Design and Security of Cryptographic Algorithms and Devices (ECRYPT II), Albena, Bulgaria, 29 May - 3 June 2011

Fault attacks on secure chips:
from glitch to flash

Dr Sergei Skorobogatov
http://www.cl.cam.ac.uk/~sps32   email: sps32@cam.ac.uk
Slide 2. Introduction

Attack scenarios on secure systems
- theft of service: attacks on service providers: satellite TV, electronic meters, access cards, software protection dongles
- access to information: information recovery and extraction, gaining trade secrets (IP piracy), ID theft
- cloning and overbuilding: copying for making profit without investment in development, low-cost mass production by subcontractors
- denial of service: dishonest competition, electronic warfare

Attack technologies are being constantly improved
- there is growing demand for secure chips

Who needs secure chips?
- car industry, service providers, manufacturers of various devices
- banking industry and military applications
Slide 3. Attack categories

- Side-channel attacks: techniques that allow the attacker to monitor the analog characteristics of power supply and interface connections and any electromagnetic radiation
- Software attacks: use the normal communication interface and exploit security vulnerabilities found in the protocols, cryptographic algorithms, or their implementation
- Fault generation: use abnormal environmental conditions to generate malfunctions in the system that provide additional access
- Microprobing: can be used to access the chip surface directly, so we can observe, manipulate, and interfere with the device
- Reverse engineering: used to understand the inner structure of the device and learn or emulate its functionality; requires the use of the same technology available to semiconductor manufacturers and gives similar capabilities to the attacker
Slide 4. Attack methods

Non-invasive attacks (low-cost)
- observe or manipulate the device without physical harm to it
- require only moderately sophisticated equipment and knowledge to implement

Invasive attacks (expensive)
- almost unlimited capabilities to extract information from chips and understand their functionality
- normally require expensive equipment, knowledgeable attackers and time

Semi-invasive attacks (affordable)
- semiconductor chip is depackaged but its internal structure remains intact
- fill the gap between non-invasive and invasive types, being both inexpensive and easily repeatable
Slide 5. Targets of fault attacks

- Embedded memory: SRAM, EEPROM, Flash, ROM
- CPU: instructions, data, result, jumps
- Security: reset fuse, force debug, access

Common components: CPU, Memory, I/O, A/D and D/A
Slide 6. Embedded memory

EEPROM and Flash
- access one row at a time
- read-sense amplifiers bottleneck
- high-voltage operation

SRAM
- access with data bus width
- read-sense amplifiers bottleneck
Slide 7. Non-invasive attacks

Non-penetrative to the attacked device
- normally do not leave tamper evidence of the attack

Tools
- digital multimeter
- IC soldering/desoldering station
- universal programmer and IC tester
- oscilloscope and logic analyser
- signal generator
- programmable power supplies
- PC with data acquisition board
- FPGA board
- prototyping boards
Slide 8. Non-invasive attacks: fault injection

Glitch attacks
- clock glitches
- power supply glitches
- corrupting data

Security fuse verification in the Mask ROM bootloader of the Motorola MC68HC05B6 microcontroller
- double frequency clock glitch causes incorrect instruction fetch
- low-voltage power glitch results in corrupted EEPROM data read

          LDA   #01h
          AND   $0100             ; the contents of the EEPROM byte is checked
    loop: BEQ   loop              ; endless loop if bit 0 is zero
          BRCLR 4, $0003, cont    ; test mode of operation
          JMP   $0000             ; direct jump to the preset address
    cont: ...
Slide 9. Response from chip manufacturers

Additional tamper protections
- voltage, frequency and temperature sensors
- memory access protection
- crypto-coprocessors
- asynchronous logic design
- symmetric design, dual-rail logic
- internal clock sources, clock conditioning and PLL circuits
- internal charge pumps and voltage regulators
- software countermeasures
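The fuse check on the HC05B6 slide is a single conditional branch: a clock glitch that skips the BEQ, or a power glitch that makes the EEPROM byte read as all ones, is enough to fall through into the bootloader. The Python model below is added here as an illustration; it is not code from the slides or from Motorola. It replays both fault models (one skipped instruction, one corrupted read) against the original check and against a hardened variant written for this example, in which the unlock state is a multi-bit magic value rather than one bit, the fuse is read twice, and every test defaults to "locked". The tiny interpreter, the step lists, UNLOCK_MAGIC and the 0xFF/0x00 read-corruption values are all assumptions; the BRCLR test-mode branch is left out.

```python
"""Single-fault simulation of a bootloader security-fuse check (added example)."""


def run(program, fuse_read, skip=None):
    """Execute a straight-line program; skip = index of the one step lost to a clock glitch.
    Each step returns None to fall through or a verdict string that ends execution."""
    env = {"a": 0, "f1": 0, "f2": 0}        # accumulator and two scratch registers
    for i, step in enumerate(program):
        if i == skip:
            continue
        verdict = step(env, fuse_read)
        if verdict is not None:
            return verdict
    return "bootloader entered"


# Original check, mirroring the slide's fragment: LDA #01h / AND $0100 / BEQ loop.
# Bit 0 of the EEPROM byte cleared means the device is secured.
ORIGINAL = [
    lambda e, rd: e.__setitem__("a", 0x01),               # LDA #01h
    lambda e, rd: e.__setitem__("a", e["a"] & rd()),      # AND $0100
    lambda e, rd: "locked" if e["a"] == 0 else None,      # BEQ loop: hang if bit 0 is zero
]

# Hardened variant (assumed design, not from the slides). Unlocking requires a
# specific multi-bit value, so a read stuck at 0xFF or 0x00 does not pass; the
# fuse is read twice and compared; every test falls to "locked" unless it passes,
# so no single skipped step opens the path.
UNLOCK_MAGIC = 0x5A

HARDENED = [
    lambda e, rd: e.__setitem__("f1", rd()),
    lambda e, rd: e.__setitem__("f2", rd()),
    lambda e, rd: "locked" if e["f1"] != UNLOCK_MAGIC else None,
    lambda e, rd: "locked" if e["f2"] != UNLOCK_MAGIC else None,
    lambda e, rd: "locked" if e["f1"] ^ e["f2"] else None,          # both reads must agree
    lambda e, rd: "locked" if e["f1"] != UNLOCK_MAGIC else None,     # redundant re-test
]


def bypass_faults(program, secured_value):
    """List every single fault that turns a secured fuse into bootloader entry."""
    faults = [("skip", i) for i in range(len(program))]
    faults += [("read", 0xFF), ("read", 0x00)]   # corrupted EEPROM read (assumed values)
    found = []
    for kind, value in faults:
        if kind == "skip":
            verdict = run(program, lambda: secured_value, skip=value)
        else:
            verdict = run(program, lambda v=value: v)
        if verdict == "bootloader entered":
            found.append((kind, value))
    return found


if __name__ == "__main__":
    print("original check bypassed by:", bypass_faults(ORIGINAL, 0xFE))
    print("hardened check bypassed by:", bypass_faults(HARDENED, 0xFF))
```

In this model one skipped instruction (the AND or the BEQ) or one all-ones read opens the original check, while the hardened list survives every single fault but not two faults combined; that residual risk is why the hardware measures listed on the slide (sensors, clock conditioning, dual-rail logic) remain necessary alongside software countermeasures.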
Slide 10. Invasive attacks

Penetrative attacks
- leave tamper evidence of the attack or even destroy the device

Tools
- IC soldering/desoldering station
- simple chemical lab
- high-resolution optical microscope
- wire bonding machine
- laser cutting system
- microprobing station
- oscilloscope and logic analyser
- signal generator
- scanning electron microscope
- focused ion beam workstation
Slide 11. Invasive attacks: sample preparation

Decapsulation
- manual with fuming nitric acid (HNO3) and acetone at 60°C
- automatic using a mixture of HNO3 and H2SO4
- full or partial
- from front side and from rear side

Today: more challenging due to small and BGA packages
Slide 12. Invasive attacks: imaging

Optical imaging
- resolution is limited by optics and the wavelength of the light: R = 0.61 λ / NA = 0.61 λ / (n sin θ); best is 0.18 µm technology
- reduce the wavelength of the light using UV sources
- increase the angular aperture, e.g. dry objectives have NA = 0.95
- increase the refraction index of the medium using immersion oil (n = 1.5)

Today: optical imaging is replaced by electron microscopy

Bausch & Lomb MicroZoom, 50× 2×, NA = 0.45; Leitz Ergolux AMC, 100×, NA = 0.9
Slide 13. Invasive attacks: reverse engineering

Reverse engineering: understanding the structure of a semiconductor device and its functions
- optical, using a confocal microscope (for >0.5 µm chips)
- deprocessing is necessary for chips with smaller technology

Picture courtesy of Dr Markus Kuhn
Slide 14. Invasive attacks: microprobing

Microprobing with fine electrodes
- eavesdropping on signals inside a chip
- injection of test signals and observing the reaction
- can be used for extraction of secret keys and memory contents
- limited use for 0.35 µm and smaller chips
Slide 15. Invasive attacks: microprobing

Laser cutting systems
- removing the polymer layer from a chip surface
- local removal of the passivation layer for microprobing attacks
- cutting metal wires inside a chip
- at most the second metal layer can be accessed

Picture courtesy of Dr Markus Kuhn
Slide 16. Invasive attacks: chip modification

Today: Focused Ion Beam workstation
- chip-level surgery with 10 nm precision
- create probing points inside smartcard chips, read the memory
- modern FIBs allow backside access, but require special chip preparation techniques to reduce the thickness of the silicon

Picture: Oliver Kömmerling
Picture courtesy of Dr Markus Kuhn
Slide 17. Semi-invasive attacks

Filling the gap between non-invasive and invasive attacks
- less damaging to the target device (decapsulation without penetration)
- less expensive and easier to set up and repeat than invasive attacks

Tools
- IC soldering/desoldering station
- simple chemical lab
- high-resolution optical microscope
- UV light sources, lasers
- oscilloscope and logic analyser
- signal generator
- PC with data acquisition board
- FPGA board
- prototyping boards
- special microscopes (laser scanning, infrared etc.)
Slide 18. Semi-invasive attacks: sample preparation

Decapsulation
- manual with fuming nitric acid (HNO3) and acetone at 60°C
- automatic using a mixture of HNO3 and H2SO4
- full or partial
- from front side and from rear side

Today: more challenging due to small and BGA packages
Slide 19. Experimental setup

Sample preparation for modern chips (<0.5 µm and >2M)
- only the backside approach is effective
- it is very simple and inexpensive
- no chemicals are required
Slide 20. Semi-invasive attacks: imaging

Backside infrared imaging
- microscopes with IR optics give better image quality
- IR-enhanced CCD cameras or special cameras must be used
- resolution is limited to ~0.6 µm by the wavelength of the light used
- view is not obstructed by multiple metal layers
Slide 21. Semi-invasive attacks: imaging

Backside infrared imaging
- Mask ROM extraction without chemical etching
- Today: the main option for 0.35 µm and smaller chips
- multiple metal wires do not block the optical path

Texas Instruments MSP430F112 microcontroller, 0.35 µm
Motorola MC68HC705P6A microcontroller, 1.2 µm
Slide 22. Semi-invasive attacks: laser imaging

OBIC imaging techniques: active photon probing
- photons ionize the IC's regions, which results in a photocurrent flow
- used for localisation of active areas

LIVA imaging: active photon probing on a powered-up chip
- the photon-induced photocurrent is dependent on the transistor state
- reading the logic state of CMOS transistors inside a powered-up chip

Requires the backside approach for 0.35 µm and smaller chips
- multiple metal wires do not block the optical path

[Figure: sensitivity images (mV) of a Microchip PIC16F84A microcontroller: optical image of the fuse, OBIC laser image of the fuse, LIVA laser image of the SRAM]
Slide 23. Semi-invasive attacks: fault injection

Optical fault injection attacks
- optical fault injection was observed in my experiments with microprobing attacks in early 2001, introduced as a new method in 2002
- led to new powerful attack techniques and forced chip manufacturers to rethink their design and bring better protection
- original setup involved an optical microscope with a photoflash and a Microchip PIC16F84 microcontroller programmed to monitor its SRAM
Slide 24. Semi-invasive attacks: fault injection

Optical fault injection attacks
- the chip was decapsulated and placed under a microscope
- light from the photoflash was shaped with an aluminium foil aperture
- the physical location of each memory address was found by modifying memory contents
- the setup was later improved with various lasers and a better microscope

Today: backside approach for 0.35 µm and smaller chips
- successfully tested on chips down to 90 nm

[Figure: SRAM bit map of the PIC16F84, BIT 0 to BIT 7]
Slide 25. Semi-invasive attacks: fault injection

Localised heating using cw lasers
- test board with PIC16F628 and PC software for analysis
- permanent change of a single memory cell on a 0.9 µm chip

Today: influence is limited for modern chips (<0.5 µm)
- adjacent cells are affected as well

[Figure: two plots of memory bits erased (0 to 4) against time (0 to 600 s)]
Slide 26. New fault injection attacks

Data protection with integrity check
- verify memory integrity without compromising confidentiality

How secure is the "No Readback" solution?
Slide 27. New fault injection attacks

Authentication using encryption
- verify that a user knows the secret key by asking him to encrypt a message with his key

How secure is the "No Readback" scheme against key extraction?
Slide 28. Where is the key?

Flash memory prevails
- usually stores IP, sensitive data, passwords and encryption keys
- widely used in microcontrollers, smartcards and some FPGAs
- non-volatile (live at power-up) and reprogrammable; it can be OTP
- low-power (longer battery life)

How secure is Flash memory storage?
- used in smartcards and secure memory chips, so it has to be secure
- used in secure FPGAs by Actel, marketed as "virtually unbreakable"

Vulnerabilities of Flash memory found during my research
- power glitching influence on data read from memory (Web 2000)
- optical fault injection changes data values (CHES 2002)
- laser scanning techniques reveal memory contents (PhD 2004)
- data remanence allows recovery of erased data (CHES 2005)
- optical emission analysis allows direct data recovery (FDTC 2009)
Slide 29. Attacking Flash memory

Flash memory structure
- high voltages required for operation
- narrow data bus
- dedicated control logic
Slide 30. Bumping attacks

"Bumping" is a certain type of physical attack on door locks

Memory "bumping attacks" are a new class of fault injection attacks aimed at the internal on-chip integrity check procedure
Slide 31. Bumping attacks

- simple "bumping" is aimed at blocks of data down to the bus width
- "selective bumping" is aimed at individual bits within the bus
Slide 32. New challenge

90 nm secure ARM microcontroller with AES crypto-engine
- secure memory for AES-128 key storage
- permanent JTAG disable fuse
- code is executed from the internal SRAM, which can be loaded from AES-encrypted external NAND, SD or SPI Flash memory
- once activated the AES key is read protected and cannot be altered
- other security measures are also in place
Slide 33. Results

Analysis of the selective bumping phenomenon using the secure microcontroller with AES authentication
- hardware setup was built based on the evaluation kit and JTAG debugging
- the chip was supplied pre-programmed with a test AES key by the industrial sponsor

A non-invasive power supply glitching attack was found
- glitching time was adjusted in 25 ns steps
- bumping: 2^15 attempts per 16-bit word, 100 ms cycle, 8 hours for the AES key
- selective bumping: 2^7 attempts per 16-bit word, 2 minutes for the AES key
Slide 34. Attack time on a 128-bit block

Without any improvements: brute force search
- requires on average 2^127 attempts

Bumping: down to bus width
- 8-bit bus: 2^7 × 16 = 2^11 attempts
- 16-bit bus: 2^15 × 8 = 2^18 attempts
- 32-bit bus: 2^31 × 4 = 2^33 attempts

Selective bumping: down to a single bit in limited steps
- 8-bit bus: (1+8+7+6+5+4+3+2+1) × ½ × 16 ≈ 2^8 attempts
- 16-bit bus: (1+16+15+...+2+1) × ½ × 8 ≈ 2^9 attempts
- 32-bit bus: (1+32+31+...+2+1) × ½ × 4 ≈ 2^10 attempts

In a real attack the complexity could be higher due to the granularity of the delay time and timing jitter
- 32-bit bus: (1+32+31+...+2+1) × ½ × 4 × 8 × 4 ≈ 2^15 attempts
Slide 35. New challenge

Embedded memory bus width really matters
- CPU: from 8-bit to 32-bit
- FPGA: from 32-bit to 2048-bit and more

Actel® ProASIC3®: 0.13 µm, 7 metal layers, Flash FPGA
- "live at power-up, low-power, highly secure, impossible to copy"
- "offer one of the highest levels of design security in the industry"
- "unique in being reprogrammable and highly resistant to both invasive and noninvasive attacks"
- "even without any security measures (such as FlashLock with AES), it is not possible to read back the programming data from a programmed device. Upon programming completion, the programming algorithm will reload the programming data into the device. The device will then use built-in circuitry to determine if it was programmed correctly."
- other security measures: voltage monitors, internal charge pumps, asynchronous internal clock, lack of information about JTAG etc.
Slide 36. Experimental setup

Sample preparation of the ProASIC3 FPGA: front and rear
- the surface is covered with a sticky polymer which needs to be removed for physical access to the surface
- >99% of the surface is covered with the supply grid or dummy fillers
- backside: low-cost approach used without any special treatment
Slide 37. Experimental setup

Sample preparation: front
- only the three top metal layers are visible at most
- full imaging will require de-layering and scanning electron microscopy
- any invasive attack will require sophisticated and expensive equipment
Slide 38. Experimental setup

Actel ProASIC3 Flash-based A3P250 FPGA
- limited information is available, but designs are loaded via JTAG
- memory access via JTAG for Erase, Program and Verify operations
- "there is NO readback mechanism on PA3 devices"
- soon after the introduction of optical fault attacks I warned Actel about possible outcomes for Flash technology, but they showed no interest

Backside optical fault injection attack setup
- chip on a test board under a microscope with 20× objective and 1065 nm laser
Slide 39. Results

- Locating Flash and active areas is easy via laser scanning
- the JTAG interface was used for communication in Verify mode
- sensitive locations were found with exhaustive search

20 µm grid: black = data corrupted, white = matching all '1'
Slide 40. Results for bumping

Using SPA for timing analysis: cannot detect data timing
- the verification result is available after each block of 832 bits
- 2300 blocks per array, 26 32-bit words per block

Data extraction time: 18 years per block, 40000 years per chip
- 2^31 attempts per word, 26 words per block, 10 ms per cycle
Slide 41. Results for selective bumping

Using SPA results as a time reference
- block verification 40 µs, 26 32-bit words per block, 1.5 µs per word
- laser switching time was adjusted in 25 ns steps
- searching for a single '0' bit, then two '0's and so on until passed

Data extraction time: 30 minutes per block, 50 days per chip
- 2^13 attempts per word, 26 words per block, 10 ms per cycle
Slide 42. Limitations

Slow process
- depends on the implementation of data verification or authentication

Precision timing is not necessary
- slowly increase the delay until the effect is observed

Selective bumping attacks have partial repeatability
- individual bits within a memory row have different path lengths
- slight variation between memory rows due to transistor parameters

Fault attacks can be carried out with glitching or optically
- optical attacks on modern chips require the backside approach

Precise positioning for optical attacks is not necessary, but a stable optical bench is required for a long-run attack

Security with no readback is not the only one in ProASIC3
- passkey access protection, AES encryption, security fuses
Slide 43. Improvements

Moving away from semi-invasive attacks toward non-invasive attacks, as in the example of AES key extraction from the secure microcontroller
- easier to set up for deep-submicron chips
- faster to get the result
- poses a larger threat to hardware security

One approach is to use the data remanence effect to help with bumping through threshold voltage adjustment
- S. Skorobogatov: Data Remanence in Flash Memory Devices, CHES 2005, LNCS 3659, pp. 339-353

In Actel ProASIC3 FPGAs the VCC core supply voltage does not have enough influence on the VTH of the Flash cells, hence the need to somehow influence the read sense amplifiers
Slide 44. New challenge

Non-invasive attack on the Actel® ProASIC3® Flash FPGA
- "unique in being reprogrammable and highly resistant to both invasive and noninvasive attacks"
- "on-board security mechanisms prevent access to the programming information from noninvasive attacks"
- "special security keys are hidden throughout the fabric of the device, preventing internal probing and overwriting. They are located such that they cannot be accessed or bypassed without destroying the rest of the device, making both invasive and more subtle noninvasive attacks ineffective."
- other security measures: voltage monitors, internal charge pumps, asynchronous internal clock and lack of information about JTAG

Mission Impossible 1: bypass multiple security protections
- gain low-level control over the internal Flash hardware control logic and interfere with the read sense amplifiers to influence VTH - VREF
Slide 45. Ways to approach

Ask Actel if the chip has any backdoors or special features
- even under the strictest NDA Actel would not admit the device has any backdoor access, even if there were such

Straightforward invasive reverse engineering (40k gates)
- open up the chip and remove layer by layer using deprocessing techniques
- take high-resolution digital photos and combine them into the layout map
- create a transistor-level netlist of the device and convert it into gate level
- organise gates into functional units and groups
- simulate the whole system and find hidden functions and bugs
- 6 to 12 months to extract the design at 300k to 2M EUR cost
- 3 to 12 months to analyse the data
Slide 46. Ways to approach

Do a bit of research
- Google it for code examples, disclosed information, patents
- programming files with security settings
- hint on VTH compensation for RT devices
- use development tools to generate programming files, use them and eavesdrop on the JTAG communication; it is simpler
- the STAPL high-level language is used, which is self-explanatory
- company website and distributors for clues on the security
- release notes and product descriptions mention "dual-key security"
- "board with a dual-key M1AFS600 device"

Why is the "dual-key security" not mentioned in any Actel datasheets, press releases or white papers???
Slide 47. Secure AES-128 update in Actel FPGA

Designed to prevent IP theft, cloning and overbuilding
- A3P600 vs M1A3P600 (ProASIC3 FPGA family)
- if certain vendor IP cores are used (Cortex-M1) there is no user protection
- the user AES DMK is used for Actel IP core protection (DMK = M1 key)
Slide 48. Dual-key security in Actel FPGA

What problem does the dual-key security solve?
- IP core royalty control without compromising user security
- "The system enables application development with the ARM Cortex-M1 and/or with your own optional AES key (owing to dual-key feature) in mixed-signal M1-enabled Fusion devices."
- AFS600 vs M1AFS600 (Fusion mixed-signal FPGA family)
- the user AES DMK protects the user's IP and the 2nd key is for the vendor IP
- when protection for both user IP and vendor IP is required then AES Key = H(user key, vendor key), H a secure hash function
- in the M1AFS600 the 2nd key = M1 key; what is the 2nd key in the AFS600?
Slide 49. How can the AES key be attacked?

Invasive attacks (expensive)
- partial reverse engineering followed by microprobing

Semi-invasive attacks (affordable)
- optical fault injection attack (Skorobogatov, Anderson, CHES 2002)
- optical emission analysis (Skorobogatov, FDTC 2009)

Non-invasive attacks (simple)
- side-channel attacks such as SPA, DPA, CPA, EMA, DEMA
- poor signal-to-noise ratio of about -15 dB due to low-power operation and multiple sources of noise (clocks, pumps, acquisition)

What can be done if the AES key is known
- decrypt the bitstream configuration and clone the design
- decrypt the internal Flash ROM configuration
- authenticate the device and gain access to reconfiguration features
Slide 50. How long does it take to get the AES key?

Initial evaluation time for all attacks: from 1 week to 1 month

Invasive attacks (microprobing)
- 1 day with FIB and probing station

Semi-invasive attacks (side-channel and fault attacks)
- 1 week / 1 hour with optical emission analysis (FDTC 2009)
- 1 hour with optical fault injection attack (CHES 2002)

Non-invasive attacks (side-channel attacks)
- 1 day with a low-cost DPA setup: resistor in the VCC core supply line, oscilloscope with active probe and PC with MatLab software
- 1 hour / 10 minutes with commercial DPA tools (DPA Workstation from Cryptography Research Inc. or Inspector SCA from Riscure)
- 1 second with the DVL-2 board using a special SCA sensor from DVL
- 0.01 second with the DVL/Espial tester using the breakthrough approach to power analysis technique from DVL
Slide 51. Quest for the factory secret master key

Reverse engineering of the STAPL file for the M1AFS600
- source: Google search that revealed the Cortex-M1 Fusion Kit software CD
Slide 52. Results

What can be done if the factory secret master key is known?
- turn some ROM areas into reprogrammable Flash areas
- reprogram low-level features
- access shadow areas
- access hidden JTAG registers
- find the JTAG registers responsible for controlling the read sense amplifiers, such that VREF can be adjusted

Actel's big security mistake
- all Actel 3rd generation Flash FPGA devices (ProASIC3, ProASIC3L, ProASIC3 nano, Igloo, Igloo plus, Igloo nano, Fusion, SmartFusion) share the same factory secret master key
- thanks to an irresponsible corporate security strategy many Flash FPGA devices can now be manipulated

Do we really have to go that long way to find the factory key?
- YES, because it is roughly a million times harder to break the factory key than the AES key through side-channel leakage
Slide 53. Experimental setup

Non-invasive bumping attack on the Actel ProASIC3 Flash-based A3P250 FPGA
- memory access via JTAG for Erase, Program and Verify operations
- "there is NO readback mechanism on PA3 devices"
- the secret JTAG registers set VREF close to the VTH of the Flash cells
- the test board glitches VCC to influence the VTH of the Flash cells
Slide 54. Results for bumping

Using SPA results as a time reference
- the verification result is available after each block of 832 bits
- 2300 blocks per array, 26 32-bit words per block

Two ways of approaching
- set VREF < min(VTH) to flip all bits to '1'
- set VREF > max(VTH) to flip all bits to '0'
- power glitching of VCC for the duration of N words and search for the matching value
- change VREF and repeat the VCC glitching until all bits are found
- number of bits changed at a time: from 1 to 4

Data extraction time: 5 days per block, 30 years per chip
- 2^21 attempts per word, 26 words per block, 10 ms per cycle
Slide 55. Results for selective bumping

Using SPA results as a time reference
- block verification 40 µs, 26 32-bit words per block, 1.5 µs per word
- set VREF < min(VTH) to flip all bits to '1'
- glitch VCC at the time when the word value is latched into the internal register, adjusting the timing in 25 ns steps
- search for a single '0' bit, then two '0's and so on until passed

Data extraction time: 20 minutes per block, 30 days per chip
- 2^12 attempts per word, 26 words per block, 10 ms per cycle

Simpler and faster than semi-invasive optical bumping
- no need for expensive hardware
- the maximum attack complexity is for the power analysis
- twice as fast
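To make the bumping and selective bumping procedures and the attack-time estimates concrete, here is a Python model, added for this page and not part of the slides or of any vendor tool. It implements a "no readback" Verify oracle over a block, where the glitch controls how many bits of a word escape the bump (the rest read as '1', as with VREF pulled below min(VTH)), and runs the "single '0', then two '0's, and so on until passed" search described for the A3P250 both optically and with VCC glitching. The formula functions reproduce the counts from the attack-time slide (brute force, bumping to bus width, selective bumping with and without the timing factor). The target block, the per-word order in which bits leave the bump, and all class and function names are constructed for the example.

```python
"""Bumping / selective bumping against a 'no readback' Verify oracle (added example)."""
import math
import random


def bumping_attempts(bus_bits, block_bits=128):
    """Plain bumping: all words but one are bumped to a known value (all '1') and the
    remaining word is brute-forced through Verify: 2^(bus-1) average attempts per word."""
    return 2 ** (bus_bits - 1) * (block_bits // bus_bits)


def selective_bumping_attempts(bus_bits, block_bits=128, timing_factor=1):
    """Slide estimate: bits leave the bump one per delay step, the k-th revealed bit can
    sit at any of bus-k+1 untested positions and half are tried on average; timing_factor
    covers delay granularity and jitter (8 x 4 on the slide)."""
    positions = 1 + sum(range(1, bus_bits + 1))
    return positions * 0.5 * (block_bits // bus_bits) * timing_factor


def log2_rounded(x):
    return round(math.log2(x))


def extraction_time_s(attempts_per_word, words_per_block, blocks, cycle_s):
    return attempts_per_word * words_per_block * blocks * cycle_s


class NoReadbackVerify:
    """The only interface is Verify(candidate) -> pass/fail over one block. The glitch
    decides per word how many bits the sense amplifiers deliver correctly (in order of
    each bit's path length); every other bit reads '1'."""

    def __init__(self, block, word_bits, reveal_orders):
        self.block = list(block)
        self.word_bits = word_bits
        self.orders = reveal_orders          # constructed per-word bit order, unknown to the attacker
        self.queries = 0

    def _bumped_read(self, i, revealed):
        mask = sum(1 << pos for pos in self.orders[i][:revealed])
        ones = (1 << self.word_bits) - 1
        return (self.block[i] & mask) | (ones & ~mask)

    def verify(self, candidate, reveal_counts):
        self.queries += 1
        return all(self._bumped_read(i, r) == c
                   for i, (c, r) in enumerate(zip(candidate, reveal_counts)))


def selective_bumping_attack(oracle, word_bits, n_words):
    """Recover the block word by word; recovered words are submitted unglitched,
    words not yet attacked are fully bumped so their read value is known."""
    ones = (1 << word_bits) - 1
    recovered = []
    for w in range(n_words):
        def reveal(k):
            return [word_bits] * w + [k] + [0] * (n_words - w - 1)

        def candidate(guess):
            return recovered + [guess] + [ones] * (n_words - w - 1)

        guess, unknown = ones, list(range(word_bits))
        for k in range(1, word_bits + 1):            # one more bit escapes the bump per step
            if oracle.verify(candidate(guess), reveal(k)):
                continue                             # the newly revealed bit is a '1'
            for pos in list(unknown):                # it is a '0' at an unknown position
                trial = guess & ~(1 << pos)
                if oracle.verify(candidate(trial), reveal(k)):
                    guess = trial
                    unknown.remove(pos)
                    break
            else:
                raise RuntimeError("fault model violated: no position passed")
        recovered.append(guess)
    return recovered


def demo(word_bits=32, n_words=4, seed=2011):
    """Constructed target: a random 128-bit block with a random bit path order per word."""
    rng = random.Random(seed)
    block = [rng.getrandbits(word_bits) for _ in range(n_words)]
    orders = []
    for _ in range(n_words):
        order = list(range(word_bits))
        rng.shuffle(order)
        orders.append(order)
    oracle = NoReadbackVerify(block, word_bits, orders)
    recovered = selective_bumping_attack(oracle, word_bits, n_words)
    return recovered == block, oracle.queries


if __name__ == "__main__":
    ok, queries = demo()
    print("block recovered:", ok, "with", queries, "Verify calls")
    print("estimate 32-bit bus: 2^%d" % log2_rounded(selective_bumping_attempts(32)))
```

demo() recovers a random 128-bit block with on the order of a thousand Verify calls, in line with the 2^10 figure on the attack-time slide, against 2^33 for plain bumping and 2^127 for brute force; extraction_time_s(2**31, 26, 1, 0.01) gives the 18 years per block quoted for plain bumping on the A3P250. The worst case of the search is bounded because a '0' is found after at most as many trials as there are untested positions.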
Slide 56. Countermeasures

- Encryption and redundancy checks make analysis harder but not impossible
- Asynchronous circuits could make the attack more problematic, as bumping requires predictable timing
- Dummy cycles will pose certain challenges to the attacker
- To develop adequate protection you must know how your device was attacked and compromised
- Never use your factory secret master key for authentication
- Never use the same master key in all of your products
- Use strong enough keys as passwords; be creative: some devices have hexspeak as a part of the key/password: DEADBEEF, BABE, BAD, 999, BEEF, A11
- Understanding the core of a problem is vital (key handling)
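Three of the countermeasures above concern key handling: do not reuse a master key across products, combine keys through a hash, and do not let hexspeak or other hand-picked values into a key. The Python below, added here and not from the slides or from Actel, shows one way to do each: per-product key diversification with HMAC-SHA256, a dual-key combination AES Key = H(user key, vendor key) with H instantiated as SHA-256 over a domain-separated, length-prefixed encoding, and a weak-key screen for the hexspeak fragments listed on the slide, low byte entropy and repeated 32-bit words. The constructions, labels and thresholds are assumptions made for the example; the page does not say which H Actel uses or how its keys are diversified.

```python
"""Key handling helpers: diversification, dual-key combination, weak-key screen (added example)."""
import hashlib
import hmac
import math

# Hexspeak fragments named on the slide; any of them in a key's hex string is a red flag.
HEXSPEAK = ("DEADBEEF", "BABE", "BAD", "999", "BEEF", "A11")


def weak_key_reasons(key):
    """Return the reasons a key or passkey looks hand-picked rather than random
    (empty list = nothing found). Thresholds are assumptions for this example."""
    reasons = []
    hexstr = key.hex().upper()
    for word in HEXSPEAK:
        if word in hexstr:
            reasons.append("hexspeak pattern %s" % word)
    counts = {}
    for b in key:
        counts[b] = counts.get(b, 0) + 1
    entropy = -sum(c / len(key) * math.log2(c / len(key)) for c in counts.values())
    if entropy < 3.0:                      # a random 16-byte key scores close to 4 bits/byte
        reasons.append("low byte entropy (%.2f bits/byte)" % entropy)
    chunks = [key[i:i + 4] for i in range(0, len(key), 4)]
    if len(set(chunks)) < len(chunks):     # e.g. DEADBEEF repeated to fill 128 bits
        reasons.append("repeated 32-bit pattern")
    return reasons


def derive_product_key(master_key, product_id, length=16):
    """Per-product key diversification with HMAC-SHA256 (assumed construction): the
    master key never leaves the signing facility and no two products share a key, so
    one compromised device does not expose the whole range."""
    tag = hmac.new(master_key, b"product-key|" + product_id, hashlib.sha256).digest()
    return tag[:length]


def combine_keys(user_key, vendor_key, length=16):
    """AES Key = H(user key, vendor key) with H chosen here as SHA-256 over a
    domain-separated, length-prefixed encoding (an assumption, not Actel's scheme)."""
    h = hashlib.sha256()
    h.update(b"dual-key|")
    h.update(len(user_key).to_bytes(2, "big") + user_key)
    h.update(len(vendor_key).to_bytes(2, "big") + vendor_key)
    return h.digest()[:length]


if __name__ == "__main__":
    # Constructed inputs for the demonstration.
    print(weak_key_reasons(bytes.fromhex("DEADBEEF" * 4)))
    print(weak_key_reasons(bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")))
    master = bytes(range(32))
    print(derive_product_key(master, b"A3P250").hex(), derive_product_key(master, b"AFS600").hex())
```

The length prefixes in combine_keys prevent two different (user, vendor) pairs from hashing to the same key by shifting bytes between the halves; the domain-separation labels keep the diversification and combination hashes from ever colliding with each other even when fed the same bytes.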


Slide 57. Defence technologies: tamper protection

Old devices
- security fuse is placed separately from the memory array (easy to locate and defeat)
- security fuse is embedded into the program memory (hard to locate and defeat); a similar approach is used in many smartcards in the form of password protection and encryption keys
- moving away from building blocks which are easily identifiable and have easily traceable data paths

Motorola MC68HC908AZ60A microcontroller; Scenix SX28 microcontroller
1<
Defence technologies: tamper protection
- Help came from chip fabrication technology
  - planarisation as a part of the modern chip fabrication process (0.5µm or smaller feature size)
  - glue logic design makes reverse engineering much harder
  - multiple metal layers block any direct access
  - small size of transistors makes attacks less feasible
  - chips operate at higher frequency and consume less power
  - smaller and BGA packages scare off many attackers
[Figures: 0.9µm microcontroller; 0.5µm microcontroller; 0.13µm FPGA]
59
Defence technologies: tamper protection
- Additional protections
  - top metal layers with sensors
  - voltage, frequency and temperature sensors
  - memory access protection, crypto-coprocessors
  - internal clocks, power supply pumps
  - asynchronous logic design, symmetric design, dual-rail logic
  - ASICs, secure FPGAs and custom-designed ICs
  - software countermeasures
[Figures: STMicroelectronics ST16 smartcard; Fujitsu secure microcontroller]
60
Defence technologies: what goes wrong?
- Security advertising without proof
  - no means of comparing security, lack of independent analysis
  - no guarantee and no responsibility from chip manufacturers
  - wide use of magic words: protection, encryption, authentication, unique, highly secure, strong defence, unbreakable, impossible, cannot be attacked, uncompromising, buried under metal layers
- Constant economic pressure on cost reduction
  - less investment, hence cheaper solutions and outsourcing
  - security via obscurity approach
- Quicker turnaround
  - less testing, hence more bugs
- What about back-doors?
  - access to the on-chip data for factory testing purposes
  - how reliably was the factory testing feature disabled?
  - how difficult is it to attack the access port?
61
Defence technologies: how it fails
- Microchip PIC microcontrollers: security fuse bug (command)
  - security fuse can be reset without erasing the code/data memory
- Atmel AVR microcontrollers: security fuse bug (glitch attack)
  - security fuse can be reset without erasing the code/data memory
- Hitachi smartcard: information leakage on a product's CD
  - full datasheet on a smartcard was placed by mistake on the CD
- Actel secure FPGA: programming software bug
  - devices were always programmed with a 00..00 passkey
- Xilinx secure CPLD: programming software bug
  - security fuse incorrectly programmed, resulting in no protection
- Maxim/Dallas SHA-1 secure memory: factory setting bug
  - some security features were not activated, resulting in no protection
- Other examples
  - insiders, datasheets of similar products, development tools
  - solution: test real devices and control the output
62
Future work
- Data remanence analysis of embedded Flash in chips
- Testing other chips for strength against firmware and secret key extraction beyond 90nm technology
- Improving fault attacks with new techniques
- Mission Impossible 2: recover the erased data
  - according to Actel it is "virtually impossible" to extract the information from the Actel ProASIC3 Flash-based FPGA
  - how about recovering the information after it has been erased?
  - quite a common situation if you have overproduction of your highly secure designs and then decide to switch to another product; if you have pre-programmed secure chips left you might erase them into the initial state and sell them on the market; that means those chips will no longer have any security fuses activated, but just the 'No readback' feature and data remanence within the Flash memory
63
Conclusions
- Fault injection attacks are dangerous and can compromise the security of chips; evaluation and protection are necessary
- Backside approach helps in modern chips; it is simple to do and does not require expensive optics and precise positioning
- Embedded memory is more secure than encrypted external memory storage, and an encrypted bitstream is even less secure
- Attack technologies are constantly improving, so should the defence technologies
- There is no such thing as absolute protection
  - given enough time and resources any protection can be broken
- Defence should be adequate to anticipated attacks
  - security hardware engineers must be familiar with attack technologies to develop adequate protection
  - many vulnerabilities were found in secure chips and more are to be found, posing challenges to hardware security engineers
64
References
- Slides
  http://www.cl.cam.ac.uk/~sps32/ECRYPT2011d1.pdf
- Literature:
  http://www.cl.cam.ac.uk/~sps32/
  http://www.cl.cam.ac.uk/~sps32/#Publications
