This paper proposes a multiple-fault injection attack based on adaptive control of fault injection timing in embedded microcontrollers. The proposed method can be conducted under the black-box condition that the detailed cryptographic software running on the target device is not known to attackers. In addition, the proposed method is non-invasive, without the depackaging required in previous works, since such adaptive fault injection is performed by precisely generating a clock glitch. We first describe the proposed method which injects two kinds of faults to obtain a faulty output available for differential fault analysis while avoiding a conditional branch in a typical recalculation-based countermeasure. We then show that the faulty output can be obtained by the proposed method without using information from the detailed instruction sequence. In particular, the validity of the proposed method is demonstrated through experiments on Advanced Encryption Standard (AES) software with a recalculation-based countermeasure on 8-bit and 32-bit microcontrollers. We also present a countermeasure resistant to the proposed method.
Sho ENDO, Tohoku University
Naofumi HOMMA, Tohoku University
Yu-ichi HAYASHI, Tohoku University
Junko TAKAHASHI, NTT Corporation
Hitoshi FUJI, NTT Corporation
Takafumi AOKI, Tohoku University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Sho ENDO, Naofumi HOMMA, Yu-ichi HAYASHI, Junko TAKAHASHI, Hitoshi FUJI, Takafumi AOKI, "An Adaptive Multiple-Fault Injection Attack on Microcontrollers and a Countermeasure," in IEICE TRANSACTIONS on Fundamentals, vol. E98-A, no. 1, pp. 171-181, January 2015, doi: 10.1587/transfun.E98.A.171.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.E98.A.171/_p
@ARTICLE{e98-a_1_171,
author={Sho ENDO and Naofumi HOMMA and Yu-ichi HAYASHI and Junko TAKAHASHI and Hitoshi FUJI and Takafumi AOKI},
journal={IEICE TRANSACTIONS on Fundamentals},
title={An Adaptive Multiple-Fault Injection Attack on Microcontrollers and a Countermeasure},
year={2015},
volume={E98-A},
number={1},
pages={171-181},
keywords={},
doi={10.1587/transfun.E98.A.171},
ISSN={1745-1337},
month={January},}
TY - JOUR
TI - An Adaptive Multiple-Fault Injection Attack on Microcontrollers and a Countermeasure
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 171
EP - 181
AU - Sho ENDO
AU - Naofumi HOMMA
AU - Yu-ichi HAYASHI
AU - Junko TAKAHASHI
AU - Hitoshi FUJI
AU - Takafumi AOKI
PY - 2015
DO - 10.1587/transfun.E98.A.171
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E98-A
IS - 1
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - January 2015
ER -