Smart card side-channel attack analysis and security countermeasures

    Abstract: Side-channel attacks are a method of attacking smart cards that has become popular in recent years. Unlike earlier methods, they either observe changes in physical quantities of the circuit in order to analyse it, or disturb those quantities in order to manipulate the smart card's behaviour, and the harm they cause is enormous. This article compares the benefit-to-cost ratio of several major smart card attack methods, analyses the principles and concrete steps of differential power analysis and power glitching attacks, and proposes corresponding security countermeasures at the software, hardware and application levels.

    Keywords: smart card; side-channel attack; security countermeasures

      With smart cards in widespread use today, the security of smart card application systems is becoming increasingly important. Smart cards are usually considered highly secure [1], but with the emergence and development of certain specialised attack techniques, smart cards also show security weaknesses, which reduce the security of the entire application system. Analysing the attacks that smart cards face and studying the corresponding defensive measures is of great significance for guaranteeing the security of the whole smart card application system. Below, the main current smart card attack techniques, in particular side-channel attacks, are analysed, and corresponding targeted security design strategies are proposed.

    1 Smart card overview

      A smart card is a card made by embedding an integrated circuit chip with memory, encryption and data-processing capabilities into a plastic substrate. The smart card hardware consists mainly of two parts, a microprocessor and memory; its logical structure is shown in Figure 1.

                    Figure 1 Smart card hardware architecture

      The microprocessor inside the smart card is typically an 8-bit CPU (microprocessors with wider words are also beginning to be used). The main function of the microprocessor is to receive the commands transmitted by the external device, analyse them, and control access to the memory as required. During an access, the microprocessor supplies the memory with the address of the data unit to be accessed and the necessary parameters; the memory returns the data corresponding to that address to the microprocessor, which finally processes those data. In addition, the various operations the smart card performs (for example encryption) are also carried out by the microprocessor; what controls and implements the above process is the smart card operating system, COS. The memory in the card consists of non-erasable ROM, random-access memory RAM, and electrically erasable programmable memory EEPROM. The operating system code is fixed in ROM, whose capacity depends on the microprocessor used; RAM stores working data, and its capacity usually does not exceed 1 KB; EEPROM stores the smart card's various information, such as encrypted data and application files, with a capacity usually between 2 KB and 32 KB (this part of the memory resources is available for user development).

    2 Security threats to smart cards

      Attacks on smart cards can be divided into three fundamental types:

       ① Logical attacks: inserting eavesdropping procedures into the software implementation. The smart card and its COS may contain many kinds of latent logical flaws, such as hidden commands, bad parameters, buffer overflows, file access, malicious processes, communication protocols, cryptographic protocols and so on. A logical attacker uses these flaws to trick the card into revealing confidential data or into permitting unintended modification of data.

       ② Physical attacks: analysing or altering the smart card hardware. The methods and tools used to carry out physical attacks include chemical solvents, etching and staining materials, microscopes, submicron probe stations, and focused ion beams (FIB).

       ③ Side-channel attacks: analysing and altering the smart card's behaviour by means of physical quantities. By observing the pattern of change of certain physical quantities in the circuit, such as power consumption, electromagnetic radiation and timing, the attacker analyses the smart card's encrypted data; or, by disturbing certain physical quantities in the circuit, such as voltage, electromagnetic radiation, temperature, light, X-rays and clock frequency, the attacker manipulates the smart card's behaviour.

      The effectiveness of a smart card attack method is judged by whether the benefit the attacker obtains exceeds what the attack consumes in time, effort, money and so on. Table 1 contrasts the situation for the three attack types above.

                      Table 1 Contrast of smart card attack situations

      As seen in Table 1, physical attacks cost too much, are time-consuming and difficult, and are rarely used; logical attacks require little investment and are easy to implement, but they are also easy to guard against, so their success rate is low. The emerging side-channel attack techniques, by contrast, have been widely used in recent years because of their high benefit-to-cost ratio. Although the smart card field has gained more and more understanding of solutions to side-channel attacks, many smart cards still have no immunity whatsoever to this kind of attack. At present, the most widespread side-channel analysis and side-channel manipulation techniques are differential power analysis (DPA) and power glitching. Below, the methods of these two side-channel attacks are analysed in detail, and the corresponding security strategies are given.

    3 Differential power analysis

    3.1 DPA attack analysis

      A DPA (differential power analysis) attack learns the behaviour of an electronic device by examining its power consumption with an oscilloscope. Figure 2 is the power trace of a smart card performing DES encryption.

                    Figure 2 Power trace of a DES operation

       As seen in Figure 2, the power consumption is not uniform and shows a certain pattern. It is well known that encrypting a block of input data with the DES algorithm requires 16 rounds, so the 16 repeated patterns corresponding to those rounds can be distinguished in the power trace. The attacker only needs to know the algorithm's plaintext (input) or ciphertext (output) together with a fairly large number of power traces, and can recover the encryption key through analysis. The foundation of a DPA attack is the assumption that some relation exists between the data being processed and the power consumed; in other words, it is assumed that processing a 0 bit consumes less energy than processing a 1 bit (or vice versa), so that two power traces of the same algorithm executed on two different inputs show small differences caused by the data. The difference between the two traces is computed clock cycle by clock cycle to obtain a differential trace; the points where peaks appear in the differential trace are exactly the clock cycles in which the input data differ. By examining all inputs of the encryption algorithm in this way and producing a differential trace for each pair of 0 and 1, one can identify the exact moment at which they appear in the program code, and thus obtain the encryption key.

      DPA makes it possible to study the internal processing of an encryption algorithm, and this risk places higher security requirements on the smart card. The encryption algorithm must use a full key of sufficient length to ensure that searching for the key is infeasible because it would take too long. A complete algorithm is usually decomposed into many small steps during encryption so that the processor can implement it. These small steps often do not use the entire key but only a part of it. DPA can obtain the outputs of these small steps and search for these short key values; therefore, theoretically speaking, every encryption algorithm can be broken by DPA. Although the development of this attack method is very complex, its application is actually very simple and requires only a very small investment: the necessary equipment is limited to one PC and a medium-precision oscilloscope. Solving the DPA problem has therefore become one of the questions smart card manufacturers most urgently need to face.

    3.2 Security strategies against DPA attacks

      Security strategies against DPA attacks basically divide into three levels: the hardware, software and application levels.

    (1) Hardware-level countermeasures

      ① Use balanced circuits to reduce signal energy, and add metal shielding to suppress electromagnetic emission.

      ② Run parallel random processing to raise the peak-to-peak noise level. For example, the internal programming-voltage generation circuit can serve as a parallel noise generator.

      ③ Introduce timing noise with random processing interruptions and varying clock rates. The basis for computer processing of differential traces is that the traces can be aligned: before traces are combined, the processor's execution steps should be synchronised. Timing noise prevents, or at least hinders, good alignment of the traces.

      The advantage of hardware countermeasures is that they require relatively few changes to the software with respect to the smart card's sensitivity to side-channel attacks; their weakness is that they can only reduce that sensitivity, not eliminate it completely. In fact, hardware measures only reduce the signal towards the noise level, which makes the attack more difficult.

    (2) Software-level countermeasures

      ① Use a random processing order to reduce correlated signals. For example, parallel substitutions in the algorithm (such as the S-boxes in DES) can be completed in random order; rearranging the sequence of substitutions splits up the substitution signal.

      ② Use random time delays and variations of the execution path to increase timing noise. Timing noise hinders the alignment of traces and reduces the quality of the differential trace.

      ③ Eliminate the timing dependency between the key value and intermediate values. When the processing flow depends on the key value, simple power analysis can be carried out directly by visual inspection of the trace; processing the key in a constant flow prevents this kind of timing-based attack.

      ④ Hide intermediate values with random values. Power leakage depends on the value of the data. If random data are added to the actual data and subtracted again after processing, the transmission path will not reveal useful information. However, this kind of hiding misaligns the transfer functions and produces wrong results. These functions therefore need careful redesign to compensate for the deviation caused by the random data.

       In theory, software countermeasures solve the DPA attack problem perfectly. However, this method must be custom-made for a specific algorithm, and its design is quite difficult, therefore very expensive, and hard to maintain.
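Added example (not from the original article): the masking countermeasure of item ④ applied to a DES S-box, as a leakage self-assessment a card developer could run. It shows the "misaligned transfer function" problem (naively masking a nonlinear S-box gives wrong output), the redesigned masked table that fixes it, and, under an assumed Hamming-weight leakage model with constructed random inputs, that the handled value's leak no longer correlates with the key-dependent intermediate. The leakage model, noise level and seed are assumptions.

```python
import random

# Standard DES S-box S1 (64 entries as 4 rows x 16 columns), used here as the
# nonlinear substitution step the page names as the masking problem case.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(x):
    """6-bit S1 lookup: outer two bits select the row, inner four the column."""
    return DES_S1[((x >> 5) & 1) << 1 | (x & 1)][(x >> 1) & 0xF]

def naive_mask_is_wrong(x, m):
    """XOR-masking a nonlinear S-box without redesigning it gives wrong output:
    this is the 'misaligned transfer function' the article warns about."""
    return (sbox(x ^ m) ^ m) != sbox(x)

def masked_sbox_table(m_in, m_out):
    """Redesigned table T with T[x ^ m_in] == sbox(x) ^ m_out for every x, so
    the card only ever handles masked values and still computes S1 correctly."""
    return [sbox(y ^ m_in) ^ m_out for y in range(64)]

def hw(v):
    return bin(v).count("1")

def correlation(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def leakage_correlation(key, masked, n=2000, seed=1):
    """Leakage assessment under an assumed Hamming-weight model: simulate n
    S-box evaluations on random plaintexts, leak HW(value actually handled)
    plus noise, and return its correlation with the unmasked key-dependent
    value p ^ key. Near 0 means the first-order data dependence is hidden."""
    rng = random.Random(seed)                 # fixed seed: reproducible result
    predicted, observed = [], []
    for _ in range(n):
        p = rng.randrange(64)
        if masked:
            m_in, m_out = rng.randrange(64), rng.randrange(16)
            table = masked_sbox_table(m_in, m_out)   # fresh masks per run
            x = p ^ key ^ m_in                       # value the card handles
            assert table[x] ^ m_out == sbox(p ^ key)  # result still correct
        else:
            x = p ^ key
        observed.append(hw(x) + rng.gauss(0, 1.0))
        predicted.append(hw(p ^ key))
    return correlation(predicted, observed)
```

With the noise level assumed here the unmasked variant correlates at roughly 0.77 and the masked one at roughly 0, which is the difference a leakage test on a real implementation is looking for.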

    (3) Application-level countermeasures

       ① Set a retry counter to limit the number of attempts an attacker can make. Locking the card after three consecutive PIN verification failures is an effective way to guard against differential power analysis.

       ② Limit the control over, and the visibility of, the encryption algorithm's inputs and outputs. If only part of the input can be chosen, or only part of the algorithm's result is returned, the attacker cannot complete a differential power analysis.

      The above are the essential methods for guarding against DPA attacks; their drawbacks are a negative impact on reliability and the need to change existing protocols.

    4 Power glitching

    4.1 Power glitching attack analysis

      A microprocessor requires a stable voltage to operate; a sudden interruption of the power supply may abort program execution or reset the circuit. However, a short and well-crafted pulse can cause program errors while the microprocessor continues to execute the program. For example, when the CPU reads the content of a memory cell, a transistor compares the cell's value against a threshold to determine whether what is read is logic "0" or "1". A sudden power glitch affects both the stored value and the logical value; different internal capacitances cause memory values to be affected differently, which may distort the real value. As shown in Figure 3, under normal operating conditions the low level corresponding to logic "0" may be below the threshold level; under the voltage of the glitch, however, it may be pushed above the threshold level.

                    Figure 3 Power glitch during a memory read

      Many encryption algorithms are susceptible to this kind of fault injection. Using differential fault analysis (DFA) techniques, the correct and the faulty ciphertexts are compared, and the hidden key can thereby be separated out. Some algorithms can only be attacked if a precise intermediate value is hit, while others are not so demanding and can be attacked at any position in the processing. DFA usually requires the possibility of encrypting the same plaintext twice, producing one correct and one wrong ciphertext.

      The second kind of application of fault injection occurs at the moment of a key decision in a security process. If an application carries out a security check such as PIN verification, the attack is most effective at the moment the component decides whether to continue or to abort processing. The attacker may succeed in deceiving the processor into turning a failed PIN verification into a success. A more drastic method is to cut the power supply completely just as the processor is about to write the verification failure to memory, thereby avoiding overflow of the PIN failure counter.

      The third kind of application of glitching targets the communication. Communication protocols are designed to read a number of bytes from the smart card memory and transmit them to the terminal. If fault injection successfully attacks the transmission-length counter, the entire memory content may be output over the serial interface.
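Added example (not from the original article) of the software measures that answer the attacks above: a PIN check that charges and commits the retry counter before comparing, so that cutting power at the "verification failed" write still costs an attempt, and a result check that recovers the input by the inverse operation before releasing any ciphertext, so that a fault-corrupted result is withheld rather than handed to DFA. The EEPROM class, the power-cut hook and the toy RSA key (the textbook n = 3233) are constructed assumptions.

```python
import hmac

class PowerCut(Exception):
    """Models the attacker-controlled supply interruption described in 4.1."""

class FaultDetected(Exception):
    """Raised when a computation does not survive its own consistency check."""

class Eeprom:
    """Constructed stand-in for the card's persistent memory (EEPROM)."""
    def __init__(self, retries=3):
        self.cells = {"retry": retries}
    def read(self, key):
        return self.cells[key]
    def write(self, key, value):
        self.cells[key] = value

def verify_pin(mem, stored_pin, candidate, cut_power_after_compare=False):
    """PIN check ordered so that the retry counter is charged and committed
    BEFORE the comparison. A power cut timed at the 'verification failed'
    write (the trick in 4.1) then still costs the attacker one attempt."""
    if mem.read("retry") == 0:
        return False                              # locked after 3 failures
    mem.write("retry", mem.read("retry") - 1)     # pay for the attempt first
    ok = hmac.compare_digest(stored_pin, candidate)  # no timing signal
    if cut_power_after_compare:
        raise PowerCut()                          # test hook: card loses power here
    if ok:
        mem.write("retry", 3)                     # refund only on success
    return ok

def attempts_left_after_cut(stored_pin, candidate):
    """Run one attempt that is interrupted by a power cut and report what the
    persistent counter holds afterwards."""
    mem = Eeprom()
    try:
        verify_pin(mem, stored_pin, candidate, cut_power_after_compare=True)
    except PowerCut:
        pass
    return mem.read("retry")

# Toy RSA key (the textbook n = 3233 example) standing in for the card's real
# key material; only the checking pattern matters, not the cipher strength.
N, E, D = 3233, 17, 2753

def checked_encrypt(m, inject_fault=0):
    """Encrypt, then undo the result with the inverse (private) operation and
    compare with the input, as 4.2 recommends over computing twice. The
    inject_fault bits model a glitch-corrupted result; it must never be
    returned, because a faulty ciphertext is exactly what DFA (4.1) needs."""
    c = pow(m, E, N) ^ inject_fault
    if pow(c, D, N) != m:
        raise FaultDetected("result did not invert to the input; output withheld")
    return c
```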

    4.2 Security strategies against power glitching

      Power glitching and the other side-channel manipulation techniques attempt to change the smart card's environment. The usual strategy for guarding against this kind of attack is strict monitoring of voltage, frequency and temperature. However, using precise sensors also affects reliability and causes potential failures in certain terminals. Moreover, sensors cannot detect every induced signal: a circuit cannot be completely immune to signals injected by induction or to carefully tuned power glitches. More importantly, software or application-level measures must be used to detect and recover from fault injection.

      As for software measures, fault monitoring can be realised by checking the flow of key procedures and the results of encryption operations. Computing an operation twice and comparing the results is one effective way of checking a result, but it cannot detect two identical injected faults; the best method is therefore to recover the input from the result by the inverse operation and compare it with the original input. The inverse operation is usually different, and is harder to manipulate.

    5 Conclusion

      A smart card application system is a very complex security environment. This article provides a line of thought for analysing the security attacks this system faces and a basis for secure system design. The next step is to quantify each security design strategy and to find a method for seeking the best balance between reducing the security threat and increasing the security cost.


    Sunday, September 7th, 2008 at 01:08