Security in Embedded Hardware Chapter 6
16 Questions
Questions and Answers

What do non-invasive attacks require?

access to the internal components of the device

What is the goal of non-invasive physical attacks, also known as side-channel attacks?

  • To physically harm the device
  • To induce faults in the device
  • To protect the passivation layer
  • To gather information about cryptographic operations in embedded systems (correct)

What type of attacks exploit side channels?

Physical Attacks

Passive Side-Channel Attacks involve the observer inducing faults.

False

Timing Side Channel in SEH Exercise 2 Code snippet checks whether input complies with __________.

secret passphrase

What happens if the most significant bit (MSBit) of byte 𝒚𝒋,𝒊 is 1?

It is XORed with an irreducible polynomial

What is the result if 𝑦𝑗,𝑖 = 1101 0100₂ is left-shifted and XORed with 1 0001 1011?

0 1011 0011₂

Multiplication in GF(2⁸) takes one cycle longer when the most significant bit (MSBit) is 1. (True/False)

True

Match the steps in the beginning of AES encryption with their descriptions:

  • XOR operation with a key byte 𝑘[𝑖] = Input of the AES S-box
  • Output of the S-box after XOR operation = Input for MixColumn block
  • Permuted after S-box output = Output after MixRows

What does the evaluation of strcmp() depend on, in the context of matched characters in a sequence?

each matched character

How many rounds are involved in the AddRoundKey operation in AES?

9

In AES, how many bits does the 128-bit plaintext consist of?

16 Bytes

How is each byte of the data block replaced in the SubBytes operation of AES?

by another according to a known rule (Rijndael substitution box)

How many rounds are involved in the Shift Rows operation in AES?

9

What kind of field is used for multiplication in the Mix Columns operation in AES?

Galois Field GF(8)

What does the multiplication in Galois Field GF(8) involve in AES?

multiplying bytes with 1, 2, or 3

    Study Notes

    Integrated Circuit Packaging

    • A semiconductor die is the functional circuit of a microchip
    • The die is protected by a passivation layer, which is the target of invasive attacks
    • The die is connected to the lead frame through bonding wires, and is encased in a resin mold (chip case)

    Physical Attacks

    • Physical attacks require physical accessibility to the target system
    • Non-invasive attacks do not physically harm the device, but can exploit side channels
    • Semi-invasive attacks require access to the internal components of the device, but the passivation layer remains intact
    • Invasive attacks require access to the internal components of the device and may involve tampering or partially destroying the passivation layer

    Non-Invasive Physical Attacks

    • Non-invasive physical attacks are also known as side-channel attacks
    • The goal of these attacks is to gather information about cryptographic operations in embedded systems
    • The attacker has full control over power and clock lines
    • Passive side-channel attacks involve observing physical properties, such as timing, power consumption, electromagnetic fields, and acoustic signals
    • Active side-channel attacks involve inducing faults, such as fault analysis and glitch analysis

    Passive Side-Channel Attacks

    • Side-channel analysis involves observing physical properties to gather information about secret keys
    • Side-channel information can be obtained through electromagnetic emissions, heat, timing, and power consumption

    Timing Side Channel in SEH Exercise 2

    • The code snippet checks whether the input complies with a secret passphrase
    • For each correctly matched character, the evaluation of strcmp() takes longer, revealing a timing side channel

    Timing Attack on AES

    • Timing attacks can be used to compromise the security of AES encryption
    • Each byte of the plaintext is encoded with one byte of the key using bitwise XOR
    • The AES encryption process involves multiple rounds of substitution and permutation

    Advanced Encryption Standard (AES)

    • AES is a symmetric-key block cipher that uses a substitution-permutation network
    • The encryption process involves 10 rounds of AddRoundKey, SubBytes, ShiftRows, and MixColumns
    • Each round involves adding a round key, substituting bytes using a substitution box, shifting rows, and mixing columns

    SubBytes

    • SubBytes involves replacing each byte of the data block with another byte according to a known rule
    • The substitution box is a fixed table that is used to substitute bytes

    ShiftRows

    • ShiftRows involves shifting bytes row by row
    • The bytes are shifted in a circular manner, with the last byte of each row becoming the first byte of the next row

    MixColumns

    • MixColumns involves mixing bytes within each column
    • The mixing is done using a matrix multiplication in a Galois field

    Closer Look at Mixed Column

    • The mixed column operation involves multiplying bytes with 1, 2, or 3
    • The multiplication is performed in a Galois field, using a binary polynomial representation of bytes
    • The multiplication takes one cycle longer when the most significant bit (MSBit) is 1

    Attack Setting

    • The attacker encrypts random data blocks using AES and observes the timing of a single byte operation inside MixColumn
    • The attacker can learn the timing difference between MSBit 1 and MSBit 0, which can be used to compromise the security of the AES encryption.

    S-Box and Its Function

    • S-Box is a lookup table used in substitution-permutation networks
    • It takes a plaintext byte x and a key byte k as inputs, and produces a ciphertext byte y
    • The S-Box operation is a bitwise XOR of x and k, followed by a lookup in the table

    Basic Principle of Attack

    • The attack is based on the fact that the most-significant bit of the S-Box output y is known
    • The attacker makes a hypothesis about the key byte k and computes the corresponding S-Box output y'
    • If the most-significant bit of y' matches the known bit of y, the key hypothesis could be correct or wrong
    • If the most-significant bit of y' does not match, the key hypothesis is wrong

    Number of Hypotheses

    • There are 2^8 = 256 possible key hypotheses for a single byte

    Learning About the Key

    • Encrypt multiple plaintexts p_i such that the bytes p_i[j] are known
    • For each known plaintext byte, compute the S-Box output for all 256 possible key hypotheses
    • Compare the most-significant bit of each output with the known bit of y
    • The key hypothesis that leads to the same bit is the correct key byte

    Attack Strategy

    • Test with multiple bytes to reduce the number of possible key hypotheses
    • Use the known most-significant bit of y to eliminate wrong key hypotheses

    Alternative Attack

    • If only the total encryption time is known, the attack can be modified
    • Observe the timing of multiple encryptions with random inputs
    • Select one S-Box output as the attack target and calculate the average timing for each key hypothesis
    • Compare the differences between the average timings and select the key with the largest difference

    Attack on AES Software Implementation

    • An example attack on an AES software implementation was performed using 10,000 timing measurements
    • The attack resulted in the recovery of the key byte

    Related Documents

    6-noninv-phy-attacks-1 (1).pdf

    Description

    Learn about non-invasive physical attacks on embedded hardware, including the security of integrated circuit packaging and the role of semiconductor die and bonding wires.
