Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/20013
Full metadata record
DC field | Value | Language |
---|---|---|
dc.contributor.advisor | 鄭振牟 | |
dc.contributor.author | Ke-Syuan Chen | en |
dc.contributor.author | 陳克烜 | zh_TW |
dc.date.accessioned | 2021-06-08T02:38:46Z | - |
dc.date.copyright | 2018-07-19 | |
dc.date.issued | 2018 | |
dc.date.submitted | 2018-07-13 | |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/20013 | - |
dc.description.abstract | Differential fault analysis has become a new type of cryptanalysis that exposes cryptographic devices to the danger of fault attacks. The attacker injects a fault into the device so that it produces a faulty ciphertext, then obtains both the faulty and the correct ciphertext and analyzes them to recover the key and break the device. Examples of ways to realize a fault attack include injecting a high-frequency clock, lowering the voltage level, and exceeding the operating temperature. In a fault attack, the attacker is assumed to be able to choose the time and location at which the fault is injected during encryption, so as to obtain the expected error characteristics.
In this thesis we extend the previous fault model into a more widely applicable one, fault with tolerance, which handles between one and three erroneous bytes. Because of the architectural difference of having four registers within an encryption round, we find that the round-reduction method can be carried out effectively: using a fault attack to skip one encryption operation is equivalent to skipping one encryption round. Fault attacks on iterative AES and pipelined AES are examined in depth, including how candidate keys are filtered and how errors propagate under different register architectures. In our experiments, a high-frequency clock is used to realize the fault attack, reducing the time available for encryption so that a specific encryption operation fails, and an attack method for pipelined AES called "initial encryption" is proposed. By applying differential fault analysis to the correct and faulty ciphertexts, the attacker recovers the key used for encryption. | zh_TW |
dc.description.abstract | Differential Fault Analysis (DFA) is a type of cryptanalysis that threatens cryptographic devices through fault injection. The attacker injects a fault so that the device produces a faulty ciphertext, then analyzes the differences
between the faulty ciphertext and the correct ciphertext to determine their relationship and recover the secret key. Fault injection can be implemented in many ways, such as supplying an abnormal clock, lowering the supply voltage, or exceeding the operating temperature. We assume that, through fault injection, the attacker can control the injection location and timing so that the expected error pattern occurs during encryption. In this thesis we extend the previous fault model into a more general one, called fault with tolerance, which handles between one and three erroneous bytes. We find that round reduction is easy to realize by fault injection in the four-register iterative-round architecture, because cancelling one round is equivalent to skipping one operation. Fault injection on pipelined AES and iterative AES is discussed in depth, including how candidate keys are filtered and how errors propagate. In our experiments, a high-frequency clock is used as the glitch: it shortens the time available for execution and deactivates the target operation. We also propose a new method for pipelined AES called initial encryption. Once the attacker has both the faulty and the correct ciphertext, DFA yields enough information to recover the secret key. | en |
dc.description.provenance | Made available in DSpace on 2021-06-08T02:38:46Z (GMT). No. of bitstreams: 1 ntu-107-R05943144-1.pdf: 2446988 bytes, checksum: 326f22d9a59690540052575a0f8ca72f (MD5) Previous issue date: 2018 | en |
dc.description.tableofcontents | Contents
1 Introduction ...1 1.1 Advanced Encryption Standard ...1 1.1.1 SubBytes ...3 1.1.2 ShiftRows ...4 1.1.3 MixColumns ...4 1.1.4 AddRoundKey ...5 1.2 Fault Analysis ...6 1.2.1 Side-Channel Analysis ...6 1.2.2 Fault Injection Analysis ...7 1.3 Fault Injection techniques ...7 1.4 Chapters Introduction ...9 1.5 Notation ...9 2 Differential Fault Analysis ...10 2.1 Fault Model ...11 2.1.1 Previous Fault Model ...12 2.1.2 Previous Implementations ...15 2.2 Fault Injection Method ...17 2.2.1 Induce the Error Bytes ...17 2.2.2 Deactivate the Target Operation ...17 2.2.3 Initial Encryption ...18 2.3 Reverse Key Method ...19 2.3.1 Calculate the Error Bytes ...19 2.3.2 Reversing Equation ...20 2.3.3 Fault with Tolerance ...22 2.3.4 XOR the Original Intermediate Value ...23 3 Hardware Implementations of AES ...24 3.1 One Register of Iterative Round ...24 3.1.1 Architecture ...24 3.1.2 Error Propagation ...25 3.2 Four Registers of Iterative Round ...25 3.2.1 Architecture ...25 3.2.2 Error Propagation ...26 3.3 Simple Pipeline ...27 3.3.1 Architecture ...27 3.3.2 Error Propagation ...27 3.4 OpenCores AES ...28 3.4.1 Architecture ...28 3.4.2 Error Propagation ...29 4 Equipment Setup ...30 4.1 Process of Fault Injection ...30 4.2 Generate the Glitch ...30 4.3 Injection Location on AES Module ...32 4.3.1 Inject the Counter Module ...32 4.3.2 Inject the Round Module and Counter Module ...33 4.4 Reverse Key Method ...34 5 Experimental Results ...35 5.1 One Register of Iterative Round ...35 5.1.1 SubBytes of Ninth Round ...35 5.1.2 ShiftRows of Ninth Round ...37 5.1.3 MixColumns of Ninth Round ...38 5.2 Four Register of Iterative Round ...40 5.2.1 ShiftRows of Ninth Round ...40 5.2.2 SubBytes of Ninth Round ...41 5.2.3 AddRoundKey of Ninth Round ...41 5.3 Simple Pipeline ...42 5.4 OpenCores AES ...44 6 Conclusions ...46 References ...47 | |
dc.language.iso | en | |
dc.title | Realizing Fault Attacks by Injecting High-Frequency Clocks on Hardware Architectures of AES | zh_TW |
dc.title | A Practical Power Glitch Attack on Hardware Implementations of AES | en |
dc.type | Thesis | |
dc.date.schoolyear | 106-2 | |
dc.description.degree | Master | |
dc.contributor.oralexamcommittee | 楊柏因,陳君明,洪維志,謝致仁,陳君朋 | |
dc.subject.keyword | fault attack,pipelined AES,OpenCores AES,high-frequency clock,error propagation, | zh_TW |
dc.subject.keyword | fault injection,pipeline,OpenCores AES,glitch,error propagation, | en |
dc.relation.page | 49 | |
dc.identifier.doi | 10.6342/NTU201801458 | |
dc.rights.note | Not authorized | |
dc.date.accepted | 2018-07-13 | |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
dc.contributor.author-dept | Graduate Institute of Electronics Engineering | zh_TW |
Appears in collections: | Graduate Institute of Electronics Engineering |
Files in this item:
File | Size | Format | |
---|---|---|---|
ntu-107-1.pdf (currently not authorized for public access) | 2.39 MB | Adobe PDF |
All items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.