R.G. Korkikian, E.V. Trichina
Every cryptographic algorithm, even one implemented in software, ultimately runs on a piece of hardware, for example a microcontroller. Error-free execution can only be guaranteed while normal operating conditions are satisfied. These conditions include temperature, supply voltage and other parameters, and altering them may induce a fault in the device. It has been shown that some cryptographic algorithms can be compromised by a fault induced in a device while it is running. Faults can be induced by heating, laser illumination, power-supply variation and other means. It has been proved that a single fault during a CRT RSA computation allows both prime factors of the modulus N to be computed. Cryptanalytic methods that exploit such computational errors are called fault attacks (or differential fault analysis). They are widely used for testing hardware (and software) implementations of cryptographic algorithms.
There are two categories of countermeasures against fault attacks: hardware and software. Hardware countermeasures are usually based on architectural solutions that make a device more tolerant of external stresses. Software countermeasures include duplication, infective methods (in which an error is forced to propagate through the whole result) and randomization. All of these countermeasures have drawbacks: hardware protection introduces latency, while software protection can be overcome by several faults injected during one encryption.
The main goal of our research is to verify whether fault injection is possible in a modern microcontroller that includes features for robustness against environmental stresses. Particular attention was paid to the possibility of injecting several faults within a short time, since this would allow some software countermeasures to be bypassed.
A modern microcontroller based on the ARM Cortex-M3 was chosen. This chip has a power-supply monitor and a power-supply regulator, which are intended to keep the supply voltage constant and to reset the chip if the supply is corrupted. Under the microscope it could be seen that the top layer of the chip is a metal mesh, which protects the device against reverse engineering. It could be inferred that the top layers of both the SRAM and the Flash are covered by metal cells, which isolate the layers below.
All experiments were conducted at a French microelectronics centre, CMP Charpak, in Gardanne. The CRT RSA cryptographic algorithm was used as the target of the analysis. Initially it was implemented without any countermeasure; later a countermeasure based on re-computation and comparison was added to the implementation. If the initial and recomputed values differed, an exception was raised.
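The two points above, that one fault in a CRT RSA computation exposes a prime factor of N and that recompute-and-compare detects a single fault but not two identical ones, can be reproduced arithmetically. The following Python script is an added illustration and is not part of the authors' experiments or code; the toy key (p = 61, q = 53, e = 17), the message 65 and the simulated "fault" (one flipped bit in the half-computation modulo p) are constructed for the example. The `verified_sign` function shows a standard alternative check (verification with the public exponent) that the paper does not discuss.

```python
from math import gcd

# Toy CRT-RSA key, constructed for illustration only (far too small for real use).
p, q = 61, 53
N = p * q                     # 3233
e = 17
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)           # private exponent (Python 3.8+ modular inverse)
dp, dq = d % (p - 1), d % (q - 1)
qinv = pow(q, -1, p)          # q^-1 mod p, used by Garner's recombination


def crt_rsa_sign(m, fault_in_p=False):
    """Sign m with CRT RSA. fault_in_p=True simulates a single transient fault
    (one flipped bit) in the half-computation modulo p, as a glitch might cause."""
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_p:
        sp ^= 1               # simulated fault: flip the low bit of the p-half result
    h = (qinv * (sp - sq)) % p
    return sq + q * h         # Garner's recombination, result in [0, N)


def factor_from_faulty_signature(m, s_faulty):
    """What a single faulty signature leaks: the untouched half (mod q) still
    satisfies s^e == m, the faulty half (mod p) does not, so
    gcd(s^e - m, N) is a prime factor of N."""
    return gcd((pow(s_faulty, e, N) - m) % N, N)


def protected_sign(m, faulted_runs=()):
    """Recompute-and-compare countermeasure as described in the paper: sign twice
    and raise if the results differ. faulted_runs lists which of the two runs
    (0 and/or 1) receives the simulated fault."""
    first = crt_rsa_sign(m, fault_in_p=(0 in faulted_runs))
    second = crt_rsa_sign(m, fault_in_p=(1 in faulted_runs))
    if first != second:
        raise RuntimeError("fault detected: recomputed signature differs")
    return first


def verified_sign(m, fault_in_p=False):
    """Alternative check (standard practice, not from the paper): verify with the
    public exponent before releasing the signature. Needs only one private-key
    computation and does not depend on the two runs failing differently."""
    s = crt_rsa_sign(m, fault_in_p)
    if pow(s, e, N) != m % N:
        raise RuntimeError("fault detected: signature does not verify")
    return s


if __name__ == "__main__":
    m = 65                    # constructed message, m < N
    s_ok = crt_rsa_sign(m)
    s_bad = crt_rsa_sign(m, fault_in_p=True)
    print("correct signature:", s_ok, "verifies:", pow(s_ok, e, N) == m)
    print("faulty signature: ", s_bad, "leaks factor:", factor_from_faulty_signature(m, s_bad))
    for runs in [(0,), (0, 1)]:
        try:
            protected_sign(m, faulted_runs=runs)
            print("faults in runs", runs, "-> not detected (both runs faulted identically)")
        except RuntimeError as err:
            print("faults in runs", runs, "->", err)
```

Running the script shows the single-fault leak (`gcd` returns 53 = q, because the fault was placed in the p half), the recompute-and-compare check catching a fault in one run, and the same check passing when both runs are faulted identically, which is the weakness of duplication-based software countermeasures that the paper's multi-glitch experiments target.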
We used a laser and power glitches to induce errors in the chip. It was inferred that neither the memory nor the core could be targeted by the laser attack. The only zone vulnerable to faults occupies about 0.125% of the total chip surface; it may contain decoders or other elements lying between the Flash and the CPU.
Power-supply testing was done with glitches of amplitude between 14 and 24 volts and width from 100 to 450 ns. With these parameters it was possible to create different kinds of errors, including single-bit errors. This error-injection method is much cheaper than the laser attack, and several glitches can be applied within a short period of time, so different instructions of the algorithm can be targeted.
Using these two error-injection methods we were able to retrieve both prime factors of the modulus N of the CRT RSA algorithm, both without and with countermeasures. Therefore, it is necessary to protect a system against this type of attack.