HAL Id: emse-00742726

HAL Id: emse-00742726

https://hal-emse.ccsd.cnrs.fr/emse-00742726

Submitted on 9 Mar 2015

HAL

is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire

destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Security characterisation of a hardened AES cryptosystem using a laser

Cyril Roscian, Florian Praden, Jean-Max Dutertre, Jacques Jean-Alain Fournier, Assia Tria

To cite this version:

Cyril Roscian, Florian Praden, Jean-Max Dutertre, Jacques Jean-Alain Fournier, Assia Tria. Security

characterisation of a hardened AES cryptosystem using a laser. ”Technical Sciences”, University of

Warmia and Mazury publishing„ 2012. �emse-00742726�

S

AES

Cyril Roscian¹, Florian Praden^1,2, Jean-Max Dutertre¹, Jacques Fournier² and Assia Tria^1,2

1ENSM.SE ²CEA-LETI CMP Georges Charpak,

880, route de Mimet, 13541 Gardanne, France

Email: [email protected] or [email protected]

Abstract

The AES is a standard encryption algorithm used in numerous cryptographic systems like smart cards, TPMs as well as in protocols like WPA2 or OpenSSL. Measuring the robustness of AES implementations against physical attacks is of utmost importance in order to guarantee the security of the system into which the AES is used. In this article, we describe how a hardware AES, embedding countermeasures against physical attacks, has been characterized using a laser. With the latter, we tried to implement a class of physical attacks called fault attacks which, when successful, could have helped us retrieve the secret key used by the AES module. Our experiments have allowed us to validate the efficiency of some of the countermeasures implemented in this AES implementation and have given us hints on how to further improve them.

Keywords:

1. Introduction

Security, through the authenticity, confidentiality and integrity of communication systems, has become an essential component of all electronic systems. The vulnerability to attacks of the devices implementing the cryptographic algorithms (such as smart cards) has become a critical issue. Some malicious means or

"physical attacks" could be used to retrieve sensitive information such as encryption keys and therefore lower the security of the whole protected transmission chain of information. There are three types of physical attacks: invasive attacks, which cover all the techniques based on the “physical” analysis, modification (ANDERSON 1998) and probing (HANDSCHUH 1999, SCHMIDT 2009, GAMMEL 2010) of integrated circuits (IC) by an invasive method (KÖMMERLING 1999, KOEUNE 2005); observation or passive attacks which exploit the fact that some physical characteristics such as power consumption (KOCHER 1999, LU 2010) , electromagnetic radiation or the duration of computation depends on the chip’s internal calculations (KOEUNE 2005); perturbation or fault attacks, which are based on changing environmental conditions of the chip. The latter ones are the most complex to implement as various and complex parameters must be taken into account such as the timing (i.e. the synchronization between the injection time and the calculation), the localization and the power level.

In this paper we mainly discuss about characterisations based on fault attacks. One of the goals of such attacks could be to reveal the secret keys of a cryptographic device based on techniques like Differential Fault Analysis (DFA) (BIHAM 1997, BONEH 1997). Several methods can be used to induce faults into cryptographic integrated circuits: use of a laser (SKOROBOGATOV 2005, BAR-EL 2006), voltage pulses (BLÖMER 2003), clock glitches (AGOYAN 2010) or electromagnetic (EM) disturbances (SCHMIDT 2007).

The use of lasers is one of the most effective techniques: lasers allow a good reproducibility, an accurate control on the timing of the injection (the instant of firing and the duration of the pulse) and a precise focalization (the location and the penetration of the fault). Consequently, lasers generate precise local effects onto the IC, thus ‘protecting’ the remaining chip against unwanted perturbations. Several theoretical attacks against cryptographic algorithms are based on such models of fault injection methods (PIRET 2003,

GIRAUD 2005, 2010, MORADI 2010). Although protections against these kinds of attacks exist (YEN 2006), advanced methods combine semi-invasive attacks and power or EM analysis (MORADI, 2011).

We hereby describe the security assessment of an AES hardware chip done to validate the efficiency of the embedded countermeasures that could be incorporated into the AES module of the SECRICOM’s secure docking station (SDM). The SDM contains authentication keys and access rights associated with each user of the SECRICOM secure communication network. To access such keys, a secure channel, based on AES encryption, has to be established between the SDM and the host. Hence, guaranteeing the resistance of the AES used against physical attacks helps in hardening the security chain of SECRICOM’s communication infrastructure.

The outline of this paper is as follows. First, we recall the physical phenomena occurring when a laser is used to inject a fault into an IC. Then we describe the AES implementation used as target of our laser-based characterization. Third, we provide a description of the laser-based tests made on the targeted AES. With attacks like those described in (PIRET 2003, GIRAUD 2005) in mind, we tested the countermeasure in a

“black box” approach (i.e. without using the knowledge we had of the implemented countermeasures). We also tested the AES in a “white box” approach where we tried to take advantage of the knowledge we had of the implemented countermeasures in order to circumvent them. Finally we provide a discussion about the results that we obtained and the conclusions that could be drawn from them.

2. Physical phenomena induced by lasers into an IC

When an IC is exposed to a laser beam, two phenomena have to be considered: the photoelectric effect appearing and the fact that some parts of the IC are more sensitive than others. When a laser beam strikes the silicon and that the photon’s energy is higher than the Silicon’s band gap, electron-hole pairs are created.

In general, these pairs recombine and there is no effect on the IC but under specific conditions, some undesired effects can appear. We shall focus on one of those effects called the Single Event Effect (SEE).

1.1. Single Event Effect

A Single Event Effect can appear when the electron-hole pairs created by the laser beam are drifted in opposite directions by the electrical field instead of immediately recombining. The consequence of that is the creation of a transient current as illustrated in Figure 1.

Fig. 1: Laser beam effect onto MOS structure Fig. 2: Transient current from charge collection after laser shoot

Along the laser beam shown in Figure 1, after the creation of the electron-hole pairs, two collection phenomena lead to the creation of the transient current. The first phenomenon stretches the depletion region (hence the extension of the electric field) along the laser beam and within a few picoseconds, charges are collected giving a current peak. In a second time, the rest of the charges are collected in a longer diffusing scheme. Figure 2 shows the transient current associated with the two phenomena of collection as given in (Wang 2008).

1.2. Sensitive zones

In CMOS technology, some parts are more sensitive than others to SEEs. Indeed, to create an SEE, and then a fault, a strong electric field is needed. The reverse biased PN-junctions of the chip provide this required electric field. The position of these junctions can change, depending on the value of the data manipulated.

A good example to illustrate this data dependency is the CMOS inverter. The first case is a high state on the inverter’s input: the NMOS transistor is in ON state, its drain is grounded, the source and the bulk too and there is no reverse biased PN-junction. The PMOS transistor is in OFF state, then its source and the N well are in high potential, but its drain is grounded giving rise to a reverse biased junction. Hence, the drain of the PMOS transistor becomes sensitive to a laser shoot. In the same way, with a low state on the inverter’s input, the drain of the NMOS transistor becomes sensitive to a laser shoot.

Figure 3(a) shows an inverter with a low state on its input and the sensitive zone associated. The second inverter (b) on the figure represents the other case of localisation of a sensitive zone.

Fig. 3: CMOS inverter with a low state (a) or high state (b) on its input

1.3. From SEE to faults

We showed in the previous sections how a laser beam can create single events into CMOS structures and which parts of it are more sensitive to a laser. Even if an SEE is created by a laser, it is possible that the SEE has no effect on the chip. An SEE can be transformed into a fault in two different ways. The first one is to generate an SEE directly into a register, then its state is changed and this change is stored and propagated.

The second way consists in creating, into the chip’s logic, an SEE which propagates into the logic until the next register. Depending on the timing, if the SEE reaches the register’s input on a clock’s rising edge, an incorrect value will be latched. Thus, a fault is injected into the chip’s computation. Figure 4 illustrates the propagation of a SEE into the logic and the difficulty of transforming it into a fault. In the first case, the SEE generated into the logic is not captured by the D flip flop of the register cell and has no significant effect on

the data processed. In the second case, with the perfect timing, the SEE is captured by the D flip flop. Thus, the value of the register is changed, the SEE has been turned into a fault.

Fig. 4: Propagation of SEE into Logic

2. The hardened AES test chip

In this section, we describe the chip used as a device under test (DuT) for our laser-based characterizations. The DuT is a hardware module implementing the Advanced Encryption Standard (AES) algorithm used, for example, for encrypting the secure channel between a SECRICOM host device and the SECRICOM SDM.

2.1. The AES algorithm

The AES algorithm is a symmetric key cryptography standard established by the NIST (NIST 2001). This algorithm is based on a few transformations (SubBytes, ShiftRows, MixColumns, AddRoundKey) used iteratively in rounds (Figure 5). In this paper, we focus on the 128-bit key version. This version processes data blocks of 128 bits, considered as matrices of 4x4 bytes called States, in ten rounds. The round keys (K1 to K10) used during each round, are calculated by a key expansion routine (not detailed in this paper). We denote M1 to M10 the AES States at the end of each round.

Fig. 5: The AES algorithm and its hardware implementation

2.2. The secure ASIC AES

In our study, we use the secure AES test chip described in (AGOYAN 2011) implemented in HCMOS9gp 130nm STM technology. The size of the die is 1336µm x 1411.8µm and its working frequency is 25MHz. A picture of the chip is shown in Fig. 10.

The countermeasure against faults attacks implemented in this chip consists first in detecting errors and then reacting in case of detection. The error detection is done by using spatial duplication: the AES is executed twice in parallel and at each round, the results of the two instances are compared. If an error is detected, the reaction consists in blurring the erroneous cipher text with the scrambled value of the detected error. The error detection mechanism is described in the following section.

The figure below presents an overview of the ASIC AES architecture. We can see the two AES executed in parallel with the error detection system. The AES is interfaced with an AMBA APB bus to communicate with the external world. We used an FPGA for the interface between the APB bus and the PC used to control the AES and perform the different tests.

Fig. 6: Overview of the ASIC AES architecture

2.3. The error detection mechanism

As mentioned in the previous section, when an error is detected (XNOR operation between the two paths), the error detection mechanism scrambles the error value and then blurs the cipher text with the scrambled error. An error matrix is used whereby the error is spread across the rows and the columns as shown in the Figure 7. After that, the error matrix is XORed with the SubByte’s results of the two data paths.

Fig. 7: The Error Detection and Spreading Mechanism

2.4. The Cross-ShiftRows operation

In addition to the above error detection mechanism, the ShiftRows operation is crossed between the two data paths. Half of the bits of each byte come from the other path and vice versa. This “crossing” operation is an additional security barrier. Indeed, if a fault is injected onto one of the paths, the fault is detected and propagated onto the two paths in parallel. With the Cross-ShiftRows, half of information is lost due to the transfer to the other path. Figure 8 illustrates the injection of a fault on the last round of the AES and its propagation throughout the two data paths.

Fig. 8: Propagation of a fault on the last AES round (with the countermeasures)

3. Fault injection using laser

3.1. The Laser test bench

To perform the different tests on the AES chip, we used the laser facility of the MicroPackS™ platform (MICROPACKS 2012). This laser is a YAG (Yttrium Aluminium Garnet) laser with three different wavelengths: green, infra-red and ultra-violet. We used the green wavelength (~532nm) with a 20x Mitutoyo lens. We obtained a spot size between 1µm and 150µm. With the larger spot size, we have an energy of approximately 15pJ per laser shoot.

The AES is interfaced with a control PC. When an encryption is launched, a trigger signal is sent to an FPGA synchronization board, which sends a shoot signal to the laser after a delay defined by the control PC.

This delay allows triggering the laser at different times during the encryption.

We put ourselves into two configurations when doing those tests. In the first configuration we adopted a

“black box” approach where we ignored any of the implementation information we had on the DuT and tried to perform fault injections on the data path of the AES, in the ‘classical one’, with the objective of collecting the erroneous ciphertexts and doing differential cryptanalysis like in Giraud’s or Piret’s methods. In the second configuration, we used our knowledge of the implemented countermeasures, in a so-called “white box” approach, to try to circumvent the security mechanism by, say, trying to fault the detection mechanism itself.

3.2. Fault injection on the data path

The easiest way to generate errors and trigger the detection mechanism is to inject faults into the register of the SubByte module. Despite the propagation of the error onto the two data paths and the loss of half of the information due to the Cross-ShiftRows, we can always try to use the faulty ciphertexts in Giraud’s DFA (GIRAUD 2005). The sine-qua-none condition for this attack is to generate mono-bit faults (i.e. errors on only one bit of the State matrix). The error matrix can be found with a simple XOR operation between the correct ciphertext and the faulty one. Figure 8 illustrates this kind of fault injection.

3.3. Fault injection on the detection mechanism

Another way of generating errors is to use the error detection mechanism itself. The DFA described in (PIRET 2003) needs a fault injection before the last MixColumns operation (Round 9). With our countermeasures and a fault injection on the data path, the faulty ciphertexts are not exploitable for this attack. When looking closer at the Cross-ShiftRows operation, it appears that if the same fault is injected on the two data paths, the effect of the Cross-ShiftRows is “neutralized”. Due to the dispersion of the lay-out of the two paths in all the chip’s surface, it’s very hard to inject the same fault into the two paths with a laser which has a local effect. The solution is to inject the fault directly into the error matrix. By doing so, we could propagate the same error on the two paths and the Cross-ShiftRows is neutralized and we do not have any loss of information. In the last round, as the errors are the same on the two data paths, no detection appears and we have a faulty ciphertext that could be used for DFA. Figure 9 depicts the propagation onto the two paths of an error injected directly into the error matrix at the 9^th round.

Figure 9: Injection of an error into the error matrix and its propagation

4. Laser tests on the AES chip

4.1. Localization of the SubByte’s registers

Since the registers of the SubByte are dispersed across the ASIC, the first step of the characterization work was to physically localize those registers. To do so, we made a cartography using the laser. The surface of the chip was partitioned into 36 zones of size 150µm x 150µm each as shown in Figure 10. For each zone, 50 different encryptions were performed among which we looked for specific faulty ciphertexts.

Indeed, as shown in the Figure 8, if a fault is injected on one byte at the beginning of the last round, in the end, we have six times the same error, due to the propagation mechanism, and one different error at the position of the injected fault. In Figure 10, the colored the regions highlight those where specific faulty ciphertexts were obtained and which appeared to be more sensitive to this type of fault on the last round of encryption.

Fig. 10: Sensitive areas of the ASIC

4.2. Results

Once the SubByte’s registers have been localized, we first injected faults on the data path. In the “black box” approach, we tried to perform DFA as described in (GIRAUD 2005) using only the faulty and correct ciphertexts but in vain: the detection and error spreading mechanism proved to be efficient against such attacks.

However, when we used the knowledge of the implementation of the countermeasure (i.e. in a “white box” approach), especially the structure of the Cross-ShiftRows, we managed to recover a few bytes of the secret key of the AES. The complete knowledge of the Cross-ShiftRows is necessary because half of the information is lost in this operation and we need, for the attack, to keep all the information.

We also tried to inject faults directly on the error matrix in order to try another type of DFA (PIRET 2003) where in theory two faulty ciphertexts are needed to recover 4 bytes of the secret key. To find all the 16 bytes of the key, we need to inject an error on one of the bytes of each column of the error matrix. Despite our effort, we couldn’t inject a fault on the error matrix with the laser test bench. One of the reasons is that the error matrix is not implemented with registers but with logic gates. Thus it’s very hard to synchronize the laser shoot with the ASIC’s encryption precisely enough to target separately each column of the error matrix.

5. Discussion & Conclusion

In this paper, we have described how countermeasures implemented in a hardware implementation of the AES have been tested using a laser as fault injection means. We have seen that, in a “black box”

approach, classical DFA techniques are inefficient against such countermeasures. However our characterization work has also shown that in a “white box” scenario, some bytes of the secret keys could be recovered. This has led us to the conclusion that the error propagation should have been truly random and independent from the generated errors (requiring the implementation of a True Random Number Generator on the chip). Moreover, another investigated attack path, trying to inject a fault on the error matrix itself, has proven to be unsuccessful illustrating the limits of current equipment with respect to current technologies.

Such characterization works have provided valuable design rules for implementing secure encryption AES modules like those used in the SDM of the SECRICOM project.

6. Acknowledgements

This work was funded by SECRICOM project (EC FP7-SEC-2007 grant 218123). The research work of Cyril Roscian is partly funded by the “Conseil Regional Provence-Alpes Côtes d’Azur”.

Bibliography

AGOYAN M., DUTERTRE J-M., NACCACHE D, ROBISSON B. and TRIA A. “When Clocks Fail: On Critical Paths and Clock Faults”, SPRINGER VERLAG ed., Smart Card Research and Advanced Application, 2010.

AGOYAN M., BOUSQUET S., DUTERTRE J-Max. FOURNIER J., RIGAUD J-B., ROBISSON B. and TRIA A.

“Design and characterisation of an AES chip embedding countermeasures” International Journal of Intelligent Engineering Informatics 1, n° 3-4 (2011): 328-347, 2011

AMIEL F., CLAVIER C. and TUNSTALL M. “Collision fault analysis of DPA resistant algorithms” in the proceedings of Fault Diagnosis and Tolerance in Cryptography 2006 — FDTC 2006.

ANDERSON R.J. and KUHN M.G. “Low Cost Attacks on Tamper Resistant Devices”, in the Proceedings of the 5^th International Workshop on Security Protocols, 1998.

BAR-EL H., CHOUKRI, H., NACCACHE D, TUNSTALL M. and WHELAN C. “The Sorcerer's Apprentice Guide to Fault Attacks”. E-Print: 2004/100

BIHAM E. and SHAMIR A. “Differential Fault Analysis of Secret Key Cryptosystems” in the proceedings of the 17^th Annual International Cryptology Conference on Advances in Cryptology, 1997.

BLÖMER J. and SEIFERT J. “Fault Based Cryptanalysis of the Advanced Encryption Standard (AES)”

Financial Cryptography 2003.

BONEH D., DEMILLO R.A. and LIPTON R.J. “On the Importance of Checking Cryptographic Protocols for Faults”. Advances in Cryptology - EUROCRYPT '97, International Conference on the Theory and Application of Cryptographic Techniques, Konstanz, Germany, May 11-15, 1997.

GAMMEL B.M. and MANGARD S. “On the Duality of Probing and Fault Attacks”. J.Electron.Test., aug 2010, vol. 26, no. 4, pp. 483-493 ISSN 0923-8174. DOI 10.1007/s10836-010-5160-0, 2010.

GIRAUD C. “DFA on AES” in the Proceedings of the 4^th international conference on Advanced Encryption Standard. Bonn, Germany, 2005.

GIRAUD C. and THILLARD A. “Piret and Quisquater's DFA on AES Revisited”. E-print: 2010/440

HANDSCHUH H., PAILLIER P and STERN J. “Probing Attacks on Tamper-Resistant Devices” in the Proceedings of the First International Workshop on Cryptographic Hardware and Embedded Systems, 1999.

KIM, C.H. and QUISQUATER J-J. “New Differential Fault Analysis on AES Key Schedule: Two Faults Are Enough” in the proceedings of the 8^th IFIP WG 8.8/11.2 international conference on Smart Card Research and Advanced Applications. London, UK, 2008.

KOCHER P.C., JAFFE J. and JUN B. “Differential Power Analysis” in the proceedings of CRYPTO, 1999.

KOEUNE, F. and STANDAERT, F. “A Tutorial on Physical Security and Side-Channel Attacks” in Foundations of Security Analysis and Design III : FOSAD 2004/2005, Nov 2006, vol 3655, pp. 78-108

KÖMMERLING O. and KUHN M.G. “Design principles for tamper-resistant smartcard processors” in the Proceedings of the USENIX Workshop on Smartcard Technology on USENIX Workshop on Smartcard Technology. Chicago, Illinois, 1999.

LU, J., J. PAN and J. DEN HARTOG. “Principles on the security of AES against first and second-order differential power analysis” in the Proceedings of the 8^th international conference on Applied cryptography and network security. Beijing, China, 2010.

MICROPACKS. http://www.arcsis.org, last accessed 19^th of April 2012.

MORADI, A., MISCHKE O., PAAR C., LI Y., OHTA K. and SAKIYAMA K. “On the power of fault sensitivity analysis and collision side-channel attacks in a combined setting” in the proceedings of the 13^th international conference on Cryptographic hardware and embedded systems. Nara, Japan, 2011.

MORADI, A., M.T.M. SHALMANI and M. SALMASIZADEH. “A generalized method of differential fault attack against AES cryptosystem” in the Proceedings of the 8^th international conference on Cryptographic Hardware and Embedded Systems. Yokohama, Japan, 2006.

MUKHOPADHYAY, D. “An Improved Fault Based Attack of the Advanced Encryption Standard” in the Proceedings of the 2nd International Conference on Cryptology in Africa: Progress in Cryptology. Gammarth, Tunisia, 2009.

NIST, National Institute of Standards and Technology (NIST), “Announcing the advanced encryption standard (AES)”, Federal Inf. Processing Standards Pub., Vol. 197, 2001.

DUSART P., LETOURNEUX G. and VIVOLO O. “Differential Fault Analysis on A.E.S », E-print: 2003/010.

PIRET G. and QUISQUATER J-J. “A Differential Fault Attack Technique Against SPN Structures, with Application to the AES and KHAZAD”. in the proceedings of the 5^th international conference on Cryptographic hardware and embedded systems, LNCS 2779, 2003.

SCHMIDT, J. and M. HUTTER. “Optical and EM Fault-Attacks on CRT-based RSA: Concrete Results”, ed.

Austrochip 2007, 15^th Austrian Workhop on Microelectronics, 11 October 2007, Graz, Austria, Proceedings, 2007.

SCHMIDT, J. and KIM, C.H. « Information Security Applications ». In: K. CHUNG, K. SOHN and M. YUNG eds., Berlin, Heidelberg: Springer-Verlag, pp. 256-265 ISBN 978-3-642-00305-9. DOI 10.1007/978-3-642- 00306-6_19. 2009

SKOROBOGATOV, S.P. “Semi-Invasive Attacks -- A New Approach to Hardware Security Analysis.” PhD thesis, University of Cambridge, Computer Laboratory, 2005

TAKAHASHI, J. and FUKUNAGA, T., “Differential Fault Analysis on the AES Key Schedule.” E-print:

2007/480

TRICHINA, E. “Combinational Logic Design for AES SubByte Transformation on Masked Data.” E-print:

2003/236

TUNSTALL, M., D. MUKHOPADHYAY and S. ALI. “Differential fault analysis of the advanced encryption standard using a single fault” in the Proceedings of the 5^th IFIP WG 11.2 international conference on Information security theory and practice: security and privacy of mobile devices in wireless communication.

Heraklion, Crete, Greece, 2011.

WANG, F. and V.D. AGRAWAL. « Single Event Upset: An Embedded Tutorial » Proc. of 21^st International Conference on VLSI Design. 2008

YEN, C. and WU, B. “Simple Error Detection Methods for Hardware Implementation of Advanced Encryption Standard”. IEEE Trans.Comput., jun, vol. 55, no. 6, pp. 720-731 ISSN 0018-9340. DOI 10.1109/TC.2006.90, 2006