hardware security - fault attackssoc.eurecom.fr/hwsec/lectures/faults/main_nb.pdfhardware security...
TRANSCRIPT
Hardware Security
Fault attacks
R. [email protected] 21, 2020
Outline
Introduction
Fault injection
Types of faults
Examples of fault attacksRSA signatureRSA decryptionFiat-ShamirDESNon Volatile Memory (NVM)
Conclusion
2/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Faults, errors, flaws and attacks
Eventually, security always implemented in hardware (microprocessors, smartcardsare hardware)Hardware devices subject to (usually) rare hardware or software faultsFaults can cause errorsOn unprotected systems errors can be exploited to expose secretsFaults can be induced to increase error probability or/and focus effectTypes of fault attacks:
• Passive: exploit purely accidental faults (side channel?)• Semi-active: no package removal (power supply or clock glitches)• Active: package removal (laser, light, probe...)
4/50 Institut Mines-Telecom R. Pacalet April 21, 2020
History
April 1978 T. May and M. Woods publish ”A New Physical Mechanism for Soft Errorsin Dynamic Memories” (Proceedings of the 16th International Reliability PhysicsSymposium)Radio elements (Uranium) in packaging release particles which create charges insilicon and cause bits flips
5/50 Institut Mines-Telecom R. Pacalet April 21, 2020
History
1979: discovery of effect of cosmic rays on computer memoriesAerospace industry (NASA, Boeing) launch research programs on these problemsResearch result in:
• Hardening techniques• Simulators• Fault induction methods
– Most have similar effect on chips– Laser is good imitation of charged particles
Fault induction used to characterize hardening techniques and other protections
6/50 Institut Mines-Telecom R. Pacalet April 21, 2020
History
09/1996: Dan Boneh, Richard A. DeMillo, and Richard J. Lipton (Bellcore labs.)publish new attack against RSA exploiting accidental faults
• Fault causing error exploited to expose P and Q
Lenstra, Quisquater, Joye improve attackSince then, lot of papers
• Improving original attack• On various algorithms (DES, AES...)• On countermeasures
Countermeasures actively and efficiently deployed
7/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Toy example of active fault attackCharlie (consumer) buys toys from Sam (shopkeeper)
• 2 toys: Mister Potato Head ($3), BuzzLightyear ($5)
• Sam does not charge broken toys
Patrick (postman) wants to know what Charliebought for $15
• 5 Mister Potato Head?• 3 Buzz Lightyear?
Patrick kicks opaque parcel to break 1 toyPatrick monitors postal order Charlie sendsSam
• $12⇒ Mister Potato Head• $10⇒ Buzz Lightyear
Source: Pr. David Naccache
8/50 Institut Mines-Telecom R. Pacalet April 21, 2020
More realistic example of semi-active attack
Old PayTV smartcards locked by infinite loopUnlooper hardware available on internetSpike attack (on voltage)Causes smartcard to leave infinite loop
Source: Infineon
9/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Power, clock and temperature
Variations on power supply• Can cause microprocessor to skip or misinterpret instructions
Variations in clock frequency• Can cause errors in RAM reads or instruction execution
Temperature• Random bit flips in RAMs• Read and not Write in NVMs (or Write and not read)
11/50 Institut Mines-Telecom R. Pacalet April 21, 2020
White light
Causes photoelectriceffectCurrent induced byphotonsCurrent can causefaults and errorsUsually intense lightand short durationInexpensive
Source: Gemplus
12/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Laser
Similar to white light butdirectionalAllows attacks on verysmall portions of chipEasier to control intensity,wave length, duration, spotsize, etc.Already in use forsimulation of particlesMore expensive than whitelight
Source: Vision Systems Design
13/50 Institut Mines-Telecom R. Pacalet April 21, 2020
X-rays and ion beams
X-rays• De-packaging the chip
not always necessary
Ion beams• De-packaging the chip
not always necessary• Very expensive
equipment• Very complex setup• Perfect focus• Can even be used to
modify the devices
Source: Technical Sales Solutions
14/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Provisional vs permanent faults
Provisional:• Transient, reversible• Caused by a temporary action that induces a temporary current• The current is interpreted by the chip as an internal signal / event• The current ceases when the action ceases and the chip goes back to its normal state /
behavior
Destructive faults• Permanent, irreversible faults• Created by modifying the structure of the chip
Provisional faults are preferable when attacking a device• They allow several experiments on the same device• The system remains functional after the attack’s completion• Destructive faults usually imply clones
16/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Event Upsets
Single Event Upsets (SEUs)• Provisional faults• Bit flips• Can become permanent if on static parts• First noticed in 1975 during a space mission• Can also cause a continuous variation in a signal (clock or supply voltage)
Multiple Event Upsets (MEUs)• Several simultaneous SEUs• High integration densities increase their probability• Usually a drawback for fault attacks
Dose Rate Faults: cumulative effect of particles whose individual effect is negligible
17/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Destructive faults
Single Event Latchup (SELs)• Power–ground short circuit that remains
after removal of triggering event• High currents are induced• Metal traces vaporize, bond wires fuse
open, silicon regions melted• Causes permanent failures
Single Event Burnout faults (SEBs)• Destroy a power transistor• Localized very high power densities• Produces incandescent temperatures• Destroy a large volume of material• Causes permanent failures
Source: Stassinopoulos
Figure: SEB in a hex powerMOSFET
18/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Destructive faults
Single Event Gate Rupture (SEGRs)• Failure in gate dielectric• First observed in NVMs, then in power and logic transistors• Current increases beyond threshold of dielectric• Gate oxide destruction
Single Event Snap Back faults (SESBs)• Similar to Latchup• NMOS transistors only• Generally observed on I/O circuits
Total Dose Rate faults: progressive degradation until failure
19/50 Institut Mines-Telecom R. Pacalet April 21, 2020
The BDL attack on RSA signature
Eurocrypt’97 by Boneh, DeMillo, LiptonBlack box attackThe RSA implementation uses the Chinese Remainder Theorem (more on this later)On some rare occasions errors in the black box cause it to output incorrect resultsThe erroneous result discloses the RSA private key!
22/50 Institut Mines-Telecom R. Pacalet April 21, 2020
RSA signature
Client sends m, message to signServer computes s =md mod n and sends result (n = p×q)Anybody knows (n,e) and can compute se mod n =m (Fermat)Nobody knows d but serverAttacker wants d to sign any document
23/50 Institut Mines-Telecom R. Pacalet April 21, 2020
The Chinese Remainder Theorem
Let p and q be relatively prime numbers and a, b two integersx mod p = a mod p and x mod q = b mod q has one and only one solution modulon = p×qx = a×u+b×vWith any u,v such that:
• u = 1 mod p, u = 0 mod q, e.g. u = q× (q−1 mod p)• v = 0 mod p, v = 1 mod q, e.g. v = p× (p−1 mod q)
x = a×q× (q−1 mod p)+b×p× (p−1 mod q)Or with any u = q× (q−1 mod p), v = 1−q× (q−1 mod p)x = a×q× (q−1 mod p)+b× (1−q× (q−1 mod p))= (a−b)×q× (q−1 mod p)+b
24/50 Institut Mines-Telecom R. Pacalet April 21, 2020
The Chinese Remainder Theorem
Use in modular exponentiation:• Let sp =md mod p• Let sq =md mod q• Let s =md mod (p×q) (that is, ∃k ∈Z,s =md +k ×p×q)• Then, s mod p =md mod p = sp• And, s mod q =md mod q = sq• CRT: s = (sp ×q× (q−1 mod p)+sq ×p× (p−1 mod q)) mod (p×q)• Or: s = ((sp −sq)×q× (q−1 mod p)+sq) mod (p×q)
? Exercise #1: why would we use the CRT?
25/50 Institut Mines-Telecom R. Pacalet April 21, 2020
The BDL attack on RSA
Let s and s be two signatures of the same message; s being the faulty oneSuppose only sp is faulty
s− s = (sp − sp)×q× (q−1 mod p)⇒ gcd(s− s,n)= q!!Lenstra observed that s is not even needed:
• Let s =md mod n be a signature of m and s be a faulty signature of m• Then m mod q = se mod q but m mod p = se mod p where e is the public exponent• And gcd(m− se ,n)= q
? Exercise #2: identify the hypothesis for BDL attack? Exercise #3: design countermeasures
26/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Shamir’s countermeasure
Choose a random short prime rCompute:
• p′ = p× r• d ′
p = d mod (p−1)× (r −1)• q′ = q× r• d ′
q = d mod (q−1)× (r −1)
• s′p = (m mod p′)d′p mod p′
• s′q = (m mod q′)d′q mod q′
Then sp = s′p mod p and sq = s′
q mod q
And s = ((sp −sq)× (q−1 mod p)×q+sq
Check s′p mod r = s′
q mod r before sending s
27/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Practical BDL attack
Experiments by Infineon on a smartcard using CRTEvery hardware countermeasures switched offFault attacks against unprotected RSAFault attacks against software Shamir-protected RSAVery complete analysis:
• Kind of fault• Countermeasure recognize fault or not• Countermeasure works or not
28/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Practical BDL attack
First, SPA tounderstandprocessing (withsoftwarecountermeasure)
Source: Infineon
Firstexponentiation
Loadcoefficients
Check andload
coefficientsSecond
exponentiation
Check,CRT,check
Core
IO
29/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Practical BDL attack
Next, attack at different times without software countermeasureFirst conclusion: attack can target any step or data
Observed error scenarios Mainly due to
Modification of p, q Moving data from E2 to coprocessorModification of dp , dq Handling data within CPUWrong exponentiation modp, q Error within CPU or coprocessorModification of q−1 mod p Moving data from E2 to coprocessorWrong combination of sp and sq All listed errors
Faulty signature modp and modq Moving data from coprocessorWrong answer of smartcard Fatal error within CPU
30/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Practical BDL attack
Next, attack with software Shamir countermeasure• Recog.: fault recognized• Leak: faulty signature reveals secret• Works: Shamir’s software countermeasure works
Observed error scenarios Recog. Leak Works
1 Modification of p′,q′ Time dep. Time dep. No2 Modification of d Time dep. Time dep. Yes3 Modification of d ′
p , d ′q Yes Yes Yes
4 Modification of r Time dep. Time dep. Yes5 Wrong exponentiation modp, q prob. 1−1/r Yes Yes6 Modification of sp or sq Time dep. Yes No7 Modification of q−1 mod p No Yes No8 Wrong combination of sp and sq No Yes No
9 Faulty signature modp and modq No No Yes
31/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Post verification efficiency
Trust only values stored in ROM or EEPROMCheck every intermediate resultCheck by relying on trusted values onlyBut... correct answer vs error message is already an information
32/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Homework on Fault Attack
Have a look at at least one of these papers• Hardware countermeasures in ”The Sorcerer’s Apprentice Guide to Fault Attacks”
(Gemplus, ...)• ”Optical fault induction attack” by Skorobogatov and Anderson• Reconstructing unknown ciphers in ”Differential Fault Analysis of Secret Key
Cryptosystems” by Eli Biham and Adi Shamir
Prepare questions
33/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Failure analysis of RSA
Modular multiplications (lines 5 to9) use double and addAfter computation of a×b mod nthe result is assigned to register aIf d(i)= 1 and an error isintroduced in bits a(k) while j < k(correct a(k) already used) thenthe faulty a is overwritten (line 9)and the result is correctIf d(i)= 0, the faulty a is notoverwritten and generates a faultyresult and an error messageThe faulty result is not evenneeded
x =∑i=w−1i=0
(x(i)×2i )
1: procedure MODEXP(m, d, n)2: a← 1;b ←m;3: for i ← 0,w −1 do4: if d(i)= 1 then5: r ← 0;6: for j ←w −1,0 do7: r ← (2× r +a(j)×b) mod n;8: end for9: a← r ;
10: end if11: r ← 0;12: for j ←w −1,0 do13: r ← (2× r +b(j)×b) mod n;14: end for15: b ← r ;16: end for17: return a=md mod n;18: end procedure
34/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Fault attack on RSA decryption
RSA decryption: m = cd mod n
One bit d(i) of exponent d flips (d(i)→ d(i)), the faulty bit is randomly locatedThe attacker knows c, m and m, the ciphertext, the correct and the faulty plaintext;she tries to recover d , the secret exponentThe attacker computes:
mm
= c2i×d(i)+∑j =i 2j×d(j)
c2i×d(i)+∑j =i 2j×d(j)
= c2i×d(i)
c2i×d(i)mod n
Then:mm
= 1c2i ⇒ d(i)= 1,
mm
= c2i ⇒ d(i)= 0
Repeat until enough bits are known
36/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Exercices on fault attacks against RSA decryption
? Exercise #4: evaluate the complexity with a 1024 bits exponent? Exercise #5: evaluate the complexity with a 1024 bits exponent and 3 bits flips? 4 bits
flips?
37/50 Institut Mines-Telecom R. Pacalet April 21, 2020
The Fiat-Shamir zero-knowledge identification scheme
Alice’s private key: PKpr = {si ,1≤ i ≤ a} where n = p×q and s1,s2, ...,sa are invertiblemod nAlice’s public key: PKpu = {ui = s2
i mod n,1≤ i ≤ a}
Alice and Bob choose t ≤ aAlice chooses 0< r < n random and sends r2 mod n to BobBob chooses a random subset S ⊂ {1, ...,a} of size t and sends it to AliceAlice computes y = (r ×∏
i∈S si) mod n and sends y to BobBob verifies y2 = (
r2 ×∏i∈S ui
)mod n
Computation of square roots mod n is (supposedly) a hard problem
39/50 Institut Mines-Telecom R. Pacalet April 21, 2020
The Bellcore attack on Fiat-Shamir
The targeted fault is a single random flip of bit b in rThe value of r is modified by Eb =±2b
When the flip occurs Alice calculates and sends y ′ = (r +Eb)×∏
i∈S si
From y ′ Bob can compute (for all possible values of Eb):
T (S )= 2×Eb ×y ′
y ′2∏i∈S ui
− r2 +E2b
=( ∏
i∈S
si
)mod n
Bob validates his guess on Eb by checking T (S )2 =∏i∈S ui
40/50 Institut Mines-Telecom R. Pacalet April 21, 2020
The Bellcore attack on Fiat-Shamir
Complexity: a independent identificationsComplexity: O(w ×a+a2) modular multiplications where w = |r |If Alice accepts singleton sets the post-processing is trivial: Bob can choose S = {k }and then T (S )= sk
If Alice filters out singleton sets Bob must choose a linearly independent sets andpost process by solving the equations (easy)
41/50 Institut Mines-Telecom R. Pacalet April 21, 2020
DES algorithm
+ f
f+
f+
16 rounds
Output
FP
IP
Input
R0L0Permuted input
Kn
L15 =R14 R15 = L14⊕ f (R14,K15)
K16
K1
R1 = L0⊕ f (R0,K1)L1 =R0
R16 = L15⊕ f (R15,K16) L16 =R15Preoutput
32
48
32
3232
64
Inverse initial permutation64
Initial permutation64
32 32
43/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Biham Shamir attack on DES
Last round:
R16 = f (R15,K16)⊕L15 = f (L16,K16)⊕L15 =P(S(E(L16)⊕K16))⊕L15
If a fault occurs during 15th round:
R′15 = L′
16 = L16 =R15
R′16 =P(S(E(L′
16)⊕K16))⊕L15
P−1 (R16 ⊕R′
16)=S(E(L16)⊕K16)⊕L15 ⊕S(E(L′
16)⊕K16)⊕L15
=S(E(L16)⊕K16)⊕S(E(L′16)⊕K16)
Each faulty SBox discloses about 4 bits of K16
Eight faulty SBoxes ⇒ exhaustive search reduced to approximately 256−4×8 = 224
44/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Biham Shamir attack on DES
Several optimizations proposed by authors and other papersThe same kind of attack can target most cryptosystems
45/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Fault attack on NVM
Biham and Shamir (CRYPTO’97) propose an attack based on partial 1 to 0 bit flip ofkey (EEPROM)Assumption: a physical stress occasionally flip one of the 1 bits in the key register to a0Let k0 be the unknown keyRepeatedly encrypt the same cleartext m and store the ciphertext c0, applying thephysical stress after each encryptionFrom time to time ci changes to ci+1 until it stabilizes to cf
cf is the result of encrypting m under the all-zero key kf
Extract kf−1 (one bit of k0) by exhaustive search on cf−1
Repeat until k0 is entirely exposed
47/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Fault attack on NVM
Biham and Shamir attack on NVM can be applied on any cryptosystemIt has been noted that smartcard EEPROMs store programs and that errors will likelycorrupt instructions instead of key materialProgram modification attacks?Gemplus discovered a practical similar attack on DES
• OS provides a ”erase” instruction to delete a key• ”erase” instruction in two steps, 32 bits at a time• Cut power after first step• Exhaustive search on 228 remaining keys• OS now associate a security bit to keys
48/50 Institut Mines-Telecom R. Pacalet April 21, 2020
Questions?
50/50 Institut Mines-Telecom R. Pacalet April 21, 2020