Feasibility of Fault Analysis Based on Intentional Electromagnetic Interference
Total Page:16
File Type:pdf, Size:1020Kb
Feasibility of Fault Analysis Based on Intentional Electromagnetic Interference Junko Takahashi #1, Yu-ichi Hayashi ∗2, Naofumi Homma ∗3, Hitoshi Fuji #4, and Takafumi Aoki ∗5 # NTT Secure Platform Laboratories, Nippon Telegraph and Telephone Corporation, 3-9-11 Midori-cho, Musashino-shi, Tokyo 180-8585, Japan f1takahashi.junko, [email protected] ∗ Tohoku University, 6-6-05, Aramaki Aza Aoba, Aoba-ku, Sendai-shi, 980-8579, Japan f2yu-ichi@m, [email protected], [email protected] Abstract—This paper presents the feasibility of fault analysis test capabilities to generate waveforms, and understanding the using intentional electromagnetic interference (IEMI). Fault anal- effects of IEMI on equipment, systems, communications, and ysis (FA) is a kind of implementation attack that intentionally measurements [4]. extracts a secret key embedded in a secure device such as a smart card. An attacker injects a computational fault during Previous studies of IEMI showed that devices can be the cryptographic calculation and he can extract a secret key. permanently damaged or destroyed by the effects of IEMI [4], Recently, Hayashi et al. showed that temporal faults could be [5]. On the other hand, Hayashi et al. recently showed that remotely injected during the cryptographic calculation using temporal faults could be remotely injected into a target device IEMI. They showed a case study in which an Advanced Standard of an attack without any damage to the device using IEMI Encryption (AES) secret key could be extracted through fault analysis. However, the characteristics of faults that can be techniques [6], [7], [8]. They showed that the temporal faults induced by IEMI were not described. And, a threat of various could be induced during the cryptographic calculation of the FAs was not clear. In this paper, we examine in detail how the target device by adjusting the frequency of the electromagnetic IEMI fault injection affects the fault occurrence of intermediate wave. They also presented a case study in which an Advanced states in a cryptographic module and investigate the distribution Encryption Standard (AES) [9] secret key could be extracted of the IEMI generated faults. Furthermore, we classify previous FAs with respect to an attack model such as the type of faults through fault analysis (FA). FA is a kind of implementation needed to achieve a successful attack, and discuss the feasibility attack in which an attacker intentionally injects faults into of FAs using IEMI based on the experimental results. a device during the cryptographic calculation and extracts a secret key using the faulty outputs. FA represents a major ntroduction I. I threat to embedded security devices because more efficient Electromagnetic interference (EMI) is a major problem in attacks with lower attack costs have become possible and a the field of Electromagnetic Compatibility (EMC) and many secret key can be extracted within a feasible calculation time. studies on EMI suppression or reduction have been conducted In the field of IEMI, the effects of electromagnetic interfer- in order to protect the origin device or other electronic ence on the occurrence of faults in devices are a major concern devices [1]. EMI is usually considered as a disturbance noise and the feasibility of FA using the faulty outputs obtained that affects an electrical circuit due to either conducted or through IEMI must be investigated. However, characteristics radiated emissions from other devices. As a result, some EMC- of the temporal faults induced through IEMI such as the related committees have set standards regarding the immunity distribution of the number of the faulty bytes or the faulty against radiated and conducted noise and established voluntary bits in the intermediate states and the type of faults were not compliance programs [2], [3]. Current electronic devices are described in previous studies [6], [7], [8]. Also, the feasibility usually implemented in such a way as to satisfy such EMC of various types of FAs has not yet been examined in detail. standards, which basically ensures that electric devices are In this paper, we examine the type of faults induced through immune to unintentional EMI. IEMI and present which FAs can be applied if the attacker On the other hand, intentional EMI (IEMI) is an emerging exploits faults induced using IEMI. This is the first study in EMC topic and has drawn much attention from researchers and which the feasibility of various types of FAs is examined. designers of electronic circuits. IEMI is defined as intentional In order to examine fault occurrences during a cryptographic malicious generation of electromagnetic energy that introduces calculation on a device, we evaluate a type of fault such as noise or signals into electric and electronic systems, thus dis- a single byte fault (1-byte fault) or a multi-byte fault (more- rupting, confusing or damaging these systems for the purpose than-2-byte fault) during the cryptographic calculation. Then, of terrorism or crime [4], [5]. IEMI can cause severe damage we classify previous FAs with respect to the kind of attack, and or disorder even to devices that comply with the existing public evaluate the feasibility of the FAs using IEMI. The results of standards. In an attempt to address this issue, many efforts this study give perspective to which FA yields a higher threat have been made toward classification of IEMI waveforms, level using the IEMI techniques. 978-1-4673-2060-3/12/$31.00 ©2012 IEEE 782 TABLE I The remainder of this paper is organized as follows. We Typical Types of FAs describe the previous FAs in Section II. In Section III, we describe the experimental results of the IEMI fault injection. Attack Method Location of Fault Injection We present the feasibility of the previous FAs based on the Differential fault analysis Data calculation part experimental results in Section IV. Finally, we conclude the Safe-error attack Data calculation part ff paper in Section V. Ine ective fault analysis Data calculation part Round reduced fault analysis Instruction part II. Description of Previous Fault Analysis In this section, we overview previous FAs. FA comprises two attack steps. The first step is to inject cryptanalysis, a cryptanalytic technique against block a fault into the target device to induce a temporal fault or ciphers that was proposed by Biham and Shamir [16]. a permanent fault during the cryptographic calculation. The Most DFA methods employ a random fault model, i. e., an second step is to analyze the faulty outputs obtained based intermediate state is randomly corrupted by the injected on the injected fault in the first step to extract a secret key. faults. The attacker needs to induce faults in the first step in order • Safe-Error Attack (SEA) is an attack that targets the to satisfy the attack conditions, such as the type of fault and cryptographic algorithm with a dummy operation such as location of the injected fault, used in the analysis in the second the add-and-double-always algorithm [17], [18]. A SEA step. We describe three typical fault injection methods below. is based on the observation that some faults will not change the results if faults are induced during the dummy • Laser beam is a powerful but expensive method for operations. The attacker needs to extract the bits of the injecting faults such as one-bit flips at the exact timing secret key one-by-one using this attack method. of the cryptographic calculation. As an example, in [10], • Ineffective Fault Analysis (IFA) is an attack that exploits fault injection using laser beam was shown and the simple information whether or not the injected fault yields authors showed that laser beam enables a precise and a faulty output [19], [20], [21]. IFA employs a stuck-at localized fault injection. Using a laser beam, it can cause fault model. An attacker sets an intermediate variable to a the stuck-at fault that an intermediate variable to a fixed fixed value such as zero. The fixed value is either known value. to the attacker or it can be guessed. If the output has • Supplying underpowered voltage is a simple and in- a fault or if a fault occurrence is detected, the attacker expensive method for injecting faults [11]. It provokes knows that the original value of an intermediate state was byte-oriented faults because it takes a longer time to fix different from the induced value. Using this information, the output of a combinational logic circuit than usual and the attacker can guess the secret key. it causes a set-up time violation in which the processed • Round Reduced Fault Analysis is an attack that is values are not fixed before one set-up time point ahead executed against round reduced block ciphers using a of the next clock edge. In [11], approximately 16 % of fault injection [22], [23]. The attacker needs to induce the collected faulty outputs were suitable for application faults into the instruction step such as the counter for to FA on AES [12]. Using an underpowered voltage, the number of rounds of block ciphers and skip the transient faults can be induced, i.e., we can reset the round operation of the cryptographic algorithm. Using the device to its original state, and then induce faults into output after reducing the number of rounds, the attacker the same device. applies differential cryptanalysis [16] and he can guess • Supplying over-clocking is also a simple and inexpensive the secret key. method that employs underpowered voltage. It induces byte-oriented faults at the exact timing during the cryp- In Table I, we categorize the attack methods in terms of tographic calculation through a set-up time violation. the location of the fault injection during the cryptographic Some experimental methods for the fault injection into the calculation.