1. Timing Attacks

2. What are Timing Attacks ?
The term “Timing Attack” was first introduced at CRYPTO'96 in Paul Kocher's paper
Few other theoretical approaches without practical experiments up to the end of 97’
Theory was put into practice in early 98’
Timing attacks belong to the large family of "side channel" attacks

3. What are Timing Attacks ?
Principle of Timing Attacks :
Secret data are processed in the card
Processing time
depends on the value of the secret data
leaks information about the secret data
can be measured (or at least their differences)
Practical attack conditions
Possibility to monitor the processing of the secret data
Have a way to record processing times
Have basic computational & statistical tools
Have some knowledge of the implementation

4. What are Timing Attacks ?
Everything performed unconditionally before the test
A test based on secret data is performed
that leads to a boolean decision
True
False 
Depending on the boolean condition,
the process may be long (t1) or short (t2)
Everything performed unconditionally after the test

5. Case Study Attack on a PIN Code Verification

6. PIN Code Verification Secret data are stored in the smart card
Example : a PIN code, 8 bytes long
Like passwords on a PC, authentication is based on this secret
A dedicated function exists in the smart card software :
The ‘VerifySecret’ command which:
Receives the challenge (proposed value for the PIN code)
Compares the challenge with the stored PIN
Grants access rights if the comparison is successful

7. PIN Code Verification LEVEL 1
Pseudo-code for the "VerifySecret" command IN
P = PIN code value stored in the card
C = Challenge (proposed value for the PIN)
OUT
‘KO’ or ‘OK’
VERIFY SECRET
For b = 0 to 7
If C[b] != P[b]
then return ‘KO’
Return 'OK’

8. PIN Code Verification LEVEL 1
Attack implementation
Propose the n possible values of C[0] (256 values)
Measure [n] the corresponding command duration
Compute the maximum command duration [n0]
[n0] = max([n]), n Î {0, …, 255}
n0 is the solution P[0] for the first byte of the PIN code
C[0] being known, iterate successively for all C[i]
Complexity
Number of comparisons: 8 * 256 = (instead of 2568)

9. PIN Code Verification LEVEL 2
Possible counter-measure
To defeat this attack one may think of adding a random delay during the execution:
Generate a random delay a uniformly distributed
a Î{0, , 2, 3, …, r} with 0  r  255
 is an elementary time unit
Wait a time units whatever the command status 'KO' or 'OK'
Follow the same implementation as the previous one

10. PIN Code Verification LEVEL 2
True
False

11. PIN Code Verification LEVEL 2
Attack idea
It is possible to know what would be the duration for processing a challenge as if there were no delay
if (C[0]=P[0]) ; return KO
Wrong candidates
t1 + … …  2 3 4 …  255
time
if (C[0]=P[0]) ; if (C[1]=P[1]) ; ...
Right candidate
t2 + … …  2 3 4 …  255
time

12. PIN Code Verification LEVEL 2
Random delay elimination
For each n (n is the candidate C[0] for the first PIN code byte)
Acquire a series of N command execution durations i[n]
The minimum duration corresponds to a a = 0 random delay (with high probability, if N is chosen large enough)
Consider the corresponding min[n] run time value
Attack implementation
Get rid of the random delay for each candidate (min [n])
Apply the previous attack scheme
Complexity
Number of comparisons: 8*256*N (still much more efficient than 2568)

13. PIN Code Verification LEVEL n
More complicated counter-measures may be thought of...
Add a binomial (rather than uniform) random delay …
…but they also may be defeated by more clever attacks !!

14. PIN Code Verification CONCLUSION
A typical example of insecure smart card software
Can happen in any routine processing secret data
Secret values comparison
Memory scanning and loading
Checksum computation
Counter-measures evaluation
Adding a delay is definitely not the good alternative
Good counter-measure
Check all bytes at all times
decrease/increase ratification counter with backup
Dynamic enciphered PIN

15. Power Analysis Attacks

16. Summary Introduction to Power Analysis
Experimental equipment
Information leakage through the power
Example : reverse engineering of an algorithm
The algorithm structure
Electrical signatures
Single Power Analysis (SPA)
Attack against the DES key schedule
Attack against RSA
Conclusion
Counter-measures

17. Power Analysis Basic Principles
ICC's Power Consumption leaks information about data processing
Power Consumption = f(processing, data)
Deduce information about secret data and processing
empirical methods
statistical treatment
Example : reverse engineering of an algorithm
The algorithm structure
Electrical signatures
Single Power Analysis (SPA)
Attack against the DES key schedule
Attack against RSA

18. Power Analysis Tools  5V

19. Experimental equipment
Devices for monitoring the current consumption of a chip

20. Information leakage The power consumption of a chip depends on
the manipulated data
the executed instruction
Leakage models
Hamming Weight of the data, address, code Op
HW(0) = 0
HW(1) = HW(2) = HW(4) = HW(2n) = 1
HW(3) = HW(5) = HW(6) = HW(9) = 2 …
HW(255) = HW(0xFF) = 8
Transitions weight (flipping bits on a bus state) :
HW (statei Å statei-1)
Other models, chips & technologies …

21. Load P1 and XOR with P2 = 0 (P1 Å P2 with P1 = 0, 1, 7, 255)
Information leakage
Load P1 and XOR with P2 = 0 (P1 Å P2 with P1 = 0, 1, 7, 255)
P1 = 0 = 0x00
P1 = 1 = 0x01
P1 = 7 = 0x07
P1 = 255 = 0xFF
Signatures
1 cycle
1 cycle
1 cycle
1 cycle
1 cycle
1 cycle
Load P1 into accumulator (3 cycles)
P1 Å P2 (3 cycles)

22. Information leakage HW (P1 Å 184), for P1 = 0, 255 Hamming weight
Consumption (instant slice on 256 traces)

23. Power trace of an algorithm
KEY (64 bits)
PC1 PERMUTATION
REDUCED KEY (56 bits)
PLAIN TEXT R0
R1 = L0  f (R0 , K1) f
CIPHER TEXT
INITIAL PERMUTATION (IP) L0
L1 = R0
L2 = R1
R2 = L1  f (R1 , K2)
R15 = L14  f (R14 , K15)
L15 = R14
L16 = R15
R16 = L15  f (R15 , K16)
IP-1 K1
KeySchedule1
K16
Key Schedule16 K2
KeySchedule2
Data
Encryption
Standard
Typical SK block cipher
key schedule
Feistel scheme
16 rounds

24. Power trace of an algorithm
Content of a DES round (with key schedule)
Li-1
Expansive Permutation
Key
Ri-1
Substitution Boxes
(8 LUT)
P Permutation Ri Li
PC2 Permutation
Key Shift
32 bits
56 bits
48 bits
28 bits

25. Power trace of an algorithm : DES
MAX
AVERAGE
MIN
Duration = 5 ms IP
PC1
16 rounds
16 patterns
IP-1

26. Power Analysis Profiles
Raw data
Power
Time

27. Power Analysis Profiles
Raw data, zoomed in
Power
Time
1ms
Time

28. Power Analysis Profiles
Raw data, zoomed out
Power
Time
1ms

29. Simple Power Analysis Simple (Single) Power Analysis context
Find out a secret or private key
Known algorithm
Unknown implementation (background culture recommended)
Conditions
1 card available
Learning phase required (signature location)
Key inference on a single curve (with relevant height of view)
Possibly known plain or ciphertext

30. Case Study SPA attack on RSA
SPA against RSA private exponentiation
s = md mod n
n large modulus, say 1024 bits (n = p * q, with p & q large primes)
m message : slightly smaller than n (say 1023 bits)
s signature
d private exponent such that : e * d  1 mod (p-1)(q-1), with e public exponent
The attacker aims at retrieving d

31. SPA attack on RSA basic “square and multiply” algorithm
exponent bits scanned from MSB to LSB (left to right)
Example : s = m9 = m1001b
init (MSB 1) s = m
round 2 (bit 0) s = m2
round 1 (bit 0) s = (m2 )2 = m4
round 0 (bit 1) s = (m4 )2 * m = m9

32. SPA attack on RSA Test key value : 0F 00 F0 00 FF 00 1 1 1 1 0F F0 FF
SMSMSM
SMSMSMSMSSSS
SMSMSMSMSMSMSMSM
SSSS SSSS
SSSS SSSS
SSSS SSSS 0F F0 FF 00 00 00

33. SPA attack on RSA Key value : 2E C6 91 5B F9 4A 2 0010 E 1 1 10 C C
1 100 6 9
100 1 1
000 1 5 B F 9
100 1 4
0 100 A
10 10
Key value : 2E C6 91 5B F9 4A

34. What you can do with SPA SPA uses implementation related patterns
SPA strategy
algorithm knowledge
reverse engineering phase (signature location)
representation tuning (height of view, zoom, visualisation)
then play with implementation assumptions...
SPA is always specific due to
the algorithm implementation
the applicative constraints
the chip’s technology (electrical properties)
possible counter-measures...

35. Counter-measures Counter-measure : anything that foils the attack !
Trivial counter-measure
prohibit code branches conditioned by the secret bits
Advanced counter-measures
algorithm specification refinement
code structure
data whitening
implementation design based on the chip’s resources
play with instructions set
hardware electrical behaviour (current scrambler, desynchronisation, cryptoprocessor…)

36. Effects of Counter-measures
d =
d = FF 0A FF
d =
Non significant
bits processing
d =
d =
d = FF 0A FF
Non significant
bits processing
S S
M M
One bit processing
Relevant information
SPA possible
SPA resistant !
Although same specified RSA !

37. Differential Power Analysis
required number of acquisitions : 500 to 10,000
prerequisite
physical access to the card under attack
access to either plaintext M or ciphertext C
varying plaintext and constant key
algorithm specifications (MANDATORY)
cost
A few dollars (to a few thousands)
A few days training
Average good level of expertise
Chip and implementation independent

38. Differential Power Analysis
description :
choose a subset (subKi) of n bits of K
perform a statistical test for each possible value of a subKi
Choose the best guess
Iterate on all possible subKi's 1 n K
subKi
2n-1 1 2

39. Differential Power Analysis
DPA statistical test :
a batch of data acquisitions for various messages Mk
the corresponding plaintext Mk or the cipher text Ck
the values of the subKi 1 k
dfdsffb
fdgcxv
lklkjlsdq M0 M1 Mk
2n-1 1 2

40. Differential Power Analysis
DPA statistical test :
selection function D :
sort curves according to Mk or Ck for each value of a subKi
output = image of a target bit of the algorithm

41. Differential Power Analysis
data processing for a value x of a subKi : x D - n 1
lklkjlsdq
fdgcxv Mn
dfdsffb M1 M0
Average

42. Differential Power Analysis
Choosing the right guess 1
2n-1

43. Differential Power Analysis
iterate on all possible sub-keys :
find the remaining bits through exhaustive search 1 n 1 n 1 n 1 n K
subK1
subK2
subK3
subK4 K

44. Differential Power Analysis
How does it work ?
D = 1
D = 1
Average for subKeyi
D = 0
D = 0
Average for subKeyi
DPA peak
Difference for subKeyi

45. Differential Power Analysis
example : DES
first round
S-BOX ouput
subKi : 6bits of the key

46. Differential Power Analysis
wrong subKi
right subKi

47. Countermeasures Secret keys Messages Private exponents Bases Moduli
Add noise
Scramble power consumption or stabilize it
Randomize all sensitive data variables with a fresh mask for every execution of an algorithm
Randomize, randomize, randomize …
Secret keys
Messages
Private exponents
Bases
Moduli

48. Case study on a Combi Card
Suppose all power consumption curves are flat and identical despite different secret RSA exponents (hardware countermeasure).

49. Electromagnetic Analysis on RSA
Tests require a de-capsulation of chip with semi invasive method.
A scanning of surface is needed to find the « good » area where electromagnetic analysis is possible.
The chip is powered by contact reader

50. RSA Signature Algorithm Power and Electromagnetic
First semi exponentiation (Sq)
Second semi exponentiation (Sp)
Power
combination Em

51. Electromagnetic Analysis Zoom in
One byte processed
Power
One bit processed Sq
Mult 1 1 d=
Em1
Em2 1 1 1 1 1 1 1
d=..bf...

52. Radio Frequency Analysis (Contactless Cards)
Tests are non-invasive.
A simple magnetic loop made with copper wire is needed.
An image of the magnetic field, modified by the card’s consumption, is collected.
The chip is powered by a contactless reader.

53. Equipment (1/2)

54. Equipment (2/2)

55. RSA Signature Algorithm Radio Frequency Analysis
First semi exponentiation
Second semi exponentiation
combination

56. Zoom on first semi exponentiation RF1 1 1 1 1 1 1 1 1 9 7 3 6
dq= …

57. Conclusion There are many potential ways to try to attack a smart card
But there are also many ways to counteract and efficiently protect your secrets
Smart Cards achieve the best possible trade-off between cost and security
We try to keep it that way 

58. (Differential) Fault Attacks

59. Introduction
Fault Attacks where first published as a way of jeopardising computations of cryptographic algorithms (RSA, DSA, DES).
However, you can imagine to implement fault attacks on other processes inside a microprocessor.
Fault attacks are real industrial security concern:
To pass some certification, like FIPS140-1 level 3 (US government security certification), you should prove that your system resists to fault attacks.

60. Different types of faults
Transients Faults.
Appear randomly in a system, have various unpredictable causes.
Latent or Internal Faults.
Are the result of hardware or low level software default (floating point unit on Pentium chips,...).
Rarely controllable
Induced Faults.
Appear after intentional stress (E2) or hardware "mutilation”, can be transient or permanent.
Sometimes controllable with knowledge of the physical/chemical/electrical behaviour of the chip.

61. The DFA crisis: 1996 September 96 October 96 November 96
Attack on RSA CRT by Bellcore (EuroCrypt’97)
Attack improvements by Lenstra
October 96
18: DFA on DES by Biham et Shamir
29: Attack on RSA and ElGamal
30: DFA on unknown cryptosystems by Biham & Shamir. «Differential Fault Analysis of Secret Key Cryptosystems» (Crypto’97)
November 96
Attack of CRT on LUC and Demytko by Marc Joye and JJ Quisquater

62. From theory to practice
We will detail major DFA ideas with associated counter-measures concerning:
RSA
DES
Card processes
Note that some of these attacks does not seem really practical.
Some others are quite realistic if the hardware can be tampered with...

63. Attack on standard signature
Hypothesis:
the message m and its signature s= md are known
a fault is injected on one bit i of d
this results in a wrong signature s’=md’
Then :
s’/s = md’-d=m2i mod n if bit i was 0 or
s’/s = md’-d=m-2i mod n if bit i was 1
One bit in random position of the secret exponent is discovered every round.

64. Attack on standard signature
Faults can be induced on more than one bit, making analysis slightly more difficult.
This attack is compatible with transient or permanent faults.

65. Recall on CRT
The Chinese Remainder Theorem is used in RSA in order to speed up exponentiation by a factor of 4.
Exponentiation is performed in three steps
sp = md mod p is computed (in fact, dp is used)
sq = md mod q is computed (in fact, dq is used)
the signature is recombined with CRT as
s = a.sp + b.sq mod n,
The constants a and b are precomputed such that
a = 1 mod p, b = 0 mod p,
a = 0 mod q, b = 1 mod q.

66. Attack on CRT exponentiation
This attack was first published by Lenstra.
Hypothesis:
s, signature of a message m is known.
a fault is injected in the exponentiation mod p.
Due to error injection, sp becomes sp’ s’ = a.sp’ + b.sq mod n,
s’-s= (a.sp’+ b.sq) - (a.sp+ b.sq) mod n
s’-s= a.(sp’- sp) mod n
the prime q divides a and can be retrieved by Gcd.

67. Counter-measures on RSA
Applicative counter-measures
Use a random padding with sufficient variability
Compute the result twice and compare
Verify that se = m mod n when e is known
e is usually a small number, verification is very fast
Algorithmic counter-measures
Gemplus counter-measure on RSA-CRT (patented) intends to protect both half-exponentiations by:
choosing a small random number r
computing spr = md mod pr et sr = md mod r
checking whether spr mod r = sr

68. DES and fault attack
This attack was first published by Biham & Shamir.
The idea is to:
Stress the card in order to erase key bits in E²
Record all the wrong ciphertexts
Compute backwards the initial key
This attack remains theoretical and is based on permanent faults.
However, this attack can be applied to any cryptographic algorithm.

69. DES and fault attack
There are no published counter-measures against this attack.
The classical ways of dealing with fault attacks on secret keys algorithms are:
Self-tests against permanent faults
Check-sums where available
Just Do It Twice

70. Card processes and fault attacks
Fault attacks can be extended to non mathematical processes.
Need some knowledge about the code embedded to synchronise stresses and computations
To localise the sensible place where the fault should happen
To know the probable effect of the fault
These attacks are mainly fought by hardware counter-measures.

71. Hardware aspects of fault attacks
Flaw injection in this case is a hardly controllable and reproducible process.
Implementation is not that easy:
Stress on memories, during read/writing/retention
By means of variations on power supply, frequency
Through various types of radiation
Modifications on hardware mechanism
Using probing or FIB
Buses
Random generators
Crypto-coprocessors
Hardware DES

72. Fault attacks and smart cards
Need expertise in measurements and hardware to implement efficient fault attacks.
Smart cards give many tools to defeat fault attacks:
Tamper-evidence
Security sensors, security mechanisms
Software counter-measures
On algorithms, on secret storage
GEMPLUS is actually researching on that topic, covering attack implementation and counter-measures.

73. Hardware Security

74. Attacks on Smart Cards
Wide range of techniques, requiring various skills, equipment and time:
Invasive Attacks
Side Channel Attacks
Fault Generation
INVASIVE ATTACK: when the card or the chip are physically and irreversibly modified the attack can be consider as an invasive attack.
Find useful additional information
Find secret etched in silicon
Bypass hardware counter-measure 7

75. Side Channel Attacks
Monitor analog signals on all interfaces, and analyze:
Time
Power
Electromagnetic signals
... 7

76. Fault Generation Apply combinations of environmental conditions
input
key
error
Vcc
Clock
Temperature UV
Light
X-Rays
...
and bypass or infer secrets 7

77. Smart card attacks : state of the art
Smart card attack : Physical Security

78. Invasive Attacks Deposit probe pads on a bus
Deposit probe pads through conductive grid
Expose hardwired ROM links
Defeat blown fuse links
Connect tracks
Cut tracks 7

79. Mechanical Probing
Probe the bus with needles and probe station with micro-manipulators
After FIB modification: pads added to probe buried buses
Probe the bus directly (for >0.5µm technologies) Si
DATA BUS

80. E-beam Probing Use e-beam tester to access submicron technologies
Analysis of the secondary electrons gives the voltage value
Top metal layers can be probe with or without adding probe pad with FIB SI
DATA BUS
e-beam
e -
detector

81. Reverse ROM content Reverse the content of the ROM
Remove the top layers of the component by chemical etching or mechanical polishing
Use a microscope to retrieve the content of the ROM
Can always be done for ROM metal, implant or diffusion
The difficulty is: reverse the scrambling and decipher the ROM array

82. ROM Diffusion Connections à la masse Acces ligne (polysililicium)
Acces colonne (metal)

83. Attack on ROM : Diffusion MOS NOR ROM
Remove the top layers
Read the content of the array WL

84. ROM IMPLANT Ionic implantation ROM at low level
Implantation ROM after staining

85. Example 2: Metal ROM
Unused area filled with ‘0’

86. Chip feature modifications
Shunt parts of the circuit
Disconnect sensors
 Fault attacks, Contrast Voltage...
Disconnect the RNG
modify the output of the RNG (stuck at the same value)
Reconstruct polysilicon fuse
Make probing possible to tape data on the bus
Bypass active shield
Add probe pads
Drill holes to probe buried metal lines

87. Circuit modification Metal strap Cut
Connect or disconnect security mechanism
disconnect sensors
RNG stuck at a fixed value
Reconstruct poly-silicon fuse
Add probe pads
make micro-probing of the buried layers possible
Equipment Laser FIB
Metal
strap
Cut 7

88. Chip modification tools
Laser
Local material removal, cut lines
only top layers
bad resolution (2x2µm min)
Availability: FA labs, university
FIB (Focus Ion Beam)
remove or cut metal lines
good resolution & accuracy (10nm)
metal deposition (strap lines, add pads)
can reach buried layers

89. INSECURE Layout analysis EEPROM CPU Shield Glue logic No Buses visible
RAM
INSECURE
Shield
Glue logic
No Buses visible
Blocks can be easily identified
No shield
No glue logic
Buses clearly visible

90. After metal removing

91. (0,18 µm)

92. Hardware security feature evolution
Temperature, Glitch sensors
Active shield
0.35 µm technology
5 metal layers
Glue logic
Internal free oscillator
CPU Freq = 16 MHz
16-bit CPU
Dummy cycles
Encryption of Memories
Sensor improvement
0.18 µm technology
5 metal layers
Internal free oscillator
CPU Freq = 66 MHz
32-bit CPU
Complemented logic
Dynamic encryption
Frequency,Voltage
Integrity sensor
1 µm technology
Passive shield
2 metal layers
CPU Freq = 5 MHz
8 bit CPU
Fast Erase of memory
UV,Light sensors
0.6 µm technology
3 metal layers
CPU Freq = 10 MHz
ROM encryption
1996
2002
1998
2000

93. Chip Security Features
The following items are carefully analyzed :
Security Sensors
Clock
Reset
Design & Layout
ROM, RAM, EEPROM
CPU
Buses
RNG
Memory Management Unit
Crypto Coprocessor
... 7

94. Security Sensors protect against …
Voltage: fault attacks
Frequency: fault attack, contrast voltage
Temperature: fault attack
UV: fault attack
Light: fault attack, invasive attack
Physical Integrity Sensors: invasive attack 24

95. Clock Internal Clock based on free running oscillator
PLL/Multiplier/Divider
Use external clock for I/O and Timer only
Interesting against Side-Channel and Fault attacks 24

96. Design & Layout Planarization is recommended
The smaller the techno, the better (0.18 µm)
The more metal layers, the better (5)
No accessible test pads
Sensitive parts should be in low and separate levels
Bloc connections should not be obvious (local buses)
Glue logic should be used 24

97. RAM Dynamic Ciphering: Side-Channel attacks
@ and Data dynamic scrambling: Invasive and Fault attacks
Fast Erase: Fault attacks 24

98. Non Volatile Memory (EEprom, Flash)
Ciphering
@ and Data scrambling
Automatic verify
Checksum
Error Correction Code
Independent charge pump 24

99. Buses Ciphering: Side-channel and Invasive attacks
Scrambling: Invasive and Fault attacks
Should be in low and separate levels: Invasive attacks 24

100. RNG RNG: is the basis of many HW and SW security measures
Should be carefully checked with several external conditions (Vcc, Temp, etc...)
User application code should handle the RNG correctly (enough delay, refresh) 24

101. CONCLUSION Current platforms require additional SW Security Measures
HW Security Measures or Designs are to be the right mid-term solutions, for performance reasons: e.g. SW DES = 30 ms, HW DES within few µs
Chips provide different solutions and security levels 24