Introduction