
Introduction to Implementation Attacks

Several types of implementation attacks (IMPAs) are amongst the strongest currently known attacks against cryptographic devices in terms of practicability, strength, and cost. By cryptographic devices we typically mean all devices that perform cryptographic operations (e.g. encryption, digital signing, entity authentication) or that store cryptographic keys. The form factors of cryptographic devices for which implementation attacks are particularly relevant are smart cards, USB tokens, RFID tags, and the like.

IMPAs can first be categorized into passive attacks (the attacked device is operated within its specifications) and active attacks (one or more parameters of the attacked device exceed their nominal operating range, e.g. supply voltage levels, device temperature, radiation levels, circuit structure). A second criterion for categorizing IMPAs is their mechanical invasiveness. We distinguish between non-invasive attacks (no mechanical manipulation of the attacked device), semi-invasive attacks (only "outer" layers of the attacked device are removed, e.g. the package; the passivation layer of the semiconductor circuit stays intact), and invasive attacks (the electronic circuit is directly modified).

The common types of implementation attacks are:

  • Side-channel analysis (SCA)
    • Timing analysis (TA)
    • Power analysis (PA)
    • Electro-magnetic analysis (EMA)
  • Fault analysis (FA)
  • Probing attacks
  • Others
    • Reverse engineering

Side-Channel Analysis (SCA)

In the passive, non-invasive SCA attacks, physical values such as the power consumption or the electro-magnetic (EM) emissions (the so-called side-channels) of a device are exploited to determine the secret key used in the cryptographic device. SCA attacks are currently the most powerful attacks against cryptographic devices.

In a simple SCA attack, we visually inspect the side-channel values while the attacked device executes the cryptographic algorithm once. From the shape of the side-channel values (typically called a trace), we try to determine the secret key that was used (e.g. if the bit values of the key significantly influence the side-channel values). If we have a device that is similar or identical to the attacked device and that is under our full control (i.e. we can set the secret key), we can characterize the side-channel traces of the attacked device for all possible key values. When we then obtain the single side-channel trace from the attack, we can use the characterization information to identify the most probable secret key. This very powerful attack is called a template attack.

The first step in a differential SCA attack is to record the side-channel values of the attacked cryptographic device while it processes many known, different data values (typically input or output values). In this step, we get measured side-channel values, which depend at least partially on the used secret key. Secondly, with the known data values and all possible guesses for a part of the secret key (e.g. 8 bits of it), hypothetical value(s) of the influenced side-channel are calculated (e.g. dependence of power consumption or EM emissions on a combination of the known data and key values). In this second step, we get hypothetical side-channel values for different guesses of the secret key. Finally, we compare the measured and the hypothetical side-channel values. The hypothetical side-channel values that match the measured ones best should give us the actual part of the secret key used in the attacked device. We simply continue the attack in the same way for the other parts of the secret key.

The most popular side-channels are:

  • execution time -> timing analysis (TA)
  • power consumption -> simple (SPA) and differential power analysis (DPA)
  • electro-magnetic radiation -> simple (SEMA) and differential electro-magnetic analysis (DEMA)

Countermeasures against SCA attacks belong either to hiding (changing the side-channel characteristic of a device) or to masking (randomizing the data that is processed on a device).
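
The following added example (not part of the original page) walks through the three steps of the differential analysis described above on simulated measurements and shows why masking removes the correlation this analysis relies on. The toy 4-bit S-box, the Hamming-weight leakage model, the Gaussian noise level and all function names are assumptions made for the simulation.

```python
import random

# Toy 4-bit S-box and Hamming-weight table (assumptions of this example).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HW = [bin(v).count("1") for v in range(16)]

def pearson(x, y):
    """Pearson correlation coefficient of two equally long sequences."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var_x = sum((a - mx) ** 2 for a in x)
    var_y = sum((b - my) ** 2 for b in y)
    return cov / (var_x * var_y) ** 0.5

def measure(key, n, masked, rng, noise=1.0):
    """Step 1, simulated: one leakage sample per run, HW(value) plus noise."""
    data, traces = [], []
    for _ in range(n):
        d = rng.randrange(16)           # known input nibble
        v = SBOX[d ^ key]               # key-dependent intermediate value
        if masked:
            v ^= rng.randrange(16)      # device only handles v XOR a fresh mask
        data.append(d)
        traces.append(HW[v] + rng.gauss(0.0, noise))
    return data, traces

def correlate_guesses(data, traces):
    """Steps 2 and 3: hypothetical leakage per key guess vs. the measurement."""
    return [pearson([HW[SBOX[d ^ g]] for d in data], traces)
            for g in range(16)]

def evaluate(key=0xB, n=2000, seed=1):
    """Run the same analysis against an unprotected and a masked device."""
    rng = random.Random(seed)
    report = {}
    for label, masked in (("unprotected", False), ("masked", True)):
        corr = correlate_guesses(*measure(key, n, masked, rng))
        report[label] = {"best_guess": corr.index(max(corr)),
                         "corr_true_key": corr[key],
                         "max_corr": max(corr)}
    return report

if __name__ == "__main__":
    for label, result in evaluate().items():
        print(label, result)
```

In the unprotected run the true key guess stands out with a correlation of roughly 0.7, while in the masked run every guess stays near zero because the processed value is statistically independent of the key-dependent intermediate.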

Comprehensive information on PA and partly EMA can be found in our power analysis tutorial or especially in the book "Power Analysis Attacks - Revealing the Secrets of Smart Cards" we have written.

Fault Analysis (FA)

Fault attacks are active implementation attacks. In contrast to side-channel analysis, the behavior of the device is influenced in order to obtain erroneous computation results. Based on these results, it is possible to reveal secret information. The device can be manipulated in several ways, which differ in effort and efficiency. Non-invasive attacks can usually be performed at low cost; the package of the device is not modified. Faults are injected by changing the working conditions of the device, e.g. by a short-term interruption of the power supply. These methods affect the whole device at once and therefore belong to the global attacks. Local attacks, on the other hand, target only a limited area, such as one or a few memory cells. A common local attack is optical fault induction. This semi-invasive method uses a focused laser beam to flip bits of a decapsulated chip. If the photons of the beam hit an np-junction, current is induced. The faults injected by the previously mentioned methods are transient: after restarting the device, it operates correctly. Using a Focused Ion Beam (FIB), the chip can be modified in a permanent way. These kinds of attacks require very sophisticated and expensive equipment.

However, not only how to manipulate a device but also how to benefit from such a malfunction is an important research topic. To this end, different cryptographic primitives and protocols are investigated. A popular method is the so-called Differential Fault Analysis: a pair of correct and erroneous ciphertexts is used to reveal the secret key. Depending on the algorithm, one pair might be enough. Unlike attacks, countermeasures are not always tailored to a specific algorithm. By adding redundancy, parts of the microcontroller, like the ALU, can be secured.

Probing Attacks

While fault attacks try to manipulate the device, probing attacks aim to spy on internal values of the chip, such as those on a bus. This can be achieved by placing a probe on the chip. However, placing a probe is quite expensive, and therefore the number of probes placed on a chip should be minimized. Thus, it is investigated how to reveal secret information with only one or a few probes. Furthermore, other methods of obtaining internal values are a topic of our research.

Others

As security by obscurity is still commonly used, reverse engineering aims at revealing the functionality and the inner workings of a device. To this end, the chip is disassembled layer by layer. Photos are taken of each layer in order to reconstruct the layout of the device afterwards.

© 1990 - 2012 IAIK TU Graz