SCHaiku

Description

An embedded device, a tablet, that has a secure exchange system with a data server has just been analyzed by one of our interns on side channels.

To authenticate the server, a challenge-response system is implemented as defense-in-depth. More specifically, this step goes as follows. The server sends a challenge P (a random 128-bit plaintext) to the tablet. The tablet computes a ciphertext C from P and a secret key K (shared between the tablet and the server) with:

C = AES128-ECB(K, P)

and then sends C to the server to authenticate itself. (The same steps are performed in the other direction to reach mutual authentication).

In parallel to the encryption, the tablet displays an image on its screen. Our colleague noticed that interference appeared on some part of the image during this computation.

Can you find the key from these potential information leaks?

To do so, he has prepared an animated PNG (SCHaiku.png) showing the reference image and those corresponding to different encryptions. The ordered list of challenges corresponding to each of the parasitized images is also given (challenges.txt).

Additional information: the display is done using elementary blocks of 4 pixels. The synchronization between the display of the elementary blocks and the cryptographic computation is not perfect: the only thing we can be sure of is that the interference only occurs on exactly one pixel among the 4 in a block.

The flag is obtained by finding the challenge corresponding to this ciphertext sent by the server: d048821b99bca6758115e7a403bff427.