Brissouille / Lagrange

Cryptanalysis on different algorithms with z3 solver sat
GNU General Public License v3.0

Fault Attack (DFA) on AES to implement #4

Closed Brissouille closed 5 years ago

Brissouille commented 5 years ago

The goal is to combine two AES (one with a fault and another without) in order to write an equation and solve it.

Brissouille commented 5 years ago

The questions are: How to combine the two AES? Is there a unique solution or not?

Brissouille commented 5 years ago

I think the number of solutions is not unique but reasonable, so I try to use the ForAll method in z3 or just a while loop. For the combination, I must slightly modify the aes primitive (aes.py) in order to output the intermediate value. The solver takes the intermediate value into account to exploit the fault.

Brissouille commented 5 years ago

I had to modify aes.py to exhibit the intermediate value of the aes. I try to insert a fault in state 8 and reproduce the last rounds but it does not work.

Brissouille commented 5 years ago

The fault model works. I had to modify the aes.py class again. I removed the reset solver function from the encryption function. Indeed, without that, the value of the fault is not taken into account. To be seen: whether I externalize the reset function or not.

Brissouille commented 5 years ago

I created the DFA class to perform the dfa. The class is composed of 2 attributes (aes).

Brissouille commented 5 years ago

To perform a dfa, we need more than 2 aes, so I create a list of aes pairs (one safe and one faulted). When the dfa is reset, the list is deleted.

Brissouille commented 5 years ago

To initialize the dfa we have the insert function (maybe change the name), which creates a list of safe and faulted aes. Nevertheless, the exploit function just takes 2 arguments as parameters. Does it take a list of safe and a list of faulted? Does it take a list of safe and faulted aes pairs?

Brissouille commented 5 years ago

I took a list of safe and faulted aes pairs.

Brissouille commented 5 years ago

DFA works with a little trick: I transform the intermediate state of the AES. Thanks to this, the solver can find a solution for K10. I can attack byte 0 and retrieve K10[0], K10[7], K10[10] and K10[13] according to the article and it works.

Brissouille commented 5 years ago

I think about "how to attack by DFA": "First K10 and after MasterKey or directly MasterKey". In the first case, there is a chance to not retrieve a byte but it can be detected and a brute force is possible. In the second case, if there is a mistake when I retrieve the bytes, it is not detected.

Brissouille commented 5 years ago

I choose to attack only K10, because it's too boring. The DFA class is just a POC to show the SAT solver's application.

Brissouille commented 5 years ago

I save the attacked byte for the exploit function.
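
Added example, not part of the thread and not the Lagrange project's code: it illustrates the question raised above about whether the solution is unique, showing that one safe/faulted pair leaves many guesses for K10[0], K10[13], K10[10] and K10[7] and that intersecting pairs narrows them to one. It replaces the z3 solver with an exhaustive search over the same difference equations, simulates only the last round on constructed data, and assumes a single-byte fault on state byte 0 entering the round-9 MixColumns; all function names are this example's own.

```python
import itertools
import random

def xtime(a):
    """Multiply by 2 in GF(2^8) modulo the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def build_sbox():
    """AES S-box: field inverse (walking powers of 3) then the affine map."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p ^= xtime(p)                                   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        q ^= 0x09 if q & 0x80 else 0                    # together: q /= 3
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = build_sbox()
INV = [SBOX.index(v) for v in range(256)]
# MixColumns spreads the fault f as (2f, f, f, 3f) onto K10[0], K10[13], K10[10], K10[7].
COEF = (xtime, lambda f: f, lambda f: f, lambda f: xtime(f) ^ f)

def last_round_pair(key4, rng):
    """Constructed data: safe and faulted ciphertext bytes for one encryption."""
    f = rng.randrange(1, 256)                   # unknown non-zero fault value
    x = [rng.randrange(256) for _ in range(4)]  # bytes entering round-10 SubBytes
    safe = [SBOX[x[i]] ^ key4[i] for i in range(4)]
    faulted = [SBOX[x[i] ^ COEF[i](f)] ^ key4[i] for i in range(4)]
    return safe, faulted

def candidates(safe, faulted):
    """Every guess for the four K10 bytes that one pair allows, over all f."""
    out = set()
    for f in range(1, 256):
        per_byte = [[k for k in range(256)
                     if INV[safe[i] ^ k] ^ INV[faulted[i] ^ k] == COEF[i](f)]
                    for i in range(4)]
        out.update(itertools.product(*per_byte))
    return out

def recover(key4, seed):
    """Intersect candidate sets over fresh pairs until one guess remains."""
    keys, used, rng = None, 0, random.Random(seed)
    while keys is None or len(keys) > 1:
        found = candidates(*last_round_pair(key4, rng))
        keys = found if keys is None else keys & found
        used += 1
    return keys.pop(), used
```

`recover` returns the surviving four-byte guess and the number of pairs it needed; a single pair always leaves at least 16 guesses, because swapping the safe and faulted bytes satisfies the same equation.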