Side Channel Attacks

Questions and Answers

What is a fault-based attack?

An intentional manipulation of a target, with the goal of causing an error within its execution flow to move the device into an unintended state.

How can fault-based attacks be used in cryptographic implementations?

To provoke an unusual behavior of the operations in order to extract secret information (such as an encryption key).

What is clock glitching?

Inserting short clock cycles in the device to skip some instructions.

How is glitching done?

By XORing a glitching clock to the original clock of the device.

The altered text is send afterwards to the target, before starting our _____ capturing.

trace

What is being tested on Lab 2 1B - Power Analysis for Password Bypass?

The difference in traces to break a password by determining when a device is performing certain operations.

How do we make the result more relevant in testing trace differences?

We take the absolute value of samples, since they can cancel out each other (negative and positive values).

What is focused on at Lab 3 1 - Large Hamming Weight Swings?

Another factor that affects power consumption, which is data manipulation.

What is being calculated on Lab 3 3: DPA On Firmware Implementation Of AES?

The value of internal state of guesses and related those values with the leakage.

What relationship is described at Lab 4 1: Power and Hamming Weight Relationship?

The relationship between the value of the bits being manipulated on our target.

Flashcards

Side Channel Attacks

Attacks exploiting flaws in hardware implementations of algorithms, measuring parameters like power consumption and timing.

Instruction Power Differences

When complexity differences in operations lead to different power consumptions, leaking information like the position of an AES Sub bytes operation on a trace.

Power Analysis for Password Bypass

Analyzing power consumption to determine operations or bypass security checks, like password checks.

Large Hamming Weight Swings

Variations in a device's power consumption based on firmware and data manipulation, used to infer information.

Recovering AES Key

Recovering the AES key from a single bit of data.

Power and Hamming Weight Relationship

Relates the Hamming weight of manipulated bits to power consumption, revealing operation locations.

Fault Injection

Intentional manipulation to cause errors, disable protections, or extract secret information.

Clock Glitching

Manipulating the clock signal to skip instructions, often by inserting short clock cycles

Breaking Devices

Determining when a device performs certain operations by analyzing power consumption.

Study Notes

Side Channel Attacks

• Algorithms are mathematically robust but their circuit implementations have flaws.
• Physical attacks exploit the hardware implementation of algorithms.
• Circuits have current consumption and computation time linked to handled data.
• These parameters can be measured to obtain information about secrets in "Side Channel Attacks".

Instruction Power Differences

• Different operations during plaintext encryption cause complexity differences.
• These complexity differences can lead to varying power consumption.
• Power consumption can leak the position of an AES Sub bytes operation.
• Power consumption is measured to differentiate between assembly instructions.
• The 'capture_trace' function returns a 5000-sample trace by generating a plaintext/key pair and getting the trace wave back.
• The simpleserial-base.c file in the firmware directory dictates target execution and trace capture.

Modifying the Firmware

• Comment out the 'simpleserial_put' function call.
• Rebuild the firmware by navigating to the simpleserial-base- lab2 directory.
• Command to rebuild firmware: make PLATFORM=$1 CRYPTO_TARGET=NONE
• Command to capture a trace and check for pattern: wave1 = capture_trace()
• Use cw.plot(wave1) for trace plotting

Instructions Impact on Power Trace

• Multiple instructions with varying complexity can be introduced to check influence on power consumption.
• Introducing addition operations within get_pt function, between triggers changes the firmware.
• After rebuilding and uploading with the new firmware, the target adds variable A to the variable.
• Next step involves capturing a new trace and comparing it to the old one.

Introducing a Loop into Execution

• Looping A+=2 20 times is another way to add 2 to the variable A 20 times.
• C code can be changed by introducing a loop.
• The captured trace should be plotted and compared to the previous addition implementation.
• A loop takes more time to execute than a full loop enrolling due to assembly instructions like JMP and CMP.

Expensive Operations: Exponential

• Exponential operations execute for a longer time since they are defined as repeated multiplications.
• Repeated multiplications are repeated addition operations.

Power Analysis for Password Bypass

• Different traces can be used to break a password by determining when a device is performing certain operations.
• The device performs a password check.
• A basic power analysis demonstrates how to perform this.

Trace Capturing - Password Guess

• Target is reset before trace capturing, serial buffer read with "in waiting" and "read" functions, mandatory scope armed.
• Password guess sent, target trace captured, trace returned with get_last_trace call.
• Slight delays exist between traces when comparing random characters.
• Delays can be due to the check algorithm executing immediately on wrong characters and trying to find a second, correct character.

Testing Combinations

• All traces plotted via looping through possible characters to find outliers.
• Code:
  • For chars in tqdm('abcdefghijklmnopqrstuvwxyz0123456789'):
    • trace = cap_pass_trace ( c + "\n")
    • fig *= cw.plot(trace [0:1000])

Attack Automation

• Automate attack interpreter character guess outcomes.
• Outlier trace checked when looping characters.
• Compute trace difference of each guess with a wrong guess.
• Time factor represents delay between traces.
• Spikes can occur at certain sample points
• Automation code:
  • ref_trace = cap_pass_trace("\x00\n") [0:1000]
  • plot = cw.plot({})

Full Attack

• Required the guess trace to be updated, otherwise the forst character trace will always be compared when the updated reference trace comes out.
• The comparison would be between the foruth character and the first trace.
• For each correct guess "bee" is guessed as a passowrd.
• Since the target goes to idle after an incorrect guess the referecne trace is updated per the correct guess

Conclusion

• Devices with poorly hidden operations are easier to break.
• Power can be used to determine timing information can be useful for hackers.
• Wave-form differences can be used to find the correct password characters.

Large Hamming Weight Swings

• Power consumption can vary based on device firmware which indicates whether the correct character is guessed.
• Factor impacts power consumption, data manipulation via reducing brute-force scope/dividing attack into 5 parts.
• Process:

Gathering Traces

• Used ktp.next to generate a plaintext/key pair.
• Target's key set before entering the trace gathering loop.
• Inside the loop, armed the scope which is mandatory for capturing.
• Least Significant Byte set to either 0x00 or 0xFF, based on bit’s value: LSB=1 sets byte to 0xFF, or to 0x00.
• The altered text sent before trace capturing.

Recovering AES Key From A Single Bit Of Data

• AES takes the round key as round 0, not the key schedule itself
• If the master key can be atacked and round key can be obtained then master key can be obtained.
• A master key is 128 bits therefore encryption takes place, so its hard to brute force without inside knowledge
• internal key is XORed with bitwise blocks in key addition by using S-Boxes.

Brute Force

• Assumed the attacker is on the device plaintext and wants to read one bit from it
• This 1 bit stream belongs to Oth round and Sbox substitution.
• With this 1 bit leak the attacker has to brute force 8 bits by 8 bits and reduce the key size of 2^8 to 16.

DPA On Firmware Implementation Of AES

• Directly attacks the AES.
• Directly reads one bitstream from the board.
• Attacks the S Box by using differential oower analysis,
• Using this we have to chose the intermediate value, measures traces and use the leakage models

Measuring Traces

• We used known plaintext in traces to get the cipher key bit
• By doing this we can bruteforce to break ciphered key blocks
• The power consumption is determined by the value of guess byte
• A successful guess will mean the most likely key is correct.

Power and Hamming Weight Relationship

• Relationship exists between manipulating bit value to the target, recovering whole AES keys using this property.
• Power also relies to the hamming weight, recovering traces and the location of a cryptographic implementation.