TRUDEVICE Training School on Trustworthy Manufacturing...

Countermeasures against Fault AttacksTRUDEVICE Training School on Trustworthy Manufacturing and

Utilization of Secure Devices

Victor LOMNE

ANSSI (French Network and Information Security Agency)

Monday, July 14th, 2014 - Lisbon, Portugal

Introduction| Overview of Countermeasures| Application to Cryptography| Practical Cases| Conclusion|

Agenda1 Introduction

a. Fault Zoologyb. Countermeasures

2 Overview of Countermeasuresa. Analog Levelb. Digital Level

3 Application to Cryptographya. Generalitiesb. Redundancyc. Infection

4 Practical Casesa. Examplesb. Real World Attacks

5 Conclusion

1/59 Victor LOMNE - ANSSI / Countermeasures against Fault Attacks


Fault Zoology| Countermeasures|






5 Conclusion




Fault Zoology (1/2)

Different ways to generate a fault:

I glitch on pins (VCC, I/O, : : :)

I glitch on the die (FBBI)

I laser injection

I EM injection

The duration of the fault can be:

I transient

I permanent




Fault Zoology (2/2)

Different effects:

I modification of operation flow

I modification of operands

Different goals:

I Bypassing access/right control verification

I Generating faulty encryptions/signatures

I : : :









5 Conclusion




Prevent or Detect ? (1/3)

Two approaches can be used to thwart fault injectionattacks:

I Prevent from the fault injection attack

I Detect the fault injection attack

Prevent from a fault injection attack can consists in:

I make the adversary job harder

I render the attacked functionnality resilient to faults








Detect a fault injection:

I analog level: detect the fault injection through itsphysical stress

I digital level: detect the fault injection through itsdigital consequence








In practice, both are used !




Adversary Model

Design a fault attack countermeasure requires to definean Adversary Model:

I Which kind of fault is he able to perform ?

I What precision does he have on the data he can disturb ?bit-accuracy, byte-accuracy, : : :

I What is the maximum order of the attack ?single fault ! 1st order fault attackdouble fault ! 2st order fault attack: : :



Analog Level| Digital Level|






5 Conclusion




(De)synchronization

A fault injection requires a precise timing to beeffective

Adding temporal randomness makes the timing of the faultharder to set

Classical ways to add temporal randomness:

I jittered clock

I dummy instructions

I randomize operation flow

I : : :




IC Package as Countermeasure

Several kind of fault injection techniques require toexpose the die of the IC to perform the attackFBBI, laser, : : :

Depending on the type of package, it can be more or lesseasy to expose the die:

I smartcard packages are easy to open

I metallic packages can be mechanically opened

I epoxy packages require a chemical attack

I Package-on-Package or 3D IC technology make the chipopening a nightmare




IC Package as Countermeasure: example 1

Figure: Epoxy package opened with fuming nitric acid13/59 Victor LOMNE - ANSSI / Countermeasures against Fault Attacks




Figure: Application processor with RAM stacked above14/59 Victor LOMNE - ANSSI / Countermeasures against Fault Attacks




Figure: Application processor with RAM stacked above - X-ray view




Glitch Detectors

The historical way to inject a fault in an IC is tounder/over-power it during a short time

IC manufacturers add glitch detectors on IC pins, checkingthat the current signal voltage stays in a defined range

If a signal voltage is outside from the defined range, aflag is set in a status register




Laser Detectors

Laser injection requires to disturb only a small area ofthe IC

It requires to perform a spatial cartography to find hotspotsCPU or co-processor registers, memory decoders, : : :

Laser detectors can be seen as analog blocs convertinglight energy into current

If the current light energy is outside a defined range, aflag is set in a status register

Laser detectors do not cover the whole suface of the IC,but make the job of the adversary harder









5 Conclusion




Redundancy

Redundancy consists in:I performing two times an operationI comparing results of both operation executions) require a conditionnal test

From a code theory point-of-view, it corresponds to themost obvious code one can constructduplication code

A variant consists in performing the operation and theinverse operation, then checking that the obtainedresults is equal to the initial data




Examples of Redundancy

Redundancy can be used in different ways:

I Sequential redundancy for a software function

I Sequential or Parallel redundancy for a hardware function

I Use of redundant logics (Dual Rail logic ! SABL, WDDL,STTL, : : :)

I Securization of special registers by duplication or bystoring a value and its inverse2 flip-flops are necessary to store one bit




Error Detection Codes

Error Detection Codes are efficient tools to check theintegrity of data

ECC can protect linear operations (they are based onlinear applications)

ECC cannot protect non-linear operationsin particular they are not well suited to protectcryptographic primitives




Examples of Error Detection Codes

Error Correcting Codes can be used in different ways:

I Ensure the integrity of a secret data stored in NVM

I Protect a memory decoder! ensure the integrity of opcodes

I Protect linear parts of cryptographic algorithms

I : : :




Infection

Infection consists in mixing a diffusion scheme with theoperation to protect such that:

1. if the processed data are not modified by a fault, thediffusion scheme has no effect on the final result

2. if the processed data are modified by a fault, thediffusion scheme expands the erroenous data such that thefinal result is no more exploitable by the adversary




Memory Protection Unit (MPU)

Some microcontrollers have a Memory Protection Unitcan be seen as a HW co-processor

MPU works similarly to a MMU (Memory Management Unit):

I For a given function to protect, the progammer defines amemory address range

I The MPU ensures that the instructions of the function willbe located in the defined memory address range

I If a fault induces a code jump outside the defined memoryaddress range, the MPU sets a flag




Code Signature

Some microcontrollers have a Code Signature featurecan be seen as a HW co-processor

Code Signature works as follows:

I For a given function to protect, the progammer computes adigest and stores it in NVM

I Each time the function is executed, the code signaturefeature computes the current digest and compares it to thereference one

I If they are different, a flag is set



Generalities| Redundancy| Infection|






5 Conclusion




Symmetric vs. Asymmetric crypto.

Symmetric Cryptography:

I few algebraic structure

I hard to use algebraic properties as FA countermeasure

Asymmetric Cryptography:

I based on strong algebraic structures

I easy to use algebraic properties as FA countermeasure




Attacks and Countermeasure levels

The different Fault based Cryptanalysis techniques:

I Safe Error Attacks

I Differential Fault Analysis

I Statistical Fault Attacks

The different levels to include countermeasures:

I gate level (dual rail logic, redundancy of registers)

I basic operation level (ECC)

I crypto algorithm level (redundancy, infection)

I protocol level




Classification of Fault Models

One can define a Fault Model as a function f such that:

f : x ! x ? e (1)

x target variable, e fault logical effect and ? a logicaloperation

Any Fault-based Cryptanalysis requires an Invariant) new classification of FA based on the Invariant:

I FA based on a Fixed Fault Diffusion PatternDFA - e.g. [Piret+ 2003], [Mukhopadhyay+ 2009] : : :

I FA based on a Fixed Fault Logical EffectSafe Error Attacks, Statistical Fault Attacks




Safe Error Attacks (SEA)

SEA are similar to Template Attacks, they require an copyof the target device that the adversary can fully controls

SEA require the ability to encrypt/sign two times thesame message

Ways to thwart SEA:

I gate leveldual rail logics, redundancy of registers

I basic operation levelrandomization the key at each encryption/signature

I protocol leveladding randomn padding to the message




Differential Fault Analysis (DFA)

DFA require the ability to encrypt/sign two times thesame message

DFA require to have one or several pairs of correct/wrongciphertext/signature corresponding to the same message

Ways to thwart DFA:


I basic operation level


I protocol leveladding random padding to the message




Statistical Fault Attacks

Statistical Fault Attacks have the property to work evenwith a set of faulty ciphertexts corresponding todifferent unknown plaintexts

Nevertheless they require a Fixed Fault Logical Effect

Statistical Fault Attacks cannot be thwarted at theprotocol level !!!

Ways to thwart Statistical Fault Attacks:


I basic operation level










5 Conclusion




Classical Detection Schemes For Block Ciphers

CC = C 0 ?

C 0 CP = P 0 ?

C CC = C 0 ?

C 0

I I

PP 0PPP

Figure: Three classical detection countermeasures. From left toright : Full Duplication, Encrypt/Decrypt, and Partial Duplication




Weaknesses of Classical Detection Schemes (1/3)

Full Duplication can be broken by:

I Combined Fault and Side-Channel Attack (DFSCA)

I Double Fault Attack (bypass the comparison)





Encrypt/Decrypt can be broken by:







Partial Duplication can be broken by:

I Fault on early rounds + ability to decrypt






Combined Attacks (1/2)

Consider a secure AES implementation using:I A masking scheme such that SCA are unpracticable

I A duplication countermeasure to avoid FA

Is such an implementation really secure ?I If one takes each attack path alone yes . . .

I But if one mixes both attack paths . . .

Combined Attacks exploit the side-channel leakageof a faulty encryption to bypass both SCA and FA CM

I Combined Attack of [Clavier+ 2010]I Combined Attack of [Roche+ 2011]




Combined Attacks (2/2)

Example: Combined Attack of [Roche+ 2011]

I Encrypt N plaintexts P1 : : :PN andkeep the N ciphertexts C1 : : :CN

I Encrypt the N plaintexts once again by injecting a faultduring the penultimate round of the Key-Schedule andrecord the leakage traces 1 : : :N

I Exploit the side-channel leakage of the faulty ciphertext:

k = argmax (�(HW (SB(SB�1(C ij � k)� e9)� k � e10);i ))

I The attack will work if the fault has theeffect of a XOR with a non negligible rate

Interestingly enough, up to now only FA based on aFixed Fault Logical Effect have been extended to CA




Improving Classical Detection Schemes (1/2)

Algorithm 1 Secure ComparisonInput: two masked States S �M1 and S 0 �M2, their respectivemasks M1 and M2 and a fresh random mask M3 6= 0.Output: S if S = S 0, 0 otherwise

1. do a = M3 � (S �M1)

2. do b = M3 � (S 0 �M2)

3. do c = a � b[= M3 � (S �M1 � S 0 �M2)]

4. do d = M1 �M2

5. do e = M3 � d[= M3 � (M1 �M2)]

6. if e = c then return (S �M1)�M1

7. else return 0




Improving Classical Detection Schemes (2/2)

I = I 0 = I 00 ?I = I 0 ?

P P P

I II 0 I 0

I 00

C C C C

Figure: Two countermeasures based on unpredictability. On the left :Encrypt/Partial Decrypt. On the right : Encrypt/PartialEncrypt/Partial Decrypt









5 Conclusion




Classical Infection Schemes For Block Ciphers

Generic sketch exhibiting the Infection CM:

I S, S 0 the two States

I D the diffusion function (such as D(0) = 0)

�D()

�S 0

S




Weaknesses of Classical Infection Schemes (1/3)

Any Deterministic Infection CM is inefficient:

I If Infection placed before last MixColumns

) inject a fault between Infection and last MixColumns) case of a classical Piret Attack

I If Infection placed between last MixColumns & last SubBytes

) inject a fault before the Infection) leads to a modified Piret Attackexploit the Infection instead of the MixColumns

I If Infection placed after the last SubBytes

) inject a fault before the MixColumns) leads to a modified Piret Attackmake an hypothesis on 5 bytes instead of 4




Weaknesses of Classical Infection Schemes (2/3)AddRoundKey SubBytes ShiftRows AddRoundKey

correctciphertext

K9

AddRoundKey SubBytes ShiftRows

K10

AddRoundKey

wrongciphertext

K9 K10

E9 E10

correctencryption

wrongencryption

SubBytes-1

K10 E9

SubBytes

K10 E10

correctciphertext

wrongciphertext

Figure: DFA of [Roche+ 2011]




Weaknesses of Classical Infection Schemes (3/3)

DFA of [Roche+ 2011] breaks any Deterministic Infection CM

As the fault model:

I has to affect the Key-Schedule during its penultimate round(thus round keys 9 and 10 will be affected)

I could be of any kind, and affect all the bytes at the sametime

I must have a good repeatability(two faults have a good chance to induce the same error)

Any Deterministic Infection CM will have no effectagainst this attack




Improving Classical Infection Schemes

Algorithm 2 Secure InfectionInput: two masked States S �M1 and S 0 �M2, their respectivemasks M1 and M2 and a fresh random mask M3 6= 0 and 6= 1.Output: the infected States S �M1 � � and S 0 �M2 � �

1. do a = M3 � (S �M1)

2. do b = M3 � (S 0 �M2)

3. do c = a � b4. do d = M1 �M2

5. do e = M3 � d6. do f = (S �M1)� c7. do g = f � e8. do h = (S 0 �M2)� c9. do i = h � e10. return (g ; i)



Examples| Real World Attacks|






5 Conclusion




Protecting an AES implementation

One considers:

I an AES implementation

I ability to encrypt/decrypt

I the master key is stored in NVM

One has to secure:

I loading of master key from NVM into RAM or key registerthreat: SEA

I processing of datathreat: DFA, Statistical Fault Attacks

I operation flowthreat: Round Counter Attacks




Protecting an RSA implementation

One considers:

I an RSA implementation

I ability to sign/verify

I the private key is stored in NVM

I the public key is known and stored in NVM

One has to secure:

I loading of secret key from NVM into RAM or key registerthreat: SEA

I processing of datathreat: SEA, DFA

I operation flowthreat: DFA









5 Conclusion




Bug Attack

Pentium FDIV bug was a bug in the Intel P5 Pentiumfloating point unit (FPU)

Because of the bug, the processor would return incorrectresults for many calculations

Nevertheless, bug is hard to detect1 in 9 billion floating point divides with randomparameters would produce inaccurate results

Shamir proposed a modified version of the Bellcore attackwhich exploits this bug to retrieve a RSA private key

More dangerous than a classical fault attack because canbe perfomed remotely




PS3 Hack

George Hotz (a.k.a. Geohot) published in 2009 a hack ofthe Sony PS3

The otherOS functionnality of the PS3 allows to boot aLinux OS

A bus glitch allows him to gain control of the hypervisor) ring 0 access) full memory access

In consequence Sony took George Hotz to court

Sony and Hotz had settled the lawsuit out of court, onthe condition that Hotz would never again resume anyhacking work on Sony products








5 Conclusion



Conclusion (1/2)

Fault Attacks are a very powerful attack path:

I they allow to modify the normal behaviour of a HW or SWfunction

I they allow to extract cryptographic secrets

Nevertheless FA require several skills:

I knowledge of computer science, electronics, optics, : : :

I knowledge of IC architecture

I knowledge of fault-based cryptanalysis



Conclusion (2/2)

A lot of Fault Attack Countermeasures have been proposedin the litterature

They are generally mixed to increase the security levelof the product) principle of defense in depth

No countermeasure is perfect !

A developper has firstly to define the level of theadversary he wants to thwart, and then choose theadequate tradeoff between efficiency and security



Certification Schemes

Procedure to evaluate the security level of a product

Three actors:the developper / the security lab / the scheme

Some certification schemes:

I Common Critera

I EMVCo

I CSPN

I : : :



To go further

book Fault Analysis in CryptographyMarc Joye and Michael Tunstall - SPRINGER



Questions ?

contact: [email protected]


TRUDEVICE Training School on Trustworthy Manufacturing...

Documents

Transcript of TRUDEVICE Training School on Trustworthy Manufacturing...