2.1.3 Implementation Attacks

We refer to all attacks that do not aim at the weaknesses of the algorithm itself, but at the actual implementations on cryptographic devices, as implementation attacks.

When considering usability, strength or cost, implementation attacks are among the most powerful known attacks against cryptographic devices. Implementation attacks can be categorized into active and passive attacks. In passive attacks, the device operates within its specification and the attacker just reads hidden signals. In active attacks, one or more parameters of the device are operated outside the nominal operating range. Another division is based on the degree of invasiveness toward the device under attack. In a non-invasive attack, there is no mechanical manipulation of the cryptographic device. In a semi-invasive attack, the attacker removes only the outer layers of the cryptographic device. Finally, in an invasive attack, the attacker modifies the electronic circuit of the cryptographic device. Common types of implementation attacks are:

• Side-channel attacks

• Fault attacks

• Probing attacks

Figure 2.5: Sources of side-channel information.

Side-channel Attacks

Based on the division above, side-channel attacks belong to the passive, non-invasive attacks. In such attacks, physical values such as power consumption [KJJ99], EM emissions [QS01], timing [Koc96] or sound [GST13] are exploited to determine the secret key of a cryptographic device. Such physical values are called side-channels.

We display several side-channels in Figure 2.5.

The simplest form of side-channel attack is one where the attacker visually inspects, on an oscilloscope, physical values such as power consumption and EM emanation while the device executes cryptographic instructions. By doing so, the attacker can determine the secret key. In the case of an attack using a side-channel like power consumption or EM, the attacker analyses actual signals that we call traces.

When the attacker possesses an experimental device identical to the one he wants to attack, a single trace may be enough to determine the correct key. Namely, in this case the attacker is assumed to use the device for a profiling phase during which he creates a database of all key fingerprints. Afterwards, one real trace is used to deduce the actual key. This kind of attack is called a template attack [CRR03]. In this attack, iterative classification is used to unroll one more segment of the sample which uses more bits of the secret key [CRR03].

In the case that the attacker has many different traces at his disposal, he can mount DPA [KJJ99] or Correlation Power Analysis (CPA) attacks [BCO04]. The difference between those attacks is that CPA looks at the correlation between all key guesses and is faster and more accurate than other DPA variants only when the leakage model is linear. Both versions of the attack use the relationship between the power and the data.

Next, we give a short description of DPA. First, one records the side-channel values of the attacked cryptographic device while it processes many known, different data values, where those side-channel values depend partly on the secret key. With all known data values and all possible guesses for a part of the secret key (divide and conquer strategy), we calculate the hypothetical values of the influenced side-channel. Those hypothetical values are for different guesses of the secret key.

In order to characterize the information leakage through the power consumption, we need to use a power leakage model. Two well-known models are Hamming Weight (HW) and Hamming Distance (HD). In the simpler HW model, one assumes that the power consumption varies in accordance with the HW of the manipulated data.

In the HD model, one considers the number of bit transitions from the previous state to the current state. As the final step, we compare the measured and hypothetical side-channel values. Those hypothetical values that match the measured values best should yield the part of the actual secret key used in the cryptographic device. This procedure is simply repeated for other parts of the secret key.

Countermeasures against side-channel attacks can be divided into various hiding and masking schemes. The goal of countermeasures is to reduce (or ideally, avoid) the dependencies between the power consumption of a cryptographic device and intermediate values of the executed cryptographic algorithm. When using hiding schemes, this is done by breaking the link between the power consumption and the processed data values [MOP07]. On the other hand, in the masking schemes this is done by randomizing the intermediate values that are processed by the cryptographic device [MOP07]. For further information about side-channel attacks, we refer to [MOP07].

Fault Injection Attacks

Fault injection attacks can be characterized as active implementation attacks. In contrast to side-channel attacks, fault injection attacks change the behavior of a cryptographic device, i.e. the device is influenced in order to produce erroneous results (faults).

In non-invasive attacks, the packaging of the device is not modified, but only the working conditions are changed. An example of such an attack is the short-term change of the clock signal voltage levels. However, such a change affects the behavior of the whole device and belongs to the global attack category. Semi-invasive attacks inject faults without electrical contact to the chip surface. Conventional semi-invasive attacks use light to cause transient faults or EM fields to cause transient or permanent faults. Optical fault injection is an example of a semi-invasive attack that is also a local attack, since it targets only a limited area of the chip. Both semi-invasive and invasive attacks require direct access to the chip, so mostly a decapsulation procedure needs to be done. These attacks can be transient and permanent. A transient fault affects the chip until it restarts, and afterwards it operates correctly. Permanent faults modify the chip in a permanent way. An example of a permanent attack is the attack with a focused ion beam.

Invasive attacks modify the chip structure by cutting or connecting wires. In these attacks, there is a direct electrical contact to the surface of the chip [MOP07].

For further information about fault injection attacks, we refer readers to [JT12].

Probing Attacks

Probing attacks belong to the invasive attacks category. They are used to find out the inner values of the chip by placing a probe on it.