Why is Scan a Bad Design For Test Methodology?
Scan Based Attack on Dedicated Hardware Implementation of Data Encryption Standard

Scan DFT is extremely popular
• Scan DFT is extensively deployed
• 82% of all ICs use Scan DFT for testing
• Scan DFT is widely supported
• FastScan and TestKompress: Mentor Graphics
• DFT Compiler and TetraMAX ATPG: Synopsys
• Encounter Test: Cadence

Objective
• Show how secrets on a crypto chip can be compromised
• Demonstrate that scan is a terrible design-for-test methodology

Data Encryption Standard
• DES is a symmetric encryption algorithm
• encryption key = decryption key
• Decryption = Encryption⁻¹
• ENCRYPT (plaintext, bit key) = ciphertext
• DECRYPT (ciphertext, bit key) = plaintext
• 64-bit plaintext, 64-bit ciphertext, 56-bit secret key

DES Encryption
[Figure: Plaintext (64 bits) → Initial Permutation → L (32 bits) and R (32 bits) → Round Function with 48-bit Round Key → Inverse Permutation → Ciphertext (64 bits)]
• 16 identical rounds
• one 48-bit round key per round
• 16 48-bit round keys are generated from 56-bit secret

One DES Round
[Figure: Ri (32 bits, signal r) → Expansion → a (48 bits) → XOR with Round Key Ki (48 bits) → b (48 bits) → S-box 1 … S-box 8 (6 bits in, 4 bits out each) → c (32 bits) → Permutation → d (32 bits) → XOR with Li → Ri+1, Li+1]

DES Hardware Architecture
• Cipher Block Chaining mode, iterative architecture
• Input, L, R, Output Regs (32+32+64+64 FFs)

Mounting a scan attack
• Calculate X from W
• Calculate Y from Z
• Solve Key mixing

Two-step scan attack
• Step 1: Determine L and R registers in the scan chain
• Step 2: Discover round key 1 from L0, R0, L1 and R1

Scan Attack step 1
Flip-flops of input register
• Apply Plaintext 1: 000000…000000, run in normal mode for 1 clock cycle, scan out bitstream 1: 01101…10011010
• Apply Plaintext 2: 100000…000000, run in normal mode for 1 clock cycle, scan out bitstream 2: 01101…10001010
• Input, L, R and output registers can be determined
• 199+199 cycles to locate 1 FF
• 192×199+199 cycles to locate all FFs
[Figure: IC with clock, reset and TDO pins]

How can we get Ki?
[Figure: Ri (32 bits, signal r) → Expansion → a (48 bits) → XOR with Round Key Ki (48 bits) → b (48 bits) → S-box 1 … S-box 8 (6 bits in, 4 bits out each) → c (32 bits) → Permutation → d (32 bits)]
• Round Key Ki = a xor b
• Expansion is a bijection: r → a is easy
• Permutation is a bijection: d → c is easy
• s-box is not a bijection: c → b is not easy

Scan attack step 2
• s-box is not a bijection: c → b is not easy
• Every value appears 4 times in an s-box
• Every value appears only once in each row
• No s-box column has two or more identical values

Scan attack step 2
[Figure: a (48 bits) XOR Round Key Ki (48 bits) gives b; b feeds S-box 1 … S-box 8 (6 bits in, 4 bits out each), producing c (32 bits)]
• 3 chosen plaintexts are enough to get a round key
• apply a1 = (000000000000)_16 and observe c1
• apply a2 = (208208208208)_16 and observe c2
• apply a3 = (4A1C05451151)_16 and observe c3
• Derive round key K1
• Several such 3-tuples exist!!!

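The ambiguity argument of the two "Scan attack step 2" slides above, as an added illustration that is not part of the original slides: a software model of DES S-box 1 alone, counting how many 6-bit round-key chunks remain consistent with the S-box outputs that a scan-visible round register exposes. The function names, the MSB-first bit ordering and the 6-bit inputs (found by search here, not taken from the slides' 48-bit constants) are assumptions of this example.

```python
from itertools import combinations

# DES S-box 1 (standard table): 4 rows x 16 columns of 4-bit outputs.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(b):
    """6-bit b -> 4-bit c: the outer two bits pick the row, the middle four the column."""
    row = ((b >> 4) & 2) | (b & 1)
    return S1[row][(b >> 1) & 0xF]

def candidates(observations):
    """Key chunks k consistent with every observed (a, c) pair, where c = sbox(a ^ k)."""
    return [k for k in range(64) if all(sbox(a ^ k) == c for a, c in observations)]

def worst_case_ambiguity(inputs):
    """Largest candidate set over all 64 possible key chunks for these known inputs."""
    return max(len(candidates([(a, sbox(a ^ k)) for a in inputs])) for k in range(64))

def find_distinguishing_inputs():
    """Search for inputs (0, a2, a3) that leave exactly one candidate for every key chunk."""
    for a2, a3 in combinations(range(1, 64), 2):
        if worst_case_ambiguity((0, a2, a3)) == 1:
            return (0, a2, a3)
    return None

if __name__ == "__main__":
    # One observation leaves one candidate per S-box row; more observations intersect them away.
    print("one known input   :", worst_case_ambiguity((0,)), "candidates per key chunk")
    triple = find_distinguishing_inputs()
    print("three known inputs:", triple, "->", worst_case_ambiguity(triple), "candidate")
```
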
Scan attack step 2
[Figure: Ri (32 bits, signal r) → Expansion → a (48 bits) → XOR with Round Key Ki (48 bits) → b (48 bits) → S-box 1 … S-box 8 (6 bits in, 4 bits out each) → c (32 bits) → Permutation → d (32 bits) → XOR with Li → Ri+1, Li+1]
• Apply three plaintexts
• Apply PT1 = (0000000000000000)_16
• Scan-out CT1 from round register
• Apply PT2 = (0000550000005500)_16
• Scan-out CT2 from round register
• Apply PT3 = (5500400110000401)_16
• Scan-out CT3 from round register
• Derive round key K1

Discover round key
• Discover round key K1: 399×3 = 1197 clock cycles
• 2 clock cycles in normal mode for plaintext to reach R0, L0
• 198 clock cycles in scan mode to scan out R0, L0
• 1 clock cycle in normal mode for plaintext to reach R1, L1
• 198 clock cycles in scan mode to scan out R1, L1

Discover user secret
• Discover user secret as follows:
• 48-out-of-56 secret bits from round key K1
• 7-out-of-remaining 8 secret bits from round key K2
• Secret bits 17, 20, 23, 40, 41, 49, 50
• Secret bit 46 from round key K3
• 1197×2 clock cycles to discover round keys K2 and K3

Summary of the attack
• Determine the positions of flip flops in the round register in the scan chain
• Scan round 1 and round 2 results
• Discover round keys K1, K2 and K3
• Discover user secret from round keys

Concluding remarks
• Do not use Scan DFT in crypto chips!
• FIPS 140-1: “A cryptographic module shall employ physical security mechanisms in order to restrict unauthorized physical access to the contents of the module and to deter unauthorized use or modification of the module ...” (In 1994 at the peak of Scan DFT research)
• Translation: “Do not use scan DFT”
• Why should you?

Beware of Scan DFT
• Crypto chips are an excellent case study to show how bad scan DFT is.
• Your IC may be used in secure applications in the future. Beware of the security issues when you design ICs.

Scan Attack: Assumptions
• The attacker can access scan chains
• Round key registers are not in the scan chain
• The attacker knows the algorithm
• The attacker need not have access to high level timing diagrams
• Avalanche effect (when does encryption begin and how long does it take?)
• Modes of operation (CBC)