Abstract. Atmel CryptoMemory devices offer non-volatile memory with access control and authenticated encryption. They are used in commercial and military applications e.g. to prevent counterfeiting, to store secrets such as biometric data and cryptographic keys, and in electronic payment systems. Atmel advertises the devices as "secure against all the most sophisticated attacks, [...] including physical attacks". We developed a successful power analysis attack on the authentication step of CryptoMemory devices. Despite the physical security claims by Atmel we found that the devices are not protected against power analysis attacks, except for counters that limit the number of (failed) authentication attempts, and thus power traces, to at most three. We examined the handling of these counters and discovered a flaw that allows us to bypass them, and to obtain power traces from an unlimited number of failed authentication attempts. Our attacks need as few as 100 power traces to recover the secret 64-bit authentication keys. From measurements to full key extraction, the attacks can be carried out in less than 20 minutes on a standard laptop. Once the keys are known, an adversary can read protected contents, clone devices, and manipulate the memory at will, e.g. to set the balance of an electronic wallet. To our knowledge, this is the first power analysis attack on Atmel CryptoMemory products reported in the literature.
Introduction
In the past years, many commercial devices with security functionalities such as the KeeLoq-based remote keyless entry systems [19, 22] , the contactless Mifare DESFire MF3ICD40 card [29] , or the FPGA bitstream encryption used by Xilinx Virtex FPGAs [26] , were shown to be susceptible to power analysis attacks, e.g. DPA [23] .
The first "secure memories with authentication" [11, 12] manufactured by Atmel appeared in 1999 under the name SecureMemory. These devices are mainly formed by a piece of EEPROM memory with access control logic and a cryptographic unit. A valid authentication grants read/write permissions to the memory. Failed authentications are recorded by authentication attempt counters (AACs), effectively locking the device after four or more attempts. A newer version of Atmel secure memories, commonly known as CryptoMemory, was released in 2002 as part of the Atmel AT88SCxxxxC series [7] . The AT88SCxxxxCRF [9] family, referred to as CryptoRF, appeared in 2003 providing the same features as CryptoMemory but with a contactless RF interface.
At the core of all these devices lies a proprietary stream cipher with secret specification, that we refer to as Atmel cipher. This cipher is employed during the mutual authentication protocol, in which a host and a CryptoMemory device authenticate each other by proving knowledge of a 64-bit shared secret key. A session key resulting from the mutual authentication can be further used to provide authenticated encryption of the communication channel.
CryptoMemory's security features, low cost, and ease of deployment have allowed these devices to be widely used in plenty of commercial and military applications [10] . A typical example is the use of the AT88SCxxxxC series to store High Bandwidth Digital Content Protection (HDCP) keys in products such as NVIDIA graphics cards [28] , Labgear digital satellite receivers [4] , or the Microsoft Zune player [30] . CryptoMemory devices are also used to strengthen security in systems vulnerable to counterfeiting schemes. They are for instance used in printers and printer cartridges manufactured by Dell, Ricoh, Xerox, and Samsung [1] . Other potential applications include "appliances with smart batteries, set top boxes, video game consoles, video game cartridges, PDAs, GPS, and any system with proprietary algorithms or secrets" [13] , and storage of "biometric information" [10] . In smart card form, CryptoMemory devices are mainly used in vendor-specific electronic payments, e.g. in laundromats or parkings [2] . Further applications recommended by the manufacturer include "ID and access cards, health care cards, loyalty cards, internet kiosks, energy meters, and e-government " [14] .
Contribution. We show that the secret authentication keys used by a CryptoMemory device can be extracted using basic, well-understood power analysis techniques. We devise a practical, non-invasive approach to exploit a flaw in the handling of AACs and to collect any number of power traces corresponding to failed authentication attempts. We have fully implemented and tested our attack on CryptoMemory devices from Atmel development kits and real world products, both in smart card and packaged IC form. Our attacks need as few as 100 power measurements for key extraction and can be carried out, including trace collection, in less than 20 minutes on a standard laptop. We also discuss how to fix the flaw in a way that future revisions of this (or similar) products are not vulnerable to such practical attacks, while remaining backwards compatible 1 .
Paper Organization. In Section 2 we provide background information about CryptoMemory devices and their advertised security. We summarize previous work and we briefly sketch their security mechanisms. In Section 3 we develop an attack path for DPA attacks, and we provide the details and results of our attacks in Section 4. We discuss the implications of our findings as well as potential countermeasures in Section 5. We briefly conclude in Section 6.
Background
CryptoMemory devices are available either in plastic IC packages or as smart cards. The former communicate via a synchronous Two-Wire serial Interface (TWI), while the latter use the asynchronous T=0 protocol standardized in ISO 7816-3 [3] . CryptoMemory devices provide from 1 Kbit to 256 Kbits of memory divided into several user zones that are individually configurable with different access control policies. A separate configuration zone, customizable during the device personalization phase, is used to store such policies. A set of security fuses can be blown after the personalization phase in order to lock the configuration zone. CryptoMemory offers a total of three different security policies: a) In password mode, a host simply needs to provide a 24-bit password to gain access to the zone. This mode offers a limited level of security, as all exchanged data (including passwords) is transmitted in the clear, i.e. it is vulnerable to eavesdropping and replay attacks. b) In authentication mode, up to four 64-bit keys (in the following denoted by k) can be set during the personalization phase as shared secrets between host and device. An 8-bit AAC associated to each key controls the number of failed authentication attempts. The protected user zone(s) become inaccessible once AAC is set to x00
2 . Data transmitted to/from protected memory in this mode is in the clear but replay attacks do not apply. c) In encryption mode, the communication channel between host and device is protected by authenticated encryption. A 64-bit shared session key K s that is updated after each run of the mutual authentication protocol is used. Entering encryption mode requires the device to be already in authentication mode.
Regardless of the security policy, memory contents in the user zones are stored in the clear, i.e. CryptoMemory does not encrypt the data during the storage process.
Security of CryptoMemory devices. Atmel claims that CryptoMemory devices "can secure data against all the most sophisticated attacks, including algorithmic attacks, systematic attacks, and physical attacks." [6] . In particular, physical attacks are counteracted by the use of tamper-proof features including metal shield layers over the active circuitry, encrypted internal buses, highsecurity test procedures, and defenses against timing and power supply attacks (to be understood as active tampering attacks, e.g. fault injection via glitching).
CryptoMemory also provides anti-tearing functionalities, i.e. in the event of a power loss during an EEPROM writing cycle, data can be recovered at the next power-up and written to the intended address. This feature is however optional, and it needs to be requested by the host prior to a write operation. A typical scenario in which this mechanism enhances security is payment systems, e.g. a malicious customer could try to remove a CryptoMemory-based card from the terminal slot before a decreased balance has been written to memory.
Surprisingly, we could not find a single reference to countermeasures against power analysis attacks in Atmel's marketing material and technical documentation. However, given the effort made to protect against invasive probing attacks and non-invasive tampering attacks, it is reasonable to assume that also power analysis attacks were considered. After all, it is claimed that "CryptoMemory is designed to keep contents secure, whether operating in a system or removed from the board and sitting in the hacker's lab." [5] . In our view, it is likely that Atmel relies on the secrecy of the Atmel cipher and the AACs as countermeasures against basic power analysis attacks.
Previous Work.
As it has previously occurred with other products using proprietary cryptographic algorithms [16, 20, 27] , the security of CryptoMemory devices took a hit in 2010 when Garcia et al. [21] reverse-engineered the Atmel cipher and the authentication protocol used in the CryptoMemory family. The authors also cryptanalyzed these mechanisms and showed that an adversary could recover CryptoMemory authentication keys in 2 52 cipher ticks using 2640 eavesdropped keystream frames. Biryukov et al. recently proposed an improved attack [15] that requires 30 eavesdropped keystream frames and 2 50 cipher ticks to recover authentication keys. Other attacks against systems using CryptoMemory are known [24, 32] , but they exploit weaknesses in poorly designed protocols and mistakes during deployment rather than vulnerabilities of CrypoMemory devices.
Atmel Cipher. In the following, and for the sake of completeness, we briefly sketch the main functionality of the Atmel cipher. For a more formal and complete specification we refer the reader to [21] . composed by a total of 4 shift registers. We denote these elements as left register l, middle register m, right register r, and feedback register f. In particular: Mutual Authentication Protocol. The mutual authentication protocol between a CryptoMemory device and a host is illustrated in Figure 2 . Let n r ∈ (F 7 the device challenge authenticators. Both values are computed after feeding the values (n r , n t , k) into the Atmel cipher.
Fig. 2. CryptoMemory mutual authentication protocol
In the first phase of the protocol, the host reads the device randomness n t and uses it, together with its own randomness n r and the shared key k, to compute the authenticators (a r , a t ). In the second phase, the host sends an authentication command to the device, namely auth(n r , a r ), including the value n r and the first authenticator a r . The device computes its own authenticators (a r , a t ), and checks whether the provided a r equals the calculated a r . If the check fails, the value of AAC is decreased; otherwise, it is set to xFF. The device also updates the value of n t by concatenating the 8-bit AAC with the 56-bit authenticator a t . In the final phase, the host reads the recently updated value of n t . It first checks whether the authentication was successful (i.e. whether AAC holds the value xFF), and later compares the authenticator a t with the provided a t . If all checks are correct, then the mutual authentication protocol succeeds. The procedure to compute the authenticators (a r , a t ) resulting of feeding the values (n t , n r , k) into the Atmel cipher is intuitively depicted in Figure 3 . Each of the states s i indicates one tick of the cipher for which an input byte a is given and an output nibble output(s ) is obtained. At the start of the protocol all registers of the internal state are initialized to zero. In a first phase, ranging from states s 0 to s 55 , the three parameters (n t , n r , k) are scrambled into the cipher state. The output keystream nibbles generated by the cipher are for the moment ignored. In a second phase, from states s 56 to s 125 , all input bytes are set to zero. The output nibbles obtained after some of the ticks are used to form the authenticators a r and a t . In the final phase, the session key K s is computed during states s 126 to s 141 .
State

Input bytes Output nibbles
(s0−6) nt 0 nt 0 nt 0 nt 1 nt 1 nt 1 nr 0 - - - - - - - (s7−13) nt 2 nt 2 nt 2 nt 3 nt 3 nt 3 nr 1 - - - - - - - (s14−20) nt 4 nt 4 nt 4 nt 5 nt 5 nt 5 nr 2 - - - - - - - (s21−27) nt 6 nt 6 nt 6 nt 7 nt 7 nt 7 nr 3 - - - - - - - (s28−34) k0 k0 k0 k1 k1 k1 nr 4 - - - - - - - (s35−41) k2 k2 k2 k3 k3 k3 nr 5 - - - - - - - (s42−48) k4 k4 k4 k5 k5 k5 nr 6 - - - - - - - (s49−55) k6 k6 k6 k7 k7 k7 nr 7 - - - - - - - (s56−62) 0 0 0 0 0 0 0 - - - - ar 0 ar 1 - (s63−69) 0 0 0 0 0 0 0 - - - - ar 2 ar 3 - (s70−76) 0 0 0 0 0 0 0 - - - - ar 4 ar 5 - (s77−83) 0 0 0 0 0 0 0 - - - - ar 6 ar 7 - (s84−90) 0 0 0 0 0 0 0 - - - - ar 8 ar 9 - (s91
Developing an Attack Path
Attack Goal. The aim of an adversary targeting CryptoMemory devices may vary depending on the deployment setting, but typically the objective will be to either read protected information (e.g. to manufacture clone chips) or to overwrite memory contents (e.g. to increase the balance in payment scenarios).
In the following we will assume an adversary that possesses a CryptoMemory device configured either in authentication mode or encryption mode. Note that the first security operation in either of these modes is always the mutual authentication protocol. In other words, their security relies on the secrecy of the authentication key (or keys) k. If an attacker knew k, he could easily compute session keys K s and encrypt/decrypt valid communications. Therefore, we define the goal of the adversary as the recovery of k.
Attack Approach. Previous work has already pointed out cryptographic weaknesses in the Atmel cipher, but the most efficient attack still requires substantial computational effort, e.g. two to six days computation on a cluster with 200 cores [15] . We focus on power analysis attacks as they are often more practical. Note that in the case of deployed CryptoMemory devices, eavesdropping the communication line for later cryptanalysis requires physical access to the target device. Thus, physical access for power analysis does not imply an additional requirement.
Target Devices. We have tested three different models of the CryptoMemory family, namely the chips AT88SC0404C, AT88SC1616C, and the newer AT88SC0808CA. These devices differ in the amount of user zone slots and/or size available to the end application, but the protocol to carry out the mutual authentication is identical for all of them.
Given that CryptoMemory devices do not contain a microcontroller, we can assume that the cryptographic unit, including the Atmel cipher, is fully implemented as a hardware module. We further assume that the implementation computes one cipher tick in one or two clock cycles, which gives us an idea of the type of pattern to look for in the power traces.
In the following we describe the experimental setup used in our analysis and the steps followed to evaluate the smart card versions of CryptoMemory. We summarize the slightly different approach required for CryptoMemory ICs, leading to the same results, at the end of the section.
Experimental Setup
The main element of our experimental setup is a Virtex-II FPGA [33] that communicates with a PC (user interface) and a target device (CryptoMemory). The FPGA can be configured to communicate with either of the CryptoMemory device forms, i.e. as a T=0 compatible smart card reader or as a TWI master device. Apart from the communication line, the FPGA fully controls all external signals provided to the target device. For instance, the reset signal (RST), the external clock (CLK), and even the power supply (VCC) can be manipulated at will and at any point in time. A 50 Ohm resistor is inserted in series in the ground (GND) line of the target device. We use a Tektronix DPO7254 [31] oscilloscope to measure the voltage drop over this resistor, thus obtaining a trace proportional to the device's power consumption. Note that we do not exhaust the capabilities of the oscilloscope and that a low-cost model could be used just as well. For all experiments we used a sampling rate of 100 MS/s and 20 MHz bandwidth. In addition to the power consumption we also use the oscilloscope to monitor RST, CLK, and I/O lines.
Initial Investigation of Power Traces
The first step in a power analysis attack is to determine in which part of the protocol the secret key is used by the target device, i.e. at which points in time are the key bytes fed as input to the Atmel cipher. An overview of the I/O and a power trace obtained during the processing of a mutual authentication command is shown in Figure 4 . Figure 4 (a) represents a successful authentication, Figure 4 (b) represents a failed authentication, and Figure 4 (c) represents an authentication attempt when the AAC is set to x00. The leftmost part of the figures start with the host sending 5 bytes corresponding to an authentication command. After receiving these bytes, the card can reply either with an acknowledgement ACK, indicating that it accepts the command, or with a negative acknowledgement NACK, refusing to process the command. The latter is shown in Figure 4(c) , where the CryptoMemory device has locked access to the associated user zones. If the device acknowledges the command then the host sends the payload data, i.e. 16 bytes corresponding to the values n r and a r . Upon reception, the card performs a series of operations to determine whether the authenticator provided by the host is correct. Finally, the card sends a response to the host indicating the outcome of the authentication attempt.
The most interesting part of the figure corresponds to the card calculations upon reception of the payload data. One can clearly notice that the calculation interval in Figure 4 (b) is significantly shorter than in Figure 4(a) . Further, a clearly distinguishable pattern with higher power consumption appears twice for the valid authentication and only once for the invalid authentication. This pattern corresponds to EEPROM writings in configuration memory: the first one, present for both valid and invalid attempts, corresponds to decreasing the value of AAC; the second one, only present for the valid authentication, corresponds to writing the new value of n t and the session key K s . Note that writing a new value n t implies a valid authentication, and thus AAC is restored back to xFF.
Although not visible in these overview plots, we noticed that the cryptographic unit appears to run at a clock frequency slower than that we provided externally. Further investigations showed that the device internally derives this slower clock signal by dividing the external clock by approximately a factor 200.
The card's calculation of the values (a r , a t ) must happen before the second EEPROM write operation, simply because the n t cannot be updated without having computed a t beforehand. Our experiments have shown that the device computes the authenticators (a r , a t ) on-the-fly, i.e. while the payload data (n r , a r ) is being received from the host. Similarly, the calculation of the session key K s is performed between the two EEPROM writings, only after the device has authenticated the host by verifying that a r and a r are equal. Figure 5 shows a zoomed version of the I/O and power traces during the transmission of the value n r = (n r0 , . . . , n r7 ) to the card. A clearly distinguishable peak in the power trace is visible at the end of each byte transmission, while a total of six high peaks are also identifiable during the transmission of a byte. As explained in Section 2 the calculation of (a r , a t ) requires 126 cipher ticks. The pattern in the power traces has a perfect mapping with the cipher behavior illustrated in Figure 3 considering a hardware implementation. In fact, the first peak in Figure 5 corresponds to the state s 6 , i.e. when the value n r0 is fed to the cipher. The following six peaks correspond to states s 7 to s 12 , in which the card uses its own randomness (values n t2 and n t3 ) as inputs. Once n r1 has been received over the I/O line, a new peak corresponding to state s 13 appears in the power trace, and the pattern is repeated for every transmitted byte. In summary, each of the 50 peaks highlighted in Figure 5 corresponds to a cipher state ranging from s 6 to s 55 in Figure 3 .
Since the key k is scrambled into the cipher states s 6 to s 55 , the device might leak sensitive information through its power consumption. We could not immediately identify a visible pattern in the power consumption that could relate to k (SPA leak) but we also did not expect that from a hardware implementation of a stream cipher. Therefore, we focused our attention on attacks that use statistical post-processing of the collected power traces. Recall that DPA attacks require the processing of multiple power traces corresponding to multiple authentication attempts. For each attempt the device must use the same (unknown) k and varying input data.
Overcoming Authentication Attempt Counters
Even though we have identified the parts in the power traces that correspond to processing of the secret key k, an important practical issue still remains. In our adversarial model, the adversary possesses a CryptoMemory device that is already configured. Thus, he does not know the secret key k. In order to run the mutual authentication protocol, an adversary needs to provide an authenticator a r to the device. However, as the attacker cannot compute this value correctly, the CryptoMemory device will not authenticate the host and, as a consequence, it will decrease the associated AAC. Given that the user zones become inaccessible to the host after four failed authentication attempts, an adversary can collect at most three power traces before permanently locking the device. The issue is that three traces are clearly not sufficient to carry out a successful DPA attack.
There are several ways to try to deal with this limitation. If the application under attack were to use the same key in all deployed CryptoMemory devices, then it would suffice to collect power measurements from several devices. One could also try to take many measurements from a single device, effectively sacrificing it. But as can be seen in Figure 4 (c), once the AAC value is set to x00 the device no longer computes the authenticators and measurements would thus be worthless. Therefore, an adversary could obtain at most four power traces per device tested. However, a scenario in which all devices share a single key k seems unlikely to be found in secure deployments
3 . An alternative could be to use template attacks as introduced by Chari et al. [18] . The devices provided by Atmel in evaluation kits, completely configurable by the user, could be used to build such templates. We expect template attacks to require very few power traces from the target device, but it is not clear if three traces would suffice, due to the large cipher state. We did not investigate this approach further as we were interested in more simple attack paths.
We followed a more intuitive approach to overcome the limitation imposed by the AACs. Recall from Figure 4 that all the information required to perform DPA, i.e. key-dependent information in power measurements, is obtained while the value n r is being sent to the card. In other words, the information is available to the attacker before the card actually decreases the value of AAC. Our approach consists in injecting a negative pulse in the RST signal of the device before the new value of AAC is written into configuration memory. Doing so forces the device to reset its state before beginning the EEPROM write operation.
A successful implementation of this simple procedure is shown in Figure 6 . Besides the I/O and power traces, the figure also shows the RST signal input to the device. Injecting a pulse on the RST line right after sending the payload data successfully resets the device. This can be observed on the I/O line, as the device sends its Answer-To-Reset (ATR) value to the host device right after the rising edge in RST. Note also that the first EEPROM write pattern indicating AAC being decreased does not appear in the power trace. The timing of the RST pulse is far from critical as the adversary can inject it at any point after the reception of n r and before the first EEPROM writing, i.e. during the transmission of the value a r . Recall that the transmission of a bit in the I/O line requires 372 clock cycles, and a byte transmission requires a total of 12 bits (1 start bit, 8 data bits, 1 parity bit, and 2 stop bits) [3] . Taking that into account, the adversary has an interval of 35 712 clock cycles in which the RST pulse can be sent to the card.
Note that resetting the device before the EEPROM writings implies that the value n t can never be updated. As a consequence, all power measurements collected using this approach will correspond to the same device randomness n t . Although in other scenarios this characteristic could be problematic, in our case it does not limit the success or applicability of DPA attacks. This is because an attacker can still provide varying values of n r for each authentication attempt, which is fed into the Atmel cipher some ticks before the key k.
Differences with CryptoMemory Packaged ICs. Besides some particularities caused by the use of TWI instead of T=0, the overall behavior of CryptoMemory packaged ICs resembles what we have presented until now. Most important is the fact that the calculation of the parameters (a r , a t ) is done in exactly the same way as in the smart card, i.e. on-the-fly while the host sends the values (n r , a r ). It is thus possible to identify which zones of the power measurements correspond to which states of the Atmel cipher during the feeding of the values (n t , n r , k).
The main physical difference between CryptoMemory packaged ICs and smart cards is that the former do not have an external RST pin. This could have been a problem, but an "equivalent" mechanism to overcome the AACs consists in cutting the supply voltage (VCC) before the counters are decreased. Similarly to the RST mechanism the timing accuracy to cut the voltage is not critical, and the adversary has plenty of time to perform it 4 . Once the power traces are obtained, the attacks on CryptoMemory in smart card form and in IC form are identical and lead to very similar results.
Power Analysis Attack
We obtained a set of 1000 power traces sampled during executions of the mutual authentication protocol, for which we provided random nonces n r to the device and, each time, reset it as described above.
We processed the traces with a simple routine that extracts the peaks highlighted in Figure 5 , yielding a new set of highly compressed and well aligned traces. Contrary to typical attacks on block cipher implementations, the key bytes can not be recovered independently but should be recovered in the order in which they are fed into the Atmel cipher implementation, i.e. first k 0 , then k 1 , etc.
We first investigated the feasibility of basic DPA attacks that recover k one byte at a time. We used a Hamming distance power model on the full cipher state, i.e. the total number of bit flips in the transition from state s to state s , and Pearson's correlation coefficient as distinguisher [17] .
As explained in Section 2, each key byte is fed into the cipher three times in consecutive cipher ticks. Our basic attack worked best when we attacked the last cipher tick that fed in a given key byte, e.g. for byte k 0 the transition from state s 29 to s 30 . Figure 7 exemplarily shows the results we obtained when attacking k 6 (the worst case). The left part of the figure shows the correlation coefficients for all 256 hypotheses, plotted over "time", computed using all 1000 measurements. The right part of the figure shows the evolution of the maximum and minimum correlation peaks per key hypothesis, plotted over the number of traces used. We verified that all key bytes can be recovered in this way using less than 500 traces.
Our slightly more elaborate attack additionally exploits two simple facts. First, we know exactly which sample in the power traces corresponds to which cipher tick. Thus, the attack focuses on the correct sample in the traces and ignores all other samples that appear as noise. Second, each key byte is fed into the cipher three times. Thus, the attack targets all three transitions and adds up the obtained correlation coefficients, per key hypothesis.
In addition, the attack further exploits that the dependence of the cipher state on k grows only slowly and byte per byte. Similar to the strategy described in [19] , the attack does not aim to immediately identify the exact value of a key byte, but it maintains a list of the best candidate values and re-evaluates them when attacking the next key bytes.
We verified that this enhanced attack recovers the correct key k using less than 100 measurements. We note that both attacks, from measurements to full key recovery, can be carried out in less than 20 minutes on a standard laptop. Algebraic side-channel analysis would perhaps allow to work with even fewer traces, but it requires to build templates.
Implications and Countermeasures
We have shown that an adversary can easily extract the secret authentication key(s) k from CryptoMemory devices using basic, well-understood power analysis techniques. As a consequence, the adversary can perform all actions that any authenticated host could perform. This includes reading the memory, which allows to clone the device, and manipulating its memory contents at will.
The success of our attack is due to two design flaws in CryptoMemory. First, the implementation of the Atmel cipher is not protected by countermeasures against power analysis attacks, except for the AACs that limit the number of traces that can be obtained from a device before it locks itself to at most three. And second, an inadequate handling of the AACs that allows an adversary to bypass this limitation and to obtain any number of measurements from a given device without locking it.
A simple way to prevent our attack would be to modify the handling of the AACs. As learned from our experiments, CryptoMemory performs the authentication procedure as follows: compute the authenticators, decrease the value of AAC, compare the authenticators, and update the value of AAC according to success/failure when writing n t in memory. This sequence can also be extracted from Figures 4(a) and 4(b) . Atmel explicitely states that this procedure is used "to prevent attacks" [7] . In fact, the method protects only the comparison operation and is often used e.g. in SIM cards during PIN verification. Our attacks do, however, not target the comparison operation but the time instants when the secrets are manipulated. Since CryptoMemory manipulates the secret key(s) before it decreases AAC, the counters can be easily bypassed with a reset. A more secure handling of the AACs could be to decrease the counter right upon reception of a mutual authentication command, and prior to the reception of the payload data and computation of the authenticators.
Protecting against more sophisticated attacks than ours may require to implement some of the well-known countermeasures against power analysis attacks, e.g. noise generators and power filters at the hardware level, or masking, random delays, and shuffling at the circuit level [25] .
Conclusions
CryptoMemory is advertised to be used as a secure element in larger systems, in a way that only authorized hosts with knowledge of the correct authentication keys can have access to the protected memory contents. It is ensured that CryptoMemory "permanently lock these values [secret keys] after device personalization and guarantee these values can never be read " [8] .
In this work we have shown how to extract such keys by using well-understood power analysis techniques. CryptoMemory uses fuses to lock access control policies, access control to protect memory contents, and AACs to strengthen access control. Therefore, a large part of CryptoMemory's security relies on the AACs, that we identified as a not sufficiently protected point of failure.
