At the most recent Cryptographic Hardware and Embedded Systems (CHES) workshop, Hossein Hadipour of Graz University of Technology presented an important step forward in exploiting persistent faults in cryptographic implementations.
Differential fault analysis (DFA) is a well-known attack class in which an attacker injects faults during the execution of a cryptographic implementation and can thereby recover the secret key. However, injecting a transient fault at exactly the right moment can be challenging. Persistent faults are a category of faults that may be easier to apply than transient faults because they do not require precise timing and stay active for a longer period. For example, an attacker may introduce a persistent fault by corrupting a substitution box (S-box) when its data is moved in memory, or by altering the apparent value of a memory location through a [probe needle](https://www.keysight.com/us/en/product/DS1121A/bidirectional-fault-injection-probe.html) or a continuous laser beam.
Previous research into DFA showed that it’s possible to exploit persistent faults, but this research had multiple limitations:
- The original attack required knowledge of the exact fault model — the location of the faults in the algorithm.
- It resulted in a very high remaining key space to be explored — 50 bits in the case of AES-128.
- It required at least one input-output pair for a brute-force analysis of the remaining key space.
These disadvantages largely negated the advantage of persistent fault attacks over transient fault attacks, and the research reported hardly any practical results in the field.
The Graz team developed several new attack algorithms to improve persistent fault attacks, then simulated and tested them on an implementation of the Advanced Encryption Standard (AES) with a 128-bit key (AES-128). By analyzing all AES rounds, rather than just the final ones, they were able to extract more information. This allowed them to recover the key more quickly and under more demanding conditions: unknown fault locations, multiple simultaneous faults, and no access to the plaintext.
The first part of the attack works with a little more than 1,000 faulty ciphertexts resulting from multiple, unknown persistent faults, and reduces the remaining key space to a mere 9 bits. The second part of the attack uses only those same faulty ciphertexts to select the correct key from the remaining key space.
These improvements have significant practical implications. For instance, when AES is used for encryption, an attacker should never have access to the plaintext, which rules out every DFA technique that needs a plaintext-ciphertext pair to identify the correct key. With this new method, attackers may be able to extract a key when only corrupted ciphertext is available. Additionally, the attack needs neither knowledge of the fault locations nor a lengthy brute-force search, which makes it attractive in practice.
With these new improvements, we can expect more enthusiasm for persistent fault injection among attackers, and we should anticipate practical application in the field. Fortunately, many countermeasures against transient fault injection also work against persistent fault injection. The Keysight device vulnerability analysis team is happy to advise device makers on how to make their products more robust against this and other threats.
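One countermeasure that applies directly to the S-box corruption described above is an integrity self-test of the S-box table before each encryption. The following is an added example, not code from Keysight or the Graz team: it rebuilds the AES S-box from its mathematical definition (GF(2^8) inverse followed by the affine map), derives a reference digest from that definition rather than from the table in use, and rejects a table that is either not a permutation or does not match the digest. The fault injections in `demo()` are constructed in-process purely to show what each check catches.

```python
import hashlib

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254; for a == 0 this yields 0, as AES requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def generate_sbox() -> list:
    """Rebuild the AES S-box from its definition: inverse, then affine transform."""
    table = []
    for x in range(256):
        b = gf_inv(x)
        s = b
        for i in range(1, 5):              # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4)
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        table.append(s ^ 0x63)
    return table

# Reference digest comes from the definition, never from the table held in RAM.
REFERENCE_DIGEST = hashlib.sha256(bytes(generate_sbox())).digest()

def is_permutation(table) -> bool:
    """Cheap check: any single corrupted entry produces a duplicate value."""
    return len(table) == 256 and len(set(table)) == 256

def sbox_ok(table) -> bool:
    """Run before every encryption; a failing table must not be used."""
    return is_permutation(table) and hashlib.sha256(bytes(table)).digest() == REFERENCE_DIGEST

def demo() -> dict:
    """Constructed faults: a one-bit flip in S[0x53] and a swap of S[0] and S[1]."""
    ram_sbox = bytearray(generate_sbox())      # the copy an implementation keeps in RAM
    flipped = bytearray(ram_sbox)
    flipped[0x53] ^= 0x01                      # persistent single-bit fault
    swapped = bytearray(ram_sbox)
    swapped[0], swapped[1] = swapped[1], swapped[0]   # still a permutation
    return {"intact": sbox_ok(ram_sbox),
            "bitflip_perm": is_permutation(flipped), "bitflip_ok": sbox_ok(flipped),
            "swap_perm": is_permutation(swapped), "swap_ok": sbox_ok(swapped)}
```

The swap case shows why the bijection test alone is insufficient: the digest comparison is what catches a fault that preserves the permutation property.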