Wonky AES — Differential Fault Analysis

Category: Cryptography | Fault Injection Attack

Vulnerability

The CipherFault function injects a single byte fault (XOR) into the AES state during Round 9 (Nr-1 for AES-128) just before MixColumns. This is a textbook scenario for Differential Fault Analysis (DFA).

if (is_fault && round == Nr - 1) {
    (*state)[pos % 4][pos / 4] ^= fault;
}
MixColumns(state); // Fault diffuses to 4 bytes

DFA Attack

A single byte fault in Round 9 diffuses through MixColumns to exactly 4 bytes in the final ciphertext. With correct/faulty ciphertext pairs:

Apply InvShiftRows to both ciphertexts
Identify active column (4 non-zero XOR bytes)
For each possible fault location and value, brute-force key byte candidates via Inverse S-Box equation
Intersect candidates across multiple pairs to isolate unique key bytes
Reconstruct K10, reverse key schedule to get K0 (master key)

Results

Recovered K10: ffaf5efa977bfaf5a94a856e7cff6629
Recovered K0:  b351160cac3e91a75458d28c8f1e12a5

Flag

HTB{d1d_y0u_kn0w_ab0ut_PQ_DF4?!}