Side-channel attacks
By Diana Ion.
Too many times overlooked by common security measures, side channels can offer attackers new avenues for information gathering and possibly much more.
A simple definition of a side-channel is something that enables you to find out something about a thing without directly observing that thing.
Think of a quiet neighborhood during wintertime. All roofs are covered by snow, except for one. Naturally, you would think about something shady going on there and you could be right. Meth labs release a lot of heat and the effect of this on the snowy roof gives you information about what is possibly happening inside without you needing to actually look. This is an example of a thermal channel.
Another example that should be familiar to you from one of the spy movies you have watched, is the classic trick of using a stethoscope to listen to a safe’s mechanism while rotating the dial with the obvious aim of opening the safe. The side channel in this case is the sound.
Up to this point, it should be clear that a side-channel constitutes a consequence of a particular action. Now it comes the most interesting part. Cryptographic implementations are based on computations at the bit/byte level. While performing these computations, computers are using electric power. If you are observing the power trace from a chip running AES or DES on an oscilloscope, you will see discernable patterns coming from the number of rounds, the memory access, or other algorithmic detail. This process is called simple power analysis and is a type of direct implementation attack.
An implementation attack targets faults in the hardware/software implementation of an algorithm and not in the design of the algorithm per se.
A more advanced attack that can also be used to find the key used in AES encryption is differential power analysis. Here, the attacker needs access to the device for collecting power traces during normal AES encryptions. With an available set of measurements, the attacker creates a model of the side-channel, inputs a hypothetical key, takes the given output, and performs a statistical analysis between his output and the real output. Perseverance and patience must be employed.
I am curious sometimes and, during one lazy quarantine day, I decided to give it a try myself and break AES encryption with power analysis. I found a dataset of measurements online and wrote a Python script. The key size was 128-bits, meaning 16 bytes. Probably you know that AES-128 consists of 10 rounds with each round, except the last one, performing some particular operations (SubBytes, ShiftRows, MixColumn, AddROundKey). If these are unfamiliar to you, please do a Google search for AES rounds. To make my life easier and prove that the key is breakable, I only attempted to break the first byte of the key, after the SubBytes operation. This means running through all the possible key values for the first byte (0 through 255), encrypting the plaintext with each one and compare the end results.
I will not go further into detail as I do not want you to get bored. My point here is that faulty implementations can leak sensitive. Do not underestimate the ingenuity of attackers when talking about methods for speeding up computations. There are profile attacks and deep learning techniques that need only a small number of measurements to break the encryption. Common methods of combating side-channel attacks are usually divided into ‘hiding’ and ‘masking’. These can be done at any level: transistor level, program level, algorithmic level, or protocol level. We will explore these in a future article.