Zen and the Art of Breaking Security - Part II
Today we will continue our journey into the less explored ways to break security. Part one has explained what Zen has to do with the topic.
There are cases in which "gentle" techniques like timing or power analyses are not enough to fulfill the attacker's goal. Or the goal itself is not to break the protection scheme but to break through it, to the end target the mechanism is protecting, in a modern reenactment of Alexander the Great's "solution" to the Gordian knot. Enter failure-inducing attacks, in which the technique is to induce a failure in the very protection mechanism itself.
Since computing equipment uses electrical power to function, manipulating the supply voltage becomes an obvious target. A handy but coarse attack would be to blow the circuit up in smoke by applying 110/220V mains voltage to it. Not elegant and a bit dangerous, but perfectly valid in the real world if this is what it takes to access a bank safe.
This is the very reason security systems should have a fail-safe operation: the failure of the protection mechanism should leave the rest of the system in a secure state. A power lock should keep the door locked in the event of a power outage, and a firewall should be designed so that if its software crashes, all traffic is blocked between its interfaces.
There are finer approaches to voltage attacks though. An electrical system, particularly a complex and delicate one like today's digital systems, only works correctly within a specified range of the supply voltage. What happens if we lower this voltage but just enough to cause malfunctions in the system's behavior? If the Vcc, ideally at +5V, is allowed to be between 4.7 and 5.5V, what happens if we make it 4.6V? Does the circuit detect it and shut down?
Not necessarily, and  describes how a microcontroller and a security processor were both successfully attacked this way. In the former case, the microcontroller had its Vcc (normally +5V) raised up to Vpp - 0.5V (Vpp is normally +12V) during repeated attempts to clear the chip's security bit. In the latter case, the power was momentarily dropped in order to cause the release of the chip's security lock.
Yet another voltage-lowering attack referenced in  caused a smartcard's pseudo-random generator to output mainly digits of 1, compromising the quality of the encryption key.
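The defensive counterpart to the failure just described is a continuous health test on the raw generator output, run before any of it becomes key material. The following is an added example, not code from the article or from any product it mentions: a monobit check and a repetition-count check of the kind a smartcard's firmware could apply to each block of generator output. The 40%..60% acceptance band, the 512-bit sample size and the run cutoff of 21 are choices made here, and both samples are constructed since no real hardware is involved.

```c
#include <stdint.h>
#include <stdio.h>
#define SAMPLE_BYTES 64                        /* 512 bits per health check */
#define MIN_ONES (SAMPLE_BYTES * 8 * 4 / 10)   /* accept only 40%..60% ones */
#define MAX_ONES (SAMPLE_BYTES * 8 * 6 / 10)
#define MAX_RUN  21   /* SP 800-90B repetition-count cutoff, 1 bit/sample, alpha 2^-20 */

/* Monobit statistic: number of set bits in the sample. */
static unsigned count_ones(const uint8_t *buf, size_t len) {
    unsigned ones = 0;
    for (size_t i = 0; i < len; i++)
        for (uint8_t b = buf[i]; b; b >>= 1)
            ones += b & 1u;
    return ones;
}
/* Repetition-count statistic: longest run of identical bits, MSB first. */
static unsigned longest_run(const uint8_t *buf, size_t len) {
    unsigned best = 0, run = 0;
    int prev = -1;
    for (size_t i = 0; i < len * 8; i++) {
        int bit = (buf[i / 8] >> (7 - i % 8)) & 1;
        run = (bit == prev) ? run + 1 : 1;
        prev = bit;
        if (run > best) best = run;
    }
    return best;
}
/* 1 if the sample may feed key generation, 0 if the generator must be treated as failed. */
static int rng_health_ok(const uint8_t *buf, size_t len) {
    unsigned ones = count_ones(buf, len);
    if (ones < MIN_ONES || ones > MAX_ONES) return 0;   /* biased toward 0 or 1 */
    if (longest_run(buf, len) >= MAX_RUN) return 0;     /* output stuck at one value */
    return 1;
}
/* Constructed sample: 7 of every 8 bits set, the "mainly 1s" failure described above. */
static void fill_degraded(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)~(1u << (i % 8));
}
/* Constructed balanced sample (4 ones per byte, no long runs) standing in for a healthy source. */
static void fill_balanced(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = (i & 1) ? 0x5A : 0xA5;
}
int main(void) {
    uint8_t buf[SAMPLE_BYTES];
    fill_degraded(buf, sizeof buf);
    printf("degraded sample accepted: %d\n", rng_health_ok(buf, sizeof buf));   /* 0 */
    fill_balanced(buf, sizeof buf);
    printf("balanced sample accepted: %d\n", rng_health_ok(buf, sizeof buf));   /* 1 */
    return 0;
}
```

Note that the degraded sample's longest run (14 bits) stays below the repetition cutoff, so only the monobit check catches it; the two tests cover different failure shapes and belong together.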
In situations where direct access to the circuit is not possible, there are other ways to induce failure: irradiation (which affects the state of register and memory cells) or temperature (freezing the circuits with a chemical spray or heating them with a portable device). Military-grade integrated circuits have better temperature tolerances, but the wider range was intended to accommodate harsh weather conditions, not security attacks.
We have so far explored several possibilities which, however off the beaten path they may seem, still revolve around computing and electricity. For a totally fresh approach to solving a security problem, specifically breaking DES, credits go to the authors of  and , who carried forward an idea set out by Leonard Adleman. In , Prof. Adleman described a way to solve a mathematical problem (the directed Hamiltonian path, also known as the traveling salesman problem: finding the path that goes exactly once through all nodes of a graph), pro