0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/109 Thanks! 1 00:00:10,460 --> 00:00:12,919 So I will I will just 2 00:00:12,920 --> 00:00:15,019 start my talk right now without any 3 00:00:15,020 --> 00:00:17,029 without any slides, and so who knows 4 00:00:17,030 --> 00:00:18,350 about side channel attacks, 5 00:00:19,700 --> 00:00:21,919 so many people and who of 6 00:00:21,920 --> 00:00:24,079 us already picked a mechanical lock here 7 00:00:24,080 --> 00:00:26,419 at three three? 8 00:00:26,420 --> 00:00:27,439 So not so many. 9 00:00:27,440 --> 00:00:29,359 This is basically also a form of a side 10 00:00:29,360 --> 00:00:30,619 channel attack. 11 00:00:30,620 --> 00:00:32,449 So when you pick a mechanical lock or 12 00:00:32,450 --> 00:00:34,309 when you open the mechanical safe by 13 00:00:34,310 --> 00:00:36,439 listening to the clicks of the lock 14 00:00:36,440 --> 00:00:38,989 or by fiddling with the where you have to 15 00:00:38,990 --> 00:00:41,159 push the pins down, then you use 16 00:00:41,160 --> 00:00:43,369 the side channel of the sound 17 00:00:43,370 --> 00:00:45,449 in the case of a safe box or 18 00:00:45,450 --> 00:00:47,809 as a side channel of your feeling 19 00:00:47,810 --> 00:00:50,119 in your hand to get all the pins 20 00:00:50,120 --> 00:00:51,120 down. 21 00:00:52,070 --> 00:00:54,229 And this is a very similar principles 22 00:00:54,230 --> 00:00:56,809 that we apply to embedded devices 23 00:00:56,810 --> 00:00:58,909 in in our research, and I 24 00:00:58,910 --> 00:01:01,129 say our research because this has been, 25 00:01:01,130 --> 00:01:03,049 yeah, work with quite so many people 26 00:01:03,050 --> 00:01:05,208 actually. Like if if we had 27 00:01:05,209 --> 00:01:07,339 slides, then I could, I could show 28 00:01:07,340 --> 00:01:08,340 it to you. 29 00:01:09,380 --> 00:01:10,380 So. 30 00:01:12,360 --> 00:01:14,479 So we, of course, do not listen to 31 00:01:14,480 --> 00:01:16,849 the mechanical sound of an electronic 32 00:01:16,850 --> 00:01:18,499 device like a chip, although this has 33 00:01:18,500 --> 00:01:20,809 been in the media, I think a couple 34 00:01:20,810 --> 00:01:21,969 of days ago. 35 00:01:21,970 --> 00:01:24,529 So this story by Sharma has 36 00:01:24,530 --> 00:01:26,629 anybody read us said 37 00:01:26,630 --> 00:01:28,459 or also many people, the story is 38 00:01:28,460 --> 00:01:30,889 actually over 10 years old, 39 00:01:30,890 --> 00:01:32,809 but somehow, magically it reappeared. 40 00:01:32,810 --> 00:01:35,089 I don't know how it happened and 41 00:01:35,090 --> 00:01:37,159 what what we use in our our 42 00:01:37,160 --> 00:01:39,379 research is usually the power consumption 43 00:01:39,380 --> 00:01:41,449 of the electromagnetic emanation of 44 00:01:41,450 --> 00:01:42,859 of a chip. 45 00:01:42,860 --> 00:01:44,929 So you can imagine if if a 46 00:01:44,930 --> 00:01:47,269 transistor switches inside a processor, 47 00:01:47,270 --> 00:01:49,969 inside a microcontroller, inside an FPGA 48 00:01:49,970 --> 00:01:52,249 or wherever, you 49 00:01:52,250 --> 00:01:54,349 always have some small variation 50 00:01:54,350 --> 00:01:56,809 of the power consumption or ZM, Signal 51 00:01:56,810 --> 00:01:57,769 also whizzes. 52 00:01:57,770 --> 00:02:00,349 And this is the rationale behind 53 00:02:00,350 --> 00:02:02,479 all side channel attacks, basically that 54 00:02:02,480 --> 00:02:04,939 you can detect as very small changes 55 00:02:04,940 --> 00:02:06,860 and that you then can, 56 00:02:08,030 --> 00:02:09,859 yeah, extract secret keys. 57 00:02:09,860 --> 00:02:11,929 Was it in the simple case you just read 58 00:02:11,930 --> 00:02:13,309 off a secret key? 59 00:02:13,310 --> 00:02:15,559 So thinking of 60 00:02:15,560 --> 00:02:17,539 RSA algorithm, for instance, I think 61 00:02:17,540 --> 00:02:19,719 everybody's familiar with said what 62 00:02:19,720 --> 00:02:21,620 the basic operation is there is 63 00:02:22,730 --> 00:02:24,319 you do a lot of squaring and 64 00:02:24,320 --> 00:02:25,520 multiplications, right? 65 00:02:26,720 --> 00:02:28,399 And depending on whether a key build is 66 00:02:28,400 --> 00:02:30,499 set when you generate a signature, for 67 00:02:30,500 --> 00:02:33,139 instance, you do is a multiplier 68 00:02:33,140 --> 00:02:36,439 or multiply and a square operation. 69 00:02:36,440 --> 00:02:38,959 So multiply operation 70 00:02:38,960 --> 00:02:41,119 on an on a process has 71 00:02:41,120 --> 00:02:43,449 a different power consumption, then 72 00:02:43,450 --> 00:02:45,049 send a squaring operation. 73 00:02:45,050 --> 00:02:46,759 So in the simple case, when the device 74 00:02:46,760 --> 00:02:48,889 unprotected, you simply see, OK, the 75 00:02:48,890 --> 00:02:50,989 power consumption is higher here, lower 76 00:02:50,990 --> 00:02:53,279 here. So I will have 77 00:02:53,280 --> 00:02:55,009 multiply it in the square, which means 78 00:02:55,010 --> 00:02:56,569 the keyboard is set to one. 79 00:02:56,570 --> 00:02:58,849 And otherwise you have 80 00:02:58,850 --> 00:03:00,829 just the square operation and you know, 81 00:03:00,830 --> 00:03:03,289 it was two zero and this was actually 82 00:03:03,290 --> 00:03:04,969 also houses. The text were 83 00:03:06,140 --> 00:03:08,839 or became popular in the 84 00:03:08,840 --> 00:03:10,009 academic world, let's say. 85 00:03:10,010 --> 00:03:12,079 So actually, I had on 86 00:03:12,080 --> 00:03:14,269 my first slide, it's a small logo and 87 00:03:14,270 --> 00:03:15,499 it's a free year. 88 00:03:15,500 --> 00:03:18,379 But now I go back a bit to NSA also. 89 00:03:18,380 --> 00:03:20,689 They had a back in Z. 90 00:03:20,690 --> 00:03:22,849 I think back in the day we 91 00:03:22,850 --> 00:03:24,139 need presentation slides. 92 00:03:24,140 --> 00:03:25,849 Maybe I have a USB. 93 00:03:27,590 --> 00:03:28,950 Yeah, sure. 94 00:03:34,640 --> 00:03:37,459 So I'll speak on from down here 95 00:03:37,460 --> 00:03:38,809 for full action. 96 00:03:43,160 --> 00:03:45,439 So it was the NSA initially or 97 00:03:45,440 --> 00:03:47,539 American Census tampers program as it 98 00:03:47,540 --> 00:03:49,909 tried to read for this bulky old cipher 99 00:03:49,910 --> 00:03:52,609 machine presses that were were 100 00:03:52,610 --> 00:03:54,469 done from a distance or read your screen 101 00:03:54,470 --> 00:03:56,269 from a distance through a wall. 102 00:03:56,270 --> 00:03:58,429 And this is the first instance of a side 103 00:03:58,430 --> 00:04:00,019 channel attack in this case. 104 00:04:00,020 --> 00:04:02,689 But in academia, it became like popular, 105 00:04:02,690 --> 00:04:04,879 starting in roundabout 106 00:04:04,880 --> 00:04:06,399 ninety six. 107 00:04:06,400 --> 00:04:08,749 So then some biology student 108 00:04:08,750 --> 00:04:10,879 Paul Kocher, actually, he had his 109 00:04:10,880 --> 00:04:13,489 oscilloscope connected to back then 110 00:04:13,490 --> 00:04:15,979 banking cards and could really performs. 111 00:04:15,980 --> 00:04:18,109 Is this a text 112 00:04:18,110 --> 00:04:19,398 and read of the secret key? 113 00:04:19,399 --> 00:04:21,559 And now, oh, we're good 114 00:04:21,560 --> 00:04:22,519 to go. 115 00:04:22,520 --> 00:04:24,959 Great. So, yeah, let's 116 00:04:24,960 --> 00:04:26,149 have a fun. 117 00:04:34,920 --> 00:04:36,839 So it was good that we had this plan 118 00:04:36,840 --> 00:04:38,999 problem here. Was, of course, on purpose, 119 00:04:39,000 --> 00:04:40,769 and now I can skip over all the slides. 120 00:04:40,770 --> 00:04:43,049 There are of no importance anywhere. 121 00:04:43,050 --> 00:04:45,179 So this are the people I've been. 122 00:04:45,180 --> 00:04:47,159 I've been working with quite some long 123 00:04:47,160 --> 00:04:48,959 list during the past few years 124 00:04:50,040 --> 00:04:52,199 and this introduction already gave 125 00:04:52,200 --> 00:04:54,359 where right now here and keeps 126 00:04:54,360 --> 00:04:55,559 this map layout in place. 127 00:04:55,560 --> 00:04:57,479 It has some meaning for the presentation 128 00:04:57,480 --> 00:04:59,759 and beautiful book is here where this 129 00:04:59,760 --> 00:05:01,829 is based, where all the 130 00:05:01,830 --> 00:05:04,139 research about 18 security 131 00:05:04,140 --> 00:05:06,299 is done in Belgium looks 132 00:05:06,300 --> 00:05:08,159 like this. As I said, very beautiful on a 133 00:05:08,160 --> 00:05:10,439 non rainy day 134 00:05:10,440 --> 00:05:12,629 and both met some 135 00:05:12,630 --> 00:05:13,529 problems in the past. 136 00:05:13,530 --> 00:05:15,779 While Nokia was based in Belgium 137 00:05:15,780 --> 00:05:17,939 and they left Balkans, they are almost 138 00:05:17,940 --> 00:05:20,249 bankrupt now, went 139 00:05:20,250 --> 00:05:22,469 to Romania and closed it down since then. 140 00:05:22,470 --> 00:05:24,599 So we have this 141 00:05:24,600 --> 00:05:26,939 loss. This industry open will also 142 00:05:26,940 --> 00:05:29,699 close down very soon, 143 00:05:29,700 --> 00:05:30,959 so we have to do something new and 144 00:05:30,960 --> 00:05:32,819 Balkan, which is ideal security and there 145 00:05:32,820 --> 00:05:35,129 is with with this guy comes 146 00:05:35,130 --> 00:05:37,349 into play and also small companies 147 00:05:37,350 --> 00:05:39,479 that I founded together with Timor, 148 00:05:39,480 --> 00:05:41,579 which is called Casben Oswald or short 149 00:05:41,580 --> 00:05:42,580 course. 150 00:05:43,110 --> 00:05:44,550 As you could see in the introduction 151 00:05:46,260 --> 00:05:47,789 this hour and you said here is that you 152 00:05:47,790 --> 00:05:50,279 are ready for the mini chameleon 153 00:05:50,280 --> 00:05:52,049 until you see that we actually build it 154 00:05:52,050 --> 00:05:53,669 and that it actually works. 155 00:05:53,670 --> 00:05:56,249 I tested it successfully already with the 156 00:05:56,250 --> 00:05:58,459 hotel lock here and. 157 00:06:00,020 --> 00:06:01,020 So. 158 00:06:06,620 --> 00:06:08,480 And as I said, we have 159 00:06:09,770 --> 00:06:11,569 or come into a side channel attacks, we 160 00:06:11,570 --> 00:06:13,469 have embedded systems everywhere. 161 00:06:13,470 --> 00:06:15,019 Is this where such an attack usually 162 00:06:15,020 --> 00:06:17,339 makes sense? This BGP thing, which 163 00:06:17,340 --> 00:06:19,399 mirrors kind of an exception 164 00:06:19,400 --> 00:06:21,559 that you perform such an attack on 165 00:06:21,560 --> 00:06:23,599 a PC, usually you target embedded 166 00:06:23,600 --> 00:06:25,069 devices. 167 00:06:25,070 --> 00:06:27,179 So is this my protagonist for 168 00:06:27,180 --> 00:06:28,519 the presentation? 169 00:06:28,520 --> 00:06:29,989 It's a typical pirate. 170 00:06:29,990 --> 00:06:32,179 I took him for no reason 171 00:06:32,180 --> 00:06:34,249 because pirates are cool, and 172 00:06:34,250 --> 00:06:36,649 she has the typical hat, eyepatch peg leg 173 00:06:36,650 --> 00:06:37,729 and the laughter. 174 00:06:37,730 --> 00:06:39,889 By the way, on this most graphics 175 00:06:39,890 --> 00:06:42,229 that look like this, I painted them in Ms 176 00:06:42,230 --> 00:06:44,179 Paint with sand. 177 00:06:44,180 --> 00:06:45,180 Not all of them. 178 00:06:49,490 --> 00:06:51,109 So by the Pirate, of course, lives in the 179 00:06:51,110 --> 00:06:52,789 modern world, for instance, he has his TV 180 00:06:52,790 --> 00:06:54,769 set connected to some set top box, or 181 00:06:54,770 --> 00:06:56,269 maybe that's already built in. 182 00:06:56,270 --> 00:06:58,549 Inside, you'll find FPGA 183 00:06:58,550 --> 00:07:00,290 or reprogramable logic chips. 184 00:07:02,270 --> 00:07:04,369 Yes, of course, a treasure chest like 185 00:07:04,370 --> 00:07:06,079 every good pirate, but it's not locked in 186 00:07:06,080 --> 00:07:07,819 a mechanical way, but with an electronic 187 00:07:07,820 --> 00:07:10,309 lock. So you need some electronic token 188 00:07:10,310 --> 00:07:12,499 that sends radio signals out to unlock 189 00:07:12,500 --> 00:07:13,789 the chest and inside of some 190 00:07:13,790 --> 00:07:16,219 microcontroller that does all the 191 00:07:16,220 --> 00:07:18,139 cryptographic operations necessary. 192 00:07:19,280 --> 00:07:21,469 Yes, of course, computer likes this 193 00:07:21,470 --> 00:07:22,909 beautiful netbook says. 194 00:07:22,910 --> 00:07:25,159 And so working so fine and to lock 195 00:07:25,160 --> 00:07:27,439 in. He doesn't use this password only, 196 00:07:27,440 --> 00:07:29,719 but a one time password token. 197 00:07:29,720 --> 00:07:31,159 Also like this YubiKey. 198 00:07:31,160 --> 00:07:33,409 And this will actually be the 199 00:07:33,410 --> 00:07:35,539 three examples for this presentation I'm 200 00:07:35,540 --> 00:07:36,559 going to talk about. 201 00:07:36,560 --> 00:07:38,629 I hope I managed to fit it into 202 00:07:38,630 --> 00:07:40,699 the times that has reduced a bit more 203 00:07:40,700 --> 00:07:41,719 now. 204 00:07:41,720 --> 00:07:44,029 So as this important circle of its 205 00:07:44,030 --> 00:07:46,099 security puts a beaver that 206 00:07:46,100 --> 00:07:48,619 I obviously did not paint myself 207 00:07:49,880 --> 00:07:52,189 as the constructive side of it security 208 00:07:52,190 --> 00:07:54,019 because this is the nature's engineer, 209 00:07:54,020 --> 00:07:56,119 you know, and the hacker is 210 00:07:56,120 --> 00:07:57,229 a pirate on the other side. 211 00:07:57,230 --> 00:07:58,939 And there's the very important circles 212 00:07:58,940 --> 00:08:00,349 that the hacker analyzes. 213 00:08:00,350 --> 00:08:02,429 Real world products reports the 214 00:08:02,430 --> 00:08:04,489 flaw to the developer, 215 00:08:04,490 --> 00:08:06,229 and he can then improve and in a 216 00:08:06,230 --> 00:08:08,359 continuous cycle, more secure 217 00:08:08,360 --> 00:08:10,339 products for for a modern world. 218 00:08:11,570 --> 00:08:13,759 So this already 219 00:08:13,760 --> 00:08:15,679 explained a bit sideshow analytics that 220 00:08:15,680 --> 00:08:17,929 work like in a bank robbery when you have 221 00:08:17,930 --> 00:08:20,199 a side channel of sound and nowadays use 222 00:08:20,200 --> 00:08:22,729 side channel of emanation 223 00:08:22,730 --> 00:08:23,659 or power consumption. 224 00:08:23,660 --> 00:08:25,189 And of course, you don't use a stitch 225 00:08:25,190 --> 00:08:28,099 scope but an oscilloscope 226 00:08:28,100 --> 00:08:30,199 to attack a cryptographic socket, for 227 00:08:30,200 --> 00:08:31,999 instance. And this is like this, for 228 00:08:32,000 --> 00:08:34,249 instance, such an electromagnetic probe 229 00:08:34,250 --> 00:08:36,529 to records the emanations. 230 00:08:38,570 --> 00:08:40,849 This again, shows what I also 231 00:08:40,850 --> 00:08:42,379 explained. Depending on the data you 232 00:08:42,380 --> 00:08:44,449 process, the power consumption 233 00:08:44,450 --> 00:08:46,699 varies a tiny bit as one clock cycle 234 00:08:46,700 --> 00:08:48,829 of an atom figure here, and depending 235 00:08:48,830 --> 00:08:51,049 on if all bets bits are set 236 00:08:51,050 --> 00:08:52,579 or all are set to zero. 237 00:08:52,580 --> 00:08:54,529 You have a different power consumption 238 00:08:54,530 --> 00:08:55,530 here. 239 00:08:56,890 --> 00:08:59,039 This is example for the hours 240 00:08:59,040 --> 00:09:00,739 where you can directly read of the key, 241 00:09:00,740 --> 00:09:02,719 which was the first instance of a side 242 00:09:02,720 --> 00:09:03,769 channel attack, actually. 243 00:09:05,360 --> 00:09:07,999 So usually we use 244 00:09:08,000 --> 00:09:10,129 another technique because our 245 00:09:10,130 --> 00:09:12,589 example works fine for algorithms like 246 00:09:12,590 --> 00:09:14,689 RSA, which involve multiplications and 247 00:09:14,690 --> 00:09:15,589 square rings. 248 00:09:15,590 --> 00:09:17,659 But for Blocks Cipher, you have a 249 00:09:17,660 --> 00:09:20,119 very atomic operations and work on 250 00:09:20,120 --> 00:09:21,919 a larger stage usually. 251 00:09:21,920 --> 00:09:23,359 And this is where differential power 252 00:09:23,360 --> 00:09:24,529 analysis comes into play. 253 00:09:24,530 --> 00:09:26,719 It is based on a statistical 254 00:09:26,720 --> 00:09:28,909 test to match the 255 00:09:28,910 --> 00:09:31,369 measured side channel signal with small 256 00:09:31,370 --> 00:09:33,319 key hypotheses. 257 00:09:33,320 --> 00:09:35,449 So it's like brute force attack, but you 258 00:09:35,450 --> 00:09:37,639 look into the cipher and then are able 259 00:09:37,640 --> 00:09:39,829 to find, for instance, eight bit of the 260 00:09:39,830 --> 00:09:41,899 ASCII at a time because you have some 261 00:09:41,900 --> 00:09:43,009 side channel. 262 00:09:43,010 --> 00:09:44,929 I explain it usually like this. 263 00:09:44,930 --> 00:09:47,239 So this is from the comics about the 264 00:09:47,240 --> 00:09:49,399 Higgs boson, how it was detected. 265 00:09:49,400 --> 00:09:51,079 So you have basically two options. 266 00:09:51,080 --> 00:09:53,029 There is no Higgs boson or there was the 267 00:09:53,030 --> 00:09:55,309 Higgs boson, and there is a tiny, tiny 268 00:09:55,310 --> 00:09:58,669 difference between these two hypotheses. 269 00:09:58,670 --> 00:10:00,949 And to detect this hypothesis, 270 00:10:00,950 --> 00:10:03,579 which in our case is no Higgs boson, 271 00:10:03,580 --> 00:10:05,449 it's the wrong key candidate. 272 00:10:05,450 --> 00:10:07,459 Or yes, Higgs boson is the correct 273 00:10:07,460 --> 00:10:09,589 candidate. You need to record a lot of 274 00:10:09,590 --> 00:10:11,719 measurements to average out the noise 275 00:10:11,720 --> 00:10:13,819 and then try to find the small 276 00:10:13,820 --> 00:10:14,729 difference. 277 00:10:14,730 --> 00:10:17,449 He says. You need a huge amount of data 278 00:10:17,450 --> 00:10:19,549 for our case. It varies a bit between 279 00:10:19,550 --> 00:10:21,469 100 measurements and millions of 280 00:10:21,470 --> 00:10:23,359 measurements, depending on whether you 281 00:10:23,360 --> 00:10:25,369 look at a modern smartcard or a simple 282 00:10:25,370 --> 00:10:26,370 microcontroller. 283 00:10:27,590 --> 00:10:29,839 Yes, so sorry about this speed 284 00:10:31,070 --> 00:10:32,869 with this introduction, but I want to 285 00:10:32,870 --> 00:10:33,799 come to practice. 286 00:10:33,800 --> 00:10:35,869 And for this, I want to look 287 00:10:35,870 --> 00:10:37,759 at three case studies and the first our 288 00:10:37,760 --> 00:10:39,859 FPGA is who does not know what 289 00:10:39,860 --> 00:10:41,839 an FPGA is? 290 00:10:41,840 --> 00:10:43,699 Nobody wants to himself. 291 00:10:43,700 --> 00:10:46,369 So I can skip the explanation here 292 00:10:46,370 --> 00:10:48,689 and we start in our home part of Pokémon 293 00:10:48,690 --> 00:10:50,779 Go to the go 294 00:10:50,780 --> 00:10:53,329 to us is always the conference locations 295 00:10:53,330 --> 00:10:55,309 where this was presented. 296 00:10:55,310 --> 00:10:58,039 More precisely, choose the FPGA 2013 297 00:10:58,040 --> 00:10:59,539 conference in Monterrey 298 00:11:01,670 --> 00:11:02,809 and look at FPGA. 299 00:11:02,810 --> 00:11:05,119 So FPGA is, as you know, reconfigurable 300 00:11:05,120 --> 00:11:06,409 a hardware device, and they're used 301 00:11:06,410 --> 00:11:08,059 everywhere where you need high bandwidth 302 00:11:08,060 --> 00:11:10,429 or low latency. 303 00:11:10,430 --> 00:11:12,499 Things like in routers, consumer products 304 00:11:12,500 --> 00:11:14,599 like set top boxes, cars and 305 00:11:14,600 --> 00:11:16,339 militaries. There was some video I could 306 00:11:16,340 --> 00:11:18,709 not find about this huge machine 307 00:11:18,710 --> 00:11:20,419 gun, which then has an FPGA. 308 00:11:20,420 --> 00:11:22,339 It's a side I could not find is. 309 00:11:22,340 --> 00:11:24,409 Unfortunately, the 310 00:11:24,410 --> 00:11:26,389 problem was FPGA is they have a large 311 00:11:26,390 --> 00:11:28,279 configuration bitstream, and this can be 312 00:11:28,280 --> 00:11:30,499 usually easily copied because it's stored 313 00:11:30,500 --> 00:11:32,599 externally because you cannot fit it 314 00:11:32,600 --> 00:11:34,729 all into the FPGA, except for a flash 315 00:11:34,730 --> 00:11:36,499 FPGA, as that also exists. 316 00:11:36,500 --> 00:11:38,209 But here we look at this at pages that 317 00:11:38,210 --> 00:11:40,309 have external memory, so you 318 00:11:40,310 --> 00:11:42,529 have some on the PCB, you have some flash 319 00:11:42,530 --> 00:11:44,599 memory and the FPGA on and on 320 00:11:44,600 --> 00:11:46,659 every boot up a complete. 321 00:11:46,660 --> 00:11:48,739 Figuration or bitstream is copied 322 00:11:48,740 --> 00:11:50,959 into the FPGA, so obviously 323 00:11:50,960 --> 00:11:53,119 it's a pirate who comes along here, 324 00:11:53,120 --> 00:11:56,029 you can easily 325 00:11:56,030 --> 00:11:58,249 get this bitstream and put it into 326 00:11:58,250 --> 00:12:00,409 a second FPGA, for instance, or try to 327 00:12:00,410 --> 00:12:02,509 reverse engineer that this is now 328 00:12:02,510 --> 00:12:04,699 a product pirate chances our political 329 00:12:04,700 --> 00:12:06,679 correct term for this. 330 00:12:06,680 --> 00:12:09,049 He can simply copy the speedster. 331 00:12:09,050 --> 00:12:10,969 Made this happen as far as I know, for 332 00:12:10,970 --> 00:12:13,099 instance, to Cisco 333 00:12:13,100 --> 00:12:15,169 in certain countries that the market was 334 00:12:15,170 --> 00:12:17,269 taken over by us copied products. 335 00:12:19,100 --> 00:12:21,049 So the solution, of course, is to encrypt 336 00:12:21,050 --> 00:12:22,339 our cryptographers. 337 00:12:22,340 --> 00:12:23,539 We encrypt. 338 00:12:23,540 --> 00:12:25,339 So the idea ideas, you put a 339 00:12:25,340 --> 00:12:27,949 cryptographic key ones at manufacturing 340 00:12:27,950 --> 00:12:30,079 time in the FPGA, then encrypt 341 00:12:30,080 --> 00:12:32,059 the bitstream was key, put it in 342 00:12:32,060 --> 00:12:34,339 encrypted form into the external memory. 343 00:12:34,340 --> 00:12:35,929 And now, without the knowledge of this 344 00:12:35,930 --> 00:12:38,209 key, the adversary cannot 345 00:12:38,210 --> 00:12:40,339 produce a second second 346 00:12:40,340 --> 00:12:42,469 FPGA that accepts this 347 00:12:42,470 --> 00:12:43,939 bitstream. And of course, you can also 348 00:12:43,940 --> 00:12:45,949 not reverse engineer it. 349 00:12:45,950 --> 00:12:48,319 So the security officers approach 350 00:12:48,320 --> 00:12:50,209 license the secrecy of this key, of 351 00:12:50,210 --> 00:12:51,210 course. 352 00:12:52,850 --> 00:12:54,929 The motivation for this work was now 353 00:12:54,930 --> 00:12:57,019 is that a colleague of mine, 354 00:12:57,020 --> 00:12:59,239 Amir Moradi, has already analyzed 355 00:12:59,240 --> 00:13:02,149 a lot of products from Xilinx, which is a 356 00:13:02,150 --> 00:13:04,399 market leader. An FPGA is like 357 00:13:04,400 --> 00:13:07,039 virtually all families up to the new 358 00:13:07,040 --> 00:13:09,319 six series by means of the side 359 00:13:09,320 --> 00:13:11,419 channel attacks and note here, 360 00:13:11,420 --> 00:13:13,819 all the refugees have very analytically 361 00:13:13,820 --> 00:13:16,309 still believed secure ciphers 362 00:13:16,310 --> 00:13:18,230 like the ace or triple digits or so. 363 00:13:19,280 --> 00:13:21,859 And the question was not what about 364 00:13:21,860 --> 00:13:24,109 Atara, which has a share of, I believe, 365 00:13:24,110 --> 00:13:26,839 30 percent or something in the market? 366 00:13:26,840 --> 00:13:28,489 So here's the situation was a bit 367 00:13:28,490 --> 00:13:31,609 different than with Xilinx because 368 00:13:31,610 --> 00:13:33,589 there was no documentation altogether 369 00:13:33,590 --> 00:13:35,599 available on the functioning of the 370 00:13:35,600 --> 00:13:37,759 device, so it was a 371 00:13:37,760 --> 00:13:39,889 complete black box to us. 372 00:13:39,890 --> 00:13:42,979 They were totally undocumented mechanisms 373 00:13:42,980 --> 00:13:44,869 that are used for some key derivation, 374 00:13:44,870 --> 00:13:46,939 which I'll explain in a bit. 375 00:13:46,940 --> 00:13:49,039 And for encryption 376 00:13:49,040 --> 00:13:51,259 also. So we had to get to that first. 377 00:13:52,580 --> 00:13:54,679 Fortunately, we could do that 378 00:13:54,680 --> 00:13:56,839 from the design software of Altera, 379 00:13:56,840 --> 00:13:59,089 which is called Quashes 380 00:13:59,090 --> 00:14:01,279 Tool with Ida Pro, which probably 381 00:14:01,280 --> 00:14:02,959 also all of you know here. 382 00:14:02,960 --> 00:14:05,779 And the nice thing is ultra left, all 383 00:14:05,780 --> 00:14:08,359 function names and odd symbols in there. 384 00:14:08,360 --> 00:14:10,429 So it was, 385 00:14:10,430 --> 00:14:11,430 yeah. 386 00:14:14,530 --> 00:14:16,769 It was really helpful, they 387 00:14:16,770 --> 00:14:18,539 simply forgot it, and my favorite is this 388 00:14:18,540 --> 00:14:20,189 functions and main functions called do 389 00:14:20,190 --> 00:14:21,699 some things as the original. 390 00:14:21,700 --> 00:14:23,879 And so this 391 00:14:23,880 --> 00:14:25,489 do something actually does this. 392 00:14:27,750 --> 00:14:30,629 It takes two keys in this case 393 00:14:30,630 --> 00:14:32,789 and the unencrypted bitstream, and 394 00:14:32,790 --> 00:14:34,949 it outputs some files that 395 00:14:34,950 --> 00:14:36,959 also can be programed into the FPGA with 396 00:14:36,960 --> 00:14:40,139 six keys and encrypted bitstream. 397 00:14:40,140 --> 00:14:42,959 So we had to get back both parts of that 398 00:14:42,960 --> 00:14:45,209 OSes. One thing is why two keys. 399 00:14:45,210 --> 00:14:47,429 So the idea behind this is 400 00:14:47,430 --> 00:14:49,859 they have some key derivation in there. 401 00:14:49,860 --> 00:14:52,109 So the two keys are put 402 00:14:52,110 --> 00:14:54,209 in the software and on the FPGA 403 00:14:54,210 --> 00:14:56,669 on programing into some function, 404 00:14:56,670 --> 00:14:59,009 which actually derives the real keys 405 00:14:59,010 --> 00:15:00,959 that is used for encryption. 406 00:15:00,960 --> 00:15:03,329 So the idea behind this is if you can, 407 00:15:03,330 --> 00:15:05,519 you need key one and two to 408 00:15:05,520 --> 00:15:07,719 program certain real key into 409 00:15:07,720 --> 00:15:09,839 the FPGA. So even if you get 410 00:15:09,840 --> 00:15:11,549 this real key, let's say with such a low 411 00:15:11,550 --> 00:15:13,649 tech or by probing or so, 412 00:15:13,650 --> 00:15:16,019 you have to 413 00:15:16,020 --> 00:15:17,939 inverts this function to programs the 414 00:15:17,940 --> 00:15:20,189 same key again into an FPGA into 415 00:15:20,190 --> 00:15:22,679 another Etheridge's to impede cloning. 416 00:15:24,420 --> 00:15:26,519 So we looked at 417 00:15:26,520 --> 00:15:28,709 this and found 418 00:15:28,710 --> 00:15:30,659 it's constructed like this after some 419 00:15:30,660 --> 00:15:32,549 weeks of reverse engineering. 420 00:15:32,550 --> 00:15:34,919 So the real key is derived by taking 421 00:15:34,920 --> 00:15:37,409 this key to a encrypting 422 00:15:37,410 --> 00:15:39,599 it under key one. 423 00:15:39,600 --> 00:15:41,999 So this should be a function that is, 424 00:15:42,000 --> 00:15:44,219 of course, only works in one 425 00:15:44,220 --> 00:15:46,349 way. So it should be hard to get back 426 00:15:46,350 --> 00:15:48,599 from here to Q1 and Q2 427 00:15:48,600 --> 00:15:50,519 is that generate a certain real key? 428 00:15:50,520 --> 00:15:52,409 So is this a good option? 429 00:15:52,410 --> 00:15:53,879 So we looked at it for a second. 430 00:15:53,880 --> 00:15:56,009 And then if I ask like there's 431 00:15:56,010 --> 00:15:58,379 no two to no, it's obviously not 432 00:15:58,380 --> 00:16:00,449 because the ACARS has an 433 00:16:00,450 --> 00:16:01,619 inverse function. 434 00:16:01,620 --> 00:16:03,899 So you can pick any 435 00:16:03,900 --> 00:16:06,779 key one and then decrypt 436 00:16:06,780 --> 00:16:09,179 the real key under this 437 00:16:09,180 --> 00:16:10,949 key one stars that you picked. 438 00:16:10,950 --> 00:16:12,869 So actually, there are two to the power 439 00:16:12,870 --> 00:16:14,939 of one on the 28 pairs that mapped to the 440 00:16:14,940 --> 00:16:16,499 same same real key. 441 00:16:16,500 --> 00:16:18,839 So again, the idea 442 00:16:18,840 --> 00:16:21,029 behind this was not bet, but 443 00:16:21,030 --> 00:16:23,489 the implementation here was surprising 444 00:16:23,490 --> 00:16:24,449 to us, I would say. 445 00:16:24,450 --> 00:16:25,919 But yeah. 446 00:16:31,530 --> 00:16:33,659 So having done this, we 447 00:16:33,660 --> 00:16:36,269 looked how the encryption is performed. 448 00:16:36,270 --> 00:16:38,819 So how is this real and goes 449 00:16:38,820 --> 00:16:40,739 is used to encrypt the bitstream here 450 00:16:42,600 --> 00:16:44,909 for this, it turned out to use simple 451 00:16:44,910 --> 00:16:46,349 as encounter mode. 452 00:16:46,350 --> 00:16:48,619 So you have some, I've said, 453 00:16:48,620 --> 00:16:50,699 to an incremented for every block. 454 00:16:50,700 --> 00:16:52,949 You want to encrypt 455 00:16:52,950 --> 00:16:55,049 a yes, encrypted under the 456 00:16:55,050 --> 00:16:56,639 real key and then exiled with the 457 00:16:56,640 --> 00:16:58,259 plaintext block. 458 00:16:58,260 --> 00:17:00,269 So there are some issues with that, but 459 00:17:00,270 --> 00:17:02,369 they're not really so severe as 460 00:17:02,370 --> 00:17:04,559 it seems seems to be fine. 461 00:17:04,560 --> 00:17:06,689 No, to the 462 00:17:06,690 --> 00:17:08,858 idea of why we reverse engineered, all 463 00:17:08,859 --> 00:17:10,799 that was to do our side channel attacks 464 00:17:10,800 --> 00:17:12,719 without this information, how all the 465 00:17:12,720 --> 00:17:14,368 encryption is done. A side channel attack 466 00:17:14,369 --> 00:17:15,899 cannot be mounted because you need to 467 00:17:15,900 --> 00:17:17,699 know what it's encrypted where. 468 00:17:17,700 --> 00:17:19,919 So we did a bit more, got 469 00:17:19,920 --> 00:17:21,868 all the file form and some coding, and 470 00:17:21,869 --> 00:17:23,848 turned the black box into a white box and 471 00:17:23,849 --> 00:17:25,519 went on with our analysis. 472 00:17:27,750 --> 00:17:29,999 So is this what the set up looks 473 00:17:30,000 --> 00:17:32,429 like? You have bought with the FPGA 474 00:17:32,430 --> 00:17:34,439 here, our own programmer to be able to 475 00:17:34,440 --> 00:17:36,719 send encrypted bits, streams or 476 00:17:36,720 --> 00:17:39,089 data of our choosing 477 00:17:39,090 --> 00:17:40,799 to the FPGA. 478 00:17:40,800 --> 00:17:43,409 So then you have on top of oscilloscope 479 00:17:43,410 --> 00:17:45,689 and the side channel signals here 480 00:17:45,690 --> 00:17:48,419 are measured with this insanely 481 00:17:48,420 --> 00:17:51,239 thick cable and inflexible cable. 482 00:17:51,240 --> 00:17:53,369 It's better for the electrons, you 483 00:17:53,370 --> 00:17:56,039 know, so it was just handy. 484 00:17:56,040 --> 00:17:58,289 And here is a trigger signal that 485 00:17:58,290 --> 00:18:00,399 starts. Oscilloscope starts 486 00:18:00,400 --> 00:18:02,309 the measurement on the oscilloscope, but 487 00:18:02,310 --> 00:18:04,619 when a pin is raised by this programmer. 488 00:18:06,330 --> 00:18:07,829 So in this plot, you see what you 489 00:18:07,830 --> 00:18:09,909 actually measure on the oscilloscope. 490 00:18:09,910 --> 00:18:11,789 There are two curves here. 491 00:18:11,790 --> 00:18:14,309 The black one is when bitstream 492 00:18:14,310 --> 00:18:17,039 encrypted bitstream is put into the FPGA 493 00:18:17,040 --> 00:18:19,229 and decrypted on there and not 494 00:18:19,230 --> 00:18:20,489 decrypted on the FPGA. 495 00:18:20,490 --> 00:18:22,229 Sorry. So the black one is when the 496 00:18:22,230 --> 00:18:24,539 encryption feature is totally disabled 497 00:18:24,540 --> 00:18:26,999 and the red one is when the encryption or 498 00:18:27,000 --> 00:18:29,099 the encryption on the FPGA is enabled. 499 00:18:29,100 --> 00:18:31,289 So you already see some 500 00:18:31,290 --> 00:18:33,179 difference here. There's a higher energy 501 00:18:33,180 --> 00:18:35,249 consumption altogether and zooming 502 00:18:35,250 --> 00:18:37,329 in, you can actually figure out where 503 00:18:37,330 --> 00:18:39,569 the Aztecs takes part. 504 00:18:39,570 --> 00:18:41,669 So they're always small, small 505 00:18:41,670 --> 00:18:44,069 periods that relate to this as operation. 506 00:18:44,070 --> 00:18:45,689 And here from this period, we actually 507 00:18:45,690 --> 00:18:48,509 want to extract a secret key. 508 00:18:48,510 --> 00:18:50,609 So since I'm here was this, it 509 00:18:50,610 --> 00:18:53,369 was obviously successful. 510 00:18:53,370 --> 00:18:55,439 And here you can see a result of 511 00:18:55,440 --> 00:18:57,629 this. So this is what 512 00:18:57,630 --> 00:18:59,729 I already explained this approach 513 00:18:59,730 --> 00:19:01,499 of differential power analysis that you 514 00:19:01,500 --> 00:19:03,599 test small hypothesis for 515 00:19:03,600 --> 00:19:05,819 the key. And here in gray, you do not 516 00:19:05,820 --> 00:19:08,249 really see two hundred 517 00:19:08,250 --> 00:19:10,649 fifty four curves in this case 518 00:19:10,650 --> 00:19:13,349 that relates to the wrong key candidates. 519 00:19:13,350 --> 00:19:15,389 And this curves at peak. 520 00:19:15,390 --> 00:19:17,549 Here are the correct key 521 00:19:17,550 --> 00:19:19,619 candidates with this message, you can 522 00:19:19,620 --> 00:19:21,839 identify each as each 523 00:19:21,840 --> 00:19:23,909 key for each spoke separately, 524 00:19:23,910 --> 00:19:26,249 and with this gets the complete key. 525 00:19:26,250 --> 00:19:28,499 And this two takes all together. 526 00:19:28,500 --> 00:19:31,019 Three. So two thousand measurements 527 00:19:31,020 --> 00:19:33,299 are we call them traces very often, 528 00:19:33,300 --> 00:19:35,549 which is three hours 529 00:19:35,550 --> 00:19:37,199 of playing around with the device and a 530 00:19:37,200 --> 00:19:39,690 bit of off-line pre post-processing. 531 00:19:40,770 --> 00:19:42,900 So result of first case study. 532 00:19:44,370 --> 00:19:46,619 The full 128 bit ASCII 533 00:19:46,620 --> 00:19:48,719 of psychotics tool can be extracted 534 00:19:48,720 --> 00:19:51,299 with round about three hours. 535 00:19:51,300 --> 00:19:52,979 And this key derivation mechanism, of 536 00:19:52,980 --> 00:19:54,749 course, does not prevent the product 537 00:19:54,750 --> 00:19:55,769 powered from cloning. 538 00:19:55,770 --> 00:19:57,390 He can just do this 539 00:19:58,440 --> 00:20:00,689 stuff with the s and another 540 00:20:00,690 --> 00:20:02,429 important lesson here for a more general 541 00:20:02,430 --> 00:20:04,019 perspective. 542 00:20:04,020 --> 00:20:06,119 You can do a software reverse engineering 543 00:20:06,120 --> 00:20:07,259 to do hardware techs. 544 00:20:07,260 --> 00:20:08,879 After that, if you have a very complex 545 00:20:08,880 --> 00:20:10,979 system, you can reverse engineer 546 00:20:10,980 --> 00:20:13,109 parts from software if available and then 547 00:20:13,110 --> 00:20:16,229 use that knowledge to attack the system. 548 00:20:16,230 --> 00:20:18,419 So with this, we're done with the 549 00:20:18,420 --> 00:20:20,639 FPGA story and they'll 550 00:20:20,640 --> 00:20:22,739 go on because pirates do not only 551 00:20:22,740 --> 00:20:25,049 FPGA but also, for instance, 552 00:20:25,050 --> 00:20:26,039 a door locks. 553 00:20:26,040 --> 00:20:28,289 And for this, we go up the coast a bit 554 00:20:28,290 --> 00:20:29,519 to Canada. 555 00:20:29,520 --> 00:20:31,559 Here, Canada identified with the beaver, 556 00:20:31,560 --> 00:20:32,849 which has nothing to do with this 557 00:20:32,850 --> 00:20:35,049 engineered. Just identify 558 00:20:35,050 --> 00:20:36,599 it like this. 559 00:20:36,600 --> 00:20:38,759 And we look at the locking system, which 560 00:20:38,760 --> 00:20:41,969 is kept anonymous in this talk 561 00:20:41,970 --> 00:20:44,279 for the obvious reason. 562 00:20:44,280 --> 00:20:46,409 So here you have 563 00:20:46,410 --> 00:20:48,899 a typical door and an electronic 564 00:20:48,900 --> 00:20:51,149 locking system the user has some form 565 00:20:51,150 --> 00:20:53,039 of token, can be some small hardware 566 00:20:53,040 --> 00:20:55,469 device, some RFID card, whatever 567 00:20:55,470 --> 00:20:57,599 he touches the to the 568 00:20:57,600 --> 00:20:59,639 lock or holds it in proximity to the 569 00:20:59,640 --> 00:21:02,429 lock, and then the door can be opened. 570 00:21:02,430 --> 00:21:04,049 And now we look at the hardware, which 571 00:21:04,050 --> 00:21:06,239 was used in this particular system here 572 00:21:06,240 --> 00:21:08,970 to to realize this functionality. 573 00:21:10,990 --> 00:21:12,779 In this case, there was a pretty complex 574 00:21:12,780 --> 00:21:15,419 authentication protocol was L11 messages 575 00:21:15,420 --> 00:21:17,729 being exchanged and we had no 576 00:21:17,730 --> 00:21:19,949 clue how to what say what's 577 00:21:19,950 --> 00:21:20,950 it actually meant? 578 00:21:22,350 --> 00:21:24,659 So this was again the total black box. 579 00:21:24,660 --> 00:21:26,879 However, we tried to turn this into 580 00:21:26,880 --> 00:21:28,649 a white box, and for this we looked at 581 00:21:28,650 --> 00:21:30,489 the components of the system. 582 00:21:30,490 --> 00:21:32,619 We open both tokens and locks and 583 00:21:32,620 --> 00:21:35,019 found a pick microcontroller here 584 00:21:35,020 --> 00:21:37,329 and also custom ASICs 585 00:21:37,330 --> 00:21:38,549 put there by the manufacturer. 586 00:21:38,550 --> 00:21:40,959 So our first intuition was OK. 587 00:21:40,960 --> 00:21:42,969 Every other cryptos in the A-Z, of 588 00:21:42,970 --> 00:21:45,129 course, who would build an ASEC to 589 00:21:45,130 --> 00:21:46,299 do non crypto stuff. 590 00:21:46,300 --> 00:21:48,549 So we looked at this and 591 00:21:48,550 --> 00:21:50,619 open it, and this is what other 592 00:21:50,620 --> 00:21:52,689 people here can tell you even more 593 00:21:52,690 --> 00:21:53,949 about us seeing Dmitry. 594 00:21:53,950 --> 00:21:55,929 I will give a talk on very invasive 595 00:21:55,930 --> 00:21:58,059 attacks, and Starbucks also 596 00:21:58,060 --> 00:21:59,439 knows this stuff and so on. 597 00:21:59,440 --> 00:22:01,809 You first solve 598 00:22:01,810 --> 00:22:03,579 a chip to look at a silicon dye. 599 00:22:03,580 --> 00:22:04,959 So we did this. 600 00:22:04,960 --> 00:22:07,389 You put some acid on top 601 00:22:07,390 --> 00:22:08,979 that it react. 602 00:22:08,980 --> 00:22:11,289 And finally, you have the chip after 603 00:22:11,290 --> 00:22:14,019 iterating this a few times. 604 00:22:14,020 --> 00:22:15,579 So this is basic. 605 00:22:15,580 --> 00:22:17,689 We actually then took pictures of this 606 00:22:17,690 --> 00:22:19,809 is actually a 10 mega, I 607 00:22:19,810 --> 00:22:22,149 think, 10000 pixel wide image stitched 608 00:22:22,150 --> 00:22:24,609 from a lot of microscope 609 00:22:24,610 --> 00:22:27,159 shots. It's very old device 610 00:22:27,160 --> 00:22:29,079 in the gate, every technical technology. 611 00:22:29,080 --> 00:22:30,189 So it's kind of a 612 00:22:31,240 --> 00:22:33,369 pre FPGA where you just put the metal 613 00:22:33,370 --> 00:22:34,569 ization on the laser. 614 00:22:34,570 --> 00:22:36,939 And all the doping areas already given 615 00:22:36,940 --> 00:22:40,209 its old two micrometers 616 00:22:40,210 --> 00:22:42,999 has some mixed signal stuff for analog 617 00:22:43,000 --> 00:22:44,589 stuff also, and it was pretty much 618 00:22:44,590 --> 00:22:46,209 utilized, but already that we could have 619 00:22:46,210 --> 00:22:47,169 sold OK. 620 00:22:47,170 --> 00:22:49,329 So there's probably no crypto in one 621 00:22:49,330 --> 00:22:50,949 thousand seven hundred transistors on 622 00:22:50,950 --> 00:22:53,229 this very bad crypto. 623 00:22:53,230 --> 00:22:55,869 Nevertheless, one master student 624 00:22:55,870 --> 00:22:58,539 reverse engineered it on and off 625 00:22:58,540 --> 00:22:59,540 it was. 626 00:23:07,540 --> 00:23:09,279 And this is the result and what turns 627 00:23:09,280 --> 00:23:11,469 out, OK, it's all some communication 628 00:23:11,470 --> 00:23:14,289 logic for counting 629 00:23:14,290 --> 00:23:16,839 some flipping bits and 630 00:23:16,840 --> 00:23:18,849 waking up some microcontroller every five 631 00:23:18,850 --> 00:23:20,229 hundred milliseconds or so. 632 00:23:20,230 --> 00:23:21,489 Yeah, whatever. 633 00:23:21,490 --> 00:23:22,899 We did it and looked at the other 634 00:23:22,900 --> 00:23:25,099 components. This is the 635 00:23:25,100 --> 00:23:26,139 ZaPik microcontroller. 636 00:23:26,140 --> 00:23:27,969 And here we were fortunate that there 637 00:23:27,970 --> 00:23:30,129 were no one attacks on these devices to 638 00:23:30,130 --> 00:23:33,639 extract the program code because 639 00:23:33,640 --> 00:23:35,199 these devices would, you have to know, 640 00:23:35,200 --> 00:23:37,119 have some configuration bits that can 641 00:23:37,120 --> 00:23:39,249 turn out turn off the readout 642 00:23:39,250 --> 00:23:40,809 of the program code. 643 00:23:40,810 --> 00:23:42,429 And this was, of course, enabled, but we 644 00:23:42,430 --> 00:23:44,619 wanted to see what is inside the system. 645 00:23:44,620 --> 00:23:46,719 So we went to circumvent this 646 00:23:46,720 --> 00:23:49,029 looked first at the chip so you can find 647 00:23:49,030 --> 00:23:50,679 a text for similar microcontrollers on 648 00:23:50,680 --> 00:23:51,680 the internet. 649 00:23:52,990 --> 00:23:54,939 And we found, OK, everything looks as you 650 00:23:54,940 --> 00:23:55,899 would expect on the pick. 651 00:23:55,900 --> 00:23:57,519 You have some memories here. 652 00:23:57,520 --> 00:23:59,409 You have some analog stuff here and 653 00:23:59,410 --> 00:24:01,449 particularly this area, which covers this 654 00:24:01,450 --> 00:24:02,450 few bits. 655 00:24:03,850 --> 00:24:05,919 So the fewest 656 00:24:05,920 --> 00:24:07,749 bits. One interesting bit is somewhere 657 00:24:07,750 --> 00:24:09,249 under this, under this metal. 658 00:24:09,250 --> 00:24:11,559 Here we check that it's really 659 00:24:11,560 --> 00:24:13,439 then microchip implemented it in a way 660 00:24:13,440 --> 00:24:15,309 that can be circumvented by intel. 661 00:24:15,310 --> 00:24:16,809 Things that happened. 662 00:24:16,810 --> 00:24:19,059 So what you do is you open it, 663 00:24:19,060 --> 00:24:21,249 you put some tape with your hand over 664 00:24:21,250 --> 00:24:22,569 the memories that you don't want to 665 00:24:22,570 --> 00:24:23,739 erase, like the flash. 666 00:24:23,740 --> 00:24:25,179 And so you prom. 667 00:24:25,180 --> 00:24:27,369 And then you put it at an angle under UV 668 00:24:27,370 --> 00:24:29,589 lamp. And after a half an hour, when 669 00:24:29,590 --> 00:24:31,419 enough photons have bounced under this 670 00:24:31,420 --> 00:24:33,739 metal layers onto the floating gate, 671 00:24:33,740 --> 00:24:36,009 then you can so suddenly 672 00:24:36,010 --> 00:24:37,630 disable this without protection. 673 00:24:39,550 --> 00:24:40,550 So. 674 00:24:46,840 --> 00:24:49,029 So this was was 675 00:24:49,030 --> 00:24:50,979 pretty useful because we could get all 676 00:24:50,980 --> 00:24:53,199 the code from this pick, which is, by 677 00:24:53,200 --> 00:24:54,789 the way, horrible to reverse engineer 678 00:24:54,790 --> 00:24:57,039 because it has certain segmented 679 00:24:57,040 --> 00:24:59,679 memories and whatever for such a small 680 00:24:59,680 --> 00:25:02,199 device. But we eventually did it in 681 00:25:02,200 --> 00:25:04,299 again and turned a black box 682 00:25:04,300 --> 00:25:05,769 into white box the second time. 683 00:25:05,770 --> 00:25:08,169 And from this resultant now, several 684 00:25:08,170 --> 00:25:10,239 attacks said I want to briefly 685 00:25:10,240 --> 00:25:12,549 summarize just him due to the time 686 00:25:12,550 --> 00:25:14,619 that we have so good 687 00:25:14,620 --> 00:25:16,809 singers, each token here had own 688 00:25:16,810 --> 00:25:18,729 unique keys. So if you get out this key, 689 00:25:18,730 --> 00:25:20,419 you can only duplicate one tokens. 690 00:25:20,420 --> 00:25:21,939 It's like a mechanical key. 691 00:25:21,940 --> 00:25:24,039 You can also easily copy it with 692 00:25:24,040 --> 00:25:25,040 wax or so. 693 00:25:25,960 --> 00:25:27,999 However, each lock has an installation 694 00:25:28,000 --> 00:25:30,429 white key that is then used to derive 695 00:25:30,430 --> 00:25:32,499 all the keys of the token based on 696 00:25:32,500 --> 00:25:34,869 the idea and says installation, 697 00:25:34,870 --> 00:25:37,569 white key and heavens is 698 00:25:37,570 --> 00:25:40,179 key obtained once you can 699 00:25:40,180 --> 00:25:42,429 visually emulate every token and 700 00:25:42,430 --> 00:25:44,289 open every door in the system. 701 00:25:44,290 --> 00:25:46,419 So one option was to perform 702 00:25:46,420 --> 00:25:48,579 this invasive attack with UV light. 703 00:25:48,580 --> 00:25:50,559 So this gives you the key, or you can 704 00:25:50,560 --> 00:25:52,719 also do a side channel attack 705 00:25:52,720 --> 00:25:54,819 with an M probe, which you barely 706 00:25:54,820 --> 00:25:57,309 see here on top of the microcontroller. 707 00:25:57,310 --> 00:26:00,259 And this takes around about 15 minutes 708 00:26:00,260 --> 00:26:02,439 communicating with the the lock to 709 00:26:02,440 --> 00:26:04,209 get Ötzi's installation white keys and 710 00:26:04,210 --> 00:26:06,879 then walk into any door 711 00:26:06,880 --> 00:26:09,149 and say or some more or worse, 712 00:26:09,150 --> 00:26:11,109 some more severe attacks that are due to 713 00:26:11,110 --> 00:26:12,219 the protocol design. 714 00:26:12,220 --> 00:26:14,049 I cannot unfortunately explain 715 00:26:14,050 --> 00:26:15,670 everything. Maybe next year 716 00:26:16,720 --> 00:26:18,909 one system is the cryptography inside 717 00:26:18,910 --> 00:26:20,649 what some mix of good crypto and bad 718 00:26:20,650 --> 00:26:23,589 crypto. So some vendor design stuff 719 00:26:23,590 --> 00:26:25,849 and the most more 720 00:26:25,850 --> 00:26:28,149 severe thing were with random numbers 721 00:26:28,150 --> 00:26:29,439 you will know about random number 722 00:26:29,440 --> 00:26:30,549 generator. 723 00:26:30,550 --> 00:26:32,709 And here was that internal values 724 00:26:32,710 --> 00:26:34,929 were reused in the next protocol 725 00:26:34,930 --> 00:26:37,419 run asset values that were sent out. 726 00:26:37,420 --> 00:26:38,710 So you based on this 727 00:26:40,420 --> 00:26:42,289 with clever mathematics, you can derive 728 00:26:42,290 --> 00:26:44,349 from the text that gives you for 729 00:26:44,350 --> 00:26:47,199 one gives you the key for a transparent 730 00:26:47,200 --> 00:26:49,269 transponder just by interacting 731 00:26:49,270 --> 00:26:51,399 with the door without being able to 732 00:26:51,400 --> 00:26:52,479 open it. 733 00:26:52,480 --> 00:26:55,060 So, yeah, this was pretty surprising. 734 00:26:56,200 --> 00:26:58,359 Nevertheless, we 735 00:26:58,360 --> 00:27:00,669 had, of course, communicated 736 00:27:00,670 --> 00:27:03,189 with the vendor about this, 737 00:27:03,190 --> 00:27:05,499 and I talk about this 738 00:27:05,500 --> 00:27:07,299 at the end a short bit. 739 00:27:09,240 --> 00:27:10,989 They could roll out a firmware update 740 00:27:10,990 --> 00:27:13,599 that at least could fix this analytical 741 00:27:13,600 --> 00:27:15,519 attacks that allow us to open every door 742 00:27:15,520 --> 00:27:17,589 just by walking to it, talking to 743 00:27:17,590 --> 00:27:18,519 it a few times. 744 00:27:18,520 --> 00:27:20,679 And then, yeah, having have an 745 00:27:20,680 --> 00:27:23,139 exit here, the hardware 746 00:27:23,140 --> 00:27:25,449 techs are of course, difficult 747 00:27:25,450 --> 00:27:27,099 to replace because you have to replace 748 00:27:27,100 --> 00:27:29,289 all components and they're working 749 00:27:29,290 --> 00:27:31,689 on their next product generation, which 750 00:27:31,690 --> 00:27:33,819 shall contain some more secure 751 00:27:33,820 --> 00:27:35,979 hardware where we then need other guys 752 00:27:35,980 --> 00:27:38,079 like Dimitriou. And so, 753 00:27:38,080 --> 00:27:39,080 yeah. 754 00:27:39,700 --> 00:27:41,769 So is this lesson learned here? 755 00:27:41,770 --> 00:27:43,899 Hardware reverse engineering can enable 756 00:27:43,900 --> 00:27:45,909 mathematical attacks and also as a side 757 00:27:45,910 --> 00:27:46,910 channel attacks. 758 00:27:47,920 --> 00:27:50,349 And with this, we come to our final 759 00:27:50,350 --> 00:27:52,569 point we go actually 760 00:27:52,570 --> 00:27:54,249 to the heart of all the piracy as a 761 00:27:54,250 --> 00:27:55,839 Caribbean where this conference was 762 00:27:55,840 --> 00:27:56,949 really beautiful. 763 00:27:56,950 --> 00:27:59,229 Raid 2013, it looks like this is 764 00:27:59,230 --> 00:28:01,329 one picture we took, so 765 00:28:01,330 --> 00:28:03,309 it's pretty a pretty nice place to 766 00:28:03,310 --> 00:28:05,379 present research and we looked at 767 00:28:05,380 --> 00:28:06,380 this device. 768 00:28:08,160 --> 00:28:10,329 This is a YubiKey to who is 769 00:28:10,330 --> 00:28:12,429 familiar with YubiKey and who 770 00:28:12,430 --> 00:28:13,929 has one. 771 00:28:13,930 --> 00:28:16,009 Yes and no worries. 772 00:28:16,010 --> 00:28:18,219 And this is a two 773 00:28:18,220 --> 00:28:19,719 factor authentication token. 774 00:28:19,720 --> 00:28:20,769 You know about this. 775 00:28:20,770 --> 00:28:22,549 In the past, everybody just was typing in 776 00:28:22,550 --> 00:28:24,249 this password. Now we know this 777 00:28:24,250 --> 00:28:26,559 eavesdropping on data 778 00:28:26,560 --> 00:28:27,819 from all over the world. 779 00:28:27,820 --> 00:28:29,439 You can have trojans on your computer and 780 00:28:29,440 --> 00:28:31,329 so on you. So we want a hardware factor 781 00:28:31,330 --> 00:28:33,489 in one of our smart cards. 782 00:28:33,490 --> 00:28:36,129 Or is this as some as transaction 783 00:28:36,130 --> 00:28:37,149 numbers to lock in? 784 00:28:37,150 --> 00:28:39,879 You can have the infamous RSA token 785 00:28:39,880 --> 00:28:41,979 or you can have the YubiKey 786 00:28:41,980 --> 00:28:43,119 runs at this device. 787 00:28:43,120 --> 00:28:44,859 We had a closed loop from our side 788 00:28:44,860 --> 00:28:45,890 channel perspective. 789 00:28:47,110 --> 00:28:49,789 So just to explain it very, very briefly, 790 00:28:49,790 --> 00:28:52,029 the YubiKey X like a USB keyboard 791 00:28:52,030 --> 00:28:53,799 to your computer so you can use it 792 00:28:53,800 --> 00:28:54,819 without any drive us. 793 00:28:54,820 --> 00:28:56,949 Basically, it 794 00:28:56,950 --> 00:28:59,229 generates and enters one time 795 00:28:59,230 --> 00:29:01,149 password every time you press a small 796 00:29:01,150 --> 00:29:02,739 button on top. 797 00:29:02,740 --> 00:29:04,819 And this is based on on the. 798 00:29:04,820 --> 00:29:06,469 So again, a secure cipher. 799 00:29:06,470 --> 00:29:08,079 I'd say so. 800 00:29:08,080 --> 00:29:10,239 And on the bottom of the slide, 801 00:29:10,240 --> 00:29:11,829 you enter your credentials and then you 802 00:29:11,830 --> 00:29:14,140 press this button and it enters this 803 00:29:15,340 --> 00:29:16,719 string of characters. 804 00:29:16,720 --> 00:29:18,909 And they chose some encoding here 805 00:29:18,910 --> 00:29:20,979 to make it compatible across all keyboard 806 00:29:20,980 --> 00:29:23,079 layouts, so you will not find any 807 00:29:23,080 --> 00:29:25,269 umlaut or so or so in 808 00:29:25,270 --> 00:29:26,229 this. 809 00:29:26,230 --> 00:29:27,759 So every time you press it, generate 810 00:29:27,760 --> 00:29:29,599 some, some stuff. 811 00:29:29,600 --> 00:29:31,809 Here's always some fixed idea, and this 812 00:29:31,810 --> 00:29:33,909 part is encrypted here and then 813 00:29:33,910 --> 00:29:34,899 and called it. 814 00:29:34,900 --> 00:29:37,599 And what it contains is basically, 815 00:29:37,600 --> 00:29:39,909 again, an ID and several 816 00:29:39,910 --> 00:29:42,549 counters that are incremented every time 817 00:29:42,550 --> 00:29:44,709 you press a button and in a certain way. 818 00:29:46,740 --> 00:29:48,869 So all these fields are then put into an 819 00:29:48,870 --> 00:29:51,089 AC and coded, as I said, and the question 820 00:29:51,090 --> 00:29:53,299 is, can we get back to Mexico key? 821 00:29:53,300 --> 00:29:56,009 Because this, of course, enables us to 822 00:29:56,010 --> 00:29:58,019 duplicate the YubiKey again or just 823 00:29:58,020 --> 00:29:59,729 duplicated in software because it 824 00:29:59,730 --> 00:30:01,859 generates a string so we don't need the 825 00:30:01,860 --> 00:30:02,940 hardware device for that. 826 00:30:05,070 --> 00:30:06,929 Yeah. So for this, we started again 827 00:30:06,930 --> 00:30:08,069 looking what is inside? 828 00:30:08,070 --> 00:30:10,079 So there was a smart card chip inside or 829 00:30:10,080 --> 00:30:11,829 is there a simple microcontroller? 830 00:30:11,830 --> 00:30:14,309 Here's this video is from an HD 831 00:30:14,310 --> 00:30:16,139 videos that you can find on YouTube on 832 00:30:16,140 --> 00:30:17,249 the production. 833 00:30:17,250 --> 00:30:19,859 So HD videos can also leak information 834 00:30:19,860 --> 00:30:20,999 where the circuit is. 835 00:30:21,000 --> 00:30:23,219 Justin's is plastic molded plastic 836 00:30:23,220 --> 00:30:24,389 packet. 837 00:30:24,390 --> 00:30:26,459 So we know news and which drills 838 00:30:26,460 --> 00:30:28,229 a hole puts the acid. 839 00:30:28,230 --> 00:30:30,539 And the result is this is looks 840 00:30:30,540 --> 00:30:32,699 like some microcontroller to the 841 00:30:32,700 --> 00:30:34,829 Trent eye with some memories and so on. 842 00:30:34,830 --> 00:30:36,809 And we finally also found some markings 843 00:30:36,810 --> 00:30:37,739 on that, says some. 844 00:30:37,740 --> 00:30:39,959 Plus it probably nobody 845 00:30:39,960 --> 00:30:42,239 notices, but it's in like 846 00:30:42,240 --> 00:30:44,579 virtually every keyboard 847 00:30:44,580 --> 00:30:47,159 or mouse or so. It's a cheap 848 00:30:47,160 --> 00:30:49,289 USB microcontroller, and it has this 849 00:30:49,290 --> 00:30:51,599 feature to do this keyboard emulation. 850 00:30:53,400 --> 00:30:55,799 So this was what's the basic 851 00:30:55,800 --> 00:30:57,839 best use tier. We did not try to read on 852 00:30:57,840 --> 00:30:59,819 any program code because we do not even 853 00:30:59,820 --> 00:31:02,309 know what kind of processors is Intel. 854 00:31:02,310 --> 00:31:04,799 And there's no documentation on that. 855 00:31:04,800 --> 00:31:07,009 So here comes the magic of side channel 856 00:31:07,010 --> 00:31:08,759 attacks, who can also do an attack 857 00:31:08,760 --> 00:31:10,769 without exact knowledge on the on the 858 00:31:10,770 --> 00:31:13,439 hardware and without need to do that. 859 00:31:13,440 --> 00:31:15,389 If you know the exact protocols which 860 00:31:15,390 --> 00:31:17,609 were all open in case of the Yubico 861 00:31:17,610 --> 00:31:19,709 YubiKey, which is a nice device, by the 862 00:31:19,710 --> 00:31:22,109 way. It's a good open source design, 863 00:31:23,280 --> 00:31:24,869 so we did both. 864 00:31:24,870 --> 00:31:26,069 We tried to measure the power 865 00:31:26,070 --> 00:31:28,259 consumption. Putin was a small, 866 00:31:28,260 --> 00:31:30,659 hand-crafted adapter here, a measurement 867 00:31:30,660 --> 00:31:33,269 resistor into the USB power supply, 868 00:31:33,270 --> 00:31:35,219 and we also put in the M probe on top of 869 00:31:35,220 --> 00:31:37,379 the device to make a noninvasive 870 00:31:37,380 --> 00:31:39,329 attack, and this turned out to be a 871 00:31:39,330 --> 00:31:41,519 better way to press this 872 00:31:41,520 --> 00:31:42,429 button automatically. 873 00:31:42,430 --> 00:31:44,369 We just took tin foil on the tin foil, 874 00:31:44,370 --> 00:31:46,489 absorbs everything and connect 875 00:31:46,490 --> 00:31:48,239 if you connect it to grounded, simulates 876 00:31:48,240 --> 00:31:50,369 your fingers and press the button so you 877 00:31:50,370 --> 00:31:52,109 don't have to press thousands times 878 00:31:52,110 --> 00:31:53,110 manually. 879 00:31:53,730 --> 00:31:56,309 And was this we took our measurements. 880 00:31:56,310 --> 00:31:58,619 We found out that M Signal 881 00:31:58,620 --> 00:31:59,999 gives better signals. 882 00:32:00,000 --> 00:32:00,989 This is the one here. 883 00:32:00,990 --> 00:32:03,359 On top of the power signal is somewhat 884 00:32:03,360 --> 00:32:06,179 low pass filter through some 885 00:32:06,180 --> 00:32:08,099 voltage regulators on the chip. 886 00:32:08,100 --> 00:32:09,389 And here you can. 887 00:32:09,390 --> 00:32:11,549 As a side channel, you can clearly see 888 00:32:11,550 --> 00:32:13,709 the 10 rounds of the ace was the 889 00:32:13,710 --> 00:32:15,750 10th round. Little short to 890 00:32:17,280 --> 00:32:19,559 the end from Z was playing around 891 00:32:19,560 --> 00:32:21,359 what we have to attack here. 892 00:32:21,360 --> 00:32:23,309 And finally, words were able to get out 893 00:32:23,310 --> 00:32:25,529 the full ASCII from this device and 894 00:32:25,530 --> 00:32:27,629 actually seven no measurements with 895 00:32:27,630 --> 00:32:28,539 some optimization. 896 00:32:28,540 --> 00:32:31,199 So this is one hour of 897 00:32:31,200 --> 00:32:33,479 physical access to the device to get 898 00:32:33,480 --> 00:32:35,279 the AC out here. 899 00:32:35,280 --> 00:32:37,409 So again, you see this gray 900 00:32:37,410 --> 00:32:38,999 wrong candidates and this one was the 901 00:32:39,000 --> 00:32:41,369 peak. The red one is the correct bud 902 00:32:41,370 --> 00:32:43,439 actually for for a few, 903 00:32:43,440 --> 00:32:45,839 for a few bytes of the key, just to 904 00:32:45,840 --> 00:32:46,840 explain it. 905 00:32:48,900 --> 00:32:51,059 So management 906 00:32:51,060 --> 00:32:53,489 summary Again, we can extract 907 00:32:53,490 --> 00:32:55,619 the key with side channel and text. 908 00:32:55,620 --> 00:32:57,089 And then after that, of course, you can 909 00:32:57,090 --> 00:32:59,369 impersonate the YubiKey. 910 00:33:01,080 --> 00:33:03,119 Of course, any way you still need the 911 00:33:03,120 --> 00:33:05,429 username and password, which reduces 912 00:33:05,430 --> 00:33:07,199 also the risk. So you have two factors 913 00:33:07,200 --> 00:33:08,200 also to attack. 914 00:33:09,870 --> 00:33:12,029 Luckily, there was there is 915 00:33:12,030 --> 00:33:14,189 an improved firmware version, so 916 00:33:14,190 --> 00:33:16,259 all new devices since a few 917 00:33:16,260 --> 00:33:18,419 months ship with this improved firmware 918 00:33:18,420 --> 00:33:20,789 that it's not a tech move in this manner 919 00:33:20,790 --> 00:33:21,790 easily anymore. 920 00:33:23,790 --> 00:33:26,129 So we come already on still 921 00:33:26,130 --> 00:33:28,049 fine, fine with time timeout. 922 00:33:28,050 --> 00:33:30,239 So we come already to the final 923 00:33:30,240 --> 00:33:33,029 part when pirates do good or responsible 924 00:33:33,030 --> 00:33:34,769 disclosure. 925 00:33:34,770 --> 00:33:37,549 So here comes the pirate A2Z 926 00:33:37,550 --> 00:33:39,719 to the designer and informs them, 927 00:33:39,720 --> 00:33:41,819 Hey, we have a problem with your 928 00:33:41,820 --> 00:33:44,159 device. And preferably he does 929 00:33:44,160 --> 00:33:46,409 this before, before he 930 00:33:46,410 --> 00:33:48,479 publishes. Ever since this is how we 931 00:33:48,480 --> 00:33:50,669 did it, by the way, pirates 932 00:33:50,670 --> 00:33:52,769 can. And I was like, some Huawei pirates 933 00:33:52,770 --> 00:33:54,299 can do good here. 934 00:33:54,300 --> 00:33:56,339 Maybe someone is familiar with this crap. 935 00:33:56,340 --> 00:33:58,529 So with a previous talk 936 00:33:58,530 --> 00:34:00,089 we have, here's a number of pirates 937 00:34:00,090 --> 00:34:02,279 approximate decreasing your thirty 938 00:34:02,280 --> 00:34:04,799 five thousand eighteen twenty and only 939 00:34:04,800 --> 00:34:06,959 17 real pirates left 940 00:34:06,960 --> 00:34:08,979 in two thousand, and with this increase, 941 00:34:08,980 --> 00:34:11,549 the global temperature 942 00:34:11,550 --> 00:34:13,109 by almost two degrees. 943 00:34:13,110 --> 00:34:14,110 So. 944 00:34:22,380 --> 00:34:24,749 Yeah. Correlation is not causation. 945 00:34:24,750 --> 00:34:26,849 This is a mystery, I'm just to 946 00:34:26,850 --> 00:34:28,979 show that pirates can do some good. 947 00:34:28,980 --> 00:34:31,079 We also did this and talked to the people 948 00:34:31,080 --> 00:34:33,448 always at least six months before 949 00:34:33,449 --> 00:34:35,698 we published our stuff, since it's a 950 00:34:35,699 --> 00:34:38,339 bit variable due to our publication 951 00:34:38,340 --> 00:34:39,569 times and so on. 952 00:34:39,570 --> 00:34:41,189 So for the locking system, it was 953 00:34:41,190 --> 00:34:43,259 approximately one year before actually it 954 00:34:43,260 --> 00:34:44,759 got public. 955 00:34:44,760 --> 00:34:46,979 And as I said, the vendor was 956 00:34:46,980 --> 00:34:48,629 able to deploy a fix for this. 957 00:34:48,630 --> 00:34:50,939 Most severe mathematical attacks 958 00:34:50,940 --> 00:34:52,859 a terror. We talk to them six months 959 00:34:52,860 --> 00:34:55,049 before they said, Yeah, it's like 960 00:34:55,050 --> 00:34:57,269 this, and 961 00:34:58,580 --> 00:35:00,719 it has 962 00:35:00,720 --> 00:35:02,419 to be seen what happens in the future. 963 00:35:02,420 --> 00:35:04,679 Then this FPGA field, it's an interesting 964 00:35:04,680 --> 00:35:05,659 field how to protect. 965 00:35:05,660 --> 00:35:07,739 It's all too complicated and with 966 00:35:07,740 --> 00:35:09,719 you because we also talked round about 967 00:35:09,720 --> 00:35:11,639 nine months before publishing it. 968 00:35:11,640 --> 00:35:13,049 And as I said, there is an improved 969 00:35:13,050 --> 00:35:15,209 firmware version 2.4 now 970 00:35:15,210 --> 00:35:17,070 that mitigates these issues. 971 00:35:18,450 --> 00:35:21,149 So come in briefly to how to mitigate 972 00:35:21,150 --> 00:35:22,649 such stuff like such an honor. 973 00:35:22,650 --> 00:35:24,719 Text one to show my two final 974 00:35:24,720 --> 00:35:26,699 slides and then we come to your questions 975 00:35:28,620 --> 00:35:31,019 so you can have a first line of defense. 976 00:35:31,020 --> 00:35:32,639 That means you can put all those 977 00:35:32,640 --> 00:35:34,469 classical countermeasures against side 978 00:35:34,470 --> 00:35:36,269 channel attacks and implementation 979 00:35:36,270 --> 00:35:38,519 attacks or invasive attacks in general. 980 00:35:38,520 --> 00:35:41,099 So you can take secure smartcard 981 00:35:41,100 --> 00:35:43,589 circuits which are certified 982 00:35:43,590 --> 00:35:45,449 and you can modify the device on the 983 00:35:45,450 --> 00:35:46,349 algorithmic level. 984 00:35:46,350 --> 00:35:48,539 So put randomness inside since 985 00:35:48,540 --> 00:35:50,819 the measurements are misaligned or that 986 00:35:50,820 --> 00:35:53,309 they involve as a random values that 987 00:35:53,310 --> 00:35:54,479 stay internal. 988 00:35:54,480 --> 00:35:56,549 So who won? Who 989 00:35:56,550 --> 00:35:57,629 wants information on this? 990 00:35:57,630 --> 00:35:59,579 There are a lot of books and papers and 991 00:35:59,580 --> 00:36:01,079 there was the press conference and there 992 00:36:01,080 --> 00:36:02,579 were half of some people just do that. 993 00:36:03,660 --> 00:36:05,729 And however, what I 994 00:36:05,730 --> 00:36:07,139 want to strengthen is that's also the 995 00:36:07,140 --> 00:36:08,669 second line of defense, which is the 996 00:36:08,670 --> 00:36:10,469 system level, which you can very often 997 00:36:10,470 --> 00:36:12,719 also use. 998 00:36:12,720 --> 00:36:14,619 On the one hand, you can try to detect 999 00:36:14,620 --> 00:36:16,499 the Texans in the back end. 1000 00:36:16,500 --> 00:36:18,119 So for a payment system, let's say you 1001 00:36:18,120 --> 00:36:20,339 could have a shadow account for logging 1002 00:36:20,340 --> 00:36:22,649 system you for a logging system, 1003 00:36:22,650 --> 00:36:25,409 you could have a log file if 1004 00:36:25,410 --> 00:36:27,419 the legal situation permits it and your 1005 00:36:27,420 --> 00:36:28,530 privacy policies. 1006 00:36:29,610 --> 00:36:31,199 And on the other end, you can try it 1007 00:36:32,790 --> 00:36:34,679 instead of. This detection tried to 1008 00:36:34,680 --> 00:36:36,599 minimize the impact, and this is where 1009 00:36:36,600 --> 00:36:38,839 key diversification comes into play. 1010 00:36:38,840 --> 00:36:41,049 This means give every device a unique 1011 00:36:41,050 --> 00:36:43,439 key, as it should be never shared keys 1012 00:36:43,440 --> 00:36:45,119 between devices where possible. 1013 00:36:48,030 --> 00:36:50,099 So and this I want to briefly, 1014 00:36:50,100 --> 00:36:53,129 briefly illustrate with my final slide 1015 00:36:53,130 --> 00:36:55,079 let's look at the YubiKey and to locking 1016 00:36:55,080 --> 00:36:57,179 system. So for the YubiKey, it would be 1017 00:36:57,180 --> 00:36:59,849 very well possible to give every token 1018 00:36:59,850 --> 00:37:01,529 a unique key. 1019 00:37:01,530 --> 00:37:03,359 And then an attacker will once, let's 1020 00:37:03,360 --> 00:37:05,699 say, a bridge into a corporate network 1021 00:37:05,700 --> 00:37:07,859 cannot simply take any key and 1022 00:37:07,860 --> 00:37:09,959 extract tokens and go into that 1023 00:37:09,960 --> 00:37:10,919 network. 1024 00:37:10,920 --> 00:37:12,839 But he has to repeat the attack over and 1025 00:37:12,840 --> 00:37:14,909 over again and talking about one 1026 00:37:14,910 --> 00:37:17,579 hour of physical access to such a token, 1027 00:37:17,580 --> 00:37:19,499 which you are likely to keep an eye on, 1028 00:37:19,500 --> 00:37:21,299 especially if it's important. 1029 00:37:21,300 --> 00:37:23,609 Yeah, it will would be very 1030 00:37:23,610 --> 00:37:25,499 complicated in reality, and this attack 1031 00:37:25,500 --> 00:37:26,879 does not scale. 1032 00:37:26,880 --> 00:37:28,649 On the other hand, case of the locking 1033 00:37:28,650 --> 00:37:31,319 system, you need 50 minutes per 1034 00:37:31,320 --> 00:37:33,629 extracting this system wide key, 1035 00:37:33,630 --> 00:37:35,309 which is of no importance and could also 1036 00:37:35,310 --> 00:37:36,900 be one hour or so, actually. 1037 00:37:37,980 --> 00:37:40,289 However, this one key allows you to 1038 00:37:40,290 --> 00:37:42,839 open all doors and one installation. 1039 00:37:42,840 --> 00:37:44,909 So here you have a text that scales. 1040 00:37:44,910 --> 00:37:47,039 You have to attack one door and then 1041 00:37:47,040 --> 00:37:48,029 get full access. 1042 00:37:48,030 --> 00:37:50,159 So this shows the two sides of the 1043 00:37:50,160 --> 00:37:52,739 coin. Oh, somewhat, 1044 00:37:52,740 --> 00:37:54,959 yeah. And was this the pirate ship 1045 00:37:54,960 --> 00:37:57,179 goes back to the Iranian 1046 00:37:57,180 --> 00:37:59,369 shores of boom to 1047 00:37:59,370 --> 00:38:01,469 bust way movements directly connection, 1048 00:38:01,470 --> 00:38:04,499 while some small harbor and some rivers 1049 00:38:04,500 --> 00:38:06,809 and anchors 1050 00:38:06,810 --> 00:38:08,129 anchors there. 1051 00:38:08,130 --> 00:38:11,129 Yeah. Two new adventures. 1052 00:38:11,130 --> 00:38:13,619 So thank you and 1053 00:38:13,620 --> 00:38:15,239 sorry for the technical problem at the 1054 00:38:15,240 --> 00:38:16,240 beginning. 1055 00:38:35,430 --> 00:38:36,149 Question. 1056 00:38:36,150 --> 00:38:37,150 Yeah. If. 1057 00:38:40,950 --> 00:38:41,969 Thank you. 1058 00:38:41,970 --> 00:38:43,079 Here's a question about that. 1059 00:38:43,080 --> 00:38:44,429 How can you be key 1060 00:38:44,430 --> 00:38:46,659 if you actually increase that use counter 1061 00:38:46,660 --> 00:38:48,899 by 700 while doing the task is 1062 00:38:48,900 --> 00:38:50,579 the key to any use anymore? 1063 00:38:50,580 --> 00:38:53,639 Or would system level rejecting 1064 00:38:53,640 --> 00:38:55,559 passports after that? 1065 00:38:55,560 --> 00:38:57,279 So it's not it's not like this. 1066 00:38:57,280 --> 00:38:59,999 So the YubiKey has to count as actually 1067 00:39:00,000 --> 00:39:02,009 it has one counter every time you power 1068 00:39:02,010 --> 00:39:02,999 ups the device. 1069 00:39:03,000 --> 00:39:04,529 This is incremental, and so this is a 1070 00:39:04,530 --> 00:39:06,489 permanent counter, and then it has the 1071 00:39:06,490 --> 00:39:08,549 second counter that goes up to two 1072 00:39:08,550 --> 00:39:09,779 hundred fifty six. 1073 00:39:09,780 --> 00:39:11,669 And only if this counter reps, you also 1074 00:39:11,670 --> 00:39:13,769 incrementally use the permanent 1075 00:39:13,770 --> 00:39:15,569 counter. So you would have an increase 1076 00:39:15,570 --> 00:39:17,849 maybe by three or so, by 1077 00:39:17,850 --> 00:39:19,769 two to three. Yeah. 1078 00:39:19,770 --> 00:39:22,259 So this is relatively unlikely 1079 00:39:22,260 --> 00:39:23,260 to be detected. 1080 00:39:25,140 --> 00:39:26,140 Microphone one 1081 00:39:27,630 --> 00:39:30,269 Yeah. You uh, you had, 1082 00:39:30,270 --> 00:39:32,909 uh, you had a question mark with the 1083 00:39:32,910 --> 00:39:34,799 other unique keys for the YubiKey. 1084 00:39:34,800 --> 00:39:37,499 So, uh, do you know if the 1085 00:39:37,500 --> 00:39:39,299 if ever YubiKey has a unique key? 1086 00:39:39,300 --> 00:39:41,279 Or are you unsure about this? 1087 00:39:41,280 --> 00:39:43,229 Or do you know that some of them have the 1088 00:39:43,230 --> 00:39:44,249 same key? 1089 00:39:44,250 --> 00:39:45,389 No, you can set it yourself. 1090 00:39:45,390 --> 00:39:47,699 So there is the utility where you can. 1091 00:39:47,700 --> 00:39:49,619 The key is right only. 1092 00:39:49,620 --> 00:39:51,419 So you can always set a new key, but you 1093 00:39:51,420 --> 00:39:53,369 will render the device useless if you 1094 00:39:53,370 --> 00:39:54,929 override the old key. 1095 00:39:54,930 --> 00:39:57,359 So everybody is free to do whatever 1096 00:39:57,360 --> 00:39:59,789 he once was. YubiKey So you can 1097 00:39:59,790 --> 00:40:01,499 perfectly set up a secure system with 1098 00:40:01,500 --> 00:40:02,189 that. 1099 00:40:02,190 --> 00:40:04,919 So you can. Default keys are random or 1100 00:40:04,920 --> 00:40:07,019 the default keys are, 1101 00:40:07,020 --> 00:40:09,149 I don't know, but they do not, and it's 1102 00:40:09,150 --> 00:40:10,859 probably the zero, I would say. 1103 00:40:10,860 --> 00:40:12,689 But I mean, if you set up your system and 1104 00:40:12,690 --> 00:40:14,879 you put the keys that you cannot read 1105 00:40:14,880 --> 00:40:16,769 into or you put a zero key into your 1106 00:40:16,770 --> 00:40:18,449 database and it's your fault. 1107 00:40:22,530 --> 00:40:24,059 So you said there's an updated firmware 1108 00:40:24,060 --> 00:40:24,989 now for YubiKey. 1109 00:40:24,990 --> 00:40:27,059 Do you know how they protect against your 1110 00:40:27,060 --> 00:40:28,889 attack and are you allowed to tell? 1111 00:40:28,890 --> 00:40:31,739 Um, I know personally, 1112 00:40:31,740 --> 00:40:33,329 I would rather not speak about this now. 1113 00:40:33,330 --> 00:40:34,330 OK, well, thanks. 1114 00:40:35,370 --> 00:40:37,439 Um, so you can you can 1115 00:40:37,440 --> 00:40:38,889 perfectly contact them. 1116 00:40:38,890 --> 00:40:40,529 OK, so they are very open with this, I 1117 00:40:40,530 --> 00:40:41,639 think. 1118 00:40:41,640 --> 00:40:43,829 Um, yeah. 1119 00:40:43,830 --> 00:40:45,299 I was just wondering, what's the reason 1120 00:40:45,300 --> 00:40:47,939 for that? Ninety two and uh, 1121 00:40:47,940 --> 00:40:50,219 one to the last slide 1122 00:40:50,220 --> 00:40:52,799 for what? And there was a ninety two here 1123 00:40:52,800 --> 00:40:53,800 in 1124 00:40:54,270 --> 00:40:56,879 ninety four as this is a slight no, 1125 00:40:56,880 --> 00:40:57,779 it's everywhere. 1126 00:40:57,780 --> 00:40:59,909 Really, this is 1127 00:40:59,910 --> 00:41:01,800 like crazy, 1128 00:41:03,790 --> 00:41:04,790 right? 1129 00:41:06,330 --> 00:41:08,699 OK. The last remark is just to use 1130 00:41:08,700 --> 00:41:10,260 this as exit and. 1131 00:41:12,840 --> 00:41:14,969 Don't forget to tweet these amazing 1132 00:41:14,970 --> 00:41:16,739 talk. Thank you, thank.