electromagnetic side channel analysis of a contactless smart...

Electromagnetic Side Channel Analysis

of a Contactless Smart Card: First Results

Workshop on RFID and Light-Weight Crypto

July 14th, 2005

Dario Carluccio, Kerstin Lemke, Christof Paar

{carluccio, lemke, cpaar}@crypto.rub.de

Ruhr-University Bochum, Germany

Dario Carluccio July 14th, 2005Dario Carluccio 2

Presentation Outline

uIntroduction to Side Channel Analysis

uMotivation EM-AnalysisuMeasuring EM Field and RadiationuFirst Results for the DESFire Card

Conclusion and Further Directions


Introducing Side Channel Analysis

Crypto Device(e.g. Smartcard)

Secret Key

CipherAlgorithmPlaintext Ciphertext

Tamper resistentEnviroment

(No Access to Secret Key)

Power Consumption

ElectromagneticRadiation

ExecutionTime

ComputationFaults



uIntroduction toSide Channel Analysis

uMotivation EM-Analysis uMeasuring EM Field and RadiationuFirst Results for the DESFire CarduConclusion and Further Directions


Motivation for Electromagnetic Analysis

u Power consumption is not always measurable, e.g., at RFID Devices

u EM-Field might include additional leakage compared to Power Consumption

u Power Analysis Techniques like SPA and DPA are well known

u Same statistical Tests can be used, e.g., for SPA (SEMA) and DPA (DEMA)




uMotivation EM-AnalysisuMeasuring EM Field and RadiationuFirst Results for the DESFire CarduConclusion and Further Directions


ComparsionNearfield - Farfieldu Nearfield:

Electromagnetic Field is dominant

u Farfield:Electromagnetic Radiation is dominant

u Energy in the Nearfield is higher ~1/R2

u Typical Wavelength:– 1 MHz → 300 m– 100 MHz → 3 m– 1 GHz → 30 cm– RFID-Chip @ 13.56 MHz → 22 m

→Measuring in the Nearfield is the better choice.

λ>R

λ<<R


Electric Field coupled Antennas


Magnetic Field coupled Antennas

tBE∂∂

−=×∇r

rr

Faradays Law of Induction:

Only changes in Magnetic Fieldcause an electrical Voltage.


Nearfield Probes


Antenna Positionfor single Wire

E-Field H-Field

Antennas

Best Antenna Position is orthogonal to the Field


Antenna Position on Top of the Chip-Layer

u In a Chip the Wires (Dipols) are in the Chip-Layeru Resulting Electric Field is orthogonal to the Chip-Layeru Magnetic Field is orthogonal to the Chip-Layers surfaceu Best Antenna Position parallel to Chip-Layer

Chip-Layer


DEMA-Verificationon known Smartcard

Verification of EM-Side Channel Analysis on known SmartcardAntenna: CU-plate 4x4mm

AES on ATMega 163 @ 3,56 MHz, 200 MeasurementsCorrect Key Hypothesis S-Box Output




uMotivation EM-Analysis uMeasuring EM Field and RadiationuFirst Results for the DESFire CarduConclusion and Further Directions


Motivation for choosing DESFire Card

u RFID Device computing a well known cipher algorithm (DES/3DES)

u State of the Art cryptographic RFID Card, used by NASA for Access Control and as Ticket for the FIFA World Championchip 2006

u Reader, Chipcards and programming API commercially available (ACG)


Communication betweenReader and DESFire Card

u The Reader sends to the Card by modulating the Field according to the modified Miller Code

u The Card responds by modulating its load according to the Manchester Code

u The Protocol between RFID-Reader and DESFire Card is not documented. It is encapsulated in the RFID-Reader’s Firmware.


Monitoring Antenna Signal of RFID-Readeru For DEMA the Plaintext has to be known, therefore the

Protocol had to be reverse engineered.u By monitoring the Reader’s Antenna Signal, it was possible

to discover the first steps of the authenticate command, and the plaintext on which the DESFire Card computes the DES algorithm.


DESFireAuthentication Protocol

Reader to Card Card to Reader

01: 02 -02: 0A -03: 00 - KeyNo04: DC - CRC105: ED - CRC2

01: 02 02: AF03: F0 - B0,Byte104: 53 - B0,Byte205: 10 - B0,Byte306: 1A - B0,Byte407: 3E - B0,Byte508: 1A - B0,Byte609: 8B - B0,Byte710: F8 - B0,Byte811: EC - CRC 112: 97 - CRC 2

01: 0202: AF03: A2 – B1,Byte104: A4 – B1,Byte205: 19 – B1,Byte306: 2E – B1,Byte407: E6 – B1,Byte508: 9D – B1,Byte609: A1 – B1,Byte710: B8 – B1,Byte811: …


Finding the best Antenna Position

Best Position for the Antenna is directly on Top of the Chip – The Position of the Chip can not be determined by

exposing the Card to strong Light or palpating– X-Ray Photo to locate the Chip inside the DESFire Card

to place antenna exactly on Top of the Chip


Solutions to improve Signal to Noise Ratio (SNR)

As the Reader transmits Energy to the Card– The RFID-Chip is in the Reader’s Field– Side Channel Signal is weak according to the

Reader’s Field

Solution to improve SNR: – Dissolving the Card with

Trichloroethylene C2 H Cl3 @ 100°C to separate the RFID-Chipfrom the card and finally from the Reader’s Field


Measurement Setup with separated RFID-Chip


First Results for RFID Devicesu Up to 10.000 Measurements have been done at a Sampling

Frequency of 1 GHz. u The structure of the EM emanation turned out to be very

uniform.u Until now, DEMA was not successful to reveal cryptographic

keys.

Time t

Mea

n E

M e

man

atio

n


First Results for RFID Devices

Time t

Cor

rela

tion

coef

ficen

t

DEMA Results: Correlation Method with the Selection Function:u Hamming-Weight of the outcome of all 8 S-Boxes

(Known-Key Approach)




uMotivation EM-AnalysisuMeasuring EM Field and RadiationuFirst Results for the DESFire CarduConclusion and Further Directions


Conclusion and Further Directions

Further Directions for DESFire Cardu Custom RFID-Readeru Analogous Filteringu (Semi) Invasive Analysis

Conclusion for EM Analysisu Nearfield better than Farfieldu Antennas parallel to Chip-Layeru Separate RFID-Device from disturbing fields,

e.g., by the RFID Reader


The End

Thank you for your Attention.

Any Questions?

{carluccio, lemke, cpaar}@crypto.rub.de

electromagnetic side channel analysis of a contactless smart...

Documents