Abstract
We have devised a frequency injection attack which is able to destroy the source of entropy in ring-oscillator-based true random number generators (TRNGs). A TRNG will lock to frequencies injected into the power supply, eliminating the source of random jitter on which it relies. We are able to reduce the keyspace of a secure microcontroller based on a TRNG from $2^{64}$ to 3300, and successfully attack a 2004 EMV (‘Chip and PIN’) payment card. We outline a realistic covert attack on the EMV payment system that requires only 13 attempts at guessing a random number that should require $2^{32}$. The theory, three implementations of the attack, and methods of optimisation are described.
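An added illustration, not code from the paper: a toy Python model of the effect the abstract describes, in which removing the period jitter of a sampled ring oscillator collapses its output to a short repeating pattern, together with a simple output check (distinct words, shortest period) that exposes the collapse. The oscillator model, its parameters and all function names are assumptions made for this example.

```python
import random

def sample_ring(n_bits, ring_period, sample_period, jitter_sigma, seed=1):
    """Toy model (assumption): one ring-oscillator square wave sampled by a
    slower clock. Each ring cycle gets independent Gaussian period jitter;
    jitter_sigma=0 stands in for the injection-locked state."""
    rng = random.Random(seed)
    bits, t_edge, period = [], 0.0, ring_period
    for k in range(1, n_bits + 1):
        t_sample = k * sample_period
        while t_edge + period <= t_sample:   # advance to the cycle being sampled
            t_edge += period
            period = ring_period + rng.gauss(0.0, jitter_sigma)
        # Output 1 in the first half of the ring cycle, 0 in the second half.
        bits.append(1 if (t_sample - t_edge) / period < 0.5 else 0)
    return bits

def distinct_words(bits, width=16):
    """Number of different non-overlapping width-bit words in the stream."""
    stop = len(bits) - width + 1
    return len({tuple(bits[i:i + width]) for i in range(0, stop, width)})

def shortest_period(bits, max_period=64):
    """Smallest p <= max_period with bits[i] == bits[i + p] everywhere, else None."""
    for p in range(1, max_period + 1):
        if all(bits[i] == bits[i + p] for i in range(len(bits) - p)):
            return p
    return None

def health_report(bits):
    """Summary a power-on or continuous self-test could compare to thresholds."""
    return {"distinct_16bit_words": distinct_words(bits),
            "period": shortest_period(bits)}

# Constructed parameters: ring period 1.0, sampler fires every 200.25 ring periods.
FREE = dict(ring_period=1.0, sample_period=200.25, jitter_sigma=0.05)
LOCKED = dict(ring_period=1.0, sample_period=200.25, jitter_sigma=0.0)

if __name__ == "__main__":
    print("free-running:", health_report(sample_ring(2048, **FREE)))
    print("locked      :", health_report(sample_ring(2048, **LOCKED)))
```

In the free-running case the jitter accumulated over about 200 ring cycles spreads the sampled phase across a whole period, so successive bits are close to independent; with the jitter removed the sampled phase steps through a fixed cycle and the stream repeats.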
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Markettos, A.T., Moore, S.W. (2009). The Frequency Injection Attack on Ring-Oscillator-Based True Random Number Generators. In: Clavier, C., Gaj, K. (eds) Cryptographic Hardware and Embedded Systems - CHES 2009. CHES 2009. Lecture Notes in Computer Science, vol 5747. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04138-9_23
DOI: https://doi.org/10.1007/978-3-642-04138-9_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04137-2
Online ISBN: 978-3-642-04138-9
eBook Packages: Computer Science, Computer Science (R0)