In this contribution we present a low-cost, non-invasive and effective technique to inject faults in an ARM9 general-purpose CPU by lowering its supply voltage. This is the first result in the fault-attack literature to attack a software implementation of a cryptosystem running on a full-fledged CPU with a complete operating system. The platform under consideration (an ARM9 CPU running a full Linux 2.6 kernel) is widely used in mobile computing devices such as smartphones, gaming platforms and network appliances.
We fully characterise both the fault model and the errors induced in the computation, in terms of both their frequency and the corruption patterns they leave on the computed results.
First, we validate the effectiveness of the proposed fault model for mounting practical attacks on implementations of the RSA and AES cryptosystems, using techniques known in the open literature. Then we devise two new attack techniques, one for each cryptosystem. The attack on AES is able to retrieve all the round keys regardless of both their derivation strategy and the number of rounds. For RSA encryption we devise a known-ciphertext attack: the plaintext is retrieved from the results of a correct and a faulty encryption of the same plaintext, assuming the fault corrupts the public exponent. Through experimental validation, we show that we can break any AES with roughly 4 kb of ciphertext, RSA encryption with 3 to 5 faults and RSA signature with 1 to 2 faults.
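The attacks above rely on the device releasing a faulty result. As an added illustration (not code from the paper), the following simulates the exponent-corruption fault model on a toy RSA signature and shows the standard countermeasure: verifying the signature with the public key before releasing it, so a faulted computation yields no output. The key material and the single-bit fault are constructed for this example.

```python
from typing import Optional

# Constructed toy RSA key (p=61, q=53): n=3233, e=17, d=2753 with e*d = 1 mod 3120.
N, E, D = 3233, 17, 2753


def modexp(base: int, exp: int, mod: int, fault_bit: Optional[int] = None) -> int:
    """Square-and-multiply exponentiation.

    fault_bit (assumption for this example) simulates one bit of the exponent
    being flipped by an undervoltage glitch, i.e. the fault model in which the
    exponent is corrupted during the exponentiation.
    """
    if fault_bit is not None:
        exp ^= 1 << fault_bit
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result


def unchecked_sign(msg: int, fault_bit: Optional[int] = None) -> int:
    """Vulnerable variant: releases whatever the exponentiation produced,
    so a faulty signature reaches the attacker."""
    return modexp(msg, D, N, fault_bit)


def checked_sign(msg: int, fault_bit: Optional[int] = None) -> Optional[int]:
    """Hardened variant: re-verify with the public exponent before release.
    Returns None instead of a faulty signature, denying the attacker the
    correct/faulty pair that the differential analysis needs."""
    sig = modexp(msg, D, N, fault_bit)
    if modexp(sig, E, N) != msg:
        return None          # fault detected: withhold the result
    return sig
```

The verification step itself can also be glitched, so in practice it is combined with redundant computation or checks on the stored exponent rather than used alone.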
Category / Keywords: RSA, AES, Cryptanalysis, Fault Attacks
Publication Info: An updated and extended version of this paper has been published in the Journal of Systems and Software.
Date: received 8 Mar 2010, last revised 21 Mar 2013
Contact author: barenghi at elet polimi it
Note: The updated version can be found at http://dx.doi.org/10.1016/j.jss.2013.02.021
Version: 20130321:101357
Short URL: ia.cr/2010/130