Attack on DFA protected AES by Simultaneous Laser Fault...
Transcript of Attack on DFA protected AES by Simultaneous Laser Fault...
Attack on DFA protected AES by Simultaneous LaserFault Injections
Bodo Selmkea, Johann Heyszla, Georg Siglb, 08 / 16 / 2016
aFraunhofer Institue AISECbTechnische Universität München
� Laser Fault Injection
� Protected Hardware Implementation
� Symmetric algorithm (AES)
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 1
© Fraunhofer
FA Countermeasures
1. Direct detection by specialized sensors
2. Handling of faults with various forms of redundancy (Time, Space)
Detection Raise an alarm (interrupt signal)→ Discard output of faulty ciphertext
Infection Transform ("infect") ciphertext→ Render analysis of output by DFA impossible
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 2
© Fraunhofer
Our practical Investigation
Demonstrate successful attack against AES with duplication-basedcountermeasure using two simultaneous laser shots
� AES on FPGA
� Protection by a countermeasure based on hardware duplication
� Determine locations for Laser Fault Injection→ AES state registers
� Carry out Fault Injections into AES
� Apply DFA on record of output data→ Determine if attack is feasible (We used the DFA by Saha et al.)
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 3
© Fraunhofer
Redundant AES DesignFeatures
AES core
� 2 AES instances, one clock cycle per round
� Infection Countermeasure based on the design by Lomné et al.
� 48 MHz clock frequency
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 4
© Fraunhofer
Redundant AES DesignInfection Scheme
state 0
Δ state
outputstate 0
state 1
I state
mask
state 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 5
© Fraunhofer
Redundant AES DesignInfection Scheme
state 0
Δ state
outputstate 0
I state
mask
state 1 outputstate 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 6
© Fraunhofer
Redundant AES DesignInfection Scheme
state 0
Δ state
outputstate 0
state 1
I state
mask
state 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 7
© Fraunhofer
Redundant AES DesignFeatures cont’d
AES core
� 2 AES instances, one clock cycle per round
� Infection Countermeasure based on the design by Lomné et al.
� 48 MHz clock frequency
Generation of Trigger Signal
� Implemented on FPGA
� Adjustable delay counters, initiated with the start-signal of the AES
Device Under Test
� Xilinx Spartan-6 FPGA
� 45 nm feature size
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 8
© Fraunhofer
Used Laser System
� 2× infrared (1064 nm) laserwith 800 ps pulse length
� Beams independentlypositionable by laser scanners
� Combination of both beamsby beam splitter
� 4 µm spot size
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 9
© Fraunhofer
Preliminary InvestigationLocating the AES State Registers
� Attack requires knowledge of register location
� Use of dedicated FPGA-design to locate individual flip-flops
� Precision of the Laser sufficient to inject matching fault?
� 3-Step Approach to find the flip-flops of interest:1. Locate a BRAM near the area where the relevant slices are assumed2. Evaluate optimal focal plane for maximum precision3. Scan area to locate the specific flip-flops
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 10
© Fraunhofer
Preliminary InvestigationFF-Verification Design
Slice n
D5FF DFF
C5FF CFF
B5FF BFF
A5FF AFF
Slice n +1
D5FF DFF
C5FF CFF
B5FF BFF
A5FF AFF
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 11
© Fraunhofer
Preliminary InvestigationFF-Verification Design
Slice #527
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faultslogic errordifferent slicebit 0bit 1bit 2bit 3bit 4bit 5bit 6bit 7
� scan field 60 µm×30 µm
� step size 200 nm
� 2 laser shots per location:flip-flops initialized to 0 and 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 12
© Fraunhofer
Preliminary InvestigationFF-Verification Design
Slice #526
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faultslogic errordifferent slicebit 0bit 1bit 2bit 3bit 4bit 5bit 6bit 7
� scan field 60 µm×30 µm
� step size 200 nm
� 2 laser shots per location:flip-flops initialized to 0 and 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 13
© Fraunhofer
Preliminary InvestigationFF-Verification Design
Set (0→ 1) and Reset (1→ 0) sensitive areas
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faults
logic error
set
rst
flip
� scan field 60 µm×30 µm
� step size 200 nm
� 2 laser shots per location:flip-flops initialized to 0 and 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 14
© Fraunhofer
Performing the attack on the AESProcedure
Preparation
� Positioning of both lasers according to the previous results
� Evaluation of correct timing for the fault injection
Attack
� Start AES computation
� Inject fault into state registers during round 7
� Record output
� Test if attack was successful (Perform DFA based on ciphertext pair)
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 15
© Fraunhofer
Performing the attack on the AESResults
Shots Non-ExploitableFaults
Exploitable Faults Attack SuccessRatio
80000 21845 229 0.29 %
� Low success rate
� Single successful FI is sufficient
� Time to success: ≈ 5min
Problems:
� Jitter of laser shot
� Drift of laser spot location
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 16
© Fraunhofer
Performing the attack on the AESFeasibility of the Attack in practice
� The attack required knowledge of the location of the state registers� Activity-Analysis can reveal location of the AES cores
� Reverse-Engineering Methods can identify locations of registers
� Matching flip-flops can be found by exhaustive search(128 combinations)
� Stress on the device is low enough (All FI on single DUT)
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 17
© Fraunhofer
DiscussionCountermeasures
Prevent this attack on state registers:� Fault Space Transformation (Patranabis et al.a)
� Add an additional MixColumns / InvMixColumns Operation to one branch� The associated state register stores MixColumns-transformed version of
state� FI in the combinatorial path might be feasible
� Parity Check for altered register contents
Raising attack complexity:
� Scrambling of the flip-flop locations
� Varying timing between both AES cores
aUsing State Space Encoding To Counter Biased Fault Attacks on AES Countermeasures,2015
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 18
© Fraunhofer
Conclusion
� We successfully show how two lasers can be used in an attack
� As example, broke duplication-based infective countermeasures
� Results principally affect most hardware duplication-basedcountermeasures!
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 19
© Fraunhofer
Thank your for your attentionQuestions?
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 20
© Fraunhofer
Contact Information
Dipl.-Ing. Bodo Selmke
Department Hardware Security (HWS)
Fraunhofer-Institute forApplied and Integrated Security (AISEC)
Address: Parkring 485748 Garching (near Munich)Germany
Internet: http://www.aisec.fraunhofer.de
Phone: +49 89 3229986-132Fax: +49 89 3229986-222E-Mail: [email protected]
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 21
© Fraunhofer
Backup Slides
-100.0 -80.0 -60.0 -40.0 -20.0 0.0 20.0 40.0 60.0 80.0 100.0x [µm]
-30.0
-10.0
10.0
30.0
y [µ
m]
no data
no faults
logic error
#562
other flipflop
-100.0 -80.0 -60.0 -40.0 -20.0 0.0 20.0 40.0 60.0 80.0 100.0x [µm]
-30.0
-10.0
10.0
30.0
y [µ
m]
no data
no faults
logic error
#527
other flipflop
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 22
© Fraunhofer
Backup Slides
Slice #562
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faultslogic errordifferent slicebit 0bit 1bit 2bit 3bit 4bit 5bit 6bit 7
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 23
© Fraunhofer
Backup Slides
Total number of bit faults
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faults
logic error
1 flip-flop
2 flip-flops
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 24
© Fraunhofer
Backup Slides
state
key
plaintext
ciphertext
'0'
SubBytes ShiftRows MixColumns
roundkey
Key-Schedule
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 25
© Fraunhofer
Backup Slides
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 26
© Fraunhofer
Backup Slides
-4.0 -3.0 -2.0 -1.0 0.0 1.0 2.0 3.0 4.0x in µm
-4.0
-3.0
-2.0
-1.0
0.0
1.0
2.0
3.0
4.0
y in
µm
Address = 0, Bit = 0
set
set + other bit(s)
rst
rst + other bit(s)
toggle
toggle + other bit(s)
other bit(s)
no faults
-4.0 -3.0 -2.0 -1.0 0.0 1.0 2.0 3.0 4.0x in µm
-4.0
-3.0
-2.0
-1.0
0.0
1.0
2.0
3.0
4.0
y in
µm
Address = 4, Bit = 0
set
set + other bit(s)
rst
rst + other bit(s)
toggle
toggle + other bit(s)
other bit(s)
no faults
-4.0 -3.0 -2.0 -1.0 0.0 1.0 2.0 3.0 4.0x in µm
-4.0
-3.0
-2.0
-1.0
0.0
1.0
2.0
3.0
4.0
y in
µm
Address = 4, Bit = 0
set
set + other bit(s)
rst
rst + other bit(s)
toggle
toggle + other bit(s)
other bit(s)
no faults
Pulse energy 1.0 nJ
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 27
© Fraunhofer