Countermeasures against Fault Attacks
TRUDEVICE Training School on Trustworthy Manufacturing and Utilization of Secure Devices
Victor LOMNE
ANSSI (French Network and Information Security Agency)
Monday, July 14th, 2014 - Lisbon, Portugal
Introduction| Overview of Countermeasures| Application to Cryptography| Practical Cases| Conclusion|
Agenda
1 Introduction
   a. Fault Zoology
   b. Countermeasures
2 Overview of Countermeasures
   a. Analog Level
   b. Digital Level
3 Application to Cryptography
   a. Generalities
   b. Redundancy
   c. Infection
4 Practical Cases
   a. Examples
   b. Real World Attacks
5 Conclusion
1/59 Victor LOMNE - ANSSI / Countermeasures against Fault Attacks
Fault Zoology (1/2)
Different ways to generate a fault:
- glitch on pins (VCC, I/O, ...)
- glitch on the die (FBBI)
- laser injection
- EM injection
The duration of the fault can be:
- transient
- permanent
Fault Zoology (2/2)
Different effects:
- modification of operation flow
- modification of operands
Different goals:
- Bypassing access/right control verification
- Generating faulty encryptions/signatures
- ...
Prevent or Detect ? (1/3)
Two approaches can be used to thwart fault injection attacks:
- Prevent the fault injection attack
- Detect the fault injection attack
Preventing a fault injection attack can consist in:
- making the adversary's job harder
- rendering the attacked functionality resilient to faults
Prevent or Detect ? (2/3)
Two approaches can be used to thwart fault injection attacks:
- Prevent the fault injection attack
- Detect the fault injection attack
Detect a fault injection:
- analog level: detect the fault injection through its physical stress
- digital level: detect the fault injection through its digital consequence
Prevent or Detect ? (3/3)
Two approaches can be used to thwart fault injection attacks:
- Prevent the fault injection attack
- Detect the fault injection attack
In practice, both are used!
Adversary Model
Designing a fault attack countermeasure requires defining an Adversary Model:
- Which kind of fault is he able to perform?
- What precision does he have on the data he can disturb? (bit-accuracy, byte-accuracy, ...)
- What is the maximum order of the attack?
  single fault → 1st-order fault attack
  double fault → 2nd-order fault attack
  ...
(De)synchronization
A fault injection requires precise timing to be effective
Adding temporal randomness makes the timing of the fault harder to set
Classical ways to add temporal randomness:
- jittered clock
- dummy instructions
- randomized operation flow
- ...
IC Package as Countermeasure
Several kinds of fault injection techniques require exposing the die of the IC to perform the attack (FBBI, laser, ...)
Depending on the type of package, it can be more or less easy to expose the die:
- smartcard packages are easy to open
- metallic packages can be mechanically opened
- epoxy packages require a chemical attack
- Package-on-Package or 3D IC technology makes opening the chip a nightmare
IC Package as Countermeasure: example 1
Figure: Epoxy package opened with fuming nitric acid
IC Package as Countermeasure: example 2
Figure: Application processor with RAM stacked above
IC Package as Countermeasure: example 2
Figure: Application processor with RAM stacked above - X-ray view
Glitch Detectors
The historical way to inject a fault in an IC is to under/over-power it for a short time
IC manufacturers add glitch detectors on IC pins, checking that the current signal voltage stays in a defined range
If a signal voltage is outside the defined range, a flag is set in a status register
Laser Detectors
Laser injection requires disturbing only a small area of the IC
It requires performing a spatial cartography to find hotspots (CPU or co-processor registers, memory decoders, ...)
Laser detectors can be seen as analog blocks converting light energy into current
If the current light energy is outside a defined range, a flag is set in a status register
Laser detectors do not cover the whole surface of the IC, but make the job of the adversary harder
Redundancy
Redundancy consists in:
- performing an operation twice
- comparing the results of both executions
⇒ requires a conditional test
From a coding theory point of view, it corresponds to the most obvious code one can construct: the duplication code
A variant consists in performing the operation and the inverse operation, then checking that the obtained result is equal to the initial data
Examples of Redundancy
Redundancy can be used in different ways:
- Sequential redundancy for a software function
- Sequential or Parallel redundancy for a hardware function
- Use of redundant logic (Dual Rail logic → SABL, WDDL, STTL, ...)
- Securing special registers by duplication or by storing a value and its inverse (2 flip-flops are necessary to store one bit)
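A C sketch of the value-plus-inverse register from the list above, applied to a round counter and backed by a second, separately kept iteration count. This is an added example, not code from the slides; `prot_u32`, `guarded_rounds`, `toy_round` and the two `hook_*` functions (test-bench stand-ins for a fault) are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

#define FA_OK      0
#define FA_FAULT (-1)

/* Sensitive word kept with its bitwise complement (two storage cells per bit). */
typedef struct {
    volatile uint32_t val;
    volatile uint32_t inv;              /* invariant: inv == ~val */
} prot_u32;

static void prot_store(prot_u32 *p, uint32_t v)
{
    p->val = v;
    p->inv = ~v;
}

/* Reads the word back; any one-sided corruption breaks val ^ inv == ~0. */
static int prot_load(const prot_u32 *p, uint32_t *out)
{
    uint32_t v = p->val, i = p->inv;
    if ((v ^ i) != 0xFFFFFFFFu)
        return FA_FAULT;
    *out = v;
    return FA_OK;
}

/* Test-bench stand-in for a fault: called once per round with the counter. */
typedef void (*fault_hook)(prot_u32 *ctr, uint32_t round);

/* Placeholder round function (not a cipher): rotate each byte and mix in r. */
static void toy_round(uint8_t st[16], uint32_t r)
{
    for (int j = 0; j < 16; j++)
        st[j] = (uint8_t)(((st[j] << 1) | (st[j] >> 7)) ^ (r + (uint32_t)j));
}

/* Runs nrounds rounds. The loop counter is complement-protected, and a second,
 * separately maintained count is compared at the end (redundancy + test). */
int guarded_rounds(uint8_t st[16], uint32_t nrounds, fault_hook hook)
{
    prot_u32 ctr;
    volatile uint32_t executed = 0;
    uint32_t r = 0;

    prot_store(&ctr, 0);
    for (;;) {
        if (prot_load(&ctr, &r) != FA_OK)
            return FA_FAULT;              /* counter and complement disagree */
        if (r >= nrounds)
            break;
        toy_round(st, r);
        executed = executed + 1;
        prot_store(&ctr, r + 1);
        if (hook)
            hook(&ctr, r);
    }
    return (executed == nrounds) ? FA_OK : FA_FAULT;   /* rounds were skipped */
}

/* Constructed fault 1: one bit of the stored value flips after round 3. */
static void hook_flip_val_bit(prot_u32 *c, uint32_t round)
{
    if (round == 3)
        c->val ^= 1u << 2;
}

/* Constructed fault 2: value and complement are rewritten consistently, so the
 * complement check passes and only the second count notices. */
static void hook_consistent_skip(prot_u32 *c, uint32_t round)
{
    if (round == 2)
        prot_store(c, 10);
}

int demo_rounds(fault_hook hook)
{
    uint8_t st[16] = {0};                 /* constructed all-zero state */
    return guarded_rounds(st, 10, hook);
}

int main(void)
{
    printf("no fault: %d, bit flip: %d, consistent skip: %d\n", demo_rounds(NULL),
           demo_rounds(hook_flip_val_bit), demo_rounds(hook_consistent_skip));
    return 0;
}
```

The second count is itself a single unprotected word, so it raises the order of fault needed rather than closing the path.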
Error Detection Codes
Error Detection Codes are efficient tools to check the integrity of data
ECC can protect linear operations (they are based on linear maps)
ECC cannot protect non-linear operations; in particular they are not well suited to protecting cryptographic primitives
Examples of Error Detection Codes
Error Correcting Codes can be used in different ways:
- Ensure the integrity of a secret data stored in NVM
- Protect a memory decoder → ensure the integrity of opcodes
- Protect linear parts of cryptographic algorithms
- ...
Infection
Infection consists in mixing a diffusion scheme with the operation to protect such that:
1. if the processed data are not modified by a fault, the diffusion scheme has no effect on the final result
2. if the processed data are modified by a fault, the diffusion scheme expands the erroneous data such that the final result is no longer exploitable by the adversary
Memory Protection Unit (MPU)
Some microcontrollers have a Memory Protection Unit (can be seen as a HW co-processor)
The MPU works similarly to an MMU (Memory Management Unit):
- For a given function to protect, the programmer defines a memory address range
- The MPU ensures that the instructions of the function will be located in the defined memory address range
- If a fault induces a code jump outside the defined memory address range, the MPU sets a flag
Code Signature
Some microcontrollers have a Code Signature feature (can be seen as a HW co-processor)
Code Signature works as follows:
- For a given function to protect, the programmer computes a digest and stores it in NVM
- Each time the function is executed, the code signature feature computes the current digest and compares it to the reference one
- If they are different, a flag is set
Symmetric vs. Asymmetric crypto.
Symmetric Cryptography:
- little algebraic structure
- hard to use algebraic properties as FA countermeasure
Asymmetric Cryptography:
- based on strong algebraic structures
- easy to use algebraic properties as FA countermeasure
Attacks and Countermeasure levels
The different Fault-based Cryptanalysis techniques:
- Safe Error Attacks
- Differential Fault Analysis
- Statistical Fault Attacks
The different levels to include countermeasures:
- gate level (dual rail logic, redundancy of registers)
- basic operation level (ECC)
- crypto algorithm level (redundancy, infection)
- protocol level
Classification of Fault Models
One can define a Fault Model as a function $f$ such that:
$f : x \rightarrow x \star e$  (1)
$x$ target variable, $e$ fault logical effect and $\star$ a logical operation
Any Fault-based Cryptanalysis requires an Invariant ⇒ new classification of FA based on the Invariant:
- FA based on a Fixed Fault Diffusion Pattern: DFA, e.g. [Piret+ 2003], [Mukhopadhyay+ 2009] ...
- FA based on a Fixed Fault Logical Effect: Safe Error Attacks, Statistical Fault Attacks
Safe Error Attacks (SEA)
SEA are similar to Template Attacks: they require a copy of the target device that the adversary can fully control
SEA require the ability to encrypt/sign the same message twice
Ways to thwart SEA:
- gate level: dual rail logic, redundancy of registers
- basic operation level: randomization of the key at each encryption/signature
- protocol level: adding random padding to the message
Differential Fault Analysis (DFA)
DFA requires the ability to encrypt/sign the same message twice
DFA requires one or several pairs of correct/wrong ciphertexts/signatures corresponding to the same message
Ways to thwart DFA:
- gate level: dual rail logic, redundancy of registers
- basic operation level
- crypto algorithm level (redundancy, infection)
- protocol level: adding random padding to the message
Statistical Fault Attacks
Statistical Fault Attacks have the property of working even with a set of faulty ciphertexts corresponding to different unknown plaintexts
Nevertheless they require a Fixed Fault Logical Effect
Statistical Fault Attacks cannot be thwarted at the protocol level!!!
Ways to thwart Statistical Fault Attacks:
- gate level: dual rail logic, redundancy of registers
- basic operation level
- crypto algorithm level (redundancy, infection)
Classical Detection Schemes For Block Ciphers
Figure: Three classical detection countermeasures. From left to right: Full Duplication, Encrypt/Decrypt, and Partial Duplication
Weaknesses of Classical Detection Schemes (1/3)
Full Duplication can be broken by:
- Combined Fault and Side-Channel Attack (DFSCA)
- Double Fault Attack (bypass the comparison)
Weaknesses of Classical Detection Schemes (2/3)
Encrypt/Decrypt can be broken by:
- Combined Fault and Side-Channel Attack (DFSCA)
- Double Fault Attack (bypass the comparison)
Weaknesses of Classical Detection Schemes (3/3)
Partial Duplication can be broken by:
- Fault on early rounds + ability to decrypt
- Combined Fault and Side-Channel Attack (DFSCA)
- Double Fault Attack (bypass the comparison)
Combined Attacks (1/2)
Consider a secure AES implementation using:
- A masking scheme such that SCA are impracticable
- A duplication countermeasure to avoid FA
Is such an implementation really secure?
- If one takes each attack path alone, yes ...
- But if one mixes both attack paths ...
Combined Attacks exploit the side-channel leakage of a faulty encryption to bypass both SCA and FA CM
- Combined Attack of [Clavier+ 2010]
- Combined Attack of [Roche+ 2011]
Combined Attacks (2/2)
Example: Combined Attack of [Roche+ 2011]
- Encrypt N plaintexts P1 ... PN and keep the N ciphertexts C1 ... CN
- Encrypt the N plaintexts once again by injecting a fault during the penultimate round of the Key-Schedule and record the leakage traces 1 ... N
- Exploit the side-channel leakage of the faulty ciphertext:
k = argmax (�(HW (SB(SB�1(C ij � k)� e9)� k � e10);i ))
- The attack will work if the fault has the effect of a XOR with a non-negligible rate
Interestingly enough, up to now only FA based on a Fixed Fault Logical Effect have been extended to CA
Improving Classical Detection Schemes (1/2)
Algorithm 1 Secure Comparison
Input: two masked States $S \oplus M_1$ and $S' \oplus M_2$, their respective masks $M_1$ and $M_2$ and a fresh random mask $M_3 \neq 0$.
Output: $S$ if $S = S'$, $0$ otherwise
1. do $a = M_3 \cdot (S \oplus M_1)$
2. do $b = M_3 \cdot (S' \oplus M_2)$
3. do $c = a \oplus b$ $[= M_3 \cdot (S \oplus M_1 \oplus S' \oplus M_2)]$
4. do $d = M_1 \oplus M_2$
5. do $e = M_3 \cdot d$ $[= M_3 \cdot (M_1 \oplus M_2)]$
6. if $e = c$ then return $(S \oplus M_1) \oplus M_1$
7. else return $0$
Improving Classical Detection Schemes (2/2)
Figure: Two countermeasures based on unpredictability. On the left: Encrypt/Partial Decrypt. On the right: Encrypt/Partial Encrypt/Partial Decrypt
Classical Infection Schemes For Block Ciphers
Generic sketch exhibiting the Infection CM:
- S, S' the two States
- D the diffusion function (such that D(0) = 0)
[Sketch: States S and S' with the diffusion function D()]
Weaknesses of Classical Infection Schemes (1/3)
Any Deterministic Infection CM is inefficient:
- If Infection placed before last MixColumns
  ⇒ inject a fault between Infection and last MixColumns
  ⇒ case of a classical Piret Attack
- If Infection placed between last MixColumns & last SubBytes
  ⇒ inject a fault before the Infection
  ⇒ leads to a modified Piret Attack (exploit the Infection instead of the MixColumns)
- If Infection placed after the last SubBytes
  ⇒ inject a fault before the MixColumns
  ⇒ leads to a modified Piret Attack (make an hypothesis on 5 bytes instead of 4)
Weaknesses of Classical Infection Schemes (2/3)
Figure: DFA of [Roche+ 2011]
Weaknesses of Classical Infection Schemes (3/3)
DFA of [Roche+ 2011] breaks any Deterministic Infection CM
As the fault model:
- has to affect the Key-Schedule during its penultimate round (thus round keys 9 and 10 will be affected)
- could be of any kind, and affect all the bytes at the same time
- must have a good repeatability (two faults have a good chance to induce the same error)
Any Deterministic Infection CM will have no effect against this attack
Improving Classical Infection Schemes
Algorithm 2 Secure Infection
Input: two masked States $S \oplus M_1$ and $S' \oplus M_2$, their respective masks $M_1$ and $M_2$ and a fresh random mask $M_3 \neq 0$ and $\neq 1$.
Output: the infected States $S \oplus M_1 \oplus \epsilon$ and $S' \oplus M_2 \oplus \epsilon$
1. do $a = M_3 \cdot (S \oplus M_1)$
2. do $b = M_3 \cdot (S' \oplus M_2)$
3. do $c = a \oplus b$
4. do $d = M_1 \oplus M_2$
5. do $e = M_3 \cdot d$
6. do $f = (S \oplus M_1) \oplus c$
7. do $g = f \oplus e$
8. do $h = (S' \oplus M_2) \oplus c$
9. do $i = h \oplus e$
10. return $(g, i)$
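An added C sketch of Algorithm 2 together with Algorithm 1 from the earlier Secure Comparison slide; it is not code from the slides. It assumes the product with M3 is multiplication in GF(2^8) with the AES polynomial, applied byte-wise with one M3 byte for the whole 16-byte state; the function names and the fixed masks are constructed for the demonstration, and real masks must come from a random generator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define N 16                                   /* AES state size in bytes */

/* Branch-free multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        p ^= (uint8_t)(-(b & 1) & a);
        a = (uint8_t)((a << 1) ^ (-(a >> 7) & 0x1B));
        b >>= 1;
    }
    return p;
}

/* Steps 1-5, common to both algorithms, for one byte: x1 = S^M1, x2 = S'^M2. */
static void steps_1_to_5(uint8_t x1, uint8_t x2, uint8_t k1, uint8_t k2,
                         uint8_t m3, uint8_t *c, uint8_t *e)
{
    uint8_t a = gf_mul(m3, x1);                /* 1. */
    uint8_t b = gf_mul(m3, x2);                /* 2. */
    *c = a ^ b;                                /* 3. */
    *e = gf_mul(m3, (uint8_t)(k1 ^ k2));       /* 4-5. */
}

/* Algorithm 1: 1 and out = S if S == S'; 0 and out = 0 if not; -1 if m3 == 0. */
int secure_compare(const uint8_t sm1[N], const uint8_t sm2[N], const uint8_t m1[N],
                   const uint8_t m2[N], uint8_t m3, uint8_t out[N])
{
    uint8_t c, e, diff = 0;
    memset(out, 0, N);
    if (m3 == 0) return -1;
    for (int j = 0; j < N; j++) {
        steps_1_to_5(sm1[j], sm2[j], m1[j], m2[j], m3, &c, &e);
        diff |= (uint8_t)(c ^ e);              /* 6. e = c ? over all bytes */
    }
    if (diff != 0) return 0;                   /* 7. */
    for (int j = 0; j < N; j++) out[j] = sm1[j] ^ m1[j];
    return 1;
}

/* Algorithm 2: writes the infected masked states to g and i; -1 if m3 is 0 or 1. */
int secure_infect(const uint8_t sm1[N], const uint8_t sm2[N], const uint8_t m1[N],
                  const uint8_t m2[N], uint8_t m3, uint8_t g[N], uint8_t i[N])
{
    uint8_t c, e;
    if (m3 < 2) return -1;
    for (int j = 0; j < N; j++) {
        steps_1_to_5(sm1[j], sm2[j], m1[j], m2[j], m3, &c, &e);
        g[j] = (uint8_t)((sm1[j] ^ c) ^ e);    /* 6-7. f = (S^M1)^c,  g = f^e */
        i[j] = (uint8_t)((sm2[j] ^ c) ^ e);    /* 8-9. h = (S'^M2)^c, i = h^e */
    }
    return 0;
}

/* Constructed test vector; delta is XORed into byte 5 of S' to model a fault. */
static void setup(uint8_t delta, uint8_t *s, uint8_t *sm1, uint8_t *sm2, uint8_t *m1, uint8_t *m2)
{
    for (int j = 0; j < N; j++) {
        s[j] = (uint8_t)(0x11 * j);
        m1[j] = (uint8_t)(0xA5 ^ (7 * j)); m2[j] = (uint8_t)(0x3C + 13 * j);
        sm1[j] = s[j] ^ m1[j]; sm2[j] = s[j] ^ m2[j];
    }
    sm2[5] ^= delta;
}

int demo_compare(uint8_t delta, uint8_t m3)    /* Algorithm 1 verdict */
{
    uint8_t s[N], sm1[N], sm2[N], m1[N], m2[N], out[N];
    setup(delta, s, sm1, sm2, m1, m2);
    int r = secure_compare(sm1, sm2, m1, m2, m3, out);
    return (r == 1 && memcmp(out, s, N) != 0) ? -2 : r;
}

int demo_infect(uint8_t delta, uint8_t m3)     /* error left on byte 5 after unmasking */
{
    uint8_t s[N], sm1[N], sm2[N], m1[N], m2[N], g[N], i[N];
    setup(delta, s, sm1, sm2, m1, m2);
    if (secure_infect(sm1, sm2, m1, m2, m3, g, i) != 0) return -1;
    return g[5] ^ m1[5] ^ s[5];
}

int main(void)
{
    printf("compare: %d %d  infect: %#x %#x\n", demo_compare(0, 0x53), demo_compare(1, 0x53),
           (unsigned)demo_infect(0, 0x53), (unsigned)demo_infect(1, 0x53));
    return 0;
}
```

For the same injected difference, the error added to the state follows M3 (0x53, then 0xCA in the checks), so repeating a fault does not repeat the faulty output.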
Protecting an AES implementation
One considers:
- an AES implementation
- ability to encrypt/decrypt
- the master key is stored in NVM
One has to secure:
- loading of master key from NVM into RAM or key register (threat: SEA)
- processing of data (threat: DFA, Statistical Fault Attacks)
- operation flow (threat: Round Counter Attacks)
Protecting an RSA implementation
One considers:
- an RSA implementation
- ability to sign/verify
- the private key is stored in NVM
- the public key is known and stored in NVM
One has to secure:
- loading of secret key from NVM into RAM or key register (threat: SEA)
- processing of data (threat: SEA, DFA)
- operation flow (threat: DFA)
Bug Attack
The Pentium FDIV bug was a bug in the Intel P5 Pentium floating point unit (FPU)
Because of the bug, the processor would return incorrect results for many calculations
Nevertheless, the bug is hard to detect: 1 in 9 billion floating point divides with random parameters would produce inaccurate results
Shamir proposed a modified version of the Bellcore attack which exploits this bug to retrieve an RSA private key
More dangerous than a classical fault attack because it can be performed remotely
PS3 Hack
George Hotz (a.k.a. Geohot) published in 2009 a hack of the Sony PS3
The otherOS functionality of the PS3 allows booting a Linux OS
A bus glitch allows him to gain control of the hypervisor ⇒ ring 0 access ⇒ full memory access
As a consequence, Sony took George Hotz to court
Sony and Hotz settled the lawsuit out of court, on the condition that Hotz would never again resume any hacking work on Sony products
Conclusion (1/2)
Fault Attacks are a very powerful attack path:
- they allow modifying the normal behaviour of a HW or SW function
- they allow extracting cryptographic secrets
Nevertheless FA require several skills:
- knowledge of computer science, electronics, optics, ...
- knowledge of IC architecture
- knowledge of fault-based cryptanalysis
Conclusion (2/2)
A lot of Fault Attack Countermeasures have been proposed in the literature
They are generally mixed to increase the security level of the product ⇒ principle of defense in depth
No countermeasure is perfect!
A developer first has to define the level of the adversary he wants to thwart, and then choose the adequate tradeoff between efficiency and security
Certification Schemes
Procedure to evaluate the security level of a product
Three actors: the developer / the security lab / the scheme
Some certification schemes:
- Common Criteria
- EMVCo
- CSPN
- ...
To go further
Book: Fault Analysis in Cryptography, Marc Joye and Michael Tunstall - Springer
Questions ?
contact: [email protected]