Inspector Data Sheet
Diode Laser Station Fast, accurate and predictable multi-in-time optical glitching for front side and back side laser attacks.
Riscure Diode Laser Station 1/12
Introduction
Key features
Protecting chips against laser fault attacks is one of the main security challenges in the smart card industry. With the Diode Laser Station, a user can perform advanced laser fault attacks that meet the highest international standards to assess if a smart card is secured against laser attacks.
• Near Infrared diode laser enabling silicon substrate penetration for back side attack • Powerful red diode laser for front side attack • Small spot sizes • Fast multi glitching
The Diode Laser Station offers a set of new features meeting the latest timing and power requests from fault injection experts around the world. The special set of diode lasers with dedicated optics and the ultra-fast and flexible control create the ultimate fault injection test solution. Its integration with the Inspector software further ensures that automation and analysis are covered by extendible modules which are flexible and easy to use.
The Diode Laser Station contains powerful red and nearinfrared diode lasers (resp. 14W, 20W). The red laser is designed for frontside testing of smart card chips and in combination with the optics it produces a spot size of 6 × 1.4 μm on the chip surface. This gives an accurate control over the chip area. The laser has sufficient power to penetrate through the gaps in the shielding commonly applied in today’s secure chips (see Figure 1). The near-infrared laser is designed for back-side testing of smart card chips. This powerful diode laser penetrates the chip substrate to reach the transistors. Riscure partners with Opto (www.opto.de), a world-renowned optical design house in Germany, for the Diode Laser Station. The optics and lasers of the system have been specifically designed to achieve the ultimate laser setup for fault injection testing.
front side
shield
substrate infrared laser
• Fast and predictable response to trigger pulse • Automatic scanning of a chip’s surface with integrated motorized XY stage • Camera inspection of laser spot and location on chip area
Powerful diode lasers
red laser
• Accurate digital scaling
back side
• Integration with Inspector’s software and fault analysis modules
Integrated with Inspector or Standalone Inspector integration: The Diode La ser Station forms an integral part of the Inspector test tool. The VC Glitcher controls the timing and power settings of the diode laser pulse, and performs triggering, synchronous power measurements and card communication. The XY stage and camera connect to the Inspector FI soft ware for navigation and automated surface scanning. The solution can further be extended with icWaves to trigger faults and to prevent a card from breaking down after a laser attack by triggering a cold reset on the VC Glitcher. Standalone: The Diode Laser Station in standalone mode can be integrated with any fault injection test software. In this mode, the XY stage and the camera (each with software and SDK) are optional.
Figure 1 Front-side and back-side testing on smart card chips Riscure Diode Laser Station 2/12
Diode Laser Station (DLS)
Multi glitching Accurate timing is critical in fault injection testing. It is required when targeting specific program instructions and it saves testing time when investigating a specific weakness. The Diode Laser Station has a stable and very fast response to a trigger which enables any multi-glitching test scenario. Figure 2 shows an example of the laser response when multi glitching with the Diode Laser Station and the VC Glitcher. At the top graph, three trigger pulses are generated with different lengths and a shortest interval of 20 nanoseconds. The bottom graph shows that the laser responds to each trigger with a constant delay of 50 nanoseconds, and with the exact same interval as the trigger pulses.
Figure 2 Measurement of three trigger pulses (top) and corresponding laser responses (bottom)
Riscure Diode Laser Station 3/12
Application WL,nJ
The Diode Laser Station is designed to test smart card chips of the latest generation. The tool has demonstrated to be very effective in testing hardware and software countermeasures in smart cards. It automates the surface scanning process, it offers fine control over the laser power, and it injects pulses with a small spot size. With the accurate and fast response to a trigger and with the ability to perform multi glitching, it is the ultimate fault injection test tool.
latch-up effect
10
1
reliable switching 0.1
not enough energy to switch
0.01
0.001 0.6
0.7
0.8
0.9
1.0
Figure 3 Relationship between injected laser energy and effect on transistors (source: Sergei Skorobogatov)
User control The user controls the following parameters from the Inspector FI software: • Flexible multi-glitch testing • Automated testing with randomized or fixed parameters: pulse length, offset, repetition count, timing • Digital scaling of laser power strength • Automatic XY scanning range
Figure 4 Red laser pulse
Adjusting power Smart card chips differ and to identify a chip’s weakest spot, one has to be able to accurately adjust the strength of the laser pulse. Figure 3 shows the relationship between laser energy and the effect on an integrated circuit. When injecting too little energy, there is no effect, and when injecting too much energy, the so-called latchup effect occurs which causes chip damage. Only when injecting the right amount of energy, integrated circuitry can be effectively manipulated. With the Diode Laser Station, a user can accurately tune the laser strength from the software to find a chip’s vulnerable energy level. Figure 4 shows a short red laser pulse on a chip surface.
In addition, the following manual controls are available on the Diode Laser Station: • Back / front side position of smart card • Laser wavelength selection: near-infrared or red • Joystick driven positioning of the XY stage • Spot size variation by objective selection, focus, and spot size reducer • Light reduction filters for lowest power range
Riscure Diode Laser Station 4/12
Test approach Although the Diode Laser Station is also available in standalone mode, here we assume it operates with the other Inspector components. 1. Chip preparation The chip under test should first be de-capsulated. Figure 4 shows an example of a prepared chip. Note that decapsulation equipment is not included with the Diode Laser Station. Figure 4 Chip prepared for laser attacks
2. Communication & parameters The smart card under test is inserted in the VC Glitcher. The user makes his own perturbation program on the VC Glitcher using the dedicated fault injection API in Inspector and configures the parameters such as timing and power settings of the laser pulse and triggering (e.g. see Figure 5 and Figure 6). 3. Profiling chip surface The smart card with VC Glitcher is mounted on the XY stage to perform automated scanning of the chip surface. The smart card behaviour during the tests is logged by VC Glitcher and stored on the workstation with Inspector software for further analysis. The smart card power consumption is also monitored to assist in identifying weak spots on the chip.
Chip front side (5x)
Figure 5 Fault injection parameters
Figure 6 Microscope control Riscure Diode Laser Station 5/12
Figure 7 Test results after a laser attack run: power trace, camera image, and test results for each laser pulse
4. Detailed testing in specific area Once an area of interest has been identified, detailed testing can be performed by iteratively and automatically changing the strength and duration of the laser pulse and by adjusting the timing of the injected faults. An example of the test results is shown in Figure 7. For each fault injected, the fault parameters and location, I/O of the card, and the measured power trace are logged. For more information on the software features of Inspector FI, please refer to the Inspector software data sheet. Shield covering front side (50x)
Chip surface (50x) Riscure Diode Laser Station 6/12
Solution based on typical laser cutter
Inspector Diode Laser Station
Intended application
Laser cutting, failure analysis
Side channel fault injection
Laser wavelengths
IR/Green
IR/Red
Power level control
Difficult to adjust to lower power level in efficient manner
Digital control over power level that can be adjusted in automated manner
Timing accuracy
>1000 ns propagation delay, with significant jitter
50 ns propagation delay, no jitter
Multi-glitch frequency
Max 0.050 kHz
Max 25,000 kHz
Integration
Usually a set of scripts running in different software environments
Inspector tool in one integrated software environment
Visual feedback
Oculars, camera is added separately
Camera integrated with Inspector software
Waveformbased triggering
Not available / limited to oscilloscope features
Compatible with icWaves for triggering based on a complex waveform
Diode laser versus laser cutter Most laser setups currently used for fault injection attacks on smart cards are based on laser cutting technology. Diode lasers have always been attractive but historically lacked the power and small spot size for effective chip manipulation. These issues have been resolved in the Diode Laser Station by applying a dedi cated laser and optics design and by using the latest diode laser technology. It further offers features that laser cutters do not offer: • Effective multi glitching • A short and constant trigger response time • Accurate digital control over laser power This makes the Diode Laser Station a very powerful and flexible solution for fault injection testing. The table summarises the differences between a typical laser cutter solution and the Diode Laser Station.
Riscure Diode Laser Station 7/12
Multi-Area DLS upgrade Optical fault injection is performed by illumination of a very small spot on the chip die with a powerful laser pulse. To test the vulnerability of an implementation on the die against optical fault injection Riscure developed the Diode Laser Station, providing the state-of-art in respect to timing, spot size and power. For some secure implementations or presence of fault injection countermeasures it may be required to target multiple locations. With the Multi-Area upgrade the evaluator can select two spots, e.g. cryptoprocessor and verification in the control CPU, to attack two related processes located elsewhere on the die.
System Description
Key features • Maximum flexibility towards laser spot location, timing, duration, power and number of spots • Integrates with Diode Laser Station and Inspector software to upgrade easily from single to multi-area attacks. • Optical fault injection attack scenarios including location, power, pattern and timing are fully controlled from software. • Two types of fibers that can be exchanged and renewed by the evaluator when needed. • Similar cutting-edge timing and power features as provided by the Diode Laser Station.
The multi-area Diode Laser System consists at least of two modules: a module for a single–in –location spot, i.e. Diode Laser Station, and a module for an additional spot. The additional spot is added by a laser beam through a glass fiber. The size of the laser spot is approximately the same as the core diameter of the glass fiber, provided that the glass fiber end is positioned very close to the die surface. Two types of glass fibers are provided with 50 µm and 9 µm core diameters.
Riscure Diode Laser Station 8/12
Power and timing of one laser spot is independent from the other laser spot and can be programmed from Inspector. The Splitter provides the interface for power, timing and laser selection between the VC Glitcher and two laser sources. Several Splitters can also be concatenated to interface between the VC Glitcher and multiple laser sources. The location of the primary laser spot generated by the laser microscope set-up is controlled by moving the die which is fixed to the motorized XY stage. The secondary laser spot generated by the glass fiber is controlled by a motorized XYZ manipulator. The XYZ manipulator base is positioned on top of the XY stage or besides the XY stage. The fiber is fed through a narrow tube that can be positioned almost perpendicular to the chip die surface. Control of the XYZ manipulator can be done from software, like the XY table provided with the Diode Laser Station. The manipulator can also be controlled manually by a 3-axis joystick.
Riscure Diode Laser Station 9/12
Technical specifications
808nm red laser
1064nm NIR laser
Purpose
Smart card chip frontside testing
Smart card chip backside testing
Wavelength
808 nm
1064 nm
Type
Multimode
Multimode
Max laser pulse power
14 W
20 W
Max pulse frequency
25 MHz
25 MHz
Propagation delay
50 ns
50 ns
6 × 1.4 μm
6 × 1.4 μm
Diode life time
No degradation of laser power @ 3500 hrs continuous operation. In pulsed mode many more hours.
No degradation of laser power @ 3500 hrs continuous operation. In pulsed mode many more hours.
Laser controls
Analog input 0 – 3.3 V for power level, TTL input for laser modulation, laser diode current monitor output 20 A/V
Analog input 0 – 3.3 V for power level, TTL input for laser modulation, laser diode current monitor output 20 A/V
Spot size (50× objective)
1
1
Spot size is measured as the chip surface area in which 80% of the laser power is concentrated.
Microscope
Camera
Combined course fine focus unit
2400 μm / rev – 350 μm / rev
Illumination
Cold light source Schott KL 1500 LED through fiber optic
5x objective
M Plan NIR NA=0.14 mm, F=40 mm, WD=37.5 mm
20x objective
M Plan NIR NA=0.40 mm, F=10 mm, WD=20 mm
50x objective
M Plan NIR NA=0.42 mm, F=4 mm, WD=17 mm
Frames per second
15
Sensor
1/2” Sony CCD colour
Resolution
1280 × 1024, SXGA
Die image size (5× objective)
1.2 × 1 mm
Die image size (20× objective)
300 × 250 μm
Die image size (50× objective)
120 × 100 μm
Riscure Diode Laser Station 10/12
Microscope XY stage
Operating requirements
Max. travel range
75 × 50 mm
Temperature
20 degrees Celsius +- 5 degrees
Minimum step size
0.05 μm
Relative humidity
20% – 80% non condensing
Accuracy
± 3 μm
Voltage
100 – 240V, 50 – 60 Hz
Repeatability
< 1 μm
Power
700 W max
Travel speed
45 mm/sec
Controller interface
USB and joystick
Safety box (optional) Purpose
Enable safe operation of the DLS in an open room
External Dimensions
76.5 × 53.5 × 44.5 cm (h×w×d)
Indicators
Externally visible light indicator during laser operation
Shut down
Laser power is shut down when door is opened
Safety regulations
No warranty is provided that the safety box meets local safety regulations in the country in which the DLS is operated
Accessories (optional) Additional filters
On request, additional light blocking filters to reduce laser power
Additional optics
The optics in the DLS reduce the spot size 10:1. On request, additional optics are available to produce a different reduction.
Riscure Diode Laser Station 11/12
Multi-Area DLS upgrade
Splitter
Max travel range (X/Y/Z)
25mm/25mm/25mm
~50 μm
Min step size
0.025 μm
Core diameter
9 µm and 50 µm (5 included)
Base attachment
Mechanical magnetic
Length
50 cm
Fiber holder
Glass
Connector
FC connecter for Laser-to-Fiber coupler
Controller interface
USB and 3-axis joystick
Power supply
110 - 240V, 50/60 Hz AC mains
Glass fibers
Optics
~9 μm
Includes user replaceable 0.1%, 1% and 10% filter
Splitter
Tilt table
Digital Glitch output
Voltage output range 0 – 3.3 V
Pulse amplitude output
0 – 100% Voltage output range 0 – 3.3 V
Analog glitch output
Voltage output range 0 – 3.3 V
Digital pulse input
50 Ohm impedance. Voltage input range 0 – 3.3 V Minimum pulse width 20 ns, minimum pause time in between pulses 20 ns
Pulse amplitude input
1 kOhms input impedance Voltage input range 0 – 3.3 V
Reset input
1 kOhms input impedance Voltage input range 0 – 3.3 V
Control
USB
Firmware
Field upgradable
Power
Supplied via USB
Size
120 x 120 mm
Riscure BV Frontier Building Delftechpark 49 2628 XJ Delft The Netherlands Phone: +31 (0)15 251 4090 Fax: +31 (0)15 251 4099 E-mail:
[email protected] www.riscure.com
DLS 11.09.2011
Spot Size
Riscure provides these specifications for information only. No rights can be obtained from these specifications. Riscure Diode Laser Station 12/12
