73 research outputs found

    Differential Analysis of Round-Reduced AES Faulty Ciphertexts

    International audience. This paper describes new Round Reduction analysis attacks on an Advanced Encryption Standard (AES) implementation by laser fault injection. The previous round reduction attacks require both spatial and temporal accuracy in order to execute only one, two or nine rounds. We present new attacks with more flexible fault injection conditions. Our experiments are carried out on an 8-bit microcontroller which embeds a software AES with pre-calculated round keys. Faults are injected either into the round counter itself or into the reference of its total round number. The attacks may result in the use of a faulty round key at the last one or two executed rounds. The cryptanalysis of the obtained round-reduced faulty ciphertexts resorts to the differentiation techniques used by Differential Fault Analysis.

    Physical cryptanalysis of cryptographic circuits using laser sources (Cryptanalyse physique de circuits cryptographiques à l'aide de sources LASER)

    Cryptographic circuits, because they contain confidential information, are subject to fraud from malicious users, commonly known as attacks. Several attacks have been published and analysed. One of the most effective attacks, called Differential Fault Analysis (DFA), uses faults deliberately injected by the attacker during the computations, for example with a laser. However, fault models used by these attacks can be restrictive and determine the effectiveness of the attack. Thus, it is important to know which fault model is useful or feasible according to the targeted device or injection means (in our case the laser).

    A first study about the injected fault types (Bit-set, Bit-reset or Bit-flip) on SRAM memory cells highlighted the strong data dependency of the injected faults and the near absence of the Bit-flip fault type. This last result greatly favors Safe Error attacks and creates a real security issue. These results were obtained thanks to laser sensitivity maps performed on an isolated SRAM cell and on the RAM of an 8-bit micro-controller. To confirm these experimental results, SPICE simulations of laser fault injection have been made with a model developed in the department. This model takes into account the topology of the target.

    Tests were then carried out on an ASIC implementing the AES algorithm. The fault analysis showed the presence of the three types of faults but also a low injection rate. In contrast, the error repeatability was particularly high. This allowed us to improve an existing attack and to obtain an attack more effective than conventional attacks, requiring fewer faulty ciphertexts and reducing the complexity of the analysis to find the secret key. Finally, an assessment of the countermeasures embedded in this circuit showed their ineffectiveness with respect to laser fault attacks. Areas for improvement were then proposed.

    ST ETIENNE-ENS des Mines (422182304) / Sudoc, France

    Investigation of Near-Field Pulsed EMI at IC Level

    International audience. This article describes the use of a near-field electromagnetic pulse (EMP) injection technique in order to perform a hardware cryptanalysis of the AES algorithm. This characterization technique is based on the fact that conductors, such as the rails of a Power Distribution Network (PDN), which is one of the primary EMI risk factors, act as antennas for the radiated EMP energy. This energy induces high electrical currents in the PDN responsible for the violation of the integrated circuit's timing constraints. This modification of the chip's behavior is then exploited in order to recover the AES key by using cryptanalysis techniques based on Differential Fault Analysis (DFA).

    A unified formalism for side-channel and fault attacks on cryptographic circuits

    National audience. Security is a key component for information technologies and communication. Security is a very large research area involved in the whole information technology, related to both hardware and software. This paper focuses on hardware security, and more specifically on hardware cryptanalysis whose aim is to extract confidential information (such as encryption keys) from cryptographic circuits. Many physical cryptanalysis techniques have been proposed in the last ten years but they always belong to one of those very distinct categories: fault and side channel attacks. In this article, a formal link between these two categories is proposed. To the best of our knowledge, this is the first time that a wide class of attacks is described in such a generic manner.

    Electromagnetic glitch on the AES round counter

    International audience. This article presents a Round Addition Analysis on a software implementation of the Advanced Encryption Standard (AES) algorithm. The round keys are computed on-the-fly during each encryption. A non-invasive transient fault injection is achieved on the AES round counter. The attack is performed by injecting a very short electromagnetic glitch on a 32-bit microcontroller based on the Arm Cortex-M3 processor. Using this experimental setup, we are able to disrupt the round counter increment at the end of the penultimate round and execute one additional round. This faulty execution enables us to recover the encryption key with only two pairs of corresponding correct and faulty ciphertexts.

    ElectroMagnetic Analysis (EMA) of Software AES on Java Mobile Phones

    International audience. Smartphones, whose market share has increased by 54% between 2009 and 2010, are one of the favored platforms for "Convergence Computing". Convergence Computing is a technology in which a single device can provide various services without any restrictions from external devices or networks. Today, smartphones as convergent single devices have diverse functions and features such as calling, Internet surfing, game playing, banking, storage of personal and professional data, etc. Some of these use encryption algorithms such as AES (Advanced Encryption Standard). For example, this algorithm is used to authenticate server protocols or to encrypt confidential information. This paper shows that an Electromagnetic Analysis (EMA) on AES is possible on a Java mobile phone to extract secret keys. The latter can then be used for forensic purposes or to recover encrypted data stored in the device. Experiments involving two successful approaches are described and compared: Spectral Density based Approach (SDA) and Template based Resynchronisation Approach (TRA).

    A Unified Formalism for Physical Attacks

    Technical report. The security of cryptographic algorithms can be considered in two contexts. On the one hand, these algorithms can be proven secure mathematically. On the other hand, physical attacks can weaken the implementation of an algorithm yet proven secure. Under the common name of physical attacks, different attacks are regrouped: side channel attacks and fault injection attacks. This paper presents a common formalism for these attacks and highlights their underlying principles. All physical attacks on symmetric algorithms can be described with a 3-step process. Moreover, it is possible to compare different physical attacks by separating the theoretical attack path and the experimental parts of the attacks.

    Integrated Evaluation Platform for Secured Devices

    International audience. In this paper, we describe the structure of an FPGA smart card emulator. The aim of such an emulator is to improve the behaviour of the whole architecture when faults occur. Within this card, an embedded Advanced Encryption Standard (AES) protected against DFA is inserted as well as a fault injection block. We also present the microprocessor core which controls the whole card.

    Design of a duplicated fault-detecting AES chip and yet using clock set-up time violations to extract 13 out of 16 bytes of the secret key

    International audience. The secret keys manipulated by cryptographic circuits can be extracted using fault injections associated with differential cryptanalysis techniques [1]. Such faults can be induced by different means such as lasers, voltage glitches, electromagnetic perturbations or clock skews. Several counter-measures have been proposed such as random delay insertions, circuit duplications or error correcting codes. In this paper, we focus on an AES chip in which the circuit duplication principle has been implemented to detect fault injection. We show that faults based on clock set-up time violations can nevertheless be used to defeat the implemented counter-measure.

    Safe design methodologies against fault attacks

    No full text
    International audienc