Final Report
Jörn-Marc Schmidt
June 16, 2008
joern-marc.schmidt@iaik.tugraz.at
Differential Fault Analysis
Abstract
Contents
List of Figures
1 Introduction
1.1 Results
1.2 Structure of this Report
3 Injecting Faults
3.1 Decapsulation
Index
Bibliography
List of Figures
Chapter 1
Introduction
In recent years, microchips have become more and more a part of many people's everyday life, sometimes without even being noticed. In Austria every member of the compulsory health insurance receives a so-called eCard containing a microchip that stores information about the insured person. Most electronic-cash cards include a microchip containing information about former money transactions. Modern travel documents also use chips to protect them against forgery. All those chips store valuable information. Thus, these devices should be protected against unauthorized access. This is done by implementing cryptographic algorithms on the devices. Attacks that do not focus on the algorithm itself but on its realization in hardware are called implementation attacks.
Those attacks are among the most powerful attacks against cryptographic devices nowadays. In contrast to traditional cryptanalysis, implementation attacks do not treat the cryptographic algorithm as a black box. The way an algorithm is implemented and the device it runs on may lead to information leakage although the algorithm is cryptographically secure. An adversary can use so-called side channels to gain information about inner states of the device or influence its behavior. As a change of the behavior is not intended in common usage, it is referred to as a fault. In 1997 Dan Boneh et al. [BDL97] and Eli Biham and Adi Shamir [BS97] showed that the occurrence of faults is a serious threat to cryptographic devices. Their attacks exploit faults within the computation of a cryptographic algorithm to reveal secret information.
Such faults can be provoked by an adversary in several ways.
One method to inject faults is to insert peaks into the clock supply. These peaks may corrupt data transferred between registers and memory [KK99]. This is called a glitch attack. As no modification of the device is needed, glitch attacks belong to the non-invasive attacks. In contrast to non-invasive methods, invasive and semi-invasive ones also target data storage and not only its transfer. Both attack methods require direct access to the chip. In most cases, a decapsulation procedure has to be applied to expose it. Semi-invasive attacks inject faults without electrical contact to the chip surface.

A conventional semi-invasive attack uses light [SA03], resulting in transient faults, or electromagnetic fields [QS02], resulting in transient or permanent faults. Invasive attacks establish direct contact to the chip. The behavior of the device can be permanently changed in this way. Using a probing needle, the content of EEPROM cells can be manipulated [Koc96]. It is also possible to inject permanent faults by modifying the device itself and cutting some wires using a laser cutter or a focused ion beam (FIB) [KK99].
1.1 Results
At the beginning of this project, knowledge of how to decapsulate microchips had to be acquired. First setups for optical fault injection were built. Later on, these setups were improved by using a microscope to increase the precision of the fault. Subsequently, EM fault injection was performed. We published low cost attacks on CRT-RSA using light as well as electromagnetic fields [SH07]. Besides the practical fault injection, theoretical work on fault models and analyzing faults was done.
Structure of this Report
semi-invasive attacks.
Chapter 2
Faults and Their Impacts
trol. Otherwise, an attacker has no control.
Control on the timing. An adversary is said to have full control if it is possible to target an operation at will. Loose control would mean an operation within a specified block. If only an operation out of the whole execution can be attacked. An adversary has no control on the timing of the attack if an attack can only be triggered by hand, for example.

Number of affected bits. An attack can target single bits, a few bits, e.g. a byte, or a random number of bits, which may be bounded by the size of the affected variable.

Duration. Depending on the type of the fault, it can be transient, where it affects the variable only once, e.g. in one computation; the next time the variable is accessed it has its correct value. Permanent faults, in contrast, retain the faulty value throughout a whole execution of the algorithm. Once injected, destructive faults affect all following computations of the device.

Probability. For some attacks a success probability also has to be defined. A fault, or a fault within the specific range, only occurs with a certain probability.

As attacks in a destructive fault model are presented in the following, we will elaborate on it in more detail.
card reader. Therefore, it is not necessary to adjust the time when a fault is injected, which can be challenging for transient fault injection. Here, computing the faulty ciphertexts can be totally separated from the fault injection setup, thus computing a faulty ciphertext is as costly as computing a normal encryption after the fault was injected.
Attacks on CRT-RSA
$(\mathbb{Z}_p, \mathbb{Z}_q) \to \mathbb{Z}_n$
(, y) → CRT(p,q)→n (, y) = · cp + y · cq mod n,
with $c_p = q\,(q^{-1} \bmod p)$ and $c_q = p\,(p^{-1} \bmod q)$. Its inverse operation is
$\mathbb{Z}_n \to (\mathbb{Z}_p, \mathbb{Z}_q)$
$z \mapsto (z \bmod p,\ z \bmod q).$
1. $S_p = m^d \bmod p t_1$
2. $S_q = m^d \bmod q t_2$
3. $S = \mathrm{CRT}_{(p t_1,\, q t_2) \to n t_1 t_2}(S_p, S_q)$
4. $c_1 = m - S^{e_{t_1}} + 1 \bmod t_1$
5. $c_2 = m - S^{e_{t_2}} + 1 \bmod t_2$

1. $S_{rp} = m^d \bmod rp$
2. $S_{rq} = m^d \bmod rq$
3. $S = \mathrm{CRT}_{(p,q) \to n}(S_p \bmod p,\ S_q \bmod q)$
4. if ($S_p \bmod r == S_q \bmod r$) output $S$

$p = \gcd(\tilde{S}^e - m, n).$
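The CRT recombination, the gcd relation and the mod-r consistency check listed above can be exercised together on a toy key. The following is an added example, not code from the report; the Mersenne-prime key, the value of r, the single-bit XOR fault model and all function names are assumptions made for illustration.

```python
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
R = 65521  # constructed small prime r for the mod-r consistency check

def crt(x, y, p, q):
    """(x, y) -> x*c_p + y*c_q mod n, c_p = q(q^-1 mod p), c_q = p(p^-1 mod q)."""
    c_p = q * pow(q, -1, p)
    c_q = p * pow(p, -1, q)
    return (x * c_p + y * c_q) % (p * q)

def sign_crt(m, fault=0):
    """Unprotected CRT-RSA; `fault` is XORed into S_q to model a corrupted half."""
    s_p = pow(m, D, P)
    s_q = pow(m, D, Q) ^ fault
    return crt(s_p, s_q, P, Q)

def fault_gcd(m, s):
    """gcd(S^e - m, n): n for a correct signature, p if only the q-half was wrong."""
    return gcd((pow(s, E, N) - m) % N, N)

def sign_checked(m, fault=0):
    """Exponentiate mod rp and rq; release S only if both halves agree mod r."""
    s_rp = pow(m, D, R * P)
    s_rq = pow(m, D, R * Q) ^ fault
    if s_rp % R != s_rq % R:
        return None  # fault detected, nothing leaves the device
    return crt(s_rp % P, s_rq % Q, P, Q)

if __name__ == "__main__":
    m = 0x1234567  # constructed message representative
    good, bad = sign_crt(m), sign_crt(m, fault=1)
    print("correct signature verifies:", pow(good, E, N) == m)
    print("faulty output exposes p:   ", fault_gcd(m, bad) == P)
    print("mod-r check blocks fault:  ", sign_checked(m, fault=1) is None)
```

The unprotected routine returns a value from which one prime follows by a single gcd, while the checked routine returns nothing once the two halves disagree modulo r.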
Let $m_1^d$, $m_2^d$ be two correctly signed messages and $\tilde{S}_1$, $\tilde{S}_2$ their corresponding erroneous signatures.

$$\tilde{S}_1 m_1^{-d} - \tilde{S}_2 m_2^{-d} = q\left(-(m_1^{-d})\,\delta k_{q_1} + (m_2^{-d})\,\delta k_{q_2}\right) \bmod n$$

$$\gcd\left(\tilde{S}_1 (m_1^{-d}) - \tilde{S}_2 (m_2^{-d}),\ n\right) = q.$$

Iff $\delta\left((m_1^{-d})\,k_{q_1} - (m_2^{-d})\,k_{q_2}\right) = 0 \bmod p$, it is not possible to factor the modulus this way. In that case, $(m_1^{-d})\,k_{q_1}\,(m_2^{d}) = k_{q_2} \bmod p$ holds, as $p \nmid \delta$. All variables in this equation depend on the secret values $d$, $p$ and $q$. Thus, they are random for an adversary. For each selection of $m_1$, $k_{q_1}$ and $m_2$, there is one value $k_{q_2} \in \mathbb{Z}_p$ that fulfills the equation. As $p$ is a prime number of size 512 bits, the probability that the equation holds is negligible.
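$m_2$ be two messages and their erroneous signatures $\tilde{S}_1$ and $\tilde{S}_2$. For ∈ {1, 2} and some $\Delta \in \mathbb{Z}_p$

$$\begin{aligned}
\tilde{S}^e &= \left((1+\delta)\,m^d - q(\delta k_q)\right)^e \bmod n \\
&= (1+\delta)^e m - q(\Delta) \bmod n
\end{aligned}$$

Note that $q\Delta$ consists of all the terms from the exponentiation with $\delta_2 + \delta^t$ containing a $q$, so even a small change of $\delta^t$ will significantly alter $\Delta$. As $\delta_2$, $\delta^t$ and $\Delta$ are unknown, $q$ cannot be recovered directly from $\widetilde{Sg}$. Using the transient fault, it is possible to compute two erroneous signatures $\widetilde{Sg}_1$ and $\widetilde{Sg}_2$ for the same $m$ with different $\delta_1^t$ and $\delta_2^t$;

$$\begin{aligned}
\widetilde{Sg}_1 \left(\widetilde{Sg}_2\right)^{-1}
&= \frac{S^{\delta_2+\delta_1^t} + \Delta_1 q}{S^{\delta_2+\delta_2^t} + \Delta_2 q} \bmod n \\
&= S^{\delta_1^t-\delta_2^t}\left(\frac{S^{\delta_2+\delta_2^t}}{S^{\delta_2+\delta_2^t} + \Delta_2 q}\right) + q\left(\frac{\Delta_1}{S^{\delta_2+\delta_2^t} + \Delta_2 q}\right) \bmod n \\
&= S^{\delta_1^t-\delta_2^t}\left(\frac{S^{\delta_2+\delta_2^t} + \Delta_2 q - \Delta_2 q}{S^{\delta_2+\delta_2^t} + \Delta_2 q}\right) + q\left(\frac{\Delta_1}{S^{\delta_2+\delta_2^t} + \Delta_2 q}\right) \bmod n \\
&= S^{\delta_1^t-\delta_2^t} + q\,\frac{-S^{\delta_1^t-\delta_2^t}\Delta_2 + \Delta_1}{S^{\delta_2+\delta_2^t} + \Delta_2 q} \bmod n.
\end{aligned}$$

as long as $\dfrac{-S^{\delta_1^t-\delta_2^t}\Delta_2 + \Delta_1}{S^{\delta_2+\delta_2^t} + \Delta_2 q} \neq 0 \bmod p$. The remaining task is to deal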
Chapter 3
Injecting Faults
3.1 Decapsulation
A chip can be accessed from the front or the rear side. The latter case does not include chemical treatment, but gives access to the substrate only.

In order to access the chip from the front side, three steps have to be performed. First, a hole is milled into the package. Afterwards it is filled with fuming nitric acid for about 10-30 seconds and cleaned in acetone by ultrasonic treatment. The last two steps are repeated until the chip is exposed as far as the attack requires. The three steps are shown in Figure 3.1.

The rear-side decapsulation of the chip can be carried out without the need for chemicals. It is possible to mill a hole into the rear side of the package. Under the substrate layer of the chip is a copper plate that can be easily removed using a screwdriver [Sko05].
Chapter 4
Optical Fault Injection
Low Cost Setup
Chapter 5
Electromagnetic Fault Induction
Characterization of Injected Current
Electromagnetic Fault-Injection Attacks
tains a tiny hole, which is used to connect the socket of the microcontroller with the rest of the board, i.e. the power-supply connectors, the crystal oscillator, and the serial-interface circuit. The device under attack was placed in front of the shield; the rest of the devices were placed behind the shield. Furthermore, all involved cables were fixed with copper tape, which is in contact with the ERP plate as well. For contact-based high-voltage protection, ferrite cores were plugged onto the cables connected to the PC, the digital oscilloscope, and the power-supply unit. This shielded environment avoids the measurement of interfering signals caused by the generated sparks.

The induced voltage of three different chip capsulation scenarios was characterized. First, a standard capsulated microcontroller was used. Second, the rear-side of the microcontroller was removed and the induced voltage was measured. The third scenario uses a front-side decapsulated microcontroller for fault-injection analysis. Next, a measuring bar in front of the chip surface was used in order to vary the distance between the chip and the generated spark gap. Figure 5.2 shows the results of the experiment. As expected, the most current was injected into the front-side decapsulated microcontroller. Notice that the success probability of our attacks was higher than with the capsulated or rear-side decapsulated microcontroller. A lower voltage was induced in the standard-capsulated microcontroller. However, beyond about 10 mm from the surface of the chip, the same voltage is induced in all three package scenarios. In Figure 5.3, the variance of the different measurement scenarios is shown. It turns out that the variance of the induced voltages decreases as the distance to the surface of the chip increases.
Chapter 6
Conclusions and Further Work
Index
BOS scheme
CRT
Decapsulation
Fault models
Implementation attack
Injected current
Injection methods
Non-volatile faults
OBIC
Optical fault injection
Rear-side decapsulation
Results
Sample preparation
Shamir’s trick
Spark gap
Bibliography
[Koc96] Osman Kocar. Hardwaresicherheit von Mikrochips in Chipkarten. Datenschutz und Datensicherheit, (7):421–424, July 1996.
[TTO97] K.T. Tan, S.H. Tan, and S.H. Ong. Functional failure analysis on analog device by optical beam induced current technique. In Physical & Failure Analysis of Integrated Circuits, 1997., Proceedings of the 1997 6th International Symposium on, pages 296–301. IEEExplore, July 1997.