Breaking Crypto For Dummies

Breaking Crypto 

For Dummies 

Nikita Abdullin @

About me 

• @0xABD 

Abdullin@riscure.com 

• Background: fintech, payment security 

• Security analyst @ Riscure, evaluating payment tech 

• Who is Riscure? 

• Security lab in the Netherlands & USA 

• 80 hackers working on: 

• Security test tools 

• Security test services 

• We host the #RHme & #RHme2 hardware CTFs! 

• rhme.riscure.com 

• 500 players from 49 countries this year

Agenda 

Cryptography Crash Course 

Attacks on (Software) Crypto 

Side Channel Attacks 

Fault Injection Attacks 

DEMO 

Conclusions

Agenda


• Some history: how did people use and break cryptography? 

• Black room 

• “Cabinet noir” 

== Mallory peeks in the room == broken 

• Black box 

== Mallory peeks in the box == broken 

• Commercial encryption machines 

• Kerckhoffs's principle == Mallory has the key == broken 

• … 

• The present day: 

• All of the above 

• Internal state == Key 

• ???


• Black box 

Encrypt 

Decrypt 

Observe 

Alter


• Grey box 

Encrypt 

Decrypt 

Observe 

Alter


• White box 

Encrypt 

Decrypt 

Observe 

Alter


• Black box == Attacker cannot look inside 

• Grey box == Attacker can see something* inside and/or influence it 

• White box == Attacker has full control


• What is cryptography, when implemented in hardware and software? 

• Start with a Black box 

• Inputs 

• Data 

• Key 

• Output 

Input 

Key 

Output

Unintended 

functionality 

Unintended 

states 


• Crypto is executed by a machine 

• Sometimes, a “weird machine” (Sergey Bratus et al., 2011) 

• http://langsec.org/papers/Bratus.pdf 

Normal, 

intended 

functionality 

Normal, 

intended 

states



• Symmetric crypto 

• Done in (simple) steps – rounds 

• Key schedule 

• Use a new key every round 

• Linear operations (aka affine transformations) 

• Matrix operations 

• Register arithmetic: SHIFT XOR ADD OR AND NOT … 

• Non-linear operations 

• Table lookups (aka Look-Up Tables “LUT” aka S-boxes, …)



• Asymmetric crypto 

• Arithmetic on looooong numbers (> 4x wider than our CPU regs) 

• Modular arithmetic 

• Various optimizations to make it fit into register width 

• Various hacks to make it faster

Breaking Modern Cryptography 

Images (c) by Vasya Lozhkin http://vasya-lozhkin.ru/


The hipster way: 

• Classic Cryptanalysis 

• Linear Cryptanalysis 

• Differential Cryptanalysis 

• Formal verification of protocols 

• … 

• “3-AES will probably never be 

cryptanalyzed”


• Symmetric crypto: 

• Current view on computational 

complexity (Joan Daemen, 2016): 

• 80 bits: 

• 96 bits: 

• 128 bits: 

• 256 bits: 

lightweight 

solid 

secure for the 

foreseeable future 

for the clueless

The brutal way: 

1. Make assumptions on the 

internal state of the cipher 

2. Guess the state / edit the state 

3. Guessed/new state depends on 

key (and data) 

4. Measure & Calculate the key 

• Adjust your assumptions 

Grey box model – the attacker can 

see through the box and touch it 

Breaking Modern Cryptography

The brutal way: 

• Side Channel Analysis (SCA) 

• Timing analysis 

• Power analysis 

• Simple power analysis (SPA) 

• Differential power analysis (DPA) 

• Correlation power analysis (CPA) 

• … 

• Fault Injection (FI) 

• Differential fault analysis 

• … 

Breaking Modern Cryptography

Image source: www.wikihow.com 

Side-channel Basics

Side-channel Basics 

Example: PIN Verification and power measurements (traces) 

PIN 

???? 

8??? 

82?? 

827? 

8275


• Observe the whole cryptosystem 

• Find what is leaking (and, preferably, where) 

• Time 

• Power consumption 

• Electromagnetic field 

• Light / Sound / Temperature / … 

• … 

• Make an assumption on the dependencies between secret state and 

observable state 

• Leakage model 

• Process the observation data & Get the key


• Why it leaks? A hardware circuit is more complex than its schematics 

• Each switch (=bit) draws power when flipped (clocked) 

• A power consumption of a register is a function of its data (state) 

• Same for EM / temperature / other energy emissions


• Every wire is an antenna 

• Every loop is a coil 

• Works both ways (see later) 

• Noise is (usually) random/uniform, correctly modeled leakage is not 

• Acquire more measurements (traces) 

• Noise cancels itself, but data dependencies are amplified 

• If leakage model is correct, otherwise == becomes noise too


• For pure software, every shared hardware resource leaks 

• CPU caches 

• CPU branch predictor 

• Any resource of the memory controller 

• … 

• https://scholar.google.com/scholar?q=cross+vm+side+channel+attack 

• Lipp, M., Gruss, D., Spreitzer, R., & Mangard, S. (2015). Armageddon: Lastlevel 

cache attacks on mobile devices. arXiv preprint arXiv:1511.04897. 

• https://www.blackhat.com/docs/eu-16/materials/eu-16-Lipp-ARMageddon-How- 

Your-Smartphone-CPU-Breaks-Software-Level-Security-And-Privacy.pdf 

• https://github.com/IAIK/armageddon


• How to perform actual SCA attacks? 

1. Acquisition of many traces – extracting leakage out of the box 

2. Signal processing – leaving the good things 

3. Statistical analysis of the trace set


(1) arm 

(5) acquisition 

(7) attack 

(6) response 

(2) command 

(3) trigger 

(4) measurement 

Embedded 

System 

Current Probe


• Acquisition of many traces 

• Proper equipment 

• Proper setup 

• Or, “Garbage in – Garbage Out”


• Signal processing 

• Filtering 

• Alignment 

• Resampling 

• Cut/paste 

• Bucket


• Statistical analysis of the trace set 

• First-order analysis – single point on a trace vs. model 

• Differential 

• Correlation 

• Higher-order analysis – multiple points on a trace vs. model 

• Works against protected implementations 

• Other attacks


• Statistical analysis of the trace set – How? 

• FOSS tools: https://github.com/SideChannelMarvels 

• Entry-level hardware: ChipWhisperer 

• Commercial tools: Riscure Inspector


• Further reading 

• ZeroNights 2014, Roman Korkikyan, “Deriving cryptographic keys via 

power consumption” 

• http://2014.zeronights.org/assets/files/slides/korkikyan.pdf

Fault injection Basics 

• Hardware is FRAGILE 

• Introduce glitches in power supply 

• Introduce glitches in CLK 

• Directly supply energy to parts of the chip 

• Laser 

• EM field 

• Invasive techniques 

• Edit & Probe the silicon


• Cryptography is FRAGILE 

• Errors propagate 

• State depends on the key (and data) 

• (Error+State) propagates too 

• Output is now more a function of a key than before 

• Sometimes, a single-bit flip = key extracted 

• Most of the time = solve a system of (linear) equations


• Why symmetric crypto fails under FI? 

• Magic does not happen at once 

• Symmetric crypto is done in rounds 

• Data (fault) propagation per round is limited 

• Faults in state remove data dependencies 

• Key is linearly combined with the faulty state


• Why asymmetric crypto fails under FI? 

• All assumptions fail 

• Prime numbers become composite with a single bit flip 

• Points on a strong ECC curve become points on weaker curves 

• …

White-box Cryptography Basics 

• Side Channel and Fault Injection the gray box scenario 

• A hardware black box does not protect the state (the key) 

• Even gray boxes no longer sufficient to secure the current ecosystem 

• Hardware is not free and cannot be delivered over the wire 

• Can we make cryptography secure on an untrusted hardware? 

• Mobile (Payments/Banking/HCE) 

• Content Protection (DRM) 

• … 

• How to hide the key in plain sight of the attacker?


• Assumptions: 

• Even the hardware is now untrusted 

• The attacker can read the code AND the key 

• Can it still be secure? 

• Let’s mix the key in the algorithm. Code == Key 

• Tables 

• Dark magic 

• Tables & dark magic 

• And obfuscate the code, make the white-box self-aware 

• To avoid key extraction and arbitrary code reuse (lifting)


Images (c) Brecht Wyseur http://www.whiteboxcrypto.com/

Breaking White-box Cryptography 

• White-boxed algorithms 

• DES 

• AES 

• RSA 

• ECC 

• SHA256, SHA256-HMAC 

• … 

• Fight magic with magic?

• Fight magic with magic… 

Breaking White-box Cryptography


• Fight magic with magic… 

• Or apply brutal hardware attacks 

• Naïve white-box implementations do 

not solve the gray-box problems 

• If crypto happens, the state is there 

• If crypto happens, the fragile parts are 

there, too


• Eloi Sanfelix, Cristofaro Mune, Job de 

Haas, “Unboxing the White-Box” BH EU 

2015 

• https://www.blackhat.com/docs/eu- 

15/materials/eu-15-Sanfelix-Unboxing-The- 

White-Box-Practical-Attacks-Against- 

Obfuscated-Ciphers-wp.pdf 

• Joppe W Bos, Charles Hubain, Wil 

Michiels, Philippe Teuwen “Differential 

Computation Analysis: Hiding your 

White-Box Designs is Not Enough” 

• https://eprint.iacr.org/2015/753


• Side-channel attacks on WBC 

• Run on “hardware” 

• attack as if it was a pure hardware cipher 

• – What is leaking? – Everything! 

• Memory 

• Values in registers 

• “Trace” is now data dump over time


• Why (some) WBC fails under side channel? 

• Linearity = leakage 

• Sasdrich, Pascal, Amir Moradi, and Tim Güneysu. "White-Box Cryptography in 

the Gray Box.“ 

• http://eprint.iacr.org/2016/203.pdf


• Fault injection attacks on WBC 

• Run on “hardware” 

• attack as if it was a pure hardware cipher 

• – What can we glitch? – Anything! 

• Memory 

• Values in registers

Software Crypto Instrumentation 

• Need to tap into the code flow and data. How? 

• Manual code manipulation at run time (hook/inject/debug) 

• Decompile & recompile with probes 

• Dynamic Binary Instrumentation 

• Emulation (with probes) 

• Absolute worst case: run on real hardware and bring the big guns


• Manual code manipulation at run time (hook/inject/debug) 

• + Easy to start from a software RE/expl. background 

• – Lower speed (esp. when debugging, need to tap into everything) 

• – Need to bypass anti-debug countermeasures 

• – Scripting debuggers is ugly


• Decompile & recompile with probes 

• + Easy to start from a software RE/expl. background 

• + Speed 

• – lots of manual corrections 

• – some RE & understanding of the target needed



• Intel PIN 

• Valgrind 

• DynamoRIO 

• (Frida) http://www.frida.re/ 

• https://github.com/SideChannelMarvels already has one



• + Flexibility 

• + Stealth 

• – architecture-specific issues



• Platform-level emulation = The mighty QEMU 

• Unicorn Engine (not a platform, only a CPU) http://www.unicorn-engine.org/ 

• Standalone 

• IDA plugin 

• Awesome 

• PANDA (a full platform) https://github.com/moyix/panda 

• Record traces and replay 

• Plugin framework 

• Awesome (but slow)



• + Flexibility 

• + Stealth 

• + Speed 

• – Platform-level emulation is slow


• What to do? Side-channel: 

• Log all memory accesses 

• Address 

• Value & Size 

• Log all registers 

• What to do? Fault injection: 

• Flip bits in memory values and memory addresses 

• Flip bits in registers 

• KEEP TRACK OF THE PROGRAM COUNTER == TIME


• Narrow down the addresses and PC range 

• Compare execution traces, identifying data and key dependencies 

• Side-channel – easy optimizations 

• Memory writes are more useful than reads 

• Most registers are redundant (sometimes LSB is enough) 

• Data can be compressed/discarded on the fly 

• Fault injection – easy optimizations 

• Keep track of what you glitch

DEMO 1 

• White-boxed AES in JS from https://github.com/tsu-iscd/jcrypto 

• Fault injection attack in 9 th round 

• Using https://github.com/SideChannelMarvels/JeanGrey to extract 

the key

Software Crypto Instrumentation Challenges 

• Huge traces for SCA 

• ~1GHz CPUs, white-box can run in 0.1s, easily 100 M instructions x N bytes 

per instruction = a lot of data 

Compress and discard more aggressively


• Misalignment 

• Leakage location depends on input 

Do aggressive signal processing 

Smart emulation (CFG?)


• Glitching runs wild 

• Unwanted glitching of return addresses 

• Unwanted glitching of instruction loading addresses 

Simple heuristics when glitching, better focus

Bonus: Attacking Regular Software Crypto 

• Why? 

• Directly applicable on regular software crypto 

• Defeat obfuscation without deobfuscating 

• What is executable will be executed and WILL leak / WILL be glitchable 

• Minimum reverse engineering 

• Ideally, locate the target function in time domain only 

• Can be tailored into a point-and-click solution if needed

Bonus: Attacking Regular Software Crypto 

• But… hardware acceleration? AES-NI, etc.? 

• Only for symmetric crypto. 

• Maybe forbidden by obfuscator/protector 

• Often not applicable due to platform diversity 

• E.g. standard crypto extensions for ARM are not there yet, etc. 

• Or, emulate & get the key from emulator’s implementation 

• Or, emulate & apply DCA on the whole emulator 

• Worst case, debug & get the key from registers, as usual

DEMO 2 

• OLLVM-Obfuscated standard AES encryption 

• Side-channel leakage is memory accesses 

• Using Riscure Inspector to extract the key

SCA & FI: Beyond Attacking Crypto 

• Any state can be leaked via SCA 

• Any data dependency 

• PIN/Key/Password lengths 

• Hamming weights/distances of values 

• Code structure / CFG leaks too 

• Basic blocks in CFG may be recognizable


• Any state can be affected via FI 

• Most critical – bypass security mechanisms 

• MAC/Signature/PIN/Password checks 

• Secure Boot 

• … 

Niek Timmers, Albert Spruyt: “Bypassing Secure Boot using Fault Injection”, BH EU 2016 

https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing-Secure-Boot-Using- 

Fault-Injection.pdf


• Countermeasures exist 

• SCA countermeasures 

• FI countermeasures



• Most are patented, bad news for silicon and crypto vendors 

• Reduce leakages (double rail logic, shields, …) 

• Introduce noise and jitter 

• Shuffle the state in time domain 

• Masking 

• Encodings between rounds


• FI countermeasures 

• Most are patented, bad news for silicon and crypto vendors 

• Best idea: verify everything 

• Transform the algorithms 

• To allow verification on side effects of the calculations 

• To propagate errors DRAMATICALLY, diffusing the key dependencies 

• Hardware: 

• Awareness – sensors: glitch, light, EM, …


• State-of-the-art white-box crypto, as seen in highly competitive 

markets like content protection, is tough: 

• All of the above 


• FI countermeasures 

• State-of-the-art obfuscation, anti-debug, anti-emulation and anti-DBI 

• Attacking == Defusing an explosive black box with a hammer 

• If possible, uses encodings 

• Internal encoding: 

• LUT = g ∘ LUT ∘ f −1 

• External encoding: 

• AES k ′ = G ∘ AES k ∘ F −1 

• AES k ′ (m) is unusable by anyone, except the vendor who can decode


• More countermeasures for white-box crypto: 

• Remember, state = key. Diffuse the state so it is too large to easily extract or 

compress 

• Bogdanov, A., & Isobe, T.. (2015). White-Box Cryptography Revisited: Space-Hard 

Ciphers. ACM Conference on Computer and Communications Security. 

10.1145/2810103.2813699

Conclusions 

• It is still possible to break crypto without being a cryptographer 

• Academy is busy constructing funny whiteboxes 

• Thinking out of the box helps 

• Best hacks happen on an edge 

• Proper tools 

• Continuously evaluate your product before it hits the market 

• The fight goes on…

Questions?

References 

• http://langsec.org/papers/Bratus.pdf 

• http://2014.zeronights.org/assets/files/slides/korkikyan.pdf 

• https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The- 

White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf 

• https://eprint.iacr.org/2015/753 

• http://eprint.iacr.org/2016/203.pdf 

• https://github.com/SideChannelMarvels 

• http://www.frida.re 

• http://www.unicorn-engine.org 

• https://github.com/moyix/panda 

• https://www.blackhat.com/docs/eu-16/materials/eu-16-Timmers-Bypassing- 

Secure-Boot-Using-Fault-Injection.pdf

Challenge your security 

We are hiring! 

www.riscure.com/careers 

Riscure B.V. 

Frontier Building, Delftechpark 49 

2628 XJ Delft 

The Netherlands 

Phone: +31 15 251 40 90 

Riscure North America 

550 Kearny St. 

Suite 330 

San Francisco, CA 94108 

+1 (650) 646 9979 

www.riscure.com 

inforequest@riscure.com

Breaking Crypto For Dummies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?