
Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis - PowerPoint PPT Presentation



  1. Introduction | Scope of the Attack | Attack Steps | Conclusion
     Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis
     Antoine Wurcker (antoine.wurcker@xlim.fr), Christophe Clavier (christophe.clavier@unilim.fr)
     Université de Limoges, FDTC 2013, 20-08-2013
     Antoine Wurcker (Université de Limoges), Reverse AES by IFA, FDTC 2013, slide 1 / 33

  2. Outline
     1 Introduction: Advanced Encryption Standard; Ineffective Fault Analysis
     2 Scope of the Attack: Modifications on AES; Constraints on Attacker
     3 Attack Steps
     4 Conclusion: Global Results; Future Works

  4. AES Datapath
     Figure: The AES encryption path.
     Round $r = 0$: AddRoundKey($K_0$) on the plaintext state $S_0$.
     Rounds $r = 1, \ldots, 9$: SubBytes, ShiftRows, MixColumns, AddRoundKey($K_r$) map $S_{r-1}$ to $S_r$.
     Round $r = 10$: SubBytes, ShiftRows, AddRoundKey($K_{10}$) map $S_9$ to the ciphertext $C$.

  5. AES KeySchedule
     Figure: The AES key schedule. $K_r$ is derived from $K_{r-1}$: the last word goes through RotWord and SubWord, is XORed with $\mathrm{Rcon}(r)$, and the result is chained by XOR through the words of $K_r$.

  6. Ineffective Fault Analysis (IFA)
     Fault model: a precise byte is stuck at 0.
     Fault effect:
       Ciphertext not modified ⇒ the value was already 0.
       Ciphertext modified ⇒ the value was not 0.
     Remark: IFA bypasses the dual-execution countermeasure.

  7. IFA
     Figure: Example of no occurrence of IFA. The same message $M$ is processed without (left) and with (right) the fault, the first byte of the state being stuck at 0:
       without fault     with fault
       45 98 34 44       00 98 34 44
       AF 13 9C 59       AF 13 9C 59
       23 77 08 B6       23 77 08 B6
       E5 75 1A EE       E5 75 1A EE
     The faulted byte was 45, not 00, so the outputs differ: $C' \neq C$.

  8. IFA
     Figure: Example of occurrence of IFA. The same message $M$ is processed without (left) and with (right) the fault on the first byte of the state:
       without fault     with fault
       00 C6 67 34       00 C6 67 34
       31 DE 90 58       31 DE 90 58
       5F 4C 58 78       5F 4C 58 78
       AB 45 11 6F       AB 45 11 6F
     The faulted byte was already 00, so the fault is ineffective and both executions give the same ciphertext $C$.

  9. Notations
     $m_i$: byte number $i$ of the input plaintext $M$.
     $c_i$: byte number $i$ of the output ciphertext $C$.
     $K_r$: 128-bit key of round number $r$.
     $k_{r,i}$: byte number $i$ of the round key $K_r$.
     $S()$: the SubBytes function.
     $S^{-1}(0)$: preimage of the value 0 by the S-Box table.
     $\mu_i = k_{0,i} \oplus S^{-1}(0)$.
     $X_r = \{x_{r,0}, \ldots, x_{r,15}\}$: input state of the SubBytes step of round $r$.
     $Y_r = \{y_{r,0}, \ldots, y_{r,15}\}$: input state of the ShiftRows step of round $r$.
     $Z_r = \{z_{r,0}, \ldots, z_{r,15}\}$: input state of the MixColumns step of round $r$.
     $T_r = \{t_{r,0}, \ldots, t_{r,15}\}$: input state of the AddRoundKey step of round $r$.

  11. Modifications on AES
     The modifications allowed have to respect the constraints of the NIST document describing the AES:
     1 The SBOX operation is a permutation table. ⇒ $256!$ possible SBOX ($\simeq 2^{1684}$).
     2 The ShiftRows operation keeps shifting rows. ⇒ $2^8$ possible ShiftRows.
     3 The MixColumns matrix stays circulant with four parameters ($\neq 0$). ⇒ $255^4$ possible MixColumns ($\simeq 2^{32}$).
     4 The RotWord operation keeps shifting the word. ⇒ $2^2$ possible RotWord.
     5 The Rcon vectors keep the form $[\rho^{r-1}, 0, 0, 0]$. ⇒ $2^8$ possible sets of Rcon vectors.

  12. Modifications on AES
     Figure: ShiftRows parameters. Row $j$ is rotated by $\sigma_j$ ($\sigma_0, \sigma_1, \sigma_2, \sigma_3$).
     Figure: MixColumns matrix, circulant in the four parameters $\alpha_0, \alpha_1, \alpha_2, \alpha_3$:
     $$\begin{pmatrix} \alpha_0 & \alpha_1 & \alpha_2 & \alpha_3 \\ \alpha_3 & \alpha_0 & \alpha_1 & \alpha_2 \\ \alpha_2 & \alpha_3 & \alpha_0 & \alpha_1 \\ \alpha_1 & \alpha_2 & \alpha_3 & \alpha_0 \end{pmatrix}$$
     Figure: RotWord parameter. The word is rotated by $\eta$.
     Figure: $\mathrm{Rcon}[r]$ parameter. The first byte is XORed with $\rho^{r-1}$.

  13. Constraints on Attacker
     We placed the main constraints on an attacker:
     1 The SBOX table is unknown.
     2 The MixColumns coefficients are unknown.
     3 The ShiftRows coefficients are unknown.
     4 The fault can only be applied on the SBOX output.
     5 The key $K$ is unknown.
     The Key-Schedule operation is also constrained:
     1 The RotWord coefficient is unknown.
     2 The Rcon parameter is unknown.
     3 It is unavailable to fault injection (e.g. pre-computation).

  15. Retrieving $K_0$ up to a Constant Byte

  16. Retrieving $K_0$ up to a Constant Byte
     We obtain $\mu_i = k_{0,i} \oplus S^{-1}(0)$ by exhausting $m_i$ while faulting the output of the $i$-th S-Box of the first round. Eventually an IFA occurs and we obtain the equation:
     $$S(m_i \oplus k_{0,i}) = 0$$
     $$m_i \oplus k_{0,i} = S^{-1}(0)$$
     $$m_i = k_{0,i} \oplus S^{-1}(0)$$
     $$m_i = \mu_i$$
     We retrieve every $\mu_i$ value by applying this method on each position.
     ⇒ The set of candidates for $K_0$ is reduced from $2^{128}$ to $2^8$.

  17. Lemma: "Choosing" S-Box Input

  18. Lemma: "Choosing" S-Box Input
     Lemma. The knowledge of the $\mu_i$ values allows us to choose any value $x_{1,i}$ up to the constant value $S^{-1}(0)$.
     Proof. Playing the value $m_i = v \oplus \mu_i$ implies that:
     $$x_{1,i} = m_i \oplus k_{0,i}$$
     $$x_{1,i} = v \oplus \mu_i \oplus k_{0,i}$$
     $$x_{1,i} = v \oplus S^{-1}(0) \oplus k_{0,i} \oplus k_{0,i}$$
     $$x_{1,i} = v \oplus S^{-1}(0)$$
     Remark: if $v = 0$ it implies $x_{1,i} = S^{-1}(0)$ ⇒ $y_{1,i} = 0$.
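To see why the first step reduces $K_0$ to $2^8$ candidates and how the lemma then lets the attacker pick $x_{1,i}$ up to $S^{-1}(0)$, here is an added simulation on a constructed secret S-Box and key (example code written for this page, not the authors' tool). The fault oracle is modelled as "ciphertext unchanged iff the faulted S-Box output was already 0", which holds because everything after round-1 SubBytes is a bijection; `recover_mu`, `k0_candidates` and `chosen_sbox_input` are names chosen here.

```python
import random

# Constructed secret cipher parameters (the attacker does not know them).
rng = random.Random(2013)                      # fixed seed: reproducible demo
SBOX = list(range(256))
rng.shuffle(SBOX)                              # secret S-Box: a random permutation
K0 = [rng.randrange(256) for _ in range(16)]   # secret first round key K_0
S_INV_0 = SBOX.index(0)                        # S^-1(0), used only to check results


def round1_sbox_output(msg, fault_pos=None):
    """y_{1,i} = S(m_i xor k_{0,i}); a stuck-at-0 fault forces y_{1,fault_pos} = 0."""
    y = [SBOX[m ^ k] for m, k in zip(msg, K0)]
    if fault_pos is not None:
        y[fault_pos] = 0
    return y


def ifa_occurs(msg, fault_pos):
    """Oracle model: the ciphertext is unchanged iff the faulted byte was already 0
    (everything after SubBytes is a bijection, so a changed byte cannot be hidden)."""
    return round1_sbox_output(msg) == round1_sbox_output(msg, fault_pos)


def recover_mu():
    """Exhaust m_i at each position i while faulting S-Box i of round 1; the m_i
    for which the fault is ineffective is mu_i = k_{0,i} xor S^-1(0)."""
    mu = []
    for i in range(16):
        for m_i in range(256):
            msg = [0] * 16
            msg[i] = m_i
            if ifa_occurs(msg, i):
                mu.append(m_i)
                break
    return mu


def k0_candidates(mu):
    """One K_0 candidate per guess c of S^-1(0): 2^8 candidates instead of 2^128."""
    return [[m ^ c for m in mu] for c in range(256)]


def chosen_sbox_input(mu, i, v):
    """Lemma: playing m_i = v xor mu_i gives x_{1,i} = v xor S^-1(0)."""
    m_i = v ^ mu[i]
    return m_i ^ K0[i]
```

At most 16 × 256 faulted encryptions are needed, and the only thing still hiding $K_0$ afterwards is the single unknown byte $S^{-1}(0)$.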

  19. Reversing ShiftRows Operation

  20. Reversing ShiftRows Operation
     Fault position: first S-Box of the second round.
     First step: play random messages until an IFA occurs.
     Second step: play the previous message with only one byte modified each time. On each row, 1 position will break the IFA while 3 will not.
     We play the second step until we get the 4 values that break the IFA, revealing the 4 ShiftRows parameters.
     ⇒ The ShiftRows operation is reversed.
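The two steps above, as an added simulation (example code for this page, not the authors' tool) on a constructed AES-like cipher with secret ShiftRows offsets $\sigma_r$, nonzero circulant MixColumns coefficients $\alpha_j$ and round keys $K_0$, $K_1$: a stuck-at-0 fault on the first S-Box output of round 2 is ineffective iff $y_{2,0} = 0$, and in each row exactly one column's byte reaches column 0 of $Z_1$, so flipping it breaks the IFA. The state is column-major (byte $4c + r$ is row $r$, column $c$) and the function names are chosen here.

```python
import random

# Constructed secret parameters; state is column-major (byte 4*c + r = row r, column c).
rng = random.Random(2013)
SBOX = list(range(256))
rng.shuffle(SBOX)                                    # secret S-Box (permutation)
SIGMA = [rng.randrange(4) for _ in range(4)]         # secret ShiftRows offsets sigma_r
ALPHA = [rng.randrange(1, 256) for _ in range(4)]    # secret nonzero MixColumns alpha_j
K0 = [rng.randrange(256) for _ in range(16)]
K1 = [rng.randrange(256) for _ in range(16)]

def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def x2_first_byte(msg):
    """x_{2,0}: input of the first S-Box of round 2 for plaintext msg."""
    y = [SBOX[m ^ k] for m, k in zip(msg, K0)]                                 # SubBytes
    z = [y[4 * ((c + SIGMA[r]) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
    t0 = 0
    for j in range(4):                          # first row of the circulant MixColumns
        t0 ^= gf_mul(ALPHA[j], z[j])            # matrix applied to column 0 of Z_1
    return t0 ^ K1[0]                           # AddRoundKey(K_1)

def ifa_occurs(msg):
    """Stuck-at-0 on the first S-Box output of round 2 is ineffective iff y_{2,0} = 0."""
    return SBOX[x2_first_byte(msg)] == 0

def find_ifa_message():
    """First step: play random messages until an IFA occurs (about 256 tries)."""
    while True:
        msg = [rng.randrange(256) for _ in range(16)]
        if ifa_occurs(msg):
            return msg

def recover_shiftrows(base):
    """Second step: change one byte at a time. In each row exactly one column breaks
    the IFA: the column ShiftRows moves into column 0, i.e. sigma_r."""
    sigma = []
    for r in range(4):
        breaking = [c for c in range(4) if not ifa_occurs(
            [b ^ 1 if i == 4 * c + r else b for i, b in enumerate(base)])]
        sigma.append(breaking[0] if len(breaking) == 1 else None)
    return sigma
```

Only the nonzero $\alpha_j$ and the bijectivity of the S-Box are used, so the recovery works whatever the secret MixColumns and S-Box are.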

  21. Reversing ShiftRows Operation
     Figure: Position of IFA. The path $\oplus K_0$ → SB → SR → MC → $\oplus K_1$ → SB, with the fault on the first S-Box of the second round.

  22. Reversing ShiftRows Operation
     Figure: Proof that the shift parameter of the second row is not 0. The bytes marked ≠ are those changed by the single-byte modification, followed through $\oplus K_0$, SB, SR, MC, $\oplus K_1$ and SB.
