Archive for November, 2012

Brute force IC break example

A good example of a brute force IC break is the password protection scheme used in some microcontrollers, such as the Texas Instruments MSP430 family. The password itself is 32 bytes (256 bits) long, which is more than enough to withstand a direct brute force search. But the password is allocated at the same memory addresses as the CPU interrupt vectors. That, firstly, reduces the search space, because the vectors always point to even addresses within memory, so the lowest bit of every 16-bit word is known to be zero. Secondly, when the software is updated, only a small part of the password changes, because most of the interrupt service routines pointed to by the vectors are very likely to stay at the same addresses. As a result, an attacker who knows one of the previous passwords can do a systematic search and find the correct password in a reasonable time.
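To see how much the two observations above shrink the search, here is an added Python example (not code from the original post). It models the password as the sixteen little-endian 16-bit vectors stored at 0xFFE0-0xFFFF, counts the candidates when only a few vectors have moved since a known old password, and runs the structured search against a simulated bootloader check. The 16 KB flash range, the old and new vector tables and the oracle function are assumptions constructed for the demonstration:

```python
"""Structured search for an MSP430-style bootloader password.

Added example, not code from the original post. The MSP430 BSL password
is the 32-byte interrupt vector table at 0xFFE0-0xFFFF, i.e. sixteen
little-endian 16-bit vectors. The flash range, the "previous" password,
the relocated vector and the oracle below are all constructed for the
demo; a real attack would send each candidate to the bootloader over
its serial protocol instead of calling a local function.
"""
from itertools import combinations, product
from math import comb, log2
import struct

NUM_VECTORS = 16
# Assumed code flash range for a 16 KB part; vectors can only point here.
FLASH_START = 0xC000
FLASH_END = 0xFFE0          # exclusive: the vector table itself starts here


def vectors_to_password(vectors):
    """Pack 16 vector addresses into the 32-byte password (little-endian)."""
    return struct.pack("<16H", *vectors)


def password_to_vectors(password):
    return list(struct.unpack("<16H", password))


def even_targets():
    """Every address a vector may legally hold: even, inside code flash."""
    return range(FLASH_START, FLASH_END, 2)


def search_space(changed):
    """Candidates to try if exactly `changed` vectors moved since the old password."""
    return comb(NUM_VECTORS, changed) * len(even_targets()) ** changed


def candidates(previous, max_changed=1):
    """Yield passwords differing from `previous` in at most `max_changed` vectors.

    The old password is tried first, then every way of moving 1, 2, ...
    vectors to a new even address inside flash.
    """
    prev = password_to_vectors(previous)
    yield previous
    for k in range(1, max_changed + 1):
        for idxs in combinations(range(NUM_VECTORS), k):
            for vals in product(even_targets(), repeat=k):
                # Skip choices that leave a selected vector unchanged:
                # those candidates were already covered with a smaller k.
                if any(v == prev[i] for i, v in zip(idxs, vals)):
                    continue
                vecs = prev[:]
                for i, v in zip(idxs, vals):
                    vecs[i] = v
                yield vectors_to_password(vecs)


def recover(previous, oracle, max_changed=1):
    """Try candidates in order until `oracle` accepts one.

    Returns (password, attempts) or (None, attempts).
    """
    attempts = 0
    for cand in candidates(previous, max_changed):
        attempts += 1
        if oracle(cand):
            return cand, attempts
    return None, attempts


def demo():
    """A firmware update moved one ISR; the attacker knows the old password."""
    old_vectors = [0xC000 + 0x40 * i for i in range(NUM_VECTORS)]   # constructed
    previous = vectors_to_password(old_vectors)
    new_vectors = old_vectors[:]
    new_vectors[5] = 0xD2A6            # constructed: one ISR relocated
    target = vectors_to_password(new_vectors)

    def bsl_oracle(candidate):        # stand-in for the real bootloader check
        return candidate == target

    found, attempts = recover(previous, bsl_oracle, max_changed=1)
    return found == target, attempts


if __name__ == "__main__":
    print("naive space:        2^256")
    print(f"even vectors only:  2^{NUM_VECTORS * 15}")
    print(f"one vector moved:   2^{log2(search_space(1)):.1f} ({search_space(1)} tries)")
    ok, n = demo()
    print(f"recovered: {ok} after {n} attempts")
```

Even-only vectors take the password from 256 to 240 bits, which changes nothing in practice; knowing the previous password and assuming a single moved vector takes it to about 17 bits, well within reach even over a slow serial link. The demo assumes the bootloader simply rejects a wrong password and lets the attacker try again; a bootloader that erases the flash on a failed attempt would make this kind of search useless.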

Brute force chip attack

Brute force has different meanings in cryptography and in semiconductor hardware. In cryptography, a brute force attack is the methodical application of a large set of trial keys to the system until one succeeds. This is usually done with a computer or an array of FPGAs delivering patterns at high speed and checking for success.

How to prevent timing attacks

To prevent timing attacks, the designer should carefully count the CPU cycles spent comparing the password and make sure the count is the same for correct and incorrect passwords. For example, in the Motorola 68HC08 microcontroller family the internal ROM bootloader allows access to the Flash memory only if the correct eight-byte password has been entered first. To make the check constant-time, extra NOP instructions were added to the comparison routine so that the processing time is equal for correct and incorrect bytes of the password. That gives good protection against timing attacks. Some microcontrollers have an internal RC oscillator mode in which the CPU clock frequency depends on the supply voltage and the die temperature. This makes timing analysis more difficult, because the attacker has to stabilise the device temperature and remove fluctuations and noise on the power supply line; it adds noise to the measurement rather than removing the leak. Some smartcards have an internally randomised clock, which makes individual time-delay measurements almost useless for the attack, although averaging over many measurements can partly recover the signal.

Timing attack application

Timing attacks can be applied to microcontrollers whose protection is based on passwords, or to access control systems that use cards or keys with fixed serial numbers, for example Dallas iButton products. The common mistake in such systems is the way the serial number of the presented key is verified against the database. Very often the system compares the key byte by byte against one database entry and stops at the first mismatching byte, then moves on to the next entry until it reaches the end of the database. The attacker can therefore measure the time between presenting a key and the system asking for the next one, and work out how many leading bytes matched some entry. With a relatively small number of attempts he can find one of the valid keys.
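The flaw behind this post and the one above on preventing timing attacks is the same: a byte-by-byte comparison that stops at the first mismatch. The added Python example below (not code from the original posts) counts byte comparisons as a stand-in for measured time, recovers a key from a constructed iButton-style database using only accept/reject plus that count, and shows that a comparison which always touches every byte gives the attacker nothing to work with. The database contents and the cost counter are constructed for the demonstration:

```python
"""Early-exit comparison leak and its constant-time fix.

Added example, not code from the original posts. Real attacks measure
wall-clock or cycle time; here the "time" is the number of byte
comparisons the checker performs, which is exactly what the early exit
leaks. The stored keys in DATABASE are constructed, not real IDs.
"""


def check_early_exit(entered, stored, cost):
    """Typical vulnerable routine: stop at the first mismatching byte.

    `cost` is a one-element list used as a cycle-counter stand-in.
    """
    if len(entered) != len(stored):
        return False
    for a, b in zip(entered, stored):
        cost[0] += 1
        if a != b:
            return False
    return True


def check_constant_time(entered, stored, cost):
    """Fixed routine: always touch every byte, fold mismatches into one flag."""
    if len(entered) != len(stored):
        return False
    diff = 0
    for a, b in zip(entered, stored):
        cost[0] += 1
        diff |= a ^ b
    return diff == 0


def cost_profile(checker, stored, probes):
    """Work done by `checker` for each probe: flat for the constant-time one."""
    costs = []
    for probe in probes:
        cost = [0]
        checker(probe, stored, cost)
        costs.append(cost[0])
    return costs


def lookup(key, database, checker):
    """Access controller: compare the key against every database entry."""
    cost = [0]
    for entry in database:
        if checker(key, entry, cost):
            return True, cost[0]
    return False, cost[0]


def recover_key(database, checker, key_len):
    """Byte-by-byte recovery using only accept/reject and the leaked cost.

    For each position try all 256 values and keep the one that makes the
    controller do the most work. With the constant-time routine every value
    costs the same, the guess never improves, and the search fails.
    """
    guess = bytearray(key_len)
    tries = 0
    for pos in range(key_len):
        best_val, best_cost = None, -1
        for v in range(256):
            guess[pos] = v
            tries += 1
            ok, cost = lookup(bytes(guess), database, checker)
            if ok:
                return bytes(guess), tries
            if cost > best_cost:
                best_val, best_cost = v, cost
        guess[pos] = best_val
    return None, tries


DATABASE = [bytes.fromhex("01a2b3c4d5e6f708"),   # constructed iButton-style IDs
            bytes.fromhex("01a2ff5511223344"),
            bytes.fromhex("7b6c5d4e3f2a1b0c")]


def demo():
    """Leaky controller: one valid key falls out; fixed controller: nothing."""
    leaked, tries_leaky = recover_key(DATABASE, check_early_exit, 8)
    blind, tries_ct = recover_key(DATABASE, check_constant_time, 8)
    return leaked in DATABASE, tries_leaky, blind, tries_ct
```

On a real microcontroller the counter is the response latency measured with a scope or a counter/timer, and the NOP padding described above is what makes an early-exit loop behave like check_constant_time. The leaky controller gives up a valid key in well under 256 × key length attempts; the fixed one exhausts the same budget with the guess still at all zeros.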

Preventing timing attacks with blinding

To prevent such attacks on RSA implementations, the blinding techniques originally developed for blind signatures can be used. The general idea is to deny the attacker knowledge of the actual input to the modular exponentiation: the input is multiplied by a freshly chosen random value before the exponentiation and the random value is removed from the result afterwards.
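An added Python example (not code from the original post) of the blinding step for RSA signing. The modulus is built from two well-known Mersenne primes as toy parameters constructed for the demo, far too small for real use; what it shows is that the blinded and unblinded signatures are identical while the value that actually goes through the modular exponentiation is m·r^e mod N with a fresh random r:

```python
"""RSA signing with base blinding.

Added example, not code from the original post. Textbook RSA on a toy
modulus built from two Mersenne primes (constructed; chosen only so the
arithmetic is instant and the primality is beyond doubt). The point is
that the exponentiation sees m * r^e mod N with a fresh random r, so the
attacker's timing samples no longer line up with the message he knows.
"""
import secrets
from math import gcd

P = 2**31 - 1                     # constructed toy primes
Q = 2**61 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)               # private exponent (Python 3.8+ modular inverse)


def sign_unblinded(m):
    """Plain s = m^d mod N: the timing depends on d and on the known m."""
    return pow(m, D, N)


def sign_blinded(m):
    """Blind, exponentiate, unblind: s = (m r^e)^d * r^-1 = m^d mod N."""
    while True:
        r = secrets.randbelow(N - 2) + 2      # fresh secret r in [2, N-1]
        if gcd(r, N) == 1:
            break
    m_blind = (m * pow(r, E, N)) % N
    s_blind = pow(m_blind, D, N)              # the data-dependent step sees
    return (s_blind * pow(r, -1, N)) % N      # m*r^e, never m itself


def verify(m, s):
    return pow(s, E, N) == m % N


def demo(messages=(1234567890, 0xDEADBEEF, N - 2)):
    """Both signing routines agree and verify for every message."""
    return all(sign_unblinded(m) == sign_blinded(m) and verify(m, sign_blinded(m))
               for m in messages)
```

The blinding factor must be fresh and secret for every signature; reusing r, or deriving it from the message, restores exactly the correlation between known input and timing that the attack relies on.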

Necessary information before a timing attack

To conduct the attack one needs to collect a set of messages together with their processing times, e.g. the question-answer delay. Many cryptographic algorithms have been found vulnerable to timing attacks. The main reason lies in the software implementation of each algorithm: performance optimisations that skip unnecessary branches and conditional operations, cache memory usage, processor instructions with data-dependent execution time such as multiplication and division, and a wide variety of other causes. As a result the processing time typically depends on both the key and the input data.

Break Secured MCU ATmega88PA Program

We can break the program protection of a secured ATmega88PA MCU. For reference, the serial programming description below is quoted from the datasheet (the quoted text itself describes the ATtiny15L):
When writing serial data to the ATtiny15L, data is clocked on the rising edge of SCK. When reading data from the ATtiny15L, data is clocked on the falling edge of SCK. See Figure 34, Figure 35, and Table 28 for timing details.
To program and verify the ATtiny15L in the Serial Programming mode, the following sequence is recommended (See 4-byte instruction formats in Table 27):
Power-up sequence:
Apply power between VCC and GND while RESET and SCK are set to “0”. If the programmer cannot guarantee that SCK is held low during power-up, RESET must be given a positive pulse of at least two MCU cycles after SCK has been set to “0”.
Wait for at least 20 ms and enable serial programming by sending the Programming Enable serial instruction to the MOSI (PB0) pin. Refer to the above section for minimum low and high periods for the serial clock input SCK.
The serial programming instructions will not work if the communication is out of synchronisation. When in sync, the second byte ($53) will echo back when issuing the third byte of the Programming Enable instruction.
Whether the echo is correct or not, all four bytes of the instruction must be transmitted. If the $53 did not echo back, give SCK a positive pulse and issue a new Programming Enable instruction. If the $53 is not seen within 32 attempts, there is no functional device connected.
If a Chip Erase is performed (it must be done to erase the Flash), wait tWD_ERASE after the instruction, give RESET a positive pulse, and start over from the Programming Enable step above. See Table 29 on page 63 for the tWD_ERASE value.

The Flash or EEPROM array is programmed one byte at a time by supplying the address and data together with the appropriate write instruction. An EEPROM location is automatically erased before new data is written (the Flash is only erased by Chip Erase, see above). Use data polling to detect when the next byte in the Flash or EEPROM can be written.
If polling is not used, wait tWD_PROG_FL or tWD_PROG_EE, respectively, before transmitting the next instruction. See Table 30 on page 63 for the tWD_PROG_FL and tWD_PROG_EE values. In an erased device, no $FFs in the data file(s) need to be programmed.

Any memory location can be verified by using the Read instruction, which returns the content at the selected address at the serial output MISO (PB1) pin.
At the end of the programming session, RESET can be set high to commence normal operation.
Power-off sequence (if needed):
Set RESET to “1”.
Turn VCC power off.

Recover the system secret key

Some security-related operations a semiconductor chip performs take a different time to complete depending on the values of the input data and the secret key. Careful timing measurement and analysis may allow recovery of the system’s secret key. This idea was first published in the scientific literature in 1996 (Kocher), and later such attacks were successfully performed on an actual smartcard implementation of RSA signatures.

Restricting access to information on memory programming

Another simple trick many semiconductor manufacturers use is restricting access to information about memory programming. This is normal for smartcards, but for some microcontrollers such information is not publicly available either. It is not a reliable or practical way of making a design secure. It works reasonably well for smartcards, where all customers are obliged to sign a non-disclosure agreement with the chip manufacturer. But microcontrollers, with very few exceptions, can be programmed with universal programmers that are widely available from many companies around the world. Even if the programming specification is undocumented, all the necessary waveforms can be extracted in a few hours using any low-cost oscilloscope, because the signals are normally applied at less than 1 MHz. If a microcontroller is not supported by a particular universal programmer, it is always possible to buy the development kit from the manufacturer and capture the protocol from it directly.

Reverse Engineering IC ATMEGA88PV Locked Flash

We can reverse engineer the locked Flash of an ATmega88PV IC. For reference, the following data-polling and electrical notes are quoted from the datasheet:

When a byte is being programmed into the Flash or EEPROM, reading the address location being programmed will give the value $FF. Once the device is ready for a new byte, the programmed value will read correctly.
This is used to determine when the next byte can be written. It does not work for the value $FF, so when programming this value the user has to wait at least tWD_PROG_FL before programming the next Flash byte, or tWD_PROG_EE before the next EEPROM byte.
As a chip-erased device contains $FF in all locations, programming of addresses that are meant to contain $FF can be skipped. This does not apply if the EEPROM is reprogrammed without chip-erasing the device.
In that case, data polling cannot be used for the value $FF and the user will have to wait at least tWD_PROG_EE before programming the next byte. See Table 30 for the tWD_PROG_FL and tWD_PROG_EE values.
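The two datasheet excerpts on this page describe a procedure with two easy-to-get-wrong details: resynchronising the Programming Enable instruction until $53 echoes back, and data polling that cannot tell a busy location from a finished $FF. The added Python example below (not from the original posts and not Atmel code) drives a constructed software model of the target that behaves as the quoted text describes, so both the retry loop and the $FF fixed-wait fallback can be exercised offline. The model's write/read opcodes, 1 KB flash size and write time are assumptions made for the demo:

```python
"""Serial-programming handshake and data polling against a mock AVR target.

Added example, not code from the original posts. MockTarget is a
constructed software model with the behaviour the quoted datasheet text
describes: it echoes $53 only once byte-synchronised, a positive SCK
pulse shifts its alignment, a location being written reads $FF until the
write completes, and a chip-erased array is all $FF. The write/read
opcodes and timings are constructed for the mock, not the device's real
instruction set; real hardware is driven over SPI or bit-banged GPIO.
"""

PROG_ENABLE = (0xAC, 0x53, 0x00, 0x00)   # Programming Enable instruction
FLASH_SIZE = 1024                          # constructed: 1 KB program memory
T_WD_PROG = 5                              # constructed: write time in clocks
OP_WRITE, OP_READ = 0x40, 0x20             # constructed opcodes for the mock


class MockTarget:
    def __init__(self, misaligned_by=0):
        self.misaligned = misaligned_by     # SCK pulses needed to get in sync
        self.enabled = False
        self.flash = bytearray([0xFF]) * FLASH_SIZE
        self.pending = None                 # (addr, value, clock when done)
        self.clock = 0

    def pulse_sck(self):
        if self.misaligned:
            self.misaligned -= 1

    def tick(self, n=1):
        self.clock += n
        if self.pending and self.clock >= self.pending[2]:
            self.flash[self.pending[0]] = self.pending[1]
            self.pending = None

    def transfer(self, b0, b1, b2, b3):
        """One 4-byte instruction; returns the 4 bytes shifted out on MISO."""
        self.tick()
        if (b0, b1) == PROG_ENABLE[:2] and self.misaligned == 0:
            self.enabled = True
            return (0x00, 0xAC, 0x53, 0x00)         # $53 echoed on 3rd byte
        if not self.enabled:
            return (0x00, 0x00, 0x00, 0x00)
        addr = ((b1 & 0x03) << 8) | b2
        if b0 == OP_WRITE:
            self.pending = (addr, b3, self.clock + T_WD_PROG)
        elif b0 == OP_READ:
            busy = self.pending is not None and self.pending[0] == addr
            return (0x00, 0x00, 0x00, 0xFF if busy else self.flash[addr])
        return (0x00, 0x00, 0x00, 0x00)


def programming_enable(target, max_attempts=32):
    """Resend Programming Enable, pulsing SCK between tries, until $53 echoes."""
    for attempt in range(1, max_attempts + 1):
        if target.transfer(*PROG_ENABLE)[2] == 0x53:
            return attempt
        target.pulse_sck()
    return None                               # no functional device connected


def write_byte_naive_poll(target, addr, value, max_polls=20):
    """Wrong: polls for every value. A $FF write never looks finished."""
    target.transfer(OP_WRITE, addr >> 8, addr & 0xFF, value)
    for polls in range(1, max_polls + 1):
        if target.transfer(OP_READ, addr >> 8, addr & 0xFF, 0x00)[3] != 0xFF:
            return polls
    return None                               # timed out: polling is ambiguous


def write_byte_polled(target, addr, value):
    """Correct: poll for real data, fall back to the fixed wait for $FF."""
    target.transfer(OP_WRITE, addr >> 8, addr & 0xFF, value)
    if value == 0xFF:
        target.tick(T_WD_PROG)                # busy and done both read $FF
        return 0
    polls = 0
    while True:
        polls += 1
        if target.transfer(OP_READ, addr >> 8, addr & 0xFF, 0x00)[3] != 0xFF:
            return polls


def program_image(target, image):
    """Program a chip-erased device; $FF bytes are already there and skipped."""
    written = skipped = 0
    for addr, value in enumerate(image):
        if value == 0xFF:
            skipped += 1
            continue
        write_byte_polled(target, addr, value)
        written += 1
    return written, skipped


def demo():
    target = MockTarget(misaligned_by=3)
    attempts = programming_enable(target)
    image = bytes([0x0C, 0x94, 0x34, 0x00]) + b"\xFF" * 4 + bytes([0xE0, 0x0F])  # constructed
    written, skipped = program_image(target, image)
    verified = all(target.transfer(OP_READ, a >> 8, a & 0xFF, 0)[3] == v
                   for a, v in enumerate(image))
    return attempts, written, skipped, verified
```

write_byte_naive_poll shows the failure mode: after writing $FF every poll returns $FF whether the write has finished or not, so the loop only ends on its timeout. write_byte_polled polls for any other value and uses the datasheet's fixed wait for $FF, and program_image skips $FF bytes on a chip-erased device as the text allows.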
Stresses beyond those listed under “Absolute Maximum Ratings” may cause permanent damage to the device. This is a stress rating only; functional operation of the device at these or any other conditions beyond those indicated in the operational sections of the specification is not implied.
Exposure to absolute-maximum-rating conditions for extended periods may affect device reliability.
Notes:
“Max” means the highest value at which the pin is guaranteed to be read as low.
“Min” means the lowest value at which the pin is guaranteed to be read as high.
Although each I/O port can sink more than the test conditions (20 mA at VCC = 5V, 10 mA at VCC = 3V) under steady-state (non-transient) conditions, the following must be observed:
1] The sum of all IOL, for all ports, should not exceed 100 mA. If IOL exceeds the test condition, VOL may exceed the related specification. Pins are not guaranteed to sink current greater than the listed test conditions.
Although each I/O port can source more than the test conditions (3 mA at VCC = 5V, 1.5 mA at VCC = 3V) under steady-state (non-transient) conditions, the following must be observed:
1] The sum of all IOH, for all ports, should not exceed 100 mA. If IOH exceeds the test condition, VOH may exceed the related specification. Pins are not guaranteed to source current greater than the listed test condition.