CA2327037A1 - Method to detect fault attacks against cryptographic algorithms - Google Patents
Method to detect fault attacks against cryptographic algorithms Download PDFInfo
- Publication number
- CA2327037A1 CA2327037A1 CA002327037A CA2327037A CA2327037A1 CA 2327037 A1 CA2327037 A1 CA 2327037A1 CA 002327037 A CA002327037 A CA 002327037A CA 2327037 A CA2327037 A CA 2327037A CA 2327037 A1 CA2327037 A1 CA 2327037A1
- Authority
- CA
- Canada
- Prior art keywords
- key
- sub
- algorithm
- computed
- checksum value
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/002—Countermeasures against attacks on cryptographic mechanisms
- H04L9/004—Countermeasures against attacks on cryptographic mechanisms for fault attacks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/24—Key scheduling, i.e. generating round keys or sub-keys for block encryption
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
A method for detecting fault attacks against cryptographic algorithms comprising an initialisation process to which an init vector and a key are supplied to compute at least one sub-key from the key; a checksum function on the at least one sub-key and the init vector. The result of the checksum computing step is stored. The method also includes, in the cryptographic algorithm to which are supplied a message, an init vector and a key, computing at least one sub-key from the key;
computing a checksum function on the at least one sub-key and the init vector; comparing the result of said checksum computing step with said stored result; and encrypting the message via an encrypting algorithm using the computed sub-keys. Wherein a fault attack is detected when the result of the comparing step is that the stored result of the checksum computing step of the initialisation process is not identical to the result of the checksum computing step of the cryptographic algorithm.
computing a checksum function on the at least one sub-key and the init vector; comparing the result of said checksum computing step with said stored result; and encrypting the message via an encrypting algorithm using the computed sub-keys. Wherein a fault attack is detected when the result of the comparing step is that the stored result of the checksum computing step of the initialisation process is not identical to the result of the checksum computing step of the cryptographic algorithm.
Description
TITLE OF THE INVENTION
METHOD TO DETECT FAULT ATTACKS AGAINST
CRYPTOGRAPHIC ALGORITHMS
FIELD OF THE INVENTION
The present invention relates to cryptographic algorithms. More specifically, the present invention is concerned with a method for detecting fault attacks against cryptographic algorithms.
BACKGROUND OF THE INVENTION
Smart cards, as a particular embodiment of electronic devices, were initially conceived to enhance the security of distributed systems. Applications of smart cards include, for example, calling cards, identification cards, medical cards, transaction cards (credit/debit bank, store, restaurant, etc.) and security cards. All of these applications require sensitive and confidential data to be processed within the smart card.
Means to maintain privacy and confidentiality of the data are important to guarantee an adequate security of smart cards. Indeed, these cards have to deal with different types of fraudulent external attempts to access the data stored therein.
METHOD TO DETECT FAULT ATTACKS AGAINST
CRYPTOGRAPHIC ALGORITHMS
FIELD OF THE INVENTION
The present invention relates to cryptographic algorithms. More specifically, the present invention is concerned with a method for detecting fault attacks against cryptographic algorithms.
BACKGROUND OF THE INVENTION
Smart cards, as a particular embodiment of electronic devices, were initially conceived to enhance the security of distributed systems. Applications of smart cards include, for example, calling cards, identification cards, medical cards, transaction cards (credit/debit bank, store, restaurant, etc.) and security cards. All of these applications require sensitive and confidential data to be processed within the smart card.
Means to maintain privacy and confidentiality of the data are important to guarantee an adequate security of smart cards. Indeed, these cards have to deal with different types of fraudulent external attempts to access the data stored therein.
Cryptography, the art and science of keeping data secret, has become one of the main tools for maintaining privacy, trust, access control and corporate security, among other things. The cryptographic transformation of confidential data is usually referred to as encryption. On the other hand, the process of retrieving the plain data from the ciphertext (the encrypted data) is usually called decryption.
Modern cryptographic algorithms conventionally use at least one key to control encryption and decryption. There are two general classes of key-based cryptographic algorithms: symmetric (or secret-key) and asymmetric (or public-key) algorithms. Generally stated, symmetric algorithms use the same key for encryption and decryption or use a decryption key that may easily be derived from the encryption key.
Conversely, asymmetric algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key. Therefore, the key of symmetric cryptographic algorithms must be kept secret while the encryption key of asymmetrical cryptographic algorithms may be publicised.
A smart card is typically used to store secret key(s), for example, which are used in turn to encrypt or decrypt data coming from the external world. A secret key can be used to perform many operations such as authentication, data integrity, data authenticity and data confidentiality, for example.
As previously mentioned, cryptosystems, i.e. systems using cryptographic technology, are subject to different types of external attempts to access the key contained therein. The fraudulent external access attempts, usually referred to as attacks, form the cryptoanalysis, which, generally stated, is the art of finding the secret key used in a given protocol.
There are many known cryptoanalytic techniques or attacks that may be launched against cryptographic algorithms. In recent years, a new type of attacks came out to break the cryptographic device implementation on the hardware level rather than on the algorithm level.
One example of such hardware attacks, usually referred to as "Fault attacks", will be discussed hereinbelow.
A fault attack assumes that by exposing a sealed electronic device, for example, a smart card to certain physical effects (e.g., ionizing or microwave radiation), one can induce with reasonable probability a fault at a random bit location in one of the registers at some random intermediate stage in the cryptographic algorithm.
Usually, the attacker is in physical possession of the electronic device, with the intention of repeating the experiment with the same message and key but without applying the external physical effects.
As a result, two ciphered messages derived from the same (unknown) message and key are obtained, where one of the ciphered message is correct and the other is the result of a computation corrupted by a single bit error during the computation.
Hence, a concern in cryptosystem technologies is to secure the cryptographic algorithms from the above-mentioned fault attacks.
Modern cryptographic algorithms conventionally use at least one key to control encryption and decryption. There are two general classes of key-based cryptographic algorithms: symmetric (or secret-key) and asymmetric (or public-key) algorithms. Generally stated, symmetric algorithms use the same key for encryption and decryption or use a decryption key that may easily be derived from the encryption key.
Conversely, asymmetric algorithms use a different key for encryption and decryption, and the decryption key cannot be derived from the encryption key. Therefore, the key of symmetric cryptographic algorithms must be kept secret while the encryption key of asymmetrical cryptographic algorithms may be publicised.
A smart card is typically used to store secret key(s), for example, which are used in turn to encrypt or decrypt data coming from the external world. A secret key can be used to perform many operations such as authentication, data integrity, data authenticity and data confidentiality, for example.
As previously mentioned, cryptosystems, i.e. systems using cryptographic technology, are subject to different types of external attempts to access the key contained therein. The fraudulent external access attempts, usually referred to as attacks, form the cryptoanalysis, which, generally stated, is the art of finding the secret key used in a given protocol.
There are many known cryptoanalytic techniques or attacks that may be launched against cryptographic algorithms. In recent years, a new type of attacks came out to break the cryptographic device implementation on the hardware level rather than on the algorithm level.
One example of such hardware attacks, usually referred to as "Fault attacks", will be discussed hereinbelow.
A fault attack assumes that by exposing a sealed electronic device, for example, a smart card to certain physical effects (e.g., ionizing or microwave radiation), one can induce with reasonable probability a fault at a random bit location in one of the registers at some random intermediate stage in the cryptographic algorithm.
Usually, the attacker is in physical possession of the electronic device, with the intention of repeating the experiment with the same message and key but without applying the external physical effects.
As a result, two ciphered messages derived from the same (unknown) message and key are obtained, where one of the ciphered message is correct and the other is the result of a computation corrupted by a single bit error during the computation.
Hence, a concern in cryptosystem technologies is to secure the cryptographic algorithms from the above-mentioned fault attacks.
Figure 1, which is labelled "Prior Art" is a block diagram of a conventional cryptographic algorithm 10 where security functions have been implemented to detect fault attacks. As will easily be understood by one skilled in the art, the conventional method to detect fault attacks is to perform each computation twice and compare the results of the two computations to determine if a fault attack has occurred. If this is the case, the cryptographic algorithm is stopped to prevent relevant data to leak.
The conventional cryptographic algorithm 10 of Figure 1 is conceptually divided in two algorithms. A first algorithm 12, referred to as the secret key algorithm, concerns the actual encryption of the message 14. A second algorithm 16, referred to as the key schedule algorithm, receives a key 20 to calculate sub-keys that are required by the secret key algorithm 12 as conventionally known in the art.
Each of the two algorithms 12 and 16 executes each computing operation twice as described hereinabove. Accordingly, fault attack errors 22 and 24 may be generated by these algorithms.
It is to be noted that while the message 14 submitted to the secret key algorithm 12 varies each time the cryptographic algorithm 10 is used, the key 20 is the same for each use of the algorithm 10. Of course, this assumes that the correct key 20 is used.
If no such fault attacks are detected at the end of the secret key algorithm 12, the message 14 is then encrypted into a ciphered message 26.
The key schedule algorithm 16 is illustrated in a more detailed block diagram in Figure 2, which is also labelled "Prior Art". This Figure illustrates the measures taken for duplicating computation in order to verify the integrity of the results obtained in the key schedule algorithm 16.
As well known to those skilled in the art, a secret key algorithm such as 12 conventionally requires a sub-key for each of the plurality of computation rounds required to perform the encryption of the message. However, for concision purposes only the steps leading to the transfer of the sub-key from the key schedule algorithm 16 to the secret key algorithm 12 for the first round will be described hereinbelow.
As illustrated in Figure 2, two separate computation steps 28 and 30 of the first derived sub-key respectively labelled "sub-key K~"
and "sub-key K~"' are independently done in the first computation round 32.
The results of these two computation steps are then compared in step 38, in order to verify their integrity. If the result of the computation steps 28 and 30 are not identical, a fault attack error 24 is generated. If the two computed sub-keys are identical, the sub-key K, is then supplied to the secret key algorithm 12.
As it will be understood by one skilled in the art; the computation process as previously described for the first round 32, is repeated in subsequent rounds until it reaches the end of the key schedule algorithm.
Of course, algorithms using double computation as described hereinabove, are rather costly in terms of performance since the process takes twice as much time. Hence, means for upgrading performances by saving computation time is considered in recent smart cards technologies.
SUMMARY OF THE INVENTION
More specifically, in accordance with the present invention, there is provided a method for detecting fault attacks against cryptographic algorithms, the method comprising:
in an initialisation process:
- providing an init vector;
- providing a key;
- computing at least one sub-key from the key;
- computing a checksum function on the at least one sub-key and the init vector to yield a reference checksum value;
- storing the key and the reference checksum value;
in the cryptographic algorithm:
- providing a message;
- providing the init vector;
- providing the key;
- computing at least one sub-key from the key;
- computing a checksum function on the at least one sub-key and the init vector;
- comparing the checksum value of the checksum computing step with the reference checksum value; and - executing the cryptographic algorithm, using the message and at least one computed sub-key, to execute at least one internal computation;
wherein a fault attack is detected when the result of the comparing step is that the checksum value is not identical to the stored reference checksum value.
Other objects, advantages and features of the present invention will become more apparent upon reading the following non restrictive description of preferred embodiments thereof, given by way of example only with reference to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
In the appended drawings:
Figure 1, which is labeled "prior art", is a schematic block diagram of a conventional configuration of a cryptographic algorithm;
Figure 2, which is labeled "prior art", is a schematic block diagram of the key schedule algorithm of the cryptographic algorithm of Figure 1;
Figure 3 is a schematic block diagram of a configuration of a cryptographic algorithm implementing a method for detecting fault attacks against cryptographic algorithms according to the present invention;
Figure 4 is a schematic block diagram of the initialisation process according to the present invention;
Figure 5 is a more detailed schematic block diagram of the cryptographic algorithm of Figure 3;
Figure 6 is a schematic block diagram of the secret key algorithm, according to a second embodiment; and Figure 7 is a schematic block diagram of the secret key algorithm, according to a third embodiment.
DESCRIPTION OF THE PREFERRED EMBODIMENT
A cryptographic algorithm 100 including features for detecting fault attacks according to an embodiment of the present invention, will now be described with references to Figures 3 to 5. This algorithm 100 may, for example, be implemented into electronic devices such as, for example, smart cards.
As it can be seen from Figure 3, the cryptographic algorithm 100 includes a secret key algorithm 102 and a key schedule algorithm 104. The secret key algorithm 102 receives a message 106 and sub-keys 108 computed by the key schedule algorithm 104 as will be described hereinbelow. On the other hand, the key schedule algorithm 104 receives an init vector 110 and a key 112. The init vector 110 has a fixed value and is used in checksum functions as will be described hereinbelow. The init vector is advantageously stored in non-volatile memory of the electronic device. The key 112 is the so called "secret key"
required to encrypt and decrypt the message.
As described hereinabove with respect to cryptographic algorithms of the prior art, the secret key algorithm 102, since it processes data that changes every time the algorithm is used, i.e., the message 106, computes each operation twice and compares the results of the two computations. A fault attack error 114 is generated when the two results are not identical and, consequently, the algorithm 100 is stopped.
However, as will be described hereinbelow in greater details, the key schedule algorithm 104 does not compute each operation twice.
Generally stated, the present invention consists in performing an initialisation process when the electronic device, hereinafter referred to as a smart card, is setup before being given to the user. This initialisation process consists in computing all the sub-keys required by the secret key algorithm 102, computing a checksum function over all these sub-keys and storing the resulting checksum value, hereinafter referred to as SBKCHK;, along with the secret key, preferably into a non-volatile memory of the smart card so that it may be accessed when the smart card is subsequently used.
More specifically, the same checksum function is part of the key schedule algorithm 104 and yields a checksum value, hereinafter referred to as SBKCHK, that may be compared to the stored SBKCHK;
value in a final check step 116 that determines if a fault attack has been 5 successful during the key schedule algorithm 104. If such a successful fault attack has been detected, a fault attack error 118 is generated. If not, the ciphered message 120 is completed.
As will be apparent to one skilled in the art, since each 10 sub-key computation is done only once when the smart card is used, and since the fault attack detection is made only once after the key schedule algorithm 104 is completed, by comparing SBKCHK and SBKCHK;, the key schedule algorithm 104 is much faster than the key schedule algorithm 16 of the prior art (see Figure 1) without compromising security or the integrity of the cipher message 120.
Turning now to Figure 4 of the appended drawings the initialisation process, part of the setup of the smart card, will be described.
Indeed, prior to its initial use, any smart card has to be properly setup, for example to encode the key chosen by the user therein. According to an embodiment of the present invention, this one time setup of the smart card also involves a supplemental initialisation process.
This initialisation process includes as many rounds as the actual secret key algorithm 102 to thereby compute all the sub-keys required by the secret key algorithm 102. For example, in round 1, sub-key K~ is computed (step 122) from the key 112. Sub-key K~ is then supplied to a checksum function 124 which also has the init vector 110 as an input. The resulting checksum value SBKCHK~ is used in the next round, as an input to the checksum function of this subsequent round.
The init vector 110 is only used in the first round of the computation process. The final computed checksum value SBKCHK;, which may also be referred to as the reference checksum value, is stored into the non volatile memory in step 126.
As will be understood by one skilled in the art, the setup of the smart card is done only once. It is also to be noted that since this setup is done at the card issuer's premises, fault attacks should not occur during the setup and no security features to guard against them is required.
A more detailed description of the cryptographic algorithm 100 of Figure 3 will now be described with reference to Figure 5.
It is to be noted that while the description hereinbelow refers more specifically to the first round 128 of the cryptographic algorithm 100, the following steps are repeated for each round of the algorithm.
In the first round 128, the key schedule algorithm 104 computes a first sub-key K~ from the key 112 (step 130). The sub-key K~
is then supplied to the secret key algorithm 102 and is also used by a checksum function 132, identical to the checksum function 124 of the initialisation process of Figure 4, that also uses the init vector 110 as an input. The resulting checksum value SBKCHK~ of this function 132 is used as an input of the checksum function of the next round.
With respect to the secret key algorithm 102, the first round 128 involves computing twice (steps 134 and 136) a first intermediary result, respectively R~ and R~' from the message 106 and the first sub-key K~. These two results are then compared in step 138. If the results are identical, the result is supplied to the next round. If not, the algorithm 100 is stopped and a fault attack error 114 is generated.
Of course, as will be apparent to one skilled in the art, the sub-steps in the computation of the first intermediary result vary according to the specific secret key algorithm used.
The steps described hereinabove are repeated for each round until the last round 140 is completed. The resulting checksum value SBKCHK of the checksum function 142 of the last round 140 is then compared with the stored reference checksum value SBKCHK; to determine if a fault attack has been successful.
Therefore, during the cryptographic algorithm 100, fault attacks are detected, in the secret key algorithm 102 involving the message 106, by duplicating computation and comparing corresponding results. On the other hand, in the key schedule algorithm 104, which involves only fixed data, fault attacks are detected by comparing the final checksum value with a previously stored reference checksum value in the non volatile memory of the smart card during the initialisation process.
It is also to be noted that the checksum functions used in the above described key schedule algorithm 102 have not been described in detail since it is believed to be within the reach of one skilled in the art to design an adequate checksum function.
A second embodiment of the secret key algorithm 202 will now be described with reference to Figure 6 of the appended drawings.
Generally stated, in the secret key algorithm 202, instead of verifying the intermediate results of each duplicated round, the entire encryption process is completed to yield the ciphered message 120. Once the result is computed, the reverse cryptographic algorithm, or decryption, is done, using the ciphered message 120 as an input, to verify that the original message 106 may be deducted from the ciphered message 120.
If this is the case, it can be assumed that no successful fault attack has occurred.
More specifically, the first step 204 is to store a copy of the original message. The cryptographic algorithm, consisting in successive computation rounds leading to the final round 206, is then processed. The result of the final round 206, which is technically the ciphered message, is then stored in step 208. The reverse cryotographic algorithm, consisting in the reverse rounds (for example 210, 212 and 214), is applied to the ciphered message to yield the original message should no successful fault attack occur. The result of the last round 214 of the reverse cryptographic algorithm is saved (step 216) and compared with the original message in step 218. If the two messages are identical, the final check 116 is done as described hereinabove. If not, the algorithm 100 is stopped and a fault attack error 114 is generated.
As will easily be understood by one skilled in the art, all the sub-keys are saved in the volatile memory of the smart card since they are required at two different times in the secret key algorithm 202, i.e. in the cryptographic and reverse cryptographic algorithms.
The main advantage of this embodiment is the increased level of security. Indeed, it would be harder to generate two faults, one in the normal algorithm and one in the inverse algorithm , which would lead to the original message.
On the other hand, a minor drawback of this embodiment concerns the amount of volatile memory required to save all the sub-keys.
Finally, Figure 7, illustrates an alternative of the secret key algorithm 302 according to a third embodiment of the present invention.
In this embodiment, the entire cryptographic algorithm is done twice in parallel and the result of the two algorithms are stored (steps 304 and 306) and compared (step 308) to determine if a successful fault attack has occurred.
It is to be noted that while the electronic device in which the cryptographic algorithm according to the present invention is integrated has been described hereinabove as being a smart card, other types of electronic devices, such as, for example, Personal Digital Assistant (PDA) and cellular phones could benefit from the cryptographic algorithm of the present invention.
5 As will easily be understood by one skilled in the art, the algorithms illustrated and described herein are schematic and many other features are required to yield an adequate cryptographic algorithm. These other features are believed to be well known and therefore will not be further discussed herein.
Although the present invention has been described hereinabove by way of preferred embodiments thereof, it can be modified, without departing from the spirit and nature of the subject invention as defined in the appended claims.
The conventional cryptographic algorithm 10 of Figure 1 is conceptually divided in two algorithms. A first algorithm 12, referred to as the secret key algorithm, concerns the actual encryption of the message 14. A second algorithm 16, referred to as the key schedule algorithm, receives a key 20 to calculate sub-keys that are required by the secret key algorithm 12 as conventionally known in the art.
Each of the two algorithms 12 and 16 executes each computing operation twice as described hereinabove. Accordingly, fault attack errors 22 and 24 may be generated by these algorithms.
It is to be noted that while the message 14 submitted to the secret key algorithm 12 varies each time the cryptographic algorithm 10 is used, the key 20 is the same for each use of the algorithm 10. Of course, this assumes that the correct key 20 is used.
If no such fault attacks are detected at the end of the secret key algorithm 12, the message 14 is then encrypted into a ciphered message 26.
The key schedule algorithm 16 is illustrated in a more detailed block diagram in Figure 2, which is also labelled "Prior Art". This Figure illustrates the measures taken for duplicating computation in order to verify the integrity of the results obtained in the key schedule algorithm 16.
As well known to those skilled in the art, a secret key algorithm such as 12 conventionally requires a sub-key for each of the plurality of computation rounds required to perform the encryption of the message. However, for concision purposes only the steps leading to the transfer of the sub-key from the key schedule algorithm 16 to the secret key algorithm 12 for the first round will be described hereinbelow.
As illustrated in Figure 2, two separate computation steps 28 and 30 of the first derived sub-key respectively labelled "sub-key K~"
and "sub-key K~"' are independently done in the first computation round 32.
The results of these two computation steps are then compared in step 38, in order to verify their integrity. If the result of the computation steps 28 and 30 are not identical, a fault attack error 24 is generated. If the two computed sub-keys are identical, the sub-key K, is then supplied to the secret key algorithm 12.
As it will be understood by one skilled in the art; the computation process as previously described for the first round 32, is repeated in subsequent rounds until it reaches the end of the key schedule algorithm.
Of course, algorithms using double computation as described hereinabove, are rather costly in terms of performance since the process takes twice as much time. Hence, means for upgrading performances by saving computation time is considered in recent smart cards technologies.
SUMMARY OF THE INVENTION
More specifically, in accordance with the present invention, there is provided a method for detecting fault attacks against cryptographic algorithms, the method comprising:
in an initialisation process:
- providing an init vector;
- providing a key;
- computing at least one sub-key from the key;
- computing a checksum function on the at least one sub-key and the init vector to yield a reference checksum value;
- storing the key and the reference checksum value;
in the cryptographic algorithm:
- providing a message;
- providing the init vector;
- providing the key;
- computing at least one sub-key from the key;
- computing a checksum function on the at least one sub-key and the init vector;
- comparing the checksum value of the checksum computing step with the reference checksum value; and - executing the cryptographic algorithm, using the message and at least one computed sub-key, to execute at least one internal computation;
wherein a fault attack is detected when the result of the comparing step is that the checksum value is not identical to the stored reference checksum value.
Other objects, advantages and features of the present invention will become more apparent upon reading the following non restrictive description of preferred embodiments thereof, given by way of example only with reference to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
In the appended drawings:
Figure 1, which is labeled "prior art", is a schematic block diagram of a conventional configuration of a cryptographic algorithm;
Figure 2, which is labeled "prior art", is a schematic block diagram of the key schedule algorithm of the cryptographic algorithm of Figure 1;
Figure 3 is a schematic block diagram of a configuration of a cryptographic algorithm implementing a method for detecting fault attacks against cryptographic algorithms according to the present invention;
Figure 4 is a schematic block diagram of the initialisation process according to the present invention;
Figure 5 is a more detailed schematic block diagram of the cryptographic algorithm of Figure 3;
Figure 6 is a schematic block diagram of the secret key algorithm, according to a second embodiment; and Figure 7 is a schematic block diagram of the secret key algorithm, according to a third embodiment.
DESCRIPTION OF THE PREFERRED EMBODIMENT
A cryptographic algorithm 100 including features for detecting fault attacks according to an embodiment of the present invention, will now be described with references to Figures 3 to 5. This algorithm 100 may, for example, be implemented into electronic devices such as, for example, smart cards.
As it can be seen from Figure 3, the cryptographic algorithm 100 includes a secret key algorithm 102 and a key schedule algorithm 104. The secret key algorithm 102 receives a message 106 and sub-keys 108 computed by the key schedule algorithm 104 as will be described hereinbelow. On the other hand, the key schedule algorithm 104 receives an init vector 110 and a key 112. The init vector 110 has a fixed value and is used in checksum functions as will be described hereinbelow. The init vector is advantageously stored in non-volatile memory of the electronic device. The key 112 is the so called "secret key"
required to encrypt and decrypt the message.
As described hereinabove with respect to cryptographic algorithms of the prior art, the secret key algorithm 102, since it processes data that changes every time the algorithm is used, i.e., the message 106, computes each operation twice and compares the results of the two computations. A fault attack error 114 is generated when the two results are not identical and, consequently, the algorithm 100 is stopped.
However, as will be described hereinbelow in greater details, the key schedule algorithm 104 does not compute each operation twice.
Generally stated, the present invention consists in performing an initialisation process when the electronic device, hereinafter referred to as a smart card, is setup before being given to the user. This initialisation process consists in computing all the sub-keys required by the secret key algorithm 102, computing a checksum function over all these sub-keys and storing the resulting checksum value, hereinafter referred to as SBKCHK;, along with the secret key, preferably into a non-volatile memory of the smart card so that it may be accessed when the smart card is subsequently used.
More specifically, the same checksum function is part of the key schedule algorithm 104 and yields a checksum value, hereinafter referred to as SBKCHK, that may be compared to the stored SBKCHK;
value in a final check step 116 that determines if a fault attack has been 5 successful during the key schedule algorithm 104. If such a successful fault attack has been detected, a fault attack error 118 is generated. If not, the ciphered message 120 is completed.
As will be apparent to one skilled in the art, since each 10 sub-key computation is done only once when the smart card is used, and since the fault attack detection is made only once after the key schedule algorithm 104 is completed, by comparing SBKCHK and SBKCHK;, the key schedule algorithm 104 is much faster than the key schedule algorithm 16 of the prior art (see Figure 1) without compromising security or the integrity of the cipher message 120.
Turning now to Figure 4 of the appended drawings the initialisation process, part of the setup of the smart card, will be described.
Indeed, prior to its initial use, any smart card has to be properly setup, for example to encode the key chosen by the user therein. According to an embodiment of the present invention, this one time setup of the smart card also involves a supplemental initialisation process.
This initialisation process includes as many rounds as the actual secret key algorithm 102 to thereby compute all the sub-keys required by the secret key algorithm 102. For example, in round 1, sub-key K~ is computed (step 122) from the key 112. Sub-key K~ is then supplied to a checksum function 124 which also has the init vector 110 as an input. The resulting checksum value SBKCHK~ is used in the next round, as an input to the checksum function of this subsequent round.
The init vector 110 is only used in the first round of the computation process. The final computed checksum value SBKCHK;, which may also be referred to as the reference checksum value, is stored into the non volatile memory in step 126.
As will be understood by one skilled in the art, the setup of the smart card is done only once. It is also to be noted that since this setup is done at the card issuer's premises, fault attacks should not occur during the setup and no security features to guard against them is required.
A more detailed description of the cryptographic algorithm 100 of Figure 3 will now be described with reference to Figure 5.
It is to be noted that while the description hereinbelow refers more specifically to the first round 128 of the cryptographic algorithm 100, the following steps are repeated for each round of the algorithm.
In the first round 128, the key schedule algorithm 104 computes a first sub-key K~ from the key 112 (step 130). The sub-key K~
is then supplied to the secret key algorithm 102 and is also used by a checksum function 132, identical to the checksum function 124 of the initialisation process of Figure 4, that also uses the init vector 110 as an input. The resulting checksum value SBKCHK~ of this function 132 is used as an input of the checksum function of the next round.
With respect to the secret key algorithm 102, the first round 128 involves computing twice (steps 134 and 136) a first intermediary result, respectively R~ and R~' from the message 106 and the first sub-key K~. These two results are then compared in step 138. If the results are identical, the result is supplied to the next round. If not, the algorithm 100 is stopped and a fault attack error 114 is generated.
Of course, as will be apparent to one skilled in the art, the sub-steps in the computation of the first intermediary result vary according to the specific secret key algorithm used.
The steps described hereinabove are repeated for each round until the last round 140 is completed. The resulting checksum value SBKCHK of the checksum function 142 of the last round 140 is then compared with the stored reference checksum value SBKCHK; to determine if a fault attack has been successful.
Therefore, during the cryptographic algorithm 100, fault attacks are detected, in the secret key algorithm 102 involving the message 106, by duplicating computation and comparing corresponding results. On the other hand, in the key schedule algorithm 104, which involves only fixed data, fault attacks are detected by comparing the final checksum value with a previously stored reference checksum value in the non volatile memory of the smart card during the initialisation process.
It is also to be noted that the checksum functions used in the above described key schedule algorithm 102 have not been described in detail since it is believed to be within the reach of one skilled in the art to design an adequate checksum function.
A second embodiment of the secret key algorithm 202 will now be described with reference to Figure 6 of the appended drawings.
Generally stated, in the secret key algorithm 202, instead of verifying the intermediate results of each duplicated round, the entire encryption process is completed to yield the ciphered message 120. Once the result is computed, the reverse cryptographic algorithm, or decryption, is done, using the ciphered message 120 as an input, to verify that the original message 106 may be deducted from the ciphered message 120.
If this is the case, it can be assumed that no successful fault attack has occurred.
More specifically, the first step 204 is to store a copy of the original message. The cryptographic algorithm, consisting in successive computation rounds leading to the final round 206, is then processed. The result of the final round 206, which is technically the ciphered message, is then stored in step 208. The reverse cryotographic algorithm, consisting in the reverse rounds (for example 210, 212 and 214), is applied to the ciphered message to yield the original message should no successful fault attack occur. The result of the last round 214 of the reverse cryptographic algorithm is saved (step 216) and compared with the original message in step 218. If the two messages are identical, the final check 116 is done as described hereinabove. If not, the algorithm 100 is stopped and a fault attack error 114 is generated.
As will easily be understood by one skilled in the art, all the sub-keys are saved in the volatile memory of the smart card since they are required at two different times in the secret key algorithm 202, i.e. in the cryptographic and reverse cryptographic algorithms.
The main advantage of this embodiment is the increased level of security. Indeed, it would be harder to generate two faults, one in the normal algorithm and one in the inverse algorithm , which would lead to the original message.
On the other hand, a minor drawback of this embodiment concerns the amount of volatile memory required to save all the sub-keys.
Finally, Figure 7, illustrates an alternative of the secret key algorithm 302 according to a third embodiment of the present invention.
In this embodiment, the entire cryptographic algorithm is done twice in parallel and the result of the two algorithms are stored (steps 304 and 306) and compared (step 308) to determine if a successful fault attack has occurred.
It is to be noted that while the electronic device in which the cryptographic algorithm according to the present invention is integrated has been described hereinabove as being a smart card, other types of electronic devices, such as, for example, Personal Digital Assistant (PDA) and cellular phones could benefit from the cryptographic algorithm of the present invention.
5 As will easily be understood by one skilled in the art, the algorithms illustrated and described herein are schematic and many other features are required to yield an adequate cryptographic algorithm. These other features are believed to be well known and therefore will not be further discussed herein.
Although the present invention has been described hereinabove by way of preferred embodiments thereof, it can be modified, without departing from the spirit and nature of the subject invention as defined in the appended claims.
Claims (5)
1. A method for detecting fault attacks against cryptographic algorithms, said method comprising:
in an initialisation process:
- providing an init vector;
- providing a key;
- computing at least one sub-key from the key;
- computing a checksum function on the at least one sub-key and the init vector to yield a reference checksum value;
- storing the key and the reference checksum value;
in the cryptographic algorithm:
- providing a message;
- providing the init vector;
- providing the key;
- computing at least one sub-key from the key;
- computing a checksum function on the at least one sub-key and the init vector;
- comparing the checksum value of said checksum computing step with the reference checksum value; and - executing the cryptographic algorithm, using the message and at least one computed sub-key, to execute at least one internal computation;
wherein a fault attack is detected when the result of said comparing step is that the checksum value is not identical to the stored reference checksum value.
in an initialisation process:
- providing an init vector;
- providing a key;
- computing at least one sub-key from the key;
- computing a checksum function on the at least one sub-key and the init vector to yield a reference checksum value;
- storing the key and the reference checksum value;
in the cryptographic algorithm:
- providing a message;
- providing the init vector;
- providing the key;
- computing at least one sub-key from the key;
- computing a checksum function on the at least one sub-key and the init vector;
- comparing the checksum value of said checksum computing step with the reference checksum value; and - executing the cryptographic algorithm, using the message and at least one computed sub-key, to execute at least one internal computation;
wherein a fault attack is detected when the result of said comparing step is that the checksum value is not identical to the stored reference checksum value.
2. The method for detecting fault attacks against cryptographic algorithms as recited in claim 1, wherein:
in the initialisation process:
- said sub-key computing step includes computing a predetermined number of sub-keys;
- for the first sub-key computed, said checksum value is computed using the first sub-key and the init vector;
and - for each of the other sub-keys computed, said checksum value is computed using the sub-key and a previously computed checksum value;
in the cryptographic algorithm:
- said sub-key computing step includes computing a predetermined number of sub-keys;
- for the first sub-key computed, said checksum value is computed using the first sub-key and the init vector;
and - for each of the other sub-keys computed, said checksum value is computed using the sub-key and a previously computed checksum value;
in the initialisation process:
- said sub-key computing step includes computing a predetermined number of sub-keys;
- for the first sub-key computed, said checksum value is computed using the first sub-key and the init vector;
and - for each of the other sub-keys computed, said checksum value is computed using the sub-key and a previously computed checksum value;
in the cryptographic algorithm:
- said sub-key computing step includes computing a predetermined number of sub-keys;
- for the first sub-key computed, said checksum value is computed using the first sub-key and the init vector;
and - for each of the other sub-keys computed, said checksum value is computed using the sub-key and a previously computed checksum value;
3. The method for detecting fault attacks against cryptographic algorithms as recited in claim 1, wherein, in said cryptographic algorithm execution step, each internal computation required for algorithm execution is done twice and compared to detect fault attacks.
4. The method for detecting fault attacks against cryptographic algorithms as recited in claim 1, further comprising, in the cryptographic algorithm:
storing the at least one computed sub-key;
executing a reverse cryptographic algorithm on the result of the cryptographic algorithm execution step using the at least one computed sub-keys; and comparing the message and the result of the reverse cryptographic algorithm execution step;
wherein a fault attack is detected when the message and the result of the decrypting step are not identical.
storing the at least one computed sub-key;
executing a reverse cryptographic algorithm on the result of the cryptographic algorithm execution step using the at least one computed sub-keys; and comparing the message and the result of the reverse cryptographic algorithm execution step;
wherein a fault attack is detected when the message and the result of the decrypting step are not identical.
5. The method for detecting fault attacks against cryptographic algorithms as recited in claim 1, further comprising, in the cryptographic algorithm:
repeating said cryptographic algorithm executing step; and comparing the results of the two identical cryptographic algorithm executing steps;
wherein a fault attack is detected when the results of the two cryptographic algorithm executing steps are not identical.
repeating said cryptographic algorithm executing step; and comparing the results of the two identical cryptographic algorithm executing steps;
wherein a fault attack is detected when the results of the two cryptographic algorithm executing steps are not identical.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002327037A CA2327037A1 (en) | 2000-11-22 | 2000-11-22 | Method to detect fault attacks against cryptographic algorithms |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CA002327037A CA2327037A1 (en) | 2000-11-22 | 2000-11-22 | Method to detect fault attacks against cryptographic algorithms |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CA2327037A1 true CA2327037A1 (en) | 2002-05-22 |
Family
ID=4167761
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002327037A Abandoned CA2327037A1 (en) | 2000-11-22 | 2000-11-22 | Method to detect fault attacks against cryptographic algorithms |
Country Status (1)
| Country | Link |
|---|---|
| CA (1) | CA2327037A1 (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2003069841A1 (en) * | 2001-12-28 | 2003-08-21 | Gemplus | Method for detection of attacks on cryptographic algorithms by trial and error |
| WO2004056035A1 (en) * | 2002-12-13 | 2004-07-01 | Giesecke & Devrient Gmbh | Encoding method |
| FR2904901A1 (en) * | 2006-08-09 | 2008-02-15 | Sagem Defense Securite | METHOD FOR VERIFYING THE INTEGRITY OF AN ENCRYPTION KEY OBTAINED BY COMBINING KEY PARTS |
| DE102010055237A1 (en) * | 2010-12-20 | 2012-06-21 | Giesecke & Devrient Gmbh | Method for protected execution of a cryptographic calculation |
| DE102017006169A1 (en) * | 2017-06-29 | 2019-01-03 | Giesecke+Devrient Mobile Security Gmbh | Microprocessor setup with key-checking routine |
| WO2019058047A1 (en) | 2017-09-22 | 2019-03-28 | Commissariat à l'énergie atomique et aux énergies alternatives | Method for executing a machine code of a secure function |
-
2000
- 2000-11-22 CA CA002327037A patent/CA2327037A1/en not_active Abandoned
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2003069841A1 (en) * | 2001-12-28 | 2003-08-21 | Gemplus | Method for detection of attacks on cryptographic algorithms by trial and error |
| WO2004056035A1 (en) * | 2002-12-13 | 2004-07-01 | Giesecke & Devrient Gmbh | Encoding method |
| CN1748385B (en) * | 2002-12-13 | 2012-08-29 | 德国捷德有限公司 | Encoding method |
| CN101502038B (en) * | 2006-08-09 | 2012-10-10 | 摩福公司 | Method of verifying the integrity of an encryption key obtained by combining key parts |
| FR2904901A1 (en) * | 2006-08-09 | 2008-02-15 | Sagem Defense Securite | METHOD FOR VERIFYING THE INTEGRITY OF AN ENCRYPTION KEY OBTAINED BY COMBINING KEY PARTS |
| WO2008023107A2 (en) * | 2006-08-09 | 2008-02-28 | Sagem Securite | Method of verifying the integrity of an encryption key obtained by combining key parts |
| WO2008023107A3 (en) * | 2006-08-09 | 2008-04-10 | Sagem Securite | Method of verifying the integrity of an encryption key obtained by combining key parts |
| US8031867B2 (en) * | 2006-08-09 | 2011-10-04 | Morpho | Method of verifying the integrity of an encryption key obtained by combining key parts |
| DE102010055237A1 (en) * | 2010-12-20 | 2012-06-21 | Giesecke & Devrient Gmbh | Method for protected execution of a cryptographic calculation |
| DE102017006169A1 (en) * | 2017-06-29 | 2019-01-03 | Giesecke+Devrient Mobile Security Gmbh | Microprocessor setup with key-checking routine |
| DE102017006169B4 (en) | 2017-06-29 | 2019-01-24 | Giesecke+Devrient Mobile Security Gmbh | Microprocessor setup with key-checking routine |
| WO2019058047A1 (en) | 2017-09-22 | 2019-03-28 | Commissariat à l'énergie atomique et aux énergies alternatives | Method for executing a machine code of a secure function |
| FR3071633A1 (en) * | 2017-09-22 | 2019-03-29 | Commissariat A L'energie Atomique Et Aux Energies Alternatives | METHOD FOR EXECUTING A MACHINE CODE OF A SECURE FUNCTION |
| US11442738B2 (en) | 2017-09-22 | 2022-09-13 | Commissariat A L'energie Atomique Et Aux Energies Alternatives | Method for executing a machine code of a secure function |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11797683B2 (en) | Security chip with resistance to external monitoring attacks | |
| CA2334597C (en) | Leak-resistant cryptographic indexed key update | |
| JP5306465B2 (en) | Pre-calculation of message authentication code applied to secure memory | |
| JP2020522205A (en) | Progressive key encryption algorithm | |
| US20100303229A1 (en) | Modified counter mode encryption | |
| US8144865B2 (en) | Protection of the execution of a DES algorithm | |
| US20070019805A1 (en) | System employing systematic robust error detection coding to protect system element against errors with unknown probability distributions | |
| US20150288524A1 (en) | Methods and systems for glitch-resistant cryptographic signing | |
| JP4386766B2 (en) | Error detection in data processing equipment. | |
| CA2327037A1 (en) | Method to detect fault attacks against cryptographic algorithms | |
| CN107766725B (en) | Template attack resistant data transmission method and system | |
| CN112532373B (en) | Differential fault analysis method, system and storage medium for stream cipher algorithm |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| FZDE | Dead |