15 octobre 2015 1 attacks on smart cards: an introduction lyrics– may 28th, 2015 philippe andouard...

19 avril 2023 1

Attacks on smart cards: an introduction

Lyrics– May 28th, 2015

Philippe Andouard

[email protected]

19 avril 2023 2

• Introduction• Passive analysis• Active analysis• Conclusion

Overview

19 avril 2023 3

• Introduction• Passive analysis• Active analysis• Conclusion

Overview

19 avril 2023 4

Unsecure Communication

Come to see my latest invention!

See you at 3pm at the library.

Gaston



Gaston

19 avril 2023 5

Confidential Communication



Gaston



Gaston

Decryption

8!9g1gofj nù@f s54d sfkj*ndf

vnze88kd ^vssv3s8df15m%µ$4&’8(6-d_sf_s

8!9g1gofj nù@f s54d sfkj*ndf

vnze88kd ^vssv3s8df15m%µ$4&’8(6-d_sf_s

Encryption

19 avril 2023 6

Traditional Cryptanalysis

PlaintextEncryption

Ciphertext

19 avril 2023 7

Traditional Cryptanalysis

Plaintext CiphertextBlack Box

Find from (plaintext, ciphertext)

19 avril 2023 8

Attacks on smart cards

Plaintext CiphertextFaultyCiphertext

19 avril 2023 9

Two ways of performing attacks

• Passive Analysis (or Side Channel Attacks)– Observe the behaviour of the chip– Use the physical properties of the component : variation of timing (TA), consumption (PA),

radio frequency field (RFA) or electromagnetic radiations (EMA).

• Active Analysis (or Fault Attacks)– Disturbance of some variables in order to obtain information on sensitive values– Disturbance of code execution to force the chip to execute some forbidden operations or

to skip some sensitive ones.– Use the physical properties of the component : electrical disturbances (glitch), light, heat,

electromagnetic radiation

19 avril 2023 10

Three ways of physically attacking a smart card

• Non invasive attacks : the smart card is not damaged– Advantages :

• Fast to implement• The card can be returned to the owner without noticing• The card is still functional

– Disadvantage :• Limit the number of possible attacks

• Semi-invasive attacks : the packaging is modified, the chip is exposed.– Advantages :

• Remains inexpensive: household products can remove the plastic layer and the epoxy resin.

• Quite fast to implement• The card is still functional

– Disadvantage :• Can hardly be concealed from the cardholder.

• Invasive attacks : the packaging is destroyed, the physical integrity of the chip is modified:

– Advantage :• With time, can break any system.

– Disadvantages :• Very costly : laboratory equipment and a strong design expertise.• The chip will no longer be functional in most cases.• Can take a very long time.

19 avril 2023 11

Passive Analysis Active Analysis

Non invasive attacks TA, PA, RFA Glitch and EM attacks

Semi invasive attacks EMA Light attacks

Invasive attacks FIB, reverse engineering, etc…

Summary

19 avril 2023 12

Overview

• Introduction• Passive analysis

• Introduction• Simple Analysis• Differential Analysis

• Active analysis• Conclusion

19 avril 2023 13

Passive Analysis: a bit of history

• Passive attacks have been used for a long time by secret services• This phenomena has been observed for the first time in 1943 :

– Bell Telephone provided Army and Navy encrypted teletype terminal but…• Spike appeared on a freestanding oscilloscope each time a letter was

encrypted.• The shape of the spike provides the corresponding letter!

– So Bell told the Army which asked for proof:• The Bell engineers were place in a building across the street and 80

feet away was Signal Corps Cryptocenter in New York. • After 1 hour of recording and 4 hours of analysis, 75% of the plaintext

was recovered.

19 avril 2023 14

Passive Analysis: a bit of history

• First published exploitation: 1956: MI5 tries to break encryption used by Egyptian embassy

• Encryption system: Hagelin

• Every morning, the position of the 7 wheels are re-initialised• MI5 Peter Wright suggested to put a microphone into the cipher room• Noise produced during the initialisation allows MI5 to recover the position

of the wheels.• This supplemental information was enough for the English cryptanalysts

to break the encryption.

19 avril 2023 15

• First publication for smart card environment : 1996 • Three main kinds of passive attacks:

– Timing Attacks– Power Analysis– Electromagnetic Analysis

Passive Analysis

19 avril 2023 16

Passive Analysis

• Principle: time execution of a command is dependent on the number of operations performed inside the chip

Question

Answer

Time difference

19 avril 2023 17

• How to measure the time execution of a command?

Timing attacks

19 avril 2023 18

Timing attacks: Example

PIN verification :

19 avril 2023 1919/04/23© Oberthur Technologies

2013

No byte identical

NOK

1st byte identical

NOK

First 2 bytes identical

NOK

First 3 bytes identical

NOK

All bytes identical

OK

Timing attacks: Example

19 avril 2023 20

• The power consumption and the electromagnetic radiations of the card are dependent on:– the instructions performed inside the chip– the values of the variables manipulated by these instructions

Power and Electromagnetic attacks: Principle

19 avril 2023 21

Power Attacks

• How to measure the power consumption of the card?

19 avril 2023 22

• How to measure the power consumption of the card?

Power Attacks

19 avril 2023 23

Electromagnetic Attacks

• How to measure the electromagnetic radiations of the card?

19 avril 2023 24

• How to measure the electromagnetic radiations of the card?


19 avril 2023 25

• Power analysis allows us to observe the behaviour of the whole chip

• Whereas electromagnetic analysis allows us to observe the behaviour of a very small part of the chip

The latter is very useful when analyzing specific parts of the chip such as the hardware DES

Power vs. Electromagnetic Attacks

19 avril 2023 26

Power vs. Electromagnetic Attacks

19 avril 2023 27


• Advantage: gives two dimensions for the analysis

• Inconvenient: measurement more difficult than power analysis due to the parameter of the localisation of the probe on the surface of the chip

19 avril 2023 28

In the contactless environment

Smart card contactless

reader

Substract

19 avril 2023 29

PA RFA

PA vs. RFA

19 avril 2023 30

• Divided into two groups:– Simple analysis

• Obtain information through direct interpretation of one measurement curve

– Differential analysis• Used when the noise is too important to obtain direct

information• Applied statistical analysis allowing us to find the low

correlation between the secret stored inside the card and the power consumption or the electromagnetic radiations

Power and Electromagnetic Attacks

19 avril 2023 31

Overview




19 avril 2023 32

Simple Analysis

• Try to obtain information about the operations process into the card as well as the values of the manipulated variables

• We can distinguish two kinds of simple analysis:– Attacks which try to observe an event which

depends of the value of a secret key– Attacks which try to obtain directly information

about the values of the secret variables

19 avril 2023 33

Simple Analysis: 1st kind

19 avril 2023 34

• Simple Analysis which observes an event : attacking RSA decryption:


0 1 0 1 0 1 0 0 0 0 0 0 1 1 1 0 0 0 1 1 1 1 0 1 0 1 1 0 0 0 0 1 0 0 1 1

19 avril 2023 35

• Counteracting Simple Analysis during RSA decryption:


19 avril 2023 36

• Simple Analysis which observes an event : Can also be used to do reverse engineering


19 avril 2023 37

• Sometimes, the difference of behaviour when manipulating a 0x00 or a 0xFF can’t be observed by using only one measurement

Use Differential Analysis!

Simple Analysis: 2nd kind

19 avril 2023 38




Overview

19 avril 2023 39

Differential analysis

Statistical treatment

Several measurements

Secret key

19 avril 2023 40

Differential analysis: Principle

19 avril 2023 41


Key HypothesisModelisation of physical module

Choose a variable Hypothesis (subkey) Message

Hypothetical value of the manipulated variable

Hypothesis (Power consumption model)

Hypothetical consumption of the manipulated value

19 avril 2023 42


Key HypothesisModelisation of physical module

Statistical treatment

Decision

Hypothetical power consumption of a value manipulated by the module

19 avril 2023 43

• Step 1: Measurements of the card’s behaviour for several inputs

…

Message 1 Message 2 Message n-1 Message n

Message n°i

Example with Distance Of Means (DOM)

19 avril 2023 44

Message 1Message 2Message 3 Partitioning

Group 0 Group 1

– Step 2: For each possible value for the secret key:• Step 2.1: Create two groups depending of a value manipulated by the algorithm:

SboxFor instance use the

lsb :Message i


• Step 2.2: Compute the distance of means :

19 avril 2023 45


– For the correct subkey • Group 0 contains curves representing the manipulation of values with lsb = 0• Group 1 contains curves representing the manipulation of values with lsb = 1Mean of Group 1 > Mean of Group 0A difference will appear when computing the distance of means

– For the other hypotheses • Group 0 contains half of the curves randomly selected• Group 1 contains the other halfMean of Group 1 ≈ Mean of Group 0No difference will appear when computing the distance of means

19 avril 2023 46


Correlation with correct hypothesis

Correlation with wrong hypothesis

19 avril 2023 47

Message n°i

• Step 1: Measurements of the card’s behaviour for several inputs

…

Message 1 Message 2 Message n-1 Message n

Example with Pearson Coefficient

19 avril 2023 48

– Step 2: For each possible value for the secret key:• Step 2.1: Predict the corresponding consumption of the card when manipulating a

sensitive value

P1

P2

…

Sbox


Hypothesis on the card power

consumptionPi

19 avril 2023 49


• Step 2.2: Compute the linear dependency between curves Ci and predictions Pi:

• Coefficient will be maximal for the correct hypothesis

P1

P2

…

C2

Pn

Cn

C1

19 avril 2023 50

Wich varibales can be targeted by differential analysis?

SubBytes ShiftRows MixColumns

19 avril 2023 51

Differential analysis: countermeasures

• Main countermeasures against SCA:– Add noise: Increase the global consumption / radiation of the chip:

• Activate the various hardware modules even if they are not used:– DES, AES, RSA, RNG

19 avril 2023 52


• Add desynchronisation:– Hardware: variable clock, random dummy instructions, …– Software: random loops, ...

19 avril 2023 53


… …

19 avril 2023 54


19 avril 2023 55


19 avril 2023 56


19 avril 2023 57


19 avril 2023 58

• Introduction• Passive analysis• Active analysis

– Introduction– Attack during key transfer– Attack on CRT RSA– Attack on DES– Attack on AES

• Conclusion

Overview

19 avril 2023 59

Active analysis: a bit of history

• Could be used for a long time but no proof until 1993• Some teenagers used

• Also work on video game stations• But manufacturers included piezo detectors • Nowadays, it could work on food distributors, coffee machines, electrical

gates, …

+or = Free credits

19 avril 2023 60

• Objective :– Retrieving some sensitive information by using

• Faulty outputs• Unauthorized results

• How : Generate faults during code execution – Electrical disturbances (glitchs)– Light disturbances – Electromagnetic disturbances

Active analysis

19 avril 2023 61

Glitch attacks

VccRstClk

Gnd

Erroneous behaviour !!!

3V

0V

0V

3V

19 avril 2023 62

Silicon is sensitive to light

Energy

Conductance band

Valence band

Gap

e h

x

Iphoto

Photoelectric current :

19 avril 2023 63

NMOS PMOS

BULK

N N

NP

P P

VCCVCC

‘1’ ‘0’

VCC

GND

• The most conductive transistor impose his output.

e-

Unknown state

Unknown State

Silicon is sensitive to light

19 avril 2023 64

Backside Frontside

Die preparation

19 avril 2023 65

Frontside attack

19 avril 2023 66

Backside attack

19 avril 2023 67

Backside attack

19 avril 2023 68

• High energy level is available (several Joules) and illumination can be easily adjusted by moving the lamp up or down

• The flash can be triggered at a precise time by an external signal• The component’s area to illuminate can be selected by masking with paint

other areas

EDSI light attack bench at the beginning of the 2000’s

19 avril 2023 69

EDSI light attack bench in 2006

19 avril 2023 70

The micro-packs light attack bench in 2007

19 avril 2023 71

Fault modeling

0 1 1 0 1 0 11 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1

1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1

0

0

1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0

0 1 1 0 1 0 1

0 1 1 0 1 0 1

1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1

1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1

Can impact :

• Error:• Location : bit / byte / word (16-32 bits) / full

19 avril 2023 72

0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1

1 1 1 1 1 1 1 1 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1

0 1 0 1 0 0 0 1 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1

With an error on 1 byte, we can obtain :

1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1

• Error:• Location : bit / byte / word (16-32 bits) / full• Modification : stuck-at 0 / stuck-at 1 / random

Fault modeling

19 avril 2023 73

Fault modeling

0 0 0 0 0 0 0 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1

1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 0 0 0 0 0 0

With an stuck-at 0 error on 1 byte, we can obtain :

1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 1 0 0 1 1 0 1 0 1

1 0 0 1 1 0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 0 1

• Error:• Location : bit / byte / word (16-32 bits) / full• Modification : stuck-at 0 / stuck-at 1 / random• Time : chosen / period of time more or less precise

19 avril 2023 74

Statistical treatmentSeveral couples

correct / faulty outputsSecret key

(0x8E..46, 0x74…54)

(0x8E..46, 0x96…BC)

(0x8E..46, 0xAB…EC)

…

Differential Fault Analysis

19 avril 2023 75



• Attacking smart card applications• JIL quotation

Overview

19 avril 2023 76

• A DES key is transferred from EEPROM to RAM• A part of the key is set to 0 (stuck at fault model)

• Exhaustive search on C7 amongst 256 possibilities to recover K7

• By using K7, exhaustive search on C6 amongst 256 possibilities to recover K6

• And so on…• Countermeasure: add a checksum to the key

Attack during key transfer

19 avril 2023 77

Attack during key transfer

19 avril 2023 78




Overview

19 avril 2023 79

Instead of computing straightforwardly

Active analysis: RSA-CRT

19 avril 2023 80


19 avril 2023 81


19 avril 2023 82

• How to counteract such a powerful attack?• The easiest solution is to verify the signature by using the public

exponent:Se = m mod N ?

• However e is not always available in practice…


19 avril 2023 83


19 avril 2023 84


19 avril 2023 85


19 avril 2023 86

A Countermeasure against one physical cryptanalysis may benefit another attack:

• If attack detected : bit = 0Else bit = 1


19 avril 2023 87




Overview

19 avril 2023 88

Active analysis: DES

19 avril 2023 89


19 avril 2023 90


19 avril 2023 91

Active analysis on DES: fault on the last round

19 avril 2023 92

Active analysis on DES: fault on the last round

19 avril 2023 93

• Countermeasure:– Perform the DES twice and compare the corresponding

results.

DES

M

DES

=?

C C

DES

M

DES-1

=?

C’

Active analysis : DES

19 avril 2023 94

• Conclusion:– DES can be broken by using DFA– The most efficient attacks:

• In terms of errors: only requires 2 faulty ciphertexts with fault injected during round 14

• In terms of rounds : works if faults are injected from round 10

Active analysis : DES

19 avril 2023 95



• Conclusion

Overview

19 avril 2023 96

• 16-byte block cipher using a 128, 192 or 256-bit key.

Active analysis : AES

19 avril 2023 97

Active analysis : AES (SubBytes)

19 avril 2023 98

Active analysis : AES (ShiftRows)

19 avril 2023 99

Active analysis : AES (MixColumns)

19 avril 2023 100

Active analysis : AES (AddRoundKey)

19 avril 2023 101


19 avril 2023 102

MC

K9

SB SR

K10

MC

K9

SB SR

K10

SB-1 SR-1

SB-1 SR-1 K10 ?

K10 ?

Ciphertext

4 bytes

• If our guess on 4 bytes of K10 is correct, then must belong to


19 avril 2023 103


Description of the statistical analysis:– Guess 4 bytes of K10

– From C and Ĉ, compute .– If belongs to then indicates the guess as a possible value for the

correct subkey, otherwise discard our guess.– With 1 faulty ciphertext, the number of possible values for the

corresponding 4 bytes of K10 will be reduced to 210, since # = 210 .

– With 2 faulty ciphertexts with faults induced on the same column, the corresponding 4 bytes of K10 will be uniquely identified with high probability.

19 avril 2023 104

MC

K9

SB SR

K10

Belong to ?


19 avril 2023 105

MC

K9

SB SR

K10

Belong to ?


19 avril 2023 106

MC

K9

SB SR

K10

Belong to ?

K8

MCSB

SR

Active analysis : AES (Advanced attacks)

19 avril 2023 107

• Countermeasure:– Same as DES

• Conclusion:– AES can be broken by using DFA– The most efficient attacks:

• In terms of errors: – 128 bits: 1 faulty ciphertext– 192 bits: 2 faulty ciphertexts– 256 bits: 3 faulty ciphertexts

• In terms of rounds : works if faults are injected during round r-4


19 avril 2023 108

Conclusion

• Overview of attacks on smartcards• Attacks presented here are “standard”

• More powerfull attacks exist• Passive: template, high order• Active: multiple laser sources, FIB

• These attacks are for real and must not be underestimated !

• If quantum cryptography does not solve these problems then we have work for the next decade!

19 avril 2023 109

Thank you for your attention

Any comments? [email protected]

mailto:[email protected]

19 avril 2023 110110

NVM or ROM{…

MOV A,toto

XRL A,#02H

JZ label1

INC toto

label1 :

MOV DCNTRL,#032H …}

PC

PC’

JZ titi

JZ label1 MOV R0, label1

if(toto != 2)

toto ++;

DCNTRL = 0x32;

• To understand a disturbance : think in assembly

Consequence of a fault

JZ label1

19 avril 2023 111

Active analysis on DES: fault before the last round

19 avril 2023 112

Active analysis on DES: fault on middle rounds

19 avril 2023 113

Active analysis on DES: fault on middle rounds

19 avril 2023 114

MC

K9

SB SR

K10

Belong to ?

K8

MCSB

SR

Active analysis : AES (Advanced attacks)

15 octobre 2015 1 attacks on smart cards: an introduction lyrics– may 28th, 2015 philippe andouard...

Documents

latest invention

smart cardnon invasive

long time

attackspassive analysis

hours of analysis

historypassive attacks

implementthe card

physical properties