Optical surveillance on silicon chips - Cambridge Computer Laboratory

Optical surveillance on silicon chips: your crypto keys are visible

Security Group, Computer Laboratory, University of Cambridge, 13 October 2009

Dr Sergei Skorobogatov, http://www.cl.cam.ac.uk/~sps32

email: [email protected]


Talk Outline
• Introduction
• Background of optical emission
• Experimental setup
• Results for an old microcontroller chip
• Limitations and improvements
• Challenge with modern chips
• Results for a secure FPGA chip
• Countermeasures
• Conclusion


Introduction
• Operating semiconductor circuits emit photons
  – known for over 40 years
  – actively used in failure analysis for over 20 years

• Existing failure analysis techniques
  – picosecond imaging circuit analysis (PICA) uses a photomultiplier array
  – photon emission microscopy (PEM) uses special IR cameras
  – both techniques are expensive and require sophisticated sample preparation

• What about hardware security?
  – any possibility of seeing internal signals?
  – any leaks from memory arrays?


Introduction
• Optical emission analysis attacks were introduced in 2008 and exploit the well-known fact that the photon emission of a chip is correlated with the processed data*
  – done on a PIC16F84A (0.9 μm) running at 6 MHz with a 7 V supply
  – from the backside, with the silicon substrate thinned down to 20 μm
  – using a Mepsicron II camera with hi-res 2D imaging and 50 ps timing
  – continued for 12 hours with test code in a loop
  – proved that the AES key can be extracted from the operating device

• Can this be used to compromise security in silicon chips?
  – requires expensive equipment and special chip preparation
  – was not considered a threat, hence no protection is in place
  – does not form part of standard security evaluation techniques

* J. Ferrigno et al, “When AES blinks: introducing optical side channel”, IET Information Security


Introduction
• Challenges
  – find low-cost detectors suitable for optical emission analysis
  – reduce the cost of sample preparation

• Any technical progress over the past 20 years?
  – are modern CCD cameras good for the attack?
  – what about photomultipliers (PMT)?
  – what parameters are essential for such detectors?

• If the optical emission from an operating chip is correlated with the processed data, is there also a correlation between photon emission and power consumption?
  – if found, this can be used for finding weak spots in protection against power analysis attacks
  – optical emission can be scaled down to an individual transistor


Background
• What is the problem with optical emission analysis attacks?
• Number of photons emitted per switch of a transistor:
  $N_e = S_e B \frac{L_H I_d}{q v_s} T_s \approx 10^{-2} \ldots 10^{-4}$ photons/switch
  where $S_e$ is the spectral emission density, $B$ the emission bandwidth, $L_H$ the hot-carrier region length, $I_d$ the drain current, $q$ the electron charge, $v_s$ the carrier saturated velocity and $T_s$ the transition time
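As an added worked example (not code from the slides or from the author), the following Python evaluates the per-switch photon yield formula above and scales it to a measurement window, which is what decides how many operations an adversary must observe. All parameter values, the one-switch-per-cycle assumption and the detection fraction are constructed assumptions; the slide gives only the formula and the 10^-2…10^-4 photons/switch range.

```python
"""Photon-budget estimate for optical emission analysis (added example).

Evaluates N_e = S_e * B * (L_H * I_d / (q * v_s)) * T_s from the slide and
scales the per-switch yield to the number of photons emitted over a
measurement window. Every numeric parameter below is a constructed
assumption chosen to land inside the slide's 1e-4..1e-2 photons/switch
range; none is a measured value.
"""
from dataclasses import dataclass

ELEMENTARY_CHARGE_C = 1.602176634e-19  # q, exact SI value in coulombs


@dataclass(frozen=True)
class EmissionParams:
    """Symbols of the slide's formula with assumed SI-style units."""
    s_e: float  # spectral emission density: photons per carrier per unit bandwidth per second (assumed)
    b: float    # emission bandwidth, in the unit that cancels s_e's bandwidth term
    l_h: float  # hot-carrier region length, metres
    i_d: float  # drain current, amperes
    v_s: float  # carrier saturated velocity, metres per second
    t_s: float  # transition time, seconds


def hot_carriers_in_region(p: EmissionParams) -> float:
    """L_H * I_d / (q * v_s): carriers in flight through the hot-carrier region."""
    return p.l_h * p.i_d / (ELEMENTARY_CHARGE_C * p.v_s)


def photons_per_switch(p: EmissionParams) -> float:
    """N_e: emission rate per carrier times carrier count times transition time."""
    return p.s_e * p.b * hot_carriers_in_region(p) * p.t_s


def photons_emitted(n_e: float, switch_rate_hz: float, seconds: float) -> float:
    """Total photons emitted by one transistor switching at switch_rate_hz."""
    return n_e * switch_rate_hz * seconds


def seconds_to_collect(target_photons: float, n_e: float,
                       switch_rate_hz: float, detection_fraction: float) -> float:
    """Observation time before a detector catching `detection_fraction` of the
    emitted photons has accumulated `target_photons` (constructed figure of merit)."""
    if not 0.0 < detection_fraction <= 1.0:
        raise ValueError("detection_fraction must be in (0, 1]")
    return target_photons / (n_e * switch_rate_hz * detection_fraction)


# Constructed parameters (assumptions, not measurements): 100 nm hot region,
# 100 uA drain current, 1e5 m/s saturated velocity, 100 ps transition.
EXAMPLE = EmissionParams(s_e=1.0e5, b=1.0, l_h=1.0e-7, i_d=1.0e-4,
                         v_s=1.0e5, t_s=1.0e-10)

if __name__ == "__main__":
    n_e = photons_per_switch(EXAMPLE)
    print(f"carriers in hot region: {hot_carriers_in_region(EXAMPLE):.1f}")
    print(f"N_e = {n_e:.2e} photons/switch")
    # 6 MHz clock and 12 h loop are the slide's PIC16F84A figures; one switch
    # per clock cycle is an assumption.
    emitted = photons_emitted(n_e, 6e6, 12 * 3600)
    print(f"emitted over 12 h at 6 MHz: {emitted:.2e} photons")
    # 1e-4 detection fraction is a placeholder; the slide only says "small fraction".
    t = seconds_to_collect(1e5, n_e, 6e6, 1e-4)
    print(f"seconds to collect 1e5 detected photons: {t:.0f}")
```

The split into `hot_carriers_in_region` and `photons_per_switch` mirrors the bracketed term of the formula, so a reviewer can check the units of each factor separately; `seconds_to_collect` is the quantity a risk assessment actually needs, since it turns a per-switch yield into a required number of observed operations.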

• Emission spectrum is from ~500 nm to above 1200 nm, with maximum emission at 900 nm…1100 nm (NIR region)
• Only a small fraction of the emitted photons can be detected: