Son Pour Analyse

hardware side channel attacks FCSC 2021 solved on

star star star

Description

An embedded equipment, a tablet, includes a mechanism to exchange data securely with a data server.

To authenticate the data sent by this tablet, a signature is appended to each file sent. The signature is calculated as follows:

RSA-CRT(SHA256(fichier))

which can for instance be implemented this way in Python:

import hashlib
f = open('public/ANSSI_ref.png','rb')
raw = bytearray(f.read())
m = hashlib.sha256(raw).digest()
m = int.from_bytes(m, byteorder='big', signed=False)
signature = pow_crt(m, d, p, q)
print(f"{signature.hex()}")

The signature for the reference image ANSSI_ref.png would therefore be:

39eb497f830a302f41818784cf83bff1d245e2a2d5e1dc04996d57443bcc4a5fde3650ad11a70267fd4c34d922c47633d2decb21d30d42215766485acf6399d1f9639419d2104376070045b8401470e56fc3b21cc4b2e5d6443cb1beef4815db6725cf0226d49d8e17199c6075dd78f393e265ad350ac79c5be18fc6c9981de1

that could easily be verified using the RSA public key:

e = 65537
n = 114181065031786564590139505995090932681603488058093695383755920020714540043378009781380110655253006728353171921382633045444731450267353184468441566668432893992049978192406103162591416659000523363797206479008373775089128981682147631692898693610665109453356689955829711356078688003770094519986009441791800904261

One of our side channel intern discovered a strange behaviour concerning the implementation of RSA-CRT on this tablet: despite the usage of classical side channel attack countermeasures to prevent timing attacks and simple power analysis (SPA), it seems that sensitive information leaks in the audible spectrum! The countermeasure used is the Montgomery method: it consists in the use of a modular exponentiation which does not show any difference in calculation between the different bits of the RSA secret exponents dp and dq.

def montgomery(a, e, n):
    exp = map(int, f"{e:b}")
    out = [1, a]
    for i in exp:
        out[1 - i] = (out[0] * out[1]) % n
        out[i] = (out[i] ** 2) % n
    return out[0]

However, this apprentice who has perfect pitch, noticed a slight sound difference. To do this, she slowed down the computing speed of the tablet to the minimum and recorded the sounds made by the tablet while computing a cryptographic signature. As she did, can you find the RSA secrets using this recording?

Prove it by calculating the SHA256 of the signature of the audio file containing the recording you just analyzed. The flag can be calculated as follows:

import hashlib
f = open('public/RSA.wav', 'rb')
raw = bytearray(f.read())
m = hashlib.sha256(raw).digest()
m = int.from_bytes(m, byteorder = 'big', signed = False)
sig = pow(m, d, n)
flag = hashlib.sha256(sig.to_bytes(128, byteorder = "big")).digest()
print(f"FCSC{{{flag.hex()}}}")

Files

  • ANSSI_ref.png
    241.62 KiB – 9bb8cd76365a5fbca814c6a0817752bd6337bd892f70b6b09f6147a398fec6ed
  • RSA.wav
    5.29 MiB – 53e2d4d94c963e7f9fa546dc4117ff386c9390998ac2a78dbf59e506e311e219

Author

Guena

Flag

Share my success on Fediverse, Twitter, Linkedin, Facebook, or via email.

Submit your solution

You can submit your writeup for this challenge. Read the FAQ to learn how to proceed.

You need to be logged in to submit a writeup.

Writeups

There are no public solutions for this challenge yet, but you can submit yours after getting the flag.