The generation of the application cryptogram in the EMV specification is studied, and the session key is found to contain redundant (dummy) bits. Combining these redundant bits with the compression property of the DES S-boxes, a collision-based safe-error attack is used to break the application cryptogram master key in the EMV specification. A physical model of differential fault injection against application cryptogram generation and the steps to carry it out are proposed. The two key factors that determine the attack's effectiveness, the probability of producing a faulty key and the probability of a collision, are analyzed in depth. Theoretical results, in particular for different fault models, and a simulation of the attack are given. The experiments show that in a real attack two keys can be distinguished as long as the difference between their collision probabilities is greater than 0.0035. The results also show that the redundant bits in the session key raise the collision probability, which makes the correct key easier to distinguish. Finally, several countermeasures against the attack are proposed.
Chinese Journal of Network and Information Security