150 likes | 593 Views
Optical side-channel attack on PIC16F84A. Martin Hlav áč Charles University in Prague. CNES internship summary (part of USE IT project) ECRYPT Ph. D. Summer School, Samos, Greece, May 4, 2007. Gold Card = PIC16F84 + 24LC16B. PIC16F84 1024 x 14 bit program 68B Static RAM
E N D
Optical side-channel attack on PIC16F84A Martin Hlaváč Charles University in Prague CNES internship summary (part of USE IT project) ECRYPT Ph. D. Summer School, Samos, Greece, May 4, 2007
Gold Card = PIC16F84 + 24LC16B • PIC16F84 1024 x 14 bit program 68B Static RAM 5V @ 4MHz (ISO7816) • 24LC16B 2048Byte EEPROM 18 10 8 5 PIC16F84 24LC16B 1 4 1 9 C5 C1 C6 C2 C7 C3 C8 C4
Gold Card uncovered (Front Side) SRAM Problem: Too much metal on SRAM. Solution: Back Side
PIC16F84A back side SRAM back side (20x) PIC16F84A uncovered (Back Side) Problem: Silicon layer too thick (~300 µm). Solution: Slim it down to ~70 µm.
16 bytes AES state 16 bytes Measurement goal We can do bit flips!!! Monitor changes of bytes in State block during AES How? Dynamic light emission detection (PICA) Theory: byte flips => light is emitted byte stays => just noise bit bit
Static vs. dynamic observation vs. All photons observed at one image Frames 166 ns = 1 clock cycle
movlw 0xff (frames 0..3) xorwf block+0x0,f (frames 4..7) movlw 0xaa (frames 8..11) xorwf block+0x0,f (frames 12..15) movlw 0x55 (frames 16..19) xorwf block+0x0,f (frames 20..23) movlw 0x00 (frames 20..23) xorwf block+0x0,f (frames 24..27) Individual frames 3rd clock
“xor 0xFF” “xor 0xAA” “xor 0x55” “xor 0x00” 3rd clocks reveal the key
No cryptanalysis needed • AES key is fully revealed during AddRoundKey operation • Even if only byte flips can be detected, the key can be recovered with 28 measurements
Conclusions Dynamic light emission • is a very strong side channel (once synchronized) • applicable on other ciphers/schemes and devices
The end Thank you for your attention! hlavm1am@artax.karlin.mff.cuni.cz USE IT: http://useit.cuni.cz/