AES key recovery doesn't work for the PSOC62 target board

Embedded Security Side Channel Power Analysis
1

Hi.

I recently got another one target board to evaluate which is PSOC62 based target board (CW308T-PSoC62 - NewAE Hardware Product Documentation).
This board has pretty interesting MCU.
I didn’t find any information in the Newae resources regarding countermeasures to protect AES for the PSOC62 MCU.
At the first glance, there are no random delays but the AES-128 key cannot be recovered using the “lastround_HD_gen”, “sboxInOut_HD_gen”, “sbox_HW_gen” leakage models.

The complete picture of AES-128 pass looks:

psoc62_aes_whole
psoc62_aes_whole2808×1466 501 KB

This picture clearly reveals AES location in the power traces.

Zoomed in picture looks:

psoc62_aes_zoom
psoc62_aes_zoom1920×1020 187 KB

Using the “lastround_HD_gen” attack, we can take safely take the range [2000 … 2500] but for the “sbox_HW_gen”, “sboxInOut_HD_gen” the range [1500 … 2000].

More zoomed in picture which looks perfect in my opinion:

psoc62_more_zoomin
psoc62_more_zoomin2810×1484 419 KB

As a result I get only junk bytes for the key regardless of having perfect power traces:

psoc6_junk
psoc6_junk1478×650 55.7 KB

Does PSOC62 use masking to protect HW AES? Did someone break HW AES-128 on this MCU?

2

@coflynn Probably, you are a right person to ask this question…
I guess you originally developed this target board. Was this board developed with the intentions to get the HW AES implementation protected by masking?
Or PSoC62 has no masking protection?

3

Hi @NewDwarf, thanks to share your interesting experiments. Would you please provide the source of the firmware you used for this analysis. It would help a lot for comparing your result with mine.

4

I am not the OP and I have no specific experience with this target, but the datasheet does not suggest any side-channel attack protections.

I also don’t know whether the OP used the target’s HW AES capabilities here.

6

Finally, figured out the suitable leakage model. It is Sbox input. I am not sure why but using standard CW API didn’t revealed leak.

I just created a set of custom leak models and this one works for PSOC62 target

def model_hwf1(plaintext, key_guess, target_byte):
    """HWF1: HW(PT ⊕ KEY)"""
    return bin(plaintext[target_byte] ^ key_guess).count('1')

Here is the consolidated result for all different models with using the correct key 0x15

summary_byte2_key15
summary_byte2_key152083×1475 197 KB

Same, but for wrong key candidate

summary_byte2_key20
summary_byte2_key202080×1475 475 KB

So, HW(PT ⊕ KEY) leakage model is a solution for this target!