Evidence of an information leakage between logically independent blocks HiPEAC 2015

CS2

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

1 Loic Zussa, Ingrid Exurville Jean-Max Dutertre, Jean-Baptiste Rigaud, Jessy Clediere, Bruno Robisson and Assia Tria

General context An integrated circuit (IC) may contain critical information.

pay TV, bank….

Several attacks do exist to extract these information.

side channel, fault attack, …

Countermeasures (CM) have been designed to secure these ICs against attacks.

redundancy, masking, perturbation sensors, …

This works focus on fault attacks. The studied design is an AES-128, and its secret key constitute the critical information.

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

2

Cryptographic fault attack

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

3

AES IC

AES (CM)

CM is “data dependent”

Safe error sensible

CM: Redundancy example:

Plaintext

Ciphertext

Differential Fault Analysis: Correct/uncorrect ciphertext based

+

Cryptographic fault attack

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

4

AES IC CM is “data independent”

Safe error robust

(in theory)

CM: External sensor example:

Plaintext

Ciphertext

Safe Error: Correct/uncorrect behavior based

Sensor (CM)

Agenda

• Timing constraint violations based fault injection

• Delay based countermeasure

• Evidence of an information leakage between logically

independent blocks

• Experimental results

• Conclusion

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

5

Agenda

• Timing constraint violations based fault injection

• Delay based countermeasure

• Evidence of an information leakage between logically

independent blocks

• Experimental results

• Conclusion

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

6

Path lengths of intermediate values depend on the inputs D1, D2, D3.

: timing constraint violation

Clock glitch attack

D Q SubByte D Q

D1

D2 D3

D1

D2

D3

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

7

Clock glitch attack – Injection bench

Target : AES-128 implemented on a FPGA Spartan 3A.

External Clock

AES-128

Trigger

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

8

Agenda

• Timing constraint violations based fault injection

• Delay based countermeasure

• Evidence of an information leakage between logically

independent blocks

• Experimental results

• Conclusion

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

9

Delay based countermeasure Under attacks, the alarm of the countermeasure is triggered before any fault appears into AES calculations.

Critical path for every inputs < CM guarding delay

Data independent (theoretically) Clock period <

CM guarding delay

D1

D2 D3

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

10

« 1 » is sampled

Delay based countermeasure Under attacks, the alarm of the countermeasure is triggered before any fault appears into AES calculations.

Critical path for every inputs < CM guarding delay

Data independent (theoretically) Clock period <

CM guarding delay

D1

D2 D3

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

11

« 0 » is sampled

Agenda

• Timing constraint violations based fault injection

• Delay based countermeasure

• Evidence of an information leakage between logically

independent blocks

• Experimental results

• Conclusion

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

12

Evidence of a practical physical dependencies

Assumptions :

• AES power consummation is data dependent. There are little and located variations in the supply voltage due to AES’ calculations.

• The CM guarding delay depends on the supply voltage.

As a result, may the CM guarding delay threshold has data dependencies ?

Are there leakages of critical information ?

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

13

CM guarding delay D1

D2

D3

CM guarding delay

CM guarding delay

CM guarding delay variations ?

Evidence of a practical physical dependencies

Measure of the alarm CM sensitivity (fault attack)

Time (in ns)

Tclk = 10 ns

CM guarding delay

Stress = 1 Alarm sensitivity = 0 %

Stress = 2 Alarm sensitivity = 0 %

Stress = 3 Alarm sensitivity = 45 %

Stress = 4 Alarm sensitivity = 100 %

For any input, the value of the CM guarding delay is not supposed to change.

One period of the clock Tclk is decreased step by step until the alarm of the CM detects this modification C

EA-T

ECH

/EM

SE |

19

/01

/20

15

14

Evidence of a practical physical dependencies

Input #120

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

15

Alarm sensitivity variations

Stress Steps

Input #169

Evidence of a practical physical dependencies

Alarm sensitivity variations

Input #139

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

16

Alarm sensibility IS data dependent

Are there dependences which enable to retrieve the key?

Input #120

Agenda

• Timing constraint violations based fault injection

• Delay based countermeasure

• Evidence of an information leakage between logically

independent blocks

• Experimental results

• Conclusion

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

17

Attack on one byte

Clock glitch attack on the 1st AES round CM sensitivity measurements

• 256 different input values (1 byte) were tested

• The detection rate was measured for 15 different stresses

• For every input and stress the experiment has been performed 1000 times

Hypothesis on the secret key

D Q SubByte D Q 256

inputs

256 key hypothesis

256*256 intermediate values (output of the Sboxes)

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

18

Calculation of the correlation coefficient between the hypotheses of intermediate values for a key value and the countermeasure sensitivity measurements.

Attack on one byte (one stress)

0 255

Key hypothesis

Correlation coefficient

128

Good key hypothesis

256 input values 256 CM sensitivity measurements

256 hypothesis of key byte values 256*256 intermediate values hypothesis

8 selection functions: Value of one bit of the intermediate value (ie. The value at the output of the SubBytes function)

0 1

Slope Correlation coefficient

CM sensibility

Selection function results

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

19

Experimental results (one byte) 256 messages x 15 stress x 1000 = 3 840 000 measurements

2B

Stress

Pearson Correlation

The behavior of the good key hypothesis differs from the other hypothesis.

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

20

Experimental results (16 bytes) The same principle is repeated to recover the 16 bytes of the secret key.

Key hypothesis

Pearson Correlation

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

21

Agenda

• Timing constraint violations based fault injection

• Delay based countermeasure

• Evidence of an information leakage between logically

independent blocks

• Experimental results

• Conclusion

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

22

Conclusion However small these consumption variations may be, it is could be sufficient to have impact on all the IC blocks, and involve a leak of information to recover secret information. Optimization: Reduce the total number of iteration or the number of detection is possible by choosing the adapted stress. Perspectives: Where do the leakages come from ? From the implementation ? From the chip itself ?

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

23

Alarm sensibility IS data dependent

And enables an attacker to retrieve the secret key

Thank you for your attention

CEA

-TEC

H/E

MSE

| 1

9/0

1/2

01

5

24

Questions

Loic Zussa, Ingrid Exurville Jean-Max Dutertre, Jean-Baptiste Rigaud, Jessy Clediere, Bruno Robisson and Assia Tria