review of fault injection mechanisms and consequences on
TRANSCRIPT
Département SAS Équipe mixte CEA-LETI/ENSMSE Site Georges Charpak Centre Microélectronique de Provence 880, route de Mimet 13541 Gardanne
DTIS 2011
Bruno Robisson Jean-Baptiste Rigaud Assia Tria
Review of Fault Injection Mechanisms and Consequences on Countermeasures Design
6th International Conference on Design & Technology of Integrated Systems in Nanoscale Era
David Naccache Jean-Max Dutertre Jacques J.A. Fournier Amir-Pasha Mirbaha Ecole normale supérieure
Département d’Informatique Équipe de cryptographie 45, rue d’Ulm 75230 Paris
Outline
! Outline
" Fault attacks on cryptosystems.
2 / 22
" Introduction
! Focus
" Fault injection means • Laser • Timing constraints violation (clock, voltage, temperature)
" Countermeasures
" Security evaluation of hardware duplication
" Conclusion
Introduction
" Fault attacks on physical implementation of cryptosystems
K M C
0110010101100001 010110000110011
110101000101101
Faulty cipher text
Disturb the ciphering process through unusual environmental conditions in order to :
• reduce the ciphering complexity (e.g. round reduction number)
• Differential Fault Attack = comparison between correct and faulty cipher texts
retrieve information on the encryption process (i.e. information leakage)
3 / 22
Introduction
" DFA’s requirements (strong)
• location,
• timing (choice of the injection cycle),
• focalization (i.e. number of faulted bits).
Fine control on:
4 / 22
C. Giraud: DFA on AES, Lecture Notes in Computer Science, 2005, Springer Berlin / Heidelberg, Volume 3373
G. Piret, J.-‐J. Quisquater: A DifferenMal Fault ANack Technique Against SPN Structures, with ApplicaMon to the AES, CHES 2003, LNCS 2779, Springer-‐Verlag
Fault injection means
! Laser as a fault injection means Semi-invasive: chemical/mechanical opening while preserving functionality
Front side
Rear side
• photoelectric effect (hν > Ebandgap)
• reversed biased PN junction
data dependent sensitive areas
Fault injection mechanism:
5 / 22
Fault injection means
" Photoelectric effect
Diffusion n+
Substrate P (Gnd)
Laser
- + + +
+ + + + +
- +
- - -
- -
-
depletion region
E
Drain ( VDD )
Current transient
beam energy pulse duraMon
voltage transient
current (mA)
Instant response
Delayed response
time (ns)
6 / 22
Fault injection means
• propagates through combinational logic without memorization
• propagates through combinational logic with memorization
• memory flip (SRAM, register)
" Voltage transient:
fault injection
Single Event Transient - SET
Single Event Upset - SEU
" Experimental results
• single-bit and single-byte fault injection
• control of the injection time (~ 10ns)
• focalization : ∅ 1µm
7 / 22 M. Agoyan, J.-‐M. Dutertre, A.-‐P. Mirbaha, D. Naccache, A.-‐L. RiboNa, A. Tria: How to flip a bit?, 16th InternaMonal On-‐Line TesMng Symposium, 2010
Fault injection means
! Timing constraints violation Non-invasive
• data are captured on the clock’s rising edge
• time between two rising edges (i.e. clock period) depends on the
" Synchronous IC principle (reminder)
D Q D Q
Combinational logic
clk
data 1 1 1 1
propagation delay
Dffi Dffi+1
n-1 m-1
propagation delay 8 / 22
D Q D Q
Combinational logic
clk
data 1 1 1 1
Dffi Dffi+1
Dclk#Q
DpMax
Tclk + Tskew - δsu
Tclk > Dclk!Q + DpMax - Tskew + δsu
Timing constraint:
Violating this timing constraint results in fault injection
n-1 m-1
Fault injection means
9 / 22
A well known approach decreasing the clock period until faults appear by setup time violation
clk
Tclk
Tclk fault
clk’
propagation delay + setup time
drawback : faults are injected at each clock cycle no timing control
" Clock glitches
• over clocking
Fault injection means
10 / 22
clk
Tclk
Tclk - Δ
fault injection cycle choice
fault-nature fine tuning through Δ fine control
clk’
(one-bit, two-bits faults)
• local over clocking (or clock glitching)
Fault injection means
timing constraint violation by modifying one clock cycle
11 / 22
send random key K and plaintext T to the test chip Δ ← 0
Test campaign pseudo-code :
Fault injection means
• Experimental results on an AES cryptosystem
⇒ first reported fault → Tclk - Δ = critical time (K, T) single bit fault > 90%
12 / 22 M. Agoyan, J.-‐M. Dutertre, D. Naccache, B. Robisson, A. Tria: When Clocks Fail: On CriMcal Paths and Clock Faults, CARDIS 2010
No fault One-bit fault Two-bits fault Other fault
Fault injection mechanism
Step by step Tclk decrease (δt = 35 ps)
D0 D1
D2
D3 No fault
D4 D5
D6
D7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
200ps
Byte
ind
ex
Byte
nb.
6
0
9140ps 7940ps Tclk - Δ
Fault injection means
13 / 22
Tclk = 10000 ps
No fault One-bit fault Two-bits fault Other fault
Fault injection mechanism
Step by step Tclk decrease (δt = 35 ps)
D0 D1
D2
D3 No fault
D4 D5
D6
D7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
200ps
Byte
ind
ex
Byte
nb.
6
Tclk-Δ
0
9140ps 7940ps Tclk - Δ
Fault injection means
13 / 22
No fault One-bit fault Two-bits fault Other fault
Fault injection mechanism
Step by step Tclk decrease (δt = 35 ps)
D0 D1
D2
D3 No fault
D4 D5
D6
D7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
200ps
Byte
ind
ex
Byte
nb.
6
Tclk-Δ
0
9140ps 7940ps Tclk - Δ
Fault injection means
13 / 22
No fault One-bit fault Two-bits fault Other fault
Fault injection mechanism
Step by step Tclk decrease (δt = 35 ps)
D0 D1
D2
D3 No fault
D4 D5
D6
D7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
200ps
Byte
ind
ex
Byte
nb.
6
Tclk-Δ
0
9140ps 7940ps Tclk - Δ
Fault injection means
13 / 22
No fault One-bit fault Two-bits fault Other fault
Fault injection mechanism
Step by step Tclk decrease (δt = 35 ps)
D0 D1
D2
D3
D4 D5
D6
D7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
200ps
Byte
ind
ex
Byte
nb.
6
Single bit fault
Tclk-Δ
0
9140ps 7940ps Tclk - Δ
Fault injection means
13 / 22
No fault One-bit fault Two-bits fault Other fault
Fault injection mechanism
Step by step Tclk decrease (δt = 35 ps)
D0 D1
D2
D3
D4 D5
D6
D7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
200ps
Byte
ind
ex
Byte
nb.
6
2 faulted bits
Tclk-Δ
0
9140ps 7940ps Tclk - Δ
Fault injection means
13 / 22
No fault One-bit fault Two-bits fault Other fault
Fault injection mechanism
Step by step Tclk decrease (δt = 35 ps)
D0 D1
D2
D3
D4 D5
D6
D7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
200ps
Byte
ind
ex
Byte
nb.
6
3 faulted bits
Tclk-Δ
0
9140ps 7940ps Tclk - Δ
Fault injection means
13 / 22
combinational logic
VDD DpMax ( Dclk!Q, δsu, ⏐Tskew ⏐ )
Tclk < Dclk!Q + DpMax - Tskew + δsu
at nominal frequency
n m
D0
D1
Dm-1
Tclk
inputs
DpMax + δsu + slack
n m
D0
D1
Dm-1 outputs
Fault injection means
" Voltage deprivation
14 / 22
VDD DpMax ( Dclk!Q, δsu, ⏐Tskew ⏐ )
Tclk < Dclk!Q + DpMax - Tskew + δsu
at nominal frequency
n
Tclk
inputs n m
D0
Dm-1 outputs m
D0
Dm-1
DpMax + δsu + slack
Fault injection means
" Voltage deprivation
14 / 22
logic combinational D1
pico
seco
nds
critical time increases as VDD decreases
Tclk
1st fault (VDD = 1.07V)
Fault injection means
" Voltage deprivation: experimental results
15 / 22
DpMax ( Dclk!Q, δsu, ⏐Tskew ⏐ )
Fault injection means
" Temperature increase: experimental results
Tclk
1st fault (210°C)
17 / 22
Countermeasures
! Countermeasures against fault attacks " Cutting the access point
" Environment monitoring
" Fault detection/correction
18 / 22
" Cutting the access point
Power lines filtering
Metallic shielding
Glue logic
Internal clock
Countermeasures
18 / 22
Power lines filtering
Metallic shielding
Glue logic
Internal clock
Voltage sensor
Light sensor
Temperature sensor
Frequency sensor
Countermeasures
18 / 22
" Environment monitoring
Power lines filtering
Metallic shielding
Glue logic
Internal clock
Voltage sensor
Light sensor
Temperature sensor
Frequency sensor
Hardware redundancy
Duplication Duplication
Triplication with vote
ECC Parity bits
Timing redundancy
Countermeasures
18 / 22
" Fault detection/correction
Security evaluation of hardware duplication
! Security evaluation of hardware duplication " Laser attacks against hardware duplication
AES RoundExe
input
outputAES
AES RoundExe
outputAES comp.
19 / 22 M. Doulcier, J.-‐M. Dutertre, J. J.-‐A. Fournier, J.-‐B. Rigaud, B. Robisson, A. Tria: A Side-‐Channel and Fault-‐ANack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011)
Security evaluation of hardware duplication
! Security evaluation of hardware duplication " Laser attacks against hardware duplication
AES RoundExe
input
AES RoundExe
comp.
alarm
laser spot
19 / 22 M. Doulcier, J.-‐M. Dutertre, J. J.-‐A. Fournier, J.-‐B. Rigaud, B. Robisson, A. Tria: A Side-‐Channel and Fault-‐ANack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011)
faulty outputAES
faulty outputAES ≠ faulty outputAES
Security evaluation of hardware duplication
! Security evaluation of hardware duplication " Laser attacks against hardware duplication
AES RoundExe
input
AES RoundExe
comp.
alarm
laser spot
high fault nb. inconsistent with DFA’s requirements
19 / 22 M. Doulcier, J.-‐M. Dutertre, J. J.-‐A. Fournier, J.-‐B. Rigaud, B. Robisson, A. Tria: A Side-‐Channel and Fault-‐ANack Resistant AES Circuit Working on Duplicated Complemented Values, In Solid State Circuits Conference (ISSCC 2011)
faulty outputAES ≠ faulty outputAES
faulty outputAES
Security evaluation of hardware duplication
" Timing constraint violation attacks on hardware duplication
AES RoundExe
AES RoundExe
comp.
alarm
Clock alteration ⇒ fault location = critical paths
faulty outputAES
single bit fault input
20 / 22
M. Agoyan, S. Bouquet, M. Doulcier, J.-‐M. Dutertre, J. J.-‐A. Fournier, J.-‐B. Rigaud, B. Robisson, and A. Tria: Design of a duplicated fault detecMng aes chip and yet using clock set-‐up Mme violaMons to extract 13 out of 16 bytes of the secret key, SMART SYSTEMS INTEGRATION to be published, 2011
faulty outputAES ≠ faulty outputAES
Security evaluation of hardware duplication
" Timing constraint violation attacks on hardware duplication
AES RoundExe
AES RoundExe
comp.
alarm
Clock alteration ⇒ fault location = critical paths
faulty outputAES
single bit fault
Probability of CM dismiss:
input
Hardware duplication is broken:
DFA’s schemes apply
20 / 22
M. Agoyan, S. Bouquet, M. Doulcier, J.-‐M. Dutertre, J. J.-‐A. Fournier, J.-‐B. Rigaud, B. Robisson, and A. Tria: Design of a duplicated fault detecMng aes chip and yet using clock set-‐up Mme violaMons to extract 13 out of 16 bytes of the secret key, SMART SYSTEMS INTEGRATION to be published, 2011
faulty outputAES = faulty outputAES
Conclusion
! Overview of faults attacks on cryptosystems " Strong requirements regarding the injected faults
" Laser as a fault injection means " Fault injection through timing constraint violation
! Overview of countermeasures against fault attacks
! Security evaluation of hardware duplication broken by clock alteration
! General conclusion: " Take care of properties of fault injection means
" CM design is still research work
[email protected] 21 / 22