Timing Attacks
7/21/2015
Bull CP8 Patents
What are Timing Attacks ?
• The term “Timing Attack” was first introduced at CRYPTO'96
in Paul Kocher's paper
• Few other theoretical approaches without practical
experiments up to the end of 97’
• Theory was put into practice in early 98’
• Timing attacks belong to the large family of "side channel"
attacks
Timing Attacks - © Gemplus S.A. All rights reserved
What are Timing Attacks ?
• Principle of Timing Attacks :
Secret data are processed in the card
Processing time
• depends on the value of the secret data
• leaks information about the secret data
• can be measured (or at least their differences)
• Practical attack conditions
Possibility to monitor the processing of the secret data
Have a way to record processing times
Have basic computational & statistical tools
Have some knowledge of the implementation
What are Timing Attacks ?
[Flowchart: Start → everything performed unconditionally before the test → Decision → Process 1 (True, duration t1) or Process 2 (False, duration t2) → everything performed unconditionally after the test → end]
• A test based on secret data is performed that leads to a boolean decision
• Depending on the boolean condition, the process may be long (t1) or short (t2)
Case Study
Attack on a PIN Code
Verification
PIN Code Verification
• Secret data are stored in the smart card
Example : a PIN code, 8 bytes long
• Like passwords on a PC, authentication is based on this
secret
A dedicated function exists in the smart card software :
The ‘VerifySecret’ command which:
• Receives the challenge (proposed value for the PIN
code)
• Compares the challenge with the stored PIN
• Grants access rights if the comparison is successful
PIN Code Verification
LEVEL 1
Pseudo-code for the "VerifySecret" command
IN
• P = PIN code value stored in the card
• C = Challenge (proposed value for the PIN)
OUT
• ‘KO’ or ‘OK’
VERIFY SECRET
    For b = 0 to 7
        If C[b] != P[b] then return 'KO'
    Return 'OK'
PIN Code Verification
LEVEL 1
• Attack implementation
Propose the n possible values of C[0] (256 values)
Measure [n] the corresponding command duration
Compute the maximum command duration [n0]
[n0] = max([n]), n ∈ {0, …, 255}
• n0 is the solution P[0] for the first byte of the PIN code
C[0] being known, iterate successively for all C[i]
• Complexity
Number of comparisons: 8 * 256 = 2048 (instead of 256^8)
PIN Code Verification
LEVEL 2
Possible counter-measure
• To defeat this attack one may think of adding a random
delay during the execution:
Generate a random delay a uniformly distributed
a {0, , 2, 3, …, r} with 0 r 255
is an elementary time unit
Wait a time units whatever the command status 'KO' or
'OK'
Follow the same implementation as the previous one
PIN Code Verification
LEVEL 2
[Flowchart: Start → Decision → Process 1 (True, t1) or Process 2 (False, t2) → added random delay r* → end]
r : uniformly distributed random variable
PIN Code Verification
LEVEL 2
• Attack idea
It is possible to know what would be the duration for processing a challenge as if there were no delay
[Figure: two time axes showing the possible command durations, one per random delay value (0, 2, 3, 4, …, 254, 255)
 Wrong candidates: if (C[0]=P[0]) ; return KO, durations t1 + …
 Right candidate: if (C[0]=P[0]) ; if (C[1]=P[1]) ; ..., durations t2 + …]
PIN Code Verification
LEVEL 2
• Random delay elimination
For each n (n is the candidate C[0] for the first PIN code byte)
• Acquire a series of N command execution durations i[n]
• The minimum duration corresponds to an a = 0 random delay (with high probability, if N is chosen large enough)
Consider the corresponding min [n] run time value
• Attack implementation
Get rid of the random delay for each candidate (min [n])
Apply the previous attack scheme
• Complexity
Number of comparisons: 8*256*N (still much more efficient than 256^8)
PIN Code Verification
LEVEL n
• More complicated counter-measures may be thought of...
Add a binomial (rather than uniform) random delay
…
• …but they also may be defeated by more clever attacks !!
PIN Code Verification
CONCLUSION
• A typical example of insecure smart card software
Can happen in any routine processing secret data
• Secret values comparison
• Memory scanning and loading
• Checksum computation
• Counter-measures evaluation
Adding a delay is definitely not a good alternative
Good counter-measure
• Check all bytes at all times
• decrease/increase ratification counter with backup
• Dynamic enciphered PIN
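Added example (not from the original slides): the LEVEL 1 early-exit comparison next to a comparison that checks all bytes at all times, wrapped in a command that decrements the ratification counter before comparing and restores it on success, which is one reading of the counter bullet above. The compare counter standing in for the measured duration, the `struct card` layout, `MAX_TRIES` and the sample PIN are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PIN_LEN   8
#define MAX_TRIES 3   /* assumed retry limit, not from the slides */

/* Byte comparisons executed by the last call: a constructed stand-in for
   the command duration an observer would measure. */
static unsigned last_compares;

/* LEVEL 1 routine from the slides: returns at the first mismatch, so the
   work done depends on how many leading bytes of C match P. */
int verify_secret_early_exit(const uint8_t *p, const uint8_t *c)
{
    last_compares = 0;
    for (size_t b = 0; b < PIN_LEN; b++) {
        last_compares++;
        if (c[b] != p[b])
            return 0;                /* 'KO' */
    }
    return 1;                        /* 'OK' */
}

/* "Check all bytes at all times": OR the differences together and decide
   once, after the loop. No branch or loop bound depends on the secret. */
int verify_secret_all_bytes(const uint8_t *p, const uint8_t *c)
{
    uint8_t diff = 0;
    last_compares = 0;
    for (size_t b = 0; b < PIN_LEN; b++) {
        last_compares++;
        diff |= (uint8_t)(c[b] ^ p[b]);
    }
    /* diff == 0 gives 1, any other value gives 0, without branching. */
    return (int)(1u & (((unsigned)diff - 1u) >> 8));
}

/* Hypothetical card state for the illustration. */
struct card { uint8_t pin[PIN_LEN]; uint8_t tries_left; };

/* The counter is decremented before the comparison and restored only on
   success, so every presented challenge costs a try. */
int verify_command(struct card *card, const uint8_t *c)
{
    if (card->tries_left == 0)
        return 0;                    /* card blocked */
    card->tries_left--;
    int ok = verify_secret_all_bytes(card->pin, c);
    if (ok)
        card->tries_left = MAX_TRIES;
    return ok;
}

/* Constructed probe: run `verify` on a challenge whose first `matching`
   bytes equal the PIN and report the work it did. */
unsigned work_for_prefix(int (*verify)(const uint8_t *, const uint8_t *),
                         size_t matching)
{
    static const uint8_t pin[PIN_LEN] =
        {0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38};
    uint8_t c[PIN_LEN];
    for (size_t b = 0; b < PIN_LEN; b++)
        c[b] = (b < matching) ? pin[b] : (uint8_t)~pin[b];
    verify(pin, c);
    return last_compares;
}

int main(void)
{
    printf("matching bytes | early exit | all bytes\n");
    for (size_t k = 0; k <= PIN_LEN; k++)
        printf("%14zu | %10u | %9u\n", k,
               work_for_prefix(verify_secret_early_exit, k),
               work_for_prefix(verify_secret_all_bytes, k));
    return 0;
}
```

The early-exit column grows with the number of matching leading bytes while the all-bytes column stays at 8, which is the property the good counter-measure asks for.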
Power Analysis
Attacks
Summary
• Introduction to Power Analysis
Experimental equipment
Information leakage through the power
• Example : reverse engineering of an algorithm
The algorithm structure
Electrical signatures
• Single Power Analysis (SPA)
Attack against the DES key schedule
Attack against RSA
• Conclusion
Counter-measures
Power Analysis
Basic Principles
• ICC's Power Consumption leaks information about data processing
Power Consumption = f(processing, data)
• Deduce information about secret data and processing
empirical methods
statistical treatment
Power Analysis Tools
Experimental equipment
Devices for monitoring the current consumption of a chip
[Diagram labels: Main PC (runs Acquisition software); Server (stores files and runs Treatment software); Oscilloscope (current waveform acquisition, scope trigger on IO); arm scope, retrieve file; file transfer; command emission; GCR card reader; Card extension; R; Protection box]
Information leakage
• The power consumption of a chip depends on
the manipulated data
the executed instruction
• Leakage models
Hamming Weight of the data, address, Op code
• HW(0) = 0
• HW(1) = HW(2) = HW(4) = HW(2^n) = 1
• HW(3) = HW(5) = HW(6) = HW(9) = 2
• …
• HW(255) = HW(0xFF) = 8
Transitions weight (flipping bits on a bus state) :
• HW(state_i ⊕ state_i-1)
Other models, chips & technologies …
Information leakage
[Figure: power signatures for "Load P1 and XOR with P2 = 0" (P1 ⊕ P2 with P1 = 0, 1, 7, 255)
 Traces: P1 = 0 = 0x00, P1 = 1 = 0x01, P1 = 7 = 0x07, P1 = 255 = 0xFF
 Time axis, cycle by cycle: Load P1 into accumulator (3 cycles), then P1 ⊕ P2 (3 cycles)]
Information leakage
[Figure: consumption (instant slice on 256 traces) plotted against the Hamming weight HW(P1 ⊕ 184), for P1 = 0, 255]
Power trace of an algorithm
• Typical SK block cipher
key schedule
Feistel scheme
16 rounds
[Diagram: Data Encryption Standard
 Data path: PLAIN TEXT → INITIAL PERMUTATION (IP) → L0, R0 → 16 rounds of f with K1 … K16 → IP-1 → CIPHER TEXT
 Key path: KEY (64 bits) → PC1 PERMUTATION → REDUCED KEY (56 bits) → KeySchedule 1, KeySchedule 2, …, KeySchedule 16
 R1 = L0 ⊕ f(R0, K1), L1 = R0
 R2 = L1 ⊕ f(R1, K2), L2 = R1
 …
 R15 = L14 ⊕ f(R14, K15), L15 = R14
 R16 = L15 ⊕ f(R15, K16), L16 = R15]
Power trace of an algorithm
• Content of a DES round (with key schedule)
[Diagram: one DES round
 Data: Li-1 (32 bits), Ri-1 (32 bits) → Expansive Permutation (48 bits) → Substitution Boxes (8 LUT) (32 bits) → P Permutation → Li, Ri
 Key: Key (56 bits) → Key Shift, Key Shift (28 bits, 28 bits) → PC2 Permutation (48 bits); Key (56 bits) passed on]
Power trace of an algorithm : DES
[Figure: power trace of a DES execution (MIN, AVERAGE and MAX curves), duration = 5 ms: IP and PC1, then the 16 rounds visible as 16 patterns, then IP-1]
Power Analysis Profiles
• Raw data
[Figure: power against time]
Power Analysis Profiles
• Raw data, zoomed in
[Figure: power against time, scale 1 ms]
Power Analysis Profiles
• Raw data, zoomed out
[Figure: power against time, scale 1 ms]
Simple Power Analysis
• Simple (Single) Power Analysis context
Find out a secret or private key
Known algorithm
Unknown implementation (background culture recommended)
• Conditions
1 card available
Learning phase required (signature location)
Key inference on a single curve (with relevant height of view)
Possibly known plain or ciphertext
Case Study
SPA attack on RSA
• SPA against RSA private exponentiation
s = m^d mod n
n large modulus, say 1024 bits (n = p * q, with p & q large primes)
m message : slightly smaller than n (say 1023 bits)
s signature
d private exponent such that : e * d ≡ 1 mod (p-1)(q-1), with e public exponent
• The attacker aims at retrieving d
SPA attack on RSA
• basic "square and multiply" algorithm
• exponent bits scanned from MSB to LSB (left to right)
Let k = bitsize of d (say 1024)
Let s = m
For i = k-2 down to 0
    Let s = s*s mod n (SQUARE)
    If (bit i of d) is 1 then
        Let s = s*m mod n (MULTIPLY)
    End if
End for
Example : s = m^9 = m^1001b
init (MSB 1)     s = m
round 2 (bit 0)  s = m^2
round 1 (bit 0)  s = (m^2)^2 = m^4
round 0 (bit 1)  s = (m^4)^2 * m = m^9
SPA attack on RSA
Test key value : 0F 00 F0 00 FF 00
[Figure: power trace of the exponentiation, annotated byte by byte (0F, 00, F0, 00, FF, 00): runs of 0 bits appear as S (square only) patterns, e.g. SSSS SSSS for 00, and runs of 1 bits as SM (square, multiply) patterns, e.g. SMSMSMSMSSSS for F0]
SPA attack on RSA
[Figure: power trace from which the exponent bits are read]
0010 1110 1100 0110 1001 0001 0101 1011 1111 1001 0100 1010
Key value : 2E C6 91 5B F9 4A
What you can do with SPA
• SPA uses implementation related patterns
• SPA strategy
algorithm knowledge
reverse engineering phase (signature location)
representation tuning (height of view, zoom, visualisation)
then play with implementation assumptions...
• SPA is always specific due to
the algorithm implementation
the applicative constraints
the chip’s technology (electrical properties)
possible counter-measures...
Counter-measures
• Counter-measure : anything that foils the attack !
• Trivial counter-measure
prohibit code branches conditioned by the secret bits
• Advanced counter-measures
algorithm specification refinement
• code structure
• data whitening
implementation design based on the chip’s resources
• play with instructions set
• hardware electrical behaviour (current scrambler,
desynchronisation, cryptoprocessor…)
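Added example (not from the original slides): the branching square and multiply next to a Montgomery ladder, one common way to remove code branches conditioned by the secret bits. Both record their operation sequence so the difference an SPA trace would show is visible; the toy modulus 3233, the fixed exponent width k and the function names are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modular product; valid while n < 2^32 so that a*b fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }

/* Branching square and multiply over a fixed width of k bits, MSB first
   (the slides start at the top set bit with s = m; starting from 1 over a
   fixed width gives the same result). ops receives 'S' or 'M' for each
   operation: the sequence a single power trace exposes. Needs 2k+1 bytes. */
uint64_t modexp_branching(uint64_t m, uint32_t d, int k, uint64_t n, char *ops)
{
    uint64_t s = 1 % n;
    for (int i = k - 1; i >= 0; i--) {
        s = mulmod(s, s, n);
        *ops++ = 'S';
        if ((d >> i) & 1) {              /* branch on a secret bit */
            s = mulmod(s, m, n);
            *ops++ = 'M';
        }
    }
    *ops = '\0';
    return s;
}

/* Swap a and b when bit is 1, using a mask instead of a branch. */
static void cswap(uint64_t *a, uint64_t *b, uint64_t bit)
{
    uint64_t t = (*a ^ *b) & (0 - bit);
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder: one multiply and one square for every exponent bit,
   both results are used, and the bit only drives masked swaps. */
uint64_t modexp_ladder(uint64_t m, uint32_t d, int k, uint64_t n, char *ops)
{
    uint64_t r0 = 1 % n, r1 = m % n;     /* invariant: r1 = r0 * m mod n */
    for (int i = k - 1; i >= 0; i--) {
        uint64_t bit = (d >> i) & 1;
        cswap(&r0, &r1, bit);
        r1 = mulmod(r0, r1, n);
        *ops++ = 'M';
        r0 = mulmod(r0, r0, n);
        *ops++ = 'S';
        cswap(&r0, &r1, bit);
    }
    *ops = '\0';
    return r0;
}

int main(void)
{
    /* Constructed exponents echoing the test key bytes on the slides. */
    const uint32_t d[] = {0x0F, 0xF0, 0x00};
    char a[80], b[80];
    for (size_t i = 0; i < sizeof d / sizeof d[0]; i++) {
        uint64_t x = modexp_branching(2, d[i], 8, 3233, a);
        uint64_t y = modexp_ladder(2, d[i], 8, 3233, b);
        printf("d=%02X branching=%-16s ladder=%s same result=%d\n",
               (unsigned)d[i], a, b, x == y);
    }
    return 0;
}
```

The ladder removes the operation-sequence leak only; the compiler output for `cswap` still has to be checked for branches, and the data-dependent leakage discussed under DPA needs the randomisation counter-measures.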
Effects of Counter-measures
[Figure: power traces of two implementations of the same specified RSA, each shown for d = 01 00 01, d = FF 0A FF and d = 00 00 00, with the non significant bits processing, one bit processing and the S and M operations marked
 One implementation: relevant information visible, SPA possible
 Other implementation: SPA resistant ! Although same specified RSA !]
Differential Power Analysis
• required number of acquisitions : 500 to 10,000
• prerequisite
physical access to the card under attack
access to either plaintext M or ciphertext C
varying plaintext and constant key
algorithm specifications (MANDATORY)
• cost
A few dollars (to a few thousands)
A few days training
Average good level of expertise
Chip and implementation independent
Differential Power Analysis
• description :
choose a subset (subKi) of n bits of K
[Diagram: subKi shown as bits 1 to n of K]
perform a statistical test for each possible value of a subKi (0, 1, 2, …, 2^n-1)
Choose the best guess
Iterate on all possible subKi's
Differential Power Analysis
• DPA statistical test :
• a batch of data acquisitions for various messages Mk (curves 0, 1, …, k)
• the corresponding plaintext Mk or the cipher text Ck (M0, M1, …, Mk)
• the values of the subKi (0, 1, 2, …, 2^n-1)
Differential Power Analysis
• DPA statistical test :
selection function D :
• sort curves according to Mk or Ck for each value of a subKi
• output = image of a target bit of the algorithm
[Diagram: the Key and the Message go through processes; the subKi and the message lead to the target bit]
Differential Power Analysis
• data processing for a value x of a subKi :
[Diagram: for the value x, the selection function D sorts the curves for messages M0, M1, …, Mn into two sets; each set is averaged and the two averages are subtracted]
Differential Power Analysis
• Choosing the right guess
[Figure: differential curves for the subKi values 0, 1, …, 2^n-1]
Differential Power Analysis
• iterate on all possible sub-keys :
[Diagram: K divided into sub-keys of bits 1 to n: subK1, subK2, subK3, subK4]
• find the remaining bits through exhaustive search
Differential Power Analysis
• How does it work ?
[Figure: the curves with D=1 and their average for subKeyi, the curves with D=0 and their average for subKeyi, and the difference for subKeyi, which shows the DPA peak]
Differential Power Analysis
• example : DES first round, S-BOX output
subKi : 6 bits of the key
[Diagram: M (Message) → IPerm → L0 (32 bits), R0 (32 bits); R0 → EPerm → 6 bits x 8; Key → Shift → CPerm → Ki (6 bits); 6 bits → S-Box → 4 bits (any of them is a valid target bit); 4 bits x 8 → PPerm → L1 (32 bits), R1 (32 bits)]
Differential Power Analysis
[Figure: differential curves for a wrong subKi and for the right subKi]
Countermeasures
• Add noise
• Scramble power consumption or stabilize it
• Randomize all sensitive data variables with a fresh mask for
every execution of an algorithm
• Randomize, randomize, randomize …
• Secret keys
• Messages
• Private exponents
• Bases
• Moduli
Case study on a Combi Card
• Suppose all power consumption curves are flat and
identical despite different secret RSA exponents
(hardware countermeasure).
Electromagnetic Analysis on
RSA
• Tests require a de-capsulation of chip with semi
invasive method.
• A scanning of surface is needed to find the
« good » area where electromagnetic analysis is
possible.
• The chip is powered by contact reader
RSA Signature Algorithm
Power and Electromagnetic
[Figure: power and electromagnetic (Em) traces of the signature: first semi exponentiation (Sq), second semi exponentiation (Sp), combination]
Electromagnetic Analysis
Zoom in
[Figure: power trace and two electromagnetic traces, with one byte processed and one bit processed marked, and the Sq and Mult operations labelled
 Em1: bits 0 0 1 1 0 0 0 0, d=..30...
 Em2: bits 1 0 1 1 1 1 1 1, d=..bf...]
Radio Frequency Analysis
(Contactless Cards)
• Tests are non-invasive.
• A simple magnetic loop made with copper wire is
needed.
• An image of the magnetic field, modified by the
card’s consumption, is collected.
• The chip is powered by a contactless reader.
Equipment (1/2)
Equipment (2/2)
RSA Signature Algorithm
Radio Frequency Analysis
[Figure: RF trace of the signature: first semi exponentiation, second semi exponentiation, combination]
[Figure: zoom on first semi exponentiation, RF trace with the exponent bits read nibble by nibble, dq= ….9 73 6..]
Conclusion
• There are many potential ways to try to attack a
smart card
• But there are also many ways to counteract and
efficiently protect your secrets
• Smart Cards achieve the best possible trade-off
between cost and security
• We try to keep it that way
(Differential)
Fault Attacks
Introduction
• Fault Attacks were first published as a way of jeopardising computations of cryptographic algorithms (RSA, DSA, DES).
• However, one can imagine implementing fault attacks on other processes inside a microprocessor.
• Fault attacks are a real industrial security concern:
To pass some certification, like FIPS140-1 level 3 (US government security certification), you should prove that your system resists fault attacks.
Different types of faults
• Transient Faults.
Appear randomly in a system, have various unpredictable causes.
• Latent or Internal Faults.
Are the result of a hardware or low level software defect (floating point unit on Pentium chips,...).
Rarely controllable
• Induced Faults.
Appear after intentional stress (E2) or hardware "mutilation", can be transient or permanent.
Sometimes controllable with knowledge of the physical/chemical/electrical behaviour of the chip.
The DFA crisis: 1996
• September 96
Attack on RSA CRT by Bellcore (EuroCrypt’97)
Attack improvements by Lenstra
• October 96
18: DFA on DES by Biham and Shamir
29: Attack on RSA and ElGamal
30: DFA on unknown cryptosystems by Biham & Shamir.
«Differential Fault Analysis of Secret Key Cryptosystems»
(Crypto’97)
• November 96
Attack of CRT on LUC and Demytko by Marc Joye and JJ
Quisquater
From theory to practice
• We will detail major DFA ideas with associated countermeasures concerning:
RSA
DES
Card processes
• Note that some of these attacks do not seem really practical.
• Some others are quite realistic if the hardware can be tampered with...
Attack on standard signature
• Hypothesis:
the message m and its signature s = m^d are known
a fault is injected on one bit i of d
this results in a wrong signature s' = m^d'
Then :
s'/s = m^(d'-d) = m^(2^i) mod n if bit i was 0
or
s'/s = m^(d'-d) = m^(-2^i) mod n if bit i was 1
• One bit in random position of the secret exponent is discovered every round.
Attack on standard signature
• Faults can be induced on more than one bit, making
analysis slightly more difficult.
• This attack is compatible with transient or permanent
faults.
Recall on CRT
• The Chinese Remainder Theorem is used in RSA in order
to speed up exponentiation by a factor of 4.
• Exponentiation is performed in three steps
sp = m^d mod p is computed (in fact, dp is used)
sq = m^d mod q is computed (in fact, dq is used)
the signature is recombined with CRT as
s = a.sp + b.sq mod n,
• The constants a and b are precomputed such that
a = 1 mod p, b = 0 mod p,
a = 0 mod q, b = 1 mod q.
Attack on CRT exponentiation
• This attack was first published by Lenstra.
• Hypothesis:
s, signature of a message m is known.
a fault is injected in the exponentiation mod p.
• Due to error injection, sp becomes sp’
s’ = a.sp’ + b.sq mod n,
s’-s= (a.sp’+ b.sq) - (a.sp+ b.sq) mod n
s’-s= a.(sp’- sp) mod n
the prime q divides a and can be retrieved by Gcd.
Counter-measures on RSA
• Applicative counter-measures
Use a random padding with sufficient variability
Compute the result twice and compare
Verify that s^e = m mod n when e is known
• e is usually a small number, verification is very fast
• Algorithmic counter-measures
Gemplus counter-measure on RSA-CRT (patented) intends
to protect both half-exponentiations by:
• choosing a small random number r
• computing spr = m^d mod pr and sr = m^d mod r
• checking whether spr mod r = sr
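Added example (not from the original slides, and not the patented Gemplus counter-measure): the applicative check "verify that s^e = m mod n" placed in front of the output of a CRT signature, with a simulated fault in the half-exponentiation mod p. The toy parameters p = 61, q = 53, e = 17, d = 2753, the `fault` argument and all function names are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key, far too small for real use. */
enum { P = 61, Q = 53, N = P * Q, E = 17, D = 2753 };
/* CRT constants as on the slides: A = 1 mod p, 0 mod q; B = 0 mod p, 1 mod q. */
enum { A = 2014, B = 1220 };

static uint64_t modexp(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t r = 1 % mod;
    for (base %= mod; exp; exp >>= 1) {
        if (exp & 1)
            r = (r * base) % mod;
        base = (base * base) % mod;
    }
    return r;
}

static uint64_t gcd(uint64_t x, uint64_t y)
{
    while (y) { uint64_t t = x % y; x = y; y = t; }
    return x;
}

/* CRT signature. `fault` is XORed into sp to model an error injected in
   the exponentiation mod p (0 = no fault). */
uint64_t sign_crt(uint64_t m, uint64_t fault)
{
    uint64_t sp = modexp(m, D % (P - 1), P) ^ fault;   /* dp is used */
    uint64_t sq = modexp(m, D % (Q - 1), Q);           /* dq is used */
    return (A * sp + B * sq) % N;
}

/* What releasing a faulty s' next to a correct s gives away:
   s' - s = a.(sp' - sp) mod n, and q divides a. */
uint64_t exposed_factor(uint64_t s, uint64_t s_faulty)
{
    uint64_t diff = (s_faulty + N - s) % N;
    return gcd(diff, N);
}

/* Counter-measure: recompute m from s with the public exponent and
   release s only when it matches. Returns 0 on success, -1 otherwise;
   *out is left untouched when the check fails. */
int sign_crt_checked(uint64_t m, uint64_t fault, uint64_t *out)
{
    uint64_t s = sign_crt(m, fault);
    if (modexp(s, E, N) != m % N)
        return -1;                   /* fault detected: output nothing */
    *out = s;
    return 0;
}

int main(void)
{
    uint64_t m = 2790, s = sign_crt(m, 0), bad = sign_crt(m, 1), out = 0;
    printf("s = %llu, faulty s' = %llu\n",
           (unsigned long long)s, (unsigned long long)bad);
    printf("gcd(s' - s, n) = %llu (q = %d)\n",
           (unsigned long long)exposed_factor(s, bad), Q);
    printf("checked, no fault: %d\n", sign_crt_checked(m, 0, &out));
    printf("checked, fault:    %d\n", sign_crt_checked(m, 1, &out));
    return 0;
}
```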
DES and fault attack
• This attack was first published by Biham & Shamir.
• The idea is to:
Stress the card in order to erase key bits in E²
Record all the wrong ciphertexts
Compute backwards the initial key
• This attack remains theoretical and is based on
permanent faults.
• However, this attack can be applied to any cryptographic
algorithm.
DES and fault attack
• There are no published counter-measures against this
attack.
• The classical ways of dealing with fault attacks on secret key algorithms are:
Self-tests against permanent faults
Check-sums where available
Just Do It Twice
Card processes and fault attacks
• Fault attacks can be extended to non mathematical
processes.
• Need some knowledge about the embedded code
To synchronise stresses and computations
To localise the sensitive place where the fault should happen
To know the probable effect of the fault
• These attacks are mainly fought by hardware countermeasures.
Hardware aspects of fault attacks
• Flaw injection in this case is a process that is hard to control and to reproduce.
• Implementation is not that easy:
Stress on memories, during read/writing/retention
• By means of variations on power supply, frequency
• Through various types of radiation
Modifications on hardware mechanism
• Using probing or FIB
Buses
Random generators
Crypto-coprocessors
Hardware DES
Fault attacks and smart cards
• Need expertise in measurements and hardware to
implement efficient fault attacks.
• Smart cards give many tools to defeat fault attacks:
Tamper-evidence
• Security sensors, security mechanisms
Software counter-measures
• On algorithms, on secret storage
• GEMPLUS is actually researching on that topic, covering
attack implementation and counter-measures.
Hardware
Security
Attacks on Smart Cards
Wide range of techniques, requiring
various skills, equipment and time:
• Invasive Attacks
• Side Channel Attacks
• Fault Generation
• INVASIVE ATTACK: when the card or the chip is physically and irreversibly modified, the attack can be considered an invasive attack.
• Find useful additional information
• Find secret etched in silicon
• Bypass hardware counter-measure
Side Channel Attacks
Monitor analog signals on all
interfaces, and analyze:
• Time
• Power
• Electromagnetic
signals
• ...
Fault Generation
Apply combinations of
environmental conditions
• Vcc
• Clock
• Temperature
• UV
• Light
• X-Rays
• ...
[Diagram labels: key, input, error]
and bypass or infer secrets
Smart card attacks : state of the art
Smart card attack : Physical Security
Invasive Attacks
Deposit probe pads on a bus
Deposit probe pads through conductive grid
Expose hardwired ROM links
Defeat blown fuse links
Connect tracks
Cut tracks
Mechanical Probing
• Probe the bus with needles and probe station with micro-manipulators
Probe the bus directly (for >0.5µm technologies)
After FIB modification: pads added to probe buried buses
[Diagram labels: DATA BUS, Si]
E-beam Probing
• Use e-beam tester to access submicron technologies
• Analysis of the secondary electrons gives the voltage value
• Top metal layers can be probed with or without adding probe pad with FIB
[Diagram labels: e-beam, detector, e- (secondary electrons), DATA BUS, SI]
Reverse ROM content
• Reverse the content of the ROM
Remove the top layers of the component by chemical
etching or mechanical polishing
Use a microscope to retrieve the content of the ROM
Can always be done for ROM metal, implant or diffusion
The difficulty is: reverse the scrambling and decipher the
ROM array
ROM Diffusion
[Figure labels: ground connections; row access (polysilicon); column access (metal)]
Attack on ROM : Diffusion MOS
NOR ROM
• Remove the top layers
• Read the content of the array
[Figure: array read along the word line (WL), example contents 0 0 0 1 and 1 1 1 1]
ROM IMPLANT
[Figure: ionic implantation ROM at low level]
[Figure: implantation ROM after staining]
Example 2: Metal ROM
[Figure: metal ROM, unused area filled with '0']
Chip feature modifications
• Shunt parts of the circuit
Disconnect sensors
• Fault attacks, Contrast Voltage...
Disconnect the RNG
• modify the output of the RNG (stuck at the same value)
Reconstruct polysilicon fuse
• Make probing possible to tap data on the bus
Bypass active shield
Add probe pads
Drill holes to probe buried metal lines
Circuit modification
• Connect or disconnect security mechanism
disconnect sensors
RNG stuck at a fixed value
Reconstruct poly-silicon fuse
[Figure labels: metal strap, cut]
• Add probe pads
make micro-probing of the buried layers possible
• Equipment
Laser
FIB
Chip modification tools
• Laser
Local material removal, cut lines
• only top layers
• bad resolution (2x2µm min)
Availability: FA labs, university
• FIB (Focused Ion Beam)
remove or cut metal lines
good resolution & accuracy (10nm)
metal deposition (strap lines, add pads)
can reach buried layers
Layout analysis
[Figure: two chip layouts compared; block labels EEPROM, ROM, RAM, CPU
 One chip:
 • Blocks can be easily identified
 • No shield
 • No glue logic
 • Buses clearly visible
 Other chip:
 • Shield
 • Glue logic
 • No Buses visible]
After metal removing
(0.18 µm)
Hardware security feature evolution
[Timeline figure with years 1996, 1998, 2000, 2002. Labels:
 Technology: 1 µm technology; 0.6 µm technology; 0.35 µm technology; 0.18 µm technology
 Metal layers: 2 metal layers; 3 metal layers; 5 metal layers; 5 metal layers
 CPU: 8 bit CPU; 16-bit CPU; 32-bit CPU; CPU Freq = 5 MHz; CPU Freq = 10 MHz; CPU Freq = 16 MHz; CPU Freq = 66 MHz
 Sensors: Frequency, Voltage; Integrity sensor; UV, Light sensors; Temperature, Glitch sensors; Sensor improvement
 Shields: Passive shield; Active shield
 Other: ROM encryption; Fast Erase of memory; Internal free oscillator (twice); Glue logic; Complemented logic; Dynamic encryption; Dummy cycles; Encryption of Memories]
Chip Security Features
• The following items are carefully analyzed :
Security Sensors
Clock
Reset
Design & Layout
ROM, RAM, EEPROM
CPU
Buses
RNG
Memory Management Unit
Crypto Coprocessor
...
Security Sensors
protect against …
• Voltage: fault attacks
• Frequency: fault attack, contrast voltage
• Temperature: fault attack
• UV: fault attack
• Light: fault attack, invasive attack
• Physical Integrity Sensors: invasive attack
Clock
• Internal Clock based on free running oscillator
• PLL/Multiplier/Divider
• Use external clock for I/O and Timer only
• Interesting against Side-Channel and Fault attacks
Design & Layout
• Planarization is recommended
• The smaller the techno, the better (0.18 µm)
• The more metal layers, the better (5)
• No accessible test pads
• Sensitive parts should be in low and separate levels
• Block connections should not be obvious (local buses)
• Glue logic should be used
RAM
• Dynamic Ciphering: Side-Channel attacks
• @ and Data dynamic scrambling: Invasive and Fault
attacks
• Fast Erase: Fault attacks
Non Volatile Memory
(EEprom, Flash)
• Ciphering
• @ and Data scrambling
• Automatic verify
• Checksum
• Error Correction Code
• Independent charge pump
Buses
• Ciphering: Side-channel and Invasive attacks
• Scrambling: Invasive and Fault attacks
• Should be in low and separate levels: Invasive attacks
RNG
• RNG: is the basis of many HW and SW security
measures
• Should be carefully checked with several external
conditions (Vcc, Temp, etc...)
• User application code should handle the RNG correctly
(enough delay, refresh)
CONCLUSION
• Current platforms require additional SW Security
Measures
• HW Security Measures or Designs are to be the right
mid-term solutions, for performance reasons: e.g. SW
DES = 30 ms, HW DES within few µs
• Chips provide different solutions and security levels