Vol.3 No.1 2010

Research paper: Secure implementation of cryptographic modules (A. Satoh et al.), Synthesiology - English edition Vol.3 No.1 (2010)

on security evaluation technology, cooperating with other organizations including NIST and CRYPTREC in its neutral position, listening to industry’s voice.

In the operation of an evaluation system, every participating testing laboratory is required to produce the same evaluation results when given the same target cryptographic module. To ensure uniform evaluation environments and analysis skills, we plan to conduct a skill test for the testing laboratories using a SASEBO that implements a cryptographic circuit. We are also developing an analysis tool for the testing laboratories, who would then demand a training program using the board or the tool. Developing and operating such a training program will require much money and human resources, but it is difficult to keep acquiring public funds for it. Note that not only does society as a whole obviously benefit from improved security of cryptographic products, but cryptographic product vendors and the testing laboratories running a security evaluation business also benefit from this security evaluation movement. Therefore, we should take advantage of the vitality of corporations to realize higher security and to advance the evaluation systems.

To this end, we have brought the SASEBO to market through a few Japanese circuit board vendors, with the aim of popularizing the evaluation and countermeasure technologies. We are also planning to expand the distribution channel overseas. There are two companies in Europe and one in the U.S. that run smart card evaluation tool businesses. Our negotiations with each of the three companies resulted in all of their tool products supporting the SASEBO.
In addition, discussions are in progress to offer their evaluation tools and training programs to the testing laboratories together with the analysis scheme AIST is developing. As a public research institution, AIST will control the fundamental subjects, such as the standardization of evaluation methods and the development of analysis technology, with other organizations including CRYPTREC and NIST, and will pursue further cooperation with domestic and overseas companies toward more efficient operation of the system.

4 Practical side-channel attacks

4.1 Various physical analysis attacks against cryptographic modules

Physical analysis attack methods against cryptographic modules are classified roughly into invasive attacks and non-invasive attacks, as shown in Fig. 2. Invasive attacks require expensive equipment and sophisticated technical skills to depackage the LSI, which is the core part of a cryptographic module, and to analyze its insides directly. In contrast, side-channel attacks[21][22], proposed by Kocher et al., are non-invasive attacks, which do not make modifications to the modules. They exploit information about the internal activity of the operating LSI that leaks through side channels, distinct from the normal I/O channels, in the form of power consumption waveforms, electromagnetic waves, or timing. Side-channel attacks only require relatively cheap equipment, such as an oscilloscope and a personal computer, to acquire and analyze the information, but they are a remarkably strong attack method.

While side-channel attacks, which observe the operating states of the LSI from outside, are classified as a passive attack method, fault-injection attacks, which inject noise into the power line or clock signal to induce false operations on the LSI and analyze its response, are classified as a more sophisticated attack. It is necessary to carry out the standardization of security evaluation schemes for fault-injection attacks, following that of side-channel attacks.
4.2 Side-channel attack standard evaluation board (SASEBO)

To construct a standard platform for security evaluation, we have developed the SASEBO boards and the cryptographic LSIs shown in Fig. 3 and Fig. 4, respectively. The SASEBO-G and SASEBO-B employ Xilinx® and Altera® FPGAs (Field Programmable Gate Arrays), respectively, which offer users reconfigurability of circuit functions for cryptographic algorithm implementation on different device architectures. To enable various side-channel attack experiments on these boards, we have designed circuits for all the ISO/IEC 18033-3 standard block ciphers and for the RSA scheme, the public-key cipher standard, and published their source code on our partner’s web site[23]. These boards support not only hardware experiments but also cryptographic software evaluation experiments using the Xilinx® FPGA’s embedded processor or a processor macro.

The cryptographic LSIs shown in Fig. 4 were fabricated in a 90-nm and a 130-nm CMOS standard cell process and contain the published cryptographic circuits. These LSIs are designed to be mounted on the SASEBO-R.

The SASEBO-GII, the latest SASEBO board, is equipped with a Xilinx® FPGA and has four to seven times the logic capacity of the SASEBO-G, while reducing the board area to one third of the size through much higher density. It also features cutting-edge partial reconfigurability for uses other than side-channel attack experiments, so that research on even higher-level hardware security systems is possible.

Fig. 2 Various physical attacks against cryptographic modules.
[Figure labels: fault attacks, side-channel attacks, invasive attack, non-invasive attack, input to inside of module, output from inside of module, normal data I/O.]
