## The Need for Intrinsic Hardware Security below 65nm

Mathias Wagner, Chief Security Technologist, Business Unit Security & Connectivity



### Content

- Introduction & Overview
- Security landscape: What are the business cases of today? What level of security do they need? What technology is available?
- What happens to attack vectors as technology moves to 65nm and below
- Conclusion



## Security landscape: Where are we today?



## **USE CASES**



### NXP in established security markets



\* H1 2014 acc. to ABI; \*\* ABI 2014

### **Embedded secure elements**



#### Wallet






### End to end security





### The root of trust





## NEED FOR HW SECURITY



## Why is a secure element needed for security?

#### **Reduce Impact of SW bugs**

- Java SW averages ~1 bug every 80 lines of code.
- With intense review ~1 bug in 500 lines of code.
- This rate goes up again as code size and thus complexity increases.

#### **Reduce Complexity**

- The complexity caused by all devices connected with each other, multiplied by their functionality, keeps increasing dramatically.

#### **Reduce Attack Surface**

- A small, compact design with a few well-defined APIs has a much smaller attack surface to get worried about.



## Why is a secure element needed for security?

#### **Provide End-2-End Security**

- E-2-E Security is needed to "tunnel" through hostile territory.
- Example: Payment with phone $\leftrightarrow$ back end

#### **Provide Secure Key Storage**

- At the root of any cryptography are secret keys.
- Keeping secret keys secret is the essence of strong crypto.

#### **Certification**

- Independent 3<sup>rd</sup> party verification of the security promise!



## CERTIFICATION



## **Security Evaluation**

#### FIPS 140-2

- Levels 1-4
- Not dedicated to smart cards, so it may also describe the physical security of a secure letter box...
- Based on Do's and Don'ts
- Based on Checklists

#### Common Criteria

- In practice levels EAL 3-6+
- Levels 6 & 7 require formal modeling and proofs
- Variant dedicated to smart cards available
- Based on Assets that need to be protected, like secret keys, user data, user SW

## **Common Criteria – Mission Statement**

CC Evaluation rates the Correctness and Effectiveness of implemented Security Functions

- Covering the whole development and production process
- Involving independent accredited security labs

Assurance Levels: EAL1 - EAL7



## "EAL" Assurance Levels

- EAL 7: formally verified design & tested
- EAL 6: semi-formally verified design & tested
- EAL 5: semi-formally designed & tested
- EAL 4: methodically designed, tested & reviewed
- EAL 3: methodically tested & checked
- EAL 2: structurally tested
- EAL 1: functionally tested



## TECHNOLOGY



## **Technology progress**







# Below 65 nm

## **Attack vectors**


## INVASIVE



## Invasive attacks complexity





## **HW Reverse engineering**

Steps of the flow, from silicon to algorithm:

- Image chip: polishing, microscope, image stitching
- Recognize structures: pattern recognition, wire tracing
- Interpret structures: gate simulation
- Algorithm

#### Chip image



#### Wires



#### Netlist

(Figure: excerpt of an annotated XML netlist with `<gate-library>` and `<ports>` sections; only a fragment survived extraction.)

From: Olivier Thomas, "Advanced Engineering Techniques: In-Depth Analysis of a Modern Smart Card", Blackhat USA 2015



January 10, 2016

### **Open source tool**


#### Welcome to the Degate Project Website.

#### About Degate

Degate's purpose is to aid in VLSI reverse engineering of digital logic in integrated circuits (ICs). Degate helps you to explore images from ICs. It matches standard cells on the imagery given by graphical templates and, to some degree, vias and wires. Degate assists you in tracing circuit paths and in reconstructing the netlist.

Degate is not a completely automatic analyzing tool. Degate helps you with some automation in your manual reverse engineering process.

#### Supported Platforms

Degate is developed under Ubuntu and OS X. The GUI is based on gtkmm. So Degate should run on any unixoid platform where gtkmm was ported to.

#### Status

Degate is a spare time project. It is still under development. Some project steps are already implemented, other steps are not. Please have a look at the status page to see what is implemented until now. Degate is the topic of my diploma thesis, which was published in June 2011.

#### Author and Licence

Degate is developed by Martin Schobert. The software is open source. It is released under the GNU General Public Licence Version 3.



Source: http://www.degate.org/





## **FAULT INJECTION**



### Laser fault injection

- Question: Do small feature sizes make laser fault injection more difficult?
- Critical aspects for a successful fault injection
  - Enough light to manipulate bits
  - Little enough light to avoid triggering countermeasures
  - Correct timing
  - Repeatability
  - Predictable impact on the IC operation





## Charge generation by laser light





#### Determined by

- Wavelength
- Light Intensity
- Illuminated volume

#### Maintained for

- All technology nodes equally
- Slight differences due to dopant concentrations

#### For newer technologies

- NIR laser spots always illuminate multiple cells
- Frontside illumination is blocked by metal layers



## **Charge diffusion / drift**





LFI into a particular cell requires maximum focusing.



### Impact on bit flips





## **EM-SIDE-CHANNEL**



### **EM – Side-Channel**

- Question: Do small feature sizes affect EM-SCA?
- Critical aspects
  - Raw signal strength through probe
  - Signal-to-noise ratio through probe
  - Spatial resolution
  - Temporal resolution
  - Analysis stays mostly constant



## **Electromagnetic Emanation**



#### EMA signal created by

- Current through metal line
- Coupled by magnetic field
- To a vertical or horizontal coil

#### **EMA** detects

Changes in current through the line

#### Leaks information on

- Internal power consumption
- Loading/unloading of internal capacitances



## **SNR in EM probing**





#### Determined by

- Absolute flux through probe
- Ratio of signal to noise

#### For each generation

- Core voltage changes but current stays about the same
- Absolute flux per line length constant

#### For newer technologies

- Smaller structures lead to overlapping and hence decreased SNR
- Higher clock frequency increases SNR via quicker changes in flux



## **Resolution of EM probing**



#### Determined by

- Probe dimension
- Density of probed lines

#### Newer technologies

Need smaller probes for the same spatial resolution

#### Smaller probes lead to

- Lower induction  $\rightarrow$  worse SNR
- High complexity of setup



### Impact on EM probing



- Resolution decreases with smaller technologies
- Increased cost for smaller EM probes

- Absolute flux per line and per area stays constant
- Higher clocks lead to higher signal through  $\Delta \phi / \Delta t$



## Stories from behind the metal shield



## SAFE ERROR



### **Safe Error Attack Analysis**

- Based on bit flip bias
- Independent of technology node
- Attack runs in three phases





# **Physical Characterization**

#### **Determine bit flip bias**

- Scan a set of standard registers with an LFI station
- Two Presets: 0x00, 0xFF



## **Physical Characterization**

(Figure: results for presets 0x00 and 0xFF over different laser pulse energies and positions.)






- Preferred flip direction for very low energy:  $0 \rightarrow 1$
- Not a 100% bias, but enough for a safe-error attack



# **Effect of masking**

#### Targeted pair could be

- Two mask bits
- Two masked key bits
- One mask, one masked key bit

#### Possible effects of hitting a pair

- Flip bias $0 \rightarrow 1$ (Masked Key = Key XOR Mask; an arrow marks a bit the fault flipped)

| Key | Mask | Masked Key | Mask' | Masked Key' | Key'   |
|-----|------|------------|-------|-------------|--------|
| 0   | 0    | 0          | → 1   | → 1         | 0 -> 0 |
| 0   | 1    | 1          | 1     | 1           | 0 -> 0 |
| 1   | 0    | 1          | → 1   | 1           | 1 -> 0 |
| 1   | 1    | 0          | 1     | → 1         | 1 -> 0 |
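The table can be reproduced by a few lines of code, which also makes the defender-side lesson explicit: under a 0 → 1 biased fault on the (mask, masked key) pair, the unmasked key bit always ends up 0, so whether the computation result changes depends only on the original key bit, and masking alone does not remove that dependency. The block below is an added example written for this page, not code from the slides or from NXP; the complementary-storage check at the end is a generic consistency countermeasure used here for illustration and is not something the slides describe.

```python
"""Model of the 'Effect of masking' table: a 0 -> 1 biased fault hits the
(mask, masked key) pair.  Added example; masked_key = key XOR mask."""

from itertools import product


def biased_flip(bit: int) -> int:
    """Fault model from the table: a 0 is driven to 1, a 1 stays 1."""
    return 1


def fault_pair(key: int, mask: int) -> dict:
    """Apply the biased fault to both bits of the pair and unmask again."""
    masked = key ^ mask
    mask_f = biased_flip(mask)
    masked_f = biased_flip(masked)
    key_f = mask_f ^ masked_f          # recombination after the fault
    return {"key": key, "mask": mask, "masked": masked,
            "mask'": mask_f, "masked'": masked_f, "key'": key_f}


def masking_table() -> list:
    """All four (key, mask) combinations, i.e. the rows of the table."""
    return [fault_pair(k, m) for k, m in product((0, 1), repeat=2)]


def result_changes(key_bit: int) -> bool:
    """Safe-error view: does the faulted result differ from the correct one?
    key' is 0 for every mask, so this is True exactly when key_bit == 1."""
    return all(fault_pair(key_bit, m)["key'"] != key_bit for m in (0, 1))


def complement_check_detects(bit: int) -> bool:
    """Illustrative countermeasure (not from the slides): store each bit with
    its complement.  The biased fault drives both copies to 1, so they are no
    longer complementary and the consistency check fires."""
    stored, stored_bar = bit, bit ^ 1
    faulted, faulted_bar = biased_flip(stored), biased_flip(stored_bar)
    return faulted == faulted_bar      # True = inconsistency detected


if __name__ == "__main__":
    for row in masking_table():
        print(row)
    print("result changes for key bit 1:", result_changes(1))
    print("result changes for key bit 0:", result_changes(0))
```

Running the block prints the four rows of the table; the last two lines show the safe-error property that the attack phases below rely on, and the complement check shows one way a design can turn the same fault into a detectable inconsistency rather than a silent key-dependent change.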



# **Excursion – Security Evaluation**

**Identification Phase:**

- Perform the attack once to demonstrate its feasibility and / or achieve a one-time benefit (learning phase)

**Exploitation Phase:**

- Perform the attack **multiple times** for commercial exploitation

Information Flow between these Phases:

- One of the outcomes of the Identification Phase is a **virtual script** that tells the attacker of the Exploitation Phase how to perform the attack



# **Excursion – CC for Smart Cards**

| Range of values<br>CC 3.x | TOE resistant to attackers with attack<br>potential of: |
|---------------------------|---------------------------------------------------------|
| 0-15                      | No rating                                               |
| 16-20                     | Basic                                                   |
| 21-24                     | Enhanced-Basic                                          |
| 25-30                     | Moderate                                                |
| 31 and above              | High                                                    |

We need to achieve 31 points for VAN.5 (part of EAL 4+, 5, 5+, 6, 6+) for each and every attack path!

"Application of Attack Potential to Smartcards" (developed for JIL by JHAS group)

| Factors                       | Identification | Exploitation |
|-------------------------------|----------------|--------------|
| Elapsed time                  |                |              |
| < one hour                    | 0              | 0            |
| < one day                     | 1              | 3            |
| < one week                    | 2              | 4            |
| < one month                   | 3              | 6            |
| > one month                   | 5              | 8            |
| Not practical                 | *              | *            |
| Expertise                     |                |              |
| Layman                        | 0              | 0            |
| Proficient                    | 2              | 2            |
| Expert                        | 5              | 4            |
| Multiple Expert               | 7              | 6            |
| Knowledge of the TOE          |                |              |
| Public                        | 0              | 0            |
| Restricted                    | 2              | 2            |
| Sensitive                     | 4              | 3            |
| Critical                      | 6              | 5            |
| Very critical hardware design | 9              | NA           |
| Access to TOE                 |                |              |
| < 10 samples                  | 0              | 0            |
| < 100 samples                 | 2              | 4            |
| > 100 samples                 | 3              | 6            |
| Not practical                 | *              | *            |
| Equipment                     |                |              |
| None                          | 0              | 0            |
| Standard                      | 1              | 2            |
| Specialized                   | 3              | 4            |
| Bespoke                       | 5              | 6            |
| Multiple Bespoke              | 7              | 8            |
| Open samples                  |                |              |
| Public                        | 0              | NA           |
| Restricted                    | 2              | NA           |
| Sensitive                     | 4              | NA           |
| Critical                      | 6              | NA           |
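The two tables above are applied by adding the Identification and Exploitation points for one attack path and mapping the sum onto the CC 3.x bands. The following calculator is an added example written for this page (not an NXP or JIL tool): the factor values are copied from the JIL table, the bands from the CC 3.x table, and the function names are my own. The sample factor choices are constructed so that they reproduce the 14 + 13 = 27 total the deck quotes for its scenario; the deck does not say which factors were selected, so these are not its actual choices.

```python
"""Attack-potential rating per the JIL 'Application of Attack Potential to
Smartcards' table.  Added example; factor names and values as in the table,
function and variable names are this example's own."""

# factor -> choice -> (identification points, exploitation points)
# None marks a cell the table gives as NA for that phase.
FACTORS = {
    "elapsed_time": {"< one hour": (0, 0), "< one day": (1, 3), "< one week": (2, 4),
                     "< one month": (3, 6), "> one month": (5, 8)},
    "expertise": {"layman": (0, 0), "proficient": (2, 2), "expert": (5, 4),
                  "multiple expert": (7, 6)},
    "knowledge_of_toe": {"public": (0, 0), "restricted": (2, 2), "sensitive": (4, 3),
                         "critical": (6, 5), "very critical hardware design": (9, None)},
    "access_to_toe": {"< 10 samples": (0, 0), "< 100 samples": (2, 4), "> 100 samples": (3, 6)},
    "equipment": {"none": (0, 0), "standard": (1, 2), "specialized": (3, 4),
                  "bespoke": (5, 6), "multiple bespoke": (7, 8)},
    "open_samples": {"public": (0, None), "restricted": (2, None), "sensitive": (4, None),
                     "critical": (6, None)},
}

# CC 3.x bands: (low, high inclusive or None for open-ended, rating)
RATING_BANDS = [(0, 15, "No rating"), (16, 20, "Basic"), (21, 24, "Enhanced-Basic"),
                (25, 30, "Moderate"), (31, None, "High")]

VAN5_THRESHOLD = 31  # points needed for AVA_VAN.5 on every attack path

PHASE_INDEX = {"identification": 0, "exploitation": 1}


def phase_points(choices: dict, phase: str) -> int:
    """Sum the points of one phase; rejects missing or non-applicable factors.
    'Not practical' (the '*' rows) is modelled as a ValueError: no rating."""
    idx = PHASE_INDEX[phase]
    required = set(FACTORS) if phase == "identification" else set(FACTORS) - {"open_samples"}
    missing = required - set(choices)
    if missing:
        raise ValueError(f"missing factor(s) for {phase}: {sorted(missing)}")
    total = 0
    for factor, choice in choices.items():
        if choice == "not practical":
            raise ValueError(f"{factor}: attack path not practical, no rating")
        value = FACTORS[factor][choice][idx]
        if value is None:
            raise ValueError(f"{factor}={choice!r} is not applicable in the {phase} phase")
        total += value
    return total


def rate(total: int) -> str:
    """Map a point total onto the CC 3.x resistance band."""
    for low, high, name in RATING_BANDS:
        if total >= low and (high is None or total <= high):
            return name
    raise ValueError("negative total")


def attack_potential(identification: dict, exploitation: dict) -> dict:
    ident = phase_points(identification, "identification")
    expl = phase_points(exploitation, "exploitation")
    total = ident + expl
    return {"identification": ident, "exploitation": expl, "total": total,
            "rating": rate(total), "meets_van5": total >= VAN5_THRESHOLD}


# Constructed sample choices (not the deck's actual selection), picked so
# that they reproduce the quoted 14 + 13 = 27.
EXAMPLE_IDENTIFICATION = {
    "elapsed_time": "< one week", "expertise": "expert", "knowledge_of_toe": "restricted",
    "access_to_toe": "< 100 samples", "equipment": "specialized", "open_samples": "public",
}
EXAMPLE_EXPLOITATION = {
    "elapsed_time": "< one day", "expertise": "proficient", "knowledge_of_toe": "public",
    "access_to_toe": "< 100 samples", "equipment": "specialized",
}

if __name__ == "__main__":
    print(attack_potential(EXAMPLE_IDENTIFICATION, EXAMPLE_EXPLOITATION))
```

For the constructed choices the result is 27 points, i.e. "Moderate", which falls short of the 31 points the text requires for VAN.5; the `meets_van5` flag makes that check explicit for each attack path an evaluator rates.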

## **Identification scenario**





## **Exploitation scenario**

#### **Result from identification phase**

- Physical location of bits
- Timing information on key loading

#### **Additional conditions**

- Known cipher text, known plain text
- Unlimited tries

#### Attack

- Pair of masked key and mask
- Between key loading and AES operation
- Either a spatial or a temporal double shot
- Analyse result, get key



## **Identification phase**

Identification of physical location of key bits

- Problem 1: Key bits are masked
- Problem 2: Mask bits are stored scrambled
- Problem 3: Any reset is creating a new mask and scrambling pattern

#### Assumptions

- Mask has on average a Hamming Weight of 0.5
- Mask bits are scrambled byte-wise and independently



# **Identification phase**





# **Excursion – CC for Smart Cards**

Rating the scenario above with the JIL attack potential table given earlier:

- Identification 14 + Exploitation 13 = 27 points
- 27 points lies in the 25-30 band, i.e. "Moderate", below the 31 points required for VAN.5

# Conclusion


# **Security Summary**

- The question is whether HW security offers sufficient advantages over SW security in an Online World, where a system view is required → We like to believe it does...
- Security will improve as technology shrinks, but not per se dramatically
- Security Analysts are here to stay...







### SECURE CONNECTIONS FOR A SMARTER WORLD