round modification analysis on aes using electromagnetic
play

ROUND MODIFICATION ANALYSIS ON AES USING ELECTROMAGNETIC GLITCH - PowerPoint PPT Presentation

Jun 20, 2023 •494 likes •815 views

ROUND MODIFICATION ANALYSIS ON AES USING ELECTROMAGNETIC GLITCH Amine DEHBAOUI , Amir-Pasha MIRBAHA , Nicolas MORO , Jean-Max DUTERTRE , Assia TRIA COSADE 2013 Paris, France (1) (2) OUTLINE Context Round Modification

  1. ROUND MODIFICATION ANALYSIS ON AES USING ELECTROMAGNETIC GLITCH Amine DEHBAOUI ¹ , Amir-Pasha MIRBAHA ² , Nicolas MORO ¹ , Jean-Max DUTERTRE ² , Assia TRIA ¹ COSADE 2013 Paris, France (1) (2)

  2. OUTLINE Context Round Modification Analysis on AES Proposed Round Modification Analysis on AES Proposed Round Modification Analysis on AES Electromagnetic Glitch Injection Technique Concrete Results with EMG Conclusion 19 MARS 2013 | PAGE 2

  3. CONTEXT : FAULT INJECTION Correct Ciphertext Plaintext 00001010101010101010 11001010101010101010 10011011101010100011 Faulty Ciphertext Ciphertext Fault injection means : Power supply glitch, Clock glitch, EM glitch, Laser shot … disturb the encryption/decryption process through unusual environmental conditions in order to : • reduce the encryption complexity (e.g. round reduction analysis), • differential fault analysis = comparison between correct and faulty ciphertexts. • safe errors, HW/SW reverse engineering , … retrieve information on the encryption process (i.e. information leakage) | PAGE 3 19 MARS 2013

  4. Round Modification Analysis on AES CEA | 10 AVRIL 2012 | PAGE 4 19 MARS 2013

  5. ADVANCED ENCRYPTION STANDARD 128 BITS REMINDER M Initial round cipher key K Rounds 1..9 round key K i Final round round key K 10 | PAGE 5 C

  6. STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS R ound M odification A nalysis M Initial round � R ound R eduction A nalysis cipher key K decrease the number of executed rounds � R ound A ddition A nalysis increase the number of executed rounds increase the number of executed rounds Rounds 1..9 round key � R ound A lteration A nalysis K i modification of the round order Final round round key K 10 | PAGE 6 C

  7. STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS R ound M odification A nalysis M Initial round � R ound R eduction A nalysis cipher key K H. Choukri et al. [2005] J.H. Park et al. [2011] iteration iteration K.S. Bae et al.[2011] K.S. Bae et al.[2011] Rounds 1..9 round key � R ound A ddition A nalysis K i J.M. Dutertre et al. #3 [2012] COMP ( RC , RC MAX ) � R ound A lteration A nalysis Final round round key J.M. Dutertre et al. #2 [2012] K 10 | PAGE 7 C

  8. STATE-OF-THE-ART OF ROUND MODIFICATIONS ANALYSIS Attack Target Mean Type Encryption sequence Req. Key texts search average time ≈ 1 second H. Choukri et al. PIC16F877 Power Round 2 R 0 -R m [FDTC’05] 8-bit Glitch Reduction ≈ 10 hours J.H. Park et al. ATmega128 Laser Round 10 R 0 -R 1 -R 10 [ETRI’11] 8-bit Reduction ≈ 1 second K.S. Bae et al. ATmega128 Laser Round 2 R 0 ..R 8 -R 10 [ICCIT’11] 8-bit Reduction ≈ 1 second J.M. Dutertre et al. Unknown mcu Laser Round 3 R 0 ..R 8 -R m -R f #2 [HOST’12] 0.35µm 8-bit Alteration ≈ 1 hour & J.M. Dutertre et al. Unknown mcu Laser Round 3 R 0 ..R 9 -R m=10 -R f=11’ #3 [HOST’12] 0.35µm 8-bit Addition 30 minutes | PAGE 8

  9. Proposed Round Modification Analysis on AES CEA | 10 AVRIL 2012 | PAGE 9 19 MARS 2013

  10. PROPOSED ROUND MODIFICATIONS ANALYSIS K 9 Round 9… ⊕ ARK ⊕ ⊕ ⊕ Fault model : Instruction alteration M 9 CR++ CR++ CR++ CR++ CR=10 CR=10 CR=9 CR=9 CR=9 CR=9 CR=10 CR=10 SB SR Round 10 KS ⊕ ⊕ ⊕ ⊕ ARK K 10 C C (correct ciphertext) = SR o SB( M 9 ) ⊕ K 10 10 | PAGE 10 C (correct ciphertext) = FR ( M 9 ) ⊕ K 10

  11. PROPOSED ROUND MODIFICATIONS ANALYSIS K 9 Round 9… ⊕ ARK ⊕ ⊕ ⊕ Fault model : Instruction alteration M 9 CR++ CR++ CR++ CR++ CR++ CR++ CR++ CR++ RC=10 RC=10 RC=10 RC=10 RC=9 RC=9 RC=9 RC=9 RC=10 RC=10 RC=9 RC=9 RC=9 RC=9 RC=10 RC=10 SB Round m=9’ Round f=10’ K’ 9 K’ K’ K’ 10 KS KS SR Round 10 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ MC SB SR KS ARK ARK D SB( M 9’ ) SR o SB( M 9’ ) MC o SR o SB( M 9 ) M 9’ ⊕ ⊕ ⊕ ⊕ ARK D (faulty ciphertext) = SR o SB [MC o SR o SB( M 9 ) ⊕ K’ 9 ] ⊕ K’ 10 D (faulty ciphertext) = FR [ MR[ M 9 ] ⊕ K’ 9 ] ⊕ K’ 10 K 10 C C (correct ciphertext) = SR o SB( M 9 ) ⊕ K 10 11 C (correct ciphertext) = FR ( M 9 ) ⊕ K 10

  12. PROPOSED ROUND MODIFICATIONS ANALYSIS D (faulty ciphertext) = FR [MR( M 9 ) ⊕ K’ 9 ] ⊕ K’ 10 1 plaintext C (correct ciphertext) = FR ( M 9 ) ⊕ K 10 2 plaintexts FR -1 ( D a ⊕ K’ 10 ) ⊕ FR -1 ( D b ⊕ K’ 10 ) = MC( C a ⊕ C b ) M a M b 2 hypothese on each K’ 10 byte (2^ 16 for a 128-bits AES key) Calculation time : < 1 second Alternative solution : 3 plaintexts, instead of 2 thus, 1 hypothesis for each K’ 10 byte | PAGE 12

  13. Electromagnetic Glitch injection Technique CEA | 10 AVRIL 2012 | PAGE 13 19 MARS 2013

  14. PRACTICAL ELECTROMAGNETIC GLITCH SETUP • Control computer • The target device • Motorized stage • Pulse generator • Coil antenna. • Pulse width : 10 ns • Rise and fall transition time : 2ns • Pulse amplitude : -200V / +200V The computer controls both the pulse generator (through a rs-232 link) and the target board (through a usb link). | PAGE 14

  15. PRACTICAL ELECTROMAGNETIC GLITCH SETUP Target Description • Up-to-date 32-bit microcontroller • Designed in a cmos 130nm technology • Based on the arm Cortex-M3 processor. • Operating frequency is set to 24MHz. • Can detect several types of hardware faults. • Can detect several types of hardware faults. • When a specific type of hardware fault is detected, the processor raises its associated interrupt. | PAGE 15

  16. Concrete Results with EMG CEA | 10 AVRIL 2012 | PAGE 16 19 MARS 2013

  17. EMG PROFILE OF THE TARGET EM Channel : main strengths Does not require depackaging the target. Does target the upper metal Layer (Power/Ground or Clock networks). Logical Effect : • 180V injected EMG during 20ns • negative spike of less than 50ns width and instruction alteration 300mV amplitude. | PAGE 17

  18. EXPERIMENTAL OUTLINE | PAGE 18

  19. TIMING CARTOGRAPHY OF EMG EFFECT | PAGE 19

  20. Conclusion CEA | 10 AVRIL 2012 | PAGE 20 19 MARS 2013

  21. Conclusion Round Modification Analysis by targeting the round counter Fault induced at the end of the penultimate round Execution of a second penultimate round EMG Fault model : instruction alteration EMG Fault model : instruction alteration High occurrence rate / without triggering hardware interrupts 19 MARS 2013 | PAGE 21

  22. Attack Target Mean Type Encryption sequence Req. Key texts search average time ≈ 1 H. Choukri et al. PIC16F877 Power Round 2 R 0 -R m [FDTC’05] 8-bit Glitch Reduction second ≈ 10 J.H. Park et al. ATmega128 Laser Round 10 R 0 -R 1 -R 10 [ETRI’11] [ETRI’11] 8-bit 8-bit Reduction Reduction hours hours ≈ 1 K.S. Bae et al. ATmega128 Laser Round 2 R 0 ..R 8 -R 10 [ICCIT’11] 8-bit Reduction second ≈ 1 J.M. Dutertre et al. Unknown mcu Laser Round 3 R 0 ..R 8 -R m -R f #2 [HOST’12] 0.35µm 8-bit Alteration second ≈ 1 hour J.M. Dutertre et al. Unknown mcu Laser Round 3 R 0 ..R 9 -R m=10 -R f=11’ #3 [HOST’12] 0.35µm 8-bit Addition & 30 minutes ≈ 1 Our experiment ARM Cortex-M3 EM Round 2 R 0 ..R 9 -R m=9’ -R f=10’ [COSADE’13] based 130nm Glitch Addition second 32-bit

  23. Annexe : RMA Exceptionnel case CEA | 10 AVRIL 2012 | PAGE 23 19 MARS 2013

  24. RMA – An Exceptional Case An exceptional case may happen when a byte value in D a is equal to K 9 the corresponding byte on the second encryption; Round 9… D a [ byte i ] = D b [ byte i ] ⊕ ⊕ ARK ⊕ ⊕ i.e. EMG M 9 CR++ CR++ CR++ CR++ CR++ CR++ CR++ CR++ CR=10 CR=10 CR=10 CR=10 CR=9 CR=9 CR=9 CR=9 CR=10 CR=10 CR=9 CR=9 CR=9 CR=9 CR=10 CR=10 SB Round m=9’ Round f=10’ K’ K’ 9 K’ 10 K’ KS KS SR Round 10 ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ ⊕ MC SB SR KS ARK ARK D SB( M 9’ ) SR o SB( M 9’ ) MC o SR o SB( M 9 ) M 9’ ⊕ ⊕ ⊕ ⊕ ARK D (faulty ciphertext) = SR o SB[MC o SR o SB( M 9 ) ⊕ K’ 9 ] ⊕ K’ 10 K 10 C (correct ciphertext) = SR o SB( M 9 ) ⊕ K 10 C | PAGE 24

  25. RMA – An Exceptional Case An exceptional case may happen when a byte value in D a is equal to the corresponding byte on the second encryption; D a [ byte i ] = D b [ byte i ] i.e. 32 43 F6 A8 88 5A 30 8D 31 31 98 A2 E0 37 07 34 19 84 B0 92 95 C8 B1 D9 C4 4E 4D 1E F2 C0 36 5E Round f=10’ 39 25 84 1D 02 DC 09 FB DC 11 85 97 19 6A 0B 32 39 25 84 1D 02 DC 09 FB DC 11 85 97 19 6A 0B 32 K’ 10 K’ 13 AB D8 4B 7B EA FA 58 47 58 48 A5 50 B3 B2 DC 49 4a b5 1f 3b 08 83 e0 d1 21 34 6b 32 cd 31 cb 8c fc 54 6b 3a 46 9e e0 b7 65 6d 0a 92 7b a0 e1 ⊕ ⊕ ⊕ ⊕ SR ARK D SR o SB( M 9’ ) | PAGE 25

  26. RMA – An Exceptional Case Ronde 9… 49 4a b5 1f 3b 08 83 e0 d1 21 34 6b 32 cd 31 cb 8c fc 54 6b 3a 46 9e e0 b7 65 6d 0a 92 7b a0 e1 SB -1 o SR -1 ( D a ⊕ K’ 10 ) ⊕ SB -1 o SR -1 ( D b ⊕ K’ 10 ) = MC( C a ⊕ C b ) 2 8 hypotheses on K’ 10 [7] (byte [7] of K’ 10 ) on K’ 10 [7] (byte [7] of K’ 10 ) 2 8 x 2 15 = 2 23 hypotheses 2 8 x 2 15 = 2 23 hypotheses and 2 hypotheses on the whole-K’ 10 on each other K’ 10 byte to be examined by using C a and D a , and by calculating K’ 9 and K 10 calculation time : still less than 1 second | PAGE 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen

Dyninst: A Binary Analysis and Modification Framework Jeffrey K. Hollingsworth Ray Chen University of Maryland Department of Computer Science University of Maryland Binary modification Behavior Attack Detection Analysis Binary Program

492 views • 24 slides
What is Electromagnetic Radiation? The Electromagnetic Spectrum Interactions with Matter

What is Electromagnetic Radiation? The Electromagnetic Spectrum Interactions with Matter

Slide 1 / 147 Slide 2 / 147 8th Grade Electromagnetic Radiation 2015-10-23 www.njctl.org Slide 3 / 147 Slide 4 / 147 Table of Contents Click on the topic to go to that section What is Electromagnetic Radiation? What is Electromagnetic

525 views • 34 slides
Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or

Toy Example Toy Example Toy Example Toy Example Toy Example D 1 weak classifiers = vertical or horizontal half-planes Round 1 Round 1 Round 1 Round 1 Round 1 h 1 D 2 &quot; 1 =0.30 ! =0.42 1 Round 2 Round 2 Round 2 Round 2 Round

188 views • 5 slides
Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max

DFT 2013 Differential Analysis of Round-Reduced AES Faulty Ciphertexts Amir-Pasha Mirbaha Jean-Max Dutertre Assia Tria Outline Introduction State-of-the-art of the Round Reduction Analysis Theory of our attacks and the realizations

591 views • 14 slides
Broadband Electromagnetic and Stochastic Modelling and Signal Analysis of Multiconductor

Broadband Electromagnetic and Stochastic Modelling and Signal Analysis of Multiconductor

Broadband Electromagnetic and Stochastic Modelling and Signal Analysis of Multiconductor Interconnections Electrical &amp; Computer Engineering University of Toronto Distinguished Lecture Series 2017-2018 Danil De Zutter (Fellow IEEE) Ghent

596 views • 55 slides
Level Set Solution of an Inverse Electromagnetic Casting Problem using Topological Analysis A.

Level Set Solution of an Inverse Electromagnetic Casting Problem using Topological Analysis A.

Level Set Solution of an Inverse Electromagnetic Casting Problem using Topological Analysis A. Canelas 1 , A.A. Novotny 2 and J.R.Roche 3 1 Instituto de Estructuras y Transporte, Facultad de Ingeniera, UDELAR, J. Herrera y Reissig, CP 11300,

658 views • 29 slides
AFFECTING BEHAVIOR MODIFICATION IN DIABETIC PATIENTS A qualitative and quantitative analysis of

AFFECTING BEHAVIOR MODIFICATION IN DIABETIC PATIENTS A qualitative and quantitative analysis of

PSYCHOSOCIAL FACTORS AFFECTING BEHAVIOR MODIFICATION IN DIABETIC PATIENTS A qualitative and quantitative analysis of patients with Type II Diabetes Mellitus in a primarily Hispanic Population in Northeast Community Clinics, Downtown Los

428 views • 19 slides
DIAKOPTIC ANALYSIS OF COMPLEX 3-D ELECTROMAGNETIC SYSTEMS 1 School of Electrical Engineering,

DIAKOPTIC ANALYSIS OF COMPLEX 3-D ELECTROMAGNETIC SYSTEMS 1 School of Electrical Engineering,

A.R. Djordjevi 1 , D.I. Ol an 1 , B.M. Kolundija 1 , J.R. Mosig 2 , I.M. Stevanovi 3 DIAKOPTIC ANALYSIS OF COMPLEX 3-D ELECTROMAGNETIC SYSTEMS 1 School of Electrical Engineering, University of Belgrade, Serbia 2 Ecole Polytechnique

420 views • 20 slides
Stability for the electromagnetic scattering problem Luca R ONDI Universit di Trieste Joint

Stability for the electromagnetic scattering problem Luca R ONDI Universit di Trieste Joint

Stability for the electromagnetic scattering problem Luca R ONDI Universit di Trieste Joint work with Hongyu L IU and Jingni X IAO (Hong Kong Baptist University) Workshop Analysis and Numerics of Acoustic and Electromagnetic Problems Linz, 17

449 views • 20 slides
D.I.E.H.A.R.D. Data Analysis Presentation Demonstrating Intensity of Electromagnetic High

D.I.E.H.A.R.D. Data Analysis Presentation Demonstrating Intensity of Electromagnetic High

D.I.E.H.A.R.D. Data Analysis Presentation Demonstrating Intensity of Electromagnetic High Altitude Radiation Determination Mission Statement The University of Colorado at Boulder student team will determine the viability of high altitude

685 views • 49 slides
Slide 7 / 57 Slide 8 / 57 4 What speed do all electromagnetic waves travel at 5 Red light, a

Slide 7 / 57 Slide 8 / 57 4 What speed do all electromagnetic waves travel at 5 Red light, a

Slide 1 / 57 Slide 2 / 57 8th Grade Electromagnetic Radiation CW-HW Slides 2015-10-23 www.njctl.org Slide 3 / 57 Slide 4 / 57 1 What are some sources of electromagnetic radiation? Classwork #1: What is Electromagnetic Radiation c = f c

120 views • 10 slides
Symmetry analysis and multipole classification of eigenmodes in electromagnetic resonators Sergey

Symmetry analysis and multipole classification of eigenmodes in electromagnetic resonators Sergey

Symmetry analysis and multipole classification of eigenmodes in electromagnetic resonators Sergey Gladyshev, Kristina Frizyuk, Andrey Bogdanov ITMO University, St. Petersburg 197101, Russia Main idea Method 1 (based on RSE) Method 2 (based on

328 views • 8 slides
Game Plan modification? Lifestyle and behavioral modification involves altering long-

Game Plan modification? Lifestyle and behavioral modification involves altering long-

Lifestyle and Behavioral Modification: Disclosure Slide for Holly Wyatt, M.D. I nitial Approaches to Managing Book Author, Rodale/ State of Slim Obesity ( and stopping the Yo-Yo Ownership, Shakabuku LLC once and for all)

291 views • 6 slides
Electromagnetic, Thermal and Structural Analysis of the LUX Photoinjector Cavity using ANSYS S

Electromagnetic, Thermal and Structural Analysis of the LUX Photoinjector Cavity using ANSYS S

Electromagnetic, Thermal and Structural Analysis of the LUX Photoinjector Cavity using ANSYS S teve Virostek Lawrence Berkeley National Lab 13 December 2004 L AWRENCE B ERKELEY N ATIONAL L ABORATORY 13 December 2004 Steve Virostek

408 views • 15 slides
Nuclear Power Plants Extended Loss of All AC Power Analysis of Electromagnetic Pulse Joint

Nuclear Power Plants Extended Loss of All AC Power Analysis of Electromagnetic Pulse Joint

Nuclear Power Plants Extended Loss of All AC Power Analysis of Electromagnetic Pulse Joint FERC/NRC Meeting Jennifer Uhle, Deputy Director Office of Nuclear Reactor Regulation October 21, 2015 Projected Electric Capacity Dependent on License

323 views • 21 slides
Geant4 Electromagnetic Geant4 Electromagnetic Physics Physics Introduction Introduction

Geant4 Electromagnetic Geant4 Electromagnetic Physics Physics Introduction Introduction

Geant4 Electromagnetic Geant4 Electromagnetic Physics Physics Introduction Introduction Editors: Michel Maire (LAPP, Annecy, France) Vladimir Ivanchenko (CERN &amp; EMSU, Moscow) Sebastien Incerti ( CNRS/IN2P3, France) on behalf of the

803 views • 22 slides
Texas Municipal Retirement System Board Presentation/Executive Summary Period Ended: December 31,

Texas Municipal Retirement System Board Presentation/Executive Summary Period Ended: December 31,

Texas Municipal Retirement System Board Presentation/Executive Summary Period Ended: December 31, 2016 Capital Markets Update Capital Markets Review As of December 31, 2016 Fourth Quarter Economic Environment Key Economic Indicators Key

720 views • 22 slides
E a st Midto wn Gre e nwa y a st 53 rd 61 st Stre e t E Co mmunity Bo a rd 8 | Pro je c t I

E a st Midto wn Gre e nwa y a st 53 rd 61 st Stre e t E Co mmunity Bo a rd 8 | Pro je c t I

E a st Midto wn Gre e nwa y a st 53 rd 61 st Stre e t E Co mmunity Bo a rd 8 | Pro je c t I ntro duc tio n No ve mb e r 16, 2017 Ag e nda Ove rvie w - De ve lo pme nt o f the E a st Midto wn Wa te rfro nt E spla na de Curre

957 views • 36 slides
Second Quarter 2016 Financial Results July 28, 2016 Forward-Looking Statements Statements

Second Quarter 2016 Financial Results July 28, 2016 Forward-Looking Statements Statements

Second Quarter 2016 Financial Results July 28, 2016 Forward-Looking Statements Statements contained in this presentation about future performance, including, without limitation, operating results, capital expenditures, rate base growth,

631 views • 10 slides
Stereovision and augmented reality for closed-loop control of grasping in hand

Stereovision and augmented reality for closed-loop control of grasping in hand

Stereovision and augmented reality for closed-loop control of grasping in hand prosthesis Markovic et al. (Germany) in Journal Neu. Eng. 2014 Presented by Kory Mathewson at BLINC Journal Club July 24 2015 Motor Info

271 views • 16 slides
About Screentec Oy Founded in 1989, in Oulu ISO 13485 certified Turnover : 2,1

About Screentec Oy Founded in 1989, in Oulu ISO 13485 certified Turnover : 2,1

About Screentec Oy Founded in 1989, in Oulu ISO 13485 certified Turnover : 2,1 Million (2018) Roll 2 Roll Production Facilities Employees: 30+ Our Partners/Network Our services User Interfaces Medical Electrodes

288 views • 6 slides
Investor Presentation October 2018 Disclaimer IMPORTANT: Please read the following before

Investor Presentation October 2018 Disclaimer IMPORTANT: Please read the following before

Investor Presentation October 2018 Disclaimer IMPORTANT: Please read the following before continuing. This Presentation has been prepared by Jupiter Mines Limited ACN 105 991 740 (Jupiter or the Company) solely for information purposes. This

575 views • 26 slides
Welcome to UF! Introduction to UF Neurology Residency Christina Wilson, MD, PhD Assistant

Welcome to UF! Introduction to UF Neurology Residency Christina Wilson, MD, PhD Assistant

Welcome to UF! Introduction to UF Neurology Residency Christina Wilson, MD, PhD Assistant Professor, Vascular Neurology Division Residency Program Director Why University of Florida? Why Gainesville? Shands UF 850 beds Level-1 trauma

752 views • 38 slides
March 2018 Forward-Looking / Cautionary Statements This presentation, including any oral

March 2018 Forward-Looking / Cautionary Statements This presentation, including any oral

Corporate Presentation March 2018 Forward-Looking / Cautionary Statements This presentation, including any oral statements made regarding the contents of this presentation, contains forward-looking statements within the meaning of Section 27A of

735 views • 31 slides

More recommend