hardware security - fault attackssoc.eurecom.fr/hwsec/lectures/faults/main_nb.pdfhardware security...

Hardware Security

Fault attacks

R. [email protected] 21, 2020

Outline

Introduction

Fault injection

Types of faults

Examples of fault attacksRSA signatureRSA decryptionFiat-ShamirDESNon Volatile Memory (NVM)

Conclusion

2/50 Institut Mines-Telecom R. Pacalet April 21, 2020

Faults, errors, flaws and attacks

Eventually, security always implemented in hardware (microprocessors, smartcardsare hardware)Hardware devices subject to (usually) rare hardware or software faultsFaults can cause errorsOn unprotected systems errors can be exploited to expose secretsFaults can be induced to increase error probability or/and focus effectTypes of fault attacks:

• Passive: exploit purely accidental faults (side channel?)• Semi-active: no package removal (power supply or clock glitches)• Active: package removal (laser, light, probe...)


History

April 1978 T. May and M. Woods publish ”A New Physical Mechanism for Soft Errorsin Dynamic Memories” (Proceedings of the 16th International Reliability PhysicsSymposium)Radio elements (Uranium) in packaging release particles which create charges insilicon and cause bits flips


History

1979: discovery of effect of cosmic rays on computer memoriesAerospace industry (NASA, Boeing) launch research programs on these problemsResearch result in:

• Hardening techniques• Simulators• Fault induction methods

– Most have similar effect on chips– Laser is good imitation of charged particles

Fault induction used to characterize hardening techniques and other protections


History

09/1996: Dan Boneh, Richard A. DeMillo, and Richard J. Lipton (Bellcore labs.)publish new attack against RSA exploiting accidental faults

• Fault causing error exploited to expose P and Q

Lenstra, Quisquater, Joye improve attackSince then, lot of papers

• Improving original attack• On various algorithms (DES, AES...)• On countermeasures

Countermeasures actively and efficiently deployed


Toy example of active fault attackCharlie (consumer) buys toys from Sam (shopkeeper)

• 2 toys: Mister Potato Head ($3), BuzzLightyear ($5)

• Sam does not charge broken toys

Patrick (postman) wants to know what Charliebought for $15

• 5 Mister Potato Head?• 3 Buzz Lightyear?

Patrick kicks opaque parcel to break 1 toyPatrick monitors postal order Charlie sendsSam

• $12⇒ Mister Potato Head• $10⇒ Buzz Lightyear

Source: Pr. David Naccache


More realistic example of semi-active attack

Old PayTV smartcards locked by infinite loopUnlooper hardware available on internetSpike attack (on voltage)Causes smartcard to leave infinite loop

Source: Infineon


Power, clock and temperature

Variations on power supply• Can cause microprocessor to skip or misinterpret instructions

Variations in clock frequency• Can cause errors in RAM reads or instruction execution

Temperature• Random bit flips in RAMs• Read and not Write in NVMs (or Write and not read)


White light

Causes photoelectriceffectCurrent induced byphotonsCurrent can causefaults and errorsUsually intense lightand short durationInexpensive

Source: Gemplus


Laser

Similar to white light butdirectionalAllows attacks on verysmall portions of chipEasier to control intensity,wave length, duration, spotsize, etc.Already in use forsimulation of particlesMore expensive than whitelight

Source: Vision Systems Design


X-rays and ion beams

X-rays• De-packaging the chip

not always necessary

Ion beams• De-packaging the chip

not always necessary• Very expensive

equipment• Very complex setup• Perfect focus• Can even be used to

modify the devices

Source: Technical Sales Solutions


Provisional vs permanent faults

Provisional:• Transient, reversible• Caused by a temporary action that induces a temporary current• The current is interpreted by the chip as an internal signal / event• The current ceases when the action ceases and the chip goes back to its normal state /

behavior

Destructive faults• Permanent, irreversible faults• Created by modifying the structure of the chip

Provisional faults are preferable when attacking a device• They allow several experiments on the same device• The system remains functional after the attack’s completion• Destructive faults usually imply clones


Event Upsets

Single Event Upsets (SEUs)• Provisional faults• Bit flips• Can become permanent if on static parts• First noticed in 1975 during a space mission• Can also cause a continuous variation in a signal (clock or supply voltage)

Multiple Event Upsets (MEUs)• Several simultaneous SEUs• High integration densities increase their probability• Usually a drawback for fault attacks

Dose Rate Faults: cumulative effect of particles whose individual effect is negligible


Destructive faults

Single Event Latchup (SELs)• Power–ground short circuit that remains

after removal of triggering event• High currents are induced• Metal traces vaporize, bond wires fuse

open, silicon regions melted• Causes permanent failures

Single Event Burnout faults (SEBs)• Destroy a power transistor• Localized very high power densities• Produces incandescent temperatures• Destroy a large volume of material• Causes permanent failures

Source: Stassinopoulos

Figure: SEB in a hex powerMOSFET


Destructive faults

Single Event Gate Rupture (SEGRs)• Failure in gate dielectric• First observed in NVMs, then in power and logic transistors• Current increases beyond threshold of dielectric• Gate oxide destruction

Single Event Snap Back faults (SESBs)• Similar to Latchup• NMOS transistors only• Generally observed on I/O circuits

Total Dose Rate faults: progressive degradation until failure


The BDL attack on RSA signature

Eurocrypt’97 by Boneh, DeMillo, LiptonBlack box attackThe RSA implementation uses the Chinese Remainder Theorem (more on this later)On some rare occasions errors in the black box cause it to output incorrect resultsThe erroneous result discloses the RSA private key!


RSA signature

Client sends m, message to signServer computes s =md mod n and sends result (n = p×q)Anybody knows (n,e) and can compute se mod n =m (Fermat)Nobody knows d but serverAttacker wants d to sign any document


The Chinese Remainder Theorem

Let p and q be relatively prime numbers and a, b two integersx mod p = a mod p and x mod q = b mod q has one and only one solution modulon = p×qx = a×u+b×vWith any u,v such that:

• u = 1 mod p, u = 0 mod q, e.g. u = q× (q−1 mod p)• v = 0 mod p, v = 1 mod q, e.g. v = p× (p−1 mod q)

x = a×q× (q−1 mod p)+b×p× (p−1 mod q)Or with any u = q× (q−1 mod p), v = 1−q× (q−1 mod p)x = a×q× (q−1 mod p)+b× (1−q× (q−1 mod p))= (a−b)×q× (q−1 mod p)+b


The Chinese Remainder Theorem

Use in modular exponentiation:• Let sp =md mod p• Let sq =md mod q• Let s =md mod (p×q) (that is, ∃k ∈Z,s =md +k ×p×q)• Then, s mod p =md mod p = sp• And, s mod q =md mod q = sq• CRT: s = (sp ×q× (q−1 mod p)+sq ×p× (p−1 mod q)) mod (p×q)• Or: s = ((sp −sq)×q× (q−1 mod p)+sq) mod (p×q)

? Exercise #1: why would we use the CRT?


The BDL attack on RSA

Let s and s be two signatures of the same message; s being the faulty oneSuppose only sp is faulty

s− s = (sp − sp)×q× (q−1 mod p)⇒ gcd(s− s,n)= q!!Lenstra observed that s is not even needed:

• Let s =md mod n be a signature of m and s be a faulty signature of m• Then m mod q = se mod q but m mod p = se mod p where e is the public exponent• And gcd(m− se ,n)= q

? Exercise #2: identify the hypothesis for BDL attack? Exercise #3: design countermeasures


Shamir’s countermeasure

Choose a random short prime rCompute:

• p′ = p× r• d ′

p = d mod (p−1)× (r −1)• q′ = q× r• d ′

q = d mod (q−1)× (r −1)

• s′p = (m mod p′)d′p mod p′

• s′q = (m mod q′)d′q mod q′

Then sp = s′p mod p and sq = s′

q mod q

And s = ((sp −sq)× (q−1 mod p)×q+sq

Check s′p mod r = s′

q mod r before sending s


Practical BDL attack

Experiments by Infineon on a smartcard using CRTEvery hardware countermeasures switched offFault attacks against unprotected RSAFault attacks against software Shamir-protected RSAVery complete analysis:

• Kind of fault• Countermeasure recognize fault or not• Countermeasure works or not



First, SPA tounderstandprocessing (withsoftwarecountermeasure)

Source: Infineon

Firstexponentiation

Loadcoefficients

Check andload

coefficientsSecond

exponentiation

Check,CRT,check

Core

IO



Next, attack at different times without software countermeasureFirst conclusion: attack can target any step or data

Observed error scenarios Mainly due to

Modification of p, q Moving data from E2 to coprocessorModification of dp , dq Handling data within CPUWrong exponentiation modp, q Error within CPU or coprocessorModification of q−1 mod p Moving data from E2 to coprocessorWrong combination of sp and sq All listed errors

Faulty signature modp and modq Moving data from coprocessorWrong answer of smartcard Fatal error within CPU



Next, attack with software Shamir countermeasure• Recog.: fault recognized• Leak: faulty signature reveals secret• Works: Shamir’s software countermeasure works

Observed error scenarios Recog. Leak Works

1 Modification of p′,q′ Time dep. Time dep. No2 Modification of d Time dep. Time dep. Yes3 Modification of d ′

p , d ′q Yes Yes Yes

4 Modification of r Time dep. Time dep. Yes5 Wrong exponentiation modp, q prob. 1−1/r Yes Yes6 Modification of sp or sq Time dep. Yes No7 Modification of q−1 mod p No Yes No8 Wrong combination of sp and sq No Yes No

9 Faulty signature modp and modq No No Yes


Post verification efficiency

Trust only values stored in ROM or EEPROMCheck every intermediate resultCheck by relying on trusted values onlyBut... correct answer vs error message is already an information


Homework on Fault Attack

Have a look at at least one of these papers• Hardware countermeasures in ”The Sorcerer’s Apprentice Guide to Fault Attacks”

(Gemplus, ...)• ”Optical fault induction attack” by Skorobogatov and Anderson• Reconstructing unknown ciphers in ”Differential Fault Analysis of Secret Key

Cryptosystems” by Eli Biham and Adi Shamir

Prepare questions


Failure analysis of RSA

Modular multiplications (lines 5 to9) use double and addAfter computation of a×b mod nthe result is assigned to register aIf d(i)= 1 and an error isintroduced in bits a(k) while j < k(correct a(k) already used) thenthe faulty a is overwritten (line 9)and the result is correctIf d(i)= 0, the faulty a is notoverwritten and generates a faultyresult and an error messageThe faulty result is not evenneeded

x =∑i=w−1i=0

(x(i)×2i )

1: procedure MODEXP(m, d, n)2: a← 1;b ←m;3: for i ← 0,w −1 do4: if d(i)= 1 then5: r ← 0;6: for j ←w −1,0 do7: r ← (2× r +a(j)×b) mod n;8: end for9: a← r ;

10: end if11: r ← 0;12: for j ←w −1,0 do13: r ← (2× r +b(j)×b) mod n;14: end for15: b ← r ;16: end for17: return a=md mod n;18: end procedure


Fault attack on RSA decryption

RSA decryption: m = cd mod n

One bit d(i) of exponent d flips (d(i)→ d(i)), the faulty bit is randomly locatedThe attacker knows c, m and m, the ciphertext, the correct and the faulty plaintext;she tries to recover d , the secret exponentThe attacker computes:

mm

= c2i×d(i)+∑j =i 2j×d(j)

c2i×d(i)+∑j =i 2j×d(j)

= c2i×d(i)

c2i×d(i)mod n

Then:mm

= 1c2i ⇒ d(i)= 1,

mm

= c2i ⇒ d(i)= 0

Repeat until enough bits are known


Exercices on fault attacks against RSA decryption

? Exercise #4: evaluate the complexity with a 1024 bits exponent? Exercise #5: evaluate the complexity with a 1024 bits exponent and 3 bits flips? 4 bits

flips?


The Fiat-Shamir zero-knowledge identification scheme

Alice’s private key: PKpr = {si ,1≤ i ≤ a} where n = p×q and s1,s2, ...,sa are invertiblemod nAlice’s public key: PKpu = {ui = s2

i mod n,1≤ i ≤ a}

Alice and Bob choose t ≤ aAlice chooses 0< r < n random and sends r2 mod n to BobBob chooses a random subset S ⊂ {1, ...,a} of size t and sends it to AliceAlice computes y = (r ×∏

i∈S si) mod n and sends y to BobBob verifies y2 = (

r2 ×∏i∈S ui

)mod n

Computation of square roots mod n is (supposedly) a hard problem


The Bellcore attack on Fiat-Shamir

The targeted fault is a single random flip of bit b in rThe value of r is modified by Eb =±2b

When the flip occurs Alice calculates and sends y ′ = (r +Eb)×∏

i∈S si

From y ′ Bob can compute (for all possible values of Eb):

T (S )= 2×Eb ×y ′

y ′2∏i∈S ui

− r2 +E2b

=( ∏

i∈S

si

)mod n

Bob validates his guess on Eb by checking T (S )2 =∏i∈S ui


The Bellcore attack on Fiat-Shamir

Complexity: a independent identificationsComplexity: O(w ×a+a2) modular multiplications where w = |r |If Alice accepts singleton sets the post-processing is trivial: Bob can choose S = {k }and then T (S )= sk

If Alice filters out singleton sets Bob must choose a linearly independent sets andpost process by solving the equations (easy)


DES algorithm

+ f

f+

f+

16 rounds

Output

FP

IP

Input

R0L0Permuted input

Kn

L15 =R14 R15 = L14⊕ f (R14,K15)

K16

K1

R1 = L0⊕ f (R0,K1)L1 =R0

R16 = L15⊕ f (R15,K16) L16 =R15Preoutput

32

48

32

3232

64

Inverse initial permutation64

Initial permutation64

32 32


Biham Shamir attack on DES

Last round:

R16 = f (R15,K16)⊕L15 = f (L16,K16)⊕L15 =P(S(E(L16)⊕K16))⊕L15

If a fault occurs during 15th round:

R′15 = L′

16 = L16 =R15

R′16 =P(S(E(L′

16)⊕K16))⊕L15

P−1 (R16 ⊕R′

16)=S(E(L16)⊕K16)⊕L15 ⊕S(E(L′

16)⊕K16)⊕L15

=S(E(L16)⊕K16)⊕S(E(L′16)⊕K16)

Each faulty SBox discloses about 4 bits of K16

Eight faulty SBoxes ⇒ exhaustive search reduced to approximately 256−4×8 = 224


Biham Shamir attack on DES

Several optimizations proposed by authors and other papersThe same kind of attack can target most cryptosystems


Fault attack on NVM

Biham and Shamir (CRYPTO’97) propose an attack based on partial 1 to 0 bit flip ofkey (EEPROM)Assumption: a physical stress occasionally flip one of the 1 bits in the key register to a0Let k0 be the unknown keyRepeatedly encrypt the same cleartext m and store the ciphertext c0, applying thephysical stress after each encryptionFrom time to time ci changes to ci+1 until it stabilizes to cf

cf is the result of encrypting m under the all-zero key kf

Extract kf−1 (one bit of k0) by exhaustive search on cf−1

Repeat until k0 is entirely exposed


Fault attack on NVM

Biham and Shamir attack on NVM can be applied on any cryptosystemIt has been noted that smartcard EEPROMs store programs and that errors will likelycorrupt instructions instead of key materialProgram modification attacks?Gemplus discovered a practical similar attack on DES

• OS provides a ”erase” instruction to delete a key• ”erase” instruction in two steps, 32 bits at a time• Cut power after first step• Exhaustive search on 228 remaining keys• OS now associate a security bit to keys


Questions?


hardware security - fault attackssoc.eurecom.fr/hwsec/lectures/faults/main_nb.pdfhardware security...

Documents