Hardware Security and Trust Giorgio Di Natale, CNRS 1 License Information This work is licensed under the Creative Commons BY-NC License To view a copy of the license, visit: http://creativecommons.org/licenses/by-nc/3.0/legalcode 2 Disclaimer • We disclaim any warranties or representations as to the accuracy or completeness of this material. • Materials are provided “as is” without warranty of any kind, either express or implied, including without limitation, warranties of merchantability, fitness for a particular purpose, and non-infringement. • Under no circumstances shall we be liable for any loss, damage, liability or expense incurred or suffered which is claimed to have resulted from use of this material. 3 Scenario • Security is all around… – Identification, private communication, electronic signature, access control, electronic purse, digital right management, software protection... 4 Motivation • Hardware security and trust now play critical roles as computing is intimately integrated into many infrastructures that we depend on • Hardware Security – dealing with (secret) data in hardware devices • Hardware Trust – dealing with design and manufacturing of devices 5 Outline • Hardware Security – Side-Channel Attacks – Fault Attacks – Manufacturing Test Issues • Hardware Trust – Counterfeiting – Hardware Trojan Horses 6 HARDWARE SECURITY 7 Scenario • How to protect a (digital) secret: – Secure storage of confidential data – Cryptographic capabilities • Implementation: – Crypto algorithms integrated as hardware devices – E.g., smartcards, crypto-cores, crypto- processors, hardware security module 8 Encryption/Decryption Encryption K2 Plaintext Ciphering Cipher Deciphering Plaintext text K1 Decryption • Algorithms: – Symmetric: K1=K2 – Asymmetric: K1≠K2 9 Advanced Encryption Standard (AES) - 2001 10 AES: Generic HW Implementation Plain Text First Operaon Round Key Generator Round Round Register Last Operaon Controller Output Register Cipher Text 11 Motivation • Crypto-algorithms very strong, but… • New threat: hardware implementation!! Side Channel Attacks • Power • Electromagnetic • Light • … Fault Attacks • Laser • Electromagnetic • … Test Infrastructures 12 Side-Channel Attacks • Based on information gained from the non-primary interface of the physical implementation of a cryptosystem – Timing information Side – Power consumption Channel – Electromagnetic leaks – Sound – Light Brute – … Force 13 Simple Power Analysis on RSA Introduction Le TEMPEST Le clavier PS/2 Le RSA Perspectives... Conclusion Input:Impl´ementation:!X, N, K=(k Exponentiationj-1, …, k1, k0)2! Modulaire Output: !Z = XK mod N! ! Input: X , N, E =(ek 1,...,e1, e0)2 1: !Z = 1;! Output: Z = X E−mod N 2: !for i=j-11: downtoZ := 1; 0 {! 3: ! !Z = Z2: *for Zi =modk 1Ndownto //Square0 ! 3: Z := Z−* Z mod N;–squaring 4: ! !if (ki==1) {! 4: if (ei =1)then 5: ! ! !Z5: = Z Z*:= XZ mod* X modN //MultiplyN;–multiplication! 6: ! !}! 6: end if 7: !}! 7: end for Key Bits 1 0 1 0 0 0 Operation Square Mutiply Square Square Mutiply Square Square Square Waveform Figure 6: Principe de la SEMA sur le RSA. 14 O. Meynard, < [email protected] > GDR SoC-SiP 37/62 Differential Power Analsys • Differential Power Analysis (DPA) attacks – it requires the knowledge of the algorithm but not its physical implementation – it is cheap and easy to perform • The basic idea is to correlate the power consumed by the device and the encryption data including the key 15 Power Consumption of CMOS IN Vdd Idd OUT (a) Idd IN (b) OUT (a) (b) C Switching Through + Through current current Current that flows from Vdd to GND when the p- channel transistor and n-channel transistor turn on briefly at the same time during the logic transition 16 Power attack on XOR gate Vdd OUT = 0 Din Idd OUT = 1 Din Idd = 0 = 1 17 Input patterns • Target node: output of a gate within the circuit • Sequence of input patterns: – P0, P1, …, Pn – T1(P0àP1), T2(P1àP2), ..., Tn(Pn-1àPn) • Logic simulation to create two sets: – (PA) transitions that make the target node to commute from 0 to 1 and therefore that make the target gate to consume – (PB) transitions that do not lead the target gate to participate to the power consumed by the circuit 18 DPA: Basic Principle • We classified the two sets in such a way that the set PA always leads to a component of power consumption that Average is not present in Vectors belonging to PA the set PB Average Vectors belonging to PB à Power(PA) > Power(PB) 19 DPA: Performing the Attack • Target node: – output of a gate whose value depends on both the plain text under ciphering (primary inputs) and the secret key • Basic idea: – All the key suppositions – For each key guess, creation of the two sets PA and PB 20 DPA: Target Node 128 128 Input I1 I2 8 8 f O = f (I1, I2) 21 Data Inputs: T , T , ..., T f O = f (Key, Data) 1 2 12 Key Key: Kx (8 bits) T1 PA) T T1 T3 T5 T6 7 0 K1 Average PA – PB ≅ 0 T1 PB) T2 T4 T8 T9 1 T12 ... T PA) 1 T1 T4 T6 T8 T12 0 Kx Average PA – PB = T1 PB) T2 T3 T5 T7 T9 1 ... T T PA) 1 1 T2 T3 T8 T6 1 0 Average PA – PB ≅ 0 K256 PB) T1 T4 T5 T9 T7 T12 22 DPA: Result 23 Light Emission Optical detector system http://www.vvku.eu/cv/efa/background.html 24 Countermeasures • Goal: removing the correlation between processed data and the physical interface • Methods: – Adding noise (random power consumption, clock jitter, logic masking, random dummy calculations, …) – Making constant the physical interface (dual logic, triple logic, …) 25 Motivation • Crypto-algorithms very strong, but… • New threat: hardware implementation!! Side Channel Attacks • Power • Electromagnetic • Light • … Fault Attacks • Laser • Electromagnetic • … Test Infrastructures 26 Fault Attacks 1 0 1 1 0 0 1 1 … Hypothesis: Injection forces a ‘0’ on a single bit of the secret key 1) COK=E(P) 2) Calculate C’=E(P), Encryption while injecting a fault Input Output 3) If C’ = COK à target bit is ‘0’ else à target bit is ‘1’ 27 Differential Fault Attacks D Hypothesis: Single-bit fault in byte j 9 9 ! = SubByte ! SubByte ! C SR( j) D SR( j) (M j ) (M j e j) 28 Fault Attacks 29 # !l2 t % # ! % % e 4"D(t) ! n (t) = % % LET(t). dldS S % % 3/2 % ".D(t).t % $ ( ) $ l Fault Attacks S drain I(t) = nS (t)× q × vxd (t) SEE induced current lower than that collected by a drain junction current diminished to 200µA, whereas PMOS-BIVS, and (b) the current it collects is lower a 6mA current flowed through the Pwell-deep Nwell than the current generating the SEE. junction. These figures are similar to those of the PMOS. Using triple-well CMOS creates more than an 4. Improving BBICS efficiency order of magnitude difference between the lower cur- rent contributing to SEE generation and the higher From the analyses drawn in section 3, we derived current potentially monitored by a BBICS. On basis two solutions to improve BBICS efficiency (4.1 and of these experiments we recommend the use of triple- 4.2). well CMOS to obtain an optimal use of BBICS. 4.1. Use of triple-well CMOS 4.2. Single BBICS architecture Modern CMOS technologies generally offer a triple- We also developed a new BBICS architecture well well option. It consists in embedding the NMOS tran- suited for the monitoring of triple-well CMOS logic: sistors into P-type well (or Pwell) isolated from the the ’single BBICS’ pictured in Fig. 7. It is de- Psubstrate. The Pwell containment is made laterally signed to monitor simultaneously NMOS and PMOS: with Nwell implants and with a deep Nwell implant its NMOS bulk and PMOS bulk inputs are respec- underneath.Information The deep Nwell and Nwell are electri- tively connectedDetectors to the corresponding Pwell and Nwell cally connected, both normally biased at 1.2V. biasing contacts. RedundancyG Vdd ! out_d S D (1.2V) B (gnd) DNwell bias (floating) LVT Gnd Vdd Mp1 HVT out_d reset Mn_reset Mp4 Gnd Validation via Fault Simulation: tLifting Mp_t Vdd HVT N+ N+ P+ N+ Mn1 LVT HVT Gnd Mp3 Nwell Pwell Nwell outb Gnd out PMOS_bulk e . Vdd Tabl 2 ! :;<&5*4&!$+,#5&'),$'#=>#-?/@?AB#+!"#-./011# NMOS_bulk LVT ’0’ => ’1’ ! Deep Nwell ’1’ => ’0’ Q*#+5*1)! Mn3 HVT P−substrate Mp2 Vdd HVT Mn_t outb_d !!!!!!!!!"#$%&#'!#()*$+,'#*(! !!-,&.'!/#+&.,'#*(!0/1! !! laser Gnd Vdd Mn4 resetb Mp_reset %#$%&#'! 2#34! 54%'*$/! 6&.'#78494.!! !:/;#%4! -,%'*$! Mn2 HVT Vdd LVT Gnd %<=>! ??>! @@! AB??C! DDB@E! <EAF! Gnd outb_d %<GG! ?==! @@! AB?=>! EGBAD! C@<F! G D (1.2V) B (gnd) DNwell bias (1.2V) %?=DD! ?C>! @>! AB?=>! ECB<E! CDDF! S Figure 7: Architecture of the single BBICS. %?GAE! ?CG! EA! AB>>E! ?>GB?>! DCCF! %EEA! >A<! @@! AB<A<! ??GB>>! >GDF! N+ N+ P+ N+ %>C@A! >G>! ?=C! >BAD>! =G=B@E! ?G?F! Nwell The core part of the single BBICS is a latch made %=D<A! <@C! ?@?! ?BG?C! C@CB@! =D=F! Pwell Nwell Deep Nwell of two cross-coupled inverters. In monitoring state, %D=?D! CAE! ??=! <B>A<! @ADBAD! ?C@F! P−substrate node out is at low level while node outb is high. Node %@DD>! @AD! ?C@! GB<>E! ?=DCBDC! ?<=F! laser %C>EE! ?>EC! C=! EB=AE! ?><EB@D! ?DAF! out goes high to indicate the detection of any SEE HA?! =?! ?=! ABA=! C! >AAF! Figure 6: View of the laser induced currents in the Pwell-N+ induced bulk current. The BBICS connection to the HA<! <?! ?C! ABA<! DBA=! ?>DF! and Pwell-Nwell junctions of a triple-well NMOS: deep Nwell Pwell (resp. Nwell) of the monitored NMOS (resp. ! H?A! EG! ?>E! ABAG! >DBG@! >EEF! unbiased (top), deep Nwell biased at 1.2V (bottom). PMOS) (node NMOS bulk,resp.nodePMOS bulk) e .