How multi-fault injection. of smart cards. Marc Witteman Riscure. Session ID: RR-201 Session Classification: Advanced

Size: px

Start display at page:

Download "How multi-fault injection. of smart cards. Marc Witteman Riscure. Session ID: RR-201 Session Classification: Advanced"

Alfred Austin
5 years ago
Views:

1 How multi-fault injection breaks Title the of Presentation security of smart cards Marc Witteman Riscure Session ID: RR-201 Session Classification: Advanced

2 Imagine you could turn your BART EZ Rider fare card into a military CAC card 2

3 Objectives Get an overview of fault injection threats Learn about countermeasures Discover the possibilities of next generation fault injection methods 3

4 Agenda Fault Injection Countermeasures Method improvements Attacks in practice Wrap-up 4

5 Fault injection 5

6 Fault Attack channels Voltage glitching Clock glitching Optical glitching 6

7 Fault attack scenarios Some example attack scenarios Verification bypass Code dump Differential Fault Analysis 7

8 Tools Tools used for fault injection Hardware for glitch control Flash bulbs and lasers Software for experiment control 8

9 Countermeasures 9

10 Countermeasures Double checking Signature verification Traps Randomization Shields and sensors 10

11 Double checking short pin_check(byte* buffer) { if(pin_ctr > 0) { pin_ctr--; if(array_compare(pin,buffer,4) == 0) {// PIN ok at first check if(array_compare(pin,buffer,4)!= 0) { auth = FALSE; // PIN not ok at second check return 0x6986; } else { // PIN ok } } else { // PIN not ok at first check } 11

12 Double checking short pin_check(byte* buffer) { if(pin_ctr > 0) { pin_ctr--; if(array_compare(pin,buffer,4) == 0) {// PIN ok at first check if(array_compare(pin,buffer,4)!= 0) { Second check detects fault auth = FALSE; // PIN not ok at second check return 0x6986; } else { // PIN ok } } else { // PIN not ok at first check } Glitch forces acceptance of false PIN 12

13 Verify signatures short sign_and_verify(byte* buffer) { sign( buffer, signature ); if (verify( buffer, signature) { auth = TRUE; // signature verification success send( signature ); } // send signature return 0x9000; } // report success else { auth = FALSE; // signature verification fail return 0x6986; } // no signature transmission 13

14 Verify signatures short sign_and_verify(byte* buffer) { sign( buffer, signature ); if (verify( buffer, signature) { Glitch corrupts signature auth = TRUE; // signature verification success send( signature ); } // send signature return 0x9000; } // report success else { auth = FALSE; // signature verification fail return 0x6986; } // no signature transmission Verify detects corrupted signature 14

15 Traps byte result = SOME_VALUE; byte resultchecksum = ~SOME_VALUE; // create checksum if ((result ^ resultchecksum)!= 0xFF) fail(); // verify checksum 15

16 Traps Glitch corrupts value byte result = SOME_VALUE; byte resultchecksum = ~SOME_VALUE; // create checksum if ((result ^ resultchecksum)!= 0xFF) fail(); // verify checksum Trap may mute or kill card 16

17 short pin_check(byte* buffer) { // get random number in range int rnd = get_random( 256 ); while (rnd > 0) rnd--; // random delay if(pin_ctr > 0) { pin_ctr--; if(array_compare(pin,buffer,4) == 0) { Randomization Randomness introduced by Random delays (software loop) Cycle stealing (CPU skips clock cycle) Drifting clock 17

18 short pin_check(byte* buffer) { // get random number in range int rnd = get_random( 256 ); while (rnd > 0) rnd--; // random delay if(pin_ctr > 0) { pin_ctr--; if(array_compare(pin,buffer,4) == 0) { Random delay stops time-based glitches Randomization Randomness introduced by Random delays (software loop) Cycle stealing (CPU skips clock cycle) Drifting clock 18

19 Shields and Sensors Shields block optical glitches Sensors detect glitches 19

20 Method improvements 20

21 Limitations of common equipment Standard signal generators lack flexibility??? Laser cutters are coarse Diode lasers are divergent and weak Process control inefficient 21

22 Flexible glitch control hardware Improvements in design Smart triggering Effective diode lasers Efficient control software 22

23 m o d e v c c / c l k / l a s e r Glitch control hardware requirements and design Multi channel Clock, VCC (supply voltage) USB Control LCD Display Optical Precise low latency Trigger in Trigger out CPU + memory Glitch generator short pulses exact timing Adaptive configure remotely diverse triggers Smart card VCC Smart card CLK Smart card RST Smart card I / O Power monitor Glitch circuit with smart card CLK VCC Switch Monitor side channel Contact smart card Laser 23

24 Glitch control hardware implementation General-purpose high speed FPGA board mounted on top of dedicated PCB with analog and digital drivers and interfaces 24

25 Smart triggering, what for? Instruction to hit Variable delays stop time based glitch triggers 25

26 Smart triggering concept Real time comparison of signal arrays Use Sum of Absolute Differences 26

27 Smart triggering result Instruction to hit Trigger moment is now fixed to device behavior 27

28 Smart triggering on noisy signals? Noise hides useful signals 28

29 Spectrum of noisy signals Spectrum reveals signals obscured by noise High frequencies include distinguishing features 29

30 Frequency conversion of noisy signals High frequencies are difficult to sample Pattern matching easiest on DC components Frequency mixing and demodulation makes high frequent features detectable 30

31 Feature recognition in noisy signals Filtering produces detectable signal 31

32 Smart triggering architecture and implementation FPGA board combined with dedicated electronics Filter out Signal in Filter in Filter Trigger in Acquisition SAD processor (2 ) Trigger out (2 ) SAD out USB Control Reference signal (2x) 32

33 Diode laser requirements Lasers must support fast switching power control multiple colors Source: Sergei Skorobogatov 33 33

Correct beam divergence Small spot size (~1 µm) Remote

34 Diode laser system requirements System requirements Camera view Motorized XY stage Optics requirements Correct beam divergence Small spot size (~1 µm) Remote controllable parameters XY position Glitch timing & amplitude 34

35 Fault Injection Software Fault injection process requirements Configurable and repeatable Automated execution and logging 35

36 Attacks in practice 36

37 Attacks in practice Backside attacks Virtual imaging Real time multi glitching 37

38 38 Backside attacks (1)

39 39 Backside attacks (2)

40 Side channel observation after fault injection Behavior shifted in time 40

41 41 Virtual imaging

42 Diode lasers can switch at high frequency Multi glitch timing 42

43 Real time multi glitch process short pin_check(byte* buffer) { if(pin_ctr > 0) { random_delay(); if(pin_ctr <= 0) suicide(); pin_ctr--; Find end with smart triggering if(array_compare(pin,buffer,4) == 0) {// PIN ok at first check random_delay(); if(array_compare(pin,buffer,4)!= 0) suicide(); else { } // PIN ok } else { } // PIN not ok at first check 43

44 Real time multi glitch process short pin_check(byte* buffer) { if(pin_ctr > 0) { random_delay(); if(pin_ctr <= 0) suicide(); pin_ctr--; Glitch condition if(array_compare(pin,buffer,4) == 0) {// PIN ok at first check random_delay(); if(array_compare(pin,buffer,4)!= 0) suicide(); else { } // PIN ok } else { } // PIN not ok at first check 44

45 Real time multi glitch process short pin_check(byte* buffer) { if(pin_ctr > 0) { random_delay(); if(pin_ctr <= 0) suicide(); pin_ctr--; if(array_compare(pin,buffer,4) == 0) {// PIN ok at first check random_delay(); if(array_compare(pin,buffer,4)!= 0) suicide(); else { } // PIN ok } else { } // PIN not ok at first check Find begin with smart triggering and force power down 45

46 Real time multi glitch process short pin_check(byte* buffer) { if(pin_ctr > 0) { random_delay(); if(pin_ctr <= 0) suicide(); pin_ctr--; Glitch condition if(array_compare(pin,buffer,4) == 0) {// PIN ok at first check random_delay(); if(array_compare(pin,buffer,4)!= 0) suicide(); else { } // PIN ok } else { } // PIN not ok at first check 46

47 Real time multi glitch process short pin_check(byte* buffer) { if(pin_ctr > 0) { random_delay(); if(pin_ctr <= 0) suicide(); pin_ctr--; Find end with smart triggering if(array_compare(pin,buffer,4) == 0) {// PIN ok at first check random_delay(); if(array_compare(pin,buffer,4)!= 0) suicide(); else { } // PIN ok } else { } // PIN not ok at first check 47

48 Real time multi glitch process short pin_check(byte* buffer) { if(pin_ctr > 0) { random_delay(); if(pin_ctr <= 0) suicide(); pin_ctr--; Glitch condition if(array_compare(pin,buffer,4) == 0) {// PIN ok at first check random_delay(); if(array_compare(pin,buffer,4)!= 0) suicide(); else { } // PIN ok } else { } // PIN not ok at first check 48

49 Real time multi glitch process short pin_check(byte* buffer) { if(pin_ctr > 0) { random_delay(); if(pin_ctr <= 0) suicide(); pin_ctr--; if(array_compare(pin,buffer,4) == 0) {// PIN ok at first check random_delay(); if(array_compare(pin,buffer,4)!= 0) suicide(); else { } // PIN ok } else { } // PIN not ok at first check Find begin with smart triggering and force power down 49

50 Real time multi glitch user experience 50

51 Wrap-up 51

52 Multi glitch practical limitations Evaluation of many parameters is time consuming (timing, amplitude, xy position, etc) Sensors and traps slow down analysis careful tuning of equipment needed Navigation without design is cumbersome crypto core is needle in hay-stack 52

53 So can I turn my BART card into a CAC card? No, for dictating instructions and operands, you would need multiple controlled beams (32) But, an attacker wouldn t even want that: just shake out the keys and clone a victim Impact 53

54 Analysis & Mitigation How do I know if my smart card is vulnerable? Risk analysis Source code review Security testing How can I protect my smart cards? Use newest and certified chips Harden your code (OS & application) 54

55 Future research Automation Can we further automate the analysis and reduce user intervention? Can we reverse engineer code by analyzing fault impact? Multi beam attacks Can we by-pass multiple defenses if separate laser beams are used? Can we push specific values on a data bus? 55

56 Summary and conclusion Fault injection is most significant threat for smart cards Diode laser systems generate fast and precise pulses that modify CPU instructions Sophisticated new fault injection equipment defeats countermeasures Best defense by mix of strong hardware and software countermeasures 56

57 Questions & Discussion Marc Witteman Chief Technology Officer Riscure B.V. Frontier Building Delftechpark XJ Delft The Netherlands Phone: +31 (0) Thank you 57 57

Practical DFA on AES. Marc Witteman CTO June 13, 2013

Practical DFA on AES. Marc Witteman CTO June 13, 2013 Practical DFA on AES Marc Witteman CTO June 13, 2013 DFA on AES, how hard is that? 2003 Gilles Piret and Jean-Jacques Quisquater 2 faults 2013 Christophe Giraud and Adrian Thillard 1 fault 2013 Riscure