Exploiting the Physical Disparity: Side-Channel Attacks on Memory Encryption

  • Thomas Unterluggauer
  • Stefan Mangard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9689)


Memory and disk encryption is a common measure to protect sensitive information in memory from adversaries with physical access. However, physical access also comes with the risk of physical attacks. As these may pose a threat to memory confidentiality, this paper investigates contemporary memory and disk encryption schemes and their implementations with respect to Differential Power Analysis (DPA) and Differential Fault Analysis (DFA). It shows that DPA and DFA recover the keys of all the investigated schemes, including the tweakable block ciphers XEX and XTS. This paper also verifies the feasibility of such attacks in practice. Using the EM side channel, a DPA on the disk encryption employed within the ext4 file system is shown to reveal the used master key on a Zynq Z-7010 system on chip. The results suggest that memory and disk encryption secure against physical attackers is at least four times more expensive.
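As an added illustration of the kind of key recovery the abstract refers to (this is example code written for this page, not the authors' code or their measurement setup): XTS derives the tweak for a sector by AES-encrypting the sector index under the second key K2, so an attacker who records the power or EM trace of that encryption has a known plaintext and can run a standard correlation power analysis (CPA, the correlation-based form of DPA) with a Hamming-weight leakage model against the first-round S-box outputs. The simulation below constructs everything: the traces are synthetic (Hamming weight of one S-box output per sample plus Gaussian noise), and the key, the 64-bit sector indices, the noise level and the trace count are assumed values chosen for the demonstration.

```python
"""Simulated first-round CPA against the XTS tweak encryption E_K2(sector index).

Added example, not the paper's code.  Leakage model, key, sector indices,
noise level and trace count are all constructed for the simulation.
"""
import math
import random
from typing import List, Optional


def _build_sbox() -> List[int]:
    """AES S-box from GF(2^8) inversion plus the affine map (no hand-typed
    table).  p walks the powers of 3, q tracks the inverse 1/p."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p *= 3
        q ^= q << 1                                             # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # affine map
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63                                              # 0 has no inverse
    return sbox


SBOX = _build_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming-weight table


def xts_tweak_input(sector_index: int) -> bytes:
    """IEEE 1619 tweak block: the 128-bit data-unit number, little-endian.
    This is the AES input under K2 that the attacker knows."""
    return sector_index.to_bytes(16, "little")


def simulate_trace(key: bytes, block: bytes, rng: random.Random, sigma: float) -> List[float]:
    """Synthetic leakage of AddRoundKey + SubBytes in round 1: one sample per
    state byte, Hamming weight of the S-box output plus N(0, sigma) noise."""
    return [HW[SBOX[block[i] ^ key[i]]] + rng.gauss(0.0, sigma) for i in range(16)]


def pearson(xs: List[float], ys: List[float]) -> float:
    """Pearson correlation; 0.0 when either side is constant (no information)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def cpa_recover_key(inputs: List[bytes], traces: List[List[float]]) -> List[Optional[int]]:
    """Byte-wise CPA.  Returns the best key-byte guess per position, or None
    where the known input byte never changes across traces (the high bytes of
    a 64-bit sector number): a constant input gives a constant S-box output,
    so no first-round hypothesis can be distinguished and those key bytes
    need a later-round attack or brute force instead."""
    recovered: List[Optional[int]] = []
    for i in range(16):
        column = [blk[i] for blk in inputs]
        if len(set(column)) == 1:
            recovered.append(None)
            continue
        samples = [t[i] for t in traces]
        best_guess, best_corr = 0, -1.0
        for guess in range(256):
            hyp = [HW[SBOX[p ^ guess]] for p in column]
            c = abs(pearson(hyp, samples))
            if c > best_corr:
                best_guess, best_corr = guess, c
        recovered.append(best_guess)
    return recovered


def demo(n_traces: int = 300, sigma: float = 1.5, seed: int = 7):
    """Constructed scenario: random K2, random 64-bit sector indices, fixed seed."""
    rng = random.Random(seed)
    k2 = bytes(rng.randrange(256) for _ in range(16))
    inputs = [xts_tweak_input(rng.getrandbits(64)) for _ in range(n_traces)]
    traces = [simulate_trace(k2, blk, rng, sigma) for blk in inputs]
    return k2, cpa_recover_key(inputs, traces)


if __name__ == "__main__":
    k2, rec = demo()
    print("K2       :", k2.hex())
    print("recovered:", " ".join("??" if b is None else f"{b:02x}" for b in rec))
```

Two things carry over to a real attack that the simulation hides. First, the attacker does not know which sample of the trace leaks which state byte, so the correlation is computed at every time index and the peak is taken; the synthetic trace here has exactly one sample per byte. Second, the None positions are not a weakness of the simulation but of first-round CPA itself: the tweak input of XTS is mostly constant across a disk, so only the key bytes that meet varying sector-index bytes fall to a first-round attack, and the rest must be taken from a later round or by exhaustive search.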


Keywords: Memory encryption, Side-channel attack, Power analysis, DPA, Fault analysis, DFA, Ext4



This work has been supported by the Austrian Research Promotion Agency (FFG) under grant number 845579 (MEMSEC).



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Institute for Applied Information Processing and Communications, Graz University of Technology, Graz, Austria
