SLIDE 1 Glitching and Side-Channel Analysis for All
Colin O’Flynn – NewAE Technology Inc. RECON 2015 – Montreal, QC.
SLIDE 2 Overview
- W.t.f. is side-channel power analysis (again)
- Example: IEEE 802.15.4 Node
- Example: AES-256 Bootloader
- W.t.f. is Glitching
- Simple power glitching
SLIDE 3 About Me
- PhD at Dalhousie University in Halifax, Canada (Ongoing)
- Designed open-source hardware security project (ChipWhisperer)
- Commercialization through NewAE Technology Inc.
- Previously talked at Blackhat US/EU/AD, RECON, ESC
SLIDE 4
Side Channel Power Analysis
SLIDE 5 Side Channel Analysis
Diagram labels: Crypto Device, Secret Key, Ciphertext, Plaintext
SLIDE 6
Super-Fast Side Channel
SLIDE 7
Real-Life
SLIDE 8
Breaking Apart
SLIDE 9
Hardware Example
SLIDE 10
Hackaday Prize 2014
SLIDE 11
Cheap Hardware… First Ver
SLIDE 12
ChipWhisperer-Lite Kickstarter
SLIDE 13
Cheaper Hardware
SLIDE 14
Open-Source Software
SLIDE 15 Example of Power Analysis
<demo here>
SLIDE 16
IEEE 802.15.4 Nodes
SLIDE 17
IEEE 802.15.4
SLIDE 18 Example #1: 802.15.4
http://eprint.iacr.org/2015/529
802.15.4 Node
- ZigBee (ZigBee IP, ZigBee Pro, RF4CE, etc.)
- WirelessHART
- MiWi
- ISA100.11a
- 6LoWPAN
- Nest Weave
- JenNet
- Thread
- Atmel Lightweight Mesh
- IEEE 802.15.5
- DigiMesh
SLIDE 19
Hardware Setup
SLIDE 20 802.15.4 Frame Format
- Frame Header
- Dest Address (ff = Broadcast)
- Source Addressing
- FrameCounter
- Key ID
- Encrypted Payload + MAC (MIC in 802.15.4 parlance)
- CRC-16 Goes Here
SLIDE 21 802.15.4 Decoding
IEEE 802.15.4 Wireless Stack: Frame Decryption Procedure:
1. Validate headers and security options.
2. Check that the received frame counter is numerically greater than the last stored frame count.
3. Look up the secret key based on message address and/or key index.
4. Decrypt the payload (and MAC if present).
5. Validate the MAC (if present).
6. Store the frame counter.
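The six-step receive path above, modelled as an added example (not code from the talk or from any 802.15.4 stack), to show which rejections happen before the secret key is used and which happen after. Assumptions: the frame layout is a simplified version of the slide's fields with no CRC-16, the addresses and key are constructed, and a SHAKE-256 keystream plus truncated HMAC stands in for the node's AES-CCM*.

```python
import hashlib
import hmac
import struct

MY_ADDR, BROADCAST = 0x1234, 0xFFFF      # constructed addresses
KEYS = {1: b"constructed-key!"}          # constructed key table, indexed by Key ID
HDR = struct.Struct("<HHIB")             # dest, source, frame counter, key ID (simplified)
MIC_LEN = 4

def _xor_stream(key, counter, data):
    """Stand-in cipher (SHAKE-256 keystream XOR); real nodes use AES-CCM*."""
    ks = hashlib.shake_256(key + struct.pack("<I", counter)).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def _mic(key, header, plaintext):
    return hmac.new(key, header + plaintext, hashlib.sha256).digest()[:MIC_LEN]

def build_frame(dest, src, counter, key_id, plaintext):
    """Sender side, used only to construct sample frames."""
    key, header = KEYS[key_id], HDR.pack(dest, src, counter, key_id)
    return header + _xor_stream(key, counter, plaintext + _mic(key, header, plaintext))

class Node:
    def __init__(self):
        self.last_counter = 0    # last stored frame counter
        self.key_uses = 0        # times the secret key entered the cipher

    def receive(self, frame):
        if len(frame) < HDR.size + MIC_LEN:                  # 1. validate header
            return "step 1: malformed", None
        header = frame[:HDR.size]
        dest, _src, counter, key_id = HDR.unpack(header)
        if dest not in (MY_ADDR, BROADCAST):
            return "step 1: wrong address", None
        if counter <= self.last_counter:                     # 2. counter must increase
            return "step 2: stale counter", None
        key = KEYS.get(key_id)                               # 3. key lookup
        if key is None:
            return "step 3: unknown key", None
        self.key_uses += 1                                   # 4. decrypt payload and MIC
        body = _xor_stream(key, counter, frame[HDR.size:])
        plaintext, mic = body[:-MIC_LEN], body[-MIC_LEN:]
        if not hmac.compare_digest(mic, _mic(key, header, plaintext)):   # 5. validate MIC
            return "step 5: bad MIC", None
        self.last_counter = counter                          # 6. store counter
        return "accepted", plaintext
```

Because the counter is stored only in step 6, a frame that fails the MIC check in step 5 has already caused one key-dependent operation and leaves `last_counter` unchanged.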
SLIDE 22 Example #1: 802.15.4
Input to AES Block
SLIDE 23
Many fixed bytes…
SLIDE 24
CPA Attack Result
SLIDE 25
ATMega128RFA1
SLIDE 26
ATMegaRF AES Peripheral
SLIDE 27 Example #2: AES-256 Bootloader
Tutorial: http://newae.com/sidechannel/cwdocs/tutorialaes256boot.html
Paper (CCECE 2015): https://eprint.iacr.org/2014/899.pdf
SLIDE 28
Bootloader Protocol
SLIDE 29
AES-256 in CBC Mode
SLIDE 30
Round 14
SLIDE 31
Round 13
SLIDE 32
Trace View
SLIDE 33
Success Rate
SLIDE 34 Getting Started in Side Channel Power
- Build/buy a simple target device:
  - AVR dev-board
  - Arduino Uno
  - PIC
- Get a scope with USB API
  - Picoscope
  - Most bench scopes
  - Be wary of cheap off-brand scopes, sometimes USB interface is poor
SLIDE 35
Glitching
SLIDE 36 Glitching Target
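#include <stdio.h>

int main(void)
{
    int i, j, count;
    while (1) {
        count = 0;
        for (j = 0; j < 5000; j++) {
            for (i = 0; i < 5000; i++) {
                count++;
            }
        }
        /* Undisturbed (32-bit int): 25000000 5000 5000; anything else means the loop was disturbed */
        printf("%d %d %d\n", count, i, j);
    }
}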
SLIDE 37
Easy Glitching
SLIDE 38
High-Precision Glitches
SLIDE 39
Easy Glitching
SLIDE 40
Raspberry Pi Example
SLIDE 41
Raspberry Pi Example
SLIDE 42
Raspberry Pi Example
SLIDE 43
Glitch Tool
SLIDE 44
Glitch Waveform (Raspberry Pi)
SLIDE 45 Getting Started in Glitching
- Load simple code onto target
- Determine/guess sensitive power rail
- Test glitch parameters ideally with profiling code
SLIDE 46
Glitching in CW-Lite
SLIDE 47 It’s fun!
Try Power Analysis and Glitching today!
ChipWhisperer Project: www.chipwhisperer.com
NewAE Technology Inc.: www.newae.com
Personal: @colinoflynn, coflynn@newae.com, http://www.oflynn.com