10,471 bytes added,
13:08, 29 July 2019 {{Warningbox|This tutorial has been updated for ChipWhisperer 4.0.0 release. If you are using 3.x.x see the "V3" link in the sidebar.}}
{{Infobox tutorial
|name = B5: Breaking AES (Straightforward)
|image =
|caption =
|software versions =
|capture hardware = CW-Lite, CW-Lite 2-Part, CW-Pro
|Target Device =
|Target Architecture = XMEGA/ARM
|Hardware Crypto = No
|Purchase Hardware =
}}
This tutorial will take you through a complete attack on a software AES implementation. The specific implementation being attacked is a well-known AES implementation written in C, which is likely to be similar to other implementations used by proprietary systems.
== Capturing ==
This tutorial runs on four different hardware targets. You only need to follow the steps for your given hardware.
=== Capturing with ChipWhisperer-Lite/Pro with default XMEGA Target (CW303) ===
WARNING: This video was recorded with API V3.x, some changes happened so please take note.
NOTE: You can see a Quick-Start Guide and Video for this target on the [[CW1173_ChipWhisperer-Lite]] page:
[[File:Cwlite_demo_video.png|link=http://www.youtube.com/watch?v=MJmkYqA-LeM&hd=1]]
=== Hardware Setup ===
{{CollapsibleSection
|intro = ==== CW1173 (Lite) Hardware Setup ====
|content= CWLite HW Setup}}
{{CollapsibleSection
|intro = ==== CW1200 (Pro) Hardware Setup ====
|content= CW1200 HW Setup}}
{{CollapsibleSection
|intro = ==== CW308 (UFO) Hardware Setup ====
|content= CW308 HW Setup}}
=== Building Firmware ===
Note that for this tutorial, you'll need to use the <code>simpleserial-aes</code> firmware.{{CollapsibleSection
|intro = ==== Building for CWLite with XMEGA Target ====
|content= Building for XMEGA}}
{{CollapsibleSection
|intro = ==== Building for CWLite with Arm Target ====
|content= Building for Arm}}
{{CollapsibleSection
|intro = ==== Building for Other Targets ====
|content= Building for Other Targets}}
=== Flashing Firmware ===
Note that for this tutorial, you'll need to use the <code>simpleserial-aes</code> firmware. We won't be modifying the firmware, so feel free to just build in the <code>simpleserial-aes</code> folder.{{CollapsibleSection
|intro = ==== Programming the XMEGA Target ====
|content= Programming XMEGA}}
{{CollapsibleSection
|intro = ==== Programming the STM32F3 (CW303 Arm) Target ====
|content= Programming Arm}}
{{CollapsibleSection
|intro = ==== Programming Other Targets ====
|content= Programming Other}}
=== Capturing the Traces ===
[[File:cwsetup_scriptselection.png|889x889px]]
# Switch to the ''Python Console'' tab.
# The script selection window (2) lists available example scripts. Scroll down to "connect_cwlite_simpleserial.py" and click on it.
# You will see the script contents appear in the "Script Preview" window (3). You can either hit the "Run" button or double-click the filename of the script to execute it. Do either of those now.
The window should change to indicate the connect succeeded:
[[File:cwsetup_scriptselection_cwliterun.png|889x889px]]
<p>
<ol start="4" style="list-style-type: decimal;">
<li>The console lists the exact script that is executed. Note you could have manually executed the script commands line-by-line in this console.</li>
<li>The "Scope" and "Target" buttons will show as connected.</li>
<li>The Status Bar will show a connection.</li>
</ol>
</p>
Note in previous software versions, this tutorial took you through manual setup. This can still be done (using the GUI), but instead now the API has been made more powerful, so the example configuration script will be used instead.
To do so, simply scroll down and select the "setup_cwlite_xmega_aes.py" if you're using the CW303 XMEGA target. If you're using the CW303 Arm target, select "setup_cwlite_stm32f_aes.py".
If you're using another target, use the setup script for that target (such as setup_cw308_esp32.py). Additionally, try capturing a trace and seeing how long the "Trigger Active Count" field is under trigger setup. This will set an upper bound on how big "Total Samples" should be (since the AES is completed by this point). Reducing "Total Samples" will give better correlation and take less time to capture and analyze, but lowering it too much will miss the operations we're interest in! If your target lacks a script, "setup_cwlite_stm32f_aes.py" will probably work, but you should check the wiki page for your target to make sure there aren't any differences.
[[File:cwsetup_scriptselection_xmegaconfig_cwliterun.png|718x718px]]
[[File:Stm32f aes.PNG|frameless|798x798px]]
To complete the tutorial, follow these steps:<ol start="7" style="list-style-type: decimal;">
<li>Switch to the ''General Settings'' tab</li>
<li>If you wish to change the number of traces, do so here. The default of 50 should be sufficient to break AES for most targets though!</li>
<li>Hit the ''Capture Many'' button (M in a green triangle) to start the capture process.</li>
<li>You will see each new trace plotted in the waveform display.</li>
<li>You'll see the trace count in the status bar. Once it says ''Trace 50 done'' (assuming you requested 50 traces) the capture process is complete.</li>
<li>Finally save this project using the ''File --> Save Project'' option, give it any name you want.</li>
<li>Skip ahead to [[#Analyzing_the_Traces]].</li></ol>
== Analyzing the Traces ==
=== Opening File & Viewing Traces ===
<ol style="list-style-type: decimal;">
<li>Open the Analyzer software</li>
<li>From the ''File --> Open Project'' option, navigate to the .cwp file you save previously. Open this file.</li>
<li>Switch to the ''Trace Output Plot'' tab on the right side.</li>
<li>Switch to the ''Results'' setting tab on the left side</li>
<li>Scroll down to the ''Trace Output Plot'' setting, highlighted below:
<p>
[[File:v4_tracedraw.png|500px]]
</p></li>
<li>You can choose to plot a specific range of traces. For example type '''0-10''' in the ''Trace(s) to plot'' window.</li>
<li>Hit the ''Redraw'' button when you change the trace plot range.</li>
<li>You can right-click on the waveform to change options, or left-click and drag to zoom.</li>
<li>Use the toolbar to quickly reset the zoom back to original.</li>
<li>Try more advanced plotting options, like '''0(r),4-7(b)''' to plot trace 0 in red, and 4-6 in blue. See a full list of possible commands on the page [[Plotting_Widget]].</li>
</ol>
=== Running Attack Script ===
In ChipWhisperer V4.0, we now use attack scripts for everything. As in the capture program, switch to the '''Python Console''' tab & find the attack scripts. There may be additional scripts there, but you should find one called "attack_cpa.py". It has the following contents:
<syntaxhighlight lang=python>
import chipwhisperer as cw
from chipwhisperer.analyzer.attacks.cpa import CPA
from chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressive
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AES128_8bit, SBox_output
from chipwhisperer.analyzer.preprocessing.add_noise_random import AddNoiseRandom
#self.project = cw.openProject("2017-mar23-xmega-aes.cwp")
traces = self.project.traceManager()
#Example: If you wanted to add noise, turn the .enabled to "True"
self.ppmod[0] = AddNoiseRandom()
self.ppmod[0].noise = 0.05
self.ppmod[0].enabled = False
attack = CPA()
leak_model = AES128_8bit(SBox_output)
attack.setAnalysisAlgorithm(CPAProgressive, leak_model)
attack.setTraceStart(0)
attack.setTracesPerAttack(50)
attack.setIterations(1)
attack.setReportingInterval(10)
attack.setTargetSubkeys([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])
attack.setTraceSource(self.ppmod[0])
attack.setPointRange((0, 3000))
self.results_table.setAnalysisSource(attack)
self.correlation_plot.setAnalysisSource(attack)
self.output_plot.setAnalysisSource(attack)
self.pge_plot.setAnalysisSource(attack)
attack.processTraces()
</syntaxhighlight>
You can see this script has several sections:
# Imports for needed functions.
# Loading of project (if using a project from disk) & setting of trace information.
# Configuration of attack.
# Connecting output (drawing) widgets to the attack.
# Running the attack.
If you need to modify the script, you can edit the file in an external editor. You will need to ensure your system is configured to open your preferred editor on ".py" files, OR configure the editor under ''Help --> Preferences''.
The default options should work, but you can modify for example the ''Reporting Interval'' to see more detailed graphs.
<ol style="list-style-type: decimal;">
<li><p>Finally run the attack by switching to the ''Results Table'' tab and then hitting the ''Run'' button with the script selected:</p>
<p>[[File:v4_runscript.png|400px]]</p></li>
<li><p>If you adjusted the ''Reporting Interval'' to a smaller number such as 5, you'll see the progression of attack results as more traces are used. If not you should simply see the final results, which should have the correct key highlighted in red. In the following case the correct key ''was'' recovered:</p>
<p>[[File:attack-done.png|image]]</p></li>
<li><p>You can also switch to the ''Output vs Point Plot'' window to see ''where'' exactly the data was recovered:</p>
<ol style="list-style-type: decimal;">
<li>Switch to the ''Output vs Point Plot'' tab</li>
<li>Turn on one of the bytes to see results.</li>
<li>The ''known correct'' guess for the key is highlighted in red. The wrong guesses are plotted in green. You can see that the attacked operation appeared to occur around sample 40 for key 0. Remember you can click-drag to zoom in, then right-click and select ''View All'' to zoom back out.</li>
<li>Turn on another byte to see results for it.</li>
<li>This byte occured much later - sample 1240. By exploring where the maximum correlation was found for the correct key-guess of each byte, you can determine where exactly the attacked operation occured.</li></ol>
<p>[[File:attack-done2.png|image]]</p></li></ol>
== Next Steps ==
This has only briefly outlined how to perform a CPA attack. You can move onto more advanced tutorials, especially showing you how the actual attack works when performed manually. This tutorial also utilized tiny-AES128-C for Arm targets, which uses the same operations as the XMEGA target. For a more typical 32 bit AES attack, see [[Tutorial A8 32bit AES]].
== Links ==
{{Template:Tutorials}}
[[Category:Tutorials]]