Side-channel attacks are powerful tools for breaking systems that implement cryptographic algorithms. The Advanced Encryption Standard (AES) is widely used to secure data, including the communication within various network protocols. Major cryptographic libraries such as OpenSSL or ARM mbed TLS include at least one implementation of the AES. In this paper, we show that most implementations of the AES present in popular open-source cryptographic libraries are vulnerable to side-channel attacks, even in a network protocol scenario where the attacker has only limited control of the input. We present an algorithm for symbolic processing of the AES state for any input configuration in which several input bytes are variable and known, while the rest are fixed and unknown, as is the case in most secure network protocols. Then, we classify all possible inputs into 25 independent evaluation cases depending on the number of bytes controlled by the attacker and the number of rounds that must be attacked to recover the master key. Finally, we describe an optimal algorithm that can be used to recover the master key using Correlation Power Analysis (CPA) attacks. Our experimental results raise awareness of the insecurity of unprotected implementations of the AES used in network protocol stacks.
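The attack setting described in the abstract, as an added example that is not the paper's code: a first-round CPA in Python against simulated Hamming-weight leakage of the round-1 S-box outputs, where only four input bytes vary under attacker control and the remaining twelve are fixed and unknown. The key (the FIPS-197 sample key), the fixed input block, the controlled positions, the noise level and the leakage model are all assumptions made here; the paper's symbolic state processing and its later-round attacks are not implemented.

```python
"""
Added example (not code from the paper): first-round CPA on AES when only some
input bytes are attacker-controlled. Leakage is *simulated* with a Hamming-weight
model plus Gaussian noise; the key, the fixed 'unknown' input bytes and the set of
controlled byte positions are constructed here for illustration.
"""
import random


# --- AES S-box built from its definition (GF(2^8) inverse followed by the
#     affine map), so there is no hand-typed table to get wrong ---------------
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(x):
    return 0 if x == 0 else next(y for y in range(1, 256) if gf_mul(x, y) == 1)


def _affine(b):
    s = b
    for i in range(1, 5):                       # b ^ rotl(b,1) ^ ... ^ rotl(b,4)
        s ^= ((b << i) | (b >> (8 - i))) & 0xFF
    return s ^ 0x63


SBOX = [_affine(_gf_inv(x)) for x in range(256)]


def hw(x):
    return bin(x).count("1")


def simulate_traces(key, fixed_input, controlled, n_traces, noise_sd=1.0, seed=1):
    """Constructed leakage: HW of all 16 round-1 S-box outputs, plus noise.

    Only positions in `controlled` vary between encryptions (attacker-chosen,
    known); every other byte keeps the value from `fixed_input`, which models
    a secret/constant protocol field (nonce, header) the attacker cannot change.
    """
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = list(fixed_input)
        for i in controlled:
            p[i] = rng.randrange(256)
        leak = sum(hw(SBOX[p[i] ^ key[i]]) for i in range(16)) + rng.gauss(0, noise_sd)
        plaintexts.append(p)
        traces.append(leak)
    return plaintexts, traces


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def cpa_round1(plaintexts, traces):
    """Per byte: the key guess whose HW(SBOX[p ^ guess]) correlates best with the
    traces, or None when that byte's input never varies (the hypothesis is then
    constant, so round 1 gives no information and a later round must be attacked)."""
    recovered = []
    for i in range(16):
        col = [p[i] for p in plaintexts]
        if len(set(col)) == 1:
            recovered.append(None)
            continue
        best = max(range(256),
                   key=lambda g: abs(pearson([hw(SBOX[x ^ g]) for x in col], traces)))
        recovered.append(best)
    return recovered


def attack(key, fixed_input, controlled, n_traces=500):
    pts, trs = simulate_traces(key, fixed_input, controlled, n_traces)
    return cpa_round1(pts, trs)


# Constructed scenario: FIPS-197 sample key, a fixed 16-byte block of which the
# attacker controls only the last four bytes (e.g. a counter field).
KEY = [0x2B, 0x7E, 0x15, 0x16, 0x28, 0xAE, 0xD2, 0xA6,
       0xAB, 0xF7, 0x15, 0x88, 0x09, 0xCF, 0x4F, 0x3C]
FIXED_INPUT = [0xA5] * 16
CONTROLLED = [12, 13, 14, 15]

if __name__ == "__main__":
    rec = attack(KEY, FIXED_INPUT, CONTROLLED)
    for i, (k, r) in enumerate(zip(KEY, rec)):
        status = ("not recoverable from round 1" if r is None
                  else f"{'OK' if r == k else 'WRONG'} (0x{r:02x})")
        print(f"byte {i:2d}: {status}")
```

With the constructed parameters the four controlled positions come back as the correct key bytes after a few hundred traces, while the twelve fixed positions return None: their round-1 S-box input never changes, so no first-round hypothesis can be correlated against the traces. That is the limitation the abstract refers to, and the reason the paper classifies input configurations by how many rounds must be attacked; recovering the remaining key bytes requires targeting later rounds, where the already-recovered bytes enter the computation, which this example deliberately leaves out.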
Disciplines:
Computer science
Author, co-author:
BIRYUKOV, Alex ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
DINU, Dumitru-Daniel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
LE CORRE, Yann ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
References:
Agrawal, D., Archambeault, B., Rao, J.R., Rohatgi, P.: The EM side-channel(s). In: Kaliski, B.S., Koç, K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 29–45. Springer, Heidelberg (2003). doi:10.1007/3-540-36400-5_4
Balasch, J., Gierlichs, B., Reparaz, O., Verbauwhede, I.: DPA, bitslicing and masking at 1 GHz. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 599–619. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48324-4_30
Biryukov, A., Dinu, D., Großschädl, J.: Correlation power analysis of lightweight block ciphers: from theory to practice. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 537–557. Springer, Cham (2016). doi:10.1007/978-3-319-39555-5_29
Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28632-5_2
cryptlib. The cryptlib Security Software Development Toolkit. http://www.cryptlib.com/. Accessed Apr 2017
Crypto++. Crypto++: a free C++ class library of cryptographic schemes. https://www.cryptopp.com/. Accessed Apr 2017
Daemen, J., Rijmen, V.: The Design of Rijndael: AES - The Advanced Encryption Standard. Springer, Heidelberg (2002)
Dworkin, M.J.: Recommendation for block cipher modes of operation: the CCM mode for authentication and confidentiality. NIST Special Publication 800-38C (2007)
GitHub. libtomcrypt: a fairly comprehensive, modular and portable cryptographic toolkit. https://github.com/libtom/libtomcrypt. Accessed Apr 2017
GitHub. mbed TLS - An open source, portable, easy to use, readable and flexible SSL library. https://github.com/ARMmbed/mbedtls/blob/development/library/aes.c. Accessed Apr 2017
Hofemeier, G., Chesebrough, R.: Introduction to Intel AES-NI and Intel Secure Key instructions. Technical report. https://software.intel.com/sites/default/files/m/d/4/1/d/8/Introduction to Intel Secure Key Instructions.pdf. Accessed Apr 2017
Housley, R.: Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP). RFC 4309, December 2005. https://tools.ietf.org/html/rfc4309
IEEE. IEEE Standard for Low-Rate Wireless Networks. https://standards.ieee.org/about/get/802/802.15.html
Jaffe, J.: A first-order DPA attack against AES in counter mode with unknown initial counter. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 1–13. Springer, Heidelberg (2007). doi:10.1007/978-3-540-74735-2_1
Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_25
Libgcrypt. Libgcrypt: a general purpose cryptographic library based on the code from GnuPG. https://www.gnu.org/software/libgcrypt/. Accessed Apr 2017
libsodium. The Sodium crypto library (libsodium). https://download.libsodium.org/doc/. Accessed Apr 2017
Lipp, M., Gruss, D., Spreitzer, R., Maurice, C., Mangard, S.: ARMageddon: cache attacks on mobile devices. In: Holz, T., Savage, S. (eds.) 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, 10–12 August 2016, pp. 549–564. USENIX Association (2016)
LoRa Alliance. Wide Area Networks for IoT. https://www.lora-alliance.org/. Accessed Apr 2017
Nettle. Nettle - a low-level cryptographic library. http://www.lysator.liu.se/nisse/nettle/. Accessed Apr 2017
NIST. Specification for the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197 (2001)
O'Flynn, C., Chen, Z.: Power analysis attacks against IEEE 802.15.4 nodes. In: Standaert, F.-X., Oswald, E. (eds.) COSADE 2016. LNCS, vol. 9689, pp. 55–70. Springer, Cham (2016). doi:10.1007/978-3-319-43283-0_4
OpenSSL. Cryptography and SSL/TLS Toolkit. https://www.openssl.org/. Accessed Apr 2017
Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006). doi:10.1007/11605805_1
Saab, S., Rohatgi, P., Hampel, C.: Side-channel protections for cryptographic instruction set extensions. Cryptology ePrint Archive, Report 2016/700 (2016). http://eprint.iacr.org/2016/700
Sastry, N., Wagner, D.: Security considerations for IEEE 802.15.4 networks. In: Jakobsson, M., Perrig, A. (eds.) Proceedings of the 2004 ACM Workshop on Wireless Security, Philadelphia, PA, USA, 1 October 2004, pp. 32–42. ACM (2004)
Schwabe, P., Stoffelen, K.: All the AES you need on Cortex-M3 and M4. In: Selected Areas in Cryptography (SAC 2016)
Song, J., Poovendran, R., Lee, J., Iwata, T.: The AES-CMAC algorithm. RFC 4493, June 2006. https://tools.ietf.org/html/rfc4493