# Power-Based Side-Channel Attack for AES Key Extraction on a ATMega328 controller

Utsav Banerjee, Lisa Ho, and Skanda Koppula

Abstract—We demonstrate extraction of a private-key from Flash program memory on the ATMega328 microcontroller (the controller used on the popular Arduino Genuino/Uno board). We loaded a standard AVR-architecture AES implementation onto the chip and ran this implementation to encrypt 500 randomly chosen plaintexts. By carefully measuring the chips power consumption, we were able to correlate the consumed power with the input plaintexts and key values that might be used to encrypt each AES block, and back-derive the hard-coded key used for encryption. We describe here our test infrastructure for automated power trace collection, an overview of our correlation attack, sanitization of the traces and interesting stumbling blocks encountered during data collection and analysis, and the results of our attack.

Index Terms—AES, side-channel, power consumption, AT-Mega328, Correlation Power Analysis

#### I. INTRODUCTION

The recent wave of concern about data privacy has brought attention to the necessity for more broadly adopted encryption algorithms. One of the more popular symmetric-key algorithms, Advanced Encryption Standard (AES), has been the U.S. government standard since 2002 (ISO/IEC 18033-3), and used in a multitude of applications: SSL/TLS protocols [1], Kerberos [2], and demonstrably secure embedded devices [3]. This last application in particular, embedded devices, has seen much growth in recent years, given the advantages of computation on smaller embedded devices: low power, lower system latency, and generally smaller device size.

Small hardware implementations, however, are notoriously vulnerable to a range of side-channel attacks [4]. Timing, electromagnetic radiation, and power consumption are just three commonly exploited vectors used to leak information about ongoing computations and data on the chip. Knowing that a device architecture is amiable to side-channel exploitation is useful in deciding whether to execute unprotected sensitive computations or store data on devices with similar memory and processor characteristics.

We aim to demonstrate a reasonably realistic side-channel attack on AES on one such embedded device: the ATMega328 microcontroller produced by Atmel. The ATMega328 is the

All authors are with the Department of Electrical and Computer Engineering, Massachusetts Institute of Technology, Cambridge, MA, 02139 USA

To contact the authors: utsav@mit.edu, lisaho@mit.edu, and skandak@mit.edu

Manuscript completed for 6.858 Computer Systems Security; completed on December 5, 2015

basis for the widely popular development board, Arduino Uno

In section two, we review for the read the theoretical ideas underpinning our attack. In section three, we describe our implementations our hardware setup, power measurement infrastructure, correlation methodologies, instructive problems that we encountered, and overview the structure of our source code. In section four, we describe quantitatively describe the results of our attack.

#### II. PRELIMINARIES

## A. Controller Specifications

The ATMega328 family of chips is an 8-bit microcontroller series with 32 KB of NAND-type flash and 2KB of SRAM. The controller runs off a 16 MHz external clock on the Arduino board. Typical power consumption of the chip ranges from 7 to 12V, with a 20mA current draw, depending on the peripheral and I/O pin usage [?]. Out attack exploits the NAND-type flash memory architecture that consumes marginally more power when accessing addresses that store bits with lower Hamming weight (in order to charge and recharge the memory cell line) [?].

The encryption program running on our ATMega328 uses an Arduino-specific port of the avr-crypto-lib by Davy Landman and Bochum Hackerspace [5] [6]. AESLib is one of the more widely-used AES implementations for Arduino, and includes support for ECB and CBC-modes of AES. Our team decided that ECB-mode would be more amiable to a power correlation attack, and correspondingly chose to exploit the library's AES-ECB implementation. We discuss ECB in further depth in section 3.D.

#### B. Correlation Power Analysis

#### III. PROTOCOLS AND PROCEDURE

# A. Data Collection Infrastructure

- Discuss trigger with memoery mapped register with assembly sbi instruction, schematic for collection, oscilloscope model/programmer model GPIB with assembly sbi instruction.
- Faraday shield metal box
- fast frames

<sup>1</sup>Other models of the Arduino, such as the Arduino Mega and Arduino Genuino Micro use ATMega chips as well, that have a similar architecture to the ATMega328. It is possible that this attack could be adapted to those chips as well.

#### 2

#### B. Implementation of CPA and Power Model

- discuss different power models we've tried, faster correlation

#### C. Instructive Problems Encountered (and Panaceas)

-

- remove difAmp -¿ increase resistor value -¿ increase bandwidth?//used to measure current before
- · serial print adds noise
- · averaging to solve dc shift
- · interrupt introduces clock jitter
- · adding nops to prevent asyncronous / delay
- original hypothesis about sbox: SBox bad for correlation?
  the flash architecture -i bit block bit block bar
- FUNDAMENTALLY A PROBLEM WITH DATA

# D. Caveats

We address concerns and discuss the drawbacks for our chosen method of attack:

- We chose to attack the Arduino library's implementation AES-ECB mode. Althought ECB is not semantically secure (e.g. you can derive information about the plaintext from the ciphertext), ECB is still (unfortunately) used as the default option in a number of crypto-suites, avr-crypto-lib included. This is because of it's relatively simple implementation, compared to other more sophisticated modes of AES. Furthermore, our attack does not exploit the plaintext-ciphertext correlations in ECB to derive the key; rather, it uses our power sidechannel. For our team's first power-trace based attack, we chose a mode that we were confident that might have some correlation with the plaintext-key-guess XOR (the first computation in the first step of ECB). It might be possible to adapt our attack to CBC-mode as well. presence of trigger - more - go over the graphs, and timing/accuracy results of tests

#### E. Overview of Source Code

- overview everything in dropbox

#### IV. RESULTS

### ACKNOWLEDGMENT

The authors would like to extend our deepest thanks to Chiraag Juvekar of the Energy Efficient Digital Circuits group (where the authors work) for the time he spent with us aiding our debugging of data collection and analysis problems. We would also like to thank Albert Kwon, our TA, for his insightful advice over the course of the project.

#### REFERENCES

- Lee, Homin K and Malkin, Tal and Nahum, Erich, Cryptographic strength of ssl/tls servers: current and recent practices. Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, 2007.
- [2] Rathore, Romendrapal Singh and Pal, BL and Kumar, Shiv. Analysis and Improvement in Kerberos 5. 2015.

- [3] Altera Corporation, FPGAs with built-in AES: The key to secure system designs. Embedded Computing Design, July 15, 2008.
- [4] Oswald, Elisabeth, et al. Side-Channel Analysis Resistant Description of the AES S-Box. 2005.
- [5] https://github.com/DavyLandman/AESLib. Arduino AESLib. 2015.
- [6] http://www.das-labor.org/wiki/AVR-Crypto-Lib/en. AVR-Crypto-Lib. 2013.