15 octobre 2015 1 attacks on smart cards: an introduction lyrics– may 28th, 2015 philippe andouard...
TRANSCRIPT
19 avril 2023 1
Attacks on smart cards: an introduction
Lyrics– May 28th, 2015
Philippe Andouard
19 avril 2023 2
• Introduction• Passive analysis• Active analysis• Conclusion
Overview
19 avril 2023 3
• Introduction• Passive analysis• Active analysis• Conclusion
Overview
19 avril 2023 4
Unsecure Communication
Come to see my latest invention!
See you at 3pm at the library.
Gaston
Come to see my latest invention!
See you at 3pm at the library.
Gaston
19 avril 2023 5
Confidential Communication
Come to see my latest invention!
See you at 3pm at the library.
Gaston
Come to see my latest invention!
See you at 3pm at the library.
Gaston
Decryption
8!9g1gofj nù@f s54d sfkj*ndf
vnze88kd ^vssv3s8df15m%µ$4&’8(6-d_sf_s
8!9g1gofj nù@f s54d sfkj*ndf
vnze88kd ^vssv3s8df15m%µ$4&’8(6-d_sf_s
Encryption
19 avril 2023 6
Traditional Cryptanalysis
PlaintextEncryption
Ciphertext
19 avril 2023 7
Traditional Cryptanalysis
Plaintext CiphertextBlack Box
Find from (plaintext, ciphertext)
19 avril 2023 8
Attacks on smart cards
Plaintext CiphertextFaultyCiphertext
19 avril 2023 9
Two ways of performing attacks
• Passive Analysis (or Side Channel Attacks)– Observe the behaviour of the chip– Use the physical properties of the component : variation of timing (TA), consumption (PA),
radio frequency field (RFA) or electromagnetic radiations (EMA).
• Active Analysis (or Fault Attacks)– Disturbance of some variables in order to obtain information on sensitive values– Disturbance of code execution to force the chip to execute some forbidden operations or
to skip some sensitive ones.– Use the physical properties of the component : electrical disturbances (glitch), light, heat,
electromagnetic radiation
19 avril 2023 10
Three ways of physically attacking a smart card
• Non invasive attacks : the smart card is not damaged– Advantages :
• Fast to implement• The card can be returned to the owner without noticing• The card is still functional
– Disadvantage :• Limit the number of possible attacks
• Semi-invasive attacks : the packaging is modified, the chip is exposed.– Advantages :
• Remains inexpensive: household products can remove the plastic layer and the epoxy resin.
• Quite fast to implement• The card is still functional
– Disadvantage :• Can hardly be concealed from the cardholder.
• Invasive attacks : the packaging is destroyed, the physical integrity of the chip is modified:
– Advantage :• With time, can break any system.
– Disadvantages :• Very costly : laboratory equipment and a strong design expertise.• The chip will no longer be functional in most cases.• Can take a very long time.
19 avril 2023 11
Passive Analysis Active Analysis
Non invasive attacks TA, PA, RFA Glitch and EM attacks
Semi invasive attacks EMA Light attacks
Invasive attacks FIB, reverse engineering, etc…
Summary
19 avril 2023 12
Overview
• Introduction• Passive analysis
• Introduction• Simple Analysis• Differential Analysis
• Active analysis• Conclusion
19 avril 2023 13
Passive Analysis: a bit of history
• Passive attacks have been used for a long time by secret services• This phenomena has been observed for the first time in 1943 :
– Bell Telephone provided Army and Navy encrypted teletype terminal but…• Spike appeared on a freestanding oscilloscope each time a letter was
encrypted.• The shape of the spike provides the corresponding letter!
– So Bell told the Army which asked for proof:• The Bell engineers were place in a building across the street and 80
feet away was Signal Corps Cryptocenter in New York. • After 1 hour of recording and 4 hours of analysis, 75% of the plaintext
was recovered.
19 avril 2023 14
Passive Analysis: a bit of history
• First published exploitation: 1956: MI5 tries to break encryption used by Egyptian embassy
• Encryption system: Hagelin
• Every morning, the position of the 7 wheels are re-initialised• MI5 Peter Wright suggested to put a microphone into the cipher room• Noise produced during the initialisation allows MI5 to recover the position
of the wheels.• This supplemental information was enough for the English cryptanalysts
to break the encryption.
19 avril 2023 15
• First publication for smart card environment : 1996 • Three main kinds of passive attacks:
– Timing Attacks– Power Analysis– Electromagnetic Analysis
Passive Analysis
19 avril 2023 16
Passive Analysis
• Principle: time execution of a command is dependent on the number of operations performed inside the chip
Question
Answer
Time difference
19 avril 2023 17
• How to measure the time execution of a command?
Timing attacks
19 avril 2023 18
Timing attacks: Example
PIN verification :
19 avril 2023 1919/04/23© Oberthur Technologies
2013
No byte identical
NOK
1st byte identical
NOK
First 2 bytes identical
NOK
First 3 bytes identical
NOK
All bytes identical
OK
Timing attacks: Example
19 avril 2023 20
• The power consumption and the electromagnetic radiations of the card are dependent on:– the instructions performed inside the chip– the values of the variables manipulated by these instructions
Power and Electromagnetic attacks: Principle
19 avril 2023 21
Power Attacks
• How to measure the power consumption of the card?
19 avril 2023 22
• How to measure the power consumption of the card?
Power Attacks
19 avril 2023 23
Electromagnetic Attacks
• How to measure the electromagnetic radiations of the card?
19 avril 2023 24
• How to measure the electromagnetic radiations of the card?
Electromagnetic Attacks
19 avril 2023 25
• Power analysis allows us to observe the behaviour of the whole chip
• Whereas electromagnetic analysis allows us to observe the behaviour of a very small part of the chip
The latter is very useful when analyzing specific parts of the chip such as the hardware DES
Power vs. Electromagnetic Attacks
19 avril 2023 26
Power vs. Electromagnetic Attacks
19 avril 2023 27
Electromagnetic Attacks
• Advantage: gives two dimensions for the analysis
• Inconvenient: measurement more difficult than power analysis due to the parameter of the localisation of the probe on the surface of the chip
19 avril 2023 28
In the contactless environment
Smart card contactless
reader
Substract
19 avril 2023 29
PA RFA
PA vs. RFA
19 avril 2023 30
• Divided into two groups:– Simple analysis
• Obtain information through direct interpretation of one measurement curve
– Differential analysis• Used when the noise is too important to obtain direct
information• Applied statistical analysis allowing us to find the low
correlation between the secret stored inside the card and the power consumption or the electromagnetic radiations
Power and Electromagnetic Attacks
19 avril 2023 31
Overview
• Introduction• Passive analysis
• Introduction• Simple Analysis• Differential Analysis
• Active analysis• Conclusion
19 avril 2023 32
Simple Analysis
• Try to obtain information about the operations process into the card as well as the values of the manipulated variables
• We can distinguish two kinds of simple analysis:– Attacks which try to observe an event which
depends of the value of a secret key– Attacks which try to obtain directly information
about the values of the secret variables
19 avril 2023 33
Simple Analysis: 1st kind
19 avril 2023 34
• Simple Analysis which observes an event : attacking RSA decryption:
Simple Analysis: 1st kind
0 1 0 1 0 1 0 0 0 0 0 0 1 1 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 0 0 1 0 0 1 1
19 avril 2023 35
• Counteracting Simple Analysis during RSA decryption:
Simple Analysis: 1st kind
19 avril 2023 36
• Simple Analysis which observes an event : Can also be used to do reverse engineering
Simple Analysis: 1st kind
19 avril 2023 37
• Sometimes, the difference of behaviour when manipulating a 0x00 or a 0xFF can’t be observed by using only one measurement
Use Differential Analysis!
Simple Analysis: 2nd kind
19 avril 2023 38
• Introduction• Passive analysis
• Introduction• Simple Analysis• Differential Analysis
• Active analysis• Conclusion
Overview
19 avril 2023 39
Differential analysis
Statistical treatment
Several measurements
Secret key
19 avril 2023 40
Differential analysis: Principle
19 avril 2023 41
Differential analysis: Principle
Key HypothesisModelisation of physical module
Choose a variable Hypothesis (subkey) Message
Hypothetical value of the manipulated variable
Hypothesis (Power consumption model)
Hypothetical consumption of the manipulated value
19 avril 2023 42
Differential analysis: Principle
Key HypothesisModelisation of physical module
Statistical treatment
Decision
Hypothetical power consumption of a value manipulated by the module
19 avril 2023 43
• Step 1: Measurements of the card’s behaviour for several inputs
…
Message 1 Message 2 Message n-1 Message n
Message n°i
Example with Distance Of Means (DOM)
19 avril 2023 44
Message 1Message 2Message 3 Partitioning
Group 0 Group 1
– Step 2: For each possible value for the secret key:• Step 2.1: Create two groups depending of a value manipulated by the algorithm:
SboxFor instance use the
lsb :Message i
Example with Distance Of Means (DOM)
• Step 2.2: Compute the distance of means :
19 avril 2023 45
Example with Distance Of Means (DOM)
– For the correct subkey • Group 0 contains curves representing the manipulation of values with lsb = 0• Group 1 contains curves representing the manipulation of values with lsb = 1Mean of Group 1 > Mean of Group 0A difference will appear when computing the distance of means
– For the other hypotheses • Group 0 contains half of the curves randomly selected• Group 1 contains the other halfMean of Group 1 ≈ Mean of Group 0No difference will appear when computing the distance of means
19 avril 2023 46
Example with Distance Of Means (DOM)
Correlation with correct hypothesis
Correlation with wrong hypothesis
19 avril 2023 47
Message n°i
• Step 1: Measurements of the card’s behaviour for several inputs
…
Message 1 Message 2 Message n-1 Message n
Example with Pearson Coefficient
19 avril 2023 48
– Step 2: For each possible value for the secret key:• Step 2.1: Predict the corresponding consumption of the card when manipulating a
sensitive value
P1
P2
…
Sbox
Example with Pearson Coefficient
Hypothesis on the card power
consumptionPi
19 avril 2023 49
Example with Pearson Coefficient
• Step 2.2: Compute the linear dependency between curves Ci and predictions Pi:
• Coefficient will be maximal for the correct hypothesis
P1
P2
…
C2
Pn
Cn
C1
19 avril 2023 50
Wich varibales can be targeted by differential analysis?
SubBytes ShiftRows MixColumns
19 avril 2023 51
Differential analysis: countermeasures
• Main countermeasures against SCA:– Add noise: Increase the global consumption / radiation of the chip:
• Activate the various hardware modules even if they are not used:– DES, AES, RSA, RNG
19 avril 2023 52
Differential analysis: countermeasures
• Add desynchronisation:– Hardware: variable clock, random dummy instructions, …– Software: random loops, ...
19 avril 2023 53
Differential analysis: countermeasures
… …
19 avril 2023 54
Differential analysis: countermeasures
19 avril 2023 55
Differential analysis: countermeasures
19 avril 2023 56
Differential analysis: countermeasures
19 avril 2023 57
Differential analysis: countermeasures
19 avril 2023 58
• Introduction• Passive analysis• Active analysis
– Introduction– Attack during key transfer– Attack on CRT RSA– Attack on DES– Attack on AES
• Conclusion
Overview
19 avril 2023 59
Active analysis: a bit of history
• Could be used for a long time but no proof until 1993• Some teenagers used
• Also work on video game stations• But manufacturers included piezo detectors • Nowadays, it could work on food distributors, coffee machines, electrical
gates, …
+or = Free credits
19 avril 2023 60
• Objective :– Retrieving some sensitive information by using
• Faulty outputs• Unauthorized results
• How : Generate faults during code execution – Electrical disturbances (glitchs)– Light disturbances – Electromagnetic disturbances
Active analysis
19 avril 2023 61
Glitch attacks
VccRstClk
Gnd
Erroneous behaviour !!!
3V
0V
0V
3V
19 avril 2023 62
Silicon is sensitive to light
Energy
Conductance band
Valence band
Gap
e h
x
Iphoto
Photoelectric current :
19 avril 2023 63
NMOS PMOS
BULK
N N
NP
P P
VCCVCC
‘1’ ‘0’
VCC
GND
• The most conductive transistor impose his output.
e-
Unknown state
Unknown State
Silicon is sensitive to light
19 avril 2023 64
Backside Frontside
Die preparation
19 avril 2023 65
Frontside attack
19 avril 2023 66
Backside attack
19 avril 2023 67
Backside attack
19 avril 2023 68
• High energy level is available (several Joules) and illumination can be easily adjusted by moving the lamp up or down
• The flash can be triggered at a precise time by an external signal• The component’s area to illuminate can be selected by masking with paint
other areas
EDSI light attack bench at the beginning of the 2000’s
19 avril 2023 69
EDSI light attack bench in 2006
19 avril 2023 70
The micro-packs light attack bench in 2007
19 avril 2023 71
Fault modeling
0 1 1 0 1 0 11 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1
1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1
0
0
1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0
0 1 1 0 1 0 1
0 1 1 0 1 0 1
1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1
1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1
Can impact :
• Error:• Location : bit / byte / word (16-32 bits) / full
19 avril 2023 72
0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1
1 1 1 1 1 1 1 1 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1
0 1 0 1 0 0 0 1 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1
With an error on 1 byte, we can obtain :
1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1
• Error:• Location : bit / byte / word (16-32 bits) / full• Modification : stuck-at 0 / stuck-at 1 / random
Fault modeling
19 avril 2023 73
Fault modeling
0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1
1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 0 0 0 0 0 0
With an stuck-at 0 error on 1 byte, we can obtain :
1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1
1 0 0 1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 0 1
• Error:• Location : bit / byte / word (16-32 bits) / full• Modification : stuck-at 0 / stuck-at 1 / random• Time : chosen / period of time more or less precise
19 avril 2023 74
Statistical treatmentSeveral couples
correct / faulty outputsSecret key
(0x8E..46, 0x74…54)
(0x8E..46, 0x96…BC)
(0x8E..46, 0xAB…EC)
…
Differential Fault Analysis
19 avril 2023 75
• Introduction• Passive analysis• Active analysis
– Introduction– Attack during key transfer– Attack on CRT RSA– Attack on DES– Attack on AES
• Attacking smart card applications• JIL quotation
Overview
19 avril 2023 76
• A DES key is transferred from EEPROM to RAM• A part of the key is set to 0 (stuck at fault model)
• Exhaustive search on C7 amongst 256 possibilities to recover K7
• By using K7, exhaustive search on C6 amongst 256 possibilities to recover K6
• And so on…• Countermeasure: add a checksum to the key
Attack during key transfer
19 avril 2023 77
Attack during key transfer
19 avril 2023 78
• Introduction• Passive analysis• Active analysis
– Introduction– Attack during key transfer– Attack on CRT RSA– Attack on DES– Attack on AES
• Attacking smart card applications• JIL quotation
Overview
19 avril 2023 79
Instead of computing straightforwardly
Active analysis: RSA-CRT
19 avril 2023 80
Active analysis: RSA-CRT
19 avril 2023 81
Active analysis: RSA-CRT
19 avril 2023 82
• How to counteract such a powerful attack?• The easiest solution is to verify the signature by using the public
exponent:Se = m mod N ?
• However e is not always available in practice…
Active analysis: RSA-CRT
19 avril 2023 83
Active analysis: RSA-CRT
19 avril 2023 84
Active analysis: RSA-CRT
19 avril 2023 85
Active analysis: RSA-CRT
19 avril 2023 86
A Countermeasure against one physical cryptanalysis may benefit another attack:
• If attack detected : bit = 0Else bit = 1
Active analysis: RSA-CRT
19 avril 2023 87
• Introduction• Passive analysis• Active analysis
– Introduction– Attack during key transfer– Attack on CRT RSA– Attack on DES– Attack on AES
• Attacking smart card applications• JIL quotation
Overview
19 avril 2023 88
Active analysis: DES
19 avril 2023 89
Active analysis: DES
19 avril 2023 90
Active analysis: DES
19 avril 2023 91
Active analysis on DES: fault on the last round
19 avril 2023 92
Active analysis on DES: fault on the last round
19 avril 2023 93
• Countermeasure:– Perform the DES twice and compare the corresponding
results.
DES
M
DES
=?
C C
DES
M
DES-1
=?
C’
Active analysis : DES
19 avril 2023 94
• Conclusion:– DES can be broken by using DFA– The most efficient attacks:
• In terms of errors: only requires 2 faulty ciphertexts with fault injected during round 14
• In terms of rounds : works if faults are injected from round 10
Active analysis : DES
19 avril 2023 95
• Introduction• Passive analysis• Active analysis
– Introduction– Attack during key transfer– Attack on CRT RSA– Attack on DES– Attack on AES
• Conclusion
Overview
19 avril 2023 96
• 16-byte block cipher using a 128, 192 or 256-bit key.
Active analysis : AES
19 avril 2023 97
Active analysis : AES (SubBytes)
19 avril 2023 98
Active analysis : AES (ShiftRows)
19 avril 2023 99
Active analysis : AES (MixColumns)
19 avril 2023 100
Active analysis : AES (AddRoundKey)
19 avril 2023 101
Active analysis : AES
19 avril 2023 102
MC
K9
SB SR
K10
MC
K9
SB SR
K10
SB-1 SR-1
SB-1 SR-1 K10 ?
K10 ?
Ciphertext
4 bytes
• If our guess on 4 bytes of K10 is correct, then must belong to
Active analysis : AES
19 avril 2023 103
Active analysis : AES
Description of the statistical analysis:– Guess 4 bytes of K10
– From C and Ĉ, compute .– If belongs to then indicates the guess as a possible value for the
correct subkey, otherwise discard our guess.– With 1 faulty ciphertext, the number of possible values for the
corresponding 4 bytes of K10 will be reduced to 210, since # = 210 .
– With 2 faulty ciphertexts with faults induced on the same column, the corresponding 4 bytes of K10 will be uniquely identified with high probability.
19 avril 2023 104
MC
K9
SB SR
K10
Belong to ?
Active analysis : AES
19 avril 2023 105
MC
K9
SB SR
K10
Belong to ?
Active analysis : AES
19 avril 2023 106
MC
K9
SB SR
K10
Belong to ?
K8
MCSB
SR
Active analysis : AES (Advanced attacks)
19 avril 2023 107
• Countermeasure:– Same as DES
• Conclusion:– AES can be broken by using DFA– The most efficient attacks:
• In terms of errors: – 128 bits: 1 faulty ciphertext– 192 bits: 2 faulty ciphertexts– 256 bits: 3 faulty ciphertexts
• In terms of rounds : works if faults are injected during round r-4
Active analysis : AES
19 avril 2023 108
Conclusion
• Overview of attacks on smartcards• Attacks presented here are “standard”
• More powerfull attacks exist• Passive: template, high order• Active: multiple laser sources, FIB
• These attacks are for real and must not be underestimated !
• If quantum cryptography does not solve these problems then we have work for the next decade!
19 avril 2023 110110
NVM or ROM{…
MOV A,toto
XRL A,#02H
JZ label1
INC toto
label1 :
MOV DCNTRL,#032H …}
PC
PC’
JZ titi
JZ label1 MOV R0, label1
if(toto != 2)
toto ++;
DCNTRL = 0x32;
• To understand a disturbance : think in assembly
Consequence of a fault
JZ label1
19 avril 2023 111
Active analysis on DES: fault before the last round
19 avril 2023 112
Active analysis on DES: fault on middle rounds
19 avril 2023 113
Active analysis on DES: fault on middle rounds
19 avril 2023 114
MC
K9
SB SR
K10
Belong to ?
K8
MCSB
SR
Active analysis : AES (Advanced attacks)