Security in Embedded Hardware Chapter 6

Integrated Circuit Packaging

• A semiconductor die is the functional circuit of a microchip
• The die is protected by a passivation layer, which is the target of invasive attacks
• The die is connected to the lead frame through bonding wires, and is encased in a resin mold (chip case)

Physical Attacks

• Physical attacks require physical accessibility to the target system
• Non-invasive attacks do not physically harm the device, but can exploit side channels
• Semi-invasive attacks require access to the internal components of the device, but the passivation layer remains intact
• Invasive attacks require access to the internal components of the device and may involve tampering or partially destroying the passivation layer

Non-Invasive Physical Attacks

• Non-invasive physical attacks are also known as side-channel attacks
• The goal of these attacks is to gather information about cryptographic operations in embedded systems
• The attacker has full control over power and clock lines
• Passive side-channel attacks involve observing physical properties, such as timing, power consumption, electromagnetic fields, and acoustic signals
• Active side-channel attacks involve inducing faults, such as fault analysis and glitch analysis

Passive Side-Channel Attacks

• Side-channel analysis involves observing physical properties to gather information about secret keys
• Side-channel information can be obtained through electromagnetic emissions, heat, timing, and power consumption

Timing Side Channel in SEH Exercise 2

• The code snippet checks whether the input complies with a secret passphrase
• For each correctly matched character, the evaluation of strcmp() takes longer, revealing a timing side channel

Timing Attack on AES

• Timing attacks can be used to compromise the security of AES encryption
• Each byte of the plaintext is encoded with one byte of the key using bitwise XOR
• The AES encryption process involves multiple rounds of substitution and permutation

Advanced Encryption Standard (AES)

• AES is a symmetric-key block cipher that uses a substitution-permutation network
• The encryption process involves 10 rounds of AddRoundKey, SubBytes, ShiftRows, and MixColumns
• Each round involves adding a round key, substituting bytes using a substitution box, shifting rows, and mixing columns

SubBytes

• SubBytes involves replacing each byte of the data block with another byte according to a known rule
• The substitution box is a fixed table that is used to substitute bytes

ShiftRows

• ShiftRows involves shifting bytes row by row
• The bytes are shifted in a circular manner, with the last byte of each row becoming the first byte of the next row

MixColumns

• MixColumns involves mixing bytes within each column
• The mixing is done using a matrix multiplication in a Galois field

Closer Look at Mixed Column

• The mixed column operation involves multiplying bytes with 1, 2, or 3
• The multiplication is performed in a Galois field, using a binary polynomial representation of bytes
• The multiplication takes one cycle longer when the most significant bit (MSBit) is 1

Attack Setting

• The attacker encrypts random data blocks using AES and observes the timing of a single byte operation inside MixColumn
• The attacker can learn the timing difference between MSBit 1 and MSBit 0, which can be used to compromise the security of the AES encryption.### S-Box and Its Function
• S-Box is a lookup table used in substitution-permutation networks
• It takes a plaintext byte x and a key byte k as inputs, and produces a ciphertext byte y
• The S-Box operation is a bitwise XOR of x and k, followed by a lookup in the table

Basic Principle of Attack

• The attack is based on the fact that the most-significant bit of the S-Box output y is known
• The attacker makes a hypothesis about the key byte k and computes the corresponding S-Box output y'
• If the most-significant bit of y' matches the known bit of y, the key hypothesis could be correct or wrong
• If the most-significant bit of y' does not match, the key hypothesis is wrong

Number of Hypotheses

• There are 2^8 = 256 possible key hypotheses for a single byte

Learning About the Key

• Encrypt multiple plaintexts pi such that the bytes pi[j] are known
• For each known plaintext byte, compute the S-Box output for all 256 possible key hypotheses
• Compare the most-significant bit of each output with the known bit of y
• The key hypothesis that leads to the same bit is the correct key byte

Attack Strategy

• Test with multiple bytes to reduce the number of possible key hypotheses
• Use the known most-significant bit of y to eliminate wrong key hypotheses

Alternative Attack

• If only the total encryption time is known, the attack can be modified
• Observe the timing of multiple encryptions with random inputs
• Select one S-Box output as the attack target and calculate the average timing for each key hypothesis
• Compare the differences between the average timings and select the key with the largest difference

Attack on AES Software Implementation

• An example attack on an AES software implementation was performed using 10,000 timing measurements
• The attack resulted in the recovery of the key byte