Breaking AES with ChipWhisperer - Piece of scake (Side Channel Analysis 100)

In this video we are going to recover a private cryptographic key in

side

the arduino just by observing its power consumption. We are going to perform a differential power

analysis

attack on an AES implementation. In the previous video we present what power

analysis

is and how the Arduino board can be prepared to perform these measurements. And now we are going to solve the first

side

channel

challenge of the expensive embedded hardware CTF. Piece of cake. S-C-A. Side

channel

analysis. 100 points. So this is really a low number of points and I have a lot of...erm...opinions on this.

You will see. This is a simple SCA challenge that uses an encryption implementation without any SCA, so side channels are analyzed and countermeasures are taken. Find the key used to encrypt and decrypt messages. attacks. To encrypt a message, send the letter 'e' followed by 16 bytes. To decrypt a message send the letter 'd' followed by 16 bytes. This sounds really easy. It should be something simple. Remember from the last video how you can break a terrible RSA implementation by identifying the square and multiplication operations in a power trace and simply reading the bits from the private key? It's like the simple example when introducing side channel analysis, because it's very simple. so from the beginning I set my mind on RSA.

This will be RSA. I simply send a decryption command via serial to the board, activate the oscilloscope at the right time, basically activate the collection of power consumption data after sending the data to decrypt, and then the board will use the private key for decryption and I can just read the bits from the trace. After several days of struggling with setup, soldering, learning the ground circuits and capacitors to remove, and requiring all this fancy equipment, I was sure this was what I had to do. I will be rewarded for learning all of this with a simple challenge.

Anyway, it's the introductory side channel challenge. God, I was wrong. So I'm sitting there, looking at the oscilloscope. Approaching trying different methods to acquire the data. How to average traces or different resistances. I just didn't see what I would expect from an RSA power trace. This has already killed me several nights. Until I was more or less told, this is not RSA… this is AES. Fuck my life. It also makes sense with the 16 bytes of data to encrypt or decrypt. That is the AES block size. A roller coaster of emotions. Happiness at learning something new, followed by pure anger and frustration.

So, this is the question. I knew the FAQ introduced differential power analysis. DPA. I also learned about this in a hardware security class in college. Then I knew it's a thing. And I knew what kind of equipment I need to do this. But I didn't expect this to be the case in the first 100 point challenge. In a few minutes you will see why they gave it 100 points, from a certain point of view it makes sense. But I completely disagree with that. So what is DPA? Differential power analysis is a more advanced form of power analysis that can allow an attacker to calculate intermediate values ​​within cryptographic calculations by statistically analyzing data collected from multiple cryptographic operations.

These were introduced to the open crypto community in 1998 by a company called Cryptography Research. And now they are filthy rich for discovering this and creating a consulting research company around it. I mean they deserve it I guess. It's a pretty crazy attack. With a simple power analysis, we assume that the implemented algorithm will perform different operations depending on the private key and therefore show a different energy footprint. But in the case of bad RSA implementation, you could just multiply and square on EVERY iteration and just keep the result of any current bit. Therefore, there is no difference anymore.

BUT there is a deeper layer than that. The power consumption comes directly from the individual bits, the transistors. So even if the algorithm performs the same operations regardless of the private key bits, those bits would still cause very, very small power consumption. This sounds even crazier than the simple RSA example. Because these bit changes are soooo small. That is why intelligent statistical analysis is performed on many collected traces. I don't actually want to explain this method in detail because it's quite complicated and there's a good video by Colin O'Flynn doing exactly the AES example. But the gist is that you collect many traces of energy from random inputs that you encrypt.

Then, guess what the first byte of the private key might be. And then part of the encryption algorithm is performed as if that were the correct key, and given the random input values ​​and that assumed key, it would lead to different intermediate values. Traces where this intermediate value is the same are then taken for further analysis. If the key assumption is correct, all energy traces should correlate with energy usage at that time. If the key assumption was wrong, the traces you selected based on that would have completely different intermediate values, therefore the power consumption would be random and nothing would correlate.

It would be cancelled. So you do this for every possible key and for every possible byte. And in the end you should find the correct key. But how is this actually done now? I knew I didn't want to implement this math myself. Additionally, I would have to write my own tools to automatically collect these traces from my oscilloscope, and the USB or network API seemed horrible. I wasted some time on it but then gave up. I knew what I needed. He was a ChipWhisperer. It is a

piece

of hardware designed specifically to do this. And it comes with software that already has all of these attacks implemented.

I initially thought about buying one, but figured an oscilloscope would be more flexible and I could learn more with it. I know some players bought a ChipWhisperer because it was recommended to use it for these hardware attacks. And it costs a little money. But I think without additional equipment like an additional oscilloscope it is difficult to troubleshoot. Anyway, I'm happy with my purchase choice. But I still wanted that ChipWhisperer for this challenge and I knew where to get it. Some of you know that I am still a student at the Technical University of Berlin. I'm still working on my master's degree and we have a small group at the university that researches hardware security.

That's where most of my theoretical knowledge about these attacks comes from and I have a pretty good relationship with them. And they obviously have a ChipWhisperer in their lab. So I wrote to one of the PhD students and asked if I could come and play with him. And that's the wonderful thing about a university: you can get access to amazing equipment, as well as help and advice. That's why I encourage all students to take advantage of these things. That's one of the reasons college can be really wonderful. So when I first used it, I just followed suit.

Which is a DPA attack on the test board that comes with Chip Whisperer. Everything is already set up for you. The breadboard has a connector for the probe. This is the measurement probe. And another large connector that carries the power as well as the RX and TX lines for serial communication. Then use the example script, which implements the serial protocol to communicate with the breadboard. Basically it also sends 16 bytes which must be encrypted. And with a click on Start, it starts collecting traces of energy. The trigger for power measurement and all other parameters are already set to the correct values.

Then you let the attack script run, do the DPA and after about a minute it finds the key where the energy spikes correlate. And you can look at all these fancy graphs and feel really cool that you broke AES with DPA, without knowing shit. And that's why this challenge only gives 100 points. Because in the end it is simply entering the correct parameters and clicking GO. and then the secret key drops. Well, there's a little more to that challenge. But essentially that's all. So I took the ChipWhisperer home and spent the next few days trying to do this on the CTF board.

There were so many failures. I will tell them now in sequential order, but you have to imagine that they were all intertwined and only slowly did I find all these errors. It wasn't a clear progression of "find bug", "fix it", "find next bug", "fix it". I tried many things and spent hours after hours until I discovered the problems. Although it may seem simple, it is not at all. It was hell. Ok, first of all, I had to learn how this ChipWhisperer framework works. I noticed that the test board is a little different from the CTF board.

So I just have to change things like how to turn on encryption or decryption. But before Chipwhisperer could communicate via serial with the baord, I had to solve the problem of different voltage levels. The Arduino Nano board runs on 5V, while the ChipWhisperer uses 3 volts. So I had to build a one-way level converter to convert the 3V signal to 5V and the 5V signal to 3V. But that worked surprisingly fast. So this is the configuration. Series connection via level converter. And then using a RIGOL probe to measure the voltage after the resistance. I was very happy and felt very smart using the Rigol probe because it fit into the socket.

I then copied the code from the example script and spent a few hours modifying it and was able to collect traces and run analyses. I thought the hard part now was finding the right time when crypto is happening. At some point I realized that one of the LEDs flashes just before the crypto starts, so you could use that as a trigger for Chipwhisperer. Again, don't forget the one-way level converter. But after a few days of not being able to find correlations in my captures, I became so frustrated that I finally decided to look into serial communication.

And I realized that I didn't send the raw data I wanted to encrypt, but sent it as a hexadecimal string. Obviously this was completely wrong. No wonder no analysis worked, because the data was simply wrong. So at some point I fixed it, but things still weren't working. And it's really hard to understand what's going on. The traces I took with the oscilloscope looked really good. I could easily see where the crypto is happening. AES has 10 cryptocurrency rounds and you can see them clearly. They are there. So my trigger was at the right time. But when I followed up with the chip whisperer, I didn't see that.

After many more hours and days, I realized that the problem was the RIGOL probe. You know that these probes are not just metal wires, but they have some components in there. In fact, this probe is a 10:1 probe. So on the oscilloscope you have to set a 10x multiplier. And ChipWhisperer didn't support that. One time I realized I was about to jump off the next building. What the hell. I then replaced the nice professional probes with a simple cable. And suddenly the measurements were great. Another challenge I had was setting the sample rate high enough, because you want to sample much faster than the microcontroller clock.

But setting that up is very strange for the chip consumer. And many other small problems. The software kept stopping working, I think it's a memory problem. I had to guess what certain parameters are for. And you can imagine that with all the problems I just told you about and not really knowing what was causing them, overall it was a very frustrating experience. Is it the capacitors, is something broken, is it interference, is the script wrong, are the aprameters wrong, am I not collecting enough traces, am I at the wrong time, is the trigger working, is the data even random?

I don't know. Oh. And I also pulled up a second pin from the atmega, because there are two VCC connections and I didn't know if that was maybe a problem. It was hell. RECORD HERE Anyway. Once all the setup was correct and working, I clicked Start to collect the traces and it started looking really good. Once you have a good set of traces, you need to align them, because the trigger is not perfect in timing. But there are modules for that. How to combine patterns. And then you can run the scan and the key magically appears.

There is. I transcribe the key and deliver it. 100 points. 100 points for hundreds of euros I spent on equipment and work days. 100 points. I'm so depressed. I also have to give credit to Andrés Moreno from riscure who despite my constant ranting and cursing still listened to me and helped me a lot. Thank you so much! Also thanks to my friend from TU Berlin and others from the riscure IRC channel. I needed a lot of help for this challenge. But regardless of my hatred for this challenge, I'm also very proud to have done it. It was clearly above my skill level and I did it in the end. and I learneda lot.