Key Extraction Using Thermal Laser Stimulation: A Case Study on Xilinx Ultrascale FPGAs

Heiko Lohrke¹, Shahin Tajik¹,², Thilo Krachenfels¹, Christian Boit¹, and Jean-Pierre Seifert¹ (¹ Technische Universität Berlin, ² University of Florida)


  1. Key Extraction Using Thermal Laser Stimulation: A Case Study on Xilinx Ultrascale FPGAs. Heiko Lohrke¹, Shahin Tajik¹,², Thilo Krachenfels¹, Christian Boit¹, and Jean-Pierre Seifert¹ (¹ Technische Universität Berlin, ² University of Florida). September 10th, 2018, CHES 2018

  2. Background

  3. Bitstream Encryption (diagram: FPGA, JTAG, BBRAM / eFuse, AES Decryptor)

  5. Bitstream Encryption (diagram: Design, AES Encryptor, NVM, …; FPGA with BBRAM / eFuse and AES Decryptor)

  6. Bitstream Encryption (diagram: NVM holding the encrypted bitstream 10111001010; FPGA with BBRAM / eFuse and AES Decryptor producing the bitstream 010101…)

  7. Case Study: Key Extraction from BBRAM (diagram: same as slide 6, with TLS applied to BBRAM / eFuse)

  8. Thermal Laser Stimulation (TLS)
     - The chip is scanned with a 1.3 µm laser beam from the backside
     - The current changes in response to the local thermal stimulations
     - Measured current is monitored by a current amplifier >> a proportional analog voltage is generated
     - Analog voltage is fed into image acquisition hardware while scanning the laser
     (diagram: Chip, Laser, VDD (+), GND (-), Power Supply, Current Amplifier, PC)

  9. SRAM readout using TLS
     - Thermal stimulation leads to thermal gradient at the source/drain of the transistors
     - Different materials lead to Seebeck voltage generation
     - Seebeck voltage alters gate voltage of non-conducting transistor -> increased leakage current
     - Which parts of the cell are sensitive depends on cell logical state
     (diagram: Seebeck Generator, IC backside, Laser beam)

  12. Experimental Setup

  13. Experimental Setup

  14. Experimental Setup
      - Device under Test (DUT): Avnet Kintex UltraScale Development Board
        - Chip’s technology: 20 nm
        - No chip preparation (e.g., depackaging, silicon polishing, etc.) required

  15. Experimental Setup
      - Device under Test (DUT): Avnet Kintex UltraScale Development Board
        - Chip’s technology: 20 nm
        - No chip preparation (e.g., depackaging, silicon polishing, etc.) required
      - Optical Setup: Hamamatsu PHEMOS-1000
        - Laser wavelength: 1.3 µm
        - Laser spot size: approximately 1 µm

  16. Results

  17. Localizing the Configuration Logic (image: Xilinx Kintex UltraScale in flip chip package)

  18. Localizing the Configuration Logic (images: Xilinx Kintex UltraScale in flip chip package; image acquisition with a laser scanning microscope)

  19. Localizing the Configuration Logic (image label: Configuration Logic)

  20. Localizing BBRAM using Laser Stimulation

  21. Localizing BBRAM using Laser Stimulation: Laser stimulation of configuration area and measuring the current on VBATT when BBRAM key is set. FPGA is powered off in all experiments!

  22. Localizing BBRAM using Laser Stimulation: Laser stimulation of configuration area and measuring the current on VBATT when BBRAM key is not set. FPGA is powered off in all experiments!

  23. Localizing the key bits in BBRAM by TLS (1): Set 255 bits to “0” and one bit to “1”. Shifting the bit “1” eight times by one bit. (image label: 1 bit)

  24. Localizing the key bits in BBRAM by TLS (2): Set all 256 bits to “1” and reset all bits to “0” again.

  25. Automatic Key Recovery (images: target image containing the key; reference image of the cleared BBRAM)

  26. Automatic Key Recovery: 0xd781b86f274630b561f39c9736f512eb0adf714f0d5c836c7a76ff627aca4923

  27. Conclusion
      - The required effort to develop the attack is shown to be less than 7 hours.
      - The lower cost and higher availability of TLS in comparison to other optical attacks make this technique even more threatening.
      - The stored key in the BBRAM of the FPGA can be extracted when the FPGA is disconnected from power >> conventional side-channel countermeasures are incapable of preventing such an attack.

  28. Thank you

  29. Countermeasure: Adding Noise
      - Countermeasure Requirements:
        - Preventing the attack, even when the FPGA is turned off
        - Not draining the backup battery excessively, so that the device can be in its powered-off state for a long time.
        - Realizable by standard processes

  31. Countermeasure Results
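
For evaluating the "Adding Noise" countermeasure against the target-minus-reference comparison on the Automatic Key Recovery slides, a defender can estimate how much noise makes the per-bit decision on a 256-bit BBRAM key unreliable. This is an added example, not from the slides or the authors; the Gaussian noise model, the per-cell response shift `delta`, the threshold decoder and all function names are assumptions.

```python
import math
import random

KEY_BITS = 256  # BBRAM key length stated on the slides

# Assumed model (not from the slides): a cell storing "1" shifts its measured
# response by `delta` relative to the cleared reference image, and the
# countermeasure adds independent Gaussian noise of std `sigma` to every
# measurement. A decoder thresholds (target - reference) at delta / 2.

def analytic_ber(delta, sigma):
    """Per-bit error probability of the threshold decoder."""
    if sigma == 0:
        return 0.0
    # The difference of two noisy measurements has std sigma * sqrt(2).
    z = (delta / 2) / (sigma * math.sqrt(2))
    return 0.5 * math.erfc(z / math.sqrt(2))  # Gaussian tail Q(z)

def simulated_ber(delta, sigma, trials=200, seed=1):
    """Monte Carlo check of analytic_ber over constructed random keys."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(trials):
        key = [rng.getrandbits(1) for _ in range(KEY_BITS)]
        for bit in key:
            target = bit * delta + rng.gauss(0, sigma)  # key loaded
            reference = rng.gauss(0, sigma)             # BBRAM cleared
            decoded = 1 if (target - reference) > delta / 2 else 0
            errors += decoded != bit
    return errors / (trials * KEY_BITS)

def noise_sweep(delta=1.0, sigmas=(0.0, 0.1, 0.5, 2.0, 10.0)):
    """Rows of (sigma, analytic BER, simulated BER, expected wrong bits)."""
    rows = []
    for s in sigmas:
        a = analytic_ber(delta, s)
        rows.append((s, a, simulated_ber(delta, s), a * KEY_BITS))
    return rows

if __name__ == "__main__":
    for s, a, m, wrong in noise_sweep():
        print(f"sigma/delta={s:5.1f}  BER analytic={a:.4f} "
              f"simulated={m:.4f}  expected wrong bits: {wrong:.1f}")
```

A bit error rate near 0.5 means the decoded bits carry almost no information about the key; under this model that only happens once the noise is several times larger than the response shift, which has to be weighed against the battery-drain requirement on slide 29.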
