Detection of vulnerabilities and assessment of resistance to hacker attacks of smart cards and cryptoprocessors with built-in protection

Over the past decade, in addition to traditional methods of extracting secrets or performing other unauthorized actions, attackers have begun to exploit unintentional data leakage and to manipulate program execution through side channels.

Traditional attack methods can be costly in terms of knowledge, time, and processing power. Side-channel attacks, on the other hand, can be easier to carry out and are non-destructive, because they observe or manipulate physical properties that are accessible during normal operation.

By statistically processing side-channel measurements, or by injecting faults into the chip's private channels, an attacker can gain access to its secrets within hours.

With more than 5,000 million smart cards issued each year and new embedded cryptographic technologies entering the markets, the need to secure both business and private life is growing.

In the Netherlands, Riscure created the Inspector system, which provides R&D labs as well as manufacturers with new, highly effective security threat detection tools.

The Riscure Inspector system supports various side-channel analysis (SCA) methods, such as power consumption analysis (SPA/DPA), timing, RF, and electromagnetic analysis (EMA), as well as fault injection (FI) attacks such as voltage glitches, clock glitches and laser manipulation. The system's built-in functions support numerous cryptographic algorithms, application protocols, interfaces, and instruments.

The system allows you to extend and implement new methods and custom applications for vulnerability detection.

The Inspector SCA side-channel analysis system includes:

  • the Power Tracer power tracer;
  • the EM Probe Station for electromagnetic probing;
  • the icWaves trigger generator;
  • the CleanWave filter;
  • the Current Probe current probe.

The main benefits are:

  • It is a single integrated tool for side-channel analysis and fault injection testing;
  • Inspector meets the EMVCo- and CMVP-certified side-channel test requirements under Common Criteria;
  • It is an open environment that includes the source code of the modules, allowing users to modify existing methods and develop new test methods for Inspector;
  • Stable, integrated software and hardware include high-speed data acquisition for millions of traces;
  • The six-month software release cycle keeps users up to date with the latest side-channel testing techniques in the field.

Inspector is available in various versions on a single platform:

  • Inspector SCA offers all the necessary options for DPA and EMA side-channel analysis.
  • Inspector FI offers full functionality for fault injection (perturbation attacks) as well as Differential Fault Analysis (DFA).
  • Inspector Core and SP (Signal Processing) offer core SCA functionality implemented as separate modules, providing an affordable software package for data acquisition or post-processing.

Inspector SCA

Once the measurement results are obtained, a variety of signal processing techniques are available to generate multiple high-signal, low-noise traces. The signal processing functions take into account the subtle differences between processing electromagnetic traces, power consumption traces, and RF traces. Inspector's powerful graphical trace tools allow users to perform timing analysis or inspect traces for issues such as SPA vulnerabilities.

[Figure: Performing DPA on an ECC implementation]

For many security implementations now considered SPA-resistant, the focus of testing is usually on differential testing methods (i.e. DPA/CPA). To this end, Inspector offers a wide range of configurable methods covering a large number of cryptographic algorithms, including commonly used ones such as (3)DES, AES, RSA, and ECC.

[Figure: EM emission of the chip, used to find the best location for performing DEMA]

The main features

  • This solution integrates Power Analysis (SPA/DPA/CPA), Electromagnetic (SEMA/DEMA/EMA-RF), and Non-Contact (RFA) test methods.
  • The data acquisition speed is greatly improved by the tight integration of the oscilloscope with the Inspector.
  • Advanced trace alignment techniques are used to counter clock jitter and randomization.
  • The user can configure cryptanalysis modules supporting first-order and higher-order attacks on all major algorithms such as (3)DES, AES, RSA and ECC.
  • Extended support is provided for domain-specific algorithms, including SEED, MISTY1, DSA, and Camellia.

Hardware

In addition to the Inspector PC workstation, Inspector SCA uses hardware optimized for side-channel data and signal acquisition:

  • Power Tracer for SPA / DPA / CPA on smart cards
  • EM Probe station for SEMA / DEMA / EMA RF
  • Current Probe for SPA / DPA / CPA on Embedded Devices
  • CleanWave filter with Micropross MP300 TCL1/2 for RFA and RF EMA
  • IVI compatible oscilloscope

The targets being evaluated often require specific measurement, triggering, and hardware control in order to perform SCA. Inspector's flexible hardware manager, open development environment, and rich interface options provide a solid foundation for high-quality measurements using the user's own equipment.

[Figure: Inspector SCA]

Lead Homeland Security Engineer Joh John Connor has this to say about the system:
“The Inspector has revolutionized the way we evaluate the resistance of our products to differential power consumption attack DPA. Its strength lies in the fact that it integrates collection and analysis processes that allow us to quickly evaluate the effectiveness of new cryptographic hardware projects. What's more, its superior GUI allows the user to visualize power consumption signatures from collected discrete data individually or simultaneously - invaluable when preparing data for DPA during an attack - while its powerful analytical libraries support the most commonly used commercial encryption algorithms. Timely software and technology updates supported by Riscure help us keep our products secure.”

Inspector F.I.

Inspector FI (Fault Injection) offers a wide range of features for fault injection testing of smart cards and embedded devices. Supported test methods include clock glitches, voltage glitches, and laser-assisted optical attacks. Fault injection attacks, also known as perturbation attacks, change the behavior of the chip, causing an exploitable fault.

With Inspector FI, users can test whether it is possible to extract a key by causing faults in the chip's cryptographic operations, bypass checks such as authentication or lifecycle state, or change the flow of program execution on the chip.

Extensive configurable options

Inspector FI includes a large number of user-configurable parameters to programmatically control triggering and perturbations, such as glitches of varying duration, pulse repetition, and voltage level changes. The software presents results showing expected behavior, card resets and unexpected behavior, along with detailed logging. DFA attack modules are available for the major encryption algorithms. Using a wizard, users can also create a custom perturbation program with the API.

The main features

  • Unparalleled and easily reproducible precision and timing for all glitching hardware.
  • Attack scenario design using a powerful command system and the integrated Inspector IDE.
  • Extensive Inspector configuration options for automated fault injection testing.
  • Laser equipment for multi-glitching on the back and front sides of the card, custom-made for glitch injection testing.
  • DFA modules for implementations of popular encryption algorithms, including RSA, AES, and 3DES.
  • An upgrade to a multi-point laser provides the ability to target the chip in several places at once.
  • Operation-dependent timing using the icWaves trigger generator helps overcome countermeasures and prevent sample loss.

Hardware

Inspector FI can be used with the following hardware components to carry out attacks:

  • VC Glitcher with additional glitch booster
  • Diode laser station with optional multi-point upgrade
  • PicoScope 5203 or IVI compatible oscilloscope

[Figure: Inspector FI with VC Glitcher, icWaves Trigger, Glitch Amplifier and Laser Station]

The VC Glitcher generator forms the core of the Inspector fault injection architecture. Using ultra-fast FPGA technology, it can generate glitches as short as two nanoseconds. The hardware has a user-friendly programming interface. The glitch program created by the user is loaded into the FPGA before the test run. The VC Glitcher includes integrated circuitry for introducing voltage glitches and clock glitches, as well as a channel output for controlling the laser station.

The diode laser station consists of a special set of powerful diode lasers with custom-made optics, which are quickly and flexibly controlled by the VC Glitcher. The equipment takes optical testing to the next level, providing efficient multi-glitching, precise power control, and a fast and predictable response for glitch triggering.

By upgrading the diode laser station to a multi-point on-chip version, multiple areas can be tested using different timing and supply voltage settings.

Signal-Based Triggering Using the icWaves Trigger Generator

Clock jitter, random process interrupts, and data-dependent process duration require flexible triggering of faults and of side-channel data acquisition. Inspector's icWaves generator produces a trigger pulse in response to real-time detection of differences from a given model in the chip's power supply or EM signal. The device includes a special narrow-band filter to ensure that the pattern match is detected even in a noisy signal.

The reference trace used for matching the model inside the FPGA device can be modified using Inspector's signal processing functions. A smart card that has detected a fault injection may initiate a protection mechanism to erase secret data or block the card. The icWaves component can also be used to trigger a card shutdown whenever the power consumption or EM profile deviates from standard operation.
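The signal-based triggering described above can be illustrated in software. This is an added example, not Riscure code: the sum-of-absolute-differences metric, the moving-average filter, the threshold, and the constructed reference pattern and traces are all assumptions chosen for illustration. It shows that a random delay alone does not hide where an operation starts once a reference pattern is known.

```python
import random

# Constructed reference pattern: the power signature of the operation to trigger on.
REFERENCE = [0, 2, 4, 6, 4, 2, 0, -3, -6, -3, 0, 3, 3, 3, 0]

def moving_average(signal, width=5):
    """Low-pass filter (odd width, edges clamped) that suppresses measurement noise."""
    half, last = width // 2, len(signal) - 1
    return [sum(signal[min(max(k, 0), last)] for k in range(i - half, i + half + 1)) / width
            for i in range(len(signal))]

def sad_scores(signal, reference):
    """Sum of absolute differences between the reference and each window of the signal."""
    n = len(reference)
    return [sum(abs(signal[i + j] - reference[j]) for j in range(n))
            for i in range(len(signal) - n + 1)]

def find_trigger(trace, reference=REFERENCE, threshold=6.0):
    """Return the sample index of the best match, or None if no window is close enough."""
    scores = sad_scores(moving_average(trace), moving_average(reference))
    best = min(range(len(scores)), key=scores.__getitem__)
    return best if scores[best] <= threshold else None

def make_trace(delay, length=80, noise=0.3, seed=0, with_pattern=True):
    """Constructed trace: flat baseline, bounded noise, pattern after a variable delay."""
    rng = random.Random(seed)
    trace = [rng.uniform(-noise, noise) for _ in range(length)]
    if with_pattern:
        for j, value in enumerate(REFERENCE):
            trace[delay + j] += value
    return trace

if __name__ == "__main__":
    for delay in (7, 23, 41, 58):            # simulated random-delay countermeasure
        print(delay, find_trigger(make_trace(delay, seed=delay)))
    print(find_trigger(make_trace(0, with_pattern=False)))  # no pattern, no trigger
```

A hardware trigger makes this decision sample by sample in real time; the offline version here picks the best-scoring window of a recorded trace instead.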

[Figure: Laser Station (LS) with multi-point access option, microscope and coordinate table]

Integrated Development Environment (IDE)

The Inspector development environment is designed to provide maximum flexibility for the user to use SCA and FI for any purpose.

  • Open API: simplifies the implementation of new modules
  • Source code: each module comes with its own source code, so modules can be adapted to the user's wishes or used as a basis for creating new modules

[Figure: Inspector FI]

Inspector combines glitch injection and side channel analysis techniques in one high performance package.

[Figure: An example of fault behavior analysis]

The field of side-channel attacks is rapidly evolving, with new research findings published every year that become public knowledge or are made mandatory by certification schemes and standards. Inspector keeps users up to date with new developments through regular software updates that implement new techniques.

Source: habr.com
