Brissouille / Lagrange

Cryptanalysis on different algorithms with the z3 SAT solver

Fault Attack (DFA) on AES to implement

Brissouille opened this issue · comments

The goal is to combine two AES (one with a fault and another without) in order to write an equation and solve it.

The questions are:
How to combine the two AES?
Is there a unique solution or not?

I think the number of solutions is not unique but reasonable, so I try to use the ForAll method in z3 or just a while loop.
For the combination, I must modify the aes primitive (aes.py) a little in order to output the intermediate value.
The solver takes the intermediate value into account to exploit the fault.

I had to modify aes.py to expose the intermediate value of the AES.
I try to insert a fault in state 8 and reproduce the last rounds, but it does not work.

The fault model works. I had to modify the aes.py class again.
I remove the solver reset function from the encryption function. Indeed, without that, the value of the fault is not taken into account. To see whether or not I externalize the reset function.

I create the DFA class to perform the DFA. The class is composed of 2 attributes (aes).

To perform a DFA, we need more than 2 aes, so I create a list of aes pairs (one safe and one faulted). When the DFA is reset, the list is deleted.

To initialize the DFA we use the insert function (maybe change the name), which creates a list of safe and faulted aes. Nevertheless, the exploit function just takes 2 arguments as parameters.
Does it take a list of safe and a list of faulted?
Does it take a list of safe and faulted aes pairs?

I took a list of safe and faulted aes pairs.

DFA works with a little trick: I transform the intermediate state of the AES.
Thanks to this, the solver can find a solution for K10.
I can attack byte 0 and retrieve K10[0], K10[7], K10[10] and K10[13] according to the article, and it works.

I think about "how to attack by DFA": "first K10 and then the MasterKey, or directly the MasterKey".
In the first case, there is a chance of not retrieving a byte, but it can be detected and a brute force is possible.
In the second case, if there is a mistake when I retrieve the bytes, it is not detected.

I choose to attack only K10, because it's too boring.
The DFA class is just a POC to show the SAT solver's application.

I save the attacked byte for the exploit function.
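The thread asks whether the DFA equation has a unique solution, and later reports that one fault on byte 0 yields K10[0], K10[7], K10[10] and K10[13]. The block below is an added illustration written for this page, not code from the Lagrange repository or its aes.py: instead of z3 it enumerates every candidate exhaustively, which makes the solution count visible. It models only the last round (the state entering round 9's MixColumns is drawn at random rather than computed from a plaintext, since AddRoundKey 9 does not change the XOR difference), injects a constructed single-byte fault there, and counts the (K10[0], K10[7], K10[10], K10[13]) tuples consistent with one and with two correct/faulty ciphertext pairs. The S-box is computed from GF(2^8) so the block runs offline; all inputs are constructed.

```python
import random
from itertools import product

# --- minimal AES pieces: S-box from GF(2^8), ShiftRows, and the last round ---
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def build_sbox():
    """AES S-box: multiplicative inverse followed by the affine map (0 -> 0x63)."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for i in range(1, 5):  # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = build_sbox()
INV_SBOX = [0] * 256
for i, v in enumerate(SBOX):
    INV_SBOX[v] = i

def shift_rows(state):
    """State is 16 bytes in column-major order: byte index = row + 4*column."""
    return [state[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def last_round(x, k10):
    """Round 10 (no MixColumns): SubBytes, ShiftRows, AddRoundKey with K10."""
    return [a ^ b for a, b in zip(shift_rows([SBOX[v] for v in x]), k10)]

# A fault e on byte 0 of the state entering round 9's MixColumns spreads over
# column 0 as (2e, e, e, 3e); ShiftRows then carries those four bytes to
# ciphertext positions 0, 13, 10, 7, i.e. the K10 bytes named in the thread.
FAULT_SPREAD = {0: 2, 13: 1, 10: 1, 7: 3}  # ciphertext index -> MixColumns coefficient

def simulate_pair(x, k10, e):
    """Return (correct, faulty) ciphertexts for a constructed pre-round-10 state x."""
    x_faulty = list(x)
    for row, coeff in enumerate((2, 1, 1, 3)):
        x_faulty[row] ^= gf_mul(coeff, e)  # column 0 after MixColumns of the fault
    return last_round(x, k10), last_round(x_faulty, k10)

def k10_candidates(c, c_faulty):
    """All (K10[0], K10[7], K10[10], K10[13]) consistent with one ciphertext pair."""
    positions = sorted(FAULT_SPREAD)  # [0, 7, 10, 13]
    # Per attacked byte: observed InvSubBytes difference -> key bytes producing it
    diff_table = {}
    for p in positions:
        table = {}
        for k in range(256):
            d = INV_SBOX[c[p] ^ k] ^ INV_SBOX[c_faulty[p] ^ k]
            table.setdefault(d, []).append(k)
        diff_table[p] = table
    cands = set()
    for e in range(1, 256):  # the fault value is unknown, so every e is tried
        per_byte = [diff_table[p].get(gf_mul(FAULT_SPREAD[p], e), []) for p in positions]
        if all(per_byte):  # every one of the four equations must be satisfiable
            cands.update(product(*per_byte))
    return cands

def demo(seed=1):
    """Constructed key and faults; returns (true bytes, one-fault set, two-fault set)."""
    rng = random.Random(seed)
    k10 = [rng.randrange(256) for _ in range(16)]
    truth = tuple(k10[p] for p in (0, 7, 10, 13))
    sets = []
    for _ in range(2):  # two independent faults under the same K10
        x = [rng.randrange(256) for _ in range(16)]
        e = rng.randrange(1, 256)
        sets.append(k10_candidates(*simulate_pair(x, k10, e)))
    return truth, sets[0], sets[0] & sets[1]

if __name__ == "__main__":
    truth, one_fault, two_faults = demo()
    print(len(one_fault), "candidates after one fault,", len(two_faults), "after two")
```

The true four bytes are always in the candidate set, but one pair rarely pins them down: the unknown fault value e multiplies the solutions, which is why the thread's "not unique but reasonable" guess and the decision to check the solver's answer against a second pair (or brute force the remaining bytes) make sense. Intersecting the sets from two faults shrinks the count, and the same intersection is exactly what a z3 model gains from adding a second (safe, faulted) aes pair as a further constraint.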