FIPS 140-3 introduces this new section to specify requirements to protect the cryptographic module against attacks that do not require physical access to the module. The requirements are yet to be defined although they are expected to outline test metrics for the evaluation of countermeasures against non-invasive attacks such as single/differential power analysis (SPA/DPA), voltage/clock glitching, etc.
Although the list of non-invasive attacks a module should be able to mitigate and the specific evaluation metrics are yet to be defined, the Zynq UltraScale+ MPSoC includes built-in DPA countermeasures (see Developing Tamper-Resistant Designs with Zynq UltraScale+ Devices (XAPP1323)).
To protect against DPA attacks, it is extremely important to reduce the amount of side-channel data an adversary can collect on any one key. To this end, the device authenticates images (before decrypting them) to detect random (or invalid) images the adversary loads on the device in an attempt to increase the amount of information the side-channel leaks. Furthermore, each image is broken up into multiple smaller blocks and each block is encrypted using its own unique user-defined key to reduce the amount of data that can be collected for a single key.
The device also employs a key rolling technique to avoid having to store all the decryption keys on the chip. In this technique, only the decryption key for the first block of the image is stored in on-chip memory while all the other keys are stored in the blocks of the image (i.e., each block contains the decryption key of the next block).
To mitigate glitching attacks, the Zynq UltraScale+ MPSoC implements the following countermeasures to continuously monitor the health of the device at runtime:
- CSU/PMU triple redundant processors
- ECC on PS and DDR memories
- SHA integrity checks on immutable ROM code
- SecMon IP
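
The authenticate-then-decrypt flow and key rolling described above for DPA mitigation, as an added Python sketch (not Xilinx code and not the device's image format). The SHA-256 keystream stands in for the device's cipher, the digest check stands in for image authentication, and all function names, the 32-byte key and the 64-byte block size are assumptions.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # assumed key size for this sketch

def _xor_stream(key, data):
    # Stand-in cipher (SHA-256 in counter mode), NOT the device's AES engine.
    stream = b""
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def build_image(first_key, payload, block_size):
    """Split payload into blocks; block i carries the key for block i+1."""
    chunks = [payload[i:i + block_size] for i in range(0, len(payload), block_size)]
    keys = [first_key] + [os.urandom(KEY_LEN) for _ in chunks[1:]]
    keys.append(bytes(KEY_LEN))  # last block has no successor: zero filler
    return [_xor_stream(keys[i], keys[i + 1] + c) for i, c in enumerate(chunks)]

def image_digest(blocks):
    # Stand-in for the image's authentication value; uses no secret key.
    h = hashlib.sha256()
    for b in blocks:
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()

def load_image(first_key, blocks, trusted_digest):
    """Authenticate first, then decrypt, rolling to the key found in each block."""
    if not hmac.compare_digest(image_digest(blocks), trusted_digest):
        raise ValueError("image rejected before any key was used")
    key, out = first_key, b""
    for blob in blocks:
        plain = _xor_stream(key, blob)
        key, out = plain[:KEY_LEN], out + plain[KEY_LEN:]
    return out

if __name__ == "__main__":
    k0 = os.urandom(KEY_LEN)  # the only key that would be held on-chip
    payload = b"constructed boot payload " * 10  # constructed sample input
    blocks = build_image(k0, payload, 64)
    assert load_image(k0, blocks, image_digest(blocks)) == payload
    print(len(blocks), "blocks, each key covers at most", KEY_LEN + 64, "bytes")
```

A modified image is rejected before `first_key` is ever applied to it, and no single key processes more than one block's worth of data, which is what bounds the side-channel traces available per key.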