It is well known that if a secret processed by a device can be correlated with side-effects of the calculation, then the secret can be deduced by measuring these side-effects. Such attacks were used back in time of mechanical rotary encryption machines.
Modern electronic cryptographic devices in addition to the acoustic side-channel of their mechanical predecessors, leak information by means of variation of their power consumption and electro-magnetic radiation. Aside from passively analyzing side-effects of cryptographic computations, an attacker can also actively subvert the environment to introduce faults into the computation. This approach is known as a “fault attack”.
Although the side-channel attacks on a general purpose CPU (especially, timing attacks) were known for a long time, the fault attacks were limited to very small devices, primarily, smart cards.
Recently, a team of researchers from Italy http://eprint.iacr.org/2010/130 presented a fault injection attack against cryptographic software run on an ARM9 general purpose CPU.
Fault injection attacks have proven in recent times a powerful tool to exploit implementative weaknesses of robust cryptographic algorithms. A number of different techniques aimed at disturbing the computation of a cryptographic primitive have been devised, and have been successfully employed to leak secret information inferring it from the erroneous results. In particular, many of these techniques involve directly tampering with the computing device to alter the content of the embedded memory, e.g. through irradiating it with laser beams.
In this contribution we present a low-cost, non-invasive and effective technique to inject faults in an ARM9 general purpose CPU through lowering its feeding voltage. This is the first result available in fault attacks literature to attack a software implementation of a cryptosystem running on a full fledged CPU with a complete operating system. The platform under consideration (an ARM9 CPU running a full Linux 2.6 kernel) is widely used in mobile computing devices such as smartphones, gaming platforms and network appliances.
At first, we validate the effectiveness of the proposed fault model to lead practical attacks to implementations of RSA and AES cryptosystems, using techniques known in open literature. Then we devised two new attack techniques, one for each cryptosystem. The attack to AES is able to retrieve all the round keys regardless both their derivation strategy and the number of rounds. A known ciphertext attack to RSA encryption has been devised: the plaintext is retrieved knowing the result of a correct and a faulty encryption of the same plaintext, and assuming the fault corrupts the public key exponent. Through experimental validation, we show that we can break any AES with roughly 4 kb of ciphertext, RSA encryption with 3 to 5 faults and RSA signature with 1 to 2 faults.