TEMPEST Attacks Against AES Covertly stealing keys for $200 Craig - - PowerPoint PPT Presentation

TEMPEST Attacks Against AES

Covertly stealing keys for $200

Craig Ramsay & Jasper Lohuis September 22, 2017

Introduction

10101010010101 0010101 10

Your code just pushes electrons around.

10101010010101 0010101 10

Pushing electrons will make magnetic fjelds.

10101010010101 0010101 10

TEMPEST attacks measure this from a distance.

10101010010101 0010101 10

TEMPEST attacks measure this from a distance.

Project people

Duncan Lew First intern. Close-by FPGA attacks Freek van Tienen We’ll see! Craig Ramsay Radio-based workfmow & attacking ARM Jasper Lohuis Cheap shielding, SDRs & antennas

Thanks for feeding us, folks

Existing Work

TEMPEST attack On-package attack Asymmetric crypto Symmetric crypto Us! Possible? With what resources? Are existing norms enough?

Existing Work

TEMPEST attack On-package attack Asymmetric crypto Symmetric crypto Us! Possible? With what resources? Are existing norms enough?

Existing Work

TEMPEST attack On-package attack Asymmetric crypto Symmetric crypto Us! Possible? With what resources? Are existing norms enough?

Existing Work

TEMPEST attack On-package attack Asymmetric crypto Symmetric crypto Us! Possible? With what resources? Are existing norms enough?

Replicating On-Package Attack

Target Device Analogue Measurement Radio Recording Preprocessing Analysis

Overview

Target Device Analogue Measurement Radio Recording Preprocessing Analysis Target Device

Overview

Target Device Analogue Measurement Radio Recording Preprocessing Analysis Target Device E n c r y p t t h i s , p l e a s e . . .

Overview

Target Device Analogue Measurement Radio Recording Preprocessing Analysis Target Device E n c r y p t t h i s , p l e a s e . . . A l s t u . . .

Overview

Target Device Analogue Measurement Radio Recording Preprocessing Analysis Analogue Measurement

Overview

Target Device Analogue Measurement Radio Recording Preprocessing Analysis Radio Recording Radio Recording Mixer ADC 001010111101101

Overview

Target Device Analogue Measurement Radio Recording Preprocessing Analysis Preprocessing

Overview

Target Device Analogue Measurement Radio Recording Preprocessing Analysis Analysis Model of leakage

Overview

Measuring the fjeld

Measuring the fjeld

Recording —Low-end

Recording —Low-end

€20 2.4 MHz Bandwidth 5.2 MB/s

Positioning

Positioning

ARM Software Trace

0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 ·10−4 6 7 8 9 ·103

Idle I/O Key Schedule 14 Rounds I/O Idle t

ARM Software Trace

0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 ·10−4 6 7 8 9 ·103

Idle I/O Key Schedule 14 Rounds I/O Idle t

ARM Software Trace

0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 ·10−4 6 7 8 9 ·103

Idle I/O Key Schedule 14 Rounds I/O Idle t

ARM Software Trace

0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 ·10−4 6 7 8 9 ·103

Idle I/O Key Schedule 14 Rounds I/O Idle t

ARM Software Trace

0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 ·10−4 6 7 8 9 ·103

Idle I/O Key Schedule 14 Rounds I/O Idle t

Nice… but still, how do you get a key?

(This part is just existing SCA techniques)

Our trace is related to “power consumption”.

P ≈ Pstatic + Pnoise + Pdata + Poperation

P ≈ Pstatic + Pnoise + Pdata + Poperation

Correlation Intro

4 1 6 (# ‘1’ bits) Power estimate 0011 0101 0100 0000 1101 1110 Input Byte Correlate!

Correlation Intro

4 1 6 (# ‘1’ bits) Power estimate 0011 0101 0100 0000 1101 1110 Input Byte Correlate!

Correlation Intro

4 1 6 (# ‘1’ bits) Power estimate 0011 0101 0100 0000 1101 1110 Input Byte Correlate!

Correlation Intro

4 1 6 (# ‘1’ bits) Power estimate 0011 0101 0100 0000 1101 1110 Input Byte Correlate!

Correlation Intro

4 1 6 (# ‘1’ bits) Power estimate 0011 0101 0100 0000 1101 1110 Input Byte Correlate!

Correlation Intro

4 1 6 (# ‘1’ bits) Power estimate 0011 0101 0100 0000 1101 1110 Input Byte Correlate!

I/O Correlation

We can detect data!

Let’s fjnd a value using 1 key byte and correlate for all 256 possibilities

32 × 28 guesses (instead of 2256)

8192 guesses (instead of 1077)

T Table Correlation

Easy & works (but could do better)

Known-key bitwise on T Table lookup

T Table Correlation

Easy & works (but could do better)

Known-key bitwise on T Table lookup

“You know can addresses leak too, right?” —Riscure, 2017

“Oh… thanks.” — Me, 2017

ARM T Table Addresses

1508: 4b4a ldr r3 , [ pc , #296] 150a : 681b ldr r3 , [ r3 , #0] 150 c : 0e1b l s r s r3 , r3 , #24 150e : 4a4d ldr r2 , [ pc , \#308] 1510: f852 2023 ldr.w r2, [r2, r3, lsl #2] 1 5 1 4 : 4b48 ldr r3 , [ pc , #288] 1 5 1 6 : 681b ldr r3 , [ r3 , #0] 1518 : 0c1b l s r s r3 , r3 , #16 151a b2db uxtb r3 , r3 151c : 494a ldr r1 , [ pc , #296]

T Table Address Correlation

Known-key bitwise on T Table lookup address ⊕ previous address

If the correlation for the correct key byte is biggest, we have an attack.

T Table Attack

Correct key byte…

HD on T Table lookup address (real attack)

T Table Attack

All key byte guesses. We win!

HD on T Table lookup address (real attack)

Repeat this for all 32 key bytes and we have the full key

On-package attack results

Bandwidth vs # traces

1 2 3 4 5 6 7 8 9 10 2 4 6 8 10 ·104

2.4 fclk = 140 MHz Bandwidth / MHz

Traces

Bandwidth vs # traces

1 2 3 4 5 6 7 8 9 10 2 4 6 8 10 ·104

2.4 fclk = 140 MHz Bandwidth / MHz

Traces

Bandwidth vs # traces

1 2 3 4 5 6 7 8 9 10 2 4 6 8 10 ·104

€20 Equipment cost

Time

Getting some distance

Only need to improve analogue side. Analysis is the same.

Loop size

Loop size

Amplifjcation and fjltering

Small loop distance

2 4 6 8 10 12 14 16 18 20 −30 −25 −20 −15 −10 −5

d / cm Power / dB

Demo time

(Click for video)

Small loops are amazing for under ≈ 5 cm. Won’t get us to 1 m though.

Log-periodic antenna

Log-periodic distance

5 10 15 20 25 30 35 −20 −15 −10 −5

d / cm Power / dB

Example setup

DIY shielding

Real setup

Best setup so far: Key from 30 cm away 400k traces ( 50 s recording) 200 equipment

Best setup so far: Key from 30 cm away 400k traces (≈ 50 s recording) 200 equipment

Best setup so far: Key from 30 cm away 400k traces (≈ 50 s recording) ≈ $200 equipment

…and in ideal conditions? (Thanks, OSPL)

Anechoic Chamber

Electrical isolation?

Key from 1 m away 2 4 M traces ( 5 mins recording) Same 200 setup + borrowed antenna

Key from 1 m away 2.4 M traces (≈ 5 mins recording) Same 200 setup + borrowed antenna

Key from 1 m away 2.4 M traces (≈ 5 mins recording) Same $200 setup + borrowed antenna

Conclusion

Conclusion

• Break OpenSSL’s AES with a wire and a $20 dongle
• Radio hardware → really speeds up attack
• Increase attack distance with new analogue

front-ends

• First known demonstration
• 1 m works in 5 minutes…

Thanks! Questions?

Backup slides

Selecting an intermediate

a0,0 a0,1 a0,2 a0,3 a1,0 a1,1 a1,2 a1,3 a2,0 a2,1 a2,2 a2,3 a3,0 a3,1 a3,2 a3,3 b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 Round 0 Key

OpenSSL AES Round 0

a0,0 a0,1 a0,2 a0,3 a1,0 a1,1 a1,2 a1,3 a2,0 a2,1 a2,2 a2,3 a3,0 a3,1 a3,2 a3,3 b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 Round 0 Key Attack XOR with key? ...Can do better!

OpenSSL AES Round 0

b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 c0,0 c0,1 c0,2 c0,3 c1,0 c1,1 c1,2 c1,3 c2,0 c2,1 c2,2 c2,3 c3,0 c3,1 c3,2 c3,3 T0(...) T1(...) T2(...) T3(...) Round 1 Key

OpenSSL AES Round 1

b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 c0,0 c0,1 c0,2 c0,3 c1,0 c1,1 c1,2 c1,3 c2,0 c2,1 c2,2 c2,3 c3,0 c3,1 c3,2 c3,3 T0(...) T1(...) T2(...) T3(...) Round 1 Key

OpenSSL AES Round 1

b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 c0,0 c0,1 c0,2 c0,3 c1,0 c1,1 c1,2 c1,3 c2,0 c2,1 c2,2 c2,3 c3,0 c3,1 c3,2 c3,3 T0(...) T1(...) T2(...) T3(...) Round 1 Key

OpenSSL AES Round 1

b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 c0,0 c0,1 c0,2 c0,3 c1,0 c1,1 c1,2 c1,3 c2,0 c2,1 c2,2 c2,3 c3,0 c3,1 c3,2 c3,3 T0(...) T1(...) T2(...) T3(...) Round 1 Key

OpenSSL AES Round 1

b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 b0,0 b0,1 b0,2 b0,3 b1,0 b1,1 b1,2 b1,3 b2,0 b2,1 b2,2 b2,3 b3,0 b3,1 b3,2 b3,3 c0,0 c0,1 c0,2 c0,3 c1,0 c1,1 c1,2 c1,3 c2,0 c2,1 c2,2 c2,3 c3,0 c3,1 c3,2 c3,3 T0(...) T1(...) T2(...) T3(...) Round 1 Key Attack these lookups. The non-linearity is useful.

OpenSSL AES Round 1

Our setup vs traditional setup

Recording comparison — ’Scope

Arm

Recording comparison — ’Scope

Send 1 command

Recording comparison — ’Scope

Trigger

Recording comparison — ’Scope

Record

Recording comparison — ’Scope

Copy

Recording comparison — ’Scope

Recording comparison — ’Scope fclk

f

fs 2fclk

Recording comparison — ’Scope fclk

f

fs > 2fclk

Recording comparison — Radio

×e−j2πfclkt

BW fclk

f

fs 2 BW

Recording comparison — Radio

×e−j2πfclkt

BW fclk

f

fs 2 BW

Recording comparison — Radio

×e−j2πfclkt

BW fclk

f

fs 2 BW

Recording comparison — Radio

×e−j2πfclkt

BW fclk

f

fs > 2 × BW

Recording comparison — Radio

Record continuously

Recording comparison — Radio

Record continuously Send commands

Recording comparison — Radio