Fault injection attacks on cryptographic devices and countermeasures Part 2

Transcription

1 Fult injection ttcks on cryptogrphic devices nd countermesures Prt Isrel Koren Deprtment of Electricl nd Computer Engineering University of Msschusetts Amherst, MA Countermesures - Exmples Must first detect injected fult, then prevent ttcker from observing erroneous output Block the output (e.g., generte ll zeroes output), or Produce rndom output misleding the ttcker, or/nd Erse the secret key fter certin number of ttcks 1. Active protection use sensors to detect vritions in voltge, frequency, light etc IBM 4764 crypto processor. Duplicte encryption (decryption) process (hrdwre or time redundncy) nd compre results injected fults trnsient nd will mnifest differently Sptil dupliction redundnt encryption unit or use decryption unit & compre to originl plintext Temporl dupliction reuse hrdwre or re-execute softwre Above techniques my incur high hrdwre nd/or time penlty

2 3. Error Detecting Codes (EDCs( EDCs) Error-detection codes my require less overhed but possibly hve lower coverge Code genertor, prediction circuits nd comprtor(s) Common Codes (seprble): 1. Prity codes. Residue codes 3. Error correcting codes (e.g., Hmming code) Specilized codes AES liner code for the liner prt nd inverse clcultion for the non-liner prt (S-Box) A nonliner code llowing fult coverge vs. hrdwre overhed trdeoff Performnce nd re overheds Performnce 30% - 100% Are 15% - 170% 3 Error Detecting Codes (EDCs( EDCs) First generte check bits For ech opertion within encryption predict check bits Periodiclly compre predicted check bits to generted ones Predicting check bits for ech opertion - most complex step Should be compred to dupliction 4

3 Exmple: Prity prediction for AES Byte-level prity is nturl - totl of 16 prity bits ShiftRows: rotting the prity bits AddRoundKey: dd prity bits of stte to those of key SubBytes: Expnd Sbox to 56 9 dd output prity bit; to propgte incoming errors (rther thn hving to check) expnd to 51 9 put incorrect prity bit for inputs with incorrect prity ( 7) MixColumns: Expressions below where s i, j is msb of stte byte i,j (7) Trnsformtion Input p0, j= p0, j p, j p3, j S0, j S Prity Bit(s) (input stte mtrix) (7) p = p p p S S Prity Prediction Trnsformtion p p 1, j, j 3, j = p = p 0, j 0, j 1, j p p 1, j 1, j, j p p 3, j, j 3, j S S 1, j (7), j (7) 3, j S S (7) 1, j (7), j (7) 3, j (7) 0, j Predicted Prity Bit(s) Trnsformtion Result (output stte mtrix) 5 AES Scheduling of Checks Compring predicted to generted prity bits After ech opertion After ech round At end of encryption smllest hrdwre & time overheds should not msk error indiction (Error propgtion mtrix) Trnsformtion level SubBytes ShiftRows MixColumns Round level XorRoundKey Encryption level 6

4 Error Coverge Prity bits 100 % coverge of single fults1 7 Error Detection Overheds Design I (S-Box) Are (µm ) Ltency (ns) AT Bse 33, ,069,883 w/error Detection 71, ,999,969 Overhed % +4.55% % Design II (S-Box) Are (µm ) Ltency (ns) AT Bse 6, ,107,4 w/error Detection 59, ,185,67 Overhed % +31.6% % Ltency overhed is minly due to the code comprtor Cn be reduced by moving comprtor out of the criticl pth Common design improvements cn be followed E.g., pipelining to hide ltency 8

5 Reducing the Performnce Overhed Apply complete temporl redundncy to AES but Drsticlly reduce the performnce penlty Double-Dt-Rte (DDR) technique Perform the two encryptions rounds (tht would be compred) during the sme clock cycle Use rising nd flling clock edge Lower mximum clock frequency No penlty if embedded in slow system Detection relies on the two computtions not ffected by the sme fult which cn be multi-cycle one Authors clim: smll percentge (~6%) of undetected fults; goes up to 39% for 6-cycle fults Mistri nd Leveugle, EDCs for other Block Ciphers Other ciphers use different bsic opertions, e.g., Bit-oriented opertions (DES) Modulr rithmetic with unusul modulus (IDEA) Determine the best EDC for given cipher, for exmple: Cipher DES IDEA MARS RC5 RC6 Rijndel (AES) Twofish Suggested Code Prity Residue, but expensive Residue, but expensive Prity or residue Residue Prity, per byte Prity, per byte 10

6 Detection Coverge - RC5 (Residue) 11 Protecting RSA Rndomized multiplictive msking use rndom integers M p = S d p d p mod( p r1) modϕ ( r ) 1 M1 = S mod r1 = S mod( q r) If nd M1 = M p mod r 1 M = M q mod r output M CRT ( M, M ) else Error detected p = q A fult injected during the CRT combintion not detected M q d q d q modϕ ( r ) M = S mod r r1 r Shmir, 1999 Another option: Use Residue codes Fits modulr rithmetic The result residue check bits of ny opertion cn be esily obtined from the check bits of the opernds 1

7 Residue code for RSA: Overheds The residue modulus is 16 1 The lising probbility (i.e., error not detected) is Countermesures - pssive SCAs

8 Countermesures - pssive SCAs Countermesures - pssive SCAs

9 Countermesures - pssive SCAs Countermesures - pssive SCAs

10 Countermesures - pssive SCAs Countermesures - pssive SCAs

11 Countermesures - pssive SCAs Countermesures - pssive SCAs

12 Countermesures - pssive SCAs Countermesures - pssive SCAs

13 Countermesures - pssive SCAs Fult Detection not lwys sufficient Exmple RSA Cn be protected ginst fult injection using residue check or encrypting M & compring to S Is vulnerble to power nlysis more power consumed if d i =1 Modified to use sme power + fult detection Still vulnerble to fult injection Inject fult in clcultion of b if correct M, one bit of d is deduced Fulty result not needed! Shut down if severl fults detected! Yen nd Joye, 000 6

14 Montgomery-step Algorithm Intermedite vlues of & b re used nd n injected fult will be detected Provides nother wy to detect fults: & b must be of form (M,SM) Checking this reltion detects most fults except bits of d or number of loop itertions these must be checked seprtely (e.g., EDC) Joye nd Yen, 00 7 Sfe-error error Resistnt Algorithm Avoid decision tests Check errors in d nd loop counter Error detected if 1 S 0 mod N Girud, 005 Algorithm_4 0 = S S for i from n- to 1 do if (loop counter nd d not modified) then else 1 = = return return error ( S, N, dn 1,..., d0) mod N = mod N 1 0 d d i 1 i 0 = = 0 d mod N i i d ( 1 d 0, ) i mod N mod N 8

15 AES - Successful ttck even if fults detected Provide ll-zero input to AES encryption An initil round key is dded (XOR) : stte=key Before SubBytes inject stuck-t-0 fult into bit j If result is correct then bit j of key is 0 Even duplicting the encryption will not help it does not mtter whether the fult ws detected or not Unless the number of llowed fults is limited Attck is complicted exct timing nd precise loction of fult nd fult type If strict timing nd loction re not prcticl repeting the experiment mny times will llow extrcting the secret key Attck cn be done if byte (or severl bytes) re reset to 0 If key byte j is reset to 0, perform 56 encryptions with byte j of messge ssuming vlues 0 to 55 the one tht mtches the fulty ciphertext revels byte j of key (.k. Collision Fult ttck) Blomer nd Seifert, Combining Pssive nd Active Attcks Mny current cryptogrphic devices include seprte countermesures ginst power ttcks nd fult injection ttcks Two new questions/chllenges Cn countermesure ginst one type of ttcks mke the other one simpler to execute? Wht hppens if the ttcker uses combintion of pssive nd ctive ttcks? 30

16 Cn the presence of error checking circuitry mke power ttck simpler? Correltion Power Anlysis (CPA) Bsed on liner reltionship between power nd Hmming weight of dt processed AES implementtion with no error check circuit Correct key distinguishble fter 160 trces 31 Differentil Power Anlysis 1. Collect mny ciphertexts nd the power trces for the lst round. Guess byte of the finl round key 3. Clculte the trget byte bsed on the guess 4. Select one bit of the trget byte B 5. Divide the power trces into sets: those for B=1 nd those for B=0 6. Clculte the verges of the sets nd the difference between the verges 7. If the verge depends on B there will be spike in the dt indicting correltion 8. If the guess (of the key byte) is correct the power should depend on the vlue of B 3

17 33 34

18 Correltion Power nlysis * Construct power model to estimte the power for every vlue of one byte of the lst round key * Clculte the correltion between the estimted power nd the power trces * The highest correltion indictes the correct key byte 35 Power Attcks in the presence of error checking AES with prity bit per byte Correct key distinguishble fter 130 trces For residue mod 3 code correct key distinguishble fter 100 trces 36

19 Fult Injections tht mke DPA fesible Circuit techniques to protect HW implementtions ginst DPA hve been developed Specilly designed blnced gtes for which the power consumption is equl for ll dt Fults injected in the blncing prt of the circuit will imblnce it but will not cuse logicl error Cn not be detected by ny redundncy scheme If 4 out of 137 gtes were mde imblnced (through fult injection) the protected circuit ws s vulnerble to DPA s n unprotected circuit A possible countermesure is dding differentil current comprtors tht would detect the imblnces Kulikowski, Krpovsky nd Tubin, Protecting RSA ginst DPA nd Fults The fult resistnt lgorithm is multiplictively blinded by rndom number r mking it DPA resistnt s well The increse in execution time vs. Algorithm_4 is bout 45% A fult is not detected if injected during the computtion of = mod N Modified lgorithm developed in 008 by Kim & Quisquter Algorithm_5 Select rndom number r 0 r; 1 = rs; for i from n-1 to 1 do return ( S, N, dn 1,..., d0) = = r 1 = 10 mod N 0 = 0 mod N = mod N d d i i = N i d mod d i = d mod N i = mod N ( 0, 1) Fumroli nd Vigilnt,

20 Protecting AES ginst DPA nd Fults To protect n fult-resistnt AES implementtion ginst DPA one cn msk ll 16 dt bytes with rndom number r1 nd ll key bytes with r Injecting fults in the first XOR opertion using the Collision Fult Attck llowed recovering the key with 11 fult injections (Amiel, Clvier nd Tunstl, 006) To protect ginst the bove use 16 different rndom msks insted of one Cn not use S-Boxes (would need 16 tbles for ech vlue of ri) This implementtion incresed the re by ~40% nd the ltency by ~50% 39 AES DPA nd DFA Recent results Recently (010) modified collision fult ttck ws developed requiring ~1568 fults to be injected One countermesure tht hs been suggested duplicte the AES rounds tht re exposed to the ttck The duplicted rounds should be performed with two different msks Bytes should be processed in rndom order The first 3 nd lst 3 rounds duplicted leding to Ltency overhed of bout 400% vs. the previous 50% 40

21 Conclusions The need to protect cryptogrphic devices ginst pssive nd ctive side chnnel ttcks is well estblished A strong cipher is insufficient Hrdwre nd/or softwre ids must be included in the design to counterct side chnnel ttcks Current techniques incur high overhed Interctions mong different side chnnel ttcks must be further investigted Seprtely protecting ginst individul side chnnel ttcks is insufficient The currently known techniques to counter both pssive nd ctive ttcks hve high overhed 41