AES-CCM Attack

Revision as of 09:13, 2 November 2016 by Coflynn (Talk | contribs)

Revision as of 09:13, 2 November 2016 by Coflynn (Talk | contribs)

WARNING: This page under construction!

The following is an overview of the AES-CMM attack done by Eyal Ronen, detailed in his paper IoT Goes Nuclear: Creating a ZigBee Chain Reaction. If using this attack please do not cite this page, instead cite the original research. Note as of now (Nov/2016) the paper has not been submitted to any conference, so this is still very much new/draft research.

This page is presented as an example of using Python/ChipWhisperer to perform attacks against the AES-CCM cipher, without needing to do a more complex attack against AES-CTR mode.

AES-CCM Overview

AES-CCM provides both encryption and authentication using the AES block cipher. This is a widely used mode since it requires only a single cryptographic primitive. That primitive is used in two different modes: CBC and CTR mode. The difference is explained below:

Cipher Block Chaining (CBC): The plaintext is XORed with the previous ciphertext before being encrypted. There is no ciphertext before the first plaintext, so a randomly chosen initialization vector (IV) is used instead:

Block-Cipher-CBC.png

Counter (CTR): An incrementing counter is encrypted to produce a sequence of blocks, which are XORed with the plaintexts to produce the ciphertexts:

Block-Cipher-CTR.png


Background on Attack

The following uses the notation from IoT Goes Nuclear: Creating a ZigBee Chain Reaction.

Assume first the basic AES-ECB cipher is $CT = E_k(PT)$, where we are encrypting a block with secret key $k$.

AES-CCM combines AES-CTR mode and AES-CBC mode as mentioned. We could consider AES-CTR to be performing the following operation:


PT = E_k({IV || m}) \oplus CT


Performing Attack

Building Example

Collecting Traces

Step #1: AES-CBC MAC Block #1

Step #2: AES-CBC MAC Block #2

Step #3: Recovery of AES-CTR Nonce

Step #4: Recovery of AES-CBC I.V.

Step #5: AES-CTR Pad