PSP AES CAN BE CRACKED
the good news, I do have a friend who has access to a machine that can use this process to crack hardware AES
bad news, don't know how well it can be used to crack it.
AES hardware encryption has been successfully cracked, using electromagnetism to measure power consumption of the p and n values before the *table switches are initialized. Cracking this with computers brute forcing is by far out of the question. So stop posting about it.
You can find papers about AES Hardware Encryption cracking online, use google, it's your friend.
Re: PSP AES CAN BE CRACKED
sadfman wrote: You can find papers about AES Hardware Encryption cracking online, use google, it's your friend.
Or you can use the search function, which is also your friend:
http://forums.ps2dev.org/viewtopic.php? ... sc&start=0
Re: PSP AES CAN BE CRACKED
sadfman wrote: the good news, I do have a friend who has access to a machine that can use this process to crack hardware AES
bad news, don't know how well it can be used to crack it.
AES hardware encryption has been successfully cracked, using electromagnetism to measure power consumption of the p and n values before the *table switches are initialized. Cracking this with computers brute forcing is by far out of the question. So stop posting about it.
You can find papers about AES Hardware Encryption cracking online, use google, it's your friend.
Whatever you're on, please share!
"a machine" to crack AES, I guess the NSA is now monitoring this thread, fortunately this is all a joke.
Also, Kocher's timing attack would be completely irrelevant in this case, if there's AES, then there's the key on the device itself, in ROM or somewhere else, that's all it takes, one guy to find where it's stored.
- Neil Stevens
- Posts: 79
- Joined: Thu Jan 27, 2005 2:22 pm
- Location: California
- Contact:
Yeah, it's not AES being cracked here. If you monitor power consumption in cryptographic systems you can narrow down the keys being used, sometimes.
From what I've read, though, this has generally been with "smart cards." With everything going on in a PSP that would be causing a continuous power drain while it's on, I doubt the attack applies here.
actually
no, it's no joke, there are educational papers on it if you took the time to read. I have a friend at OSU who is studying electromagnetism, and came across this in a book. software AES is NOT CRACKED, HOWEVER, the hardware AES, like the one the PSP uses, has been proven to be crackable using the methods involved in electromagnetism, like Neil said though, it might not be applicable. I was just trying to end all the posts about AES with the definition that there is NO chance of breaking the software, and a very slim chance of breaking the PSP hardware version
- Neil Stevens
- Posts: 79
- Joined: Thu Jan 27, 2005 2:22 pm
- Location: California
- Contact:
Oh, I just remembered another attack: Sometimes the radio emissions of computers while decrypting will give clues about the key used. That one might be applicable, but if I recall correctly it works better with CPUs running at higher clock rates, so it might not work so well with the PSP either, since I doubt its CPU is ramped up like the typical workstation is.
Neil Stevens wrote: Oh, I just remembered another attack: Sometimes the radio emissions of computers while decrypting will give clues about the key used. That one might be applicable, but if I recall correctly it works better with CPUs running at higher clock rates, so it might not work so well with the PSP either, since I doubt its CPU is ramped up like the typical workstation is.
What's the point of finding ONE key if each key is encapsulated in a public encryption scheme? Refer to the post "But... where is the key used with AES?" it's VERY unlikely that there's ONE key to encrypt them all, the PSP likely has a public key to decrypt the AES key on a per application basis. Therefore even cracking or bruteforcing AES or using Kocher's attack would be USELESS. As USELESS as would be the Sony SDK anyway since nobody but Sony owns the secret key.
- Posts: 1
- Joined: Mon Apr 18, 2005 10:37 am
Presumably both the AES key and the executable's signature are in the RSA packet. So knowing the AES key won't allow you to encrypt your own executables, cause you still need to sign them and encrypt the KEY and SIGNATURE with Sony's private key. But it would allow you to decrypt that specific executable and disassemble it looking for vulnerabilities.
Power analysis or electromagnetic analysis are both still relatively difficult to conduct when you don't know all the implementation details. The papers that deal with power analysis mostly talk about 8-bit MCUs (basic smartcards) running a software implementation of the block cipher (DES, AES, etc..). Since the assumption is that the PSP has a hardware coprocessor for AES, it could be very difficult to tell anything, as both processors would be running at the same time. Besides most newer security processors try to throw off power analysis via random interrupts and generating an internal clock that isn't synchronised to the external clock. Both these things make power analysis very difficult when you don't know the implementation details.
You'd probably be better off trying to microprobe the internal bus on the MIPS processor. But then you'd need some lab equipment, mainly a microscope, microprobes, chemicals to depackage the chip and remove any epoxy. Oh and a high speed logic analyser. I think this is probably the best way to get at the PSP.
I think we can all agree that the contents of the flash chip on the PSP is encrypted, and gets loaded into the 4Mb of internal RAM on the PSP's main chip. I'm willing to bet that all the executables get loaded into this space, and the external RAM is only used for graphic models, objects, and data. So the PSP probably has an internal bootloader in ROM that starts the PSP, decrypts the encrypted flash BIOS into internal RAM, checks its signature and runs it.
Anyway, that's my take on it. So you probably need to depackage the main chip on the PSP, and use a logic analyser to microprobe this bootup sequence. Even then there is no guarantee you'll get anywhere without finding a software flaw that you can exploit, since you can't easily replace the ROM when it's on-chip.
Just my thoughts,
TC
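As an added illustration (not code from this thread, from Sony, or from the ps2dev project), the following Python script simulates the attack class Neil and TC are arguing about: correlation power analysis against a single AES S-box lookup using a Hamming-weight leakage model. It runs once on cleanly aligned synthetic traces and once on traces whose leak point moves by a random per-trace offset, which is the effect of the unsynchronised internal clock and random interrupts TC describes. The key byte 0x2B, the trace length, the noise level and the jitter width are constructed parameters, not PSP values, and the traces themselves are generated, not measured.

```python
"""Simulated correlation power analysis (CPA) against one AES S-box lookup.
Added illustration for this thread, not code from it or from any PSP project.
Traces are synthetic: Hamming weight of the S-box output plus Gaussian noise,
optionally shifted by a random per-trace offset to mimic an unsynchronised
internal clock (the countermeasure TC describes)."""
import math
import random


def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def _build_sbox():
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def hamming_weight(x):
    return bin(x).count("1")


def simulate_traces(key_byte, n_traces, n_samples, leak_index, jitter, rng, noise_sd=1.0):
    """Return (plaintexts, traces); each trace is a list of n_samples floats.
    The S-box output's Hamming weight is added at leak_index, shifted by a
    random 0..jitter offset per trace when jitter > 0 (constructed leak model)."""
    plaintexts, traces = [], []
    for _ in range(n_traces):
        pt = rng.randrange(256)
        trace = [rng.gauss(0.0, noise_sd) for _ in range(n_samples)]
        pos = leak_index + (rng.randrange(jitter + 1) if jitter else 0)
        trace[pos] += hamming_weight(SBOX[pt ^ key_byte])
        plaintexts.append(pt)
        traces.append(trace)
    return plaintexts, traces


def _centered(values):
    mean = sum(values) / len(values)
    return [v - mean for v in values]


def _pearson(a, b):
    """Pearson correlation of two already-centered vectors of equal length."""
    num = sum(x * y for x, y in zip(a, b))
    den = math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))
    return num / den if den else 0.0


def cpa_recover(plaintexts, traces):
    """Score every key-byte guess by the largest |correlation| between its
    hypothesised Hamming weight and any sample column; return (guess, score)."""
    n_samples = len(traces[0])
    columns = [_centered([t[i] for t in traces]) for i in range(n_samples)]
    best_guess, best_score = 0, -1.0
    for guess in range(256):
        hyp = _centered([hamming_weight(SBOX[pt ^ guess]) for pt in plaintexts])
        score = max(abs(_pearson(hyp, col)) for col in columns)
        if score > best_score:
            best_guess, best_score = guess, score
    return best_guess, best_score


def compare_alignment(key_byte=0x2B, n_traces=300, seed=1234):
    """Run the same CPA on aligned and on jittered traces. Constructed
    parameters: 10 samples per trace, leak at sample 3, jitter of up to 6."""
    results = {}
    for label, jitter in (("aligned", 0), ("jittered", 6)):
        rng = random.Random(seed)
        pts, trs = simulate_traces(key_byte, n_traces, 10, 3, jitter, rng)
        guess, score = cpa_recover(pts, trs)
        results[label] = {"guess": guess, "score": round(score, 3)}
    return results


if __name__ == "__main__":
    for label, r in compare_alignment().items():
        print(f"{label:9s} best guess 0x{r['guess']:02X}  correlation {r['score']}")
```

On the aligned traces the correct byte stands out with a correlation near 0.8 after only 300 traces, which is why the smart-card papers sadfman mentions are credible for software AES on an 8-bit core. With the leak position randomised, the same leakage is spread across seven sample positions, so the per-sample correlation for the right key collapses into the noise floor and the ranking becomes unreliable; that is the defensive effect of the desynchronised clock and random interrupts TC lists, and it is why implementation details matter so much before anyone can say whether the attack applies to a given device.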
I think we can all agree that the contents of the flash chip on the PSP is encrypted, and gets loaded into the 4Mb of internal RAM on the PSP's main chip. I'm willing to bet that all the executables get loaded into this space, and the external RAM is only used for graphic models, objects, and data. So the PSP probably has an internal bootloader in ROM that starts the PSP, decrypts the encrypted flash BIOS into internal RAM, checks its signature and runs it.
I don't agree at least on the 4MB internal RAM part. I've read somewhere that 2MB of the 4MB are used for the Media Engine (the second R4000 core) and the other 2MB are framebuffer/texturebuffer for the GPU.
The main memory (32MB) is used for the executables, the lower 8MB are reserved for the system/OS/firmware (or whatever you want to call it).
just my thoughts ;)
infj