
Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis (PowerPoint PPT presentation transcript)



  1. [Introduction | Scope of the Attack | Attack Steps | Conclusion]
     Reverse Engineering of a Secret AES-like Cipher by Ineffective Fault Analysis
     Antoine Wurcker (antoine.wurcker@xlim.fr), Christophe Clavier (christophe.clavier@unilim.fr)
     Université de Limoges
     FDTC 2013, 20-08-2013
     Antoine Wurcker (Université de Limoges), Reverse AES by IFA, FDTC 2013, 1 / 33

  2. Outline
     1. Introduction: Advanced Encryption Standard; Ineffective Fault Analysis
     2. Scope of the Attack: Modifications on AES; Constraints on Attacker
     3. Attack Steps
     4. Conclusion: Global Results; Future Works


  4. AES Datapath
     S_0 = M. Round r = 0: AddRoundKey(K_0). Rounds r = 1, ..., 9: SubBytes, ShiftRows, MixColumns, AddRoundKey(K_r) turn S_{r-1} into S_r. Round r = 10: SubBytes, ShiftRows, AddRoundKey(K_10) turn S_9 into C.
     Figure: The AES encryption path.

  5. AES KeySchedule
     K_{r-1} → RotWord → SubWord → ⊕ Rcon(r); the result is then XOR-chained word by word with K_{r-1} to form K_r.
     Figure: The AES key schedule.

  6. Ineffective Fault Analysis (IFA)
     Fault model: stuck-at-0 on a precise byte.
     Fault effect:
       Ciphertext not modified ⇒ the value was already 0.
       Ciphertext modified ⇒ the value was not 0.
     Remark: IFA bypasses the dual-execution countermeasure: when the fault is ineffective the faulted and the correct run agree, so the comparison raises no alarm, yet the attacker learns that the byte was 0.

  7. IFA example (no occurrence). The same message M is processed twice, without and with the fault. Intermediate state of the correct run:
       45 98 34 44
       AF 13 9C 59
       23 77 08 B6
       E5 75 1A EE
     In the faulted run the targeted byte 45 is forced to 00 and all other bytes are unchanged; the outputs differ: C' ≠ C.
     Figure: Example of no-occurrence of IFA.

  8. IFA example (occurrence). Intermediate state of the correct run:
       00 C6 67 34
       31 DE 90 58
       5F 4C 58 78
       AB 45 11 6F
     The targeted byte is already 00, so the faulted run carries the same state and the outputs are equal: C' = C. The fault is ineffective and reveals that the byte was 0.
     Figure: Example of occurrence of IFA.

  9. Notations
     m_i: byte number i of the input plaintext M.
     c_i: byte number i of the output ciphertext C.
     K_r: 128-bit key of round number r.
     k_{r,i}: byte number i of the round key K_r.
     S(): the SubBytes function.
     S^{-1}(0): preimage of the value 0 by the S-box table.
     µ_i = k_{0,i} ⊕ S^{-1}(0).
     X_r = {x_{r,0}, ..., x_{r,15}}: input state of the SubBytes step of round r.
     Y_r = {y_{r,0}, ..., y_{r,15}}: input state of the ShiftRows step of round r.
     Z_r = {z_{r,0}, ..., z_{r,15}}: input state of the MixColumns step of round r.
     T_r = {t_{r,0}, ..., t_{r,15}}: input state of the AddRoundKey step of round r.


  11. Modifications on AES
     The modifications allowed have to respect the constraints from the NIST document describing the AES:
     1. The SBOX operation is a permutation table ⇒ 256! possible SBOX (≃ 2^1684).
     2. The ShiftRows operation keeps shifting rows ⇒ 2^8 possible ShiftRows.
     3. The MixColumns matrix stays circulant with four parameters (≠ 0) ⇒ 255^4 possible MixColumns (≃ 2^32).
     4. The RotWord operation keeps shifting the word ⇒ 2^2 possible RotWord.
     5. The Rcon vectors keep the form [ρ^{r-1}, 0, 0, 0] ⇒ 2^8 possible sets of Rcon vectors.

  12. Modifications on AES: the parameters
     ShiftRows parameters: row i is rotated by σ_i (σ_0, σ_1, σ_2, σ_3).
     MixColumns matrix (circulant in α_0, α_1, α_2, α_3):
       [α_0 α_1 α_2 α_3]
       [α_3 α_0 α_1 α_2]
       [α_2 α_3 α_0 α_1]
       [α_1 α_2 α_3 α_0]
     RotWord parameter: rotation by η.
     Rcon[r] parameter: ⊕ ρ^{r-1}.
     Figures: ShiftRows parameters; MixColumns matrix; RotWord parameter; Rcon[r] parameter.

  13. Constraints on Attacker
     We placed main constraints on an attacker:
     1. The SBOX table is unknown.
     2. The MixColumns coefficients are unknown.
     3. The ShiftRows coefficients are unknown.
     4. The fault can only be applied on an SBOX output.
     5. The key K is unknown.
     The Key-Schedule operation is also constrained:
     1. The RotWord coefficient is unknown.
     2. The Rcon parameter is unknown.
     3. It is unavailable to fault injection (e.g. pre-computed).


  15. Retrieving K_0 up to a Constant Byte

  16. Retrieving K_0 up to a Constant Byte
     We obtain µ_i = k_{0,i} ⊕ S^{-1}(0) by exhausting m_i while faulting the output of the i-th S-box of the first round. Eventually an IFA occurs and we obtain the equation:
       S(m_i ⊕ k_{0,i}) = 0
       m_i ⊕ k_{0,i} = S^{-1}(0)
       m_i = k_{0,i} ⊕ S^{-1}(0)
       m_i = µ_i
     We retrieve every µ_i value by applying this method on each position.
     ⇒ The set of candidates for K_0 is reduced from 2^128 to 2^8.

  17. Lemma: "Choosing" S-Box Input

  18. Lemma: "Choosing" S-Box Input
     Lemma. The knowledge of the µ_i values allows us to choose any value x_{1,i} up to the constant value S^{-1}(0).
     Proof. Playing the value m_i = v ⊕ µ_i implies that:
       x_{1,i} = m_i ⊕ k_{0,i}
       x_{1,i} = v ⊕ µ_i ⊕ k_{0,i}
       x_{1,i} = v ⊕ S^{-1}(0) ⊕ k_{0,i} ⊕ k_{0,i}
       x_{1,i} = v ⊕ S^{-1}(0)
     Remark: if v = 0, then x_{1,i} = S^{-1}(0) ⇒ y_{1,i} = 0.
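Added example (not from the slides and not the authors' code): a Python model of the IFA oracle on a first-round S-box, with a random permutation standing in for the unknown SBOX and a random K_0. It illustrates three points from slides 6, 16 and 18: a dual-execution check raises no alarm when the fault is ineffective, exhausting m_i recovers µ_i = k_{0,i} ⊕ S^{-1}(0), and playing m_i = v ⊕ µ_i sets x_{1,i} = v ⊕ S^{-1}(0). The seed, the S-box, the key and every function name are constructed for the demo. The model compares the S-box output of the faulted and unfaulted runs rather than full ciphertexts; this is equivalent because every later step of the cipher is a bijection, so the ciphertexts differ exactly when that byte differs.

```python
"""Constructed model of Ineffective Fault Analysis on a first-round S-box.

Secret side: a random 8-bit permutation (unknown SBOX) and a random K_0.
Attacker side: only the oracle "did the stuck-at-0 fault change the output?"
"""
import random

_rng = random.Random(2013)            # fixed seed: reproducible demo values

SBOX = list(range(256))               # constructed stand-in for the unknown SBOX
_rng.shuffle(SBOX)
SBOX_INV = [0] * 256
for _x, _y in enumerate(SBOX):
    SBOX_INV[_y] = _x
K0 = [_rng.randrange(256) for _ in range(16)]   # constructed unknown round key K_0
S_INV_0 = SBOX_INV[0]                 # the preimage of 0, written S^{-1}(0) on the slides


def first_round_sbox_output(m, i, fault=False):
    """y_{1,i} = S(m_i xor k_{0,i}); with fault=True the output byte is
    stuck at 0, which is the slides' fault model."""
    y = SBOX[m[i] ^ K0[i]]
    return 0 if fault else y


def ifa_occurs(m, i):
    """IFA oracle: True iff the faulted run yields the same byte as the
    correct run, i.e. the ciphertext is not modified (later steps are
    bijections, so comparing y_{1,i} is the same as comparing ciphertexts)."""
    return first_round_sbox_output(m, i) == first_round_sbox_output(m, i, fault=True)


def dual_execution_detects(m, i):
    """Redundant-execution countermeasure: compute twice (one run faulted)
    and flag a mismatch. It stays silent exactly when the fault is
    ineffective, which is the one case the attacker learns from."""
    return not ifa_occurs(m, i)


def recover_mu(i):
    """Exhaust m_i (the other bytes are irrelevant) until the IFA occurs;
    the successful m_i equals mu_i = k_{0,i} xor S^{-1}(0)."""
    m = [0] * 16
    for candidate in range(256):
        m[i] = candidate
        if ifa_occurs(m, i):
            return candidate
    raise RuntimeError("a permutation S-box always has a preimage of 0")


def choose_sbox_input(mu, v):
    """Lemma of slide 18: playing m_i = v xor mu_i gives x_{1,i} = v xor S^{-1}(0)."""
    return v ^ mu


def x1(m, i):
    """The real first-round S-box input x_{1,i} = m_i xor k_{0,i} (secret side,
    used here only to check the lemma)."""
    return m[i] ^ K0[i]


if __name__ == "__main__":
    mus = [recover_mu(i) for i in range(16)]
    assert all(mu == (K0[i] ^ S_INV_0) for i, mu in enumerate(mus))
    # With the 16 mu_i known, K_0 is fixed up to the 2^8 choices of S^{-1}(0).
    m = [choose_sbox_input(mus[i], 0x00) for i in range(16)]
    assert all(x1(m, i) == S_INV_0 for i in range(16))
    assert not dual_execution_detects(m, 0)
    print("mu_i recovered for all 16 positions; K_0 candidates left: 2^8")
```

The defender's reading of `dual_execution_detects` is the remark on slide 6: a countermeasure that only compares two executions cannot see a fault whose effect is nil, so the information leak (about 256 faulted encryptions per byte in this model) goes unnoticed.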

  19. Reversing ShiftRows Operation

  20. Reversing ShiftRows Operation
     Fault position: first S-Box of the second round.
     First step: play random messages until an IFA occurs.
     Second step: play the previous message with only one byte modified each time. On each row, 1 position will break the IFA while 3 will not.
     We repeat the second step until we get the 4 positions that break the IFA, revealing the 4 ShiftRows parameters.
     ⇒ The ShiftRows operation is reversed.
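Added example (not from the slides and not the authors' code): a Python model of the two-step ShiftRows recovery described on slide 20. An AES-like first round with a random S-box, random K_0 and K_1, random shift parameters σ_0..σ_3 and random non-zero circulant MixColumns coefficients α_0..α_3 is simulated only up to the input of the first S-box of round 2, where the stuck-at-0 fault is placed; the oracle compares the faulted and unfaulted S-box outputs, which is equivalent to comparing ciphertexts since the remaining steps are bijective. All parameters, seeds and function names are constructed for the demo.

```python
"""Constructed model: recovering secret ShiftRows parameters with an IFA
oracle on the first S-box of the second round (slide 20)."""
import random

_rng = random.Random(2013)                           # fixed seed for the secret side

SBOX = list(range(256))
_rng.shuffle(SBOX)                                   # constructed unknown permutation S
K0 = [_rng.randrange(256) for _ in range(16)]        # constructed unknown round keys
K1 = [_rng.randrange(256) for _ in range(16)]
SIGMA = [_rng.randrange(4) for _ in range(4)]        # constructed unknown row shifts sigma_0..sigma_3
ALPHA = [_rng.randrange(1, 256) for _ in range(4)]   # constructed unknown, non-zero MixColumns coefficients


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def x_2_0(m):
    """Input of the first S-box of round 2. State byte i sits at row i mod 4
    and column i div 4 (AES column-major layout)."""
    y1 = [SBOX[m[i] ^ K0[i]] for i in range(16)]          # AddRoundKey(K_0), SubBytes
    z1 = [0] * 16
    for col in range(4):                                   # ShiftRows: row r rotated left by sigma_r
        for row in range(4):
            z1[row + 4 * col] = y1[row + 4 * ((col + SIGMA[row]) % 4)]
    t10 = 0                                                # MixColumns: row 0 of the circulant
    for j in range(4):                                     # matrix applied to column 0 (z_{1,0..3})
        t10 ^= gf_mul(ALPHA[j], z1[j])
    return t10 ^ K1[0]                                     # AddRoundKey(K_1)


def ifa_occurs(m):
    """Stuck-at-0 on the output of S-box (2,0): the faulted and the correct
    run agree (ciphertext unchanged) iff that output was already 0."""
    correct = SBOX[x_2_0(m)]
    faulted = 0
    return faulted == correct


def recover_shiftrows(seed=7, max_tries=200_000):
    """Returns [sigma_0, sigma_1, sigma_2, sigma_3] as read from the oracle."""
    rng = random.Random(seed)                              # attacker-side randomness
    # Step 1: random messages until the IFA occurs (about 256 tries on average).
    for _ in range(max_tries):
        m = [rng.randrange(256) for _ in range(16)]
        if ifa_occurs(m):
            break
    else:
        raise RuntimeError("no IFA within the try budget")
    # Step 2: modify one byte at a time. A modified byte reaches x_{2,0}, and
    # so breaks the IFA, only if ShiftRows moves it into column 0; because the
    # S-box is a bijection and alpha_j != 0 in a field, the change cannot cancel.
    sigma = [None] * 4
    breaking_positions = []
    for pos in range(16):
        m2 = list(m)
        m2[pos] ^= 0x01
        if not ifa_occurs(m2):
            breaking_positions.append(pos)
            row, col = pos % 4, pos // 4
            sigma[row] = col                               # row 'row' was shifted by 'col' into column 0
    assert len(breaking_positions) == 4, "exactly one position per row breaks the IFA"
    return sigma


if __name__ == "__main__":
    print("recovered sigma:", recover_shiftrows(), "actual sigma:", SIGMA)
```

Only column 0 of the MixColumns output is computed because x_{2,0} depends on nothing else; the count of four breaking positions, one per row, is the invariant the slide states, and the assertion in `recover_shiftrows` makes the model fail loudly if the cipher under test does not behave like the AES-like family of slide 11.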

  21. Reversing ShiftRows Operation
     Figure: Position of the IFA. Path: ⊕K_0 → SB → SR → MC → ⊕K_1 → SB; the fault is placed on the first S-box of the second round.

  22. Reversing ShiftRows Operation
     Figure: Proof that the shift parameter of the second row is not 0. The ≠ marks trace, along ⊕K_0 → SB → SR → MC → ⊕K_1 → SB, which bytes differ from the message that produced the IFA.
