Attack on DFA protected AES by Simultaneous Laser Fault Injections · 2 AES instances, one clock...
Transcript of Attack on DFA protected AES by Simultaneous Laser Fault Injections · 2 AES instances, one clock...
Attack on DFA protected AES by Simultaneous LaserFault Injections
Bodo Selmkea, Johann Heyszla, Georg Siglb, 08 / 16 / 2016
aFraunhofer Institue AISECbTechnische Universität München
� Laser Fault Injection
� Protected Hardware Implementation
� Symmetric algorithm (AES)
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 1
© Fraunhofer
FA Countermeasures
1. Direct detection by specialized sensors
2. Handling of faults with various forms of redundancy (Time, Space)
Detection Raise an alarm (interrupt signal)→ Discard output of faulty ciphertext
Infection Transform ("infect") ciphertext→ Render analysis of output by DFA impossible
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 2
© Fraunhofer
Our practical Investigation
Demonstrate successful attack against AES with duplication-basedcountermeasure using two simultaneous laser shots
� AES on FPGA
� Protection by a countermeasure based on hardware duplication
� Determine locations for Laser Fault Injection→ AES state registers
� Carry out Fault Injections into AES
� Apply DFA on record of output data→ Determine if attack is feasible (We used the DFA by Saha et al.)
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 3
© Fraunhofer
Redundant AES DesignFeatures
AES core
� 2 AES instances, one clock cycle per round
� Infection Countermeasure based on the design by Lomné et al.
� 48 MHz clock frequency
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 4
© Fraunhofer
Redundant AES DesignInfection Scheme
state 0
Δ state
outputstate 0
state 1
I state
mask
state 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 5
© Fraunhofer
Redundant AES DesignInfection Scheme
state 0
Δ state
outputstate 0
I state
mask
state 1 outputstate 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 6
© Fraunhofer
Redundant AES DesignInfection Scheme
state 0
Δ state
outputstate 0
state 1
I state
mask
state 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 7
© Fraunhofer
Redundant AES DesignFeatures cont’d
AES core
� 2 AES instances, one clock cycle per round
� Infection Countermeasure based on the design by Lomné et al.
� 48 MHz clock frequency
Generation of Trigger Signal
� Implemented on FPGA
� Adjustable delay counters, initiated with the start-signal of the AES
Device Under Test
� Xilinx Spartan-6 FPGA
� 45 nm feature size
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 8
© Fraunhofer
Used Laser System
� 2× infrared (1064 nm) laserwith 800 ps pulse length
� Beams independentlypositionable by laser scanners
� Combination of both beamsby beam splitter
� 4 µm spot size
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 9
© Fraunhofer
Preliminary InvestigationLocating the AES State Registers
� Attack requires knowledge of register location
� Use of dedicated FPGA-design to locate individual flip-flops
� Precision of the Laser sufficient to inject matching fault?
� 3-Step Approach to find the flip-flops of interest:1. Locate a BRAM near the area where the relevant slices are assumed2. Evaluate optimal focal plane for maximum precision3. Scan area to locate the specific flip-flops
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 10
© Fraunhofer
Preliminary InvestigationFF-Verification Design
Slice n
D5FF DFF
C5FF CFF
B5FF BFF
A5FF AFF
Slice n +1
D5FF DFF
C5FF CFF
B5FF BFF
A5FF AFF
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 11
© Fraunhofer
Preliminary InvestigationFF-Verification Design
Slice #527
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faultslogic errordifferent slicebit 0bit 1bit 2bit 3bit 4bit 5bit 6bit 7
� scan field 60 µm×30 µm
� step size 200 nm
� 2 laser shots per location:flip-flops initialized to 0 and 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 12
© Fraunhofer
Preliminary InvestigationFF-Verification Design
Slice #526
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faultslogic errordifferent slicebit 0bit 1bit 2bit 3bit 4bit 5bit 6bit 7
� scan field 60 µm×30 µm
� step size 200 nm
� 2 laser shots per location:flip-flops initialized to 0 and 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 13
© Fraunhofer
Preliminary InvestigationFF-Verification Design
Set (0→ 1) and Reset (1→ 0) sensitive areas
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faults
logic error
set
rst
flip
� scan field 60 µm×30 µm
� step size 200 nm
� 2 laser shots per location:flip-flops initialized to 0 and 1
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 14
© Fraunhofer
Performing the attack on the AESProcedure
Preparation
� Positioning of both lasers according to the previous results
� Evaluation of correct timing for the fault injection
Attack
� Start AES computation
� Inject fault into state registers during round 7
� Record output
� Test if attack was successful (Perform DFA based on ciphertext pair)
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 15
© Fraunhofer
Performing the attack on the AESResults
Shots Non-ExploitableFaults
Exploitable Faults Attack SuccessRatio
80000 21845 229 0.29 %
� Low success rate
� Single successful FI is sufficient
� Time to success: ≈ 5min
Problems:
� Jitter of laser shot
� Drift of laser spot location
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 16
© Fraunhofer
Performing the attack on the AESFeasibility of the Attack in practice
� The attack required knowledge of the location of the state registers� Activity-Analysis can reveal location of the AES cores
� Reverse-Engineering Methods can identify locations of registers
� Matching flip-flops can be found by exhaustive search(128 combinations)
� Stress on the device is low enough (All FI on single DUT)
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 17
© Fraunhofer
DiscussionCountermeasures
Prevent this attack on state registers:� Fault Space Transformation (Patranabis et al.a)
� Add an additional MixColumns / InvMixColumns Operation to one branch� The associated state register stores MixColumns-transformed version of
state� FI in the combinatorial path might be feasible
� Parity Check for altered register contents
Raising attack complexity:
� Scrambling of the flip-flop locations
� Varying timing between both AES cores
aUsing State Space Encoding To Counter Biased Fault Attacks on AES Countermeasures,2015
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 18
© Fraunhofer
Conclusion
� We successfully show how two lasers can be used in an attack
� As example, broke duplication-based infective countermeasures
� Results principally affect most hardware duplication-basedcountermeasures!
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 19
© Fraunhofer
Thank your for your attentionQuestions?
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 20
© Fraunhofer
Contact Information
Dipl.-Ing. Bodo Selmke
Department Hardware Security (HWS)
Fraunhofer-Institute forApplied and Integrated Security (AISEC)
Address: Parkring 485748 Garching (near Munich)Germany
Internet: http://www.aisec.fraunhofer.de
Phone: +49 89 3229986-132Fax: +49 89 3229986-222E-Mail: [email protected]
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 21
© Fraunhofer
Backup Slides
-100.0 -80.0 -60.0 -40.0 -20.0 0.0 20.0 40.0 60.0 80.0 100.0x [µm]
-30.0
-10.0
10.0
30.0
y [µ
m]
no data
no faults
logic error
#562
other flipflop
-100.0 -80.0 -60.0 -40.0 -20.0 0.0 20.0 40.0 60.0 80.0 100.0x [µm]
-30.0
-10.0
10.0
30.0
y [µ
m]
no data
no faults
logic error
#527
other flipflop
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 22
© Fraunhofer
Backup Slides
Slice #562
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faultslogic errordifferent slicebit 0bit 1bit 2bit 3bit 4bit 5bit 6bit 7
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 23
© Fraunhofer
Backup Slides
Total number of bit faults
-30.0 -25.0 -20.0 -15.0 -10.0 -5.0 0.0 5.0 10.0 15.0 20.0 25.0 30.0x [µm]
-15.0
-10.0
-5.0
0.0
5.0
10.0
15.0
y [µ
m]
no faults
logic error
1 flip-flop
2 flip-flops
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 24
© Fraunhofer
Backup Slides
state
key
plaintext
ciphertext
'0'
SubBytes ShiftRows MixColumns
roundkey
Key-Schedule
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 25
© Fraunhofer
Backup Slides
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 26
© Fraunhofer
Backup Slides
-4.0 -3.0 -2.0 -1.0 0.0 1.0 2.0 3.0 4.0x in µm
-4.0
-3.0
-2.0
-1.0
0.0
1.0
2.0
3.0
4.0
y in
µm
Address = 0, Bit = 0
set
set + other bit(s)
rst
rst + other bit(s)
toggle
toggle + other bit(s)
other bit(s)
no faults
-4.0 -3.0 -2.0 -1.0 0.0 1.0 2.0 3.0 4.0x in µm
-4.0
-3.0
-2.0
-1.0
0.0
1.0
2.0
3.0
4.0
y in
µm
Address = 4, Bit = 0
set
set + other bit(s)
rst
rst + other bit(s)
toggle
toggle + other bit(s)
other bit(s)
no faults
-4.0 -3.0 -2.0 -1.0 0.0 1.0 2.0 3.0 4.0x in µm
-4.0
-3.0
-2.0
-1.0
0.0
1.0
2.0
3.0
4.0
y in
µm
Address = 4, Bit = 0
set
set + other bit(s)
rst
rst + other bit(s)
toggle
toggle + other bit(s)
other bit(s)
no faults
Pulse energy 1.0 nJ
2xLFI on AES | Bodo Selmke | 08 / 16 / 2016 | 27
© Fraunhofer