ABSTRACT
In this paper we present software countermeasures specifically designed to counteract fault injection attacks during the execution of a software implementation of a cryptographic algorithm, and we analyze the efficiency of these countermeasures. We propose two approaches based on the insertion of redundant computations and checks, which in their general form are suitable for any cryptographic algorithm. In particular, we focus on selective instruction duplication to detect single errors, instruction triplication to support error correction, and parity checking to detect corruption of a stored value. We developed a framework that automatically adds the desired countermeasure, and the selected redundancy can be applied either to all the instructions of the cryptographic routine or only to the most sensitive ones, such as table lookups and key fetching. Considering an ARM processor as the target platform and AES as the target algorithm, we evaluate the overhead of the proposed countermeasures while keeping the robustness of the implementation high enough to thwart most or all of the known fault attacks. Experimental results show that, on the considered architecture, the solution with the smallest overhead is per-instruction selective doubling and checking, and that the instruction triplication scheme is a viable alternative if very high levels of resistance to injected faults are required.
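As an added illustration of the three redundancy schemes named in the abstract (this is not code from the paper or its framework), the following C sketch applies duplication with a comparison, triplication with a majority vote, and parity protection to a single S-box lookup, the kind of sensitive operation the abstract singles out. The 16-entry table is the first row of the AES S-box standing in for the full 256-byte table, and the `fault` XOR masks are constructed inputs that simulate a transient fault hitting one redundant copy.

```c
#include <stdint.h>
#include <stdbool.h>

/* First 16 entries (row 0x0) of the AES S-box, standing in for the full table. */
static const uint8_t SBOX16[16] = {
    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 };

/* One table lookup. 'fault' is a constructed XOR mask that simulates a
 * transient fault on this single execution (0 means the copy ran cleanly). */
static uint8_t sbox_lookup(uint8_t x, uint8_t fault) {
    return SBOX16[x & 0x0f] ^ fault;
}

/* Duplication: run the lookup twice and compare. Returns false when the two
 * copies disagree (a single error is detected); *out is valid only on true. */
bool lookup_dup(uint8_t x, uint8_t f1, uint8_t f2, uint8_t *out) {
    uint8_t a = sbox_lookup(x, f1);
    uint8_t b = sbox_lookup(x, f2);
    if (a != b) return false;
    *out = a;
    return true;
}

/* Triplication: run the lookup three times and take a bitwise majority vote,
 * which corrects one faulty copy without aborting the computation. */
uint8_t lookup_tmr(uint8_t x, uint8_t f1, uint8_t f2, uint8_t f3) {
    uint8_t a = sbox_lookup(x, f1), b = sbox_lookup(x, f2), c = sbox_lookup(x, f3);
    return (a & b) | (a & c) | (b & c);
}

/* Parity of a byte: 1 when an odd number of bits are set. */
uint8_t parity8(uint8_t v) {
    v ^= v >> 4; v ^= v >> 2; v ^= v >> 1;
    return v & 1;
}

/* Parity-protected stored value: the parity bit is computed at store time and
 * re-checked at load time. Caveat: parity catches any odd number of flipped
 * bits but misses an even number, so it is a detection aid, not a guarantee. */
typedef struct { uint8_t val; uint8_t par; } pbyte;

pbyte store_with_parity(uint8_t v) { pbyte p = { v, parity8(v) }; return p; }

bool load_checked(pbyte p, uint8_t *out) {
    if (parity8(p.val) != p.par) return false;   /* stored value was corrupted */
    *out = p.val;
    return true;
}
```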
Index Terms
- Countermeasures against fault attacks on software implemented AES: effectiveness and cost