Differential Electromagnetic Attacks on a 32-bit Microprocessor Using Software Defined Radios

Bibliographic Details
Published in IEEE transactions on information forensics and security Vol. 8; no. 12; pp. 2101 - 2114
Main Authors Montminy, David P., Baldwin, Rusty O., Temple, Michael A., Oxley, Mark E.
Format Journal Article
Language English
Published New York, NY IEEE 01.12.2013
Institute of Electrical and Electronics Engineers
Abstract Side-channel analysis has been used to successfully attack many cryptographic systems. However, to improve trace quality and make collection of side-channel data easier, the attacker typically modifies the target device to add a trigger signal. This trigger implies a very powerful attacker with virtually complete control over the device. This paper describes a method to collect side-channel data using a software defined radio (SDR) in real-time without requiring a collection device trigger. A correlation-based frequency-dependent leakage mapping technique is introduced to evaluate a 32-bit microprocessor, revealing that individual key bytes leak at different frequencies. Key byte-dependent leakage is observed in both SDR collected and triggered oscilloscope-based collections (which serve to validate the SDR data). This research is the first to demonstrate effective differential attack using SDRs. Successful attacks are presented using two SDRs, including a US20 digital television receiver with modified drivers.
Author_xml – sequence: 1
  givenname: David P.
  surname: Montminy
  fullname: Montminy, David P.
  email: david.montminy@afit.edu
  organization: Department of Electrical and Computer Engineering, U.S. Air Force Institute of Technology, Wright-Patterson AFB, OH, USA
– sequence: 2
  givenname: Rusty O.
  surname: Baldwin
  fullname: Baldwin, Rusty O.
  email: rusty.baldwin@afit.edu
  organization: Department of Electrical and Computer Engineering, U.S. Air Force Institute of Technology, Wright-Patterson AFB, OH, USA
– sequence: 3
  givenname: Michael A.
  surname: Temple
  fullname: Temple, Michael A.
  email: michael.temple@afit.edu
  organization: Department of Electrical and Computer Engineering, U.S. Air Force Institute of Technology, Wright-Patterson AFB, OH, USA
– sequence: 4
  givenname: Mark E.
  surname: Oxley
  fullname: Oxley, Mark E.
  email: mark.oxley@afit.edu
  organization: Department of Electrical and Computer Engineering, U.S. Air Force Institute of Technology, Wright-Patterson AFB, OH, USA
BackLink http://pascal-francis.inist.fr/vibad/index.php?action=getRecordDetail&idt=28073840$$DView record in Pascal Francis
CODEN ITIFA6
CitedBy_id crossref_primary_10_1016_j_cose_2021_102471
crossref_primary_10_1109_MSP_2018_2888893
crossref_primary_10_3390_s16091453
crossref_primary_10_1142_S0218127422501103
crossref_primary_10_1109_ACCESS_2019_2944902
crossref_primary_10_3390_e25030505
Cites_doi 10.1007/978-3-642-21040-2_9
10.1007/s13389-011-0006-y
10.1007/3-540-45418-7_17
10.1007/978-3-642-37288-9_17
10.1145/1854099.1854126
10.2307/2331838
10.1109/JRPROC.1949.232969
10.1109/MSP.2011.942308
ContentType Journal Article
Copyright 2015 INIST-CNRS
Copyright_xml – notice: 2015 INIST-CNRS
DOI 10.1109/TIFS.2013.2287600
DatabaseName IEEE All-Society Periodicals Package (ASPP) 2005-present
IEEE All-Society Periodicals Package (ASPP) 1998-Present
IEEE Electronic Library Online
Pascal-Francis
CrossRef
DatabaseTitle CrossRef
Discipline Engineering
Computer Science
Applied Sciences
EISSN 1556-6021
EndPage 2114
ExternalDocumentID 10_1109_TIFS_2013_2287600
28073840
6648681
Genre orig-research
ISSN 1556-6013
IngestDate Fri Dec 06 04:03:55 EST 2024
Thu Nov 24 18:34:28 EST 2022
Mon Nov 04 11:48:52 EST 2024
IsDoiOpenAccess false
IsOpenAccess true
IsPeerReviewed true
IsScholarly true
Issue 12
Keywords Side channel attack
Differential cryptanalysis
frequency mapping
Electromagnetism
Digital television
Leak
software defined radio
Television receiver
Real time
sub-Nyquist
Frequency effect
Physical attacks
Differential analyzer
differential attack
Side-channel analysis
Private key
information leakage
Public key
Nyquist criterion
Microprocessor
Cryptography
Computer security
Software radio
Language English
License CC BY 4.0
https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/USG.html
LinkModel DirectLink
OpenAccessLink https://doi.org/10.1109/tifs.2013.2287600
PageCount 14
ParticipantIDs crossref_primary_10_1109_TIFS_2013_2287600
pascalfrancis_primary_28073840
ieee_primary_6648681
PublicationCentury 2000
PublicationDate 2013-12-01
PublicationDateYYYYMMDD 2013-12-01
PublicationDate_xml – month: 12
  year: 2013
  text: 2013-12-01
  day: 01
PublicationDecade 2010
PublicationPlace New York, NY
PublicationPlace_xml – name: New York, NY
PublicationTitle IEEE transactions on information forensics and security
PublicationTitleAbbrev TIFS
PublicationYear 2013
Publisher IEEE
Institute of Electrical and Electronics Engineers
Publisher_xml – name: IEEE
– name: Institute of Electrical and Electronics Engineers
StartPage 2101
SubjectTerms Applied sciences
Bandwidth
Broadcasting. Videocommunications. Audiovisual
Computer science; control theory; systems
Correlation
Cryptography
differential attack
Encryption
Exact sciences and technology
frequency mapping
information leakage
Information, signal and communications theory
Memory and file management (including protection and security)
Memory organisation. Data processing
Oscilloscopes
Radiocommunications
Side-channel analysis
Signal and communications theory
Software
software defined radio
Software radio
sub-Nyquist
Telecommunications
Telecommunications and information theory
Television
URI https://ieeexplore.ieee.org/document/6648681
Volume 8