Fault Attack on AES via Hardware Trojan Insertion by Dynamic Partial Reconfiguration of FPGA over Ethernet

Anju Johnson, Sayandeep Saha, Rajat Subhra Chakraborty, Debdeep Mukhopadhyay, Sezer Gören

Research output: Chapter in Book/Report/Conference proceedingConference contribution

12 Citations (Scopus)

Abstract

We describe a novel methodology to exploit the widely used Dynamic Partial Reconfiguration (DPR) support in Field Programmable Gate Arrays (FPGAs) to implant a hardware Trojan in an Advanced Encryption Standard (AES) encryption circuit implemented on a FPGA. The DPR is performed by transferring the required partial configuration bitstream file over an Ethernet connection to the FPGA board, from an attacker's computer which can communicate with the FPGA over a network. The inserted Trojan launches a "fault attack" on the AES encryption circuit, which enables recovery of the secret key by standard mathematical analysis of the faulty ciphertext produced. To the best of our knowledge, this is the first reported attack which exploits DPR to break an AES hardware implementation on FPGA. Our implementation results establish this to be an extremely potent attack on AES at low hardware and computational overhead, while using the standard unlicensed FPGA design tools.
LanguageEnglish
Title of host publicationProceedings of the 9th Workshop on Embedded Systems Security
Subtitle of host publicationWESS '14
PublisherAssociation for Computing Machinery (ACM)
Number of pages8
ISBN (Electronic)9781450329323
DOIs
Publication statusPublished - 12 Oct 2014
Externally publishedYes
Event9th Workshop on Embedded Systems Security - New Delhi, India
Duration: 12 Oct 201412 Oct 2014
Conference number: 9
http://www.wikicfp.com/cfp/servlet/event.showcfp?eventid=38626 (Link to Workshop Information)

Workshop

Workshop9th Workshop on Embedded Systems Security
Abbreviated titleWESS'14 (ESWEEK)
CountryIndia
CityNew Delhi
Period12/10/1412/10/14
Internet address

Fingerprint

Ethernet
Cryptography
Field programmable gate arrays (FPGA)
Computer hardware
Networks (circuits)
Printed circuit boards
Hardware security
Side channel attack
Recovery

Cite this

Johnson, A., Saha, S., Chakraborty, R. S., Mukhopadhyay, D., & Gören, S. (2014). Fault Attack on AES via Hardware Trojan Insertion by Dynamic Partial Reconfiguration of FPGA over Ethernet. In Proceedings of the 9th Workshop on Embedded Systems Security: WESS '14 Association for Computing Machinery (ACM). https://doi.org/10.1145/2668322.2668323
Johnson, Anju ; Saha, Sayandeep ; Chakraborty, Rajat Subhra ; Mukhopadhyay, Debdeep ; Gören, Sezer. / Fault Attack on AES via Hardware Trojan Insertion by Dynamic Partial Reconfiguration of FPGA over Ethernet. Proceedings of the 9th Workshop on Embedded Systems Security: WESS '14 . Association for Computing Machinery (ACM), 2014.
@inproceedings{7018440be378494ea567b93b00990968,
title = "Fault Attack on AES via Hardware Trojan Insertion by Dynamic Partial Reconfiguration of FPGA over Ethernet",
abstract = "We describe a novel methodology to exploit the widely used Dynamic Partial Reconfiguration (DPR) support in Field Programmable Gate Arrays (FPGAs) to implant a hardware Trojan in an Advanced Encryption Standard (AES) encryption circuit implemented on a FPGA. The DPR is performed by transferring the required partial configuration bitstream file over an Ethernet connection to the FPGA board, from an attacker's computer which can communicate with the FPGA over a network. The inserted Trojan launches a {"}fault attack{"} on the AES encryption circuit, which enables recovery of the secret key by standard mathematical analysis of the faulty ciphertext produced. To the best of our knowledge, this is the first reported attack which exploits DPR to break an AES hardware implementation on FPGA. Our implementation results establish this to be an extremely potent attack on AES at low hardware and computational overhead, while using the standard unlicensed FPGA design tools.",
author = "Anju Johnson and Sayandeep Saha and Chakraborty, {Rajat Subhra} and Debdeep Mukhopadhyay and Sezer G{\"o}ren",
year = "2014",
month = "10",
day = "12",
doi = "10.1145/2668322.2668323",
language = "English",
booktitle = "Proceedings of the 9th Workshop on Embedded Systems Security",
publisher = "Association for Computing Machinery (ACM)",
address = "United States",

}

Johnson, A, Saha, S, Chakraborty, RS, Mukhopadhyay, D & Gören, S 2014, Fault Attack on AES via Hardware Trojan Insertion by Dynamic Partial Reconfiguration of FPGA over Ethernet. in Proceedings of the 9th Workshop on Embedded Systems Security: WESS '14 . Association for Computing Machinery (ACM), 9th Workshop on Embedded Systems Security, New Delhi, India, 12/10/14. https://doi.org/10.1145/2668322.2668323

Fault Attack on AES via Hardware Trojan Insertion by Dynamic Partial Reconfiguration of FPGA over Ethernet. / Johnson, Anju; Saha, Sayandeep; Chakraborty, Rajat Subhra; Mukhopadhyay, Debdeep; Gören, Sezer.

Proceedings of the 9th Workshop on Embedded Systems Security: WESS '14 . Association for Computing Machinery (ACM), 2014.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

TY - GEN

T1 - Fault Attack on AES via Hardware Trojan Insertion by Dynamic Partial Reconfiguration of FPGA over Ethernet

AU - Johnson, Anju

AU - Saha, Sayandeep

AU - Chakraborty, Rajat Subhra

AU - Mukhopadhyay, Debdeep

AU - Gören, Sezer

PY - 2014/10/12

Y1 - 2014/10/12

N2 - We describe a novel methodology to exploit the widely used Dynamic Partial Reconfiguration (DPR) support in Field Programmable Gate Arrays (FPGAs) to implant a hardware Trojan in an Advanced Encryption Standard (AES) encryption circuit implemented on a FPGA. The DPR is performed by transferring the required partial configuration bitstream file over an Ethernet connection to the FPGA board, from an attacker's computer which can communicate with the FPGA over a network. The inserted Trojan launches a "fault attack" on the AES encryption circuit, which enables recovery of the secret key by standard mathematical analysis of the faulty ciphertext produced. To the best of our knowledge, this is the first reported attack which exploits DPR to break an AES hardware implementation on FPGA. Our implementation results establish this to be an extremely potent attack on AES at low hardware and computational overhead, while using the standard unlicensed FPGA design tools.

AB - We describe a novel methodology to exploit the widely used Dynamic Partial Reconfiguration (DPR) support in Field Programmable Gate Arrays (FPGAs) to implant a hardware Trojan in an Advanced Encryption Standard (AES) encryption circuit implemented on a FPGA. The DPR is performed by transferring the required partial configuration bitstream file over an Ethernet connection to the FPGA board, from an attacker's computer which can communicate with the FPGA over a network. The inserted Trojan launches a "fault attack" on the AES encryption circuit, which enables recovery of the secret key by standard mathematical analysis of the faulty ciphertext produced. To the best of our knowledge, this is the first reported attack which exploits DPR to break an AES hardware implementation on FPGA. Our implementation results establish this to be an extremely potent attack on AES at low hardware and computational overhead, while using the standard unlicensed FPGA design tools.

U2 - 10.1145/2668322.2668323

DO - 10.1145/2668322.2668323

M3 - Conference contribution

BT - Proceedings of the 9th Workshop on Embedded Systems Security

PB - Association for Computing Machinery (ACM)

ER -

Johnson A, Saha S, Chakraborty RS, Mukhopadhyay D, Gören S. Fault Attack on AES via Hardware Trojan Insertion by Dynamic Partial Reconfiguration of FPGA over Ethernet. In Proceedings of the 9th Workshop on Embedded Systems Security: WESS '14 . Association for Computing Machinery (ACM). 2014 https://doi.org/10.1145/2668322.2668323