Transcript Timing Attacks

Timing Attacks
7/21/2015
Bull CP8 Patents
What are Timing Attacks ?
• The term “Timing Attack” was first introduced at CRYPTO'96
in Paul Kocher's paper
• Few other theoretical approaches without practical
experiments up to the end of 97’
• Theory was put into practice in early 98’
• Timing attacks belong to the large family of "side channel"
attacks
2
Timing Attacks - © Gemplus S.A. All rights reserved
What are Timing Attacks ?
• Principle of Timing Attacks :
 Secret data are processed in the card
 Processing time
• depends on the value of the secret data
• leaks information about the secret data
• can be measured (or at least their differences)
• Practical attack conditions
 Possibility to monitor the processing of the secret data
 Have a way to record processing times
 Have basic computational & statistical tools
 Have some knowledge of the implementation
3
Timing Attacks - © Gemplus S.A. All rights reserved
What are Timing Attacks ?
Everything performed unconditionally before the test
Start
True
t1
Process 1
Decision

end
4
A test based on secret data is performed
that leads to a boolean decision
False
Process 2
t2
Depending on the boolean condition,
the process may be long (t1) or short (t2)
Everything performed unconditionally after the test
Timing Attacks - © Gemplus S.A. All rights reserved
Case Study
Attack on a PIN Code
Verification
5
Timing Attacks - © Gemplus S.A. All rights reserved
PIN Code Verification
• Secret data are stored in the smart card
 Example : a PIN code, 8 bytes long
• Like passwords on a PC, authentication is based on this
secret
 A dedicated function exists in the smart card software :
The ‘VerifySecret’ command which:
• Receives the challenge (proposed value for the PIN
code)
• Compares the challenge with the stored PIN
• Grants access rights if the comparison is successful
6
Timing Attacks - © Gemplus S.A. All rights reserved
PIN Code Verification
LEVEL 1
Pseudo-code for the "VerifySecret" command
 IN
• P = PIN code value stored in the card
• C = Challenge (proposed value for the PIN)
 OUT
• ‘KO’ or ‘OK’
 VERIFY SECRET
• For b = 0 to 7
 If C[b] != P[b]
• then return ‘KO’
• Return 'OK’
7
Timing Attacks - © Gemplus S.A. All rights reserved
PIN Code Verification
LEVEL 1
• Attack implementation
 Propose the n possible values of C[0] (256 values)
 Measure [n] the corresponding command duration
 Compute the maximum command duration [n0]
 [n0] = max([n]), n  {0, …, 255}
• n0 is the solution P[0] for the first byte of the PIN
code
 C[0] being known, iterate successively for all C[i]
• Complexity
 Number of comparisons: 8 * 256 = 2048 (instead of
2568)
8
Timing Attacks - © Gemplus S.A. All rights reserved
PIN Code Verification
LEVEL 2
Possible counter-measure
• To defeat this attack one may think of adding a random
delay during the execution:
 Generate a random delay a uniformly distributed
 a {0, , 2, 3, …, r} with 0  r  255
  is an elementary time unit
 Wait a time units whatever the command status 'KO' or
'OK'
 Follow the same implementation as the previous one
9
Timing Attacks - © Gemplus S.A. All rights reserved
PIN Code Verification
LEVEL 2
Start
True
t1
Decision
Process 2
Process 1
r*
Added
random delay
end
10
False
Timing Attacks - © Gemplus S.A. All rights reserved
t2
r : uniformly distributed
random variable
PIN Code Verification
LEVEL 2
• Attack idea
 It is possible to know what would be the duration for
processing a challenge as if there were no delay
Wrong candidates
if (C[0]=P[0]) ; return KO
t1 + …
Right candidate
 2 3 4
254 255
…
time
if (C[0]=P[0]) ; if (C[1]=P[1]) ; ...
t2 + …
11
… 0
… 0
Timing Attacks - © Gemplus S.A. All rights reserved
 2 3 4
…
254 255
time
PIN Code Verification
LEVEL 2
• Random delay elimination
 For each n (n is the candidate C[0] for the first PIN code byte)
• Acquire a series of N command execution durations i[n]
• The minimum duration corresponds to a a = 0 random delay
(with high probability, if N is chosen large enough)
 Consider the corresponding min [n] run time value
• Attack implementation
 Get rid of the random delay for each candidate (min [n])
 Apply the previous attack scheme
• Complexity
 Number of comparisons: 8*256*N
efficient than 2568)
12
Timing Attacks - © Gemplus S.A. All rights reserved
(still much more
PIN Code Verification
LEVEL n
• More complicated counter-measures may be thought of...
 Add a binomial (rather than uniform) random delay
…
• …but they also may be defeated by more clever attacks !!
13
Timing Attacks - © Gemplus S.A. All rights reserved
PIN Code Verification
CONCLUSION
• A typical example of insecure smart card software
 Can happen in any routine processing secret data
• Secret values comparison
• Memory scanning and loading
• Checksum computation
• Counter-measures evaluation
 Adding a delay is definitely not the good alternative
 Good counter-measure
• Check all bytes at all times
• decrease/increase ratification counter with backup
• Dynamic enciphered PIN
14
Timing Attacks - © Gemplus S.A. All rights reserved
Power Analysis
Attacks
7/21/2015
Bull CP8 Patents
Summary
• Introduction to Power Analysis
 Experimental equipment
 Information leakage through the power
• Example : reverse engineering of an algorithm
 The algorithm structure
 Electrical signatures
• Single Power Analysis (SPA)
 Attack against the DES key schedule
 Attack against RSA
• Conclusion
 Counter-measures
16
Timing Attacks - © Gemplus S.A. All rights reserved
Power Analysis
Basic Principles
• ICC's Power Consumption leaks information about data processing
 Power Consumption = f(processing, data)
• Deduce information about secret data and processing
 empirical methods
 statistical treatment
• Example : reverse engineering of an algorithm
 The algorithm structure
 Electrical signatures
• Single Power Analysis (SPA)
 Attack against the DES key schedule
 Attack against RSA
17
Timing Attacks - © Gemplus S.A. All rights reserved
Power Analysis Tools

5V
18
Timing Attacks - © Gemplus S.A. All rights reserved
Experimental equipment
Oscilloscope
file transfer
Arm scope
retrieve file
Scope trigger
on IO
Current w aveform
acquisition
Serv er
stores files
and runs T reatment
software
Main PC
runs Acquisition
software
R
GCR
Card extention
command emission
Card
reader
Protection box
Devices for monitoring the current consumption of a
chip
19
Timing Attacks - © Gemplus S.A. All rights reserved
Information leakage
• The power consumption of a chip depends on
 the manipulated data
 the executed instruction
• Leakage models
 Hamming Weight of the data, address, code Op
• HW(0) = 0
• HW(1) = HW(2) = HW(4) = HW(2n) = 1
• HW(3) = HW(5) = HW(6) = HW(9) = 2
•…
• HW(255) = HW(0xFF) = 8
 Transitions weight (flipping bits on a bus state) :
• HW (statei statei-1)
 Other models, chips & technologies …
20
Timing Attacks - © Gemplus S.A. All rights reserved
Information leakage
Load P1 and XOR with P2 = 0 (P1 P2 with P1 = 0, 1, 7, 255)
P1 = 0 = 0x00
Signatures
P1 = 1 = 0x01
P1 = 7 = 0x07
P1 = 255 = 0xFF
1
cycle
1
cycle
1
cycle
Load P1 into accumulator (3 cycles)
21
Timing Attacks - © Gemplus S.A. All rights reserved
1
cycle
1
cycle
P1 P2 (3 cycles)
1
cycle
Information leakage
HW (P1 184), for P1 = 0, 255
Hamming weight
Consumption (instant slice on 256 traces)
22
Timing Attacks - © Gemplus S.A. All rights reserved
Power trace of an algorithm
• Typical SK block cipher
 key schedule
 Feistel scheme
 16 rounds
PLAIN TEXT
KEY (64 bits)
INITIAL PERMUTATION (IP)
PC1 PERMUTATION
L0
REDUCED KEY (56
bits)
R0
f
K1
KeySchedule
1
R1 = L0  f (R0 , K1)
L1 = R0
f
K2
Data
Encryption
L2 = R1
R2 = L1  f (R1 , K2)
L15 = R14
R15 = L14  f (R14 , K15)
Standard
f
K16
R16 = L15  f (R15 , K16)
L16 = R15
IP-1
CIPHER TEXT
23
KeySchedul
e2
Timing Attacks - © Gemplus S.A. All rights reserved
Key
Schedule16
Power trace of an algorithm
• Content of a DES round (with key schedule)
Li-1
Ri-1
32 bits
Key
56 bits
32 bits
Key Shift
Expansive Permutation
Key Shift
28 bits 28 bits
PC2 Permutation
48 bits
48 bits
Substitution Boxes
(8 LUT)
32 bits
P Permutation
56 bits
Li
24
Ri
Timing Attacks - © Gemplus S.A. All rights reserved
Key
Power trace of an algorithm :
DES
MAX
IP PC1
16 rounds
AVERAGE
16 patterns
Duration = 5 ms
MIN
25
IP-1
Timing Attacks - © Gemplus S.A. All rights reserved
Power Analysis Profiles
Power
• Raw data
Time
26
Timing Attacks - © Gemplus S.A. All rights reserved
Power Analysis Profiles
Power
• Raw data, zoomed in
1m
s
27
Time
Time
Timing Attacks - © Gemplus S.A. All rights reserved
Power Analysis Profiles
Power
• Raw data, zoomed out
1m
s
28
Time
Timing Attacks - © Gemplus S.A. All rights reserved
Simple Power Analysis
• Simple (Single) Power Analysis context
 Find out a secret or private key
 Known algorithm
 Unknown implementation (background culture recommended)
• Conditions
 1 card available
 Learning phase required (signature location)
 Key inference on a single curve (with relevant height of view)
 Possibly known plain or ciphertext
29
Timing Attacks - © Gemplus S.A. All rights reserved
Case Study
SPA attack on RSA
• SPA against RSA private exponentiation
s = md mod n
 n large modulus, say 1024 bits (n = p * q, with p & q
large primes)
 m message : slightly smaller than n (say 1023 bits)
 s signature
 d private exponent such that : e * d  1 mod (p-1)(q-1),
with e public exponent
• The attacker aims at retrieving d
30
Timing Attacks - © Gemplus S.A. All rights reserved
SPA attack on RSA
• basic “square and multiply” algorithm
• exponent bits scanned from MSB to LSB (left to right)
Let k = bitsize of d (say 1024)
Let s = m
For i = k-2 down to 0
Let s = s*s mod n (SQUARE)
Example :
s = m9 = m1001b
init (MSB 1)
s=m
round 2 (bit 0) s = m2
If (bit i of d) is 1 then
Let s = s*m mod n (MULTIPLY)
End if
End for
31
Timing Attacks - © Gemplus S.A. All rights reserved
round 1 (bit 0) s = (m2 )2 = m4
round 0 (bit 1) s = (m4 )2 * m =
m9
SPA attack on RSA
Test key value : 0F 00 F0 00 FF 00
SSSS SSSS
SSSS SSSS
1 1 1 1 0000
1 1 1 1
0F
0000 0000
00
32
SMSMSMSMSMSMSMSM
SMSMSMSMSSSS
SMSMSM
F0
SSSS SSSS
1 1 1 1 1 1 1 1
0000 0000
00
Timing Attacks - © Gemplus S.A. All rights reserved
FF
0000 0000
00
SPA attack on RSA
2
E
C
6
9
1
5
B
F
9
4
A
0010 1 1 10 1 1000 1 10100 1000 10 10 1 10 1 11 1 1 1 100 10 100 10 10
Key value : 2E C6 91 5B F9 4A
33
Timing Attacks - © Gemplus S.A. All rights reserved
What you can do with SPA
• SPA uses implementation related patterns
• SPA strategy
 algorithm knowledge
 reverse engineering phase (signature location)
 representation tuning (height of view, zoom, visualisation)
 then play with implementation assumptions...
• SPA is always specific due to
 the algorithm implementation
 the applicative constraints
 the chip’s technology (electrical properties)
 possible counter-measures...
34
Timing Attacks - © Gemplus S.A. All rights reserved
Counter-measures
• Counter-measure : anything that foils the attack !
• Trivial counter-measure
 prohibit code branches conditioned by the secret bits
• Advanced counter-measures
 algorithm specification refinement
• code structure
• data whitening
 implementation design based on the chip’s resources
• play with instructions set
• hardware electrical behaviour (current scrambler,
desynchronisation, cryptoprocessor…)
35
Timing Attacks - © Gemplus S.A. All rights reserved
Effects of Counter-measures
Non
significant
bits
processing
d = 01 00 01
S
M
Non
significant
bits
processing
d = 01 00 01
S
M
One bit processing
d = FF 0A
FF
Relevant
information
d = FF 0A
FF
d = 00 00 00
d = 00 00 00
SPA resistant !
Although same specified
RSA !
Timing Attacks - © Gemplus S.A. All rights reserved
SPA possible
36
Differential Power Analysis
• required number of acquisitions : 500 to 10,000
• prerequisite
 physical access to the card under attack
 access to either plaintext M or ciphertext C
 varying plaintext and constant key
 algorithm specifications (MANDATORY)
• cost
 A few dollars (to a few thousands)
 A few days training
 Average good level of expertise
 Chip and implementation independent
37
Timing Attacks - © Gemplus S.A. All rights reserved
Differential Power Analysis
• description :
 choose a subset (subKi) of n bits of K
1
n
K
subKi
 perform a statistical test for each possible value of a
subKi
0
1
2
2n-1
 Choose the best guess
2
 Iterate on all possible subKi's
38
Timing Attacks - © Gemplus S.A. All rights reserved
Differential Power Analysis
• DPA statistical test :
• a batch of data acquisitions for various messages Mk
0
1
k
• the corresponding plaintext Mk or the cipher text Ck
dfdsffb
fdgcxv
lklkjlsdq
M0
M1
Mk
2
2n-1
• the values of the subKi
0
39
1
Timing Attacks - © Gemplus S.A. All rights reserved
Differential Power Analysis
• DPA statistical test :
 selection function D :
• sort curves according to Mk or Ck for each value of
a subKi
• output = image of a target bit of the algorithm
Key
process
Message
process
subKi
target bit
40
process
Timing Attacks - © Gemplus S.A. All rights reserved
process
Differential Power Analysis
• data processing for a value x of a subKi :
x
D
-
n
0
1
lklkjlsdq
fdgcxv
Mn
dfdsffb
M1
M0
Average
41
Timing Attacks - © Gemplus S.A. All rights reserved
Differential Power Analysis
• Choosing the right guess
0
42
1
Timing Attacks - © Gemplus S.A. All rights reserved
2n-1
Differential Power Analysis
• iterate on all possible sub-keys :
1
n 1
n
1
n
1
n
K
subK1
subK2
subK3
subK4
• find the remaining bits through exhaustive search
K
43
Timing Attacks - © Gemplus S.A. All rights reserved
Differential Power Analysis
• How does it work ?
D=1
D=1
Average for subKeyi
D=0
D=0
Average for subKeyi
DPA peak
Difference for subKeyi
44
Timing Attacks - © Gemplus S.A. All rights reserved
Differential Power Analysis
M (Message)
Key
IPerm
Shift
• example : DES
 first round
 S-BOX ouput
 subKi : 6bits of the key
L0 (32 bits)
R0 (32 bits)
CPerm
EPerm
6 bits x 8
Ki (6 bits)
6 bits
S-Box
4 bits ( any of them is
a valid target bit )
PPerm
4 bits
4 bits x 8
4 bits
L1 (32 bits)
45
Timing Attacks - © Gemplus S.A. All rights reserved
R1 (32 bits)
Differential Power Analysis
 wrong subKi
 right subKi
46
Timing Attacks - © Gemplus S.A. All rights reserved
Countermeasures
• Add noise
• Scramble power consumption or stabilize it
• Randomize all sensitive data variables with a fresh mask for
every execution of an algorithm
• Randomize, randomize, randomize …
• Secret keys
• Messages
• Private exponents
• Bases
• Moduli
47
Timing Attacks - © Gemplus S.A. All rights reserved
Case study on a Combi Card
• Suppose all power consumption curves are flat and
identical despite different secret RSA exponents
(hardware countermeasure).
48
Timing Attacks - © Gemplus S.A. All rights reserved
Electromagnetic Analysis on
RSA
• Tests require a de-capsulation of chip with semi
invasive method.
• A scanning of surface is needed to find the
« good » area where electromagnetic analysis is
possible.
• The chip is powered by contact reader
49
Timing Attacks - © Gemplus S.A. All rights reserved
RSA Signature Algorithm
Power and Electromagnetic
First semi exponentiation (Sq)
Second semi exponentiation (Sp)
Power
combination
Em
50
Timing Attacks - © Gemplus S.A. All rights reserved
Electromagnetic Analysis
Zoom in
One byte processed
Power
One bit processed
Sq
Mult
0
0
1
1
0
0
0
0
d=..30...
Em1
Em2
1
0
1
1
1
1
1
1
d=..bf...
51
Timing Attacks - © Gemplus S.A. All rights reserved
Radio Frequency Analysis
(Contactless Cards)
• Tests are non-invasive.
• A simple magnetic loop made with copper wire is
needed.
• An image of the magnetic field, modified by the
card’s consumption, is collected.
• The chip is powered by a contactless reader.
52
Timing Attacks - © Gemplus S.A. All rights reserved
Equipment (1/2)
53
Timing Attacks - © Gemplus S.A. All rights reserved
Equipment (2/2)
54
Timing Attacks - © Gemplus S.A. All rights reserved
RSA Signature Algorithm
Radio Frequency Analysis
First semi exponentiation
55
Second semi exponentiation
Timing Attacks - © Gemplus S.A. All rights reserved
combination
Zoom on first
semi exponentiation
RF
1
0
0
9
56
1
0
1
1
7
1
0
0
1
3
dq= ….9 73 6..
Timing Attacks - © Gemplus S.A. All rights reserved
1
0
1
1
6
0
0
Conclusion
• There are many potential ways to try to attack a
smart card
• But there are also many ways to counteract and
efficiently protect your secrets
• Smart Cards achieve the best possible trade-off
between cost and security
• We try to keep it that way 
57
Timing Attacks - © Gemplus S.A. All rights reserved
(Differential)
Fault Attacks
7/21/2015
Bull CP8 Patents
Introduction
• Fault Attacks where first published as a way of
jeopardising computations of cryptographic algorithms
(RSA, DSA, DES).
• However, you can imagine to implement fault attacks on
other processes inside a microprocessor.
• Fault attacks are real industrial security concern:
 To pass some certification, like FIPS140-1 level 3 (US
government security certification), you should prove that
your system resists to fault attacks.
59
Timing Attacks - © Gemplus S.A. All rights reserved
Different types of faults
• Transients Faults.
 Appear randomly in a system, have various unpredictable
causes.
• Latent or Internal Faults.
 Are the result of hardware or low level software default
(floating point unit on Pentium chips,...).
 Rarely controllable
• Induced Faults.
 Appear after intentional stress (E2) or hardware
"mutilation”, can be transient or permanent.
 Sometimes controllable with knowledge of the
physical/chemical/electrical behaviour of the chip.
60
Timing Attacks - © Gemplus S.A. All rights reserved
The DFA crisis: 1996
• September 96
 Attack on RSA CRT by Bellcore (EuroCrypt’97)
 Attack improvements by Lenstra
• October 96
 18: DFA on DES by Biham et Shamir
 29: Attack on RSA and ElGamal
 30: DFA on unknown cryptosystems by Biham & Shamir.
«Differential Fault Analysis of Secret Key Cryptosystems»
(Crypto’97)
• November 96
 Attack of CRT on LUC and Demytko by Marc Joye and JJ
Quisquater
61
Timing Attacks - © Gemplus S.A. All rights reserved
From theory to practice
• We will detail major DFA ideas with associated countermeasures concerning:
 RSA
 DES
 Card processes
• Note that some of these attacks does not seem really
practical.
• Some others are quite realistic if the hardware can be
tampered with...
62
Timing Attacks - © Gemplus S.A. All rights reserved
Attack on standard signature
• Hypothesis:
 the message m and its signature s= md are known
 a fault is injected on one bit i of d
 this results in a wrong signature s’=md’
Then :
or
s’/s =
i
d’-d
2
m =m
mod n if bit i was 0
s’/s =
i
d’-d
-2
m =m
mod n if bit i was 1
• One bit in random position of the secret exponent is
discovered every round.
63
Timing Attacks - © Gemplus S.A. All rights reserved
Attack on standard signature
• Faults can be induced on more than one bit, making
analysis slightly more difficult.
• This attack is compatible with transient or permanent
faults.
64
Timing Attacks - © Gemplus S.A. All rights reserved
Recall on CRT
• The Chinese Remainder Theorem is used in RSA in order
to speed up exponentiation by a factor of 4.
• Exponentiation is performed in three steps
 sp = md mod p is computed (in fact, dp is used)
 sq = md mod q is computed
(in fact, dq is used)
 the signature is recombined with CRT as
s = a.sp + b.sq mod n,
• The constants a and b are precomputed such that
a = 1 mod p,
b = 0 mod p,
a = 0 mod q,
b = 1 mod q.
65
Timing Attacks - © Gemplus S.A. All rights reserved
Attack on CRT exponentiation
• This attack was first published by Lenstra.
• Hypothesis:
 s, signature of a message m is known.
 a fault is injected in the exponentiation mod p.
• Due to error injection, sp becomes sp’
s’ = a.sp’ + b.sq mod n,
s’-s= (a.sp’+ b.sq) - (a.sp+ b.sq) mod n
s’-s= a.(sp’- sp) mod n
the prime q divides a and can be retrieved by
Gcd.
66
Timing Attacks - © Gemplus S.A. All rights reserved
Counter-measures on RSA
• Applicative counter-measures
 Use a random padding with sufficient variability
 Compute the result twice and compare
 Verify that se = m mod n when e is known
• e is usually a small number, verification is very fast
• Algorithmic counter-measures
 Gemplus counter-measure on RSA-CRT (patented) intends
to protect both half-exponentiations by:
• choosing a small random number r
• computing spr = md mod pr et sr = md mod r
• checking whether spr mod r = sr
67
Timing Attacks - © Gemplus S.A. All rights reserved
DES and fault attack
• This attack was first published by Biham & Shamir.
• The idea is to:
 Stress the card in order to erase key bits in E²
 Record all the wrong ciphertexts
 Compute backwards the initial key
• This attack remains theoretical and is based on
permanent faults.
• However, this attack can be applied to any cryptographic
algorithm.
68
Timing Attacks - © Gemplus S.A. All rights reserved
DES and fault attack
• There are no published counter-measures against this
attack.
• The classical ways of dealing with fault attacks on secret
keys algorithms are:
 Self-tests against permanent faults
 Check-sums where available
 Just Do It Twice
69
Timing Attacks - © Gemplus S.A. All rights reserved
Card processes and fault attacks
• Fault attacks can be extended to non mathematical
processes.
• Need some knowledge about the code embedded to
synchronise stresses and computations
 To localise the sensible place where the fault should happen
 To know the probable effect of the fault
• These attacks are mainly fought by hardware countermeasures.
70
Timing Attacks - © Gemplus S.A. All rights reserved
Hardware aspects of fault attacks
• Flaw injection in this case is a hardly controllable and
reproducible process.
• Implementation is not that easy:
 Stress on memories, during read/writing/retention
• By means of variations on power supply, frequency
• Through various types of radiation
 Modifications on hardware mechanism
• Using probing or FIB




71
Buses
Random generators
Crypto-coprocessors
Hardware DES
Timing Attacks - © Gemplus S.A. All rights reserved
Fault attacks and smart cards
• Need expertise in measurements and hardware to
implement efficient fault attacks.
• Smart cards give many tools to defeat fault attacks:
 Tamper-evidence
• Security sensors, security mechanisms
 Software counter-measures
• On algorithms, on secret storage
• GEMPLUS is actually researching on that topic, covering
attack implementation and counter-measures.
72
Timing Attacks - © Gemplus S.A. All rights reserved
Hardware
Security
7/21/2015
Bull CP8 Patents
Attacks on Smart Cards
Wide range of techniques, requiring
various skills, equipment and time:
• Invasive Attacks
• Side Channel Attacks
• Fault Generation
• INVASIVE ATTACK: when the
card or the chip are physically and
irreversibly modified the attack can
be consider as an invasive attack.
• Find useful additional information
• Find secret etched in silicon
• Bypass hardware counter-measure
74
Timing Attacks - © Gemplus S.A. All rights reserved
Side Channel Attacks
Monitor analog signals on all
interfaces, and analyze:
• Time
• Power
• Electromagnetic
signals
• ...
75
Timing Attacks - © Gemplus S.A. All rights reserved
Fault Generation
Apply combinations of
environmental conditions
• Vcc
• Clock
• Temperature
• UV
• Light
• X-Rays
• ...
key
input
error
and bypass or infer secrets
76
Timing Attacks - © Gemplus S.A. All rights reserved
Smart card attacks : state of the art
Smart card attack : Physical Security
77
Timing Attacks - © Gemplus S.A. All rights reserved
Invasive Attacks
 Deposit probe pads on a
bus
 Deposit probe pads
through conductive grid
 Expose hardwired ROM
links
 Defeat blown fuse links
 Connect tracks
 Cut tracks
78
Timing Attacks - © Gemplus S.A. All rights reserved
Mechanical Probing
• Probe the bus with needles and probe
station with micro-manipulators
 After FIB modification: pads added
to probe buried buses
 Probe the bus directly
(for >0.5µm technologies)
DATA BUS
Si
79
Timing Attacks - © Gemplus S.A. All rights reserved
E-beam Probing
• Use e-beam tester to access submicron technologies
• Analysis of the secondary electrons gives the voltage
value
• Top metal layers can be probe with or without adding
probe pad with FIB
detector
e-beam
e-
e-
e-
DATA BUS
SI
80
Timing Attacks - © Gemplus S.A. All rights reserved
Reverse ROM content
• Reverse the content of the ROM
 Remove the top layers of the component by chemical
etching or mechanical polishing
 Use a microscope to retrieve the content of the ROM
 Can always be done for ROM metal, implant or diffusion
 The difficulty is: reverse the scrambling and decipher the
ROM array
81
Timing Attacks - © Gemplus S.A. All rights reserved
ROM Diffusion
Connections à la masse
Acces ligne (polysililicium)
Acces colonne (metal)
82
Timing Attacks - © Gemplus S.A. All rights reserved
Attack on ROM : Diffusion MOS
NOR ROM
• Remove the top layers
• Read the content of the array
WL
83
Timing Attacks - © Gemplus S.A. All rights reserved
0 0 0 1
1 1 1 1
ROM IMPLANT
Ionic implantation ROM at
low level
84
Timing Attacks - © Gemplus S.A. All rights reserved
Implantation ROM after
staining
Example 2: Metal ROM
Unused area
filled with ‘0’
85
Timing Attacks - © Gemplus S.A. All rights reserved
Chip feature modifications
• Shunt parts of the circuit
 Disconnect sensors
•  Fault attacks, Contrast Voltage...
 Disconnect the RNG
• modify the output of the RNG (stuck at the same value)
 Reconstruct polysilicon fuse
• Make probing possible to tape data on the bus
 Bypass active shield
 Add probe pads
 Drill holes to probe buried metal lines
86
Timing Attacks - © Gemplus S.A. All rights reserved
Circuit modification
• Connect or disconnect security mechanism
 disconnect sensors
 RNG stuck at a fixed value
 Reconstruct poly-silicon fuse
Metal
strap
Cut
• Add probe pads
 make micro-probing of the buried layers possible
• Equipment
Laser
87
Timing Attacks - © Gemplus S.A. All rights reserved
FIB
Chip modification tools
• Laser
 Local material removal, cut lines
• only top layers
• bad resolution (2x2µm min)
 Availability: FA labs, university
• FIB (Focus Ion Beam)
 remove or cut metal lines
 good resolution & accuracy (10nm)
 metal deposition (strap lines, add pads)
 can reach buried layers
88
Timing Attacks - © Gemplus S.A. All rights reserved
Layout analysis
EEPROM
ROM
RAM
CPU
• Shield
• Glue logic
• No Buses visible
•
•
•
•
89
Blocks can be easily identified
No shield
No glue logic
Buses clearly visible
Timing Attacks - © Gemplus S.A. All rights reserved
After metal removing
90
Timing Attacks - © Gemplus S.A. All rights reserved
(0,18 µm)
91
Timing Attacks - © Gemplus S.A. All rights reserved
Hardware security feature evolution
Frequency,Voltage
Integrity sensor
1 µm technology
Passive shield
UV,Light sensors
0.6 µm technology
3 metal layers
2 metal layers
CPU Freq = 5 MHz
8 bit CPU
CPU Freq = 10 MHz
ROM encryption
Fast Erase of memory
Temperature, Glitch
sensors
Sensor improvement
Active shield
0.18 µm technology
0.35 µm technology
5 metal layers
5 metal layers
Internal free oscillator
Glue logic
CPU Freq = 66 MHz
Internal free oscillator
32-bit CPU
CPU Freq = 16 MHz
Complemented logic
16-bit CPU
Dynamic encryption
Dummy cycles
Encryption of Memories
1996
92
1998
2000
Timing Attacks - © Gemplus S.A. All rights reserved
2002
Chip Security Features
• The following items are carefully analyzed :
 Security Sensors
 Clock
 Reset
 Design & Layout
 ROM, RAM, EEPROM
 CPU
 Buses
 RNG
 Memory Management Unit
 Crypto Coprocessor
 ...
93
Timing Attacks - © Gemplus S.A. All rights reserved
Security Sensors
protect against …
• Voltage: fault attacks
• Frequency: fault attack, contrast voltage
• Temperature: fault attack
• UV: fault attack
• Light: fault attack, invasive attack
• Physical Integrity Sensors: invasive attack
94
Timing Attacks - © Gemplus S.A. All rights reserved
Clock
• Internal Clock based on free running oscillator
• PLL/Multiplier/Divider
• Use external clock for I/O and Timer only
• Interesting against Side-Channel and Fault attacks
95
Timing Attacks - © Gemplus S.A. All rights reserved
Design & Layout
• Planarization is recommended
• The smaller the techno, the better (0.18 µm)
• The more metal layers, the better (5)
• No accessible test pads
• Sensitive parts should be in low and separate levels
• Bloc connections should not be obvious (local buses)
• Glue logic should be used
96
Timing Attacks - © Gemplus S.A. All rights reserved
RAM
• Dynamic Ciphering: Side-Channel attacks
• @ and Data dynamic scrambling: Invasive and Fault
attacks
• Fast Erase: Fault attacks
97
Timing Attacks - © Gemplus S.A. All rights reserved
Non Volatile Memory
(EEprom, Flash)
• Ciphering
• @ and Data scrambling
• Automatic verify
• Checksum
• Error Correction Code
• Independent charge pump
98
Timing Attacks - © Gemplus S.A. All rights reserved
Buses
• Ciphering: Side-channel and Invasive attacks
• Scrambling: Invasive and Fault attacks
• Should be in low and separate levels: Invasive attacks
99
Timing Attacks - © Gemplus S.A. All rights reserved
RNG
• RNG: is the basis of many HW and SW security
measures
• Should be carefully checked with several external
conditions (Vcc, Temp, etc...)
• User application code should handle the RNG correctly
(enough delay, refresh)
100
Timing Attacks - © Gemplus S.A. All rights reserved
CONCLUSION
• Current platforms require additional SW Security
Measures
• HW Security Measures or Designs are to be the right
mid-term solutions, for performance reasons: e.g. SW
DES = 30 ms, HW DES within few µs
• Chips provide different solutions and security levels
101
Timing Attacks - © Gemplus S.A. All rights reserved