Hardware Security and Trust: Design and Deployment of Integrated Circuits in a Threatened Environment

Fault Attacks

Fault attacks have gained popularity as a serious threat to embedded systems over the last few years. Attacks can target a specific algorithm or generically modify the program flow to the attacker's advantage. Below, we follow the classification and organization of attacks proposed by Karaklajic et al. [15]. In particular, three distinct classes of fault attacks are identified for embedded systems.

Algorithm Specific Attacks

Fault attacks can be designed to exploit specific weaknesses of the target algorithm which are introduced by the injection of a fault. Several attacks targeting a large number of algorithms were presented in the past, the most common being the attacks against AES, RSA, and ECC.

Bloemer et al. [16] proposed an attack on AES which exploits the change of a single bit after the first key addition. However, this attack can recover a complete key only when the adversary is able to inject a fault at a very precise time and at a very specific position.

The security of asymmetric cryptosystems relies on problems that are mathematically hard to solve. Fault attacks can be designed to weaken these problems and thus the security of the algorithms based on them. Common targets for such attacks are public-key cryptography algorithms, in particular RSA and ECC, as they are widely used for authentication, digital signatures, and key exchange. RSA is based on exponentiation using a square-and-multiply (S&M) routine, while ECC is based on point-scalar multiplication using a double-and-add (D&A) routine. S&M and D&A have a similar structure, in which the sequence of executed operations depends on the value of the processed bit of the secret.

Table 2.2 Comparison of fault injection mechanisms

| Mechanism | Cost | Controllability | Trigger | Type | Repeatability | Injection time | Risk of damage | Runtime injection |
|---|---|---|---|---|---|---|---|---|
| Simulator: static analysis / execution based / trace-based / transistor level | Med. | High | Yes | App. [lint.], Sys. [lint.] | High | Med. | No | No / No / Yes / No |
| Software sim.: compile time / runtime | Low | Low | Yes | App., OS | High | Low | No | No / Yes |
| Low-level VM sim. | Med. | High | Yes | OS, Sys. [lint.] | Med. | High | No | Yes |
| Emulation | High | Med. | Med. | App. [lint.], Sys. | Med. | High | Yes | Yes |
| Hardware | High | Med. | Med. | Sys. | Med. | High | Yes | Yes |

Proposed attacks on these cryptosystems require the attacker to change the base point used in ECC. As a result, the scalar point multiplication is moved to a weaker curve. Using a weak curve makes the discrete-logarithm problem of ECC manageable and thus leads to the recovery of the secret [17]. The same attack can be carried out if the attacker manages to supply wrong parameters for the curve [17]. Other attacks proposed in the past showed that faults can be exploited to control a few bits of the secret nonce in DSA, which ultimately allows the whole key to be recovered [18]. Pairing algorithms are also vulnerable to faults [19]: it was demonstrated that by modifying the loop parameter of a pairing algorithm, the secret point can be recovered.
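The base-point fault on ECC described above goes unnoticed because the point addition and doubling formulas never use the curve constant b, so a corrupted point is simply processed on a different curve. The following is an added example, not code from the book, of double-and-add with point validation on input and output; the toy curve over GF(97), the faulted point and all function names are constructed for illustration.

```python
# Toy curve y^2 = x^3 + A*x + B over GF(P). Constructed parameters for
# illustration only; far too small for real use.
P, A, B = 97, 2, 3

def on_curve(pt, b=B):
    """True if pt (None = point at infinity) satisfies y^2 = x^3 + A*x + b."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + b)) % P == 0

def implied_b(pt):
    """Constant b of the curve that an affine point actually lies on."""
    x, y = pt
    return (y * y - x * x * x - A * x) % P

def add(p, q):
    """Affine addition/doubling. B appears nowhere in these formulas."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def double_and_add(k, pt):
    """Unprotected left-to-right D&A: double per bit, add only on 1 bits."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def checked_mul(k, pt):
    """D&A that validates the point before use and the result before release."""
    if pt is None or not on_curve(pt):
        raise ValueError("input point is not on the curve")
    out = double_and_add(k, pt)
    if not on_curve(out):
        raise ValueError("result is off the curve: fault suspected")
    return out
```

With the constructed faulted point (7, 6), which is (3, 6) with one bit flipped in the x-coordinate, `double_and_add(5, (7, 6))` returns (27, 4), a valid point on the curve with b = 67 rather than b = 3, while `checked_mul` rejects the same input.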

 