The Simple Way To Steal Data

Side channel and fault attacks are a low-cost, quick, and relatively easy way to siphon data.

popularity

Given all the propaganda that is currently floating around about what the IoT/E, CoT is or isn’t, will or won’t be, one thing is for sure – it will be flooded with autonomous objects, most of which most will be cheap, simple, and, as it stands now, unsecured.

And, given the equation that: a) side channel attacks are relatively easy, and b) that many of the chips of IoT/E, CoT objects are low-end and unsecured, the extrapolation just might raise an eyebrow or two. In fact, it does and this article will delve into side channel data exfiltration and expose some of the techniques and what can be done to derail such attacks.

The formal term for these types of attacks is cryptanalysis. This methodology attempts to expose weaknesses in ciphers and other cryptographic primitives via mathematical analysis. It is primarily used to uncover secret keys and secure, or protected, data in cryptosystems. But it isn’t just restricted to them. As was mentioned previously, It is most often performed against lower-end chips such as those in RFID and smart cards because they are relatively unsophisticated and unprotected, requiring fewer complex resources and techniques to compromise them.

For other areas of the device that don’t run mathematical ciphers, cryptanalysis also can be used to ascertain weaknesses. For example, it can be used to analyze memory contents as the R/W cycles run. And poorly designed protocols often can be undermined by the reuse of data captured from an earlier exchange (known as a replay attack). Another area is where an attacker can intercept and modify messages. The attacker changes their appearance, so they resemble a different participant in a protocol, to the rest (called the man-in-the-middle attack).

The side channel attack
One of the more common and unsophisticated of these threat vectors is called the side channel attack (SCA). Side-channel attacks are a class of attacks where an attacker attempts to assess the state of a cryptographic device and its contents. This is accomplished by observing and analyzing information that can be observed using different access methodologies.

The more common types if side channel attacks include:

Electromagnetic. When the chip’s processors run their functions and algorithms, EM fields are produced. We all know that the movement of electrons causes a resultant electromagnetic field, however small, and armed with a bit of knowledge and the right equipment, that field can be measured and analyzed. Such fields are freely and universally available on just about any chip that doesn’t have some sort of RF shielding or leakage nullification processes.

The equipment used to capture and analyze the RF field emitted from a crypto processor is the same as any RF analysis setup. It just has to be able to capture minute EM fields. It includes probes; power – which is nothing more than a voltage or current sensing probe, and EM – some configuration of a coil and an LNA. Other equipment is a digital storage scope, a high-bandwidth amplifier and a workstation with RF/EM analysis software.

Power monitoring. Because different processes that run on chips have differing execution parameters, they have unique power signatures. Analyzing these power signatures can provide clues as to what the data contains. There are two types of power analysis, differential power analysis (DPA) and simple power analysis (SPA). Both techniques have to have direct access to power pins on the chip and analyze the data by either direct examination and translation, or statistical analysis of the fluctuations. Both techniques will be discussed, in depth, in a future article.

Acquiring power traces is relatively unsophisticated. All that is required is a resistor placed in parallel with the proper pins that monitors the power drawn by the cryptographic operation. A sampling device, such as an oscilloscope is placed across the resistor and the voltage changes across the resistor, are collected and analyzed.

SPA examines the features, such as timing, device attributes, algorithm structure, etc., which can be observed directly in a single power trace or by comparing power trace pairs. It relies more upon pattern recognition than mathematical analysis and is useful for larger-scale power variations. Its strong suit is that it can reveal the sequence of executed code. Consequently, it can reveal cryptographic information such as DES key schedule computations and permutations. Figure 1 is an example of an SPA power trace from a smart card running an AES-128 encryption.

Figure 1. Example of a SPA power trace from a smart card running an AES-128 encryption (Courtesy “Introduction to differential power analysis.” By Paul Kocher, Joshua Jaffe, Benjamin Jun and Pankaj Rohatgi).

Figure 1. Example of a SPA power trace from a smart card running an AES-128 encryption (Courtesy “Introduction to differential power analysis.” By Paul Kocher, Joshua Jaffe, Benjamin Jun and Pankaj Rohatgi).

DPA is much more capable of analyzing power routines than SPA because it can analyze the anomalies attached to data values, using statistical analysis. The procedure analyzes the traces for subsets, takes the averages, and computes the differences of the averages. The subsets are then assigned to the traces (it doesn’t matter which subset is assigned to which trace). As it turns out, if the subsets are related to the traces, permutations of the subset will approach some finite number. If they are uncorrelated, then the permutations will approach zero. Eventually, given a sufficient number of traces, even very tiny correlations can be identified within the traces (see Figure 2).

Figure 2. Typical DPA result showing (from top to bottom) the average of the traces where the LSB of the output of first S-box in round 1 is 1, the average of traces where the LSB is 0, the difference between the top two traces, and the difference with the Y-axis magnified by a factor of 15. (Courtesy “Introduction to differential power analysis.” By Paul Kocher, Joshua Jaffe, Benjamin Jun and Pankaj Rohatgi).

Figure 2. Typical DPA result showing (from top to bottom) the average of the traces where the LSB of the output of first S-box in round 1 is 1, the average of traces where the LSB is 0, the difference between the top two traces, and the difference with the Y-axis magnified by a factor of 15. (Courtesy “Introduction to differential power analysis.” By Paul Kocher, Joshua Jaffe, Benjamin Jun and Pankaj Rohatgi).

Timing attack. These attacks analyze the time it takes to execute various cryptographic operations. The attacker analyzes the algorithms and determines the timing intervals for them. Then, the measurements are fed into a statistical model that outputs some variation of a key, for example. While it may not be the exact key, it will have some measure of certainty. The process is used to perform the statistical correlation analysis of the timing information to, eventually, recover the correct key. Timing attacks are most effective against encryption algorithms such as RSA, ElGamal, and Digital Signatures.

The Fault Attack. These are a bit of a different animal in the sense that they do something to the chip to disrupt the functionality. They are still considered side channel attacks because they use the same analysis methodology as some of the non-invasive attacks, specifically the differential fault analysis. As with the DPA, DFA attempts to extract keys or cryptographic data in a similar fashion to the power analysis, except that it causes variances in the algorithms as one part of the process.

This creates a known anomaly in the cryptographic processes (for this discussion, DES algorithms, but the process can be applied to DES, RSA, IDEA, RC5, DSA and other ciphers, as well) to cause them to fault. Such faults may include heat, over/under voltage, clock shifts, EM fields, or radiation, for example. Dr. Axel York Poschmann, head of the Vulnerability Analysis Innovation Center Crypto & Security Business Unit Security & Connectivity at NXP Semiconductors notes, “A successful fault attack can result in a disturbed program flow. That may result in, say, a skipped PIN verification step. It may also be possible to dump the entire content of the memory, including the secret key, for example.”

While methodologies vary depending on the cipher, Poschmann describes it very elegantly: “The basic premise is to introduce a fault during the encryption process. For example, by voltage or clock glitching, or laser fault injection, and observe the resultant difference in the output of two or more encryption runs with the same plaintext and key. As the cryptographic algorithm is fully specified and known to the attacker, except for the secret key (Kerckhoff’s principle), it becomes possible to trace the difference, backwards through the algorithm.”

He adds that “block ciphers such as AES are optimized against cryptanalytic attacks (for example, linear and differential cryptanalysis), by having specific building blocks – so called S-boxes. These are highly non-linear, and have a uniform output distribution. This is achieved by reducing the probability of occurrences of fixed input-output patterns to this building block. In DFA, this characteristic is used to exclude many key candidates and thus reducing the search space significantly. Theoretically introducing a dozen faults is sufficient to retrieve an entire 128-bit AES key.”

These are the more visible of the side channel attacks. Other types include such approaches as acoustic cryptanalysis, which attempts to analyze data from acoustic signatures, and data remanence, which attempts to discover leftover sensitive data before it gets overwritten.

Countermeasures
There are two basic approaches for defending against side channel attacks. The first is to eliminate or minimize the leaked data. The other is to create a disconnect between the leaked information and the sensitive data though some form of randomization. The latter attempts to create a non-linear association between data so that the receiver cannot make sense of it, even if it is correct data.

Poschmann says the best way to do that with SCA is to address the signal-to noise parameter. “The success rate of an attacker boils down to the signal-to-noise ratio (S/N) that can be obtain from the measurements. Consequently, countermeasures against SCA are aimed at either reducing the signal, or increasing the noise. Approaches range from custom-cell design, over customized standard-cell libraries, timing jitters, noise generators, masking and reducing the number of times a key is used. Furthermore, Poschmann notes that hardware-software solutions, individually or combined, and algorithmic countermeasures also are effective in raising the bar for successful attacks. “In practice,” he says, “a combination of different countermeasures on all levels offers the best solutions.”

On the fault attack side, Poschmann notes that “voltage, clock and light sensors in a secure element act like an alarm system and shut down the chip when unusual operating environment conditions are detected. On the algorithmic side, checksums are calculated and encryptions are performed several times and cross-checked to significantly raise the bar for a successful attack.

Conclusion
Side channel attacks are a relatively easy method to capture data from the lower end of the chip spectrum. The hard swallow is that, as the IoT/E, CoT matures, RFID, NFC, smart cards, and the like are going to have a significant presence as intelligence in objects of the IoT/E, CoT. These chips are very easy to compromise and can contain significant sensitive data. As Poschmann notes, “the information obtained can range from a chip’s netlist to its firmware or even the secret key of a security solution. With this data, an attacker can clone devices and products, and perform all kinds of unauthorized transactions (e.g. access, payment, identity theft, etc.). Basically, physical attacks are nowadays the weakest link in many security concepts and thus require the usage of a secure element to ensure maximum security.”

What does this mean in real terms? That discarded smart toothbrush may be the next vector into reducing your retirement account to a share or two of Walmart stock, or turning your bank account into a nice fishing boat for some hacker.