Your Mobile Device Could Be Leaking Your Encryption Keys

Your Mobile Device Could Be Leaking Your Encryption Keys

Prof Bill Buchanan OBE FRSE Prof Bill Buchanan OBE FRSE

Prof Bill Buchanan OBE FRSE

Old World Breaker, New World Creator

发布日期: 2016年7月27日
+ 关注

We have been beavering away on analysing cryptography on embedded devices, and we are shocked by the information that they give away. For this we don't even have to look at the data busses or into the running program, we just look at the power drain on the device, and out pops things like the encryption key.

Dr Owen Lo, who is analysing differential power analysis from devices, and Charley Celice, who is looking at detecting malware on devices using side channel methods, have thus been working with Keysight on analysing these side channels, and they're going to demo it live at:

The basic theory is that if I change a single bit from a 0 to 1, I will see an upward spike in the power drain, and if I change from a 1 to 0, I will see a downward spike. If I only change one bit in my data, then the spike is due to that single bit. So the first stage of AES takes the data bits and EX-ORs with the key bits. If we look at the least significant bits (D0 and K0), and then if D0 is a 0 and K0 is a 1, we get a 1 output, else if D1 is a 1 and K0 is a 1 we get a 0 output. Now if K0 is a 1, and we change D0 from a 0 to 1, we will see the output change from 1 to 0, otherwise if K0 was a 0, it would change from a 0 to a 1:

So all we have to do is change a single bit in the data value, and then we watch for a single bit change, by monitoring the power rail. If change the least significant bit of the data value, and we see a positive spike then we know that the least significant bit of the key is a 0, otherwise if it is a negative spike it is a 1. The way we normally do the test is to perform two runs, and then look at the difference between the traces, where a single bit has changed.

So with our trusty Keysight scope we can capture extremely fast changes in signals:

We then add a probe to detect the changes in current moving into the device (by adding in a resistor to the power supply) and then we apply the data values of 0x00, 0x01, 0x02, and 0x03, and then start the scope capturing at the first round of the AES process, and then just detect the spikes. With this we can then pick of the key by observing the EX-OR function of the first round of AES:

We then look at the difference between the plots where a single bit has changed (the Hamming function), and we get the positive or negative spike from there. In this way, in just a few rounds, we have cracked the uncrackable AES. This shows the spike for a single change:

and then when we analyse them together for the difference in power between the traces, we can see the differences appearing:

Come and see a demo live at the Cryptography conference. Book now, and see how bad devices are in giving away their secrets. We also have Prof Woodward outining a future where most public key methods will be broken.

Our overall our vision is to analyse the security of embedded devices:

So, don't trust that 256-bit AES cryptography, your device could give your keys away ... even through walls:

and even through an air-gap:

A few more pictures

We love getting some hands-on with devices, and sometime we even has to get some foil out, to stop noise affecting our measurements:

and smark ideas comes through a white board first:

Dissemination is the best way to inform:

We are so lucky to work with a great company like Keysight ... a live demo from Charley and Owen:

要查看或添加评论,请登录

Prof Bill Buchanan OBE FRSE的更多文章

社区洞察

其他会员也浏览了