Electromagnetic Transient Fault Injection on AES

Amine DEHBAOUI ¹, Jean-Max DUTERTRE ², Bruno ROBISSON ¹, Assia TRIA ¹
Fault Diagnosis and Tolerance in Cryptography, Leuven, Belgium, Sunday, September 9, 2012
(1) (2)

Outline
- Context
- Electromagnetic pulse injection bench
- Transient electromagnetic fault on a software implementation of the AES
- Transient electromagnetic fault on a hardware implementation of the AES
- Transient electromagnetic fault on a hardware implementation of the AES with countermeasure
- Conclusion

17 September 2012

Context: Synchronous Digital IC Timing Constraints

[Figure: data path from flip-flop Dff i through combinational logic (labels n, m, D_pmax) to flip-flop Dff i+1, both clocked by clk]

data arrival time = $D_{clk \to q} + D_{pmax}$
data required time = $T_{clk} + T_{skew} - T_{setup}$

$T_{clk} > D_{clk \to q} + D_{pmax} - T_{skew} + T_{setup}$

Annotation on the slide: F(Vdd)

Violating this timing constraint results in fault injection.
Usually ICs are designed to tolerate Vdrops < 0.1 x Vdd.

Context: Fault Injection

[Figure: plaintext 11001010101010101010; correct ciphertext 00001010101010101010; faulty ciphertext 00001010101010100010]

Modifying the behavior of the chip and recovering sensitive data.

Various experimental setups are used:
- Underpowering / overclocking a device
- A rise in temperature may also induce faults
- The use of optical radiation: flash bulb, laser beam
- The use of EM radiation: harmonic, pulse

Context: Fault Injection and the EM Channel

EM channel, main strengths:
- Does not require depackaging the target.
- Targets the upper metal layer (power/ground or clock networks).
- May bypass some countermeasures (light sensors, global power filtering...).
- Low cost and no specific countermeasures.

Our objectives:
- Report actual fault injections on two typical targets (HW/SW).
- Explain the behavior of the faults induced by a very short EM pulse (EMP).
- Analyze whether the effect of the EMP on the target is global or local.
- Find out the mechanism involved in the injection of a fault by an EMP.

Electromagnetic pulse injection bench

CEA, 10 April 2012

Platform built of:
- Pulse generator
- Rohde & Schwarz magnetic antenna (500 µm diameter)
- X-Y-Z motorized stage
- Control PC (GPIB + RS232)

Pulse generator characteristics:
- Amplitude: 1-100 V
- Pulse width: 9 ns - 1 ms
- Rising / falling times: 5 ns
- Low jitter: < 45 ps

[Figure: bench diagram with labels: control PC, GPIB, pulse generator (Pulse gen.), motorized stage, target (MCU / FPGA), I/O, trigger signal]

Transient electromagnetic faults on a software implementation of the AES

Smartcard emulation board:
- 8-bit AVR ATmega128 MCU (0.35 µm technology)
- Harvard architecture
- 128 KB Flash program memory
- 4 KB SRAM
- Operating voltage: 4.5 - 5.5 V
- Operating frequency: 3.57 MHz => Tclk = 280 ns
- Software AES implementation

EMP parameters:
- Z position: < 500 µm
- EMP amplitude: 100 V
- EMP width: 50 ns
- Clk period: 280 ns
- Rise/fall times: 5 ns

[Figure: power supply trace during EMP injection]

Voltage drop of about 200 mV. Does this voltage drop induce faults?

- Powered chip: 5 V
- Execution of the AES-128
- Trigger signal at the beginning of the 10th round
- We swept the instant of the EMP by steps of 100 ns
- At each step => 1000 encryptions with and without EMP
- The faulty byte is determined

[Figure: AES state, a 4 x 4 byte matrix S0,0 to S3,3]

[Figure: timeline of AES encryption, round 10 (90 µs)]
State bytes, in the order shown on the slide: S0,2 S1,0 S2,0 S3,0 S0,1 S3,1 S2,2 S1,3 S0,0 S0,3 S1,1 S2,3 S2,1 S1,2 S3,2 S3,3
Time marks (µs), in the order shown on the slide: 0.28 5.53 6.53 9.78 12.4 19.3 25.5 33.7 55.7 63.4 65.9 69.5 74.5 75 87.5 87.9

[Figure: occurrence rate of the induced faults versus EMP amplitude]
Labels on the slide: Slack > 0; Slack = 0 (+/-) ξ; Slack < 0

- Deterministic and reproducible effect
- EMP injection prevents the CPU from executing some instructions by violating the timing constraints

AddRoundKey opcodes:

    LDD  R24, Y+i     ; load subkey
    LD   R25, X       ; load state
    EOR  R24, R25     ; exclusive OR
    STD  Z+i, R24     ; store result

SubBytes and ShiftRows opcodes:

    LDD  R26, Y+i     ; load state address
    LDI  R27, 0x00
    SUBI R26, 0x00    ; 16-bit subtract, low byte:  R27:R26 -= 0xF500
    SBCI R27, 0xF5    ; 16-bit subtract, high byte (with carry)
    LD   R24, X       ; load state i
    STD  Y+k, R24     ; store state i
    LDI  R31, 0x00
    SUBI R30, 0x00    ; 16-bit subtract, low byte:  R31:R30 -= 0xF500
    SBCI R31, 0xF5    ; 16-bit subtract, high byte (with carry)
    LD   R24, Z       ; load state i+1
    STD  Y+i, R24     ; store state i+1

Transient electromagnetic faults on a hardware implementation of the AES

Target:
- FPGA Spartan 3 (130 nm technology)
- Operating voltage: 1.2 V
- Operating frequency: 100 MHz
- Hardware AES implementation

[Figure: floorplan with blocks Round Exe, FSM, Key Exp]

EMP parameters:
- Z position: < 500 µm
- EMP amplitude: 100 V
- EMP width: 10 ns
- Clk period: 10 ns
- Rise/fall times: 5 ns

- At each position, an EMP is injected (100 V, 10 ns)
- The corresponding faulted ciphertext is retrieved
- 1,000 encryptions of the same plaintext
- 30x30 different locations
- Antenna diameter: 500 µm
- Displacement step: 500 µm

[Figure: floorplan (Round Exe, FSM, Key Exp; dimensions labelled 7 mm) beside the faults cartography (30 x 30 grid; colour scale: faulted bytes)]

- Localized effect of the EMP
- Good correlation between the floorplan and the cartography
- Deterministic and reproducible effect

[Figure: faults cartography (X, Y) with three probe positions marked: Position 1 (X1, Y1, Z), Position 2 (X2, Y2, Z), Position 3 (X3, Y3, Z). For each position, a bar chart of fault occurrence (0% to 60%) per byte (byte 0 to byte 15), split into single-bit faults and multi-bit faults]

- Ability to inject single-bit and multi-bit faults into AES calculations
- Induced faults are timing faults
- May fault any paths (even subcritical paths)

Transient electromagnetic faults on a hardware implementation of the AES with countermeasure

Target:
- FPGA Spartan 3 (130 nm technology)
- Operating voltage: 1.2 V
- Operating frequency: 100 MHz
- Hardware AES implementation
- Countermeasure (detection of timing violations)

[Figure: countermeasure schematic with labels: CLK, programmable monitoring delay, CLK delayed, comp, alarm]

- At each position, an EMP is injected
- The corresponding faulted ciphertext (if any) is retrieved
- The value of the alarm flag is stored
- 1,000 encryptions of the same plaintext
- 30x30 different locations of the injection probe (step 500 µm)

[Figure: alarms cartography (alarm / no alarm) beside the faults cartography, both on the 30 x 30 grid]

- Localized effect of the EMP
- The EMP is detected only in some positions
- Possibility to induce faults without triggering the alarm
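The campaign above stores, for every probe position, the ciphertext and the alarm flag; the sketch below is an added example (not code from the slides or the authors) of how an evaluator could reduce such records to a detector coverage figure and a list of positions where faults passed without an alarm. The record layout `(x, y, ciphertext, alarm)`, the function names and the rule of classifying a fault by the number of flipped bits in each differing ciphertext byte are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

def classify(reference: bytes, observed: bytes) -> dict:
    """Assumed rule: label each differing ciphertext byte by flipped-bit count."""
    kinds = {}
    for i, (r, o) in enumerate(zip(reference, observed)):
        diff = r ^ o
        if diff:  # a power of two means exactly one flipped bit
            kinds[i] = "single-bit" if diff & (diff - 1) == 0 else "multi-bit"
    return kinds

def new_cell() -> dict:
    return {"runs": 0, "faulty": 0, "alarms": 0, "undetected": 0,
            "bytes": defaultdict(lambda: {"single-bit": 0, "multi-bit": 0})}

def summarize(reference: bytes, records) -> dict:
    """records: hypothetical (x, y, ciphertext, alarm) tuples, one per encryption."""
    grid = defaultdict(new_cell)
    for x, y, ciphertext, alarm in records:
        cell = grid[(x, y)]
        cell["runs"] += 1
        cell["alarms"] += int(alarm)
        kinds = classify(reference, ciphertext)
        if kinds:
            cell["faulty"] += 1
            cell["undetected"] += int(not alarm)  # fault, alarm silent
            for i, kind in kinds.items():
                cell["bytes"][i][kind] += 1
    return grid

def coverage(grid: dict):
    """Return (share of faulty runs that raised the alarm, blind positions)."""
    faulty = sum(c["faulty"] for c in grid.values())
    undetected = sum(c["undetected"] for c in grid.values())
    blind = sorted(pos for pos, c in grid.items() if c["undetected"])
    return ((faulty - undetected) / faulty if faulty else 1.0), blind

def flip(ct: bytes, index: int, mask: int) -> bytes:
    return ct[:index] + bytes([ct[index] ^ mask]) + ct[index + 1:]

# Constructed sample campaign (not measurements from the slides).
REF = bytes(range(16))
SAMPLE = [
    (0, 0, REF, False), (0, 0, REF, False), (5, 10, REF, True),
    (5, 10, flip(REF, 3, 0x01), True), (5, 10, flip(REF, 3, 0x01), True),
    (12, 7, flip(REF, 15, 0x81), False), (12, 7, flip(REF, 14, 0x10), False),
]
if __name__ == "__main__":
    print(coverage(summarize(REF, SAMPLE)))
```

Positions returned as blind are where the monitored delay path and the faulted data path do not see the same disturbance, which is the localized effect the cartographies show.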

Conclusion

- Ability to inject single-bit and multi-bit faults into AES calculations
- Induced faults are timing faults due to voltage drops
- Localized effect: the coupling depends on the IC layout
- May bypass power supply low-pass filtering
- May fault any paths (even subcritical paths)

Any questions?

Email: amine.dehbaoui@cea.fr
Direction de la Recherche Technologique, DSIS / LCS, Systèmes et Architectures Sécurisés
Commissariat à l'énergie atomique et aux énergies alternatives
Centre de Microélectronique de Provence, 13541 Gardanne
T. +33 (0) 4.42.61.67.31, F. +33 (0) 4.42.61.65.92
Public industrial and commercial establishment, RCS Paris B 775 685 019