ELECTROMAGNETIC GLITCH ON THE AES ROUND COUNTER

Transcription

1 ELECTROMAGNETIC GLITCH ON THE AES ROUND COUNTER Amine DEHBAOUI ¹, Amir-Pasha Mirbaha ², Nicolas MORO¹, Jean-Max DUTERTRE ², Assia TRIA ¹ COSADE 2013 Paris, France (1) (2)

2 OUTLINE! Context! Round Modification Analysis on AES! Proposed Round Modification Analysis on AES! Electromagnetic Glitch Injection Technique! Concrete Results with EMG! Conclusion 1 NOVEMBRE 2014 PAGE 2

3 CONTEXT : FAULT INJECTION Plaintext Correct Ciphertext Faulty Ciphertext Fault injection means : Power supply glitch, Clock glitch, EM glitch, Laser shot disturb the encryption/decryption process through unusual environmental conditions in order to : reduce the encryption complexity (e.g. round reduction analysis), differential fault analysis = comparison between correct and faulty ciphertexts. 1 NOVEMBRE 2014 retrieve information on the encryption process (i.e. information leakage) PAGE 3

4 Round Modification Analysis on AES CEA 10 AVRIL 2012 PAGE 4 1 NOVEMBRE 2014

5 ADVANCED ENCRYPTION STANDARD 128 BITS REMINDER M Initial round cipher key K Final round Rounds 1..9 round key K i round key K 10 C PAGE 5

6 STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS M Round Modification Analysis Initial round cipher key K! Round Reduction Analysis decrease the number of executed rounds Final round Rounds 1..9 round key K i round key K 10! Round Increase Analysis increase the number of executed rounds! Round Alteration Analysis modification of the round order C PAGE 6

7 STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS M Round Modification Analysis Initial round cipher key K! Round Reduction Analysis H. Choukri et al. [2005] J.H. Park et al. [2011] Final round Rounds 1..9 round key K i RC comp with RCMAX round key K 10 K.S. Bae et al.[2011]! Round Increase Analysis J.M. Dutertre et al. #3 [2012]! Round Alteration Analysis J.M. Dutertre et al. #2 [2012] C PAGE 7

8 STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS Attack Target Mean Type Encryption sequence Req. texts H. Choukri et al. [FDTC 05] J.H. Park et al. [ETRI 11] K.S. Bae et al. [ICCIT 11] J.M. Dutertre et al. #2 [HOST 12] J.M. Dutertre et al. #3 [HOST 12] PIC16F877 8-bit ATmega128 8-bit ATmega128 8-bit Unknown mcu 0.35µm 8-bit Unknown mcu 0.35µm 8-bit Power Glitch Laser Laser Laser Laser Round Reduction Round Reduction Round Reduction Round Alteration Round Addition Key search average time R 0 -R m 2 1 second R 0 -R 1 -R hours R 0..R 8 -R second R 0..R 8 -R m -R f 3 1 second R 0..R 9 -R m=10 -R f= hour & 30 minutes PAGE 8

9 Proposed Round Modification Analysis on AES CEA 10 AVRIL 2012 PAGE 9 1 NOVEMBRE 2014

10 PROPOSED ROUND MODIFICATIONS ANALYSIS Round 9 K 9! ARK! Alteration of the operation SB! M 9!! CR++ CR=9 CR=10 Round 10 KS! SR! ARK! K 10! C!! C (correct ciphertext) = SR o SB(M 9 ) K 10 C (correct ciphertext) = FR (M 9 ) K 10 PAGE 10 10

11 PROPOSED ROUND MODIFICATIONS ANALYSIS Round 9 K 9! ARK! Alteration of the operation SB! M 9!! CR++ RC=9 RC=10 Round m=9 CR++ RC=9 RC=10 Round f=10 K 9! K 10! Round 10 KS! K 10! SR! C!! MC! ARK! KS! MCoSRoSB(M 9 )% ARK! SB! SR! KS! M 9! SB(M 9 )% SRoSB(M 9 )% ARK! D (faulty ciphertext) = SR o SB [MC o SR o SB(M 9 ) K 9 ] K 10 D (faulty ciphertext) = FR [ MR[M 9 ] K 9 ] K 10 D!! C (correct ciphertext) = SR o SB(M 9 ) K 10 C (correct ciphertext) = FR (M 9 ) K 10 11

12 PROPOSED ROUND MODIFICATIONS ANALYSIS 1 plaintext D (faulty ciphertext) = FR [MR(M 9 ) K 9 ] K 10 C (correct ciphertext) = FR (M 9 ) K 10 2 plaintexts M a M b FR -1 (D a K 10 ) FR -1 (D b K 10 )= MC(C a C b ) 2 hypothese on each K 10 byte Calculation time : < 1 second Alternative solution : 3 plaintexts, instead of 2 thus, 1 hypothesis for each K 10 byte PAGE 12

13 Electromagnetic Glitch injection Technique CEA 10 AVRIL 2012 PAGE 13 1 NOVEMBRE 2014

14 PRACTICAL ELECTROMAGNETIC GLITCH SETUP Control computer The target device Motorized stage Pulse generator Coil antenna. Pulse width : 10 ns Rise and fall transition time : 2ns Pulse amplitude : -200V / +200V The computer controls both the pulse generator (through a rs-232 link) and the target board (through a usb link). PAGE 14

15 PRACTICAL ELECTROMAGNETIC GLITCH SETUP Target Description Up-to-date 32-bit microcontroller Designed in a cmos130nm technology Based on the arm Cortex-M3 processor. Operating frequency is set to 24MHz. PAGE 15

16 Concrete Results with EMG CEA 10 AVRIL 2012 PAGE 16 1 NOVEMBRE 2014

17 EMG PROFILE OF THE TARGET 180V injected EMG during 20ns negative spike of less than 50ns width and 300mV amplitude. Fault Model instruction alteration PAGE 17

18 EXPERIMENTAL OUTLINE PAGE 18

19 TIMING CARTOGRAPHY OF EMG EFFECT PAGE 19

20 Conclusion CEA 10 AVRIL 2012 PAGE 20 1 NOVEMBRE 2014

21 Conclusion! Round Modification Analysis by targeting the round counter! Fault induced at the end of the penultimate round! Execution of a second penultimate round! EMG Fault model : instruction alteration! High occurrence rate / without triggering hardware interrupts 1 NOVEMBRE 2014 PAGE 21

22 Attack Target Mean Type Encryption sequence Req. texts H. Choukri et al. [FDTC 05] J.H. Park et al. [ETRI 11] PIC16F877 8-bit ATmega128 8-bit Power Glitch Laser Round Reduction Round Reduction Key search average time R 0 -R m 2 1 second R 0 -R 1 -R hours K.S. Bae et al. [ICCIT 11] ATmega128 8-bit Laser Round Reduction R 0..R 8 -R second J.M. Dutertre et al. #2 [HOST 12] Unknown mcu 0.35µm 8-bit Laser Round Alteration R 0..R 8 -R m -R f 3 1 second J.M. Dutertre et al. #3 [HOST 12] Unknown mcu 0.35µm 8-bit Laser Round Addition R 0..R 9 -R m=10 -R f= hour & 30 minutes Our experiment [COSADE 13] ARM Cortex-M3 based 130nm 32-bit EM Glitch Round Addition R 0..R 9 -R m=9 -R f= second

23 Any questions? PAGE 23 CEA 10 AVRIL NOVEMBRE 2014 Direction de la Recherche Technologique DSIS / LCS Systèmes et Architectures Sécurisés Commissariat à l énergie atomique et aux énergies alternatives Centre de Microélectronique de Provence Gardanne T. +33 (0) F. +33 (0) Etablissement public à caractère industriel et commercial RCS Paris B

24 Annexe : RMA Exceptionnel case CEA 10 AVRIL 2012 PAGE 24 1 NOVEMBRE 2014

25 RMA!!AN!EXCEPTIONAL!CASE! Round 9 K 9! ARK! An exceptional case may happen when a byte value in D a is equal to the corresponding byte on the second encryption; i.e. D a [byte i] = D b [byte i] EMG SB! M 9!! CR++ CR=9 CR=1 Round m=9 0 CR++ CR=9 CR=1 0 Round f=10 K 9! K 10! Round 10 KS! SR! KS! MC! ARK! MCoSRoSB(M 9 )% ARK! KS! SB! SR! M 9! SB(M 9 )% SRoSB(M 9 )% ARK! D!! K 10! C!! D"(faulty(ciphertext)(=(SRoSB[MCoSRoSB(M 9 )" (K 9 ]( (K 10" C"(correct(ciphertext)(="SRoSB(M 9 )" (K 10 ( 25

26 RMA!!AN!EXCEPTIONAL!CASE! An exceptional case may happen when a byte value in D a is equal to the corresponding byte on the second encryption; i.e. D a [byte i] = D b [byte i] 34% 5E% 32%43%F6%A8%88%5A%30%8D%31%31%98%A2%E0%37%07% 19%84%B0%92%95%C8%B1%D9%C4%4E%4D%1E%F2%C0%36% Round f=10 K 10! 39%25%84%1D%02%DC%09%FB%DC%11%85%97%19%6A%0B%32% 13%AB%D8%4B%7B%EA%FA%58%47%58%48%A5%50%B3%B2%DC% 49%4a%b5%1f%3b%08%83%e0%d1%21%34%6b%32%cd%31%cb% 8c%fc%54%6b%3a%46%9e%e0%b7%65%6d%0a%92%7b%a0%e1% SR! SRoSB(M 9 )% ARK! D!! 26

27 RMA!!AN!EXCEPTIONAL!CASE! Ronde 9 SB +1 osr +1 (D a " (K 10 ) SB +1 osr +1 (D b " (K 10 )=(MC(C a " (C b )! 2 8!hypotheses!! on(k 10" [7]"(byte([7](of(K 10 )( and(2!hypotheses!! on(each(other(k 10" byte( 2 8!x!2 15!=!2 23! hypotheses!! on(the(whole4k 10 " to(be(examined(by(using(c a (and(d a,(( and(by(calcula=ng(k 9 (and(k 10 " calculadon!dme!:!sdll!less!than!1!second! 27

28 RMA!!AN!EXCEPTIONAL!CASE! Ronde 9 Probability(of(this(excep=onal(case(=( 255( 1" (( 1@((((((((((((((x((((((((((((((x((((((((((((((((((((((=((1@((((((((((((((((((( ((%6.070( 256( 1" (( )( )( 255( 1" (( 256( 1" (( )( )( 255( 1" (( 256( 1" (( )( )( 255( 256( (( )( 16( with(1,(2(or(even(3(equal(byte(values(on(d a" (and( D b,(the(cryptanalysis(has(an(answer(in(a(short( calcula=on(=me( In(any(case,(there(is(a(faster(solu=on(:( using(3(plaintexts,(instead(of(2( 28

29 Annexe : Digital IC CEA 10 AVRIL 2012 PAGE 29 1 NOVEMBRE 2014

30 Synchronous Digital IC Timing Constraints n m data Logic D Q D pmax D Q Dff i Dff i+1 clk D clk->q T clk + T skew - T setup data arrival time = D clk->q + D pmax data required time = T clk + T skew - T setup T clk > D clk->q + D pmax - T skew + T setup F(Vdd) Violating this timing constraint results in fault injection. Usually IC are designed to tolerate : Vdrops < 0.1 x Vdd PAGE 30