Practical DFA on AES. Marc Witteman CTO June 13, 2013

Transcription

1 Practical DFA on AES Marc Witteman CTO June 13, 2013

2 DFA on AES, how hard is that? 2003 Gilles Piret and Jean-Jacques Quisquater 2 faults 2013 Christophe Giraud and Adrian Thillard 1 fault 2013 Riscure up to 50 faults Is Riscure stupid? 2

3 Outline How does single fault DFA on AES work? What s wrong with single fault DFA? So, how does Riscure do DFA? Demo 3

4 Fault impact on AES Substitute ShiftRow MixColumn AddKey Fault 9 th round 10 th round Inject fault before ultimate MixColumn Fault randomly changes chosen byte MixColumn propagates fault in column Substitute ShiftRow ShiftRow propagates fault to 4 cells AddKey One fault affects 4 output bytes Output 4

5 Finding the fault value Fault in specific byte propagates to 4 output bytes Each fault pair of correct and faulty output bytes halves the number of values for the random fault Out 0 on fault Out 7 on fault Out 10 on fault Out 13 on fault Out all on fault Group of 4 affected output bytes reduces possible fault values in known byte to about 15

6 Finding the key value A specific fault value matches with two key values Fault value Mapping Key value K 0 K 7 K 10 K 13 Group key space reduced from 32 bits to ~8 bits 2 * 4 faults 2 can * break 2 the * key * 24 x 32 * reduced 2 to 4 x * 8 bits * 2 Remaining * entropy 2 is * 32 bits * 2 Can be * brute 2 forced * * 2 * 2 * 2 = 240

7 MixColumn AddKey Substitute 8 th round 9 th round Fault One fault catches all Inject fault before in round 8 Fault randomly changes chosen byte ShiftRow MixColumn AddKey Substitute ShiftRow AddKey Output 9 th round 10 th round MixColumn propagates fault in column ShiftRow propagates fault to 4 cells MixColumn propagates 4 faults in 4 columns ShiftRow propagates 4 faults to 16 cells, exposing 16 key bytes So, one correct + fault pair + 32 bit brute force reveals 128 bit key! 7

8 What s wrong with single-fault DFA? Fault model must be known Unknown byte hit? Faults in same column are non-distinguishable 8

9 What s wrong with single-fault DFA? Fault model must be known Unknown byte hit? blind byte hit multiplies search space by 4 Unknown round hit? blind round hit multiplies search space by 10 Unknown operation hit? void mix_column( unsigned char* column ) { unsigned char a = column[0]; unsigned char b = column[1]; unsigned char c = column[2]; unsigned char d = column[3]; column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d; column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a; column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b; column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c; } Alternative faults change effect 9

10 What s wrong with single-fault DFA? Fault model must be known Unknown byte hit? blind byte hit multiplies search space by 4 Unknown round hit? blind round hit multiplies search space by 10 Unknown operation hit? out-of-model faults mess up the key search Practice 32 bit AES brute force takes 20 minutes With unknowns this can grow to days Brute force key search impossible when input missing We hate waiting 10

11 Our approach We replace single-fault DFA by single-minute DFA Experience If a target is vulnerable to fault injection, it s relatively easy to collect multiple faults Procedure 1. acquire outputs while injecting faults (almost a minute) 2. select faults that match the fault model (few ms) 3. use voting and exclusion to reduce key space to bits using faults (few ms) 4. brute force to match input or fault model (few sec) 11

12 1. Acquisition Glitch parameters command response trigger glitch

13 2. Fault selection Hit Key addition, Substitute, Shift row, or Mix column Check that only 4 output bytes change Accept that some faults have alternative fault model Usable void mix_column( unsigned char* column ) { } unsigned char a = column[0]; unsigned char b = column[1]; unsigned char c = column[2]; Too little unsigned char d = column[3]; column[0] = mul2[ a ] ^ mul3[ b ] ^ c ^ d; column[1] = mul2[ b ] ^ mul3[ c ] ^ d ^ a; column[2] = mul2[ c ] ^ mul3[ d ] ^ a ^ b; Too much column[3] = mul2[ d ] ^ mul3[ a ] ^ b ^ c; 13

14 3. Key space reduction (one fault) 4 potential fault bytes per group join possible key values A E I M B F J N C G K O D H L P Fault in A Fault in B Fault in C Fault in D Fault in ANY Almost half of all key bytes match Frequency = probability 14

15 3. Key space reduction (multi fault) Voting sum(8) sum(12) Voting and Exclusion 1 2 1*2*(1+2) prodsum(4) prodsum(8) Full key extraction takes 32 up to 50 unique faults 15

16 4. Brute force When to brute force? Verify correctness of candidates Only few faults available Can be efficient when 24 bits (or less) missing Too little variation in faults How to brute force? Match keys with input/output Reverse last round and detect earlier faults 16

17 Conclusion Prior AES DFA work not practical due to Unknowns Out-of-model faults DFA practical when Fault selection on format Candidates selected by voting Practical DFA on AES can be fast replace single-fault by single-minute Remaining research questions Attack skipped rounds? Attack without duplicate plaintext? 17

18 Contact: Marc Witteman CTO Riscure B.V. Frontier Building, Delftechpark XJ Delft The Netherlands Phone: Riscure North America 71 Stevenson Street, Suite 400 San Francisco, CA USA Phone: