Physical security assessment of a microprocessor card

Tomcat

When assessing the security of an information system, two questions usually arise: what is the level of security of the system and how much does it cost to ensure that level of security. Thanks to the emergence of standards that make it possible to obtain independent assessments of the security of information systems, it has become possible to get answers to these questions.

The Information Technology Security Evaluation Criteria (ITSEC) standard was developed in Europe and recognized by France, Germany, Great Britain and the Netherlands in 1991. At the same time, the United States and Canada developed their own standards for assessing the security of information systems: TCSEC and CTCPEC, respectively.

More recently, the Common Criteria standard (ISO/IEC 15408) has appeared, which claims to be a global standard. Each manufacturer wishing to submit an information system for independent testing in accordance with the Common Criteria standard must formulate a test goal (Security Target, ST) consisting of the following components:
  • subject of assessment (Target of Evaluation or TOE) - a system or part of a system presented for testing;
  • descriptions of attack scenarios that should be considered when assessing the security of TOE;
  • descriptions of countermeasures implemented in the TOE assessment subject, the effectiveness of which is assessed during testing.
In addition, the ST testing objective defines the level of assurance that the system meets the security requirements. This level is known as the Evaluation Assurance Level (EAL). The Common Criteria standard considers seven levels of assurance, from the lowest (EAL1) to the highest (EAL7).

For ease of use of the Common Criteria standard, ST testing objectives have been predefined for various types of information systems and products. Test objectives are defined in the form of so-called Protection Profiles (PP). In particular, for smart cards, these profiles are described in the BSI-PP-0002-2001 specification, which defines the minimum set of security characteristics that must be verified during the card security assessment process.

For the user, the fact that a system has passed such testing means, firstly, an independent assessment of the security of the system he uses, and secondly, a demonstration of the developer's confidence in the system, expressed in the willingness to submit it to open independent testing.

A wide variety of systems can be certified, including operating systems, DBMS, network access protection systems, PKI systems, smart cards, chips used in smart cards, smart card operating systems and smart card applications.

Currently, system security can be assessed against a variety of criteria systems, including Common Criteria, ITSEC (most commonly used in Europe) and FIPS (a system of criteria widely used in North America but rarely used in Europe). Tab. 2.8 shows the approximate correspondence between the Common Criteria and ITSEC certification levels.

Tab. 2.8. Correspondence of the levels of the Common Criteria and ITSEC security assessment systems

Common Criteria: EAL1  EAL2  EAL3  EAL4  EAL5  EAL6  EAL7
ITSEC:           -     E1    E2    E3    E4    E5    E6

The correspondence given in Tab. 2.8 does not mean that holding a certificate in one system of criteria automatically confers a certificate of the corresponding level in the other system. In any case, to obtain a certificate in a particular system of criteria, it is necessary to pass the tests required by that system. For example, the MULTOS system has ITSEC level E6 certification, while its Common Criteria certification level is EAL4+.

The central aspect of the overall security of any system is its physical security - the ability to resist external physical influences on the system. In this sense, a smart card is an example of a system that demonstrates a high degree of security. Placing microcomputer modules of a smart card in a single-chip microcircuit allows you to hide the connections between the computer modules and the modules themselves from external influences (see section 2.2). Combining computer elements in one chip makes it difficult for an external observer to intercept signals transmitted between the elements of the microcircuit, and, consequently, to recognize the information content of these signals.

It is of course possible, although difficult and expensive, to connect electrical probes to the internal lines of the microcircuit. In this case, the attacker (the person trying to extract information from the chip) must have at his disposal a card and expensive equipment to probe it. In addition, he must know both the hardware architecture of the chip (chip topology) and its software.

Another attack is by examining information from a working smart card. An example is an attack on smart card encryption algorithms based on intercepted ciphertext generated by the card.

Physical security includes tamper resistance and, where possible, tamper evidence. One of the physical security elements of a smart card is the arrangement of the chip and its connections within the chip module, enclosed in an epoxy filler, as shown in Fig. 2.11. This arrangement provides both protection against certain types of external interference and the ability to detect such interference. The epoxy cannot be penetrated without destroying it, and to do so one must take possession of the card. Entering the module leaves traces that indicate the fact of interference.

In addition, the chip module is embedded in the card body, where it is placed under a second layer of protection against tampering and/or evidence of it. Therefore, it is practically impossible to learn the secrets contained in a smart card by means of physical intervention without leaving evidence of that intervention.

Thus, microprocessor cards have all the necessary components of an enhanced security computer platform. However, it must be understood that the security achieved by the packaging of the chip is not infallible. The card resists tampering, but cannot completely prevent it.

All attacks on a microprocessor card can be roughly divided into software and physical attacks. Software attacks, in turn, fall into two categories: attacks aimed at breaking the cryptographic algorithms used by the card, and attacks that exploit weaknesses in the implementation of the programs supported by the card. Examples of attacks in the second category are loaded programs that overflow memory buffers or act like a Trojan horse. Such attacks can yield the secret data of the card application.

Physical attacks in turn fall into two broad categories: penetrating and non-penetrating attacks. Recently, the class of semi-penetrating attacks has been distinguished from the class of penetrating attacks.

Penetrating attacks require penetration into the body of the chip. To access the surface of the chip, it is removed from the plastic card. For this, the chip together with the epoxy filler in which it is embedded is cut out of the card's PVC plate with a sharp knife. Sometimes it is enough to heat the plastic body of the card, which makes it flexible, and bend the card at the location of the chip in order to remove it from the plastic body.

Next, a few drops of highly concentrated (> 98%) nitric acid (HNO3) are used to dissolve the epoxy filler away from the chip. Within a few minutes the acid dissolves the epoxy filler, after which the chip is placed in an ultrasonic bath, where the acid and filler residues are washed off with acetone. This entire procedure is referred to in the literature as chip depackaging.

The chip is now ready to be examined. The purpose of examining the chip is to reconstruct the layout of its individual modules (memory modules, processor and coprocessors, data and address buses). The attacker must have a picture of the object of attack in order to understand how to act to achieve the desired result. Using reverse engineering methods and a good understanding of CMOS chip design, one can obtain a complete picture of the architecture of the chip and its modules and identify the "weak" spots that become the targets of subsequent attacks.

There are several ways to inspect a chip. An optical microscope equipped with a CCD camera can be used to reproduce the arrangement of the chip modules. The main modules of the microcircuit (ROM, EEPROM, RAM, processor, buses) are clearly visible in the photograph taken with a high-resolution CCD camera.

To obtain an image of the deeper layers of the chip, the layer already examined is physically removed (by etching with hydrofluoric acid (HF) in an ultrasonic bath) to expose the next layer. To build a three-dimensional image of the chip, the photographs of its individual layers are processed by an image analysis program.

If the processor of the chip has a standard architecture, the attacker only needs to reach the layer at which the location of the modules and buses to be manipulated for memory access becomes fully understood.

Another method of examining a chip is called manual micro-probing. It is based on an optical microscope and a probe, a sharpened tungsten needle, with which the attacker can make contact with a bus of the chip without destroying it. The probe is connected through an amplifier to a special signal processor, which records the signals received from the chip's processor and also supplies the card with power, a Reset signal, a clock signal (Clock) and the other input signals needed for the chip to operate in an active state.

There is also a beam probing method that uses focused beams of gallium ions (Focused Ion Beam, FIB). Gallium ions are accelerated and focused in a vacuum chamber into a beam with a diameter of 5-10 nanometres. Gallium ions emitted by a liquid cathode at a voltage of 30 kilovolts produce a current of 10^(-12) to 10^(-8) amperes. A focused beam of gallium ions can reconstruct the chip layout by capturing the secondary radiation it causes. The resolution is very high, up to 5. An FIB workstation costs about half a million euros.

Another kind of beam sensing of a chip is the use of electron beams. An electrical voltage of about 2.5 kilovolts is used to accelerate the electrons. As a result, a current of about 5 nanoamperes is generated. In this case, the number and energy of secondary electrons are indicators of the electric field on the surface of the crystal and make it possible to examine signal lines with a resolution measured in fractions of a micron.

Recently, another type of beam method for examining a chip has appeared: the use of an infrared laser. A wavelength is chosen at which the silicon substrate of the chip becomes transparent to the laser beam. The currents induced in the chip by the irradiation are then measured; their magnitude reflects the logical state of individual transistors.

To carry out manual and beam probing, in addition to the chip extraction procedure, it is necessary to destroy at least some part of the chip's passivation layer. After the chip has been extracted, one finds that the aluminium interconnect lines on its surface are protected by a special coating called the passivation layer, consisting of silicon oxide or silicon nitride. The passivation layer protects the chip from certain types of radiation and from harmful environmental influences. To remove the passivation layer, ultraviolet or "green" lasers are used, which irradiate the passivation area with short pulses. With correctly chosen pulse energy and duration, destruction of this coating is easily achieved.

Drilling is sometimes used to destroy a small portion of the passivation layer.

At the same time, there are attacks that require the removal of the chip from the plastic case of the card, but do not require the destruction of the passivation layer. Such attacks are called semi-invasive attacks. This definition was first introduced by S. Skorobogatov, who demonstrated the possibility of using ultraviolet and X-ray radiation to attack a microcircuit.

Below are some penetrating attacks based on the above methods of examining the chip.

Reconstructing the layout of the chip allows the contents of the ROM to be read in full. Although ROM, as a rule, does not contain secret keys, it gives a complete understanding of the programs that control access to secret information, as well as of the cryptographic algorithms used and how they are implemented. Information about how the cryptographic algorithms are implemented is valuable for non-penetrating attacks.

Another way to obtain card information is to probe the chip's data bus. Rather than reading all the data contained in the EEPROM, it intercepts only the information most valuable for the attack. For example, probing the bus of the cryptographic coprocessor can extract information about the card's keys.

Knowing the structure of the ROM, an attacker can try to obtain the secret keys of the card. This is achieved through unauthorized changes to the ROM. For example, to attack DES keys it is sufficient to modify the instructions of the DES algorithm in a certain way. In particular, it is possible to reduce the number of rounds of the algorithm (from 16 to 1), to exclude the bitwise addition modulo 2 (exclusive or) of two Boolean sequences of equal length, or to change the form of the S-box transformations (see Section 2 of Appendix B) so that they become linear. Depending on how DES is implemented, it is sometimes sufficient to change just a few bits of the ROM to make retrieving the secret key a simple task.

In the general case, a situation is possible when an attacker completely rewrites the ROM and implements some linear encryption algorithms, when using which the value of the secret key is easily extracted.

Note that a microscope with a laser cutter is used to change the values of the individual bits of the ROM memory.

Another way to extract DES keys is to change, one by one, the EEPROM bits that store the DES key. Setting the value of the next key bit to a known value (0 or 1), the attacker observes the behaviour of the card during a cryptographic operation. If the card does not report a parity check failure, the key bit was guessed correctly.

Note that two probe needles used to probe the chip are used to set the chosen value of an EEPROM bit.

Another interesting way to determine the secret key is as follows. Typically, the implementation of the DES algorithm is an instruction describing a repeated loop of the algorithm and a memory register that stores the result of the loop. The register value is also the input value for the next cycle of the algorithm (see section 2 of Appendix B).

DES algorithm is a recurrent procedure, according to which the encrypted block is divided into left and right parts.


At each cycle of the algorithm, these parts are redefined depending on the current values of the right and left sides, the DES algorithm key and the cycle number (see Appendix B). In this case, the left side is always equal to the value of the right side of the previous cycle.

When the last bit of the right half of the register changes on the last, sixteenth, round of the DES algorithm, only the first and last four bits of the right half of the ciphertext (before the final permutation of the DES round) change; this follows from the way the expansion function of DES and the S-box transforms work. Therefore, by enumeration one can find on average four values each of the first and last six-bit blocks of the key K16 that produce the known values of the first and last four-bit blocks, respectively, in the ciphertexts obtained without and with the change of the last bit of the right half of the register.

E. Biham and A. Shamir, in their work on differential cryptanalysis, established the following result. If one bit of the right half changes in some DES round, and the position of this bit and the number of the round in which it changed are uniformly distributed, then the analysis of fewer than 200 pairs of ciphertexts obtained without and with a change of a bit of the right half determines the value of the key K16, which contains 48 bits of the DES key. The DES key is then found by searching the 2^(56-48) = 2^8 = 256 options for the missing 8 key bits. The differential cryptanalysis method is discussed in more detail later in this section, in connection with the Differential Fault Attack.

There are other ways to extract the key, for example by exploiting the data remanence of memory. Even RAM, when the power is turned off, retains the values stored in it for some time. EEPROM also exhibits remanence. Therefore, before any secret information is written into it, random data is written to and erased from the memory several times. Typically 10-100 write/erase cycles are used to protect against recovery of data previously stored in a memory cell.

An attack aimed at reading data from EEPROM is fairly straightforward. To read the EEPROM contents without using the card software, the processor's program counter is used as an address generator. For this purpose, all processor components, except the one that generates read accesses to the EEPROM, are disconnected from the chip bus. The program counter is incremented automatically after the processor executes each instruction and thus generates the address of the next data word to be read. The attacker only needs to connect to the data bus in order to record the information read by the processor.

Penetrating attacks require the use of laboratory equipment, take a long time to implement (on the order of several weeks), and are expensive for these reasons.

The most common non-intrusive attack methods are described below.

A striking representative of this type of attack is the attack based on analysis of the time required to perform a cryptographic operation (Timing Analysis Attack). The time required to perform such an operation depends on the values of individual bits of the secret key and of the encrypted data. Therefore, by measuring the operation time accurately and many times, one can draw conclusions about the values of the key bits.

To illustrate, consider the sequential squaring (square-and-multiply) method used to compute the power C^d (mod n) in the RSA algorithm. From the description of the algorithm underlying this method (see Section 3 of Appendix B) it follows that if the current bit of the key is 1, an additional multiplication is required, unlike the case when this key bit is 0. Therefore, having found that the current step of the algorithm took a long time, we conclude that the corresponding key bit is 1; conversely, if the step was performed quickly, the corresponding key bit is 0.
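The leak described above, simulated in code, as an added example that is not part of the book excerpt: a left-to-right square-and-multiply routine that records how many modular multiplications each key bit costs, the reconstruction of d from that per-step "timing", and a Montgomery ladder that performs identical work for every bit. The RSA parameters (n = 61 * 53, e = 17, d = 2753) and the sample ciphertext are constructed toy values.

```python
# Added example (not from the book excerpt above): why left-to-right
# square-and-multiply leaks the private exponent d through timing, and a
# Montgomery ladder whose per-bit cost does not depend on the bit value.
# n, e, d and the sample ciphertext are small constructed toy values.

def square_and_multiply_trace(c, d, n):
    """Compute c^d mod n bit by bit (MSB first) and record, for each key
    bit, how many modular multiplications that step took.  A 1-bit costs a
    squaring plus a multiplication (2), a 0-bit only a squaring (1)."""
    result = 1
    trace = []
    for bit in bin(d)[2:]:
        result = (result * result) % n        # always square
        ops = 1
        if bit == "1":
            result = (result * c) % n         # extra multiply for 1-bits
            ops += 1
        trace.append(ops)
    return result, trace


def exponent_from_trace(trace):
    """What a timing observer can do with the per-step durations of the
    leaky routine: a slow step means a 1-bit, a fast step a 0-bit."""
    bits = "".join("1" if ops == 2 else "0" for ops in trace)
    return int(bits, 2)


def montgomery_ladder_trace(c, d, n):
    """Same result, but every key bit performs exactly one squaring and one
    multiplication, so the step durations carry no key information.
    Invariant: r1 == r0 * c (mod n) after every step."""
    r0, r1 = 1, c % n
    trace = []
    for bit in bin(d)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % n
            r1 = (r1 * r1) % n
        else:
            r1 = (r0 * r1) % n
            r0 = (r0 * r0) % n
        trace.append(2)
    return r0, trace


# Constructed toy RSA parameters: n = 61 * 53, e = 17, d = e^-1 mod phi(n).
N, E, D = 3233, 17, 2753
SAMPLE_CIPHERTEXT = 855                     # 123^17 mod 3233


if __name__ == "__main__":
    plain, leaky = square_and_multiply_trace(SAMPLE_CIPHERTEXT, D, N)
    print("decrypted:", plain, "step costs:", leaky)
    print("exponent recovered from timing:", exponent_from_trace(leaky))
    _, ladder = montgomery_ladder_trace(SAMPLE_CIPHERTEXT, D, N)
    print("ladder step costs:", ladder)
```

The ladder removes the operation-count leak only; a production implementation must also avoid key-dependent branches and memory accesses (the `if bit == "1"` above is itself a branch) and use constant-time modular arithmetic, which is why real cards combine such code with the hardware countermeasures discussed later in this section.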

Another representative of non-penetrating attacks is the attack based on analysis of the card's power consumption (Power Consumption Attack). By measuring the current through a resistor placed in the card's power supply line, one can observe the current level of activity of the card while it executes the instructions of the card application.

The microcircuit of the card consists of hundreds of thousands of transistors, each of which acts as a switch controlled by the voltage applied to the gate of the transistor. When the charge (voltage) of the gate of the transistor changes, current flows through the transistor. The currents arising from a change in the charge of a transistor deliver charges to the gates of other transistors. These currents cause electromagnetic radiation, which can also be used to measure the electrical activity of the card.

The current value of the electrical activity of the card depends on the instruction being executed by the processor at a given time, as well as on the data values involved in the operation being executed. By analyzing the electrical activity of the card or its individual modules (for example, cryptoprocessors), it is possible to obtain information about the keys of the card, which is often the target of an attack.

Chapter 7 will discuss a Radio Frequency Attack on contactless cards that exploits the correlation between the RSA key bit currently being processed by the sequential squaring method for computing C^d (mod n) and the strength of the magnetic field in the area of the chip.

There are two types of attacks based on analysis of the energy consumed by the card: Simple Power Analysis (SPA) and Differential Power Analysis (DPA).

In the case of a SPA attack, cryptographic analysis is performed based on direct measurements of the power consumed by the microcircuit during various operations. Using the SPA method, you can identify the time intervals during which the microcircuit implements the DES or RSA algorithm. This is achieved due to the fact that the general pattern of power consumption at various stages of the execution of these algorithms is known in advance (DES cycles, sequential squaring in the RSA algorithm).

Moreover, on the basis of SPA, it is possible to identify and differentiate the individual operations performed within the framework of the cryptographic algorithm. For example, using SPA, you can break the RSA key by exploiting the difference in power consumption of the chip when performing squaring and multiplying operations (by analogy with the Timing Analysis Attack). Similarly, depending on the key values, DES implementations find an obvious difference in the power consumption of the microcircuit when performing the permutation and substitution operations.

The energy consumed by the microcircuit depends on the values of the variables used in the operations performed by the microcircuit. These differences are often masked by noise or measurement errors. However, the statistical methods of correlation analysis of measurement results used in DPA still sometimes allow to extract information about the secret keys of the card.

Another representative of non-penetrating attacks is an attack based on the use of errors initiated by the attacker (Fault Attack). All attacks of this type are based on the chip's reaction to changes in the external conditions of its use. For example, the behavior of a chip depends on a sharp change in the voltage and clock frequency applied to it, changes in the temperature of individual chip components, irradiation of the chip with light or an ion beam, and on the effect of an electromagnetic field on the chip. By applying these external non-intrusive influences to the chip, the attacker seeks to cause improper behavior of the microcircuit, including errors in the execution of the microcircuit programs. The attacker tries to provoke the microcircuit to make the wrong decision. For example, if a PIN code is required to access a certain memory element, then if the chip behaves inadequately,

Another example is the so-called memory dump. Instead of giving out some of its identification data, under extraordinary conditions the card can show much more data, including fragments of the operating system, as well as secret information - keys and PIN-code.

An attacker can also use external influence on the card in such a way as to disrupt the process of cryptographic computations (Differential Fault Attack), for example, by reducing the number of cycles in the cryptographic algorithm and thereby making it easier to determine the secret key. Within the framework of an attack such as Differential Fault Attack, there may be cases of changing the card constants, leading to the elucidation of its secret.

Let us illustrate the above with an example of an attack on the RSA algorithm when the Chinese remainder theorem (CRT) is used for its implementation.

As follows from formula (B4) (see Section 3 of Appendix B), the d-th power of any number C modulo n = pq can be represented as:

C^d = (s_q - s_p)·p^(-1)·p + s_p (mod pq).

The last equality can obviously be rewritten as:

C^d = a·s_p + b·s_q (mod pq),

where s_p = C^(d_p) (mod p), s_q = C^(d_q) (mod q), p^(-1) denotes the inverse of p modulo q, a = 1 - p·p^(-1), b = p·p^(-1).

Since the congruence p·p^(-1) ≡ 1 (mod q) holds, the following congruences are satisfied:

a ≡ 1 (mod p); b ≡ 0 (mod p);

a ≡ 0 (mod q); b ≡ 1 (mod q).

The attack on the RSA algorithm then proceeds as follows. Suppose that the signature s of some message m is known. The value of the prime p stored on the card is changed to some value p'. Note that in this case neither the value of p nor the value of p' needs to be known. With p' in place of p, the card is forced to compute the signature s' of the same message, i.e. s' = a'·s'_p + b'·s_q (mod p'q), where s'_p, a' and b' are obtained from the definitions above with p' substituted for p.

Then, for some integers A and B, we have:

s - s' = a·s_p + b·s_q + A·pq - a'·s'_p - b'·s_q - B·p'q.

Obviously s - s' is divisible by q, since the congruences still hold:

a' ≡ 0 (mod q); b' ≡ 1 (mod q).

Since n = pq, it follows that gcd(n, s - s') is one of the factors of n. Thus we can find the values of q and p. This way of decomposing n into prime factors requires only O((log2 n)^3) operations, which is much less than the complexity of the general problem of factoring n = pq, the product of two large primes. Estimates of the complexity of the latter problem are given in Appendix B; for illustration, note that factoring n by trial division requires O(√n·(log2 n)^3) bit operations.
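The CRT signature, the fault that replaces p by p' and the gcd step above, carried through on a toy key, as an added example that is not the book's own code. The key (p = 61, q = 53, e = 17) and the fault value p' = 60 (one flipped bit of p) are constructed assumptions; the `sign_with_check` function shows the countermeasure a card applies in practice, verifying the signature with the public exponent before releasing it, so that a faulted s' never leaves the chip.

```python
from math import gcd

# Added example (not the book's own code): RSA signing with the CRT
# recombination s = a*s_p + b*s_q (mod pq), a simulated fault that replaces
# the stored prime p with p', the gcd step that turns (s, s') into a factor
# of n, and the verify-before-output countermeasure.  Toy key material only.


def make_crt_key(p, q, e):
    """Build the CRT parameters a card would store: d_p and d_q.
    pow(e, -1, m) computes a modular inverse (Python >= 3.8)."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"p": p, "q": q, "e": e, "n": p * q,
            "d_p": d % (p - 1), "d_q": d % (q - 1)}


def crt_sign(m, key, faulty_p=None):
    """Signature s = a*s_p + b*s_q mod pq with a = 1 - p*p_inv, b = p*p_inv.
    If faulty_p is given, the card uses it wherever it would use p,
    modelling the fault that changes p to p' in the text."""
    p = key["p"] if faulty_p is None else faulty_p
    q = key["q"]
    s_p = pow(m, key["d_p"], p)              # s_p = m^d_p mod p
    s_q = pow(m, key["d_q"], q)              # s_q = m^d_q mod q
    p_inv = pow(p, -1, q)                    # p * p_inv = 1 (mod q)
    b = p * p_inv                            # b = 0 (mod p), b = 1 (mod q)
    a = 1 - b                                # a = 1 (mod p), a = 0 (mod q)
    return (a * s_p + b * s_q) % (p * q)


def factor_from_faulty_pair(n, s, s_faulty):
    """gcd(n, s - s') is divisible by q because both signatures agree
    modulo q and (with overwhelming probability) differ modulo p."""
    return gcd(n, s - s_faulty)


def sign_with_check(m, key, faulty_p=None):
    """Countermeasure: verify the signature with the public exponent
    before releasing it; a faulted signature fails and is withheld."""
    s = crt_sign(m, key, faulty_p)
    if pow(s, key["e"], key["n"]) != m % key["n"]:
        return None                          # fault detected, no output
    return s


# Constructed toy key: p = 61, q = 53, e = 17 (far too small for real use).
KEY = make_crt_key(61, 53, 17)
MESSAGE = 855


if __name__ == "__main__":
    s = crt_sign(MESSAGE, KEY)
    s_bad = crt_sign(MESSAGE, KEY, faulty_p=60)   # assumed one-bit fault in p
    print("s  =", s, " s' =", s_bad)
    print("gcd(n, s - s') =", factor_from_faulty_pair(KEY["n"], s, s_bad))
    print("checked signing under fault ->", sign_with_check(MESSAGE, KEY, faulty_p=60))
```

With these values s = 123, the faulted s' = 1395 and gcd(3233, 123 - 1395) = 53 = q, after which p = n / q. The verification step costs one public-exponent exponentiation, which is why it is the standard software defence against this attack alongside the sensors discussed later in the section.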

Another illustration of a Differential Fault Attack is an attack on the DES algorithm. As follows from formula (B1) of Section 2 of Appendix B, on the last round of the DES algorithm the following equalities hold:

L(16) = R(15);

R(16) = L(15) ⊕ f(R(15), K(16)),

where L(16) and R(16) are the left and right halves of the ciphertext, respectively; ⊕ denotes bitwise addition modulo 2; the function f is built from the S-box transformations S1, ..., S8, each mapping a 6-bit sequence to a 4-bit one; K(16) is the 48-bit round key obtained from the DES key by a fixed set of permutations, shifts and selections defined in the DES standard.

If now, on the last round of the DES algorithm, the value of R(15) is changed to R'(15) while L(15) is left unchanged, then as a result we obtain the equalities:

L'(16) = R'(15);

R'(16) = L(15) ⊕ f(R'(15), K(16)).

From these equalities it follows immediately that

R(16) ⊕ R'(16) = f(L(16), K(16)) ⊕ f(L'(16), K(16)). (2.1)

The last equality shows that the "prehistory" of the ciphertext computation (the value L(15)) has been cut off, limiting the cryptanalysis to the data of the last round of the algorithm only. Now we split the 32-bit left-hand side of (2.1) into consecutive 4-bit blocks and the key K(16) into eight consecutive 6-bit blocks. For each 6-bit block i (i = 1, ..., 8) of the key K(16), by trying at most 2^6 different values of the block, we find the values for which equality (2.1) is satisfied. Thus, taking into account the eight 6-bit blocks of K(16), finding its possible values requires 8·2^6 = 2^9 elementary checks of equality (2.1).

Under the assumption that the transformations used in each DES round (the substitutions, permutations and S-box tables S1, ..., S8) mix the data ideally, general considerations give that each value of the left-hand side of (2.1) corresponds to 2^56 / 2^32 = 2^24 different values of the DES key. More precise calculations show that equality (2.1) reduces the search for the DES key to an enumeration of no more than 2^26 different values.

Similar results hold for the 3DES algorithm. An error in the last round of the algorithm in this case shortens the key search to an enumeration of no more than 2^75 different values.
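The per-block check behind equality (2.1), as an added example that is not from the book: for one S-box (the real DES S1), every one of the 2^6 values of its 6-bit key block is tested against the observed 4-bit output difference of a (correct, faulted) ciphertext pair, and the surviving candidates of several pairs are intersected. The true key block, the S-box inputs and the injected bit flips are constructed values; the other seven S-boxes, the expansion E and the inverse of the permutation P, which map ciphertext bits to S-box inputs and outputs in a real attack, are left out, so the code shows the 2^6-per-block enumeration rather than a full DES implementation.

```python
# Added example (not from the book): the per-S-box key-block test behind
# equality (2.1).  After undoing the final permutation P, each 4-bit chunk
# of R(16) xor R'(16) equals S_i(x xor k) xor S_i(x' xor k), where x and x'
# are the 6-bit chunks of E(L(16)) and E(L'(16)) feeding S-box i and k is
# the matching 6-bit block of K(16).  Only DES S-box S1 is used here; the
# key block and the fault pairs are constructed values.

# DES S-box S1, rows 0..3 in order, as published in the DES standard.
S1 = [
    14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
    0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
    4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
    15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13,
]


def sbox1(x):
    """Standard DES addressing: outer bits (b5, b0) select the row, the
    middle four bits select the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row * 16 + col]


def observed_difference(x, x_fault, key_block):
    """What the attacker reads off the two ciphertexts: the 4-bit chunk of
    P^-1(R(16) xor R'(16)) produced by S1 under the (unknown) true key."""
    return sbox1(x ^ key_block) ^ sbox1(x_fault ^ key_block)


def candidates_for_pair(x, x_fault, delta):
    """All 2^6 values k of the S1 key block for which (2.1) holds on this
    (correct, faulted) pair.  By the DES S-box design criteria at most 16
    of the 64 values survive when x != x'; with x == x' nothing is learned."""
    return {k for k in range(64)
            if sbox1(x ^ k) ^ sbox1(x_fault ^ k) == delta}


def recover_key_block(pairs, deltas):
    """Intersect the candidate sets of several fault pairs; with enough
    pairs only the true block of K(16) is left."""
    survivors = set(range(64))
    for (x, x_fault), delta in zip(pairs, deltas):
        survivors &= candidates_for_pair(x, x_fault, delta)
    return survivors


# Constructed true block of K(16) for S1 and constructed (x, x') pairs; each
# fault flips one S1 input bit, as a one-bit change of R(15) does after E.
TRUE_BLOCK = 0b101100
PAIRS = [(0b010011, 0b010010), (0b110101, 0b100101),
         (0b001110, 0b001111), (0b111000, 0b011000)]
DELTAS = [observed_difference(x, xf, TRUE_BLOCK) for x, xf in PAIRS]


if __name__ == "__main__":
    for (x, xf), d in zip(PAIRS, DELTAS):
        print(f"pair x={x:06b} x'={xf:06b} delta={d:04b}: "
              f"{len(candidates_for_pair(x, xf, d))} candidates")
    print("S1 key block candidates after all pairs:",
          recover_key_block(PAIRS, DELTAS))
```

Each pair cuts the 64 possibilities for one block to at most 16 (and the candidate set always contains both k and k xor (x xor x')), which is why a handful of faulted ciphertexts suffice in the text's estimates. The defender's view of the same computation is the usual countermeasure: recompute or verify the final rounds and suppress the output when the two results differ, so that no (s, s') pair of this kind is ever emitted.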

Spike Attacks are based on the use of rapid changes in the voltage applied to the card. Such attacks cause errors in the operation of the card's processor, which in turn leads to the skipping or incorrect execution of individual instructions. An attacker can exploit these errors, for example, to bypass PIN verification or card blocking.

Attacks called Glitch Attacks are similar in application. Card errors in this case are caused by changes in the clock frequency of the signal supplied to the card, but the consequences are the same - incorrect execution of some instructions by the card processor.

Although today there are numerous ways to prevent attacks by Spike Attacks and Glitch Attacks, in each specific case, special testing of the microcircuit is required to resist these attacks, since the "sensitivity" of different chips to such attacks is different.

Electromagnetic Induction Attacks have become known relatively recently. To initiate the attack, a ring-shaped electrical conductor is used, placed directly above the surface of the microcircuit. A current is passed through the ring, creating an electromagnetic field that causes errors in the operation of the microcircuit. These errors can be used to gain unauthorized access to protected areas of the microcircuit memory.

Unlike Spike Attacks and Glitch Attacks, electromagnetic induction attacks can target individual components of the chip. Therefore, it is more difficult to develop countermeasures for this type of attack. For example, sensors and filters could be provided to monitor and stabilize voltage interruptions to the card. The same goes for clock control. However, if the electromagnetic field affects only a separate component of the microcircuit, for example, a cryptographic coprocessor, then even determining such an effect will not be easy.

Another type of attack is errors induced by optical irradiation of the chip while it is executing a card application. As a result of light irradiation, currents arise inside the chip, which can cause program execution errors. Such errors, in turn, can lead to the possibility of bypassing password verification, a memory dump providing the attacker with secret information, as well as changes in the implementation of the cryptographic algorithm, which allows obtaining information about the secret keys.

An optical attack is called global if the entire surface of the chip is exposed to light. In this case, the radiation source is located on the back of the chip. Sources that provide high-intensity radiation are used, such as flashlights and lasers. In this case, there is even no need to remove the plastic coating on the back of the chip.

Local optical attacks are aimed at irradiating individual components of the microcircuit and therefore require more complex implementation methods using a highly focused light flux. This attack method can be carried out using a microscope equipped with a laser or xenon lamp.

The use of local optical attacks requires the removal of the chip, as in the case of penetration attacks. In this regard, the concept of semi-penetrating attacks has recently appeared in the literature, when the microcircuit is removed from the card, but the passivation layer of the microcircuit is not violated. Many optical attacks, in accordance with the above definition, refer specifically to semi-penetrating attacks.

At the same time, tests show that when infrared radiation is used, no shielding of the microcircuit, including metal plates, helps. Therefore, by irradiating the card from its rear side with an infrared laser, the desired result can be achieved.

Thermal attacks are based on changes in the temperature of individual components of the microcircuit. More often than not, thermal attacks that exploit temperature rise will change the value of some of the RAM bits. On the contrary, a significant decrease in temperature leads to the freezing of information stored in RAM. The effectiveness of thermal attacks essentially depends on the types of memory used in the microcircuit. To combat thermal attacks, temperature sensors are used, which signal if the temperature exceeds the set thresholds.

However, temperature sensors are no longer an effective means of dealing with thermal attacks today. This is due to the emergence of a method called Thermally Induced Voltage Alteration (TIVA). The TIVA method uses localized irradiation from an infrared laser. Once inside the chip, the infrared radiation causes heating; at the same time, the long wavelength of the radiation means that the energy it delivers is too low for the light sensors to detect it. Heating individual chip components causes the same range of errors that were discussed earlier.

Finally, let's take a look at the attack caused by alpha radiation. Irradiation of the chip surface with alpha particles (helium nuclei, consisting of two protons and two neutrons) leads to a change in the memory content and a delay in the signals used by the microcircuit. In turn, these effects can be used to manipulate computations performed while the application is running. For example, the PIN check or the integrity check of the information stored on the card can be bypassed. To initiate this attack, it is enough to have a weak radioactive source, which can be based on Radium-226, Thorium-232 or Americium-241. Some minerals used in everyday life are also sources of alpha particles.

An attack caused by irradiating a chip with alpha particles, from the attacker's point of view, has a significant drawback associated with the fact that, due to the stochastic nature of radiation, it is difficult to predict the moment of an error in the chip. Covering the chip in plastic is an effective means of dealing with this type of attack.

As you can see from the overview of attacks of the Fault Attack class, only a few attacks can be clearly classified as non-penetrating (for example, Spike Attacks, Glitch Attacks). Some attacks of this class should be classified as semi-penetrating attacks, for example, local optical attacks.

To combat these types of attacks, chip vendors have developed a variety of countermeasures. For example, Infineon Technologies has implemented more than 50 different countermeasures in its SLE66P / PE and SLE88P microcircuits. The most versatile countermeasures include:
  • sensors and filters for monitoring the operating conditions of the microcircuit (such sensors and filters include light and temperature sensors, as well as filters that smooth out voltage surges and changes in the clock frequency);
  • data encryption of all types of memory (ROM, EEPROM, RAM) to prevent the possibility of analyzing the contents of the memory;
  • scrambling or encryption of data transmitted in address and data buses;
  • using a memory management unit (Memory Management Unit or MMU) to encrypt data stored in EEPROM and RAM and control access to various types of memory;
  • means of combating attacks based on measuring the energy consumed by the microcircuit or its electromagnetic radiation: masking the radiation or, conversely, reducing it with special filters; varying the execution logic of the same program from run to run;
  • use of a special processor design;
  • use of a special cryptoprocessor to execute the RSA and DES algorithms;
  • use of a special hardware random number generator used to generate keys in the RSA scheme;
  • use of active means of protection against penetrating attacks.