An experimental setup for practical differential ...

Int. J. Internet Technology and Secured Transactions, Vol. 6, No. 1, 2015

An experimental setup for practical differential electromagnetic and power analysis of AES cryptosystem

Massoud Masoumi*
Department of Computer Science, University of Houston, 501 Philip G. Hoffman Hall, Houston, TX, 77204-3010, USA
Email: [email protected]
*Corresponding author

Mohammad Hadi Rezayati
Sadjad University of Technology, P.O. Box 4664-91375, No. 64, North Jalal-Ale-Ahmad Blvd., Mashad, Iran
Email: [email protected]

Weidong Shi
Department of Computer Science, University of Houston, 501 Philip G. Hoffman Hall, Houston, TX, 77204-3010, USA
Email: [email protected]

Abstract: Differential electromagnetic analysis implies measuring electromagnetic radiations of a cipher-circuit in an attempt to uncover part of a cipher key. Cryptographic security gets compromised if the electromagnetic emissions correlate with those from a hypothetical model of the cipher circuit. This article describes an experimental setup for performing electromagnetic analysis as well as the measurement probe that is the critical piece of equipment for performing electromagnetic attacks. Most of the probes that are used for electromagnetic attacks in the published papers are self-made and no detailed specification is available for them. The accuracy and efficiency of the designed setup were verified by practical results obtained from real implementation of both attacks on an AT89C51AC2 microcontroller. The results of this work can serve to protect microprocessor-based security tokens such as smart cards that are vulnerable to these kinds of attacks.

Keywords: differential electromagnetic analysis; DEMA; differential power analysis; DPA; advanced encryption standard algorithm; microcontroller implementation; side-channel attacks.

Copyright © 2015 Inderscience Enterprises Ltd.

Reference to this paper should be made as follows: Masoumi, M., Rezayati, M.H. and Shi, W. (2015) ‘An experimental setup for practical differential electromagnetic and power analysis of AES cryptosystem’, Int. J. Internet Technology and Secured Transactions, Vol. 6, No. 1, pp.9–24.

Biographical notes: Massoud Masoumi received his BSc (Hons.) from Guilan University, Rasht, Iran in 1996, and MSc and PhD (Hons.) from the K.N. Toosi University of Technology, Tehran, Iran in 1999 and 2006, respectively, all in Electronics Engineering. In 2009, he finished post-doctoral research in the context of power analysis attack to symmetric key cipher systems in K.N. Toosi University of Technology. In 2014, he worked as a senior research associate at Computer Science Department of University of Houston, Houston, TX. His research interests include side-channel attacks and related countermeasures and efficient very large scale integration and nanoscale architecture design for digital signal processing, coding and cryptosystems.

Mohammad Hadi Rezayati received his BS in Electronic and Electrical Engineering from the Sadjad University of Technology, Mashad, Iran in 2012, and MS in Electronic Engineering from Islamshahr Azad University, Tehran, Iran in 2014. His research interests include image processing, cryptography, side-channel attacks, network security, and field-programmable gate array programming.

Weidong (Larry) Shi received his PhD in Computer Science from Georgia Institute of Technology where he did research in design of secure micro-processors and secure computer systems. He was previously a senior research staff member at Motorola Research Lab, Nokia Research Center at Palo Alto. In the past, he contributed to the ASIC design of Nvidia platform products. In addition, he authored and co-authored over 50 peer-reviewed publications covering research topics in computer architecture, cloud computing, system security, and mobile computing. His current research efforts include identity management, cloud computing, hardware support for security and privacy, impact of emerging technologies and nanoscale devices to computer architecture and sensing systems. He was the inventor and co-inventor of multiple issued and pending USPTO patents. His research team is funded by National Science Foundation and Department of Homeland Security.

1 Introduction

More than fourteen years after the first publications of Kocher’s attacks, a lot of improvements have been proposed for power and electromagnetic-based (EM) side-channel attacks (Chen et al., 2008; Masoumi, 2012). It has been shown that EM radiations of a circuit can leak sensitive information. It is well known that defense organisations across the world are paranoid about limiting EM emanations from their equipment and facilities and conduct research on EM attacks and defenses in total secrecy. It has been shown that most of the well-known encryption algorithms such as AES, DES, ECC, … are easily broken by using differential electromagnetic analysis (DEMA) or differential power analysis (DPA) with low cost and common laboratory tools (Masoumi et al., 2010). Indeed, the main threat to a cryptographic token in the real world is not the cryptanalysis of the actual algorithm, but rather the exploration of weaknesses of the implementation. Another form of these attacks, the so-called correlation power and electromagnetic analysis (CPA/CEMA) technique based on the correlation between the real power consumption or EM radiation of the device and a side-channel leakage model, has been widely studied in the literature (Real and Valette, 2009). In recent years, the security of the advanced encryption standard (AES) against DEMA has received considerable attention and there is a growing interest in efficient and secure realisation of the AES. As a result of these attacks, numerous hardware, software and algorithmic countermeasures have been proposed (Maghrebi et al., 2011).

The contribution of this paper is that, compared with other published papers that give little detail about the critical parts of the equipment needed for mounting an EM attack, such as EM probes (Gu et al., 2011; Wu et al., 2009), we present our own hand-made measurement probe, RF amplifier and experimental setup of attack in the near field with detailed specification. The results presented in this paper can be used to better protect some microprocessor-based security tokens such as smart cards from adversaries in future research. The remainder of the paper is organised as follows: Section 2 illustrates the AES algorithm briefly. In Section 3, the background of power and electromagnetic attacks is described briefly. The measurement setup for implementation of the attacks is illustrated in Section 4. The results of attack on a real system and discussions will be presented in Section 5. Finally, we summarise the results of our work in the conclusions.

2 Background of EM attacks

Almost every digital circuit built today is based on CMOS technology. If a CMOS gate changes its state, this change can be measured at the Vdd (or Vss) pin. The more circuits change their state, the more power is dissipated. Power dissipated by the circuit can be monitored by using a small resistor, Rm, in series between Vdd (or Vss) and the true source (or ground). Since the change in state, or switching activity, is data dependent, it is not surprising that the key used in a cryptographic algorithm can be inferred from the power consumption statistics gathered over a wide range of input data. The transition count leakage gives information about the number of changed bits, while the Hamming weight leakage is related to the number of ‘1’ bits being processed simultaneously.

There are two different degrees of sophistication involved in such power analysis, simple and differential. If the power consumption pattern of the hardware depends on the instruction being executed, the attacker can deduce the sequence of instructions. Using this power information and by knowing the underlying algorithm being implemented, such information can reveal the secret key. This type of attack is called simple power analysis (SPA) attack, and typically is applicable to devices that depend on external power supplies, e.g., smart cards. DPA attacks use multiple measurements and apply statistical methods to recover secret information. DPA attacks have been proven to be very effective and efficient. Just like the power side-channel, the EM side-channel signals can be used to perform attacks like simple/differential electromagnetic attacks (SEMA/DEMA) which are the analogues of SPA and DPA. This is because, like power signals, EM emanations are correlated to each active bit in the state of the device at an instant in time. Also, by comparing the correlation plots of DEMA/DPA for a particular algorithmic bit using different EM channels as well as the power side-channel, one can compare how a particular bit leaks in the various side-channels.

EM emanations can propagate both via radiation and via conduction. Often, EM emanations arrive at an intercept point by a complex combination of radiation and conduction. The EM side-channel differs in a number of ways from the power consumption side-channel. The most important difference is that a power consumption measurement is a simple amplitude waveform over time, while the electromagnetic side-channel is a three-dimensional vector field that changes over time. The major benefit of electromagnetic analysis over power analysis is the possibility of making local measurements. In DPA and DEMA, an attacker uses a so-called hypothetical model of the attacked device. The quality of this model is dependent on the knowledge of the attacker. The output of the first subbytes is usually attacked in practice since that is the only function in AES in which data and cipher key enter a direct operation. Attacking the output of MixColumns is too costly as the function is defined for 32 bits.

3 Measurement setups for power and EM attacks in the near field

Measurement setups for power and EM attacks are very similar in practice. In both attacks, the attack system requires sample collection equipment such as a digital oscilloscope or a sampling board as well as software for controlling device operations, triggering and controlling data collection and for signal processing and analysis. The only difference is the probe that is used for EM attack. The size and the shape of a magnetic sensor are the most important characteristics that determine the accuracy of the sensor. The EM attack is conducted based on measuring the electromagnetic field surrounding a device. Every current flowing in a device affects the electromagnetic field. In general, near-field magnetic fields are dominant if a current is flowing in a wire along a path that is not straight. Near-field electric fields on the other hand overpower the magnetic field when the current amplitude is not high but significant electric potential differences exist. Because varying currents are more important than large differences in electric potential in a normal CMOS chip, it is widely accepted that the most important near-field component for measuring direct radiation for side-channel analysis is the magnetic field. The size of the magnetic loop sensors is one of the most important characteristics to ensure the ability to make a detailed mapping of the field. Loop antennas are often used for measuring the electromagnetic component of electromagnetic waves radiated from a source. Figure 1 shows the general schematics of a loop antenna.

Figure 1 General schematics of a loop antenna (see online version for colours)

The voltage induced at the two loop terminals is given by equation (1).

$$V = \frac{2\pi A E \cos\theta}{\lambda} \qquad (1)$$

In equation (1), V is the voltage induced at the two loop terminals, A is the loop area, E is the electric field strength, λ is the wavelength and θ is the angle between loop plane and signal source. Magnetic probes are divided into two major categories: shielded and unshielded loops. Unshielded loops are sensitive to electric field and hence are not appropriate for electromagnetic field measurements. Figure 6 shows an example of a shielded loop. The most important item to notice is the gap in the shield. As with a normal loop, the induced voltage at the terminals is generated through the change in magnetic flux captured by the loop in accordance with the law of Faraday-Lenz. The voltage is induced over the slit at the outer surface of the conductor. Because of the skin effect, the inner side of the shield is electrically separated from the outer side of the shield. The transmission line consisting of the inner surface of the shield and the inner conductor is driven by the induced voltage over the slit. In a shielded loop the shield itself is the actual antenna. The current runs on the outer side of the shield. At the gap the current will return along the inside of the outer conductor. This current induces the current in the inner conductor. As a rule of thumb, for small loops, the total wire length of the loop should not be more than 0.1 of the wavelength.

Figure 2 shows four different configurations of a shielded loop. Figure 3(a) shows the basic configuration in which the inner conductor is connected to the outer conductor and grounded at the col of the probe. This configuration suffers from imbalance and asymmetry. Figure 6(b) is the modified version of the latter probe and is called symmetrical probe. A loop is formed by the connection of centre and outer conductor at the end of the coaxial cable to the outer conductor of the coaxial cable at the beginning of the loop (Mulder, 2010). In this way, a line integral similar to the one of the non-shielded loop is obtained. This antenna is indeed less sensitive to the electric field, compared to the non-shielded loops, due to the shielding of the outer conductor. Figure 2(c), which is called balanced loop, has an advantage compared to Figure 2(b) in that it causes less distortion in the pattern of the antenna. Starting from a balanced shielded loop, cutting the inner conductor at the slit and connecting the inner conductor of the left part of the loop to the outer conductor of the right part and vice versa, results in a Moebius loop, with two turns. This configuration is shown in Figure 3(d). This type is made with and without the short between adjacent outer conductors before and behind the loop.

Before designing the antenna, an appropriate configuration for the frequency range of 10 kHz–200 MHz was chosen. We fabricated several antennas for our experiments and measured their return loss, as shown in Figure 3. As can be seen from Figure 4, the behaviour of Moebius and Moebius with short is almost similar. The peaks in the characteristics of the Moebius loop are due to imperfect impedance characteristics of the coaxial cable. It was found that the best configuration is the balanced shielded loop antenna. Figure 4 shows some of the probes made in this project for EM attack in the near field.

Figure 2 Four different configurations of a shielded loop, panels (a) to (d)

Figure 3 Return loss for different configurations of loop antenna (see online version for colours)

Figure 4 Some of the probes made for EM attack in the near field in this research (see online version for colours)

The designed probe based on a balanced loop is shown in Figure 5. The balanced loop is connected to an unbalanced line via a balun. This balun is composed of a ferrite core with seven turns of #24 wire. Without the balun, the system suffers from the matching problem and the antenna effect, i.e., the balanced current of the loop will run at the outer side of the outer conductor of the coax and will hence pick up signals and influence the output signal of the sensor. A standard BNC connector is used at the end of the probe to connect it to measurement equipment such as an EMI receiver or spectrum analyser. The sensor was matched sufficiently over the entire frequency range, less than 200 MHz.

Figure 5 Structure of the proposed EM probe (see online version for colours)

The specifications of the designed probe are shown in Table 1. Figure 6 shows two balanced antennas designed and fabricated in this project.

Table 1 Specifications of the proposed probe

Loop diameter (2r)               7 cm
Diameter of coaxial cable (d)    4.6 mm
Shield gap (g)                   2 mm
Balun type                       Ferrite core with 7 turns wire

Figure 6 Two balanced antennas designed and fabricated in this research (see online version for colours)

In order to amplify the signal received by the probe, an appropriate high-frequency amplifier is needed to obtain a reasonable signal-to-noise ratio. We used an MAR8, a four-terminal IC with 1 GHz bandwidth, to make an amplifier. Maximum amplification level of this IC is 30 dBm. This IC needs a driver, whose schematic is shown in Figure 7. In an experiment, a 500 MHz signal with –70 dBm level was given to the input of the amplifier. The output signal level was –27 dBm, which shows that the performance of the amplifier is acceptable for our experiments. Figure 8 shows the amplifier connected to a spectrum analyser.

Figure 7 Schematic of the MAR8 amplifier driver (see online version for colours)

Figure 8 The designed probe amplifier connected to a spectrum analyser (see online version for colours)

4 Attack on a real system

In its original form, differential power (electromagnetic) analysis of AES requires a selection function D that we define as computing the value of a bit b which is part of the intermediate vector S1. One can write b as follows (Chen et al., 2008).

$$b = \text{one output bit of } S_1(P_i \oplus K_1) \qquad (2)$$

In equation (2), S1 is the subbytes transformation, Pi represents the ith random plain text and K1 is the first subkey byte. In order to improve the SNR and accuracy of the attack, we have used a four-bit selection function, i.e., our selection function returns one when the Hamming weight of the output is greater than four, and otherwise it returns zero. It has been shown that the efficiency of the attack is increased since the ghost peaks and secondary peaks are lowered when four bits are considered together (Masoumi et al., 2010). To investigate the accuracy and efficiency of the proposed experimental setup, AES was implemented on an AT89C51AC2 microcontroller. We designed a board for both power and electromagnetic analysis. A PC was used to provide input data to the attacked cryptographic IC and to analyse the recorded power or electromagnetic traces, together with an AD-Link PCI-9850 sampling board with a sampling frequency of 90 MHz and a bandwidth of 40 MHz. Figure 9 shows the photograph of the designed target module.

Figure 9 Photograph of the target module designed for EM and power attack (see online version for colours)

Figure 10 A metallic enclosure designed for reducing the effect of environmental noise on EM measurements (see online version for colours)

To reduce the effects of environmental noise on the EM measurements, the target module was placed in a metallic enclosure as shown in Figure 10. Figure 11 shows the recorded power traces of the module while executing the AES. Figure 12 shows the recorded power traces of 16 subbytes operations at the first round of the algorithm execution. Figure 13 shows the differential power trace for the correct subkey guess in the unprotected implementation. As can be seen, the correct subkey is revealed by the existence of a clear peak in the differential power trace. Figure 14 shows the same experiment on a wrong subkey guess. As can be seen, there is no clear peak in the differential power trace, which means that the guessed subkey is not correct.

Figure 11 Power signal of ten rounds of an AES execution (see online version for colours)
Note: Each of the ten spikes indicates the beginning of one round.

Figure 12 Power consumption of the subbytes operation of the first round on 16 input bytes (see online version for colours)
Note: This evidence suggests that the pattern may represent the calculations of 16 SBox on 16 input bytes.

Figure 13 Differential power traces for the correct subkey guess in the unprotected implementation (see online version for colours)
Note: A clear peak indicates that the correct subkey is recovered.

Figure 14 Differential power traces for a wrong subkey guess in the proposed implementation (see online version for colours)
Note: There is no clear peak in the differential power trace which means that the guessed subkey is not correct.

Figure 15 shows EM radiation of the chip while performing four rounds of the AES encryption and Figure 16 shows EM radiation while 16 SBox operations at the first round are being executed in the chip. In comparison with power traces, the operations are more distinguishable in EM traces. These traces simply show that the electromagnetic radiation is the highest information leakage in comparison with other side channels. Figure 17 and Figure 18 show the execution of DEMA with a correct and wrong subkey guess respectively. The existence of a clear peak demonstrates that the correct key has been recovered.

Figure 15 EM signal from execution of four rounds of the AES encryption (see online version for colours)

Figure 16 EM signal from execution of 16 subbytes operation of the first round of the AES encryption (see online version for colours)

Figure 17 Differential EM traces for a correct subkey guess in the unprotected implementation (see online version for colours)

Figure 18 Differential EM traces for a wrong subkey guess (see online version for colours)

We also performed CEMA on the implementation. To implement CEMA, for each of the N encrypted plaintexts, the attacker first selects the target (first) SBox for the selection function D. Then, he predicts the value of D (i.e., the number of bit flips inside a target register) for the 256 subkey guesses by using a simulation tool. The result of the prediction phase is an N × 256 selected prediction matrix containing integers between 0 and 7. Thus, we compute the correlation coefficient between the global consumption matrix and all the columns of the selected prediction matrix (corresponding to all the 256 key guesses). If the attack is successful, we expect that only one value, corresponding to the correct subkey guess, leads to a high correlation coefficient. The results of all of these correlations for the first byte of the key are shown in Figure 19; the correct value appears as a clear peak.

Figure 19 Recovering the correct subkey using CEMA on real measurements (see online version for colours)
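The two analyses of this section, as an added example that is not code from the paper: difference-of-means DPA/DEMA with the selection function that returns one when the Hamming weight of the first SBox output exceeds four, and CEMA as a per-sample Pearson correlation, both run on constructed traces so that an evaluator can see what a leaking implementation looks like. Assumptions: the simulated leakage (Hamming weight of the SBox output plus Gaussian noise at one sample), the trace and sample counts, and all function names; the paper's CEMA predicts register bit flips, for which the Hamming-weight model of Section 2 is substituted here.

```python
import random

def build_sbox():
    """AES S-box from its definition: inverse in GF(2^8), then the affine map."""
    def gmul(a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            a = (a << 1) ^ (0x11B if a & 0x80 else 0)
            b >>= 1
        return r
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        sbox.append(inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63)
    return sbox

SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming weight of every byte

def simulate_traces(key, n=300, samples=12, leak_at=7, noise=1.0, seed=1):
    """Constructed data: Gaussian noise plus HW(SBOX[p ^ key]) at one sample."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n)]
    traces = []
    for p in plaintexts:
        t = [rng.gauss(0.0, noise) for _ in range(samples)]
        t[leak_at] += HW[SBOX[p ^ key]]
        traces.append(t)
    return plaintexts, traces

def dpa_peaks(plaintexts, traces):
    """Difference of means per guess; D = 1 when HW of the S-box output > 4."""
    m = len(traces[0])
    peaks = []
    for k in range(256):
        sums, counts = ([0.0] * m, [0.0] * m), [0, 0]
        for p, t in zip(plaintexts, traces):
            d = 1 if HW[SBOX[p ^ k]] > 4 else 0
            counts[d] += 1
            for j in range(m):
                sums[d][j] += t[j]
        if 0 in counts:   # a guess that leaves one group empty gives no evidence
            peaks.append(0.0)
            continue
        peaks.append(max(abs(sums[1][j] / counts[1] - sums[0][j] / counts[0]) for j in range(m)))
    return peaks

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5

def cema_peaks(plaintexts, traces):
    """Max |correlation| over time between each prediction column and the traces."""
    columns = list(zip(*traces))   # one tuple of N measurements per time sample
    peaks = []
    for k in range(256):
        pred = [HW[SBOX[p ^ k]] for p in plaintexts]   # column k of the N x 256 matrix
        peaks.append(max(abs(pearson(pred, col)) for col in columns))
    return peaks

def best_guess(peaks):
    return max(range(256), key=peaks.__getitem__)

if __name__ == "__main__":
    pts, trs = simulate_traces(key=0x3C)   # 0x3C is a constructed subkey byte
    for name, peaks in (("DPA", dpa_peaks(pts, trs)), ("CEMA", cema_peaks(pts, trs))):
        k = best_guess(peaks)
        runner_up = max(v for i, v in enumerate(peaks) if i != k)
        print(f"{name}: best guess {k:#04x}, peak {peaks[k]:.2f}, runner-up {runner_up:.2f}")
```

The gap between the peak and the runner-up is the quantity to watch when re-running the same analysis on traces from an implementation with a countermeasure applied.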

5 Conclusions

In this article, we presented a low cost experimental setup for practical implementation of DEMA/DPA attacks. We conducted relevant experimental tests and verified the accuracy and correctness of our work practically. The result of this work will help to better protect embedded cryptosystems against DEMA and DPA. Many solutions would allow improving the measurements and a lot of questions concerning the physical and hardware security of microprocessor-based tokens and hardware security modules remain open. Protecting against sophisticated side-channel attacks exploiting the sensitive information, however, is still a challenge, is costly and must be done with care. The development of efficient countermeasures to thwart first-order and higher-order side-channel attacks represents an open issue which should be further investigated in future research.

References

Chen, K., Zhao, Q., Zhang, P. and Deng, G. (2008) ‘The power of electromagnetic analysis on embedded cryptographic ICs’, ICESS, pp.197–201.

Gu, K., Wu, L., Li, X. and Zhang, X. (2011) ‘Design and implementation of an electromagnetic analysis system for smart cards’, 7th Int. Conf. on Computational Intelligence and Security, pp.653–656.

Maghrebi, H., Guilley, S. and Danger, J-L. (2011) Leakage Squeezing Countermeasure against Higher Order Attacks, WISTP, Heraklion, June.

Masoumi, M. (2012) ‘Differential power analysis, a serious threat to FPGA security’, Int. J. Internet Tech. and Secured Transactions, Vol. 4, No. 1.

Masoumi, M., Masoumi, M. and Ahmadian, M. (2010) A Practical Differential Power Attack against an FPGA Implementation of AES Cryptosystem, IEEE I-Society, London, UK.

Mulder, E.D. (2010) Electromagnetic Techniques and Probes for Side-Channel Analysis on Cryptographic Devices, PhD thesis, KU Leuven.

Real, D. and Valette, F. (2009) ‘Enhancing correlation electromagnetic attack using planar near-field cartography’, DATE, pp.628–633.

Wu, K., Li, H., Chen, T. and Yu, F. (2009) ‘Electromagnetic analysis on elliptic curve cryptosystems: measures and counter-measures for smart cards’, 3rd Int. Symp. on Intelligent Inf. Tech. Application, pp.40–43.
