How to break AES encryption using a side-channel attack?

Introduction

    Encryption is a fundamental part of modern digital systems. It protects sensitive information such as passwords, financial transactions, and personal data from unauthorized access. One of the most widely used encryption algorithms today is the Advanced Encryption Standard (AES). It is trusted across industries because of its strong mathematical design, which makes it extremely difficult to break using conventional cryptographic attacks.

    So I know what you might be thinking. If AES is so secure, is it impossible to extract the secret key? 

    The answer is not as simple as it seems. While AES itself is mathematically secure, it is always implemented on physical hardware such as micro-controllers, embedded systems, or processors. These physical devices do not operate in a perfectly isolated environment. During execution, they exhibit observable behavior such as power consumption, timing variations, and electromagnetic emissions. These behaviors depend on the internal data being processed.

     This is where side-channel attacks come into the picture. Instead of attacking the encryption algorithm directly, side-channel attacks focus on these physical leakages. By carefully observing how a device behaves while performing encryption, it is possible to infer information about the secret key without ever accessing it directly.

 Understanding Power Leakage

     To understand how this works, it is important to look at how a micro-controller works at a low level. A micro-controller consists of millions of transistors that switch between ON and OFF states during computation. Every time a transistor switches, it consumes a small amount of electrical power.

         The key point here is that the amount of power consumed is not constant. It depends on the data being processed.

    If more bits in a binary value are ‘1’, more switching activity occurs, and more power is consumed. If fewer bits are ‘1’, the switching activity is lower, and less power is used. This creates a relationship between the data inside the device and the power it consumes. 

    So, even though we cannot directly see the data being processed, we can observe its effect through power consumption.

Where Does the Key Come into Play?

To understand how the secret key leaks, it is necessary to examine how AES processes data during encryption. AES does not use the key in a single isolated step; instead, the key is combined with the data at multiple stages throughout the algorithm.

One of the most important points for side-channel analysis occurs in the first round of AES, specifically during the transition from the AddRoundKey operation to the SubBytes (S-box) transformation.

 

 

    At the beginning of encryption, the plaintext is combined with the secret key using a bitwise XOR operation: 

Intermediate Input = Plaintext ⊕ Key

    This operation produces a new value where each bit depends on both the plaintext and the corresponding bit of the key. Since the plaintext is known and the key is unknown, this step establishes a direct relationship between known and unknown values.

     This result is then passed through the S-box, which performs a non-linear substitution: 

Intermediate Value = SBOX(Plaintext ⊕ Key)

 

    This intermediate value crucial for side-channel analysis for two main reasons. 

    First, it is the earliest point in the AES algorithm where the key directly influences the computation. Targeting early operations is beneficial because the signal is less affected by noise introduced in later stages of the algorithm.

    Second, this value is actually processed by the hardware. It is stored in registers and manipulated by the micro-controller, meaning that its computation involves physical switching activity inside the device, which causes measurable variations in power consumption.

What Physically Happens Inside the Device

 When the intermediate value is computed:

  • The micro-controller loads the value into a register.
  • Bits transition between 0 and 1.
  • Transistors switch ON and OFF.
  • Electrical current flows through the circuit

 The amount of switching depends on the bit pattern of the intermediate value.

For example:

  • A value with many ‘1’s causes more switching activity.
  • A value with fewer ‘1’s causes less switching

    Since switching activity directly affects power consumption, different intermediate values produce different power patterns.

    Because this intermediate value depends on the key, the power consumption indirectly carries information about the key.

Why This Step Is Targeted in the Attack

     The Sub-bytes input/output is chosen for side-channel analysis because it satisfies three critical conditions:

  • Dependency on Known and Unknown Values 

         The intermediate value depends on both plaintext (known) and key (unknown), making it suitable for guessing the key.

  • Non-Linearity 

          The S-box introduces a non-linear transformation, which creates unique patterns for different key guesses. This helps distinguish the correct key from incorrect ones.

  • Direct Hardware Interaction 

         The intermediate value is actively processed by the micro-controller, causing observable power consumption changes.

How This Enables the Attack

Since the plaintext is known, an attacker can simulate this computation for every possible key guess:

  1. Assume a key value
  2. Compute: SBOX(Plaintext ⊕ Key Guess)
  3. Estimate power consumption using a model (Hamming Weight)
  4. Compare with actual measured power

If the guessed key is correct:

  • The predicted intermediate values match the real internal values.
  • The predicted power aligns with the actual measured traces.

If the guess is incorrect:

  • The predicted values do not match.
  • No consistent pattern is observed.
  • Correlation remains low.

This difference in correlation is what allows the correct key to be identified.

Capturing the Power Traces

    Once the point of leakage is identified, the next step is observe it. This is done by measuring the power consumed by the device while it performs encryption. 

    In this project, the ChipWhisperer Nano is used to capture power consumption from a STM32F103 micro-controller which is the Device Under Test(DUT). The DUT is connected in such a way that all the current flowing into the micro-controller can be monitored. As the micro-controller executes a software implementation of AES and starts encrypting plaintext, the ChipWhisperer records how the power changes over time.

    Each encryption operation produces a power trace, which is essentially a sequence of voltage or current measurements taken at very small-time intervals. This trace represents how the power varies over time during the execution of AES.

    However, a single trace is not sufficient for analysis. This is because real-world measurements are affected by noise from various sources such as electrical interference, measurement limitations, and internal hardware variations. As a result, the leakage related to the key is not clearly visible in any individual trace.

To overcome this, the encryption process is repeated multiple times.

For each iteration:

  • A new random plaintext is used
  • The same secret key is retained
  • A new power trace is captured

By collecting thousands of such traces, we obtain a dataset where the effect of noise can be reduced through statistical analysis, while the underlying patterns related to the key remain consistent.

 

 

x-axis → Time / Sample Index 

y-axis → Power Consumption 

 Triggering and Alignment

    An important challenge in capturing traces is ensuring that all measurements are aligned in time.

The micro-controller does not automatically indicate when encryption starts, so a trigger mechanism is used. The ChipWhisperer Nano is configured to begin recording power consumption exactly when the encryption operation starts.
This ensures that:

  • The same operation occurs at the same time index in every trace
  • All traces are properly aligned

    Without alignment, even small timing differences would shift the position of operations across traces, making it impossible to compare them accurately.

 Making Sense of the Data

    After collecting a large number of traces, the next step is to extract meaningful information from them. At this stage, the raw traces are just numerical data representing power over time, and the relationship with the key is not immediately visible.

    To interpret the data, we need a model that connects internal computations to power consumption. This is achieved using the Hamming Weight model.

    The Hamming Weight of a value is defined as the number of bits set to ‘1’ in its binary representation. Since more ‘1’s generally result in more switching activity, the Hamming Weight provides a simple estimate of power consumption.

    For each trace and each key guess:

  1. The known plaintext is taken
  2. A key guess is assumed
  3. The intermediate value is computed: SBOX(Plaintext ⊕ Key Guess)
  4. The Hamming Weight of this value is calculated

    This produces a predicted power value for each trace.

Comparing Prediction with Reality

    Now we have two sets of data:

  • Predicted power values (from the leakage model)
  • Actual power traces (from measurements)

    The goal is to determine how closely these two sets match.

    This is done using Correlation Power Analysis (CPA), which computes the Pearson correlation between predicted and actual values.
 

    If the key guess is correct:

  • The predicted power reflects the actual internal computations
  • A strong correlation is observed
  • A distinct peak appears in the correlation graph

    If the key guess is incorrect:

  • The prediction does not match the real behavior
  • Correlation remains low and scattered

Finding the Correct Key

    The next step is to compare the predicted power values with the actual measured traces. This is done using Correlation Power Analysis (CPA).CPA measures how closely the predicted power matches the actual power consumption. This comparison is performed using a statistical measure called the Pearson correlation coefficient. 

    If the key guess is incorrect, there will be no meaningful relationship between the predicted and actual power, resulting in low correlation. However, if the guess is correct, the predicted values will closely match the measured traces, producing a high correlation value.

    By evaluating all possible key guesses and selecting the one with the highest correlation, the correct key can be identified. 

What This Means?

    The outcome of this experiment shows that it is possible to recover the secret key without breaking the AES algorithm itself. Instead, the attack relies entirely on analyzing physical leakage from the hardware. This highlights an important insight in modern security. The strength of an encryption algorithm alone is not enough. The way it is implemented in hardware plays an equally important role.

  Even a mathematically secure algorithm can become vulnerable if its implementation leaks information.

Final Thoughts

    Side-channel attacks demonstrate that security is not just about strong algorithms but also about secure implementations. As embedded systems continue to grow in importance, understanding and mitigating such vulnerabilities becomes essential.

    Thus side-channel attacks serve as a practical example of how physical observations, combined with statistical analysis, can reveal secrets that are otherwise considered secure. 

Comments

Post a Comment

Popular posts from this blog

Application of the ISO26262 Functional Safety standard for MCAL development

  Introduction      In my previous blogs we have talked about AUTOSAR and MCAL and briefly about how to develop a plug-in for Elektrobit's EBTresos. In this blog we will talk about how to apply the ISO26262 FuSa(Functional Safety) standard when developing a MCAL.         The ISO26262 standard, which is based on IEC61508, is a risk-based safety standard where the risk of hazardous operational situations is qualitatively assessed and safety measures are defined to avoid or control systematic failures and to detect or control random hardware failures, or mitigate their effects.      Goals of ISO 26262: Provides an automotive safety lifecycle (management, development, production, operation, service, decommissioning) and supports tailoring the necessary activities during these lifecycle phases. Covers functional safety aspects of the entire development process (including such activities as requirements specification, design, ...
Read more

What's AUTOSAR and MCAL?

Image
  What is AUTOSAR and MCAL?   Introduction        AUTOSAR ( AUT omotive O pen S ystem AR chitecture) which is a global development partnership, was started in 2003. It is a open architecture which enables OEMs to reduce the development time for ECUs by the use of configuration over code development. The objectives are scalability to different vehicle and platform variants, transferability of software, consideration of availability and safety requirements, cooperation between different partners, sustainable use of natural resources and maintainability during the product lifecycle .The philosophy of AUTOSAR is to collaborate on the development of the standard and compete on the implementation.           AUTOSAR follows a layered approach to software development with the complete software split into multiple layers such as Application layer(SW-Cs), Runtime environment (RTE) and the Basic software (BSW).     ...
Read more

MCAL development using Elektrobit's EBTresos MCG

  Introduction           In my previous blog I have talked about what the open architecture AUTOSAR is and how it helps OEMs in rapidly developing and deploying their solutions. I have also covered the role of MCAL as the layer closest to the HW and which interacts with the HW directly. We have also understood that any module in the BSW consists of a static code and a generated configuration. The configuration is generated using a MCG(Module Configuration Generator) tool. In this blog we look at how we can use 2 of the most commonly used MCG tools viz. Elektrobit's EBTresos and Vector Informatik's DaVinci Configurator Pro to develop the MCAL. Development of the MCAL as a EBTresos plugin Identifying the configuration parameters           The process of developing a MCAL for any tool begins with identifying the different containers and the configuration parameters which are under the specific containers. The process of ide...
Read more