Differential fault analysis (DFA) is a type of activeside-channel attack in the field ofcryptography, specificallycryptanalysis. The principle is to inducefaults—unexpected environmental conditions—into cryptographic operations to reveal their internal states.
Taking asmartcard containing an embeddedprocessor as an example, some unexpected environmental conditions it could experience include being subjected to high temperature, receiving unsupportedsupply voltage or current, being excessivelyoverclocked, experiencing strongelectric ormagnetic fields, or even receivingionizing radiation to influence the operation of the processor. When stressed like this, the processor may begin to output incorrect results due to physicaldata corruption, which may help acryptanalyst deduce the instructions that the processor is running, or what the internal state of its data is.[1][2]
ForDES andTriple DES, about 200 single-flipped bits are necessary to obtain a secretkey.[3] DFA has also been applied successfully to theAES cipher.[4]
Many countermeasures have been proposed to defend from these kinds of attacks. Most of them are based on error detection schemes.[5][6]
A fault injection attack involves stressing thetransistors responsible forencryption tasks to generate faults that will then be used as input for analysis. The stress can be an electromagnetic pulse (EM pulse orlaser pulse).
Practical fault injection consists of using an electromagnetic probe connected to a pulser or a laser generating a disturbance of a similar length to the processor'scycle time (of the order of a nanosecond). The energy transferred to the chip may be sufficient to burn out certain components of the chip, so the voltage of the pulser (a few hundred volts) and the positioning of the probe must be finely calibrated. For greater precision, the chips are often decapsulated (chemically eroded to expose the bare silicon).[7]
 | This cryptography-related article is astub. You can help Wikipedia byadding missing information. |
