Scan Based Side Channel Attack on Data Encryption Standard
- 1. Scan Based Side Channel Attack on Data Encryption Standard IACR’04 Bo Yang, Kaijie Wu, Ramesh Karri ECE Dept., Polytechnic University, Brooklyn. (Currently NYU Tandon)
- 2. Scan Based Side Channel Attack on Data Encryption Standard Outline • Introduction • Assumptions • Methodology • Discussion • Conclusions 2
- 3. Scan Based Side Channel Attack on Data Encryption Standard Outline • Introduction • Assumptions • Methodology • Discussion • Conclusions 3
- 4. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Cryptographic algorithms – Application-Specific Integrated Circuits (ASIC) – Cryptographic Coprocessors • Scan-based tests – Validate the function of a hardware system at fabrication time and in field. – High fault coverage, test pattern generation and signature analysis w/o additional hardware. (cp. built-in self test (BIST)) 4
- 5. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Scan-based tests – Constructs several Scan Chains (SCs) in a chip by tying together internal registers and flip flops and connecting them to the JTAG. – During test synthesis • SCs are inserted by synthesis tool. – During chip packaging • SCs are connected to external JTAG interface pins to provide on-chip debugging and maintenance in field, or left unbound. 5
- 6. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Scan-based tests – However, unbound scan chains can still be accessed by breaking the package open. 6
- 7. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Data Encryption Standard – DES is a symmetric encryption algorithm developed in the 1970s by IBM. – Encrypts 64-bit data blocks under the control of a 56-bit user key. – DES decryption is the inverse of DES encryption and uses the same user key. 7
- 8. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Data Encryption Standard 8
- 9. Scan Based Side Channel Attack on Data Encryption Standard Introduction • Contributions – Show that scan chains can be used to discover the secret keys stored in a cryptographic device. – The approach is simple yet general and powerful and can be adapted to any cryptographic implementation on ASICs or FPGAs or general microprocessors. 9
- 10. Scan Based Side Channel Attack on Data Encryption Standard Outline • Introduction • Assumptions • Methodology • Discussion • Conclusions 10
- 11. Assumptions • Know the DES algorithm. • Have access to high level timing diagrams. • Do not know the exact number of registers used. • Round keys are stored in a secure RAM/ROM. • Round key registers are not included in the scan chain. • Do not know the structure of the scan chain. 11
- 12. Scan Based Side Channel Attack on Data Encryption Standard Outline • Introduction • Assumptions • Methodology • Discussion • Conclusions 12
- 13. Scan Based Side Channel Attack on Data Encryption Standard Methodology • Step 1. Determine Scan Chain Structure • Step 2. Recover DES Round Key • Step 3. Recover DES User Key 13
- 14. Scan Based Side Channel Attack on Data Encryption Standard Methodology • Switch the DES circuit between normal mode and test mode. 1. Reset to normal mode -> Load a known plaintext into input register. 2. Switch to test mode -> Scan out the bit stream, pattern 1. 3. Switch to normal mode -> Load the plaintext into L or R registers. 4. Switch to test mode -> Scan out the bit stream, pattern 2. 5. Repeat steps 1 to 3 using a plaintext that is different from the first plaintext in only one-bit position. Save the pattern 3 and pattern 4. 14 Step 1. Determine Scan Chain Structure
- 15. Scan Based Side Channel Attack on Data Encryption Standard Methodology • Know the location of L and R registers in the scan chain → Break DES algorithm! 15 Step 2. Recover DES Round Key L1 = R0 ‚ R1 = L0 ⨁ d ƒ d = permutation(c) „ a = Expand(r) … b = a ⨁ K1 † c = S_box(b) d d L1 L0 R0 R1 r a a c c b b K1
- 16. Scan Based Side Channel Attack on Data Encryption Standard Methodology • Reverse the S-box (Substitution Box) – Each S-box compresses the 6-bit input into a 4-bit output. 16 Step 2. Recover DES Round Key (000110)2, (001111)2, (100010)2 or (101101)2 (001110)2, (000111)2, (101010)2 or (100101)2 c2=8 c2=8 c2=4 c2=6 (010111)2 (111100)2 c3=11 c3=5 K148K143 K147K146K145K144
- 17. Scan Based Side Channel Attack on Data Encryption Standard Methodology • Each round key contains 48 bits of the 56-bit user key. • By analysis of the DES round key generation algorithm, we only need to recover round keys K1, K2, and K3 to derive the user key. 17 Step 3. Recover DES User Key
- 18. Scan Based Side Channel Attack on Data Encryption Standard Outline • Introduction • Assumptions • Methodology • Discussion • Conclusions 18
- 19. Scan Based Side Channel Attack on Data Encryption Standard Discussion 19 • Attack Complexity Analysis – 198 clock cycles to scan-out the first bit stream. – 198 clock cycles to locate one flip flop in the input register. • Total 38016 cycles to determine the entire scan chain. – 397 clock cycles for every input plaintext to reach R0, L0, R1 and L1. • Total 3561 cycles to discover round keys K1, K2 and K3. – Overall, 41775 clock cycles are required to discover the user key.
- 20. Scan Based Side Channel Attack on Data Encryption Standard Discussion 20 • Attack Complexity Analysis – 198 clock cycles to scan-out the first bit stream. • 1 cycle for normal operation + 197 cycles for scan operations – 198 clock cycles to locate one flip flop in the input register. • Total 38016 (=192×198) cycles to determine the entire scan chain. – 397 clock cycles for every input plaintext to reach R0, L0, R1 and L1. • 2 cycles for normal operation + 197 cycles for scan operation + 1 cycle for normal operation + 197 cycles for scan operation • 1191 cycles (397×3) to discover round key K1. • 1185 cycles to discover round keys K2 and K3.
- 21. Scan Based Side Channel Attack on Data Encryption Standard Discussion 21 • Extension to a pipelined DES architecture – 16-stage pipeline will have 17 pairs: (L0, R0) … (L16, R16). – L0 and R0 can be located first. – L1 and R1 can be located by observing that L1= R0 and R1=L0⊕f (R0, K1). – If we only change the lowest bit in L0, L1 remains unchanged, then the lowest bit in R1 will switch because f (R0, K1) remains unchanged. – Similarly, we can locate all flip-flops. – Hence, we can recover round key K1, K2 and K3.
- 22. Scan Based Side Channel Attack on Data Encryption Standard Discussion 22 • Characteristics of crypto algorithms on hardware – Data-driven: different plaintexts, but the control logic performs the same action. – Avalanche effect: One-bit difference in a round will translate into several bit changes in the next round. • This determines the clock cycle when the plaintext is loaded into the input plaintext register and the L, R registers.
- 23. Scan Based Side Channel Attack on Data Encryption Standard Outline • Introduction • Assumptions • Methodology • Discussion • Conclusions 23
- 24. Scan Based Side Channel Attack on Data Encryption Standard Conclusions • Several side-channel attacks have been proposed. • Show that scan chains and scan-based tests are a potent side- channel. • Propose an attack using only 3 plaintexts to break DES. 24