My Funding Provided By:

Similar documents
My Funding Provided By: Special Thanks: Dr. Zhizhang Chen. Cryptography Research Inc

Power Analysis for Cheapskates

Side Channel Analysis and Embedded Systems Impact and Countermeasures

POCKET SCOPE 2. The idea 2. Design criteria 3

81110A Pulse Pattern Generator Simulating Distorted Signals for Tolerance Testing

PHYS 2P32 Project: MIDI for Arduino/ 8 Note Keyboard

WHY DIFFERENTIAL? instruments connected to the circuit under test and results in V COMMON.

HP 8970B Option 020. Service Manual Supplement

The Effective Number of Bits (ENOB) of my R&S Digital Oscilloscope Technical Paper

(USB-) ME-Systems Manual

Horst Görtz Institute for IT-Security

Jitter in PCIe application on embedded boards with PLL Zero delay Clock buffer

UNDERSTANDING AND CONTROLLING COMMON-MODE EMISSIONS IN HIGH-POWER ELECTRONICS

Title: Low EMI Spread Spectrum Clock Oscillators

Embest DSO2300 USB Oscilloscope

EXPERIMENT NUMBER 5 BASIC OSCILLOSCOPE OPERATIONS

PL-277x Series SuperSpeed USB 3.0 SATA Bridge Controllers PCB Layout Guide

DAC Digital To Analog Converter

DEVELOPMENT OF DEVICES AND METHODS FOR PHASE AND AC LINEARITY MEASUREMENTS IN DIGITIZERS

Reading: HH Sections , (pgs , )

Op-Amp Simulation EE/CS 5720/6720. Read Chapter 5 in Johns & Martin before you begin this assignment.

STF & STF201-30

Special Topics in Security and Privacy of Medical Information. Reminders. Medical device security. Sujata Garera

AN4494 Application note

Tire pressure monitoring

Constructing a precision SWR meter and antenna analyzer. Mike Brink HNF, Design Technologist.

Designing VM2 Application Boards

Printed Circuit Boards. Bypassing, Decoupling, Power, Grounding Building Printed Circuit Boards CAD Tools

Atmel Norway XMEGA Introduction

1 Coffee cooling : Part B : automated data acquisition

An Ethernet Cable Discharge Event (CDE) Test and Measurement System

AD9741/3/5/6/7 Evaluation Board Quick Start Guide

AFG-100/200 series USB Modular Arbitrary Function Generator. Date: Oct, 2014

Case Study Competition Be an engineer of the future! Innovating cars using the latest instrumentation!

STF THRU STF203-33

Side Channel Attacks on Smartphones and Embedded Devices using Standard Radio Equipment

User s Manual of Board Microcontroller ET-MEGA2560-ADK ET-MEGA2560-ADK

Application Note AN:005. FPA Printed Circuit Board Layout Guidelines. Introduction Contents. The Importance of Board Layout

Arduino ADK Back. For information on using the board with the Android OS, see Google's ADK documentation.

DS1307 Real Time Clock Breakout Board Kit

User s Guide DSO-2150 USB PC Based Digital Oscilloscope Operation Manual

Timing Errors and Jitter

Balun Parameter Definitions & Measurement May 2004

Applying Remote Side-Channel Analysis Attacks on a Security-enabled NFC Tag

PicoScope 6000A/B Series

Engineering Sciences 151. Electromagnetic Communication Laboratory Assignment 3 Fall Term

Capacitor Self-Resonance

24-Bit Analog-to-Digital Converter (ADC) for Weigh Scales FEATURES S8550 VFB. Analog Supply Regulator. Input MUX. 24-bit Σ ADC. PGA Gain = 32, 64, 128

Current Loop Tuning Procedure. Servo Drive Current Loop Tuning Procedure (intended for Analog input PWM output servo drives) General Procedure AN-015

QUICK START GUIDE FOR DEMONSTRATION CIRCUIT BIT DIFFERENTIAL ADC WITH I2C LTC2485 DESCRIPTION

Recommendations for TDR configuration for channel characterization by S-parameters. Pavel Zivny IEEE GCU Singapore, 2011/03 V1.

Section 3. Sensor to ADC Design Example

AppNote 404 EM MICROELECTRONIC - MARIN SA. EM4095 Application Note RFID. Title: Product Family: TABLE OF CONTENT. Application Note 404

Experiment1: Introduction to laboratory equipment and basic components.

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 1 Introducing Hardware

Frequency Response of Filters

W a d i a D i g i t a l

DDS VFO CONSTRUCTION MANUAL. DDS VFO Construction Manual Issue 1 Page 1

USBSQ USB 2.0 Signal Quality Analysis Application. Electrical Testing Notes

PGA103+ Low noise, high dynamic range preamp for VHF and UHF

Introduction Page 4. Inspector SCA Page 6. Inspector FI Page 10. Service & Product support Page 13. Inspector Hardware Matrix Page 14

phonostage RIP YOUR VINYL TO BITS, WITH A USB Design

Performing Amplifier Measurements with the Vector Network Analyzer ZVB

US-Key New generation of High performances Ultrasonic device

11. High-Speed Differential Interfaces in Cyclone II Devices

Test Driven Development of Embedded Systems Using Existing Software Test Infrastructure

Controlling a Dot Matrix LED Display with a Microcontroller

VJ 6040 Mobile Digital TV UHF Antenna Evaluation Board

PGA103+ Low noise, high dynamic range preamp for VHF and UHF

USB2.0 Technical Manual

Successfully negotiating the PCI EXPRESS 2.0 Super Highway Towards Full Compliance

1. ANSI T T1

Massachusetts Institute of Technology

Pericom PCI Express 1.0 & PCI Express 2.0 Advanced Clock Solutions

USB 2.0/3.0 Droop/Drop Test Fixture

U1602A Handheld Oscilloscopes, 20 MHz

PIN CONFIGURATION FEATURES ORDERING INFORMATION ABSOLUTE MAXIMUM RATINGS. D, F, N Packages

IC-EMC v2 Application Note. A model of the Bulk Current Injection Probe

Lock - in Amplifier and Applications

The CW Machine Hardware

Bluetooth Stereo Network

3D modeling in PCI Express Gen1 and Gen2 high speed SI simulation

Building a Basic Communication Network using XBee DigiMesh. Keywords: XBee, Networking, Zigbee, Digimesh, Mesh, Python, Smart Home

Data Sheet. Adaptive Design ltd. Arduino Dual L6470 Stepper Motor Shield V th November L6470 Stepper Motor Shield

[F/T] [5] [KHz] [AMP] [3] [V] 4 ) To set DC offset to -2.5V press the following keys [OFS] [+/-] [2] [.] [5] [V]

SG Miniature Wi-Fi Radio

Output Ripple and Noise Measurement Methods for Ericsson Power Modules

EVAL-AD5680. Single Channel, 18-Bit, Serial Input, Voltage Output DAC Evaluation Board FEATURES GENERAL DESCRIPTION

PicoScope 3000 A and B Series

Current Probes. User Manual

High-Speed Gigabit Data Transmission Across Various Cable Media at Various Lengths and Data Rate

4 OUTPUT PCIE GEN1/2 SYNTHESIZER IDT5V41186

Agilent N8973A, N8974A, N8975A NFA Series Noise Figure Analyzers. Data Sheet

An Overview of the Electrical Validation of 10BASE-T, 100BASE-TX, and 1000BASE-T Devices

CANFI: Cheap Automatic Noise Figure Indicator. Frank Schmäling DL2ALF Wolf-Henning Rech DF9IC Alexander Kurpiers DL8AAU

Electrical Compliance Test Specification SuperSpeed Universal Serial Bus

Designing the NEWCARD Connector Interface to Extend PCI Express Serial Architecture to the PC Card Modular Form Factor

Analog Devices Welcomes Hittite Microwave Corporation NO CONTENT ON THE ATTACHED DOCUMENT HAS CHANGED

This application note is written for a reader that is familiar with Ethernet hardware design.

Transcription:

My Funding Provided By:

The Way Forward What the hell is Side Channel Analysis? Introducing ChipWhisperer Waveform Acqusition & Cheapskates Example Attack Some other Cheap Tools Where to go From Here?

Motivation Not for 1337 H4X0 25 You WILL have to learn how the attacks work, understand the (fairly small) amount of math You WILL have to learn about hardware design, software programming of both target & software, etc You WILL get frustrated, run into bugs with my tools, and have to fix/debug them yourself

THE SIDE CHANNEL

Side Channel? Main Channel Secret

Side Channel? Power Main Channel Secret

Power Channel.

Power Channel.

Data Bus Line

Data Bus Line

Power Channel.

Power Model? 1. Hamming Distance 2. Hamming Weight

Side Channel.

Looking at AES

Simple 4-Bit Example

Simple 4-Bit Example Plain Text Unavailable Output Key

Correlation Analysis Input Plaintext Hyp. Key Hyp Result Hyp HW 0100 (4) 0010 (2) 0110 (6) 2 0111 (7) 0010 (2) 0101 (5) 2 0010 (2) 0010 (2) 0000 (0) 0 0001 (1) 0010 (2) 0011 (3) 2 0000 (0) 0010 (2) 0010 (2) 1 0110 (6) 0010 (2) 0100 (4) 1 0101 (5) 0010 (2) 0111 (7) 3

Simple Example Failings Attacking XOR not ideal In real systems attack non-linear functions: S-Box (original & most common) MixCols (e.g. xtime() )

Looking at AES

Correlation Power Analysis 1. Input many plaintexts & measure power 2. For keyguess = 0,1,2,3,.,254,255: 1. Based on known plaintext calculate S-Box output for each trace 2. Use power model to predict what power trace should look like 3. Measure correlation between model & measured over all traces 3. Keyguess resulting in highest correlation is probably correct

www.chipwhisperer.com GIT Repository for tools shown here GIT Repository for hardware designs Mailing List for discussion Wiki for Documentation

Current Software Tools ChipWhisperer-Capture Capture tools, interfaces to OpenADC + target boards Records traces ChipWhisperer-Analyzer Applies attacks to power traces

About the Tools All tools Open Source (GPL License) Written in Python using PySide for GUI Uses trace file format from DPA Contest V3, which publishes some example captures, along with special project file format

Runs on Windows/Linux/Mac Supports multiple different targets Dockable preview window (to right) shows power as measurements occurring

Waveform Acquisition & Low- Cost Alternatives

What s a Normal Setup look like? Power Trace Trigger

Is this Really Typical? Author Work Year Scope Cost (Used, 2013) Dario Carluccio Youssef Souissi et al. Dakshi Agrawal et al. F.X. Standaert et al. Electromagnetic Side Channel Analysis Embedded Crypto Devices Embedded systems security: An evaluation methodology against Side Channel Attacks 2005 Infiniium 5432D MSO 2011 Infiniium 54855 The EM Side Channel(s) 2003 100 MHz, 12 bit Using subspace-based template attacks to compare and combine power and electromagnetic information leakages 2008 1 GHz bandwidth $8000 $20 000 $1000 $7500

Does Sample Rate Matter?

Does Sample Rate Matter?

Does Sample Rate Matter?

Does Sample Rate Matter?

Can We Do Better? Power Clock

Does Sample Rate Matter?

Using 4x Source Clock Power Clock

Synchronization, Synchronization, Synchronization

Explaining Trigger Jitter

Tips for using a Normal Oscilloscope Can hack scope to output sampling time-base, run D.U.T. from this clock or derived from this clock Some scopes tell you time between trigger & first sample, use this to upsample, shift offset, and downsample traces Agilent calls this XOffset parameter Sample at highest possible rate & downsample yourself

OpenADC Comparison

What about Phase Shift?

Desired Capture HW See A Case Study of Side-Channel Analysis using Decoupling Capacitor Power Measurement with the OpenADC by Colin O Flynn & Zhizhang Chen

OpenADC Spartan LX9 Board

OpenADC ZTEX Board ZTEX has Higher Speed USB interface More options on FPGA size for future development

ZTEX Adapter Board Not yet available, will be online soonish

Other FPGA Boards (from Wiki)

OpenADC Can use up to 105 MSPS in oscilloscope-like mode Supports synchronizing to sample clock of device, so can attack high-speed targets Built-in amplifier Open Source design!

Synchronous Sampling Scope e.g.: CleverScope with CS810 Option PicoScope PS6000 Almost any high-speed analog FPGA/ADC Board

Your First Attack

Should I Attack a Smartcard?

Attacks against Smart Card Shunt to measure current Clock, Sync, etc

SmartCard Capture Note we use a resistive divider to scale the 5V signals to 3V the 5V signal would immediately destroy the FPGA board!

SmartCard Capture - Cheap

SmartCard Capture - Cheap

SmartCard Capture - Cheap

So What do you Do? =

What does this Look Like?

What does this Look Like?

A PCB Version

Let s Do This: Shopping List AtMega8 / AtMega48 7.37 MHz Crystal 22pF Capacitors 100 ohm resistors 220uF (or bigger) capacitor 1uF Ceramic Capacitor 0.1uF Ceramic Capacitor Cables/Connectors Breadboard Capture HW Serial-USB Adapter Power? AVR Programmer

Notes on Step 1 Ideally Get ATMega8-16PU AtMega48A also works, note A suffix means a smaller geometry used in Production = smaller power signature Crystal not 100% needed but makes life easier Example here uses Colorado Micro Devices USB2UART, many other manufactures of USB/Serial Cables Need Capture HW too OpenADC used here, can use general purpose scope (Tiepie suggested as Differential versions, Picoscope popular too)

Step 2: Build your Target HW See schematic in ref material Insert resistor in power line Need AVR programmer. Can use: AVR-ISP MK-II Arduino setup as programmer Lots of other cheap AVR programmers (see EBay)

Step 2: Continued (Testing) Use serial port to confirm working

Step 3: Characterize Probe connected to VCC rail, not across shunt

Step 3: Characterize

Step 3: Characterize 2.2uF Ceramic Capacitor +680uF Electrolyctic +100 ohm series resistor

Step 3: Characterize

Step 3: Shunt

Step 3: Characterization Cont d Persistence Mode in Scope Adjust gain, trigger, etc to get reliable signal Fixed Plaintext

Step 4: Acquire Use AESExplorer Capture application, written in Python with PySide Included on Blackhat CD Capture ~2500 traces, 6000 samples/capture

text_in.txt & wave.txt are the needed files Step 4: Acquire

Step 5: Break It Copy wave.txt & text_in.txt to same directory as dpa_attack.py, run:

Step 6: Better Analysis Tools

MAGNETIC FIELD PROBES

Rohde & Schwarz

ETS-Lindgren

Bruce Carsten Associates, Inc.

Instek

DIY: Example Length of Semi-Rigid cable with SMA Connectors ($3 surplus) can be turned into a simple magnetic loop:

DIY: Example Wrap entire thing in non-conductive tape (here I used self-fusing + polyimide) to avoid shorting out anything:

DIY: Some Useful References http://www.compliance-club.com/archive/old_archive/030718.htm

DIY: Some Useful References Elke De Mulder: Electromagnetic Techniques and Probes for Side-Channel Analysis on Cryptographic Devices http://www.cosic.esat.kuleuven.be/publications/thesis-182.pdf

PRE-AMPLIFIER

Pre-amplifier Signal is too weak to be picked up, requires pre-amplifier in addition to probe.

Pre-amplifier: Buying One Assuming we are making a probe, there is no need to purchase the expensive preamplifier offered by that manufacture. Here is a 20 db amplifier for $90, it was shown being used in another photo.

Pre-amplifier: Buying One

Pre-Amplifier: Making One ~ $0.60

Pre-amplifier: Making One

Pre-Amplifier: Making One

Pre-Amplifier: Making One

20 db = 100x gain (~80 400+ MHz)

16 db = 40x gain (0.1 10 MHz)

DIFFERENTIAL PROBE

Common-Mode Noise

Background V = I R i.e. say signature was 0.2 ma, shunt was 75 ohms 0.0002 x 75 = 0.015 = 15 mv

Differential Probe From Side Channel Analysis of AVR XMEGA Crypto Engine by Ilya Kizhvatov

What was that?

We don t need 1000 MHz..

Uh what about E-Bay?

How Cheap are you? This chip is < $5 in single-unit quantities! Add a voltage supply & a few resistors/capacitors and you ve got a pretty good probe.

Full Details on ChipWhisperer Wiki / Whitepaper

Some Photos of Things

SASEBO-W Board http://www.morita-tech.co.jp/sakura/en/hardware.html This chip is < $5 in single-unit quantities! Add a voltage supply & a few resistors/capacitors and you ve got a pretty good probe.

Xmega Board

Arduino

Xmega Capture Hardware

Example Results - AVR avr-crypto-lib in C Straightforward C avr-crypto-lib in ASM This chip is < $5 in single-unit quantities! Add a voltage supply & a few resistors/capacitors and you ve got a pretty good probe.

Example Results XMega avr-crypto-lib in C Hardware Implementation This chip is < $5 in single-unit quantities! Add a voltage supply & a few resistors/capacitors and you ve got a pretty good probe.

Where to Go from Here?

Actions You Can Take Read the White Paper for more details including a Buying Guide to start playing around be SURE to check for updates to it on newae.com/blackhat Join ChipWhisperer Mailing List & discuss There is a good book that covers a LOT: This chip is < $5 in single-unit quantities! Add a voltage supply & a few resistors/capacitors and you ve got a pretty good probe. Read original DPA Paper by Kocher, look at CHES & COSADE Proceedings HINT: Local universities often have access to all these, so use a computer on their network (e.g. from library)

Questions Etc. Visit me on internet: newae.com/blackhat chipwhisperer.com E-mail me: Mailing List: coflynn@newae.com chipwhisperer.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information