The demand for increased security of electronic transactions is growing rapidly due to the vast number of devices that are now adapted for communicating over data networks. Typically, a security module (e.g., a TPM, Trusted Platform Module) employing cryptographic schemes is embedded into such applications (e.g., PC computers) for managing secret data and for protecting users' privacy. However, the wide acceptance of these devices has made the security schemes they utilize more vulnerable to tampering and hacking attempts, which jeopardize the secret data and the authenticity of transactions.
The security of such modules is maintained as long as the secret cryptographic keys embedded into them remain unrevealed. Various techniques, such as side channel attacks (“New threat forces cryptography rethink”, by Iain Thomson, http://www.vnunet.com, Oct. 10, 2002), exploit different kinds of information (e.g., the time taken to perform an operation and how power consumption changes during that operation) in an attempt to reveal the secret keys used by the security module to carry out its security tasks. Many side channel attacks are based on studying characteristics of the security module and analyzing its functionality using statistical analysis techniques, which may reveal the secret key or portions thereof. However, these types of attacks, which do not involve tampering with the hardware device, are rather complex and do not guarantee successful results.
Another type of attack is fault-based cryptanalysis, which often involves a direct physical attack on the hardware that includes the security module. In general, in such attacks the adversary (i.e., the attacker) aims to induce random computational errors (or any fault which may alter the data accessed by the module) during the performance of security tasks, in order to obtain erroneous outputs. Typically, the errors are induced by altering the power supply voltage/current, the operating temperature, and/or the clock frequency of the security module, and/or by applying magnetic or electromagnetic radiation. This can be done for an extended period or as a ‘glitch’, i.e., for a short period of time at specific points of the device's operation.
For example, the cryptographic key used in RSA implementations based on the CRT (Chinese Remainder Theorem) can be exposed utilizing a single erroneous result (R. A. Boneh et al, “On the Importance of Checking Cryptographic Protocols for Faults”, Advances in Cryptology—Eurocrypt '97, LNCS 1233, Springer-Verlag, pp. 37-51, 1997), and thus CRT is rarely used nowadays due to this weakness. In fact, almost any secret key cryptosystem known so far is vulnerable to Differential Fault Analysis (DFA) attacks (“Differential Fault Analysis of Secret Key Cryptosystems”, Eli Biham and Adi Shamir, Lecture Notes in Computer Science, 1997).
Some of the common errors caused during fault-based cryptanalysis attacks are due to disruptions in the functionality of the device's synchronous (i.e., clock driven) modules, such as the CPU (Central Processing Unit). These disruptions are typically caused by violating the module's operating condition requirements. Synchronous modules comprise paths of electronic elements that start and end at Flip-Flops (including the input FF setup time, which is the time during which the input signal must be valid before the incoming clock edge, and the output FF valid time, which is a window of time during which the input must be valid and stable in order to assure valid data on the output). Each of these paths has a characteristic time delay (its timing-path). Typically, the timing-path with the maximal delay dictates the envelope of proper operating conditions (e.g., the combination of clock frequency, temperature and voltage) within which the device/module operates properly. It should be noted that in some cases a timing-path may be longer than one clock cycle, due to the logic behavior of the sampling device. By heating the device, and/or increasing the clock frequency, and/or lowering the voltage, and/or generating power or clock transients (“glitches”), the attacker may cause premature sampling of transient signals (signals that do not reflect the final propagation result at the end of the path). Generally, paths having longer delay times are more likely to fail under such attacks. As a result of such attacks, wrong instructions may be executed, with unpredictable results, e.g., effects such as ignoring data output limitations.

Another type of attack is a denial of service (DoS) attack, in which a user or organization is deprived of the services of a resource they would normally expect to have, due to the inability of a particular network service, such as e-mail, to be available, or the temporary loss of all network connectivity and services. During such an attack, programming and data files may be destroyed as well.
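The timing-path argument above (the longest register-to-register path sets the operating envelope, and over-clocking, under-voltage or heating makes the capture flip-flop latch a transient value) can be made concrete with a small static-timing model. The following is an added example, not text or code from the patent; the gate delays, the clock-to-Q and setup constants, and the voltage/temperature derating formula are all constructed assumptions chosen to illustrate the mechanism, not silicon data.

```python
# Added example (not from the patent text): a toy static-timing model of
# register-to-register paths, showing why the longest timing path sets the
# operating envelope and how over-clocking, under-voltage or heating
# causes a flip-flop to sample a transient (stale) value.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Corner:
    """Operating point of the module. Values are constructed, not measured."""
    voltage: float      # supply voltage in volts
    temp_c: float       # junction temperature in degrees Celsius
    clock_mhz: float    # applied clock frequency


# Constructed derating model: gate delay grows as voltage drops and as
# temperature rises. Real processes need characterized corner libraries.
NOMINAL_V = 1.2
NOMINAL_T = 25.0


def derate(corner: Corner) -> float:
    """Multiplier applied to nominal gate delays at this corner (assumed model)."""
    v_factor = (NOMINAL_V / corner.voltage) ** 1.5
    t_factor = 1.0 + 0.002 * (corner.temp_c - NOMINAL_T)
    return v_factor * t_factor


# Register-to-register paths as lists of nominal gate delays in ns.
# Constructed: one short control path and one long (critical) datapath.
PATHS = {
    "ctrl_decode": [0.3, 0.4, 0.3],          # 1.0 ns nominal
    "alu_carry_chain": [0.2] * 12,           # 2.4 ns nominal
}
T_CLK_TO_Q = 0.25   # ns, launch flop clock-to-output delay (assumed)
T_SETUP = 0.15      # ns, capture flop setup time (assumed)


def path_delay(name: str, corner: Corner) -> float:
    """Arrival time of the final value at the capture flop's D input, in ns."""
    return T_CLK_TO_Q + sum(PATHS[name]) * derate(corner)


def critical_path(corner: Corner) -> tuple[str, float]:
    """The path with the maximal delay; it dictates the operating envelope."""
    name = max(PATHS, key=lambda n: path_delay(n, corner))
    return name, path_delay(name, corner)


def setup_slack(name: str, corner: Corner) -> float:
    """Positive slack: data settles (with setup margin) before the capture edge."""
    period_ns = 1000.0 / corner.clock_mhz
    return period_ns - T_SETUP - path_delay(name, corner)


def sampled_value(name: str, corner: Corner, old_bit: int, new_bit: int) -> int:
    """Model the capture flop. If slack is negative the clock edge arrives
    before the path has finished propagating, so the transient (previous)
    value is latched instead of the final one."""
    return new_bit if setup_slack(name, corner) >= 0 else old_bit


def max_safe_mhz(voltage: float, temp_c: float) -> float:
    """Highest clock at which every path meets setup at this voltage/temperature."""
    probe = Corner(voltage, temp_c, 1.0)   # frequency irrelevant for delay
    _, worst = critical_path(probe)
    return 1000.0 / (worst + T_SETUP)


if __name__ == "__main__":
    nominal = Corner(1.2, 25.0, 300.0)
    print("critical path at nominal:", critical_path(nominal))
    print("max safe clock at nominal: %.1f MHz" % max_safe_mhz(1.2, 25.0))
    for c in (Corner(1.2, 25.0, 400.0), Corner(0.9, 25.0, 300.0)):
        print(c, "alu samples", sampled_value("alu_carry_chain", c, 0, 1),
              "ctrl samples", sampled_value("ctrl_decode", c, 0, 1))
```

Running the script shows the two effects the text describes: raising the clock above the envelope, or lowering the supply at the same clock, makes only the long carry-chain path fail while the short control path still samples correctly, which is why faults concentrate on the slowest paths.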
Some protection against certain fault-based attacks can be achieved by utilizing an internal clock and/or by blocking glitches with a Low Pass Filter (LPF) at the clock input. However, the effectiveness of these countermeasures is limited, since they cannot take into account effects such as variations of voltage and temperature (unless significant timing margins are taken when designing the module). Moreover, designing an LPF that can block small variations on the input clock is considered difficult. Another countermeasure is based on detecting changes in the operating conditions of the protected module (or circuitry) by using voltage and/or heat sensors. While this type of protection is effective against many types of attacks, it requires careful consideration of the sensors' inaccuracies, as well as additional hardware means (e.g., sensors, comparators), computational effort, and/or dedicated software that may be required to implement it.
Another protection scheme, which can be implemented in hardware and/or software, is based on parity/redundancy verification (error detection). This type of protection can be used effectively to verify the validity of data (see, for example, “Improving Smart Card Security Using Self-Timed Circuits”, by S. Moore et al, Proc. ASYNC '02, 2002, pp. 211-218). However, depending on the specific design considerations, these protection schemes may consume a relatively large area overhead, or may be weak in terms of their error detection power when applied to the protection of relatively large modules.
Many of the countermeasures utilized nowadays are software solutions, which are mainly based on checking the intermediate and/or final results produced by security modules for faults, or on improving the immunity of the module against certain types of attacks (e.g., U.S. Pat. No. 5,991,415 to Adi Shamir). However, these countermeasures add considerable computational time and effort to the operation of the security module, which is unacceptable in many implementations.
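The RSA-CRT case mentioned earlier (a single erroneous output is enough to expose the key) and the result-checking countermeasure described in the paragraph above can be seen together in a short simulation. The following is an added example, not code from the patent or from the cited papers: it implements textbook RSA-CRT signing with a switch that flips one bit of the mod-p half-result, standing in for a glitch that hits that exponentiation, and contrasts a signer that releases the result as computed with one that re-verifies it using the public exponent first. The primes, exponent and message are tiny constructed values so the script runs instantly; they are not a usable key.

```python
# Added example (not from the patent text): RSA-CRT signing with a simulated
# computational fault in one CRT branch, beside the result-checking
# countermeasure (verify before release). Constructed toy parameters only.
from typing import Optional

# Constructed toy key: small primes so the example runs instantly.
P, Q, E = 10007, 10009, 65537
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                 # private exponent (Python 3.8+ modular inverse)
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # q^-1 mod p for Garner recombination


def crt_sign(m: int, fault_bit: Optional[int] = None) -> int:
    """Textbook RSA-CRT signature of m (0 < m < N).

    If fault_bit is given, one bit of the mod-p half-result is flipped,
    modelling a glitch that corrupts the exponentiation modulo p while the
    mod-q branch completes correctly."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sp ^= (1 << fault_bit)          # induced error in one CRT branch
    h = (QINV * (sp - sq)) % P
    return sq + h * Q


def rsa_verify(m: int, s: int) -> bool:
    """Public-key check of a signature; cheap compared with signing."""
    return pow(s, E, N) == m % N


def naive_signer(m: int, fault_bit: Optional[int] = None) -> int:
    """Releases whatever the CRT computation produced (no countermeasure).
    Under a fault this emits exactly the kind of erroneous output the text
    warns about."""
    return crt_sign(m, fault_bit)


def checked_signer(m: int, fault_bit: Optional[int] = None) -> Optional[int]:
    """Result-checking countermeasure: re-verify with the public exponent and
    withhold the output if it does not match. Costs one extra public-key
    operation per signature, which is the overhead the text refers to."""
    s = crt_sign(m, fault_bit)
    return s if rsa_verify(m, s) else None


if __name__ == "__main__":
    msg = 42424242                      # constructed message, nonzero mod p and q
    print("fault-free verifies:", rsa_verify(msg, naive_signer(msg)))
    faulty = naive_signer(msg, fault_bit=3)
    print("naive signer under fault releases:", faulty,
          "verifies:", rsa_verify(msg, faulty))
    print("checked signer under fault releases:", checked_signer(msg, fault_bit=3))
```

The checked signer never lets the faulty value leave the module, which is the property the software countermeasures in the paragraph above provide, at the price of an additional public-exponent exponentiation on every signature.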
There is an ongoing effort to provide protection against over-clocking attacks on cryptographic systems, and in particular there is a need for hardware means capable of detecting and protecting against such attacks.