Hardware Security: Side Channel Attacks

Questions and Answers

In the context of side-channel attacks, which statement best characterizes the relationship between an algorithm's mathematical robustness and its vulnerability when implemented in hardware?

• Mathematically robust algorithms are inherently immune to side-channel attacks due to their complexity.
• Side-channel attacks primarily target the mathematical weaknesses of an algorithm, making hardware implementation irrelevant.
• The vulnerability of a hardware implementation is solely determined by the compiler optimization level used.
• Hardware implementations introduce physical characteristics that can be exploited, regardless of the algorithm's mathematical strength. (correct)

In Lab 2_1A, concerning instruction power differences, what is the most critical implication of observing variations in power consumption during the execution of different instructions?

• It provides a basis for differentiating between assembly instructions, potentially revealing the program's execution flow and sensitive operations. (correct)
• It enables the attacker to inject faults into the system by manipulating the power supply.
• It reveals the exact memory addresses being accessed during program execution.
• It allows an attacker to precisely determine the clock frequency of the target device.

In the context of trace capturing, which of the following represents the most significant challenge in accurately interpreting power traces for side-channel analysis?

• The limited resolution of modern oscilloscopes.
• The computational complexity of the Fast Fourier Transform (FFT) algorithm.
• The inherent unpredictability of the key generation process.
• The presence of noise and irrelevant data within the traces, obscuring the signals of interest. (correct)

When introducing a loop into the firmware, which of the following factors most significantly contributes to the increased execution time compared to an unrolled sequence of the same operations?

The overhead associated with loop control instructions, such as JMP and CMP, which manage the loop's iterations. (B)

When comparing the power consumption of addition versus exponential operations within a firmware, what fundamental property of exponential operations dictates their generally longer execution time?

Exponential operations are defined as repeated multiplications, which themselves are repeated additions, leading to a longer execution time. (A)

In the context of side-channel analysis, what is the most critical countermeasure a device should implement to protect against information leakage from power traces?

Hide any operation performed on it, so that an attacker will be faced with a trace that doesn't provide him any information. (A)

In Lab 2_1B, concerning power analysis for password bypass, what underlying principle allows an attacker to differentiate between traces obtained from correct and incorrect password guesses?

The distinct power consumption patterns resulting from different branches of the password check algorithm, due to the varying operations performed on correct versus incorrect characters. (D)

In side-channel attacks targeting password bypass, what is the most significant implication of observing a slight delay in the target's idling behavior after providing different password guesses?

It suggests that the check algorithm exists immediately after encountering a wrong character, while it tries to look for the second one if we provide a correct first character. (D)

In the context of automating a side-channel attack, what is the most critical advantage of computing the trace difference between a correct password guess and a wrong one?

wrong guess traces a quite similar, which outcomes a trace that varies around 0. For a correct guess, the time factor, which represents a kind of delay between two traces will lead to spikes at certain sample points.. (B)

When automating a full password attack using side-channel analysis, what is the most critical consideration regarding the guessing trace and reference trace?

The guessing trace has to be updated which is our first character and the first character of the reference trace from one part of the traces. From another part, the comparison would bee between the target's idling power trace and the other guesses in the reference trace. This will lead to obtain haaaa as a guessed password. (D)

When conducting side-channel analysis, what constitutes the most significant threat to reliable measurements, potentially requiring advanced signal processing techniques to mitigate?

The presence of electromagnetic interference and other sources of noise corrupting the power traces. (D)

In Lab 3_1, concerning large Hamming weight swings, what is the most critical rationale for setting the least significant byte to either 0x00 or 0xFF?

To achieve the greatest Hamming distance, thereby maximizing the power consumption difference for analysis. (A)

When grouping traces based on Hamming weight, what is the fundamental statistical challenge that necessitates averaging, and how does averaging address this issue?

The non-uniform distribution of traces among different Hamming weight groups, which is resolved by averaging each group to create a representative trace and reduce noise. (C)

What is the most significant advantage of analyzing the difference between averaged traces with differing Hamming weights, as opposed to directly analyzing individual traces?

It amplifies the correlation between Hamming weight and power consumption, while mitigating noise and unrelated variations. (B)

Beyond displaying differences in program flow, what is the most critical insight power analysis can provide regarding internal data processing within an encrypting device?

The manipulation of internal data, which can be exploited to crack the device. (D)

What is the fundamental security implication of successfully recovering an AES key from a single bit of data, particularly concerning the key space?

It dramatically reduces the effective key space, making brute-force attacks feasible. (C)

In the context of recovering an AES key, what property of the S-box substitution makes it a point of vulnerability suitable for side-channel attacks, and how does this manifest in practice?

Its hardware implementation's power consumption and timing characteristics depending directly on the input data (C)

What is the most fundamental benefit of using Differential Power Analysis (DPA) when attacking a firmware implementation of AES, as opposed to directly reading one bitstream from the board?

It can deal with a noisy measurement when direct measurement might be impossible. (B)

In Differential Power Analysis (DPA) what is the primary role of hypothetical intermediate values in the key recovery process?

To generate a set of values used to classify power traces and facilitate key recovery. (C)

In Lab 4 1, concerning the power and Hamming weight relationship, what key insight allows the correlation of power to hamming weight?

Each color can associate each color to its hamming weight, or plot the power consumption to hamming weight function, at the sample point where we substitute. (D)

In Hamming Weight analysis, what is the main reason of subtracting the average traces?

To get rid of the noise, and to have distinct graphs is to subtract the average from each trace. (B)

What is the most significant challenge in mitigating the intrinsic relationship between the Hamming weight of an intermediate cipher value and the power consumption of an algorithm?

Utilize security measures in order to break this tight correlation by including some randomness into operations. (B)

What is the fundamental security goal of fault injection attacks, and how do they differ from side-channel attacks?

A fault-based attack is an intentional manipulation of a target, with the goal of causing an error within the its execution flow to move the device into an unintended state whereas side-channel attacks is to extract secret information by passively monitoring a target's physical characteristics. (C)

In the context of clock glitching, what is the most critical factor that determines the success of skipping instructions within a device?

The design and usage of a very short clock cycle, caused by xoring the original clock. (D)

In clock glitching, what defines the 'width' parameter within a glitch module, and how does it impact the success of a fault injection attack?

"Width" means the width of the glitch. It is how long the glitch will be practiced,. (B)

In the context of clock glitching, what does the term 'offset' refer to, and what is its significance in launching a successful attack?

The starting time, which is how many time after clock occurs. (C)

In clock glitching attacks targeting password bypass, what is the most critical trade-off that must be considered when attempting to shorten the interval for glitching?

Glitching is more difficult here due to the nature of the software. We can see that we have a shorter interval for glitching. (D)

In clock glitching attacks, what is the role of the 'ext_offset' parameter in the glitch setup, and how does it differ from the standard 'offset' parameter?

Ext offset is the offset that the glitch will happen after the triggering is done. (A)

In the context of securing embedded systems, what is the most profound challenge posed by the interplay of side-channel and fault injection attacks?

The synergistic effect where one attack amplifies the effectiveness of the other, leading to more severe security breaches. (C)

When implementing countermeasures against side-channel attacks, what is the most fundamental challenge in ensuring their effectiveness across diverse operating conditions and attack vectors?

The complex interplay between algorithmic design, hardware implementation, and environmental factors, requiring holistic and adaptive security measures. (D)

Considering the inherent limitations of relying solely on mathematical robustness to defend against hardware attacks, what constitutes the most promising direction for future research in embedded systems security?

Developing adaptive security mechanisms that dynamically respond to changing threat models and environmental conditions. (A)

In the landscape of embedded systems security, what is the most pressing need for bridging the gap between theoretical cryptographic protocols and their practical hardware implementations?

All of the Above (D)

Flashcards

Side Channel Attacks

Attacking hardware implementation flaws, not the algorithm itself, using measurements like power consumption and timing to extract secrets.

Instruction Power Differences

Varying power usage based on operation complexity; simple addition instructions influence the power consumption

Power Analysis for Password Bypass

A method used to bypass password authentication by analyzing power consumption of the target, and determining the correct password.

Large Hamming Weight Swings

Exploiting power variations when manipulating data with large Hamming weights (number of 1s), can affects power consumption.

Recovering AES key

Recovering part of the key in AES due to a leaked bit giving information about master key making it vulnerable

DPA on AES

Differential Power Analysis on Firmware Implementation of AES by attacking to internal states after Sbox to obtains keys

Power and Hamming Weight Relationship

The Hamming Weight of an intermediate cipher value correlates to power consumption. Need randomness measures in order to break this correlation.

Fault Injection

Intentionally manipulating a target to cause errors, gaining access to critical information or disabling protections.

Clock Glitching

Device skips some instructions, this can be done by Xoring a glitching clk to the original clk of the device

Glitching Parameters

Width: How long the glitch will be practiced, offset: when the glitch trigger will start, Steps: Iterate over Width and offset parameters. Repeat: Retries the given number of times

Study Notes

• These study notes cover the document "Hardware Security: Lab Report" focusing on side channel and fault injection attacks.

Side Channel Attacks

• Side channel attacks exploit flaws in hardware implementations rather than attacking the algorithm itself.
• These attacks leverage measurable parameters like current consumption and computation time to extract secret information.
• Different operations within an algorithm result in varying power consumption levels.
• Instructions with varying complexity exhibit differing power consumption patterns.
• Power analysis can reveal details about the operations being performed, which necessitates hiding operations.

Lab 2_1A: Instruction Power Differences

• Power consumption measurements can be used to distinguish between assembly instructions.
• The 'capture_trace' function generates a 5000-sample trace by encrypting a plaintext/key pair.
• Modifying the firmware, specifically the simpleserial-base.c file, alters the behavior and captured traces.
• A repetitive pattern observed in the trace relates to the infinite loop in the code.
• The initial pattern is associated with platform initialization and the 'get_pt' function.
• Addition operations impact the power trace.
• Addition via loop takes more time to execute than unrolled addition.
• Exponential operations exhibit longer execution times compared to addition.

Lab 2_1B: Power Analysis for Password Bypass

• The lab involves using differences in power traces to bypass password checks.
• The 'cap_pass_trace' function is designed to capture traces during password attempts.
• It resets the target, arms the scope for capturing, sends the password guess, and retrieves the trace.
• Slight delays in traces can indicate processing differences based on input characters:
• An incorrect password causes the target to idle, while a correct first character leads to continued checks.
• Plotting traces for all possible characters can highlight an outlier trace, representing the correct character.
• Automating the attack involves computing trace differences with a known incorrect guess.
• A spike in the trace difference indicates a correct character guess.

Attack Automation

• The guessing trace needs continuous updating to compare correctly to each character's trace
• The reference trace should also be updated for each correct guess, as the target goes to idle after an incorrect guess.
• Side channel attacks break devices by using power to determine timing and other sensitive info

Lab 3_1: Large Hamming Weight Swings

• Exploits variations in power consumption based on the firmware.
• Aimed at breaking a password by revealing when the correct character is guessed
• Reduces the scope of brute-forcing by dividing the attack into parts.
• The 'ktp.next' method generates plaintext/key pairs
• An array is created to store each trace.
• Sets the byte to one 2 values of 0x00 or 0xFF, based on the least significant bit.
• A target is written and the scope set to capture
• A corresponding list contains it's corresponding text and the process is repeated

Grouping Traces

• Two lists created for grouping traces by hamming weight of each bytes, either one or zero.
• NumPy is implemented to average array to end with one trace the result.

Comparing Traces

• The traces for each group are computed with a subtraction formula

Conclusion

• Large swings in power can occur when the target manipulates both 0x00 and 0xFF.
• Setting different plaintext bytes causes spikes at different sampling points, dependent on Hamming distance.
• Power analysis can be useful for attackers in cracking encrypting devices.

Lab 3_2: Recovering AES Key From A Single Bit Of Data

• Involves recovering the AES key from a single bit of data.
• Knowing one bit of data from the secret key of the original round allows an attacker to guess 1 byte
• Since key expansion happened mostly after the first round, the first round is just the master key
• The hard coded AES internal function gets a value and then uses sbox manipulation and bitwise XOR.
• In the AES secret function, one byte is hardcoded as OxEF

Implementing Leakage

• By applying a bitwise AND operation, you get the least significant bit value of the internal state

Lab 3_3: DPA on Firmware Implementation of AES

• Demonstrates attacking the state after the S-Box using differential power analysis (DPA).
• Measure traces, then know the corresponding code/cipher text
• Choose leakage model, most commonly LSB
• Inferring original leakage from peaks and troughs in original leak of power consumption versus the hyphotetical, assumed one
• In the classification step, arrays of traces classify LSB based leakages with code " if hypothetical_leakage 0x01:.."
• In the for() loops, code iterates from range 0 to 256, to bruteforce key guessing
• For each loop, get a AES internal (guess, input) where subkey (0th,1st so on) is implemented and then use.

Lab 4_1: Power and Hamming Weight Relationship

• Lab investigates relationship between power and hamming weight, and how data can be recovered
• Data is gathered as an AES state with a Basic KTP object
• Key value is set with target object

Hamming Weight Computation

• Implement hamming weight functions
• Create code based apon the bin().count("1") method
• Create functions where traces are computed
• Code plots a visual distribution of AES internal objects
• Output is not visible due to plots being extremely noisy
• To fix this use a averaging method that gets rid of the noise
• To properly create visual distribution, create a for loop and then numpy is used on an array where another numpy mean is in axis = 0
• Resulting figures can then be deduced

Automation

• A function will be coded to locate a Sbox operation, this is for automation purpose.
• Code associates each color to each corresponding weight, then plotting the hamming weight to resulting function

Fault Injection

• Fault injection intentionally manipulates a target triggering errors and unintended states in order to:
• Gain access to safety-critical information or.
• Disable internal protection mechanisms
• It couples with various channel attacks like injection attacks to gain more information

Fault 1_1: Intro to Clock Glitching

• Achieved when short circuit like cycles are added to device where instructions are skipped by device.
• Clocking helps load instructions and the device immediately loads next instruction because the glitched clock doesn't allow to execute current.
• The glitch, is done by XORing the glitching clock to the original device clock where the clock is divided into small clock up and one wide clock down

Implementation

• Code target increases counter in 2 loops, if last result isn't 2500 it means we were successful in at least one clocking.
• Glitch module is needed
• Set up ranges for the glitch and make code to try out the ranges on width and offset of the glitch
• Repeat the re-tries the glitch

Fault 1_2: Clock Glitching to Bypass Password

• Similar approach to lab 1 with similar scanning methods
• The function "ext offset" is utilized due to the fact trigers might not work as intended at first
• On an example, it takes many tries to work to glitch the device.