請用此 Handle URI 來引用此文件:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/20013
標題: | 於AES硬體架構上注入高頻時脈實現錯誤攻擊法 A Practical Power Glitch Attack on Hardware Implementations of AES |
作者: | Ke-Syuan Chen 陳克烜 |
指導教授: | 鄭振牟 |
關鍵字: | 錯誤攻擊法,管線化AES,開源式AES,高頻時脈,錯誤傳遞, fault injection,pipeline,OpenCores AES,glitch,error propagation, |
出版年 : | 2018 |
學位: | 碩士 |
摘要: | 差別錯誤分析成為一種新型態的密碼分析方法,將加密裝置暴露在錯誤攻擊法的危險之中,攻擊者於加密裝置上注入錯誤產生錯誤密文,因此攻擊者再取得錯誤密文與正確密文,進一步分析取得密鑰將加密裝置破解,舉例實作錯誤攻擊法的方式:注入高頻頻率、降低電壓準位以及超過工作溫度等等。錯誤攻擊法中,賦予攻擊者具有能力在加密過程中去做選擇注入錯誤的時間與位置,以達到攻擊者預期的錯誤特徵。
本論文中,將之前的錯誤模型做延伸,我們產生了一個更能夠廣泛使用的錯誤模型:容忍錯誤,能夠解決一至三個錯誤位元組的範圍;因為AES 架構的差異於四個暫存器在加密回合中,我們發現到使用減少加密回合的方法能夠有效的被執行;使用錯誤攻擊法跳過一個加密運算等同於跳過一次加密回合,疊式AES 與管線化AES 將深入地探討錯誤攻擊法,包含如何過濾候選密鑰以及在不同暫存器架構下中錯誤傳遞的過程,本論文實驗中,使用高頻時脈實現錯誤攻擊法,減少加密所須時間使特定加密運算失效,並提出針對管線化AES 的攻擊方式「初始化加密」,攻擊者透過差別錯誤分析於正確密文與錯誤密文,還原出加密所使用的密鑰。 DFA (Differential Fault Analysis) formed the new type of cryptanalytic and posed the threat to crash secret devices by fault injection. The attacker injects the fault to make the secret devices generate the faulty ciphertext; therefore, the attacker analyzes differences between the faulty ciphertext and correct ciphertext to figure out their relationship in order to reverse the secret key. There are many ways to implement the fault injection such as injecting the abnormal clock, pulling down the voltage level and exceeding the working temperature. Through fault injection, we assume that the attacker is able to control the injection location and injection timing to occur the expected error patterns during the encryption. In this paper, we generate the more generalized fault model called fault with tolerance to solve the error bytes range from one to three by extending the previous fault model. We find that the method of round reduction can be easily implemented by fault injection in four registers of iterative round because the canceling one round is equal to skip one operation. The pipeline AES and iterative AES will be thoroughly discussed fault injection, including filtering candidate keys and comprehending the error propagation. In our experiment, the high frequency of clock as the glitch is used to conduct fault injection in order to reduce the execution consumption time and deactivate the target operation. We propose the new method called initial encryption for pipeline AES. Once the attacker gets the faulty ciphertext and correct ciphertext, he may retrieve enough information to find out the secret key by DFA. |
URI: | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/20013 |
DOI: | 10.6342/NTU201801458 |
全文授權: | 未授權 |
顯示於系所單位: | 電子工程學研究所 |
文件中的檔案:
檔案 | 大小 | 格式 | |
---|---|---|---|
ntu-107-1.pdf 目前未授權公開取用 | 2.39 MB | Adobe PDF |
系統中的文件,除了特別指名其著作權條款之外,均受到著作權保護,並且保留所有的權利。