1. ID and IP Theft with
Side-Channel Attacks
David Oswald, Ruhr-Uni Bochum
david.oswald@rub.de
Breaking One-Time Password Tokens and
FPGA Bitstream Encryption

2. 2http://fb.com/WorldBeatClubTanzenUndHelfen

3. 3
No, I did not do all this stuff alone
 Christof Paar
 Timo Kasper
 Amir Moradi
 Pawel Swierczynski
 Bastian Richter

4. 4

5. 5
Sabre: Madboy74

6. 6
Ruhr-University Bochum: beautiful.

7. 7
Chameleon Mini
https://github.com/emsec/ChameleonMini

8. 8

9. Embedded systems
everywhere

10. 10
(The life of) a typical pirate
Pegleg
Eye patch
Pirate hat
Pirate laughter

11. 11

12. 12

13. 13

14. 14

15. 15
Report
flaws
Improve

16. Implementation Attacks:
…

17. 17Based on Skoborogatov

18. 18
Implementation Attacks: A Short History
 Known for many decades (e.g. TEMPEST)
 Poor understanding prior to 1996
(at least outside intelligence agencies)
 End 1990s: „golden era“
– Fault attacks (RSA CRT), 1996
– Timing attacks, 1996
– SPA, DPA, 1998
 Since 1999: hundreds of research papers

19. 19
Side-Channel Attacks:
In a nutshell

20. 20
Principle of Side-Channel Analysis
(here: listen to sound)
A Bank Robbery

21. 21
Principle of Side-Channel Analysis
The world is changing…

22. 22
Principle of Side-Channel Analysis
(Now: measure the power consumption / EM)
The world is changing …
… the tools are, too.

23. 23
Side-Channel Analysis: Leakage
Power consumption / EM depends on
processed data
Data = 1111
Data = 0000
Data = 1010

24. 24
Evaluation Methods: SPA
Simple Power Analysis: Directly analyze (few)
traces, for example RSA:

25. 25
Evaluation Methods: DPA / CPA
Differential Power Analysis
 Detect statistical dependency:
Key guess ⟺ Side-channel
 Idea: Brute-force w/ additional information
 Use a statistical test...

26. Implementation Attacks:
From Theory to Practice

27. 28
Theory versus Practice
Academia
 8-bit µC
 Interfaces and
implementation
known / controlled
 Ideal setup
White-box attack
Real World
 HW / SW impl.
 Interfaces and
implementation
unknown
 Many unknown factors
Black-box attack

28. 29
Case Studies
Yubikey 2Altera Stratix II

29. 30
Home Port
Bochum

30. 31
FPGA
2013

31. 32
Case Studies
Yubikey 2Altera Stratix II

32. 33
FPGAs widely used in
• Routers
• Consumer products
• Cars
• Military
Problem:
FPGA design (bitstream)
can be easily copied
FPGAs

33. 34
FPGA 1
Flash
Bitstream
FPGA Power-Up

34. 35
FPGA 1
Flash
Bitstream
FPGA 2
Clone
Problem: IP Theft

35. 36
FPGA 1
Flash
Encrypted
bitstream
Industry‘s Solution

36. 37
FPGA 1
Flash
Encrypted
bitstream
= ?
Industry‘s Solution

37. 38
Related Work
 Bitstream encryption scheme of
several Xilinx product lines broken
– Virtex 2 (3DES)
– Virtex 4 & 5 (AES256)
– Spartan 6 (AES256)
 Method: Side-Channel Analysis (SCA)

38. 39
What about Altera?
 Target: Stratix II
 Bitstream encryption („design security“)
uses AES w/ 128-bit key
 Side-Channel Analysis possible?
 Problem: Proprietary and undocumented
mechanisms for key derivation and for
encryption

39. 40
Reverse-Engineering
 Reverse-engineer proprietary mechanisms from
Quartus II software
 IDA Pro (disassembler / debugger)

40. 41
KEY1 / KEY2 file
for FPGA

41. 42
Key derivation
real key =
f(KEY1,KEY2)
KEY1 / KEY2 file
for FPGA

42. 43
Why this key derivation?
 Real key cannot be set directly
 Key derivation is performed once when
programming the FPGA
 Idea: When real key is extracted, KEY1 and
KEY2 cannot be found
 Prevent cloning: real key of blank FPGA
cannot be set

43. 44
„real key“ = AESKEY1(KEY2)
Is f (KEY1,KEY2) „good“?

44. 45
Good idea?
 In principle: Yes
 But: AES (in this form) is not one-way:
 Pick any KEY1*
 KEY2* = AES-1
KEY1*(real key)
 This (KEY1*, KEY2*) leads to same real key

45. 46
real key =
AESKEY1(KEY2)
KEY1 / KEY2 file
for FPGA

46. 47
real key =
AESKEY1(KEY2) encreal key(...)
KEY1 / KEY2 file
for FPGA

47. 48
Encrypted block i =
AES128real key(IVi)  plain block i
Encryption method:
AES in Counter mode

48. 49
Reverse-Engineering: Summary
 All „obscurity features“ reverse-engineered
 Further details: file format, coding, ...
 Black-box  white box
 Side-channel analysis possible
(target: 128-bit real key)

49. 50
Side-Channel
Attack on Stratix II

50. 51

51. 52
Average trace: unencrypted vs. encrypted

52. 53
Average trace: unencrypted vs. encrypted

53. 55
With further experiments
and signal processing ...

54. 56
... we recovered the 128-bit AES key with 30,000
traces (~ 3 hours of measurement)
Key Recovery

55. 57
... and came up with a hypothetical architecture
of the AES engine
Architecture Recovery

56. 58
Management Summary
 Full 128-bit AES key of Stratix II can be
extracted using 30,000 traces (3 hours)
 Key derivation does not prevent cloning
 Proprietary security mechanisms can be
reverse-engineered from software
 Software reverse-engineering enables
hardware attack

57. 59
Secure Bitstream Encryption?
Virtex 2
Virtex 4 and 5
Spartan 6
Altera Stratix II and III
Microsemi ProASIC3
(Skorobogatov
et al.)

58. 60
By Eva K.

59. 61

60. 62

61. 63
RAID
2013

62. 64

63. 65
Case Studies
Yubikey 2Altera Stratix II

64. 66
Two-Factor Authentication
Past: One factor: Password/PIN
Today: Two factors: Password/PIN and additionally

65. 67
Yubikey 2: Overview
 Simulates USB keyboard
 Generates and enters One-Time
Password (OTP) on button press
 Based on AES w/ 128-bit key

66. 68
Yubikey OTP Generation (1)
...
dhbgnhfhjcrl rgukndgttlehvhetuunugglkfetdegjd
dhbgnhfhjcrl trjddibkbugfhnevdebrddvhhhlluhgh
dhbgnhfhjcrl judbdifkcchgjkitgvgvvbinebdigdfd
...

67. 69
Yubikey OTP Generation (2)
AES-128
Encryption
Modhex Encoding
?

68. 70
Yubikey Hardware

69. 71
Measurement Setup
 Resistor in USB ground for power measurement
 EM measurement with near-field probe
 Connecting (capacitive) button to ground triggers
the Yubikey

70. 72
Power vs. EM Measurements
 Trigger on falling edge (Yubikey's LED off)
 EM yields better signal
 AES rounds clearly visible
1 2 3 4 5 6 7 8 9 10

71. 73
Key Recovery (Power)
 Attacking final AES round
 Power model hi = HW(SBOX-1(Ci  rk))
 ~ 7000 traces needed
 ~ 10.5 hours for data acquisition
Byte 1 Byte 2 Byte 8 Byte 9

72. 74
Key Recovery (EM)
 Attacking final AES round
 Power model hi = HW(SBOX-1(Ci  rk))
 ~ 700 traces needed
 ~ 1 hour for data acquisition
Byte 1 Byte 2 Byte 8 Byte 9

73. 75
Implications
 128-bit AES key of the Yubikey 2 can be recovered
(700 EM measurements = 1 hour physical access)
 Attacker can compute OTPs w/o Yubikey
 Impersonate user:
Username and password still needed
 Denial-of-Service:
Send an OTP with highly increased useCtr
→ Improved FW version 2.4 for Yubikey 2

74. Responsible Disclosure
When pirates do good ...

75. 77
By RedAndr, Wikimedia Commons

76. 78

77. 79
Responsible Disclosure
 Altera:
– Informed ~ 6 months before
– Acknowledged our results
 Yubikey:
– Informed ~ 9 months before
– Improved firmware version 2.4
 More examples ...

78. Countermeasures

79. 81
Countermeasures
 Implementation attacks: Practical threat, but:
 First line of defense: Classical countermeasures
– Secure hardware (certified devices)
– Algorithmic level
 Second line of defense: System level
– Detect: Shadow accounts, logging
– Minimize impact (where possible):
Key diversification

80. 82
Different Scenarios, different threats
Yubikey 2
 Time per key: 1 h
 Diversified keys (?)
 Each token: One ID
→ Attack does not scale
FPGA
 Time per key: 3 h
 One key: All IP
 Attack one FPGA
→ Attack scales

81. 83

82. Thanks for your attention
Questions now?
or later: david.oswald@rub.de
http://fb.com/WorldBeatClubTanzenUndHelfen