[ckastner]

This was the AES implementation this was tested against:

The trace below shows our signal for one block of AES-256 encryption running on a SmartFusion2 target. We use OpenSSL's implementation of AES on the ARM Cortex-M3 core of the SmartFusion2. There are clear, distinct patterns for each stage of processing. We see I/O to and from the Cortex-M3, calculations for the key schedule, and the 14 encryption rounds.

So it was a software implementation.

I wonder if and how effective this attack would be against devices with hardware implementations of AES.

[JoachimSchipper]

We (that is, our interns and my colleagues) also attacked a straightforward/naive hardware implementation in an FPGA (reconfigurable hardware); we/they achieved at least a few centimeters of distance (using the open-loop antenna shown.)

A truly hardened hardware implementation would be very hard to attack. The contribution of this work is mostly in showing that you can break realistic-but-not-great implementations very quickly, cheaply, and without needing to open most enclosures.

[5gaKanchAFD2]

The interesting work here is definitely on the measurement/acquisition side. Ultimately if it's an unprotected AES you're going to be able to exploit some leakage given enough measurements.

This is pretty consistent with recent results that attack more 'exotic' targets; the post-acquisition phase uses the same old techniques that were 'discovered' in the very early 2000's. It seems to be that once you've found the things you need to do to get clean measurements you can just use the straightforward linear-dependency related stuff or do a simple profiled attack if that suits.

[JoachimSchipper]

Fully agreed - the post-acquisition stuff is mostly Riscure's (very nice, but standard/not-novel-per-se) Inspector tool.

[hvidgaard]

All it does is messuring power consumtion and uses knowledge about the implementation to calculate the key.

Unless steps have been taken to equal power consumption between different paths, theoretically there is nothing stopping this from working on a hw implementaion of AES.

[user5994461]

There is a paper on stealing RSA keys, by listening to the sound the power supply of a laptop makes, from 4 meters away with a microphone. Works wonders!

[JoachimSchipper]

You're referring to https://www.tau.ac.il/~tromer/acoustic/ and the line of related papers.

That's absolutely great work, but this work uses very different techniques: the authors of that line of papers feed inputs to the crypto core that amplify the dependency on the key, e.g. by ensuring that a square-and-multiply does all or no squares depending on a single bit of the key.

AES doesn't have the kind of algebraic structure that would allow such amplification, so we mostly have to do it the hard way. Fortunately, we had some very talented interns and significant in-house (analog and digital) signal processing expertise. (From colleagues' previous jobs.)

[dom0]

> theoretically

Hardware implementations are designed to make this hard. They also use a lot less power, so any measurements are more difficult / take longer.

[devdoomari]

...how about a random-power-consumer? would it help?

[dom0]

No, not at all. A raised SNR can be overcome in almost all circumstances by making more measurements, i.e. correlation, since noise is not correlated, it is removed. For the same reason random delays don't help against timing attacks.

[Drdrdrq]

Curious: how about generating noise which is correlated to signal and actively tries to modify output to some "random" noise?

[Cyph0n]

That's how DPA works as far as I understand.

[Ferofluid]

Not if you calculate keys nonstop, then have another machine pick from a huge list later.

[tinus_hn]

Perhaps you could quantize the level.

[Klathmon]

Generally mitigations like adding random things only delay attacks like this, they don't prevent them.

Like adding random timings won't prevent timing attacks, adding random sized strings won't prevent chosen plaintext or padding attacks, etc...

[Gibbon1]

Wonder if you can hash the cryto algorithm.

[Dinux]

This was even tested with CTR and GCM (I know this for a fact), which were not a problem at all. Surprisingly GCM was somewhat easier than hashing modes. But also CBC was detectable after a few blocks.

[laydn]

Cryptography Research (now RAMBUS) developed solutions against these DPA attacks. Real solutions are much more complex than just "random-power-consuming"

See: https://www.rambus.com/security/dpa-countermeasures/