Cryptographic operations are used for a variety of processes such as data encryption and authentication. In a typical symmetrical cryptographic process, a secret key is known by two or more participants, who use it to secure their communications. In systems using asymmetric (or public key) cryptography, one party typically performs operations using a secret key (e.g., the so-called private key), while the other performs complementary operations using only non-secret parameters (e.g., the so-called public key). In both symmetric and asymmetric cryptosystems, secret parameters must be kept confidential, since an attacker who compromises a key can decrypt communications, forge signatures, perform unauthorized transactions, impersonate users, or cause other problems.
Methods for managing keys securely using physically secure, well-shielded rooms are known in the background art and are widely used today. However, previously-known methods for protecting keys in low-cost cryptographic devices are often inadequate for many applications, such as those requiring a high degree of tamper resistance. Attacks such as reverse-engineering of ROM using microscopes, timing attack cryptanalysis (see, for example, P. Kocher, Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems; Advances in Cryptology CRYPTO '96, Springer-Verlag, pages 104-113), and error analysis (see, for example, E. Biham and A. Shamir, Differential Fault Analysis of Secret Key Ctyptosystems; Advances in Cryptology; CRYPTO '97, Springer-Verlag, 1997, pages 513-525) have been described for analyzing cryptosystems.
Ciphers and algorithms believed to be cryptographically secure are known in the background art. For example, protocols using triple DES (a cipher constructed using three applications of the Data Encryption Standard using different keys) can resist all feasible cryptanalytic attacks, provided that attackers only have access to the standard inputs to and outputs from the protocol. However, even a product using an extremely strong cipher such as triple DES can be insecure if the attacker can generate a physical (perturbation), such as fault.
These attacks are very critical if they occur on a Key register. Indeed, a special feature of the key register, embedded in most of cryptographic elements, is that it is not possible to read it. Allowable actions are generally “use-it” or “load-it”.
The “use-it” command permits to use such register during a cryptographic computation, the “load-it” command permits to load a key inside such register. Such registers are used, for example inside hardware cryptographic blocks cipher.
Such attacks can be operating as follow:
The attacker physically targets at least one bit of a register of the block cipher (he knows which bit position is attacking and we consider that the attack always causes the same perturbation (1−>0 or 0−>1)).
If the result of the block cipher execution is false or if it has no result (the fault has been detected), he knows that the previous value of the bit targeted was 1. Otherwise, (after several tentative), if the result is correct the targeted the previous value of the targeted bit was 0. By attacking bit after bit allows an attacker to retrieve all bits of the secret.
To implement such attack, the attacker can redo the same fault, several times. This attack is very efficient if it occurs during the key loading step or when the key has been loaded in the key register because the register is easy to locate into the block cipher. The impact of the attack will be readable after the block cipher execution (done with the modified key value).
Currently available protection mechanisms are implemented off-line and are not suitable for all applications. For example, existing mechanisms would not offer protection to session keys, which are generated as needed rather than in advance.
Hagai Bar-El et al., in “The Sorcerer's Apprentice Guide to Fault Attacks”, Discretix Technologies White Paper, given at Workshop on Fault Detection and Tolerance in Cryptography, Florence Italy, 30 Jun. 2004 (Cryptology ePrint Archive (eprint.iacr.org) Report 2004/100; also, CiteSeer article 705084), describe various methods of implementing such fault attacks on electronic cryptographic circuits, and suggest a number of countermeasures. The countermeasures mainly involve introducing redundancy in which operations are recomputed and the results compared, on the assumption that identical faults cannot be replicated. The resulting system is admitted to be slower and less efficient, but that is conceded to be part of the cost of security.
Other known counter measures exist for specific algorithm such the DES/3DES (for Data Encryption Standard and Triple Data Encryption Standard), as known in the patent WO2010046251.
The solution proposed in the invention is not applicable to all block ciphers, because based on a mathematical property of the DES algorithm.