Design and Implementation of Anti-DPA Attack for Smart Card
0 Preface
With the rapid development of personal computers, the evolution of the Internet and the impact of e-commerce, the market has a strong demand for security and personal privacy protection. Smart cards are lightweight and secure, playing an important role in applications such as secure payments over the network, security controls for network connections, and electronic signatures. In China, many information security application systems use smart cards to memorize the secret information needed for system operation, and use the computing power of smart cards to improve system security. Smart cards are gradually replacing magnetic cards and are widely used in finance and other related industries.
With the continuous development of attack methods for smart cards, especially with the recent emergence of many new types of attack smart card technologies, the security of smart cards faces enormous challenges. These attack techniques can easily attack smart cards with information obtained at low cost devices, such as power consumption, execution time, output and input behavior at the time of failure, radiation, power spikes, and the like. Among them, Differential Power Analysis (DPA) is a very effective energy attack method. It mainly uses statistical methods to extract key-related information. The implementation process is more complicated, but the smart card professional for attackers. The technical level requirements are not very high, and DPA's successful attacks on embedded encryption algorithms in smart cards have been widely reported.
A smart card is a public platform architecture that downloads applications after card issuance. Therefore, in order to prevent fake cards and protect cardholders, smart cards must have high security and high reliability. VISA International stipulates that smart cards must meet the highest security technology requirements. Not only do the embedded memory and the data transmitted on the bus require encryption, but the smart card must provide at least one countermeasure against simple power analysis (Simple Power Analysis, SPA). ) with DPA attacks.
1 smart card chip architecture
The smart card chip architecture is shown in Figure 1. It consists mainly of the following modules:
.jpg)
(1) Embedded microprocessor: The hardware can be controlled to execute related instructions to complete the encryption and decryption operations. It typically has a built-in memory encryption and decryption unit through which the bank data can be accessed; and the application memory is controlled by a hardware firewall.
(2) Built-in memory: The memory of the smart card is divided into three areas: SRAM, E2PROM and ROM. The ROM stores the program and data of the smart card operating system and execution environment. The E2PROM stores the user-customized code for different users and different applications. Provides flexible options; SRAM provides temporary space for performing system operations.
(3) Reset circuit: used to generate a system reset signal, which inputs an external reset signal from the RESET pin input.
(4) Random number generator: Random numbers play an important role in the security of smart cards. Key generation, digital signature, authentication and authentication, and various secure communication protocols are inseparable from high-quality random numbers. This module mainly produces unpredictable high quality encryption data.
(5) ISO7816 interface controller: an important interface for data exchange between smart card and card reader, mainly hardware support T=0 and T=1 protocols established by ISO7816, T=0 is responsible for transmitting characters (Charac-ter) ; T=1 is responsible for transferring the block (Block).
(6) Interrupt controller: used to receive the interrupt request of the timing unit, the encryption engine, and the interface controller, and transmit an "interrupt" signal to the microprocessor to notify the peripheral module of the microprocessor that the specified work has been completed or something has happened.
(7) Built-in timing unit: It is mainly used as a watchdog timer to monitor the operation of the system and monitor whether the internal application is executed correctly. If the program is found to be running incorrectly, an interrupt signal will be given to the interrupt controller to put the smart card into a pause state, and it will wait until the reset signal appears to resume normal operation.
(8) Power controller: The built-in voltage sensor and control circuit provide a stable and safe power supply for other modules.
(9) Power management module: The smart card has high requirements on power consumption. This module is a power-saving device designed to save power. It has two working modes: stop and save power. Among them, the power outage mode supports the frequency stop mode of ISO7816-3 to reduce the power consumption of the whole system; the power saving mode plans the working order and state of each module according to the working characteristics of different modules of the system, so that the working time is mutually exclusive. When part of the work, the other part works in a sleep state, thereby achieving the purpose of reducing the overall power consumption of the system.
(10) Frequency generation circuit: As a complex SoC chip, the smart card has different system operating frequency and encryption operation frequency. For this reason, the general smart card has a PLL frequency generation circuit inside. The frequency is derived from the external frequency input to the CLK pin, producing the frequency required for use by the microprocessor and the various cryptographic coprocessors in the crypto engine.
(11) Encryption engine: The encryption engine of the smart card embeds a coprocessor core that can implement multiple encryption algorithms, so that it can support general encryption algorithms including: RSA, DES, AES. The module mainly includes:
Encryption arbitration manages different coprocessor operations through relevant control commands according to different encryption operation requirements under different uses of the system. The DES coprocessor supports the Data En-Encryption Standard (DES). Based on the 56 b key-based cipher block encryption technology, DES encrypts the 64 b data block using the 56 b key and performs 16 rounds of encoding on the 64 b data block. The result is 64 b ciphertext.
The AES coprocessor supports the Ad-Vanced Encryption Standard (AES). An iterative block cipher is used. For encryption, the input is a plaintext packet and a key. The output is a ciphertext packet; the packet length and password length are variable and can be independently specified as 128 b, 192 b or 256 b.
The RSA coprocessor supports a public key encryption and decryption system. RSA is mainly an exponential operation. It is a public key system based on factorization of large prime numbers. In short, it is two large prime numbers, one as a public key and the other as a private key. If one of them is encrypted, the other is used. A decryption. The key length is variable from 40 to 2048 b. The longer the key, the better the encryption effect, but the greater the encryption and decryption overhead.
The ASIC design of the smart card, the main modules such as the encryption and decryption coprocessor and embedded microprocessor involved in the encryption engine are all provided by the relevant IP cores in the market. These IP designs are all implemented with anti-DPA attacks using related algorithms. , with good security. However, the above IP integration and other modules must be designed to take anti-DPA attacks to ensure the high security of the smart card.
2 DPA attack principle
The execution sequence of instructions and related data processing operations on an encryption chip without any anti-DPA attacks can affect power consumption. Although this effect is consumed by noise, statistical methods can still be seen. The DPA attack technology is based on the power consumption graph, and then statistically deducts the attack technology of the master key. The principle is that the smart card consumes energy and generates electromagnetic radiation during the encryption process, by using special electronic measuring instruments and mathematical statistics techniques. These changes can be detected and analyzed to get specific key information in the chip. The energy consumed by a smart card to execute an instruction is related to the operand of the instruction. The average power consumption P consumed by the execution of an instruction I is as follows:
.jpg)
Where: PI represents the average energy consumed during the execution of instruction I; op1, op2, ..., opn represents the operand of I; PI(0) and PI(1) represent the consumption of instruction I when op1 takes 0 and 1, respectively. Average power consumption. It can be seen that PI is related to op1 (ΔPI≠0).
In addition, considering that the smart card uses a CMOS process, its power consumption is mainly dynamic power Pd, and the Pd size is as shown in the following formula:
.jpg){kind=small}
Where: f is the operating frequency; CL is the lumped load capacitance of the output node; VDD is the supply voltage; α is the circuit switching activity factor (circuit inversion rate). It can be seen that the power consumption of the CMOS logic gate is closely related to α, so the 0 and 1 states of the data in the circuit must have a certain correlation with the power signal of the circuit.
In summary, there is a correlation between the encryption key and the power consumption of the circuit. The DPA attack is from this correlation, and finally the key is cracked. The following takes the AES algorithm as an example to introduce the DPA attack process:
(1) randomly generating a large amount of plaintext;
(2) Encrypt these plaintexts and record the energy consumption curves during the encryption operation to obtain an average of these curves;
(3) pay attention to the output of the first round S2 box, set the first bit of the output to b, guess the first byte of the first wheel key, and use the same plaintext to calculate the output of the S2 box;
(4) According to the value of b, the energy consumption curve is divided into two categories according to b=0 and b=1;
(5) Calculate the average energy consumption curves of the two types, and subtract the two to obtain the differential energy consumption curve;
(6) Observe the energy curves generated in steps (2) and (5). If the key guess is correct, then the grouping of step (4) is correct, and the differential energy consumption curve generated in step (5) will be significantly different from the average energy consumption curve generated in step (2), in the differential energy consumption curve. A peak will appear. Therefore, the attacker judges whether the key guess is correct by observing the peak value;
(7) Repeat steps (3) to (6) to obtain sub-keys of other rounds. DPA attacks are easy to implement, and a programmer who does not understand smart card technology can use a dedicated program to attack smart cards without DPA protection. High-security smart cards must take appropriate precautions to achieve anti-DPA attacks.
3 Anti-DPA attack design
At present, the VLSI design of the arithmetic logic unit of various cryptosystems has been extensively studied. How to implement anti-DPA attacks in other aspects is a problem worthy of further study. The circuit implementation of the smart card anti-DPA attack is introduced from the random number generator, combination and timing logic anti-DPA design.
3.1 Random number generator design
For DPA attacks on smart cards, it is mainly to use the power consumed by the execution or data access of a particular instruction when the embedded microprocessor is operating on the card, and the useful information provided by the particular current spectrum on the supply voltage source. Therefore, additional current consumption can be caused by adding additional circuits to change the current spectrum to achieve an anti-DPA attack. At the same time, the extra current consumption circuit must generate random number current consumption by random number randomization method to achieve unpredictability of chip power consumption, so that it cannot be analyzed and counted.
To this end, a random number consuming circuit as shown in FIG. 2 can be designed in the random number generating circuit, and the circuit is composed of a comparator, a shift register, and a decoder; when the noise voltage generated by the resistor noise passes through the amplifier and the comparator, Generate a "1" or "0" digital signal, store it in the shift register, so that the value in the register is similar to the random number generated by the chaotic RNG. After the random number is encoded by the decoder, the tristate charge and discharge buffer is controlled. The number of charge and discharge, and finally achieve the purpose of controlling the current consumption by random number.
.jpg)
3.2 Combinational logic anti-DPA attack design
The main purpose of the anti-DPA attack is to keep the circuit characteristics the same while computing. It is important to keep the electrical characteristics the same. The number of flipped transistors is a constant in any operation step. To achieve this, an intermediate step can be added between the circuit operations to prevent useful information from leaking out of the power analysis. The simplest intermediate step setting is to set the system intermediate value after the input parameters and circuit operations are completed.
To this end, reference is made to the method of encoding two bits of information for each bit of information in the two-track coding mode of the asynchronous logic circuit. The combined values ​​"01" and "10" of the two-signal line are used to represent "true" and "false" of the digital logic, and the combined values ​​"00" and "01" are intermediate values. Under this coding mode, the basic logic unit circuit of the design is shown in Figure 3.
.jpg)
.jpg)
As shown in Figure 3(a), for the inputs A(A1A2) and B(B1B2), the outputs are only valid for O1O2 and R1R2. When the input A1A2B1B2 is 0000 or 1111, the values ​​of the outputs O1O2 and R1R2 are 11 or 00, thus implementing the encoding. The transfer of the intermediate state. When the input A1A2B1B2 is valid data 0101, 0110, 1001 and 1010, the values ​​of O1O2 and R1 are output to obtain the related logic functions of NAND, AND, NOR and OR; among them, the output O1O2→NAND, O2O1→AND, R1R2 →NoR, R2R1→OR. As for the implementation of NOT, as shown in the circuit of Figure 3(b). Therefore, the above basic logic circuit is sufficient to implement complex digital combination logic operation functions.
3.3 Sequential Logic Anti-DPA Attack Design
For differential power analysis, in addition to the defense scheme that uses increased circuit noise to reduce the signal-to-noise ratio of differential power analysis. By reducing the value of the differential power signal, the signal-to-noise ratio of the differential power analysis can also be reduced; if the power difference in the different states of the circuit tends to zero, the differential power analysis will fail. Therefore, based on the above ideas, a complementary structure register circuit as shown in FIG. 4 can be employed in the design of the sequential logic circuit.
Set the initial state of the register to be the same, the output load is the same, and the clock edge is assigned. As shown in Figure 4, regardless of whether the input is O or 1, the two complementary registers must be flipped and the other is not flipped, so the total power consumption does not differ in either case. .
In addition, for the two-line signal encoding method described above, in the design of the sequential logic circuit, the protocol of setting the register to the intermediate state of 00 or 11 before inputting any valid data 01 and 10 can be employed. In this way, no matter what operation is performed, the related registers in the sequential logic have only one register flip, which effectively prevents the information leakage of the register during data transmission.
4 Conclusion
A smart card is a high-security, high-reliability and complex system-on-a-chip with the ability to resist power analysis attacks, time analysis attacks, and failure analysis attacks. However, under the new smart card attack technology, its security is greatly challenged. DPA attack. In this paper, based on the characteristics of DPA attack smart card, the anti-DPA attack design is carried out on the hardware circuit of the smart card. With this design, combined with some anti-DPA attack measures on the software, a perfect smart card security architecture can be formed. Effectively protect smart cards from DPA attacks.
Color Copy Paper is developed and produced in the office copy machine stained paper. Products are divided into light, medium, dark three colors, a total of 27 colors, namely: ivory white, eggshell yellow, beige, light yellow, light yellow 1, light yellow 2, lemon yellow, golden yellow, orange, orange, light green, green, green, Parrot green, green -10, dark green, pink, red, red, red, coffee, light purple, purple, purple, purple, purple, purple, purple, purple, purple, purple, blue; The production machine is a 1760mm paper machine with a weight range of: 70 grams and 80 grams; Commonly used specifications: 846 * 1194 mm, 850 * 1194 mm. Color Copy Paper has been produced for nearly 10 years. The fiber tissue of the product is uniform, the paper is flat, the thickness, tensile strength and surface printing strength are high, the impermeable printing, the hair powder is not able to be dropped, the adhesive degree is high, and the total mass quantitative difference is low. Less dust. Color copy paper products are of stable quality, small color difference between the two sides, bright color, gained a good reputation in the industry, this kind of products are widely used in the copying of various materials and documents
Color Copy Paper
Color Copy Paper,Color Copy Office Paper,High-Grade Color Copy Paper,Full Wood Pulp Color Copy Paper
Mcc Meili Cloud Computing Industry Investment Co., Ltd. , https://www.mcc-offsetpaper.com