A Fault Induction Technique Based on Voltage Underfeeding with Application to Attacks against AES and RSA

Alessandro Barenghi; Luca Oddone Breveglieri; Gerardo Pelosi
2013

Abstract

Fault injection attacks have proven to be a powerful tool for exploiting implementation weaknesses of cryptographic algorithms. Several techniques that perturb the computation of a cipher have been devised and successfully employed to leak secret information from erroneous results. We present a low-cost, non-invasive and effective technique for injecting transient faults into a general-purpose processor by lowering its supply voltage, and we characterize the effects on the computing system. The technique is effective enough to mount attacks against a software implementation of a cryptosystem running on a full-fledged ARM9 CPU with a complete operating system. We validate the effectiveness of the fault model by attacking the OpenSSL implementations of the RSA and AES cryptosystems. A new attack against AES, able to retrieve the full 256-bit key, is described, and the number of faults that must be collected is quantified. In addition, we propose a generalization of the attack against RSA encryption presented in Barenghi et al. (2009) to a multi-bit fault model, together with an analysis of its computational complexity. The attacks against AES retrieve all the round keys regardless of their derivation strategy, the number of cipher rounds and the diffusion layer, while the attacks against RSA retrieve either the message or the secret key.
Keywords: Embedded System Security; Side Channel Attacks; Fault Attacks
Files in this item:
VQR2.pdf (publisher's version, restricted access), 969.09 kB, Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: http://hdl.handle.net/11311/717947
Citations
  • Scopus: 33
  • ISI: 28