Static Fault Attack on Hardware DES Registers Philippe Loubet-Moundi, Francis Olivier, and David Vigilant Gemalto, Security Labs, France {philippe.loubet-moundi,david.vigilant,francis.olivier}@gemalto.com http://www.gemalto.com Abstract. In the late nineties, Eli Biham and Adi Shamir published the first paper on Differential Fault Analysis on symmetric key algorithms. More specifically they introduced a fault model where a key bit located in non-volatile memory is forced to 0=1 with a fault injection. In their scenario the fault was permanent, and could lead the attacker to full key recovery with low complexity. In this paper, another fault model is considered: forcing a key bit to 0=1 in the register of a hardware block implementing Data Encryption Stan- dard. Due to the specific location of the fault, the key modification is not permanent in the life of the embedded device, and this leads to apply a powerful safe-error like attack. This paper reports a practical validation of the fault model on two actual circuits, and discusses limitations and efficient countermeasures against this threat. Keywords: Hardware DES, fault attacks, safe-error, register attacks 1 Introduction Fault attacks against embedded systems exploit the disturbed execution of a given program to infer sensitive data, or to execute unauthorized parts of this program. Usually a distinction is made between permanent faults and transient faults.A permanent fault alters the behavior of the device from the moment it is injected, and even if the device is powered off [8]. On the other hand, a transient fault has an effect limited in time, only a few cycles of the process are affected. This paper deals with static faults which lie in between. A static fault modifies a value loaded in a volatile storage, until the next power off or sooner if the effect is erased and repaired by the device itself, or if the value is electrically re-programmed. In 1996, Boneh et al. published the first paper on Differential Fault Analy- sis (DFA) against cryptographic implementations [5]. Targeting the RSA-CRT, they demonstrated that exploiting a faulted cryptographic result could lead to a recovery of the private key. This sort of attack has been widely applied to other cryptographic algorithms during the last two decades. Naturally, a block cipher such as the famous Data Encryption Standard (DES), standardized in 1977 [13], quickly became a privileged target for DFA. 2 Static Fault Attacks on Hardware DES Registers Indeed a few weeks later, Eli Biham and Adi Shamir published a very com- plete and interesting paper [3] presenting a large coverage of DFA applied to DES. More particularly, they imagined a strong fault model applicable to any secret key algorithm. Forcing key bits in non-volatile memory (NVM) to 0 one by one by fault injections, they were able to recover the key. Their fault model has been identified as very realistic, because of the NVM memory structure. In this paper, a fault model slightly different is considered and validated by the practice on two hardware DES engines. This fault model allows mounting a "Safe-Error"(SE)-like attack. The "Safe-Error" naming has been introduced by Sung-Ming Yen and Marc Joye and then mainly applied to public key algorithms (RSA, DH, ECC). This attack technique was already used but it has been for- mally identified and well described in their paper [20]. Indeed their attack mainly targets the "square-and-multiply always" algorithm [6]. By disturbing the ith multiplication in the exponentiation, the attacker is able to recover the ith bit of the secret exponent. If the result is good, it means that the multiplication is fake (bit = 0) otherwise it is a true one (bit = 1). Each exponent bit can be disclosed by repeating this process. Even if there is a specific reaction from the device when the faulty result is detected, the attacker has the information. They pointed out in their paper that this approach can also be applied to symmetric key algorithms. Indeed, whatever the algorithm, if an attacker is able to guess a bit value from an error-free and a faulty result, or even a fault reaction, this attack remains very powerful. However they admitted that the theoretical work on the extension and exact cryptanalytic process for specific systems are still under construction. Only a few concrete scenarios of SE attacks on symmetric key algorithm have already been published so far [4]. Considering a new fault model, this paper shows another powerful SE attack scenario on a TDES implementation, even with actual countermeasures. Organization of the paper: This paper first briefly reminds the context of hardware DES, related fault attacks and existing countermeasures. In the next part, after having defined the fault model and the static fault attack on key registers, experimental results validating our fault model are reported. These experiments are described from the set-up phase, through the fault injection and the results observed. Finally in the last section, presenting the required success conditions in an objective manner, the limitations of the attack in the real world, as well as efficient countermeasures are discussed. 2 Hardware DES, DFA and Existing Countermeasures 2.1 Hardware DES After its standardization in 1977, DES has been widely deployed. It has been revoked and replaced by the Advanced Encryption Standard (AES) in 2001 [15]. Static Fault Attack on Hardware DES Registers 3 However, under its Triple DES (TDES) version using 3 56-bit keys [14], the Data Encryption Standard is still approved by NIST until 2030 [16]. As the main block cipher algorithm in the late nineties, it has been the objects of many hardware implementations. Today, most smart cards host a hardware DES engine by default because it is intensively used in many cryptographic applications. Today's hardware DES engines usually implement the whole algorithm and an interface between software and hardware which consists of: { A key register dedicated to the key value. This register is write-only { A data register dedicated to the input data block. This register is write-only { A configuration register dedicated to configure the performed calculation (encryption, decryption, 3DES key length, DES start engine, DES comple- tion notification) Implementing TDES using a dedicated hardware engine is user-friendly, and it significantly improves timing performances. 2.2 DFA on DES and Existing Countermeasures Many vulnerabilities against fault attacks have been identified in DES, as for example the DFA in the 14th round [3], or in other rounds [17,11]. As a con- sequence, protections have also been developed to counter DFA. Several of the most popular ones (software or hardware) are described below: DES hiding: One may hide the DES signal on the power trace. If the at- tacker faces difficulty to recognize with side-channels means where the DES is performed, it should be more difficult to inject a fault. Random timing jitter: One may add random timing jitter during DES phases to make synchronization (hence fault injection) more complex. Rounds redundancy: One also may perform several times some of or all the rounds, and compare the intermediate results. This may impact performances. Reverse computation: The ciphertext block may be decrypted just after an encryption, and the result compared with the original plain text. Code tracing: Automatic increment of flag bits in the code can be useful to trace the DES execution flow and guarantee that all critical steps of the code have been executed. Logic gates modification: Multiple rails logic (custom cells) with forbid- den states may be used to detect perturbations. Even if the resistance needs to be improved [19], the main drawbacks of these technologies is the effective cost of hardwired macro blocks compared to a standard implementation of cells in advanced semiconductor technologies. 4 Static Fault Attacks on Hardware DES Registers 3 The Attack: Description and Experiments 3.1 The Attack Description Fault Model A strong fault model is considered for our attack. We assume that a fault injection is able to force the key bit value stored in the DES hardware key register described in 2.1, until the next update, the next reset, or the next start up of the device. These registers are the basic elements of a microcontroller's circuit. They are used to store volatile data that are manipulated by the device close to the processing unit. At start up, the register can be fixed to a default value, or can remain uninitialized. Each bit structure is made of a basic combination of a few gates to build a storage element. Most frequently, latches or flip-flops are used to store the bit value. This value is changed on a master signal depending on the input value. The latch is sensitive to a level applied on the master signal, the flip-flop reacts on the edge of the master signal. The number of gates used in a latch or a flip-flop can vary from 4 to 8 in simple designs. A huge work has been undertaken for years to evaluate the resistance of latches and flip-flops against perturbations [12]. Single event upset or single event transient can be prevented with hardware redundancy techniques. But, for cost reasons, it is a real constraint to duplicate or triplicate all the registers of a secure chip used in commercial devices (e.g. smart card). Attack Scenario The fault is induced after the key loading and before the DES/3DES computation. Let us consider that the ith key bit can be forced to a specific value 0 (resp. 1) in the DES hardware key register. The attacker runs an encryption of an unknown block, without injecting any perturbation, and gets the result.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages17 Page
-
File Size-