Manipulation: differential fault analysis (DFA)
As is well known, the operation of electronic devices can be adversely affected by exposing them to electromagnetic interference. For instance, a mobile telephone can cause the processors of many types of small computer-controlled appliances to crash. The cause lies in the memory cells, whose contents can be altered by the high-frequency AC fields. In 1996, Dan Boneh, Richard DeMillo and Richard Lipton published a study [Boneh 96] describing a theoretical method for determining the secret keys of asymmetric cryptographic algorithms by introducing scattered hardware errors. Since the three discoverers of this method worked at the Bell Communications Research (Bellcore) Laboratories at the time, this type of attack is often called the Bellcore attack. Only two months later, Eli Biham and Adi Shamir published an extension of the Bellcore attack called differential fault analysis (DFA) [Biham 96], which also included symmetric cryptographic algorithms such as DES. This meant that, at least in theory, many smart card applications were exposed to a new and serious form of attack. The basic principle of both of these types of attack is relatively simple. In the first step, an arbitrary plaintext is encrypted using the key to be broken, and the resulting ciphertext is saved. Following this, the operation of the card is disturbed while it is processing the cryptographic algorithm, for example by exposing it to ionizing radiation or high-frequency fields in order to alter a single bit of the key in a random location while the computation is being performed. This yields a ciphertext that is incorrectly encrypted, due to the altered bit. This process is repeated many times, and all the results are saved for analysis. The remainder of the procedure for determining the value of the secret key is purely mathematical, and it is fully described in the papers just mentioned.

The strength of this attack is primarily due to the fact that it is not even necessary to know the location of the altered bit in the secret key. Biham and Shamir state in their publication that with a single corrupted key bit, 200 ciphertext blocks are sufficient to compute the value of the secret DES key. If triple DES (with a 168-bit key) is used in place of simple DES, the number of required ciphertexts does not increase significantly. Even if more than one bit is altered, this attack remains effective; the only consequence is that more incorrectly encrypted ciphertexts are needed. In practice, this type of attack is not as simple as it sounds. If at all possible, only one bit should be altered, or at least only very few bits. If the entire microcontroller is simply bathed in microwave radiation, usually so many bits will be altered that the processor will hopelessly crash. Consequently, an attempt is made to induce the processor to make isolated processing errors by injecting specially prepared glitches into the power or clock lines. If the filter on the associated input leads cannot neutralize these glitches, they can produce the desired processing errors. However, a smart card is not totally helpless in the face of a Bellcore attack or DFA if suitable precautions are taken. The simplest defense is to simply compute the cryptographic algorithm twice and compare the two results. If they match, no attempt has been made to alter any bits from outside the card. This defense assumes that intentionally introduced random errors can never alter the same bit twice in a row. This is a realistic assumption, since if it ever became possible to selectively alter specific bits in a smart card processor, attacks that are much simpler and faster than DFA would be possible. The main disadvantage of double computation is the additional time that it requires, which can cause problems. This applies primarily to attacks on time-intensive asymmetric cryptographic procedures, such as RSA and DSS. Another effective defensive measure against differential fault analysis can be achieved by always encrypting different plaintexts. The simplest solution is to prefix the plaintext to be encrypted with a random number. This means that the cryptographic algorithm always encrypts different data, which prevents DFA from being used. In summary, the Bellcore attack and differential fault analysis are unquestionably dangerous types of attack that can succeed with smart cards that do not incorporate adequate protective measures. However, all smart card operating systems and applications were modified to protect them against these types of attack shortly after they became known, so neither the Bellcore attack nor DFA currently represents a serious threat.
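The two DFA countermeasures described above (double computation with comparison, and a random prefix so that the same plaintext is never encrypted twice) as an added example that is not part of the original text. The 64-bit keyed function is a labelled toy stand-in for DES, and the fault hook that flips one key bit in one of the two runs is a hypothetical test aid, not card firmware.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy 64-bit keyed block function, a stand-in for DES so the countermeasure
   can be exercised offline. The key enters only through the initial XOR and
   every round is a bijection, so a flipped key bit always changes the output.
   It is NOT a secure cipher. */
uint64_t toy_cipher(uint64_t key, uint64_t block) {
    uint64_t x = block ^ key;
    for (int r = 0; r < 8; r++) {
        x = (x << 13 | x >> 51) * 0x9E3779B97F4A7C15ULL; /* rotate, multiply */
        x ^= x >> 29;                                    /* xorshift */
    }
    return x;
}

/* Hypothetical fault hook: when fault_invocation is 1 or 2, that cipher run
   inside protected_encrypt sees key bit fault_bit flipped, i.e. the DFA fault
   model of one key bit altered during the computation. 0 = no fault. */
int fault_invocation = 0, fault_bit = 0;

static uint64_t run_cipher(int invocation, uint64_t key, uint64_t block) {
    if (invocation == fault_invocation) key ^= 1ULL << fault_bit;
    return toy_cipher(key, block);
}

/* The two defenses from the text: a random 32-bit prefix makes each
   encrypted block unique, and the cipher is computed twice and the results
   compared. Returns 0 and leaves *out untouched when the two runs disagree,
   so a faulty ciphertext is never released to the terminal. */
int protected_encrypt(uint64_t key, uint32_t plaintext,
                      uint32_t *prefix_out, uint64_t *out) {
    uint32_t prefix = (uint32_t)rand();          /* random prefix (nonce) */
    uint64_t block = (uint64_t)prefix << 32 | plaintext;
    uint64_t c1 = run_cipher(1, key, block);
    uint64_t c2 = run_cipher(2, key, block);
    if (c1 != c2) return 0;                      /* fault detected: abort */
    *prefix_out = prefix;
    *out = c1;
    return 1;
}
```

The prefix must be returned alongside the ciphertext because the receiving side needs it to reconstruct the encrypted block.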

Attack and defense: disturbing the processor
A type of attack that is similar to using differential fault analysis to attack the secret key of a cryptographic algorithm consists of attempting to affect the execution of program code routines by disturbing the operation of the processor. A type of attack that has been known to manufacturers of smart cards and smart card microcontrollers since around 1998 is the ‘light attack’, which was described in mid-2002 by Sergei Skorobogatov and Ross Anderson [Skorobogatov 02] as an ‘optical fault induction attack’. This paper describes an arrangement in which a standard commercial flash unit is attached to the camera adapter flange of a conventional optical microscope. Following this, a highly restricted region of the RAM of a standard microcontroller (PIC16F84) is exposed to light from the flash unit. With microcontrollers that are not hardened to resist this type of attack, this arrangement can be used to selectively set certain bits in the RAM to the logic 0 or 1 states. The operation of the processor can be disturbed by applying glitches to the supply lines, exposing the chip to flashes of light or using high-frequency radiation [Lamla 00], among other things. If the disturbance is triggered at the proper instant during the execution of the program, it can be used to intentionally influence a query operation, for instance. A simple example of this is shown in Figure 8.42. The task of the illustrated routine is to send the content of a transmit buffer, whose boundaries are specified by a start address and an end address. If the attacker succeeds in intentionally disturbing the query that determines the end address of the transmit buffer, data following the end of the transmit buffer will also be sent to the terminal. Should the workspace for a cryptographic algorithm be located in this region of memory, its keys could be illicitly read out in this manner.

The defense against this attack involves several system levels. At the hardware level, it is important for the smart card microcontroller to have suitable sensors, so that it can detect all attempts to disturb the processor. These sensors can include voltage glitch detectors and a large number of suitable light sensors. In order to make it impossible to defeat a few light sensors by covering them with black ink, it is a good idea to use a relatively large number of sensors distributed over the surface of the chip. This by itself is sufficient to preclude many types of attack. An opaque chip encapsulation material provides only limited protection, since it can be removed relatively easily using chemical methods. The second level of protection must be implemented in the software. The program code shown in the example can be made significantly more robust by using an ‘equal to’ query instead of a ‘less than or equal to’ query. Another countermeasure is to execute the query twice, with a random delay between the two queries. This requires the attacker to use two flashes of light to manipulate the query, and he will be additionally hindered by the fact that he cannot exactly predict the timing of the second flash. In addition, all confidential data stored in RAM should be immediately deleted after they have been used, or they should be temporarily encrypted. In order to further reduce the consequences of this type of attack, it is also a good idea to encrypt all secret data (such as PIN codes and keys) located in EEPROM. Should an attacker succeed in reading out portions of the EEPROM by manipulating queries, he would then only obtain encrypted data, which would be of no use to him. If an MMU is present, it can also be configured to monitor compliance with certain boundaries for transmitting data from the card. Furthermore, modern processors can detect illegal machine instructions and invalid addresses and respond appropriately. 
As can be clearly seen from this defense scenario, an attack that unquestionably can be regarded as serious can be blocked by a suitable combination of protective measures in hardware and software.
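The transmit-buffer routine of Figure 8.42 and the software-level defenses listed above (double evaluation of the end-address query with a random delay, a boundary check on the data leaving the card in place of the MMU, and wiping the buffer after use) as an added example that is not part of the original text. The 32-byte "card RAM", the key bytes placed after the buffer and the fault hook that inverts one evaluation of the query are constructed test aids, not real firmware.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed card RAM: a 16-byte transmit buffer directly followed by a
   cipher workspace whose key bytes must never leave the card. */
#define TX_START 0
#define TX_END   16            /* first address after the transmit buffer */
#define RAM_SIZE 32
uint8_t ram[RAM_SIZE];
uint8_t sent[RAM_SIZE];        /* captured I/O line, inspected by the test */
size_t  sent_len;
void load_ram(void) {          /* constructed contents: data, then a key */
    for (int i = 0; i < RAM_SIZE; i++)
        ram[i] = i < TX_END ? (uint8_t)i : (uint8_t)(0xA0 + i - TX_END);
}
/* Hypothetical fault hook: the glitch_at-th evaluation of the end-address
   query returns the inverted result, simulating one well-timed light flash. */
int glitch_at = -1, query_count;
int end_reached(size_t addr) {
    int r = (addr == TX_END);               /* 'equal to' query */
    if (query_count++ == glitch_at) r = !r;
    return r;
}
/* Unprotected routine of the kind the text describes: one query, raw I/O.
   (The RAM_SIZE guard only keeps the simulation inside the array.) */
int send_tx_naive(void) {
    sent_len = 0; query_count = 0;
    for (size_t addr = TX_START; !end_reached(addr) && addr < RAM_SIZE; addr++)
        sent[sent_len++] = ram[addr];
    return 1;
}
/* Hardened routine: the query is evaluated twice with a random delay in
   between, the I/O step enforces the buffer boundary (the MMU's job in the
   text), and the buffer is wiped after use. Returns 0 if a fault was detected. */
int send_tx_hardened(void) {
    sent_len = 0; query_count = 0;
    for (size_t addr = TX_START;; addr++) {
        int first = end_reached(addr);
        for (volatile int d = rand() % 64; d > 0; d--) { } /* random delay */
        if (first != end_reached(addr)) return 0;   /* queries disagree */
        if (first) break;
        if (addr >= TX_END) return 0;               /* boundary violation */
        sent[sent_len++] = ram[addr];
    }
    memset(ram + TX_START, 0, TX_END - TX_START);   /* wipe after use */
    return 1;
}
```

With a single inverted query, the unprotected routine sends the key bytes that follow the buffer, whereas the hardened routine stops at the mismatch and releases nothing beyond the boundary.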