Abstract
Measuring power consumption for side channel analysis typically uses an oscilloscope, which measures the data relative to an internal sample clock. By synchronizing the sampling clock to the clock of the target device, the sample rate requirements are considerably relaxed; the attack will succeed with a much lower sample rate. This work characterizes the performance of a synchronous sampling system attacking a modern microcontroller running a software AES implementation. This attack is characterized under four conditions: with a stable crystal oscillator-based clock, with a clock that is randomly varied between 3.9 and 13 MHz, with an internal oscillator that is randomly varied between 7.2 and 8.1 MHz, and with an internal oscillator that has slight random variation due to natural ‘drift’ in the oscillator. Traces captured with the synchronous sampling technique can be processed with a standard Differential Power Analysis style attack in all four cases, whereas when an oscilloscope is used only the stable oscillator setup is successful. This work also develops the hardware to recover the internal clock of a device which does not have an externally available clock. It is possible to implement this scheme in software only, allowing it to work with existing oscilloscope-based test environments. Performing the recovery in hardware allows the use of fault injection with excellent temporal stability relative to a sensitive event. This is demonstrated with a power glitch inserted into a microcontroller, where the glitch is triggered based on a signature in the measured power consumption.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Notes
The feature size of this specific device is unknown, but based on similar devices is assumed to be within the 0.12–0.18 \(\upmu \)m range.
This paper is always using AES-128.
After 2,500 traces the average PGE was 40, and only 4 of the 16 bytes had a stable PGE \(<\) 5.
References
Atmel Corporation: ATmega48A Datasheet
Banerjee, D.: PLL performance simulation and design handbook, 4th edn. Texas Instruments, Dallas (2006)
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. Cryptographic Hardware and Embedded Systems—CHES 2004, Lecture Notes in Computer Science, vol. 3156, pp. 16–29. Springer, Berlin (2004)
Costas, J.: Synchronous communications. IRE Trans. Commun. Syst. 5(1), 99–105 (1957). doi:10.1109/TCOM.1957.1097490
Guilley, S., Khalfallah, K., Lomne, V., Danger, J.L.: Formal Framework for the Evaluation of Waveform Resynchronization Algorithms. In: Proceedings of the 5th IFIP WG 11.2 International Conference on Information Security Theory and Practice, WISTP’11, pp. 100–115. Springer, Berlin. URL http://dl.acm.org/citation.cfm?id=2017824.2017835 (2011)
Kafi, M., Guilley, S., Marcello, S., Naccache, D.: Deconvolving Protected Signals. In: International Conference on Availability, Reliability and Security, 2009. ARES ’09, pp. 687–694 (2009). doi:10.1109/ARES.2009.197
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Advances in Cryptology—CRYPTO’ 99, pp. 388–397. Springer (1999)
Mangard, S., Oswald, E., Popp, T.: Power analysis attacks: revealing the secrets of smart cards, advances in information security. Springer, Berlin (2008)
Massey, J.: Guessing and entropy. In: Proceedings of 1994 IEEE International Symposium on Information Theory, pp. 204 (1994). doi:10.1109/ISIT.1994.394764
Messerges, T.: Power Analysis Attacks and Countermeasures for Cryptographic Algorithms. Ph.D. thesis, University of Illinois at Chicago (2000)
Montminy, D., Baldwin, R., Temple, M., Laspe, E.: Improving cross-device attacks using zero-mean unit-variance normalization. J. Cryptogr. Eng. 3(2), 99–110 (2013). doi:10.1007/s13389-012-0038-y
O’Flynn, C., Chen, Z.D.: A case study of side-channel analysis using decoupling capacitor power measurement with the OpenADC. Lect. Notes Comput. Sci. 7743, 328–344 (2013)
O’Flynn, C., Chen, Z.D.: ChipWhisperer: An open-source platform for hardware embedded security research. In: Constructive side-channel analysis and secure design—COSADE 2014, Lecture Notes in Computer Science, vol. 8622, pp. 243–260, Springer, Paris (2014). URL http://link.springer.com/chapter/10.10072F978-3-319-10175-0_17
Quisquater, J.J., Samyde, D.: Eddy current for magnetic analysis with active sensor. In: Esmart 2002, Nice, France (2002)
Réal, D., Canovas, C., Clédière, J., Drissi, M., Valette, F.: Defeating classical hardware countermeasures: a new processing for side channel analysis. In: Proceedings of the Conference on Design, Automation and Test in Europe, DATE ’08, pp. 1274–1279. ACM, New York, NY, USA (2008). doi:10.1145/1403375.1403684
Skorobogatov, S.: Synchronization method for SCA and fault attacks. J. Cryptogr. Eng. 1(1), 71–77 (2011). doi:10.1007/s13389-011-0004-0
Skorobogatov, S., Anderson, R.: Optical fault induction attacks. In: B. Kaliski, e. Ko, C. Paar (eds.) Cryptographic Hardware and Embedded Systems—CHES 2002, Lecture Notes in Computer Science, vol. 2523, pp. 2–12. Springer, Berlin (2003). doi:10.1007/3-540-36400-5_2. URL http://dx.doi.org/10.1007/3-540-36400-5_2
Tian, Q., Huss, S.: On clock frequency effects in side channel attacks of symmetric block ciphers. In: 2012 5th International Conference on New Technologies, Mobility and Security (NTMS), pp. 1–5 (2012). doi:10.1109/NTMS.2012.6208680
van Woudenberg, J., Witteman, M., Menarini, F.: Practical optical fault injection on secure microcontrollers. In: 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 91–99 (2011). doi:10.1109/FDTC.2011.12
van Woudenberg, J.G.J., Witteman, M.F., Bakker, B.: Improving differential power analysis by elastic alignment. In: Proceedings of the 11th International Conference on Topics in Cryptology: CT-RSA 2011. CT-RSA’11, pp. 104–119. Springer, Berlin (2011)
Yang, S., Gupta, P., Wolf, M., Serpanos, D., Narayanan, V., Xie, Y.: Power analysis attack resistance engineering by dynamic voltage and frequency scaling. ACM Trans. Embed. Comput. Syst. 11(3): 62:1–62:16 (2012). doi:10.1145/2345770.2345774
Acknowledgments
Special thanks to funding provided by NSERC Canada Graduate Scholarship and OZ Optics. The authors appreciate many constructive comments from anonymous reviewers which helped improve the final version of this paper.
Author information
Authors and Affiliations
Corresponding author
Appendix A: Hardware and design details
Appendix A: Hardware and design details
This appendix provides some brief notes on the physical hardware realized in this paper, along with a few notes for researchers looking to duplicate it. Note that full details are posted as part of the ChipWhisperer Wiki at http://www.ChipWhisperer.com.
1.1 Core clock recovery module
The core part of this work is a module with a Low Noise Amplifier (LNA), Limiter, and Phase-Lock Loop (PLL) chip. The schematic for this is given in Fig. 26. The LNA is an Analog Devices AD8331, which has a variable gain up to 55dB. A resistor connected to the ‘RLIM’ pins provides an ability to set an arbitrary clipping level for the output. This clipped output is connected to the PLL chip, which is a Texas Instruments CDCE906. The clipped output from the LNA is used a LVDS input to the PLL, which works assuming the input to the entire block was sufficiently clean, that is to say it contains only a single frequency component. Additional filtering can be added by placing capacitors on each of the input pins of the CDCE906 to ground, values between 100 and 680 pF are reasonable depending on the fundamental frequency being targeted.
The CDCE906 was chosen for its ability to operate down to 1 MHz, many PLL devices have higher lower frequency limits. If attacking devices with relatively slow internal oscillators, such as the KeeLoq devices at 1.3 MHz, this lower range is needed. The CDCE906 can be configured via I\(^2\)C to adjust parameters such as input drive level, frequency divider settings, and outputs in use. For this work, it was configured to enable the PLL with frequency dividers such that the input and output frequency were the same. The sampling rate can easily be set to a higher multiple of the system frequency with this PLL block.
Schematic for the LNA, Limiter, and PLL as used in Fig. 14
1.2 Filter
The filter design was done using the Quite Universal Circuit Simulator (QUCS) software. QUCS contains a Filter Synthesis tool, which can be used to generate an appropriate band-pass filter (Fig. 27). This will be calculated with ‘ideal’ component values, and then these values are adjusted to the closest standard part, and a simulation confirms if the performance is still acceptable.
Note that at DC the filter will present a dead short, as no blocking capacitors are present. If connecting one side of the filter to a shunt or other device with a DC bias, always insert DC blocking capacitors.
Band-pass filter design environment. Note that the component values have been changed to reflect those being used in the actual circuit, and some optimizations may be needed to get acceptable performance. The equation to plot group delay in clock cycles can be seen in this diagram
1.3 First stage LNA
An additional LNA may be required in front of the band-pass filter depending on the signal strength. It is possible to use a standard device such as a MiniCircuits ZFL-1000LN+. Care must be taken with RF amplifiers, as most of them are designed for use with 50\(\Omega \) systems. If the output or input is not matched properly, the amplifier may oscillate causing errors. Generally amplifiers based on Op-Amps are safer in this regard, and specially designed differential amplifiers can be exceedingly useful when measuring across current shunts.
Rights and permissions
About this article
Cite this article
O’Flynn, C., Chen, Z. Synchronous sampling and clock recovery of internal oscillators for side channel analysis and fault injection. J Cryptogr Eng 5, 53–69 (2015). https://doi.org/10.1007/s13389-014-0087-5
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s13389-014-0087-5