Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
Giovanni Camurati, Sebastian Poeplau, Marius Muench, Tom Hayes, Aurélien Francillon

What's this all about?
- A novel attack exploiting EM side channels from a distance
- A PoC implementation at up to 10 m distance (with demo!)
- Where to go from here?
Let’s start from the beginning
Leaks in radio signals
[figure: AES128(K,P) computed on the chip; its leak is visible in the radio signal]

Agenda: from the state of the art to a novel attack

Agenda
Introduction
Part I: Background
  - EM Side-Channels
  - RF communications 101
  - Noise in mixed-signal ICs
Part II: Our Story
  - Discovery of the leak
  - Explanation
Part III: Towards an attack
  - Building the attack
  - Demo
Conclusion
Side channel basics
• Even provably secure cryptography may be broken if some intermediate computations are visible
• Physical implementations may leak intermediate data
• Attackers observe the leaks and reconstruct cryptographic secrets

Side channel basics: ChipWhisperer!
[image: https://wiki.newae.com/File:Cw1173_microusb.jpg]

Electromagnetic Side-Channels
• Data-dependent EM leaks occur because:
  • Digital logic consumes current when switching
  • Current variations generate EM emissions
• Similar to power side-channels
• Known attacks (figure: arranged by attack distance): Kasper et al. [1], Genkin et al. [2], TEMPEST [3]
Correlation attack basics
• An intuitive attack; there are many more
• Ingredients (the leak model):
  • Known plaintext
  • State non-linear in plaintext and key
  • Leak linear in the state
[figure: K, P → State → Leak]

Correlation attack basics
• Recipe:
  1. Encrypt many times and measure the leaks
  2. Guess a byte of the key and compute the states
  3. Check if the measurements correlate with the computations
  4. Repeat for each byte of the key
[figure: measured leak (from the real K and P) next to the computed state (from the guessed K and P)]

Correlation attack basics
• Recipe:
  1. Encrypt many times and measure the leaks
  2. Guess a byte of the key and compute the corresponding states
  3. The guess is right iff the leaks are linear with the states
  4. Repeat for each byte of the key
• In pseudocode:
    for byte in key:
        for guess in 0 to 255:
            ranks[guess] = correlation(leak, guess)
        guess_best[byte] = argmax(ranks)
[figure: K, P → State → Leak]
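The recipe above, carried out on constructed data as an added example (this is not the authors' code or tooling): the leak is simulated as the Hamming weight of the first-round AES S-box output plus Gaussian noise, the model for each key guess is HW(SBOX[p ^ guess]), and the pseudocode's ranks[guess] = correlation(leak, guess) followed by argmax recovers the key byte. The key byte 0x2B, the trace count and the noise level are assumed values chosen for the simulation. The key_rank helper is the metric an evaluator uses to judge how many traces an implementation's leakage survives, which is the defender-side use of the same computation.

```python
import math
import random


def build_sbox():
    """Generate the AES S-box (inverse in GF(2^8) followed by the affine map),
    walking the multiplicative group with generator 3 and its inverse."""
    def rotl(v, s):
        return ((v << s) | (v >> (8 - s))) & 0xFF

    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                 # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = build_sbox()
HW = [bin(v).count("1") for v in range(256)]  # Hamming weight of each byte value


def simulate_traces(key_byte, n_traces, noise_sigma, seed=1):
    """Constructed leakage: one sample per encryption, equal to the Hamming
    weight of the first-round S-box output plus Gaussian noise. Stands in for
    the measured 'Leak' of the slide; real traces would come from a receiver."""
    rng = random.Random(seed)
    plaintexts = [rng.randrange(256) for _ in range(n_traces)]
    leaks = [HW[SBOX[p ^ key_byte]] + rng.gauss(0.0, noise_sigma) for p in plaintexts]
    return plaintexts, leaks


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def rank_guesses(plaintexts, leaks):
    """The slide's inner loop: ranks[guess] = correlation(leak, guess), where
    the model for a guess is HW(SBOX[p ^ guess]) (leak linear in the state)."""
    return [pearson([HW[SBOX[p ^ g]] for p in plaintexts], leaks)
            for g in range(256)]


def recover_key_byte(plaintexts, leaks):
    """guess_best = argmax(ranks) for one key byte."""
    ranks = rank_guesses(plaintexts, leaks)
    return max(range(256), key=lambda g: ranks[g])


def key_rank(plaintexts, leaks, true_key_byte):
    """Position of the true key byte in the sorted ranking (0 = recovered).
    Evaluators plot this against the trace count to see how much noise, and
    therefore how much distance, an implementation's leakage tolerates."""
    ranks = rank_guesses(plaintexts, leaks)
    order = sorted(range(256), key=lambda g: ranks[g], reverse=True)
    return order.index(true_key_byte)


if __name__ == "__main__":
    pts, lk = simulate_traces(key_byte=0x2B, n_traces=400, noise_sigma=1.5)
    print("recovered 0x%02X, rank %d" % (recover_key_byte(pts, lk),
                                         key_rank(pts, lk, 0x2B)))
```

Raising noise_sigma or lowering n_traces in simulate_traces shows the rank climbing away from 0, which is the same trade-off the rest of the talk explores with distance and averaging.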
A Simple Wave
[figure: amplitude vs. distance, a sinusoid of amplitude a and wavelength λ propagating at speed c; its spectrum (power vs. frequency) is a single line at frequency f]
Modulation Basics
[figure: information signal, carrier and AM signal vs. time; in the spectrum (power vs. frequency) the carrier at f_c is flanked by sidebands at f_c − f_i and f_c + f_i]
Mixed-signal chips
• Examples: look around… BT, WiFi, GPS, etc.
• Idea:
  • Combine digital processor and analog radio on a single chip
  • Integrate the two and provide an easy interface to the outside
• Benefits: cheap, small, power efficient, nice for developers

A big problem: Noise
• Digital logic produces noise
• Close physical proximity facilitates noise propagation
• Analog radio is sensitive to noise
• Designers care about functionality

What if digital noise carrying sensitive information leaks into the radio signal?
So the journey begins...

Discovery of a leak
• After months of trying:
  • Multiple chips
  • Custom firmware
• One day:
  • Accidental tuning on the "wrong" frequency
  • A leak dependent on our computations
• So the investigation started

Discovery of a leak
Simple firmware:
- TX off/on (CW)
- Slow loop/fast loop
- Controlled via UART
[figure: mixed-signal chip transmitting at 2.4 GHz, observed with a software-defined radio; spectrum P vs. f]

Discovery of a leak: what the spectrum analyzer shows [figures: spectrum P vs. f for each case]
- Slow loop, TX off, close distance: activity around 64 MHz
- Fast loop, TX off, close distance: activity around 64 MHz
- Slow loop, TX on: activity around 64 MHz and around the 2.4 GHz carrier
- Fast loop, TX on: activity around 64 MHz and around the 2.4 GHz carrier
Logic Transmission Scheme
[figure: power vs. frequency; digital noise around the clock (64 MHz), the radio around the BT carrier (2.4 GHz), and a 64 MHz offset marked next to the carrier]
Conventional EM side-channel
• Current consumption
  • Dependent on transitions of logic values
  [figure: logic gate between V_Supply and Gnd with input V_in, output V_out and parasitic load C_Parasitic; the supply current I vs. t spikes on each V_out transition, 0 → 1 and 1 → 0]
• Mixing
  • Clock [figure: data line sampled by Clk]
  • 1: "direct" carrier modulation
  • 2: non-linear components, e.g. an nMOS transistor in saturation:
    $I_{sat} = \alpha (V_1 + V_2 - V_{th})^2 = \dots = V_1^2 + V_2^2 + 2\,V_1 \times V_2 + \text{etc.}$
[figure: spectrum P vs. f, digital noise around the clock (64 MHz)]
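The square-law expansion above and the AM sidebands from the modulation slide are the same effect, shown here in an added example that is not part of the talk's material: two tones (a low-frequency "information" tone standing in for the 64 MHz digital noise and a high-frequency tone standing in for the 2.4 GHz carrier) are fed through a linear element and through the slide's α(V_1 + V_2 − V_th)^2 element, and a plain DFT shows that only the non-linear element puts lines at f_c ± f_i. Bin numbers, α and V_th are assumed values; the frequencies are normalised to DFT bins so every line sits exactly on a bin.

```python
import cmath
import math

# Constructed, normalised frequency plan: N samples per window, frequencies
# given as DFT bin numbers so that every spectral line falls exactly on a bin.
N = 512
K_CARRIER = 100   # stands in for the 2.4 GHz BT carrier (V_2)
K_INFO = 8        # stands in for the 64 MHz clock / digital noise (V_1)
ALPHA = 1.0       # gain of the device (assumed value)
V_TH = 0.3        # threshold voltage (assumed value)


def tone(k, n):
    """Unit-amplitude cosine at DFT bin k, sample n."""
    return math.cos(2 * math.pi * k * n / N)


def linear_component(v1, v2):
    """A perfectly linear element only reproduces its inputs."""
    return ALPHA * (v1 + v2)


def square_law_component(v1, v2):
    """The slide's nMOS in saturation: I_sat = alpha * (V_1 + V_2 - V_th)^2.
    Expanding the square yields the 2*V_1*V_2 product term, i.e. mixing."""
    return ALPHA * (v1 + v2 - V_TH) ** 2


def waveform(component):
    """Drive the component with the sum of the two tones for one window."""
    return [component(tone(K_INFO, n), tone(K_CARRIER, n)) for n in range(N)]


def dft_magnitudes(x):
    """Magnitude of DFT bins 0 .. N/2 - 1 (plain O(N^2) sum, no numpy needed)."""
    n = len(x)
    twiddle = [cmath.exp(-2j * math.pi * k / n) for k in range(n)]
    return [abs(sum(x[t] * twiddle[(k * t) % n] for t in range(n)))
            for k in range(n // 2)]


def spectral_lines(component, rel=0.05):
    """Bins (DC excluded) carrying more than `rel` of the strongest line."""
    mags = dft_magnitudes(waveform(component))
    peak = max(mags[1:])
    return [k for k in range(1, len(mags)) if mags[k] > rel * peak]


def mixing_products(component):
    """Lines at carrier +/- info frequency: present only if the element mixes."""
    lines = set(spectral_lines(component))
    return sorted(lines & {K_CARRIER - K_INFO, K_CARRIER + K_INFO})


if __name__ == "__main__":
    print("linear    :", spectral_lines(linear_component))
    print("square law:", spectral_lines(square_law_component))
```

For the square-law element the output also carries lines at 2·f_i and 2·f_c (from the V_1^2 and V_2^2 terms) and the original tones (from the −2·V_th·(V_1 + V_2) terms); the two lines at f_c ± f_i are the product term, which on the real chip is what places clock-synchronous digital noise next to the 2.4 GHz carrier.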
Screaming Channels
• Digital to analog propagation
  1. Substrate coupling (same silicon die)
  2. Power supply coupling (same power supply)
• Mixing
  1. Voltage Controlled Oscillator (VCO)
  2. Power Amplifier (PA)
  3. etc.
[figure: spectrum P vs. f with digital noise around the clock (64 MHz) and the radio around the BT carrier (2.4 GHz), 64 MHz apart; block diagram of the analog TX in which noise from the digital domain enters through the shared substrate and V_Supply, then the I/Q DAC feeds the 0°/90° mixers driven by the VCO, followed by the PA]

Summing up: generation, propagation, radio transmission ("spectrum spraying")
AES in the spectrogram
[figure: spectrogram over time, annotated with the phases radio on, AES on, radio off]
Extraction and alignment
• Packets, trigger, frequency [figure: the captured stream is cut into per-packet traces on a trigger at the chosen frequency]
• Self-correlation alignment
• Average [figure: aligned traces averaged into one]
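Self-correlation alignment and averaging, as an added example with constructed traces (this is not the authors' extraction code): each trace contains the same burst at an unknown offset plus noise; every trace is shifted to maximise its sliding dot product with the first one, and the aligned traces are averaged. The burst shape (a scaled Barker-13 sequence, chosen for its single sharp autocorrelation peak), trace length, offset range and noise level are assumptions of the simulation. The rms_error check quantifies the SNR gain that alignment and averaging give, which is also what a designer measuring a chip's own emissions would look at.

```python
import math
import random

TRACE_LEN = 64
# Constructed burst standing in for the leak of one AES run (scaled Barker-13).
BURST = [3 * b for b in (1, 1, 1, 1, 1, -1, -1, 1, 1, -1, 1, -1, 1)]


def make_traces(n_traces, noise_sigma, seed=7):
    """Constructed captures: the burst lands at a random, unknown offset in
    each trace (trigger jitter) and is buried in Gaussian noise."""
    rng = random.Random(seed)
    offsets = [rng.randrange(8, 40) for _ in range(n_traces)]
    traces = []
    for off in offsets:
        t = [rng.gauss(0.0, noise_sigma) for _ in range(TRACE_LEN)]
        for i, v in enumerate(BURST):
            t[off + i] += v
        traces.append(t)
    return traces, offsets


def best_shift(trace, reference):
    """Self-correlation alignment: the shift s that maximises the sliding
    dot product between the reference trace and trace[i + s]."""
    n = len(reference)

    def score(s):
        return sum(reference[i] * trace[i + s]
                   for i in range(n) if 0 <= i + s < len(trace))

    return max(range(-(n - 1), n), key=score)


def align_and_average(traces):
    """Align every trace to the first one, then average sample by sample
    (samples that fall outside a shifted trace are simply skipped)."""
    shifts = [best_shift(t, traces[0]) for t in traces]
    sums, counts = [0.0] * TRACE_LEN, [0] * TRACE_LEN
    for t, s in zip(traces, shifts):
        for i in range(TRACE_LEN):
            if 0 <= i + s < TRACE_LEN:
                sums[i] += t[i + s]
                counts[i] += 1
    avg = [sums[i] / counts[i] if counts[i] else 0.0 for i in range(TRACE_LEN)]
    return avg, shifts


def rms_error(trace, burst_offset):
    """RMS distance from the noise-free burst placed at burst_offset."""
    ideal = [0.0] * TRACE_LEN
    for i, v in enumerate(BURST):
        ideal[burst_offset + i] = v
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(trace, ideal)) / TRACE_LEN)


if __name__ == "__main__":
    traces, offsets = make_traces(8, 0.5)
    avg, shifts = align_and_average(traces)
    print("recovered shifts:", shifts)
    print("rms single %.3f, rms averaged %.3f"
          % (rms_error(traces[0], offsets[0]), rms_error(avg, offsets[0])))
```

The recovered shifts equal the offset of each trace relative to the first one, so the averaged trace lines up with the first trace's burst and its RMS error against the clean burst drops by roughly the square root of the number of traces.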