Archive for February, 2013

RC element with a characteristic time delay

Every transistor, together with its connection paths, acts like an RC element with a characteristic time delay. The maximum usable clock frequency of a processor is determined by the maximum delay among its elements. Similarly, every flip-flop has a characteristic time window (of a few picoseconds) during which it samples its input voltage and changes its output accordingly. This window can be anywhere inside the specified setup cycle of the flip-flop, but is quite fixed for an individual device at a given voltage and temperature. So if we apply a clock glitch (a clock pulse much shorter than normal) or a power glitch (a rapid transient in supply voltage), this will affect only some transistors in the chip and cause one or more flip-flops to adopt the wrong state. By varying the parameters, the CPU can be made to execute a number of completely different wrong instructions, sometimes including instructions that are not even supported by the microcode. Although we do not know in advance which glitch will cause which wrong instruction in which chip, it can be fairly simple to conduct a systematic search.

Glitch attacks from IC Crack method

Glitch attacks are fast changes in the signals supplied to the device, designed to affect its normal operation. Usually glitches are inserted in power supply and clock signals, but a glitch could also be an external electric field transient or an electromagnetic pulse. Two metal needles might be placed on a smartcard within a few hundred micrometers of the chip surface. Then, by applying a spike of a few hundred volts for less than a microsecond on these needles, an electric field in the silicon substrate of sufficient strength to temporarily shift the threshold voltages of nearby transistors will be induced. One modification of the above proposal was suggested recently: using a miniature inductor consisting of several hundred turns of fine wire around the tip of a microprobe needle. A current injected into this coil will create a magnetic field, and the needle will concentrate the field lines.

Power Analysis Setup Improvement

We made some improvements to the existing power analysis setup. This is a new approach and we have not seen any reference to it before. Instead of using a resistor in the power or ground line, we used a ferrite core transformer. That brought some changes to the waveform because the DC component of the signal was lost. At the same time it has some advantages: there is almost no limitation on DC current flow, whereas with a 10 Ω resistor a transient increase in the consumption current to 100 mA will cause a 1 V drop, which could disrupt the normal operation of the device. Reducing the resistor value will solve the problem but make it harder to recognise small changes in the power consumption, as needed to perform reliable analysis. With the transformer, there is no need to use an expensive active probe, as the standard passive probe gives almost the same result (Figure 40). If the signal is too small, extra turns in the secondary coil will increase the amplitude. Also, the transformer acts as a passive filter itself. As can be seen from the waveforms in Figures 37 and 40, the same CPU instructions have a different influence on the waveform for resistor and transformer measurements. That can be used as a form of post-processing of the acquired signal.

Noise Component in Power Consumption Characteristics

Power consumption characteristics always include noise components. The external noise can be reduced by proper design of the signal acquisition path and careful use of the measurement equipment. Measuring the power consumption on the resistor in the ground line has some advantages. Firstly, it reduces the noise level and, secondly, it allows us to measure the signal directly with an oscilloscope probe, because most probes have their common line permanently connected to the main power ground. To increase the signal-to-noise ratio further, the number of averaged samples can be increased.
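The shunt-resistor trade-off from the power analysis setup post and the averaging remark above can be put into numbers together. The following is an added example, not code from the original posts; the 50 µA current change and 1 mV RMS noise floor are assumed values chosen for illustration, while the 10 Ω and 100 mA figures come from the text.

```python
import math
import random
import statistics

def shunt_drop_v(r_ohm, i_peak_a):
    """Supply voltage lost across the shunt at peak current (Ohm's law)."""
    return r_ohm * i_peak_a

def averages_needed(r_ohm, delta_i_a, noise_rms_v, target_snr):
    """Traces to average so a current change delta_i_a stands target_snr
    times above the noise. Averaging N traces reduces uncorrelated noise
    by sqrt(N), so N grows with the square of the missing SNR."""
    per_trace_snr = (delta_i_a * r_ohm) / noise_rms_v
    # round() guards against floating-point dust pushing ceil() up by one
    return max(1, math.ceil(round((target_snr / per_trace_snr) ** 2, 9)))

def residual_noise_v(n_avg, noise_rms_v, n_points=400, seed=1):
    """Simulate n_avg noisy acquisitions of a flat trace (constructed data),
    average them point by point, and return the RMS noise that remains."""
    rng = random.Random(seed)
    acc = [0.0] * n_points
    for _ in range(n_avg):
        for k in range(n_points):
            acc[k] += rng.gauss(0.0, noise_rms_v)
    return statistics.pstdev([v / n_avg for v in acc])

if __name__ == "__main__":
    DELTA_I = 50e-6   # assumed: 50 uA data-dependent current change
    NOISE = 1e-3      # assumed: 1 mV RMS acquisition noise per trace
    I_PEAK = 100e-3   # from the text: 100 mA transient
    for r in (10.0, 1.0):
        n = averages_needed(r, DELTA_I, NOISE, target_snr=5.0)
        print(f"R={r:>4} ohm  drop={shunt_drop_v(r, I_PEAK):.2f} V  averages={n}")
    for n in (1, 16, 64):
        print(f"N={n:>3}  residual noise={residual_noise_v(n, NOISE) * 1e3:.3f} mV")
```

Cutting the shunt from 10 Ω to 1 Ω reduces the supply drop tenfold but requires a hundred times as many averaged traces for the same signal-to-noise ratio, which is the cost the transformer approach is meant to avoid.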