1. Field of the Invention
The invention relates to a method for protecting the execution of sensitive operations against attacks such as side channel attacks. The invention also relates to a cryptographic device, in particular a smart card, implementing such a method.
2. Description of the Related Art
A sensitive operation is defined as an operation which manipulates sensitive data. Sensitive data is defined as data which should only be accessible by legitimate entities which need such sensitive data in order to perform their duties. Typically, special access controls are in place for sensitive data, in order to guarantee that no sensitive data is leaked to unauthorized entities.
Examples of sensitive operations comprise encryption operations taking place inside a cryptographic device, the encryption operation requiring access to a key which is typically securely stored inside the cryptographic device.
As known in the art, cryptographic devices are devices implementing cryptographic mechanisms, such as hashing mechanisms. Examples of cryptographic devices include smart cards, USB keys, dongles, Personal Digital Assistants (a.k.a PDAs), mobile phones, personal computers (a.k.a PCs), etc. Typically, such cryptographic devices may be used for securing a user's electronic transactions. The expression “electronic transaction” is to be taken in its broadest meaning. I.E. it is not limited to financial transaction but also covers any Internet transaction, any transaction occurring through a telecommunication network etc. Securing electronic transactions may comprise the cryptographic mechanisms of digitally signing electronic documents, decrypting electronic documents, negotiating session keys with a third party and/or authenticating a user. The above four cryptographic mechanisms are well known in the art. They are not limitative (other cryptographic mechanisms exist), and not mandatory (for example a cryptographic device does not necessarily embed a digital signature mechanism).
Cryptographic mechanisms have an input and an output. For example, an encryption mechanism may have an input consisting of a plaintext and an output consisting of a ciphertext. When first cryptographic devices were designed, many people were thinking that the only attacks possible on their cryptographic mechanisms consisted in attacking the input and output with cryptanalysis. However, it turned out that cryptographic devices are also susceptible to so-called “side channel attacks”. A side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than theoretical weaknesses in the algorithms (as opposed to cryptanalysis). Side channel attacks rely on the fact that a cryptographic device has inputs and outputs means other than the legitimate input and output means. For example use of illegitimate input means (often referred to as fault injection attacks) may comprise altering cryptographic operations by heating the cryptographic device, by modifying its clock (e.g. speeding up above the recommended limit), by putting it under UV light, X-Ray, or ultrasonic waves, by shaking it or otherwise mechanically acting on it, etc. Such alteration can be carefully designed (for example a glitch can be introduced at the exact moment that a counter is about to be decremented) or can be random (for example the aim might simply be to induce a random fault and analyze the consequence of the fault, which may leak sensitive information). Use of illegitimate output means may comprise analyzing the power consumption of the cryptographic device (indeed, an electronic component requires more electric power to perform a complex operation such as “square and multiply” than it does for a simple operation such as “square only”), analyzing the electromagnetic field created by the cryptographic device, analyzing the sounds emitted by the cryptographic device, etc. Well-known side channel attacks include Simple Power Analysis (SPA), Differential Power Analysis (DPA) or Differential Fault Analysis (DFA).
Periodically checking the integrity of important data manipulated during a sensitive operation, such as keys used inside a cryptographic device during cryptographic computations, can help circumvent so-called fault injection attacks. Indeed, if a fault is generated, it may be detected (thanks to the integrity check), and appropriate actions may then be taken. Examples of integrity checks include fast error detection codes such CRC. CRC stands for Cyclic Redundancy Code. A CRC hardware module is available in many microcontrollers, which makes it a convenient tool for integrity checking in many electronic devices since it's very fast.
Unfortunately, when checking the integrity of data manipulated during a sensitive operation using the above method, some information is typically leaked. For example, an attacker may analyze a cryptographic device while it performs integrity checks for a sensitive operation, by using one of the above mentioned side-channel attacks, and recover some sensitive data.
Therefore, the method makes it more difficult to perform a fault injection attack but facilitates other side channel attacks such as SPA or DPA.