Tempest attacks against AES: Stealing keys using minimal equipment [pdf] | Better HN

Tempest attacks against AES: Stealing keys using minimal equipment [pdf] | Better HN

65 comments

This was the AES implementation this was tested against:

The trace below shows our signal for one block of AES-256 encryption running on a SmartFusion2 target. We use OpenSSL's implementation of AES on the ARM Cortex-M3 core of the SmartFusion2. There are clear, distinct patterns for each stage of processing. We see I/O to and from the Cortex-M3, calculations for the key schedule, and the 14 encryption rounds.

So it was a software implementation.

I wonder if and how effective this attack would be against devices with hardware implementations of AES.

JoachimSchipper8y ago

We (that is, our interns and my colleagues) also attacked a straightforward/naive hardware implementation in an FPGA (reconfigurable hardware); we/they achieved at least a few centimeters of distance (using the open-loop antenna shown.)

A truly hardened hardware implementation would be very hard to attack. The contribution of this work is mostly in showing that you can break realistic-but-not-great implementations very quickly, cheaply, and without needing to open most enclosures.

5gaKanchAFD28y ago

The interesting work here is definitely on the measurement/acquisition side. Ultimately if it's an unprotected AES you're going to be able to exploit some leakage given enough measurements.

This is pretty consistent with recent results that attack more 'exotic' targets; the post-acquisition phase uses the same old techniques that were 'discovered' in the very early 2000's. It seems to be that once you've found the things you need to do to get clean measurements you can just use the straightforward linear-dependency related stuff or do a simple profiled attack if that suits.

hvidgaard8y ago

All it does is messuring power consumtion and uses knowledge about the implementation to calculate the key.

Unless steps have been taken to equal power consumption between different paths, theoretically there is nothing stopping this from working on a hw implementaion of AES.

user59944618y ago

There is a paper on stealing RSA keys, by listening to the sound the power supply of a laptop makes, from 4 meters away with a microphone. Works wonders!

dom08y ago

> theoretically

Hardware implementations are designed to make this hard. They also use a lot less power, so any measurements are more difficult / take longer.

devdoomari8y ago

...how about a random-power-consumer? would it help?

2sk218y ago

I remember reading about such attacks for the first time in Neal Stephenson's book Cryptonomicon under the term "Van Eck Phreaking". Looks like its gotten a lot easier in recent years!

Are there any modern crypto algorithms that are, by design, immune from an attack such as this? Would not having any key-dependent code paths be sufficient to prevent this attack?

If it is possible to be immune by design to power analysis, timing and tempest attacks, is there a list of such algorithms somewhere that I can look it up? My google-fu hasn't returned anything useful.

5gaKanchAFD28y ago

No algorithm is secure by design against these DPA attacks. They exploit data-dependencies.

The only 'provably secure' (e.g., on paper (+)) countermeasure you can apply to these symmetric schemes is something typically called masking. You can view masking as using secret sharing techniques to split up all intermediate computation into independent operations. To defeat masking an attacker needs to be able to re-combine the data dependent information leakage associated with all the split components. This is always a possibility.

Thus it becomes a risk/cost tradeoff. The more you mask, the more secure you become, but at a cost of speed/area/power draw.

(+) It's decidedly non-trivial to implement a masking scheme such that you get the theoretical security. This is an active research area.

simias8y ago

How about a "security through obscurity" countermeasure for sensitive systems where we'd use a special compiler that adds a bunch of "noise" in the generated algorithm (useless instructions etc...)?

Or alternatively run the algorithm through an emulator that does the same thing.

Chacha20 was designed to be immune to timing attacks. It's discussed on page three:

https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-chacha...

JoachimSchipper8y ago

Side-channel-resistance is a property of the algorithm, not of the implementation.

As technion says, ChaCha20 was designed such that the evident software implementation resists such attacks; however, Schwabe and Kasper also have a high-quality software implementation of AES.

Hardware implementations are a different beast altogether, and a lot of expertise has gone into making hardened AES implementations in hardware (as forg0t_username says, masking helps - but this is an entire field of study. Look at some CHES conference papers to get an idea.)

SAI_Peregrinus8y ago

Side channel resistance can be increased in the implementation. Some things like comparisons can be done in constant time or in variable time. If the algorithm includes comparisons it might be side-channel resistant only with certain implementations.

oconnor6638y ago

> Side-channel-resistance is a property of the algorithm, not of the implementation.

I don't think this part is true. There are constant time software implementations of AES: https://crypto.stackexchange.com/a/92/21442

marcosdumay8y ago

ChaCha20 does not survive tempest attacks like this one. No algorithm does.

This attack is reading data directly from the bus between RAM and the CPU. You can not make an algorithm that survives that.

The most vulnerable part of symmetric crypto algorithms is the S-box tables, (8 to 8 bits in AES) in most AES implementation realized as 8 to 32 bit T-tables. It is possible, but harder and slower to implement AES without, so it is usually not done.

Of software implementations, the Serpent algorithm, that was one of the candidates for AES, can be implemented without any lookup tables and fully key-independent memory access patters. That will make an attack like this very unlikely to succeed.

forg0t_username8y ago

The keyword you're looking for is masking. Masked implementations of AES resist this exact attack without problem. Higher-order attacks are then needed, and those require exponentially more computation.

calculat0r8y ago

Check out Leakage-Resilient cryptography, which aims to provide security against a bounded number of bits leaking. Here's a good survey paper from 2010: https://cseweb.ucsd.edu/~pmol/Documents/RE.pdf

JoachimSchipper8y ago

Leakage-resilient cryptography is cool, but it's very much a mathematics-first approach: the independence assumptions required for the mathematical proofs simply don't hold in the physical world, and it's not clear what an assumption about "may not leak more than lambda effective bits" means (the attacker has 10 GB of measurements, mostly noise; can we expect to remain secure?)

The leakage-resilient work with which I'm most familiar also looks more like "algorithmic countermeasures" (e.g. changing keys frequently) than like something which would protect an AES core per se; but that's also a function of the work I'm most familiar with (the work of my old advisor Pietrzak.)

mhkool8y ago

An intelligent noise generator that runs as the second hardware thread on the same CPU using should be able to protect the encryption. If the second noise-generation thread is able to randomly stop the encryption thread and do itself some random crypto, it should be able to fool the eavesdropper which will assume that the signals of the noise thread is produced by the encryption thread.

One can also think about modifying the implemenation of OpenSSL and others by inserting a lot of noise in the algorithm itself.

One can also ask chip designers to modify the circuitry to produce a lot of noise during AES instructions. Or do the opposite in circuitry: use something comparable to active noise cancellation in headphones.

JoachimSchipper8y ago

This is research by my close colleagues; I'm happy to answer any questions.

calculat0r8y ago

What mode of operation of AES was used for the analysis?

JoachimSchipper8y ago

ECB, I think? The focus was definitely on attacking the crypto core per se.

(Of course, ECB is almost certainly a bad idea if you're trying to build an actual application!)

Doesn't the device case act as a faraday cage?

JoachimSchipper8y ago

Less so than we expected; a metallic case definitely reduces the signal strength, but IIRC for the one case we tried placing, the small-loop antenna directly on the case still gets you a good-enough signal to break this (pretty basic) AES implementation. Someone could definitely do more research into that, though - we only did a one-off experiment.

Of course, everyone uses plastic nowadays... ;-)

ishitatsuyuki8y ago

Well, in many cases AES keys are used one time, and there's also forward secrecy that guards it from decryption even if the key leaked.

Forward secrecy does not protect the data for which the key was leaked (which could be at-rest data), it only protects future transmissions.

5gaKanchAFD28y ago

This is a common countermeasure. You need to be aware that you maybe just be moving the problem. In settings in which key agreement techniques aren't used you'll be deriving new symmetric keys from an initial secret using a KDF. You now need to make sure that the KDF is DPA-resistant.

Forward secrecy is defined with respect to key agreement schemes and not symmetric crypto per se.

JoachimSchipper8y ago

"Algorithmic countermeasures" - that is, switching keys quickly - can indeed hinder side-channel attacks. Be careful not to introduce more problems than you solve, though - hand-rolling your own crypto is something to leave to a team of experts (because you definitely want someone reviewing your design!)

molticrystal8y ago

There was an attempt to do something similar with ps3 http://www.eurasia.nu/modules.php?name=Forums&file=viewtopic... , progress stopped though.

wdb8y ago

Off topic, but I always wondered how defense forces deal with encryption of channel when they collaborate with other forces from different countries. You would somehow be able to add a new participant to the group. Would this require re-issue of keys?

sqldba8y ago

I read it a few times and still don't understand how you can get like the 4k of private key data or whatever it is out of a radio signal - and they don't even mention keys they're talking about the algorithm itself.

Totally don't get it in the slightest.

buu7008y ago

https://en.wikipedia.org/wiki/Timing_attack. (Also, AES-256 keys are only 32 bytes, not 4 KB.)

JoachimSchipper8y ago

That gives the correct flavour, but note that we use a different side-channel than timing - this is really a hardware attack, so we e.g. pick up 0->1 transitions in the address bus.

alright, portable faraday cages for everyone!

xcz8y ago

Can someone ELI5 how this works? Would be much appreciated <3

forg0t_username8y ago

Basically, the current in a circuit is dependent of the data manipulated: changing a value from 0 to 1 or 1 to zero generates a current to (dis)charge the gate capacitances.

Maxwell's equations state that a current generates an electromagnetic field, and this field is perceived by the antenna. The attacker is then seeing electromagnetic waves related to the data manipulated.

By carefully comparing the waves with waves where the key is known, the attacker can then guess the key bit by bit.

This is an excellent summary.

u123u48y ago

Could this be used to break my existing hard drive encryption, or does it only apply to the key generation stage?

JoachimSchipper8y ago

In theory, yes. In practice, just grabbing your unlocked laptop and running off is a lot simpler than our/my colleagues' attack. ;-)

celticninja8y ago

it can read when the keys are used, i believe, but the attacker would need to know when the keys were used to identify the right time. However at 30cm this is someone standing at your desk waiting for you to fire up an instance or something.

amq8y ago

Guys, stop breaking the world! /s

celticninja8y ago

I'm all for the sharing of information and responsible disclosure etc, but when a company that makes stuff that is supposed to be protected from this sort of attack, then shows how if you dont buy their stuff you are at risk from anyone who can follow their plans and has $200, which they likely couldn't do yesterday, it doesnt seem to be as consumer friendly as it could be. more protection racket perhaps,

JoachimSchipper8y ago

We're just showing the capability; it's not like we're throwing a ready-made attack kit on the internet. And it's not like we could coordinate disclosure with "everyone who has ever shipped an AES implementation".

j / k navigate · click thread line to collapse