
Using Electromagnetic Emissions to Intercept AES-128 Cryptographic Keys from a Raspberry Pi

BSides Cape Town · 2017 · 32:10 · 203 views · Published 2017-12
About this talk
Demonstrates practical electromagnetic side-channel attacks against AES-128 encryption on resource-constrained devices. The talk presents an inexpensive proof-of-concept using commodity SDR equipment to recover cryptographic keys from a Raspberry Pi, then proposes software-based countermeasures using multi-threading and noise generation to mitigate such attacks.
Transcript [en]

I am even finished and today I'll be speaking about using electromagnetic emissions to intercept AES-128 cryptographic keys from a Raspberry Pi. So basically, as we know today, the volume of sensitive data is just exponential. Our devices are continuously just producing an exponential amount of data daily, and it's just, it's our cellphones, IoT devices, any device that can transmit ages reduce indicted today. And however we are trying to protect this information, we would like to have this information protected theoretically, but these so many information allottee that that we track particular information. And one of these ways of protecting information is cryptographic algorithms. These cryptographic algorithms are mathematically secured. Sometimes we'll use a

mathematically secured; it's not feasible, you can't crack it in one day, and normally if you want to break it mathematically you need quantum computing or at least thousands of years of just breaking the algorithms themselves. However, it's been shown that these algorithms are vulnerable to side-channel analysis. This is basically the study where we monitor the side information of the device that actually gives a correlation between what was happening on the device and the side information. This side information can be power, EM radiation; it can be anything that leaks off from the device. As you can see, this is just an example of power analysis, where the adversary actually has physical

contact to the device and is monitoring the power waves while something is happening, say for example the encryption is running. So you just monitor the power waves, and then from there you can actually find a correlation between the encryption algorithm and the power waves. However, we know that sometimes getting physical access to one's device could be tricky, therefore they moved on to electromagnetic devices, or electromagnetic attacks, where you can actually monitor the EM frequency from a device and you won't need physical access to the device. So, as you can see, this example is sitting in a different room, so someone could be sitting in the room

and just intercepting all our evening from, and this is why this is more feasible than the conventional power analysis. And this is one of my favorite examples over here: as you can see, they hid a device to scan the EM waves in a pita bread. So you go to work, you see someone sitting there with a lunch, we know it's not the Atlantic but he's stealing your information. And as you can see, this is an example of the device hidden in the pita bread, scanning and stealing information from a laptop. So this is just, specially, a simple example of power analysis. This is the RSA implementation, so the power

was captured while the RSA implementation was executed, and what we know from RSA is that there's square and multiply. And then based on this they could actually tell the difference, or actually recover the secret information, just based on looking at the power traces. And then from this, what you could see is the big power spikes over here; you can see there's big ones and little ones. So the big ones is basically your multiplication and the little ones is zero, your square, and so from that you can actually recover the secret key. But our talk today will be focusing on the attack on AES-128. Our attack point

is basically at the subroutine of the substitution box. What we do is we capture the EM traces from the device. The beauty of this is you can either use the input, the plaintext, or you can even use the ciphertext; you don't even need to know what the key is. So you can either use the input or the output text. So what you do is you just plug your information into this lovely equation and you will get your answer. So basically what you need to know is that AES has sixteen subkeys, so because there's sixteen subkeys you can actually attack each subkey individually. So you can just, say, focus

on subkey zero, subkey five. And then because we actually know what the subkey is, we can actually build our guessing entropy, or we can determine a ranking system for the subkey, to determine if the equation we use can get the correct subkey. And then this is just an example over here of the program; as you can see, the subkey normally rises to the top, in the location entropy zero. So from this we can actually evaluate our results and see if we are getting the correct subkey or not. So this is our setup. What we did was we took two Raspberry Pis, a fun cube dongle, this

cost us about six, six dollars. So instead of buying a $300 HackRF, we just bought the six dollar SDR. We connected it to an H-field probe, which costs us about ten dollars as well. And as you can see, we have an attacker: the attacker is a Raspberry Pi and the victim is another Raspberry Pi. What we did for the victim is we actually installed a fully fledged operating system, so I think Lubuntu 14.04s are an anomaly, so a full operating system that we use daily. And what we also did was we limited the Switchback to 600 megahertz; this is just to prevent some internal power saving features. And then for the

attacker, everything stayed the same; we just use the device as is, and we use basically GNU Radio, all open source, to interface with the fun cube dongle. This is just for the data acquisition. As you can see here, we talked in the 600 megahertz range because that's the base frequency of the Raspberry Pi. Like I said before, we use GNU Radio to interface with the SDR. So we can see in the first stage we actually just pumped the signal through a fast Fourier transform, and then you can see what we also did was we cut all the baseband from all the other side, because we just wanted to focus on the 600 megahertz. And then this is the first

stage. The second step is, skip the slide, the second stage is to actually find the region of interest. So this is just across time: you monitor the EM frequency across time, then you execute the AES algorithm, and as you can see here this big power spike, or EM spike, that's actually where the AES-128 encryption algorithm is executing. And the third stage of data acquisition is to actually do some denoising and removing the unwanted signal. So as you can see, that is the signal that we actually captured in the raw format, and as we apply our denoising techniques we can see the signal curve becomes much smoother. And so one of the issues that we had was

trigger jitter and phase shift. This is because we are capturing the signals at the, at the answer it not, unsynchronized, so the signal each time you capture a signal could differ from the next one. So there was a lot of chance because of trigger jitter and phase shifting. And then this is actually our solution that we came up with. So we took the signal, we segmented it into various parts, so we take a third, segment it in three parts, a third, a third, and then from that segmented signal we actually perform elastic alignment. Elastic alignment is very interesting: it's a speech recognition technique where they used to align speech recognition. So we actually apply

some speech recognition techniques to align the signal. Once we do that, we then combine all three separate signals into one, and then we apply our denoising technique, where we use various mathematical operations. But as you can see here, there's various options to apply: once alignment is complete you can send it straight to the CPA equation that I showed earlier, or you can apply the denoising techniques or resyncing techniques and then another elastic alignment. So this will continuously go around and around until all the resources are exhausted, to determine how many subkeys have been recovered. This is just an example of misaligned data. As you can see, the power traces, the EM traces, are very similar but

they're all over the show. However, if you throw it into our alignment solution technique, you will see that the traces actually become more aligned, and this data is then sent as the input data for the equation to determine the subkeys. And this is just our result. So as you can see, if we apply no alignment, we send the traces as is, we actually recovered, we can recover the one subkey. And this is fascinating because we didn't apply any alignment techniques, and it's telling us already that in this signal there's information being leaked out, there is subkeys coming. And then, remember I said earlier, we didn't apply the elastic alignment; we actually saw that from just

applying some alignment techniques onto the signal we were able to recover six subkeys. And then from that we applied all the other denoising and all other possible factors or possible combinations of just recovering subkeys, and were able to recover 12 subkeys, 12 of 16 subkeys, just using old techniques as being used against microcontrollers as well. So then we actually applied our new technique: we looked at removing the frequencies, so we looked at removing the frequency between 0 to 5 kilohertz within that captured signal. And this is an example of how the signal looks now, and interestingly the results over here: we recovered 12, 12 of the subs, 12 of the

16 subkeys as well. However, in this application, as you can see, it's 12 different subkeys; just by removing the 0 to 5 kilohertz we were actually getting different subkeys than the previous, yes. So what we did next was we incremented the champ, so instead of 0 to 5 we looked at removing 5 to 10 kilohertz. This is just an example of our signal, and now once we remove the 15 to 10 kilohertz we actually were able to recover 15 of the 16 subkeys. As you can see, as we perform more data analysis, removing more frequencies, we are actually able to recover more and more of the subkeys.

Eventually we actually removed the 10 to 15 kilohertz, and this is an example of the new signal, and we were yet again able to recover another 15 of all the sixteen subkeys. However, on this occasion you will see that subkey 9 was not located, and I think previously we had, yes, previously subkey 4 was not recovered. So we can see there's overlap between removing the signals and the information that we are actually recovering. So what we did next was we just removed everything from 0 to 15 kilohertz, and we will see in the next slide, we remove 0 to 15 kilohertz and that's our new input signal. This input signal gets

into our equation, and then from that, this is a comparison: we started here on the left, that's our signal, and this is the new signal that we have now. So as you can see, by performing data analysis, removing signals, we are actually able to recover the entire subkey. And this is just a graph showing that as we removed the various signals, different subkeys were obtained, and as I said before, if we remove the 0 to 15 kilohertz we are able to recover 16 subkeys. It's also noted that we didn't go above 50 kilohertz, so the range we're looking in is between 15 and 50 kilohertz, so anything

above the kilohertz as well was removed. So as we can see, the entire subkey is lying in the 600 megahertz frequency, and once we remove the signals between 0 and 15 and anything above 50 we are able to recover the full encryption key. So this is just some more data analysis. As you can see, we actually just needed 50 traces, or 50 data acquisitions, to recover the entire key. And this is very easy, so you sit the day just sitting scanning someone, as you sit outside companies though someone comes out, I'm sure that it's possible for 50 times someone who came out here, just the amount of people that walks in and out

of a company, and you just monitor the sign-in, the badge numbers, you are able to easily acquire 50 intelligence within a day. And this is why this is so interesting and easily deployable, because you can easily capture EM signals so easily without the user even knowing that you're capturing them. Here you can see that one of the interesting stuff was that we were to figure out that subkeys two, four, eight and twelve was located in all the traces. As you can see, we use linked to the economic top 10, so we go 10, 20, 30, 40. So this is just to show that by 30 traces we already got 10 of 16 sub

keys. So depending on your position or your alignment techniques you can actually reduce the number of traces required. So as you can see, we did more analysis; we tried to determine the minimum value of the subkeys required. As you can see, once we got about 45 subkeys, 45 traces, we were able to get fourteen of the sixteen subkeys, and then we use for the a traces we'll get 15, and like I said, we only use 50 traces to get the entire subkey. So from this we applied more analysis to determine why we need 50 traces. So what we did was we swapped the subsets B

and C around, so substituting trace 20, traces 316 to 20 and traces 20 to 30 were swapped around. Interestingly, before, on the other graph, you could see that the figures here in red are the ones that we lost, but previously when we keep the dimple in this fund ABC order those subkeys were found. However, these ones here in green are the new subkeys that we were able to recover. So it shows you that actually the data that you have, if you actually swap it around or actually a bit the data, you will actually get different subkeys as well. And then what we did was we actually, so

we keep the second and third subsets the same and then we swap the fourth and fifth one around. Interestingly, we can actually see that this is the same as our first result. What we actually noticed was that the 20th and 30th analysis, it's a base, so once the base is set the equation doesn't look for the key that's already found, it looks for new keys. So as you can see, the base has been set, we found basically from 0 to 2 and then 4 to 9. So what that equation actually does is a box of

pointed nerves: okay, there's a key, don't look for it anymore. So from that you can see, once the base of the 30 is set it actually looks for the further remaining subkeys. And then it goes back to our previous graph, which you can see over here, that once the base was set on this side it started looking on that side for the traces. And then what we did was, as you can see, there's a big red dot there, that was just at traces 30. We actually were trying to figure out why it found subkey 6 in 10 and 20 traces but then it suddenly lost it and then recovered it again. So we did

some deeper analysis and we actually determined that in that subset the data over there were just too misaligned, or there was too many anomalies in the data. So what we did was we recaptured the data, and the beauty of this is that you can actually capture those ten traces, swap it in with another ten traces, so you can easily make the changes. So as you take it out and you put better aligned traces in there, you are able to recover all the six sub key was a capital out you seen at the game. So we spoke about, we spoke

about intercepting encryption keys, getting the AES subkeys, but now we actually developed our own countermeasure to prevent this subkeys. What we focused on was basically some basic arithmetic, some Fibonacci, some just generating prime numbers, as a noise daemon in the background. So while you execute your AES program, or you encrypt the program, there's a daemon in the background just generating EM noise filter. And what we did was we focused on creating our daemon, or even all the AES encryption, in a threaded environment. So because we are running actually on a fully fledged operating system we had access to all

the other threads such as pthreads, C11 threads, the TBB and the OpenMP thread environment. So we focus on the multi-threading techniques because eventually we want to upscale this to use on our mobile phones, on our IoT devices, because we have so many devices that have multi-threading capabilities, yet we are not actually using it. We sit with the fancy phones, and how many times do we know that they're actually using all the cores, all the multi-threading? So we thought that this will be a perfect opportunity to actually put out a countermeasure on our phones as well, and our IoT devices. We will just spawn a

first thread executing the daemon. So this is just the EM signatures; as you can see, these are the different thread implementations. This is just, as you can see, the pthreads, the C11 threads, but over here you can see in these boxes you were still able to actually visually see the AES encryption algorithm even though it's in the threaded environment. And if you can see it, you can easily, like I've shown before, extract that data and then recover the subkeys. And then we implemented our countermeasure: we will just, in the background, the thread will calculate prime numbers and Fibonacci numbers. But yeah, as you can see

here, in the first sequence it was a prime number calculation and it couldn't be detected, and then in the next sequence the prime numbers was calculating, I mean the AES encryption was detected. So we did further analysis and we actually noticed when the low prime numbers you could actually still see the AES encryption, but once the prime numbers increase, the amount of calculations also had to increase, and then that actually generated more EM noise than just doing some low calculations. But this is, as you can see, it's a hit and miss, so you don't want to say, oh, 60% of the time it will actually prevent it. So we actually moved on to the

better formula: we actually replaced the prime number calculations with the secure algorithm. So instead of calculating prime numbers we will just calculate some hashes, and the implementation we focused on was the, like, Crypto++ implementations of secure hashes. This is basically just the operations of what the daemon does: firstly it generates a random string, then hashes the random string; we split the hash in half; then there's a coin toss, and depending which way the coin lands you take the first half of the hash or the second half of the hash. And then once you take that half, that half gets bit

flipped, and anyway, once you have a bit-flipped half, that flipped half gets added to the first half that got segmented, and then from that it just continuously does that in a loop, and basically this increases the entropy of the hashes that we produce. So one of the issues of doing this is our CPU utilization went through the roof, and because of that the device actually went into a slow-down state, and then from that slow-down state we could still see the AES. So we escaped in some hashes some EM data, but then the device goes into the slowdown state. So this was important to

understand that device as well. So as you can see, this is just an example of that; you guys can see clearly that this is the inspector many as you can see the device at the end of the scenes usage, so you can actually see there's some emissions are ID 18 out then that correlate to that AES. So what we did was we then actually replaced the libcrypto++ version with the OpenSSL version just to calculate the hashes, and what we saw was that the OpenSSL version was actually using a hundred percent of the CPU, however it didn't put the CPU or the device in that slowdown state. So there's

actually doing some management where it would calculate the hashes without compromising the device or pushing it to the limit and actually leaking out information. As you can see, on the left was basically the libcrypto++ version and this is the OpenSSL version. As you can see, it's nice, there's no spikes in this version, and over there in that version you will still be able to see the spikes. Another example: we can see we put the daemon on, so that's when we're running our new improved version, and then we put it off and we can still see the AES. So this just visually shows you

that you can actually see the AES implementation or execution when the daemon is off, and when the daemon is on you can't actually see it. So what we saw was that once the daemon is actually on, we tried to perform the CPA attack and we failed, because there wasn't any useful information that we could extract; we couldn't say, pinpoint, okay, in that specific region, that's where the AES encryption is running. So we couldn't actually perform the CPA attack, and that that ID so our countermeasure really prevents out there. So then what we did was we performed statistical analysis of specific attacks on this data. So one of the text

was the stress create this, and then this is just the results of the charge before. As you can see, that's our countermeasure, we called it the price count Amir elbow freeze countermeasure, and as you can see these other two friendlies the different countermeasures of interaction. So we went through, that's the prime numbers, the prime numbers where you really could see the AES encryption, and those are just when we pump the countermeasure just into a multi-threading technique. And then what this shows you is that there's a 95% probability that we're not just using the multi-threading technique or the prime numbers we it was possible, this is a 95% probability that that signal still

resides within the noise generator. And with those prime numbers where you could not actually see the AES encryption algorithm, it showed that there's a 50% chance that that signal still lives within the countermeasure. However, if you use our countermeasure that we introduced with the OpenSSL implementation, there is only a 1% chance that that signal could be hidden in the countermeasure. So as you can see that we actually use some nice this is some action to actually prevent the EM capturing. So the significance of this is that we developed the software countermeasure. As you know, developing hardware countermeasures, this could be and as you

have to ask, as a consumer, if he wants to upgrade or update his hardware he has to actually come in and replace his hardware, and this could be tedious, and the cost to manufacturers could be increased because they had to replace hardware, whereas if we do a software approach you can easily just remotely update the software on the device instead of the user just coming in. So what we hope this will do is that we hope that this would like smartphones are IoT devices just as we know that the age of we in the age we want our information secured, and we know that everyone is trying to steal our information. And then this is just

another process to actually mitigate, to obfuscate, the interception of information through the EM spectrum. So as you can see, we just introduced a new base of attack and a new type of countermeasure; we actually use old techniques combined with new techniques to actually recover the AES encryption keys off of a Raspberry Pi. As we know, these devices are currently saturated in our homes right now, that does our home automation, so it is very important that we secure these devices and IoT devices, and then hopefully these attacks can be prevented now and in the future. Thank you. Okay, we just focus on the near-field just to show the concept that

we are able to intercept, but there are other antennas that you can actually buy, just commercially buy, so the range can actually increase tremendously. So we just focus on near field to show that the concept of stealing from the Raspberry Pi can work, but there are antennas, yeah. Yeah, exactly, yeah. Yeah, not that they, there's been research out there that's proven that that's just not feasible right now as well. So what my point was, was showing that multi-threading can work, but you're welcome to expand it and actually just the research on that format or just actually does not spawn in one spawn in maybe depending on the course a 3G just

spawning the random garbage as well.

Sorry? I think you can actually run into all this poutine in as well, because this is just our first iteration, as you could see, but we are trying to expand it as well. So we were looking at different avenues to expand it and, as I said, to implement it on different devices, but that sounds like an interesting idea, to start implementing it at boot time already. Thanks.

That one? Yeah, yeah, yeah, because I think, like, as we remove the different signals the upper level got removed as well, so it's rare to actually zoom because as we remove the signal where they actually zoom in to see where the signals are. So this is just a more zoomed-in version between that course that one starts at under erupted over as well but it's just a straight line so you can, yeah, yeah, yeah, 55 zero you know there can be different, yeah, that's what I said, we over here

like over here, as I said before, we know the subkey, right, so we can compare to our guessing entropy, because the guessing entropy will rank it. So this is, it captures all four so we apply, we throw our fifty traces in there, right, and then this will become, this is our actual, our answer, so it'll spit out the entire subkey like it and based on that. So if you take some other unknown subkey, right, so you can take a random subkey and apply this as well, it will actually get you the correct result, because, so we just knew what the subkey was, but if you actually put our

unknown subkey in, then it will actually predict the correct answer. Yeah, yeah, we use the elastic alignment.

Yeah, basically you can, depending on how big you want to make your radius as well.

because our original approach was to look at the smart cards. So we basically started on smart cards, but we saw afterwards there wasn't multi-threading support for smart cards. Then from that we moved to microcontrollers and eventually to type the iPod or high-frequency devices as the Raspberry Pi. But yes, I really read that book, so that's our first starting point, were the smart cards. Not really, because, no, no, not really, because in our earlier work we focused on microcontrollers first; we actually show that our method outperforms the existing ones as well. So we did do a comparison, so if you're interested in it we can do clear up some papers that we did; we

actually performed the test on microcontrollers to show a comparison between the existing work and our work as well. I think, like, GP at the beginning of the year someone did release a paper showing, demonstrating, that they just use the normal mobile phone to scan and the SIPP data as well, and there's no but you can just even write your own application because you have you can as actually goes through the receiver and seen this

This is because we actually wrote that in a way that one of the options is to run it in the daemon, or the other option is actually just making calls to the noise generator as well, so you actually can call it from your existing program as well. Yeah, yeah, exactly, yeah, yeah, because we were talking about, as I said, like, use it on your smartphone for mobile banking, and then you start the mobile banking app with us, and then once you're done with your banking application you shut down the app. So depending on your power constraints you can use it as you feel sounds. But yeah, okay, thanks. [Applause]