D.VAM.1 Report on Physical Security of Contact-less … · 2009-08-17 · Thomas Eisenbarth, Timo...

ECRYPT II ECRYPT II

ICT-2007-216676

ECRYPT II

European Network of Excellence in Cryptology II

Network of Excellence

Information and Communication Technologies

D.VAM.1

Report on Physical Security of Contact-less CryptographicDevices

Due date of deliverable: 31. July 2009Actual submission date: 10. August 2009

Start date of project: 1 August 2008 Duration: 4 years

Lead contractor: Katholieke Universiteit Leuven (KUL)

Revision 1.1

Project co-funded by the European Commission within the 7th Framework Programme

Dissemination Level

PU Public X

PP Restricted to other programme participants (including the Commission services)

RE Restricted to a group specied by the consortium (including the Commission services)

CO Condential, only for members of the consortium (including the Commission services)

Report on Physical Security of Contact-less

Cryptographic Devices

Editor

Elisabeth Oswald (BRIS)

Contributors

Mike Tunstall (BRIS)Thomas Eisenbarth, Timo Kasper, Amir Moradi,

and Christof Paar (RUB)Michael Hutter, Marcel Medwed, Daniel Hein,

and Johannes Wolkerstorfer (IAIK)Benedikt Gierlichs (KUL)

10. August 2009Revision 1.1

The work described in this report has in part been supported by the Commission of the European Com-munities through the ICT program under contract ICT-2007-216676. The information in this document isprovided as is, and no warranty is given or implied that the information is t for any particular purpose. Theuser thereof uses the information at its sole risk and liability.

i

Contents

1 Introduction 1

2 Physical Attacks and Contact-less Devices 1

2.1 Physical Attacks Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12.2 Invasive Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.3 Non-Invasive Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.4 Non-Invasive but Active Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . 22.5 Invasive but Passive Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.6 Specic Attacks on Proximity Identication Systems . . . . . . . . . . . . . . . 3

3 Attacking Keeloq 3

3.1 Background about Keeloq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43.1.1 Code Hopping Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 43.1.2 Key Derivation Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3.2 DPA on KeeLoq . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53.2.1 Building a Powerful DPA for KeeLoq . . . . . . . . . . . . . . . . . . . 63.2.2 Details of the Hardware Attack . . . . . . . . . . . . . . . . . . . . . . . 73.2.3 Details of the Software Attack . . . . . . . . . . . . . . . . . . . . . . . . 8

3.3 Real World Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.3.1 Cloning a Transmitter . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103.3.2 Recovering a Manufacturer Key . . . . . . . . . . . . . . . . . . . . . . . 103.3.3 Cloning a Transmitter without Physical Access . . . . . . . . . . . . . . 113.3.4 Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

4 Attacks on ECDSA-enabled RFID devices 13

4.1 Power Analysis Attacks on ECDSA Implementations . . . . . . . . . . . . . . . 134.2 Attack Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

4.2.1 The Analog Front-End . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164.2.2 The Digital ECDSA-Enabled RFID Controller . . . . . . . . . . . . . . 164.2.3 The Measurement Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

4.3 Practical Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

ii

D.VAM.1 Report on Physical Security of Contact-less Cryptographic Devices 1

1 Introduction

Contact-less cryptographic devices, such as contact-less smart cards or RFID devices, are atthe core of many real-world applications. Prominent examples thereof include RFID-enabledkeys (e.g. car keys, garage-door openers, door openers), e-passports (based on contact-lesssmart cards), or cards for public transport (e.g. the London Oyster card).

Physical security comprises all attacks (and countermeasures) that work based on exploit-ing physical properties of a device. Prominent examples of such attacks are side-channelattacks and fault attacks. Side-channel attacks are typically seen as passive in the sense thatthe adversary only monitors the cryptographic devices. The most successful attacks in thisarea so far have been conducted using power consumption information (acquired contact-basedor contact-less). Fault attacks are typically classied as active attacks in the sense that theadversary actively interferes with the computations taking place inside the device by causingfaults during the computations. There are dierent ways of causing faults some of whichrequire de-packaging the cryptographic device (invasive methods). Generally speaking, inva-sive methods require a technically more sophisticated adversary but also promise to be morepowerful.

In this deliverable we report on some of the recent developments of conducting physicalattacks on contact-less devices. There has been plenty of (academic) work in both physicalattacks and countermeasures recently. However, as the eld is new and very much in a processof change, the countermeasures-side is less developed and stable. Consequently, we focus inthis deliverable on the state-of-the-art of attacks (rather than countermeasures).

The structure of this deliverable is as follows. In the second section, we review some basicattack principles and relate them to contact-less smart cards and RFID devices. In sectionthree, we report on the work by [4], which shows how to completely break a widely used RFIDbased garage-door opening system. In section four, we report on cutting edge research of [6]into the (in)security of ECDSA-enabled RFID devices.

2 Physical Attacks and Contact-less Devices

Contact-less devices are typically either based on a microprocessor or a memory chip. Com-munication is performed using an antenna glued inside the plastic body of the chip. Thereare two types, referred to as vicinity cards, which have a communication range up to a meter,and proximity cards, which have a range of approximately ten centimeters, see [8, 9] for spec-ications. To date, these cards have mostly been used for access control and public-transportticketing schemes. Examples of large deployments include, e.g. the London Oyster card andHong Kong Octopus card. With the increasing security demands on border control, contact-less travel documents are also becoming more prevalent. Note that some devices are able tocommunicate both contact-based and contact-less. These devices are typically designed tosupport more than one application, e.g. contact payment and contact-less transport ticketing.

2.1 Physical Attacks Overview

Cryptographic devices typically serve two means. First, they are able to calculate crypto-graphic algorithms. Second, they protect cryptographic keys. Consequently, attacks targetingcryptographic devices aim either at revealing information about the keys, or at reverse engi-neering (proprietary) cryptographic algorithms (with the next goal of then also revealing the

2 ECRYPT II European NoE in Cryptology II

keys). Provided that the logical channels (I/O commands) do not allow to extract key or al-gorithm information, physical attacks are the remaining option for attackers. Physical attackscan be distinguished along dierent dimensions, see [13] for an authoritative overview. Therst dimension along which attacks can be distinguished is whether they are non-invasive orinvasive. The second dimension is whether they require active involvement during the deviceis working or whether they are purely passive.

2.2 Invasive Attacks

Invasive attacks attacks allow gaining access to, and inspecting, the microchip embeddedin a device. Possible aims of such attacks are trying to reverse engineer implementationsand attempting to read the contents o Read Only Memory (ROM). This has recently beenconducted on a MiFare classic chip [11], where the proprietary cryptographic algorithm usedwas reverse engineered and subsequently successfully cryptanalysed [12].

Another example of an invasive attack technique is to place a probe on bus lines. Whenvalues are transferred between memory locations and the processor core, the probing needlescan be used to read o these values in conjunction with an oscilloscope or a logic analyzer.Depending on what is transferred over the bus, attackers might be able to read of informationincluding cryptographic keys and/or the operating system (which might be present in ROM).

Academia (and industry) have been well aware of these threats as early articles such as [1]and [10] prove.

2.3 Non-Invasive Attacks

A non-invasive method of attack that can be conducted by purely observing a device while itprocesses information is called a side channel attack. For example, the simplest form of sidechannel analysis is to observe how long a given process takes to execute. The length of timethat a process takes to complete can leak information about the data being processed [44]. Forexample, the digits of a Personal Identication Number (PIN) might be checked subsequentlyand a negative result might be immediately returned when a wrong digit is encountered. Con-sequently, an attacker could use this to determine how many digits of a guessed PIN are correct.The next side channel that was discussed in the scientic community was the power consump-tion [45]. Dierent versions of side channel analysis (simple, dierential, proled/template)where discovered, see [48] for an extensive treatment.

2.4 Non-Invasive but Active Attacks

An example for this category is to inject a fault during the working of a cryptographic device.A simple way of achieving this would be to change a ciphertext input to the device. In somecases, this would allow information to be derived on the key being used. These types of attackshave been shown to work with both symmetric and asymmetric cryptographic algorithms, see[2, 3].

Dierent mechanisms can be used to inject faults, e.g. a glitch on the power supply ora fast clock for a short period of time. The exact response of a smart card will depend onhow it is designed. A ash of either white or laser light over an exposed chip surface canalso be used to inject a fault [2]. There are further mechanisms for injecting faults, such astemperature, X-rays or gamma radiation. However, it is hard to control the source of theinjection mechanism with sucient nesse that a fault can be reliably injected.


2.5 Invasive but Passive Attacks

Power and EM analysis attacks are the currently most popular side-channel attacks (whenmeasured according to the number of papers published). Whilst power analysis attacks havethe drawback that an attacker needs to work with the power consumption of an entire chip,EM analysis has the potential to focus in on the power consumption of a specic part of thechip (the EM probe can be placed accordingly). The size and shape of the EM probe deneswhich frequencies can be picked up and the distance to surface of the chip is a crucial factor inthe success of the whole analysis. Consequently, a common strategy is to remove the packagefrom the chip in order to be able to place the EM probe as close as possible to the chip.

2.6 Specic Attacks on Proximity Identication Systems

The attacks in the previous sections all targeted physical properties of chips embedded incryptographic devices. All of these attacks work for contact-based and contact-less devices.Attacks that are more specic for contact-based systems are briey described now.

Contact-less technology is a prevalent method for providing proximity identication sys-tems. Most of these systems operate on the assumption that a token, and its owner, are inclose proximity to a reader because of the limited range of the near-eld communication chan-nel. This simple method can be easily defeated if an attacker can relay the communicationbetween a legitimate reader and a token over a greater distance. In this case the attackerwould use two devices that act as a "proxy" token and a "proxy" reader respectively.

A successful relay attack, therefore, allows an attacker to temporarily possess a "clone"of a legitimate token, thereby allowing him to gain the associated benets. Relay attacks arenot that easy to defend against and even though physical mechanisms, such as the shieldingof contact-less tokens, could prevent certain attack scenarios, any application layer securityis eectively circumvented. Hardware designs capable of performing a relay attack have beendescribed in [5] and [7].

3 Attacking Keeloq

The KeeLoq block cipher is widely used for security relevant applications, e.g., remote key-less entry (RKE) systems for car or building access, and passive radio frequency identi-cation (RFID) transponders for car immobilizers [25]. In the course of the last year, theKeeLoq algorithm has moved into the focus of the international cryptographic research com-munity. Shortly after the rst cryptanalysis of the cipher [14], more analytical attacks wereproposed [17, 18], revealing mathematical weaknesses of the cipher. The best known analyt-ical attacks target the identify friend or foe (IFF) mode of KeeLoq and require at least 216

plaintext-ciphertext pairs from one transponder. This allows, after several days of compu-tations, for a simple cloning of the transponder and, only in case of a weak key derivationmethod1, for obtaining the manufacturer key that is required to generate keys for new validtransponders. Despite the impressive contribution to the cryptanalysis of the cipher, thereal-world impacts of the previous attacks are somewhat limited.

In this section, we present three very practical key recovery attacks and a denial of serviceattack with severe implications for RKE systems that are currently used in the eld. These

1If the key of the transmitter is derived from XORing a simple function of the device serial number withthe manufacturer key, the latter can easily be obtained.


1 17 02 4 0

XOR

Key Register,

State Register,

k

y

07

Figure 1: Block diagram of the KeeLoq encryption

32

Synchronization Counter

Secret Key

Discrimination Value

Func.

Hopping Code

KEELOQ Encryption

32

64

Figure 2: Generation of KeeLoqhopping codes

new attacks which combine dierential power analysis (DPA) with the extend-and-prunestrategy of [16] can be applied to various implementations of KeeLoq. In particular,we have been able to successfully attack hardware realizations, i.e., the Microchip HCSXXXfamily of integrated circuits (ICs), as well as software implementations running on MicrochipPIC microcontrollers. In contrast to the hitherto existing attacks, the techniques proposed byus are also applicable in case of more sophisticated key derivation schemes (cf. Sect. 3.1.2)and are suitable for breaking both the KeeLoq code hopping mode and the IFF mode.

3.1 Background about Keeloq

KeeLoq is a block cipher with a 64 bit key and a block size of 32 bits. As illustrated in Fig. 1,it can be viewed as a non-linear feedback shift register (NLFSR) where the feedback dependslinearly on two register bits, one key bit, and a non-linear function (NLF). The NLF mapsve other register bits to a single bit [14, 17, 18]. Prior to an encryption, the secret key andplaintext are loaded in the key register and the state register, respectively. In each clock cycle,the key register is rotated to the right and the state register is shifted to the right so that thefresh bit prepared by the XOR function becomes part of the state. After 528 clock cycles,the state register contains the ciphertext. The decryption process is similar to the encryption,except for the direction of the shifts and the taps for the NLF and the XOR function.

3.1.1 Code Hopping Protocol

In addition to KeeLoq IFF systems which provide authentication of a transmitter to themain system using a simple challenge-response protocol, KeeLoq is used in code hopping (orrolling code) applications [22]. In this mechanism, which is widely used, e.g., in car anti-theftsystems and garage door openers, the transmitter is equipped with an encoder and the receiverwith a decoder. Both share a secret key and a xed discrimination value, disc, with 10 or12 bits. In addition, they are synchronized with a 16 bit or 18 bit synchronization counter,cnt, which is incremented in the encoder each time a hopping code is transmitted. Accordingto Fig. 2, the transmitter constructs a hopping code by encrypting a 32 bit message formed


of disc, cnt and a 4 bit function information. The latter determines the task desired by aremote control, for instance, it enables to open or close more than one door in a garage openersystem.

One message sent via the radio frequency (RF) interface consists of a hopping code followedby the serial number of the transmitter. The receiver decrypts the hopping code using theshared secret key to obtain disc and the current cnt. The transmitter is authenticated if discis identical to the shared one and cnt ts in a window of valid values. Three windows aredened for the counter. If the dierence between a received cnt and the last stored value iswithin the rst window, i.e., 16 codes, the intended function will be executed after a singlebutton press. Otherwise, the second window containing up to 215 codes2 is examined. In thisso-called resynchronization window, the desired function is carried out only if two consecutivecounter values are within it, i.e., after pressing the button twice. The third window containsthe rest of the counter space. Any transmission with a cnt value within this window will beignored, to exclude the repetition of a previous code and thus prevent replay attacks.

3.1.2 Key Derivation Schemes

There are two types of keys involved in a typicalKeeLoq application. The device key is uniquefor each remote control and is shared by the transmitter and the receiver. It is establishedduring a learning phase. The manufacturer key is mainly used for deriving device keys. It is toour knowledge identical for all receivers of a given manufacturer and hence enables producingtransmitters that cannot be cloned by competitors. Since the manufacturer's key is criticalfor the security of the product, it is stored in a read protected memory of the receiver. Theknown key derivation schemes are reviewed in the following:

(a) According to Fig. 3.a, the device key is obtained by two KeeLoq decryptions. Thetwo functions F1 and F2 (which are usually simple paddings) are applied to the serialnumber of the transmitter to form the plaintexts for the decryptions.

(b) The next key derivation scheme is similar to the previous one, except for a randomlygenerated seed value which is stored in the transmitter and is used instead of the serialnumber to generate the device key. During the learning phase, a transmitter can beforced to send its seed value.

(c) As presented in Fig. 3.b, sometimes the device key is generated from an XOR of a simplefunction of the serial number with the manufacturer key.

(d) The last scheme is similar to the third one. The device key is derived from an XOR ofthe manufacturer key and a simple function of the seed value of the transmitter.

Note that a manufacturer may develop a proprietary key derivation scheme not included inthe above list.

3.2 DPA on KeeLoq

The analysis of targets using KeeLoq exposes an attacker to a classical situation for physicalattacks: while some information about the cryptographic device is known much more informa-tion needed to be established via experimenting with the device(s). For instance, transmitters

2These window sizes are recommended by Microchip, but they can be altered to t the needs of a particularsystem.


132

32

64

2

Device Key

32ManufacturerKey

32

64

Serial Number/SEED

(a)

132

2

Device Key

32

Serial Number/SEED

64

64ManufacturerKey

64

(b)

Figure 3: Key derivation schemes

usually employ HCSXXX modules of Microchip, featuring a hardware implementation of thecipher. The receivers are typically equipped with a read-protected PIC microcontroller onwhich a KeeLoq decryption routine is implemented in software. In [4] a full description oftechnical details about the obstacles encountered and solved in the case of Keeloq imple-mentations can be found.

3.2.1 Building a Powerful DPA for KeeLoq

It is known that for successfully performing a DPA attack, some intermediate value of thecipher has to be identied that (i) depends on known data (like the plaintext or the ciphertext),(ii) depends on the key bits, and (iii) is easy to predict. Furthermore, it is advisable to choosea value that has a high degree of nonlinearity with respect to the key, to avoid so-called ghostpeaks for similar keys [15]. For every DPA, a model for estimating the power consumptionis needed. Compared to the two shift registers, the power consumption of the combinationalpart, i.e., a few XORs and the 5 × 1 non-linear function, is small and can be neglected.Note that the Hamming distance of the key register does not change, since the key is simplyrotated. This leads to a theoretically constant power consumption of the key register in eachclock cycle. Hence, one focuses on the state register ~y. The DPA attack is then based on thefollowing hypothetical power model

P(i)Hyp = HD

(~y(i), ~y(i−1)

)= HW

(~y(i) ⊕ ~y(i−1)

)(1)

where P(i)Hyp denotes the hypothetical power consumption in the ith round, HD and HW

are Hamming distance and Hamming weight, respectively, ~y(i) indicates the content of thestate register in the ith round, and ⊕ is a 32 bit XOR function. As mentioned before, theknown ciphertext attack on the encryption is identical to the known plaintext attack on thedecryption3.

A known ciphertext attack on the encryption can be described as follows. Starting from

the 528th round, 32 bits of the nal state ~y(528) =(y

(528)0 , . . . , y

(528)31

), are known. Fur-

thermore, 31 bits of ~y(527), i.e.,(y

(527)1 , . . . , y

(527)31

), are known because they are identical to(

y(528)0 , . . . , y

(528)30

). Therefore, just y(527)

0 is unknown. According to Fig. 1, we can write

y(i+1)31 = k

(i)0 ⊕ y

(i)16 ⊕ y

(i)0 ⊕NLF

(y

(i)31 , y

(i)26 , y

(i)20 , y

(i)9 , y

(i)1

)(2)

3Both attacks target state ~y(l) of the decryption, which is the same as state ~y(528−l) of the encryption.


where k(i)0 is the rightmost bit of the key register in the ith round. Knowing that k(i)

j =k(i+j) mod 64, one can rewrite Eq. (2) as

y(527)0 = k15 ⊕ y(527)

16 ⊕ y(528)31 ⊕NLF

(y

(527)31 , y

(527)26 , y

(527)20 , y

(527)9 , y

(527)1

)(3)

Thus, recovering y(527)0 directly reveals one bit of the key register. This process is the same

for recovering the LSB of the state register of the previous rounds, i.e., y(i)0 , i = (526, 525, . . .).

However, Eq. (3),depends linearly on the key bit k15. Above we stated that nonlinearity helpsdistinguishing correct key hypotheses from wrong ones. Hence, recovering the key bit-by-bitmight not be the best choice4. Fortunately, according to Fig. 1, the LSB of the round state,y

(i)0 , enters the NLF leading to a nonlinear relation between the key bit k15 and the state~y(526). Accordingly, the nonlinearity for one key bit kj increases in each round after it wasclocked into the state.

Taking the increased nonlinearity in the successive rounds into account, one can mounta successful DPA attack that allows for nding a subset n of surviving key candidates byguessing m bits of the key in an instant.

3.2.2 Details of the Hardware Attack

For attacking commercial KeeLoq code hopping encoders one rst has to nd the points intime in the power traces (Fig. 4.a) that correspond to the encryption function. It turns outthat the encryption happens after writing to the EEPROM5, i.e., in the time interval between20.5ms and 24ms (Fig. 4.b). The power traces reveal that the frequency of the internaloscillators of the ICs is approximately 1.25MHz.

(a) From power up to start sending (b) Encryption part

Figure 4: Power consumption traces of a HCS module

The attack described in Sect. 3.2.1 was modied to correlate all known and predictedrounds to the corresponding power peaks. The modied attack was performed on HCS200,HCS201, HCS300, HCS301, HCS361, HCS362, and HCS410 [23, 24] in both DIP and SOICpackages. In the best case we were able to recover the secret key of DIP package ICs from onlysix power traces when sampling at a rate of 200MS/s. At most 30 power traces are sucientto reveal the secret key of an HCS module in an SOIC package, which has a lower power

4Simulations show that an attack recovering the key bit by bit is much weaker than an attack that recoversseveral key bits at a time. Still, the key can also be recovered for single bit key guesses in other words evena classical DPA on the LSB of the state register is feasible.

5The high amplitude periods of the power trace correspond to writing to the internal EEPROM.


5 10 15 20 25 30 35 40 45 50

0.4

0.2

0

0.2

0.4

0.6

0.8

Number of traces

Co

rrel

atio

n C

oef

fici

ent

(a) DIP

5 10 15 20 25 30 35 40 45 50

0.4

0.2

0

0.2

0.4

0.6

0.8

Number of traces

Co

rrel

atio

n C

oef

fici

ent

(b) SOIC

Figure 5: Correlation coecients of key hypotheses of HCS201 ICs as a function of the numberof measured traces.

consumption, resulting in a worse signal-to-noise ratio (SNR) of the measurements. Fig. 5compares the correlation coecients of the correct key of HCS201 chips in DIP and SOICpackages as a function of the number of traces. The sudden increase of the correlation is dueto the error-correcting property of our attack, and also due to the fact that we repeated theattack for all 528 rounds of the algorithm in order to verify the revealed key.

We repeated the above experiments with an EM near eld probe RF-U 5-2 [20] to directlymonitor the electromagnetic emanation, instead of measuring the electric current via a shuntresistor. The probe was positioned close to the ground pin of the HCS201 IC in a DIPpackage, in order to acquire the peaks of the EM eld that are caused by the change ofelectric current. Compared to inserting a resistor in series to the device, this dierentialelectromagnetic analysis (DEMA) can be regarded as non-invasive, as no modication of thePCB is necessary. Contrary to our assumption that the SNR would suer from environmentalnoise and thus much more traces would be required to recover the key, the results obtainedand the number of traces needed are very comparable to the case of power traces acquired bymeans of a resistor (Fig. 4). In the best case, we succeeded with recovering the key after only10 DEMA measurements.

To estimate the minimum technical requirements for the SCA, we performed experimentswith varying sampling rates and evaluated the number of power traces required for recoveringthe correct key. Fig. 6 shows the results for attacking a HCS201 chip in a DIP package in thecase of current measurements via a resistor. We conclude that our attack can be carried outeectively even with low-cost equipment, e.g., an oscilloscope with a maximum sample rateas low as 50MS/s enables nding the secret key from only 60 power traces.

3.2.3 Details of the Software Attack

The next target is the code hopping decoder implemented in the receiver. We recall that thereceiver contains the manufacturer key, which is an attractive target for a complete breakof the system. A PIC microcontroller handles the key management, controls for instancethe motor of the garage door or the locking system of the car, and performs the KeeLoqdecryption in software.

Receivers usually oer a so-called learning mode. In this learning mode the user canregister new transmitters to cooperate with the receiver. We were able to identify the keyderivation scheme of the target receiver as scheme (a) of Sect. 3.1.2. Hence we can recover themanufacturer key kM by performing a DPA key recovery on the KeeLoq decryption that isperformed during learning mode.


(125, 10)(100, 30)(50, 60) (200, 10)(40, 90)

(25, 135)

(20, 160)

(10, 1250)

0

250

500

750

1000

1250

0 50 100 150 200Sampling Rate [MS/s]

Num

ber o

f the

nee

ded

trac

es

Figure 6: Number of measurements required for revealing the secret key of a HCS201 IC in aDIP package as a function of the sampling rate. The numbers in parentheses give the exactcoordinates of the points.

Before executing the DPA, we adapted the power model of the attack of Sect. 3.2.1 to aPIC software implementation. Typically, PIC microcontrollers leak the Hamming weight ofthe processed data [27]. Furthermore, one can assume that the state is stored in the 8 bitregisters of the PIC microcontroller which are regularly accessed. Hence, instead of predictingthe Hamming distance HD

(~y(i), ~y(i−1)

)of the whole state as was done for the hardware

attack in Sect. 3.2.2 we predict the Hamming weight of the least signicant byte (LSB) ofthe KeeLoq state register:

P(i)Hyp = HW

(~y

(i)LSB

)=

7∑k=0

y(i)k

The attack was performed by putting the receiver into learning mode and sending hoppingcode messages with random serial numbers to the receiver6. Lacking any information in thepower consumption of the PIC that could have been used as trigger, we triggered the scopedirectly after transmitting the last bit via the RF interface. This results in our traces notbeing well-aligned, leading to a high number of power samples needed to perform a successfulDPA attack.

3.3 Real World Implications

Now we detail four dierent attack scenarios, which allow for breaking basically any systemusing KeeLoq with modest eorts. We focus on code hopping applications, since they aremore commonly used and, due to the lack of known plaintexts, harder to cryptanalyze thanIFF systems. Still, IFF systems are just as vulnerable to our DPA attacks as the code hoppingdevices. Some of the transmitters we analyzed even oer both operating modes. The successof some of our attacks depends on the knowledge about the particular key derivation scheme,as described in Sect. 3.1.2. However, they are appropriate for all key derivation schemes weare aware of.

Note that for all the attack scenarios described below it is very dicult, e.g., for aninsurance or a prosecutor, to nd evidence that a crime has been committed, as typically notraces are left when electronically circumventing an RKE system.

6We emulated a remote control by connecting the RF interface of a transmitter to the parallel port of aPC.


3.3.1 Cloning a Transmitter

For cloning a transmitter using power analysis, an adversary needs physical access to it toacquire at least 10 to 30 power traces. Hence, the button of the remote control has to bepressed several times, while measuring the power consumption and monitoring the transmittedhopping code messages. After recovering the device key kDev with the side-channel attackdescribed in Sect. 3.2.2, the recorded messages can be decrypted, disclosing the discriminationand counter values of the original transmitter at the time of the attack. Now, the HCS moduleof a spare remote control can be programmed with the serial number, counter value anddiscrimination value of the master. Consequently, the freshly produced transmitter appearsto be genuine to a receiver and allows for accessing the same target as the original.

Implications This attack applies to scenarios in which a transmitter is handed over to anuntrustworthy person for some minutes, e.g., car rental or cleaning personnel. While possessingthe transmitter, an attacker could clone it for future reuse. Depending on the time intervalbetween recovering the key and using the reproduced remote control, the attacker will haveto press the button of the transmitter several times, for catching up with the counter value inthe receiver which might have been increased meanwhile by the legitimate operator.

Given that a technically demanding SCA has to be carried out in order to clone just oneremote control, and physical access to it is required, it can be speculated that the impact ofthis attack is limited. The cost-benet ratio is typically too low, except for the case that veryhigh monetary values are involved, e.g., rental of expensive cars. In most cases it is easier,e.g., to smash a window, unless an attacker intends to remain unnoticed or to gain accessto an object repeatedly. It is important to stress that in most modern cars the door accessmechanism and the immobilizer are separate systems. Thus, even if a car can be opened withour attack, this does not imply that a criminal can equally easily drive away with it.

3.3.2 Recovering a Manufacturer Key

The key recovery of the manufacturer key kM depends on the particular key derivation scheme.If scheme (c) or (d) of Sect. 3.1.2 is used, i.e., an XOR of a known input and the manufacturerkey kM , disclosing the latter is trivial. After a successful key recovery attack on one transmitter(see above) of the same brand, kM is found by reversing the XOR function. The known inputis either part of each hopping code message, in case of the serial number, or can be obtainedfrom the remote control, in case of a seed. The derived kM can be veried with a secondtransmitter.

An adversary targeting the manufacturer key kM for scheme (a) or (b) of Sect. 3.1.2 requiresphysical access to one receiver of that manufacturer. The key of the KeeLoq decryptionperformed inside the receiver during the learning phase is recovered with an SCA requiringseveral thousand power traces, as described in Sect. 3.2.3. The kM obtained from the DPAcan be veried with a single hopping code message.

Knowing the manufacturer key kM , valid device keys for producing transmitters with arbi-trary serial numbers can be generated, just by applying the key derivation. The counterfeitedremote controls will be recognized as genuine by all receivers of that manufacturer.

Implications The described key recovery requires access to a transmitter (key derivation byXOR) or a receiver (key derivation by KeeLoq) of the manufacturer to be attacked and, in


case of a key derivation employing KeeLoq, a very skilled adversary for performing the SCA.The RKE devices can be simply purchased, e.g., from a hardware store, and even returnedafter extracting the key. The recovered kM does not directly permit to unauthorizedly open adoor secured by KeeLoq, because the newly produced transmitters need to be registered bythe receiver rst, implying physical access. Still, the described key recovery is highly relevantin the context of product piracy: the economic function of kM is customer retention, e.g.,a business model could comprise making the main prot on selling spare transmitters thatoperate with the receivers of that manufacturer. Without knowledge of the manufacturerkey, valid transmitters cannot be produced to work with the receiver. However, a competitorpossessing kM could produce transmitters compatible to those receivers, or even produce wholeRKE systems bearing the brand and being compatible to those of the original manufacturer,and hence severely aect the business of the latter. Due to the depicted high economic impact,it is very conceivable that this attack will be carried out by criminals sooner or later. In theworst case, this might result in publicly available lists of manufacturer keys on the web.

3.3.3 Cloning a Transmitter without Physical Access

Knowing the manufacturer key kM , e.g., by performing the previous attack, and the keyderivation method of a target device family, a remote control can be cloned by eavesdropping.The adversary has to intercept at most two hopping code messages, c1 and c2, sent by thetarget transmitter of the same brand. The process of nding the secret key of the eavesdroppedtransmitter depends on the key derivation schemes detailed in Sect. 3.1.2.

If the key is derived from the serial number of the transmitter (schemes (a) and (c)), ndingits device key is straightforward, since the intercepted messages contain the serial number. Theadversary can simply perform the key derivation using the known manufacturer key to obtainthe device key. After decrypting one message ci and thereby disclosing the current countervalue, the adversary is able to generate valid hopping code messages for spoong the receiverand gain access to a protected site. The computational complexity of this attack is a singleKeeLoq decryption.

However, if a seed value is used during the key derivation (schemes (b) and (d)), recoveringthe secret key of the eavesdropped transmitter is more dicult. An exhaustive search needsto be performed to nd the seed value. For recovering kDev, the adversary calculates kseed

Dev =KeyDerivation (kM , seed) for each possible value of seed and decrypts the two interceptedmessages c1 and c2 using kseed

Dev :

(cnt1, disc1) = KeeLoq−1(c1, k

seedDev

)(cnt2, disc2) = KeeLoq

−1(c2, k

seedDev

)Once both messages have the same discrimination value, i.e., disc1 = disc2, and similarcounter values7 cnt1 and cnt2, the correct device key is found8.

There are three dierent seed sizes possible for KeeLoq systems, depending on the chipfamily. If a 32 bit seed value is used (e.g., HCS200), the adversary has to run on average 232

KeeLoq decryptions to nd the correct seed. According to our software implementations,this takes less than two hours on a 2.4GHz Intel Core2 Quad PC. On a special-purpose

7Similar counters means that the dierence cnt2 − cnt1 is less than a small threshold, e.g., 16, dependingon the period between the two eavesdrops.

8With a small probability we get false positives. These can easily be identied by sending one message tothe target receiver.


computing machine such as COPACOBANA [19], the correct 32 bit seed value and hence thekey can be recovered in just one second. In case of a 48 bit seed value (e.g., HCS360) it is notpromising to recover the correct seed value using standard PCs. Still, it is possible to performthe 248 required KeeLoq decryptions on average in about nine hours using COPACOBANA.However, chips like the HCS410, using a 60 bit seed, are not vulnerable to this attack. Running260 KeeLoq decryptions is not feasible in a reasonable time with currently existing equipment.We would like to mention that none of the real-world KeeLoq systems we analyzed used anyseed. Moreover, if physical access to the transmitter is given, even 60 bit seed values areobtained by pressing one button.

Implications This attack has the most devastating impact and it scales very well. It aectsall KeeLoq RKE systems of a manufacturer, as soon as the respective kM is known. Extract-ing kM , as described in Sect. 3.3.2, can be outsourced to criminal cryptographers who mayconstruct (and sell) an easy-to-use machine that eavesdrops on two messages, automaticallyrecovers the device key, and opens the target. Thus it enables a completely unskilled personto gain illicit access to objects secured with KeeLoq, at little cost and without leaving anytraces. Building such an eavesdropping device is simple once the manufacturer key is available.It is sucient to connect a legitimate receiver to a (laptop) PC and to monitor hopping codesfrom a range of up to several hundred meters, depending on the targeted RKE system.

3.3.4 Denial of Service

As detailed in Sect. 3.1.1 and in [22], the counters of a receiver and a transmitter are syn-chronized with every valid hopping code message received. This behavior can be exploited forputting an RKE system out of operation. We assume that the adversary has recovered thedevice key kDev of a target transmitter, e.g., by performing one of the attacks described above,and is thus able to generate valid hopping code messages. She sets the counter value to themaximum value inside the resynchronization window and sends two consecutive valid hoppingcodes. The receiver resynchronizes its counter to the new value. Consequently, the counter ofthe original transmitter is now considered to be outdated and the respective hopping codesare ignored by the receiver. Finally, the owner of the original transmitter needs to press thebutton very often, namely 215 times, to increase the counter value back into the rst window,where the transmitter produces valid hopping code messages.

Implications This attack allows for locking out a legitimate user, leaving the impressionthat the KeeLoq RKE device is out of service. It can be performed by an unskilled adversaryin the following scenario. Similarly to the eavesdropping device mentioned in Sect. 3.3.3,a spare transmitter enables a standard PC to transmit self-generated hopping codes. Theprogram code for generating valid hopping codes could be provided by a skilled criminal,e.g., via the internet. Hence, this attack can have dramatic consequences, especially for theautomotive industry, where reliability is of paramount importance. Apart from compromisingthe corporate image, the additional costs for increased customer support, e.g., xing thespoofed devices, have to be considered.


4 Attacks on ECDSA-enabled RFID devices

Side-channel analysis of passive RFID devices is a challenging task due to several reasons. Wegive a brief overview on various issues regarding the acquisition and analysis of side-channelinformation that are exploited from passive RFID tags.

Passive tags dier from conventional contact-based devices in several ways. First, passivetags only possess two antenna connections. Indeed, there are no dedicated power-supplypins available where a resistor can be placed in series to measure the consumed power. Analternative way of side-channel extraction is the sensing of electromagnetic emanation. Thecurrent ow within the microchip of the RFID tag produces an electromagnetic eld. Thiseld contains dierent signals such as the square-wave clock or signals that are caused bydata-dependent processing. These signals can be sensed by magnetic near-eld probes thatare placed directly on the surface of the chip [29]. However, while such attacks will succeed formany contact-based devices, this may not be the case for passive RFID tags. Passive tags havebeen designed for low-power operation and consume only a few micro Watts of power. Specialmeasurement equipment is therefore necessary to separate and amplify the weak side-channelsignals that are emitted from the tags.

In RFID environments, we are actually concerned with another source of electromagneticemanation. There is not only the weak emanation of the tags but also the emanation of thereader device. This reader eld is typically between 40 dB and 80 dB higher than the signalsemitted by the tags. As a result, interesting signal emissions of the tags may be unintentionallyoverwhelmed by the occurring interferences of the reader. The data-acquisition resolution ofthe measurement equipment is thus inevitably reduced since the weak signals of the tag aresuperimposed onto the much higher reader eld. In addition to the lower acquisition resolution,this reader eld is not synchronized with the measurement equipment which causes power-trace misalignments in both the time and the amplitude dimension. The reader is a high noisesource and therefore makes side-channel analysis dicult to perform. The main challengeof electromagnetic measurements in this context is therefore to minimize the impact of thisreader signal and to overcome the resulting misalignment of measured power traces.

Another issue which is of major concern in RFID environments is the compression ofside-channel traces. Passive RFID tags are powered by the electromagnetic eld of a reader.Most of these tags also extract the clock signal out of this eld. In order to comply withthe low-power requirement, they often use a low clock frequency in the kHz range. Theprocessing of data and especially the computation of asymmetric functions therefore takesa long time (up to several milliseconds). Side-channel attacks on public-key enabled RFIDdevices require compression techniques to reduce the complexity of storing and subsequentprocessing of millions of sample points that are acquired throughout the tag computation.

4.1 Power Analysis Attacks on ECDSA Implementations

ECDSA is the elliptic curve-based variant of the digital signature algorithm, see [52]. Inorder to generate a digital signature using ECDSA, a message m is given as an input. Byusing the domain parameters D = (q, FR, S, a, b, P, n, h), a random number k is rst chosenin the interval from 1 to n. This random number is often referred to as ephemeral key.Then, an elliptic-curve point multiplication is performed using k and the base point P . Theresult is converted to an integer x1 in order to compute the intermediate value r. After that,the message m is hashed using the SHA-1 algorithm [54]. The signature generation is then


r d*r0 d0

r0 d1r1 d0

r1 d1r0 d2r2 d0

r2 d1r1 d2

r2 d2

p5 p4 p3 p2 p1 p0

r d*r0 d0

r1 d0r2 d0

r0 d1r1 d1

r2 d1r0 d2

r1 d2r2 d2

p5 p4 p3 p2 p1 p0

Figure 7: Operand scanning form (left) and product scanning form (right)

performed within two steps. First, the private key d is multiplied with the intermediate valuer. The result is then added to the output of the hashed message e = h(m). Second, the values is calculated by inverting the ephemeral key k and multiplying it with the output of stepone. The generated ECDSA signature that is returned consists of the tuple (r, s). Algorithm1shows the signature-generation scheme.

Algorithm 1 Signature-generation scheme using ECDSARequire: Domain parameters D = (q, FR, S, a, b, P, n, h), private key d, message m.Ensure: Signature (r, s)1: Select k ∈ [1, n− 1]2: Compute [k]P = (x1, y1) and convert x1 to an integer x1

3: Compute r = x1 mod n. If r = 0 then go back to step 1.4: Compute e = H(m).5: Compute s = k−1(e+ dr) (mod n). If s = 0 then go back to step 1.6: Return (r, s)

In the following, we describe a DPA attack that reveals the private key during signaturegeneration. The target of the attack is an intermediate value that depends on the private keyon the one hand and that depends on some random value on the other hand. Regarding theECDSA scheme described in Algorithm1, the private key d is multiplied with the output ofthe scalar multiplication r. The private key is static and the output of the scalar multiplica-tion is random since the ephemeral key k is chosen randomly for each signature generation.Furthermore, r is publicly known because it is part of the signature. In the light of thesefacts, we are able to perform a DPA attack on intermediate values that are processed duringthe calculation of the multi-precision integer multiplication d ∗ r.

Common hardware implementations for multi-precision multiplication are the operandscanning and the product scanning (Comba) algorithm which are depicted in Figure 7. Bothalgorithms multiply the words of two n-word long operands. In our case, those are ri (theinput) and dj (the key). The resulting partial products are then added to a cumulative sump. This results in n2 partial products. Note that one word of the private key is processed ntimes during the whole integer multiplication.


What seems obvious at rst glance turns out to be more complex in practice. The integermultiplication is a linear function that multiplies a constant value with a random input value.That means that shifted bit combinations of a key word have a linear impact to the multipli-cation result. When the key is shifted x times, the result is also shifted x times. Therefore,it is evident that in power-analysis attacks, one or more correlation peaks occur for only onekey word. This is due to the fact that all bit combinations of the key word will result in thesame Hamming-weight9 value of the multiplication output. The number of possible shifts s ofthe key word di can be calculated as follows:

s(di, l) = log2(gcd(di, 2l)) + l − blog2(di) + 1c, (4)

where l represents the word size. Note that the maximum number of key shifts is equalto the word size, i.e. 16 for a device using 16 bit operands (in this case the key word has aHamming weight of one and the value of the shifted key combinations are a multiple of 2x

where x = 0..15). Due to these facts, the decision of which hypothetical key is the correctone and which are incorrect keys seems therefore infeasible. It is clear that this makes a DPAattack much more inecient compared to attacks on intermediate values that occur afternon-linear functions such as the S-box in DES [51] or AES [53].

The attack can be separated into two steps. In the rst step, we target the output ofall partial products and perform a DPA attack on that intermediate value. For each partialproduct, we obtain one or more promising key candidates due to the reasons described above.For a device with a 16 bit word size, for example, we obtain up to 16 promising key candidates.Hence, we get up to 16 key candidates for each private-key word di. In the second step, wetarget the output of the nal multiplication product p. Each word of this product dependson one or more dierent key words. Thus, we can use the information obtained from the rststep and use all obtained key candidates di to perform an attack on the nal product wordspi. After revealing the key candidates for d0 and d1, for example, we can attack the secondproduct word p1 to obtain the correct key word d0. Incorrect key hypotheses will show lowcorrelation peaks so that they can be eliminated from the correct key hypothesis that causesa higher correlation. By following this way, a DPA attack on each of these product words pi

will yield all private-key words di successively.

4.2 Attack Environment

In this section, we briey show the design and implementation of the passively powered RFID-tag prototype that has been used throughout our experiments. The prototype consists ofan antenna, an analog front-end, and a low-power digital controller. The antenna has fourwindings and has been designed according to ISO7816 [40]. The antenna is connected to ananalog front-end that transforms the received analog signals of the reader to the digital worldof the digital controller. The controller includes a digital RFID front-end and a low-powerhardware implementation of ECDSA. In the following, we describe the analog front-end andthe digital controller in a more detail.


Power supply

D-Type

FF

IC

A

B

Clock extraction

Voltage regulator Demodulator

Rectifier

Modulator

Ant

enna

pad

s

Tuning

Figure 8: Schematic of the analog front-end ofour passively powered RFID-tag prototype.

Figure 9: A passively powered RFID-tag pro-totype that is capable of generating digital sig-natures using ECDSA.

4.2.1 The Analog Front-End

The analog front-end is composed of the seven parts shown in the schematic view in Figure 8.In the rst stage, the antenna is connected to a matching circuit which tunes the antenna tothe 13.56MHz carrier frequency of the reader. After that, a bridge rectier has been assembledusing low-voltage drop schottky diodes. The rectied signal is then smoothed and fed into aslow envelope detector to provide a stable power supply for the digital controller.

4.2.2 The Digital ECDSA-Enabled RFID Controller

The digital controller is an elliptic-curve point multiplication device with an ISO15693 [41]compatible digital RFID front-end. It is capable of computing the multiplication of a scalarvalue with a point on the NIST standardized elliptic curve B-163 [52]. The controller wasfabricated by the UMC L180 GII 1P/6M 1.8V/3.3V CMOS process. The controller hasa total area of 15 630 Gate Equivalents (GE) while an overhead of 654GE is incurred bycomponents for production testing. The digital RFID front-end requires 1 726GE and theECC core 13 250GE. This includes 1 346GE for a memory slot to enable the separate settingof the ephemeral key k.

The controller must be operated at a xed frequency of 6.78MHz. This is half of thecarrier frequency. Internally, this frequency supplies two dierent clock domains. One of themis used for the RFID interface and has a frequency of 106 kHz. The other one clocks the ECCcore at 847.5 kHz. The whole chip has an estimated power consumption of about 176µW.

4.2.3 The Measurement Setup

The measurement setup is composed of several parts. We used a PC, an RFID reader, theRFID-tag prototype, a digital sampling oscilloscope (DSO), a dierential probe, and a near-eld measurement probe. The PC controls the overall measurement process. It is connectedto the DSO and the RFID reader. An 8-bit oscilloscope is used that oers an acquisitionbandwidth of up to 1GHz. As a reference measurement, an active dierential probe has beenconnected in parallel to a 1Ω resistor that is placed in series to the VDD core power supply.For electromagnetic measurements, we used a tiny magnetic near-eld probe that allows the

9The Hamming weight power model is often used in practice and is further used in order to describe theattack.


Figure 10: RFID measurement setup involv-ing our tag prototype lying on the reader an-tenna.

0 50 100 150−0.06

−0.04

−0.02

0

0.02

0.04

0.06

Time [µs]

Vol

tage

[V]

Figure 11: Power trace (black) and (30-timesmagnied) EM trace (gray) during the calcu-lation of the private-key multiplication.

sensing of signals only up to a few millimeters. This already reduces the noisy reader signalin an early stage of the acquisition process. The sensed signals are then amplied by a 30 dBpre-amplier before they are sampled by the oscilloscope. The sampling rate has been set to1GS/s for all measurements. Figure 10 shows the RFID measurement setup involving our tagprototype that lies on the antenna of a reader.

We have used a standard RFID reader that supports mandatory ISO15693 commandssuch as Inventory or Select. It is also able to send custom commands that are needed to startthe ECDSA signature generation. We dened three custom commands. The rst command(0xE0) performs a hardware reset and loads initial data (like the base point) from Read OnlyMemory (ROM) into the internal Static Random Access Memory (SRAM) of the tag controller.The second command (0xE1) starts the scalar multiplication and the third command (0xE2)evaluates the signing equation given in Algorithm1.

The RFID controller inverts the ephemeral key k in about 11.8ms. The private-key multi-plication needs about 150µs, the hash-value addition and the nal multiplication need around600µs. In our setup, the power consumption as well as the electromagnetic emanation ofour device were acquired simultaneously throughout the private-key multiplication. Figure 11shows one measured power trace (drawn in black) and a 30-times magnied electromagnetictrace (drawn in gray).

4.3 Practical Results

The rst attack targets the rst partial product of the multi-precision multiplication unit ofour RFID controller. The controller implements a 16-bit Comba-multiplication unit so thatwe have to test 216 key hypotheses that are multiplied with the known intermediate value r.The target has been the 32-bit output of the multiplication. However, our experiments haveshown that our device does not leak all bits of this 32-bit output with same amount. Hence,we have modeled the power consumption by weighting the Hamming weight of the higher 16bits and the lower 16 bits dierently to obtain the highest correlation.

Figure 12 and Figure 13 show the result of the power and EM attack. For both attacks,2 000 traces have been used. The x-axis represents all possible key hypotheses and the y-axisrepresents the maximum absolute correlation of each resulting correlation trace. It is clearly


1 2 3 4 5 6

x 104

0

0.2

0.4

0.6

0.8

216 key hypotheses

Max

imum

cor

rela

tion

Figure 12: Maximum correlation coecient ofall 216 key hypotheses for the rst private-keyword d0 using 2 000 power traces.

1 2 3 4 5 6

x 104

0

0.2

0.4

0.6

0.8

216 key hypotheses

Max

imum

cor

rela

tion

Figure 13: Maximum correlation coecient ofall 216 key hypotheses for the rst private-keyword d0 using 2 000 EM traces.

discernable that the results obtained from the EM traces reach only half the correlation valueas they have been obtained from the power traces. The reason for this is the lower SNR ofthe EM measurement calculated in the previous section. Furthermore, it can be observedthat the highest peak has been obtained for the key word 1901 and reached a correlationcoecient of 0.75 for the power traces and 0.33 for the EM traces. However, there exist alsove other key hypotheses which result in a high correlation10. These are 3802, 7604, 15208,30416, and 60832 (marked as black lines in the gures). Obviously, these values have the samebit representation as 1901 but are gradually shifted to the left. This is due to the fact thatinteger multiplication is a linear function where shifted bit combinations of the correct keyhave a linear impact to the multiplication result.

Next, we perform the same attacks on all other partial products that involve the rstprivate-key word d0. Figure 14 and Figure 15 show the result of the attacks. The correlationresults of the correct key-hypothesis d0 of all partial products are plotted on top of eachother. Eleven peaks are observable that occur at locations in time when the output of thepartial products is stored into the internal registers of the controller. Due to the structure ofthe Comba multiplication-unit, the distance between these results becomes larger the morepartial products are calculated. The rst partial product is calculated after about 10µs andthe last one after about 140µs. The power-analysis attacks lead to a mean correlation of 0.72.The EM attacks yielded a mean correlation of 0.22.

After revealing the promising key candidates of the rst private-key word d0, we performedattacks on all partial products that involve the second private-key word d1. The attacks led usto two promising key candidates: 24027 and 48054. Now we perform an attack on the secondresult of the nal multiplication product p1. This product word involves the calculation of therst and the second private-key word. Thus, we have to test 12 promising key hypotheses.A high correlation will occur when both hypotheses are correct. Incorrect hypotheses willshow no peak. In Figure 16, the result of the power-analysis attack is given using 2 000 powertraces. The correct key hypotheses (drawn in black) 1901 for d0 and 48054 for d1 yield a high

10The peaks do not have the same correlation value since our power model weighted the lower and higherbits of the 32-bit multiplication output dierently.


0 50 100 150

−0.5

0

0.5

Time [µs]

Cor

rela

tion

coef

ficie

nt

Figure 14: Correlation traces of all partialproducts ri ∗ d0 using 2 000 power traces.

0 50 100 150

−0.5

0

0.5

Time [µs]

Cor

rela

tion

coef

ficie

nt

Figure 15: Correlation traces of all partialproducts ri ∗ d0 using 2 000 EM traces.

0 50 100 150

−0.2

−0.1

0

0.1

0.2

Time [µs]

Cor

rela

tion

coef

ficie

nt

Figure 16: Result of the power-analysis attackon the nal multiplication product p1 using2 000 traces.

0 50 100 150

−0.05

0

0.05

Time [µs]

Cor

rela

tion

coef

ficie

nt

Figure 17: Result of the EM attack on the nalmultiplication product p1 using 10 000 traces.

correlation while all other key hypotheses (drawn in gray) show no peak in time when thenal product is stored into the internal register of the controller. Figure 17 shows the resultof the EM attack using 10 000 traces. It provides a much smaller correlation as compared tothe result of the power-analysis attack. Nevertheless, the correct key can be easily discoveredfrom the incorrect ones.

Both power and electromagnetic attacks have been successful. The attacks revealed theentire private key of the ECDSA implementation which enables us to forge digital signaturesand therefore to impersonate any entity and person by cloning the extracted key.

References

[1] R. Anderson and M. Kuhn, Tamper resistance - a cautionary note., In Proceedings of theSecond USENIX Workshop of Electronic Commerce, p. 111, 1996.

[2] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan. The sorcerer's apprenticeguide to fault attacks., Proceedings of the IEEE, 94(2):370382, 2006.


[3] D. Boneh, R. A. DeMillo, and R. J. Lipton. On the importance of checking computations.,In proceedings of Advances in Cryptology, LNCS, vol. 1233, p. 3751. Springer-Verlag,1997.

[4] T. Eisenbarth, T. Kasper, A. Moradi, C Paar, M. Salmasizadeh and M. T. M. Shalmani,On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoqCodeHopping Scheme, in the proceedings of Crypto 2008, p. 203220, LNCS 5157, Springer

[5] G.P. Hancke, Security of Proximity Identication Systems. PhD Dissertation, Universityof Cambridge, February 2008.

[6] M. Hutter, M. Medwed, D. Hein, and J. Wolkerstorfer, Attacking ECDSA-Enabled RFIDDevices, In proceedings of Applied Cryptography and Network Security, LNCS, vol. 5536,p. 519534. Springer-Verlag, 2009

[7] T. Kasper. Embedded Security Analysis of RFID Devices. Diploma Thesis, Ruhr-UniversityBochum, July 2006.

[8] International Organization for Standardization, ISO/IEC 15693 Identication cards Con-tactless integrated circuit(s) cards Vicinity cards, 2000

[9] International Organization for Standardization, ISO/IEC 14443 Identication cards Con-tactless integrated circuit(s) cards Proximity cards, 2000

[10] O. Kommerling and M. Kuhn. Design principles for tamper resistant smartcard proces-sors., In proceedings of USENIX Workshop on Smartcard Technology, p. 920, 1999.

[11] NXP Semiconductors Austria GmbH Styria, MIFARE, http://www.mifare.net, visitedJuly 21st, 2009

[12] K. Nohl and D. Evans, Reverse-engineering a cryptographic RFID tag. In proceedings ofthe 17th USENIX Security Symposium, p. 185193, 2008

[13] W. Rankl and W. Eng. Smart Card Handbook Wiley, 2003.

[14] A. Bogdanov. Attacks on the KeeLoq Block Cipher and Authentication Systems. In 3rdConference on RFID Security 2007 (RFIDSec 2007). http://rfidsec07.etsit.uma.es/slides/papers/paper-22.pdf.

[15] E. Brier, C. Clavier, and F. Olivier. Correlation Power Analysis with a Leakage Model.In M. Joye and J.-J. Quisquater, editors, Cryptographic Hardware and Embedded Systems- CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 1629. Springer,2004.

[16] S. Chari, J. Rao, and P. Rohatgi. Template Attacks. Cryptographic Hardware and Embed-ded Systems-Ches 2002: 4th International Workshop, Redwood Shores, CA, USA, August13-15, 2002: Revised Papers, 2002.

[17] N. T. Courtois, G. V. Bard, and D. Wagner. Algebraic and Slide Attacks on KeeLoq. InFast Software Encryption - FSE 2008, Lecture Notes in Computer Science, vol. 5086, p.97115. Springer-Verlag, 2008.


[18] S. Indesteege, N. Keller, O. Dunkelman, E. Biham, and B. Preneel. A Practical Attackon KeeLoq. In Advances in Cryptology - EUROCRYPT 2008, Lecture Notes in ComputerScience, vol. 4965, p. 118. Springer-Verlag, 2008.

[19] S. Kumar, C. Paar, J. Pelzl, G. Pfeier, and M. Schimmler. Breaking Ciphers withCOPACOBANA - A Cost-Optimized Parallel Code Breaker. In L. Goubin and M. Matsui,editors, Cryptographic Hardware and Embedded Systems - CHES 2006, volume 4249 ofLecture Notes in Computer Science, pages 101118. Springer, 2006.

[20] Langer EMV-Technik. Details of Near Field Probe Set RF 2. http://www.langer-emv.de/en/produkte/prod_rf2.htm.

[21] S. Mangard, N. Pramstaller, and E. Oswald. Successfully Attacking Masked AES Hard-ware Implementations. In Cryptographic Hardware and Embedded Systems - CHES 2005,volume 3659 of Lecture Notes in Computer Science, pages 157171. Springer, 2005.

[22] Microchip. An Introduction to KeeLoq Code Hopping. http://ww1.microchip.com/

downloads/en/AppNotes/91002a.pdf.

[23] Microchip. HCS200, KeeLoq Code Hopping Encoder. http://ww1.microchip.com/

downloads/en/DeviceDoc/40138c.pdf.

[24] Microchip. HCS410, KeeLoq Code Hopping Encoder and Transponder. http://ww1.

microchip.com/downloads/en/DeviceDoc/40158e.pdf.

[25] Microchip. HCS410/WM, KeeLoq Crypto Read/Write Transponder Module. http:

//ww1.microchip.com/downloads/en/DeviceDoc/41116b.pdf.

[26] S. B. Örs, E. Oswald, and B. Preneel. Power-Analysis Attacks on an FPGA - FirstExperimental Results. In CHES, volume 2779 of Lecture Notes in Computer Science,pages 3550. Springer, 2003.

[27] E. Peeters, F. Standaert, and J. Quisquater. Power and Electromagnetic Analysis: Im-proved Model, Consequences and Comparisons. Integration, the VLSI Journal, 40(1):5260, 2007.

[28] K. Schramm, G. Leander, P. Felke, and C. Paar. A Collision-Attack on AES: CombiningSide Channel- and Dierential-Attack. In Cryptographic Hardware and Embedded Systems- CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 163175. Springer,2004.

[29] D. Agrawal, B. Archambeault, J. R. Rao, and P. Rohatgi. The EM Side-channel(s). InB. S. K. Jr., Çetin Kaya Koç, and C. Paar, editors, Cryptographic Hardware and EmbeddedSystems CHES 2002, 4th International Workshop, Redwood Shores, CA, USA, August13-15, 2002, Revised Papers, volume 2523 of Lecture Notes in Computer Science, pages2945. Springer, 2003.

[30] American National Standards Institute (ANSI). AMERICAN NATIONAL STANDARDX9.62-2005. Public Key Cryptography for the Financial Services Industry, The EllipticCurve Digital Signature Algorithm (ECDSA), 2005.


[31] A. Bogdanov, L. R. Knudsen, G. Leander, C. Paar, A. Poschmann, M. J. B. Robshaw,Y. Seurinand, and C. Vikkelsoe. PRESENT: An Ultra-Lightweight Block Cipher. InP. Paillier and I. Verbauwhede, editors, Cryptographic Hardware and Embedded Systems CHES 2007, 9th International Workshop, Vienna, Austria, September 10-13, 2007, Pro-ceedings, volume 4727 of Lecture Notes in Computer Science, pages 450466. Springer,September 2007. ISBN 978-3-540-74734-5.

[32] J.-S. Coron. Resistance against Dierential Power Analysis for Elliptic Curve Cryptosys-tems. In Çetin Kaya Koç and C. Paar, editors, Cryptographic Hardware and EmbeddedSystems CHES'99, First International Workshop, Worcester, MA, USA, August 12-13,1999, Proceedings, volume 1717 of Lecture Notes in Computer Science, pages 292302.Springer, 1999.

[33] M. Feldhofer, S. Dominikus, and J. Wolkerstorfer. Strong Authentication for RFID Sys-tems using the AES Algorithm. In M. Joye and J.-J. Quisquater, editors, CryptographicHardware and Embedded Systems CHES 2004, 6th International Workshop, Cambridge,MA, USA, August 11-13, 2004, Proceedings, volume 3156 of Lecture Notes in ComputerScience, pages 357370. Springer, August 2004.

[34] K. Gandol, C. Mourtel, and F. Olivier. Electromagnetic Analysis: Concrete Results. InÇetin Kaya Koç, D. Naccache, and C. Paar, editors, Cryptographic Hardware and EmbeddedSystems CHES 2001, Third International Workshop, Paris, France, May 14-16, 2001,Proceedings, volume 2162 of Lecture Notes in Computer Science, pages 251261. Springer,2001.

[35] C. H. Gebotys, S. Ho, and C. C. Tiu. EM Analysis of Rijndael and ECC on a WirelessJava-Based PDA. In J. R. Rao and B. Sunar, editors, Cryptographic Hardware and Em-bedded Systems CHES 2005, 7th International Workshop, Edinburgh, UK, August 29 -September 1, 2005, Proceedings, volume 3659 of Lecture Notes in Computer Science, pages250264. Springer, 2005.

[36] J. Hostein, J. Pipher, and J. H. Silverman. NTRU: A Ring-Based Public Key Cryptosys-tem. In J. Buhler, editor, Algorithmic Number Theory, Third International Symposium,ANTS-III, Portland, Oregon, USA, June 21-25, 1998, Proceedings, volume 1423 of LectureNotes in Computer Science, pages 267288. Springer, 1998.

[37] D. Hong, J. Sung, S. Hong, J. Lim, S. Lee, B. Koo, C. Lee, D. Chang, J. Lee, K. Jeong,H. Kim, J. Kim, and S. Chee. HIGHT: A New Block Cipher Suitable for Low-ResourceDevice. In L. Goubin and M. Matsui, editors, Cryptographic Hardware and Embedded Sys-tems CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006,Proceedings, volume 4249 of Lecture Notes in Computer Science, pages 4659. SpringerVerlag, 2006.

[38] M. Hutter, S. Mangard, and M. Feldhofer. Power and EM Attacks on Passive 13.56 MHzRFID Devices. In P. Paillier and I. Verbauwhede, editors, Cryptographic Hardware andEmbedded Systems CHES 2007, 9th International Workshop, Vienna, Austria, September10-13, 2007, Proceedings, volume 4727 of Lecture Notes in Computer Science, pages 320333. Springer, September 2007.


[39] IEEE. IEEE Standard 1363a-2004: IEEE Standard Specications for Public-Key Cryp-tography, Amendment 1: Additional Techniques. Available online at http://ieeexplore.ieee.org/servlet/opac?punumber=9276, September 2004.

[40] International Organisation for Standardization (ISO). ISO/IEC 7816: Identication cards- Integrated circuit(s) cards with contacts, 1989.

[41] International Organisation for Standardization (ISO). ISO/IEC 15693-3: Identicationcards - Contactless integrated circuit(s) cards - Vicinity cards Part 3: Anticollision andtransmission protocol, 2001.

[42] International Organisation for Standardization (ISO). ISO/IEC 14888-3: Informationtechnology Security techniques Digital signatures with appendix Part 3: Discretelogarithm based mechanisms, 2006.

[43] M. Joye. Advances In Elliptic Curve Cryptography, volume 317 of London MathematicalSociety Lecture Note Series, chapter V, Defences Against Side-Channel Analysis, pages87100. Cambridge University Press, 2005.

[44] P. C. Kocher. Timing Attacks on Implementations of Die-Hellman, RSA, DSS, andOther Systems. In N. Koblitz, editor, Advances in Cryptology - CRYPTO '96, 16th An-nual International Cryptology Conference, Santa Barbara, California, USA, August 18-22,1996, Proceedings, number 1109 in Lecture Notes in Computer Science, pages 104113.Springer, 1996.

[45] P. C. Kocher, J. Jae, and B. Jun. Dierential Power Analysis. In M. Wiener, editor,Advances in Cryptology - CRYPTO '99, 19th Annual International Cryptology Conference,Santa Barbara, California, USA, August 15-19, 1999, Proceedings, volume 1666 of LectureNotes in Computer Science, pages 388397. Springer, 1999.

[46] G. Leander, C. Paar, A. Poschmann, and K. Schramm. New Lightweight DES Variants.In A. Biryukov, editor, 14th International Workshop on Fast Software Encryption (FSE2007), Luxembourg, Luxembourg, March 26-28, 2007, Proceedings, volume 4593 of LectureNotes in Computer Science, pages 196210. Springer, 2007.

[47] A. K. Lenstra and E. R. Verheul. The XTR Public Key System. In M. Bellare, editor,20th Annual International Cryptology Conference Santa Barbara, California, USA, August2024, 2000 Proceedings, volume 1880 of Lecture Notes in Computer Science, pages 119.Springer, 2000.

[48] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks Revealing the Secrets ofSmart Cards. Springer, 2007. ISBN 978-0-387-30857-9.

[49] M. Medwed and E. Oswald. Template Attacks on ECDSA. In K.-I. Chung, M. Yung,and K. Sohn, editors, 9th International Workshop on Information Security Applications(WISA 2008), Jeju Island, Korea, September 23-25, 2008, Pre-Proceedings, 2008.

[50] P. L. Montgomery. Speeding the Pollard and Elliptic Curve Methods of Factorization.Mathematics of Computation, 48(177):243264, January 1987. ISSN 0025-5718.

[51] National Institute of Standards and Technology (NIST). FIPS-46-3: Data EncryptionStandard, October 1999. Available online at http://www.itl.nist.gov/fipspubs/.


[52] National Institute of Standards and Technology (NIST). FIPS-186-2: Digital Signa-ture Standard (DSS), January 2000. Available online at http://www.itl.nist.gov/

fipspubs/.

[53] National Institute of Standards and Technology (NIST). FIPS-197: Advanced EncryptionStandard, November 2001. Available online at http://www.itl.nist.gov/fipspubs/.

[54] National Institute of Standards and Technology (NIST). FIPS-180-2: Secure Hash Stan-dard, August 2002. Available online at http://www.itl.nist.gov/fipspubs/.

[55] Y. Oren and A. Shamir. Remote Power Analysis of RFID Tags. Master's thesis, WeizmannInstitute of Science, Rehovot, Israel, August 2006. Further information on http://www.

wisdom.weizmann.ac.il/~yossio/rfid/.

[56] T. Plos. Susceptibility of UHF RFID Tags to Electromagnetic Analysis. In T. Malkin,editor, Topics in Cryptology - CT-RSA 2008, The Cryptographers' Track at the RSA Con-ference 2008, San Francisco, CA, USA, April 8-11, 2008, Proceedings, volume 4964 ofLecture Notes in Computer Science, pages 288300. Springer, April 2008.

[57] J.-J. Quisquater and D. Samyde. ElectroMagnetic Analysis (EMA): Measures andCounter-Measures for Smart Cards. In I. Attali and T. P. Jensen, editors, Smart Card Pro-gramming and Security, International Conference on Research in Smart Cards, E-smart2001, Cannes, France, September 19-21, 2001, Proceedings, volume 2140 of Lecture Notesin Computer Science, pages 200210. Springer, 2001.

[58] R. L. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signaturesand Public-Key Cryptosystems. Communications of the ACM, 21(2):120126, February1978. ISSN 0001-0782.

Date post:	31-Jul-2020
Category:	Documents
Upload:	others
View:	1 times
Download:	0 times

D.VAM.1 Report on Physical Security of Contact-less … · 2009-08-17 · Thomas Eisenbarth, Timo...

Documents