|
|
(4 intermediate revisions by 3 users not shown) |
Line 1: |
Line 1: |
− | This tutorial will demonstrate how to perform a profiling attack against the same AES implementation we've been using. To begin with we'll be using the same Hamming Weight (HW) assumption as previous attacks, although later we'll look into an attack without such assumptions. | + | {{Warningbox|This tutorial has been updated for ChipWhisperer 5 release. If you are using 4.x.x see the "V4" or link in the sidebar.}} |
| | | |
− | Under this assumption, we are attempting to accurately determine the what leakage corresponds to the ''Hamming Weight'' of the sensitive value being targeted. This requires us to have similar knowledge to the CPA attack, mainly we are making an assumption that the system does indeed leak the Hamming Weight (HW).
| + | {{Infobox tutorial |
| + | |name = B7: Profiling Attacks (with HW Assumption) |
| + | |image = |
| + | |caption = |
| + | |software versions = |
| + | |capture hardware = CW-Lite, CW-Lite 2-Part, CW-Pro |
| + | |Target Device = |
| + | |Target Architecture = XMEGA/Arm/Other |
| + | |Hardware Crypto = No |
| + | |Purchase Hardware = |
| + | }} |
| | | |
− | Note that unlike the previous attack, we will require ''two'' acquisition campaigns. We must first create a template, which means we'll need a system which we control (or at least know the key for). In real life this would typically mean using another copy of the protected device; e.g. you have a protected device, but you buy another copy which you control. We use the copy we control to characterize the leakage, before applying what we have learned onto the real device with an unknown key.
| + | <!-- To edit this, edit Template:Tutorial_boilerplate --> |
| + | {{Tutorial boilerplate}} |
| | | |
− | == Setting up the Hardware and Software ==
| + | * Jupyter file: '''PA_Profiling_1-Template_Attacks_HW_Assumption.ipynb''' |
| | | |
− | In this tutorial, we'll be attacking AES-128 on the same devices we've worked with in previous tutorials. Take a look at [[Tutorial B5 Breaking AES (Straightforward)]] for details on how to set everything up.
| |
| | | |
− | == Capturing the Traces == | + | == XMEGA Target == |
| | | |
− | === Capturing the Template Traces ===
| + | See the following for using: |
| + | * ChipWhisperer-Lite Classic (XMEGA) |
| + | * ChipWhisperer-Lite Capture + XMEGA Target on UFO Board (including NAE-SCAPACK-L1/L2 users) |
| + | * ChipWhisperer-Pro + XMEGA Target on UFO Board |
| | | |
− | As mentioned, you will need to perform ''two'' capture campaigns. This tutorial uses a simple script that ships with the ChipWhisperer Capture software as the building block. The easiest method of accomplishing the trace capture is as follows:
| + | https://chipwhisperer.readthedocs.io/en/latest/tutorials/pa_profiling_1-openadc-cwlitexmega.html#tutorial-pa-profiling-1-openadc-cwlitexmega |
| | | |
− | <ol style="list-style-type: decimal;">
| + | == ChipWhisperer-Lite ARM / STM32F3 Target == |
− | <li>Close & reopen the capture software (to clear out any previous connection which may be invalid).</li>
| + | |
− | <li><p>From the ''Project'' menu elect the ''Example Scripts'' and then ''ChipWhisperer-Rev2: SimpleSerial Target''</p>
| + | |
− | <p>[[File:runscript.png|image]]</p></li>
| + | |
− | <li><p>The script will automatically connect to the capture hardware and run 2 example traces. You should see something that looks like the following screen:</p>
| + | |
− | <p>[[File:capture.png|image]]</p></li>
| + | |
− | <li><p>Change to the ''General Settings'' tab, and adjust the ''Key/Text Pattern'' to send a random encryption key along with a random plaintext. This is shown in the following diagram:</p>
| + | |
− | <p>[[File:campaignrandrand.png|image]]</p></li>
| + | |
− | <li>Save the project now, giving it a name indicating the '''key and text is random'''. For example you could call it <code>tut_randkey_randplain.cwp</code>. Note by saving the project ''before'' running the capture you will force all trace data to be saved into a directory with the same name. This will make it easier to find the data at a later time.</li>
| + | |
− | <li>Change the number of traces to be ''1000'': more traces are needed to form the profile. In this case 1000 is a very small capture, however for this unprotected implementation will be sufficient. An interesting experiment is to see how using more or less traces impacts your templates!</li>
| + | |
− | <li>Hit the ''Capture Many'' button (M in a green triangle) to start the capture process. You will see each new trace plotted in the waveform display. Once the capture is complete, save the project file again.</li>
| + | |
− | </ol>
| + | |
| | | |
− | === Capturing the Attack Traces ===
| + | See the following for using: |
| + | * ChipWhisperer-Lite 32-bit (STM32F3 Target) |
| + | * ChipWhisperer-Lite Capture + STM32F3 Target on UFO Board (including NAE-SCAPACK-L1/L2 users) |
| + | * ChipWhisperer-Pro + STM32F3 Target on UFO Board |
| | | |
− | # Make a new project (File->New).
| + | https://chipwhisperer.readthedocs.io/en/latest/tutorials/pa_profiling_1-openadc-cwlitearm.html#tutorial-pa-profiling-1-openadc-cwlitearm |
− | # Change the encryption key to fixed.
| + | |
− | # Save the project now in the same directory as the <code>.cwp</code> file from the previous section, giving it a name indicating the key is '''fixed''' and text is '''random'''. For example you could call it <code>tut_fixedkey_randplain.cwp</code>, again saving it in the same directory as the previous file.
| + | |
− | # Change the number of traces to be ''20'': by comparison the profiling attack will require less attack traces compared to the CPA attack. | + | |
− | # Hit the ''Capture Many'' button (M in a green triangle) to start the capture process. You will see each new trace plotted in the waveform display. Once the capture is complete, save the project file again.
| + | |
− | # Exit the capture application.
| + | |
| | | |
− | == Generating the Template == | + | == ChipWhisperer Nano Target == |
| | | |
− | The first step in the attack is to generate the template. Again for generating the template this typically requires access to a system almost identical to the device being attacked. It is assumed that the actual device differs from the device being attacked, but in our example we'll be using the same device.
| + | This tutorial is not available for the ChipWhipserer Nano |
− | | + | |
− | <ol style="list-style-type: decimal;">
| + | |
− | <li>Open the Analyzer software</li>
| + | |
− | <li>From the ''File --> Open Project'' option, navigate to the <code>tut_randkey_randplain.cwp</code> file you save previously. Open this file, ensure it is the file corresponding with the '''randomly changing encryption key'''!</li>
| + | |
− | <li>Open the ''Trace Explorer'' tab and Enable it.</li>
| + | |
− | <li><p>Change the "Comparison Mode" to "Sum of Absolute Difference" and the ''Partition Mode'' to ''HW AES Intermediate'', and select the ''Auto-Save Data to Project'' option:</p>
| + | |
− | <p>[[File:traceexplorer1.png|image]]</p></li>
| + | |
− | <li><p>Hit the ''Display'' button, and then select ''All On''. This displays the differences between the various groups of Hamming Weight (HW) values:</p>
| + | |
− | <p>[[File:traceexplorer2.png|image]]</p></li>
| + | |
− | <li><p>We now want to figure out the Points of Interest (POI), which we will use for our template. Hit the ''Open POI Table'' and perform the following:</p>
| + | |
− | <blockquote><ol style="list-style-type: decimal;">
| + | |
− | <li>Set the ''Num POI/Subkey'' to 3</li>
| + | |
− | <li>Set the ''Min Spacing between POI'' to 5</li>
| + | |
− | <li>Click the ''Recalc POI Values'' button</li>
| + | |
− | <li>Click the ''Set as POI in Project'' button</li></ol>
| + | |
− | </blockquote></li></ol>
| + | |
− | | + | |
− | <blockquote>[[File:traceexplorer3.png|image]]
| + | |
− | </blockquote>
| + | |
− | <ol start="7" style="list-style-type: decimal;">
| + | |
− | <li>Disable the Trace Explorer.</li>
| + | |
− | <li><p>Change the attack module to ''Profiling'':</p>
| + | |
− | <p>[[File:selectprofiling.png|image]]</p></li>
| + | |
− | <li><p>Go to the ''Template Generation'' section in the Attack tab, and ensure you select the appropriate trace range (0-999 in this example). Select the ''TraceExplorer Table'' as the POI source, since we had just populated this with a valid POI data. Notice that if you view the analysis script it will list the poi you selected, if not hit the ''Read POI'' button:</p>
| + | |
− | <p>[[File:templategeneration.png|image]]</p></li>
| + | |
− | <li>Click the ''Generate Templates'' button. This will dynamically load and run the <code>def generateTemplates(self):</code> function in the scripting window.</li>
| + | |
− | <li>Save the project file, which will save the location of the template file. We need to copy this information over to our second project, which is the traces we actually plan on attacking.</li>
| + | |
− | <li>From the ''Project'' menu select the ''Project File Editor (text)'', which gives you access to the raw project file. You will have to hit the ''Reload Editor from Disk'' button, which reads the changes you just saved into this special text editor. For more information on the project file editor see XREF TODO.</li>
| + | |
− | <li><p>Scroll down until you find a section titled <code>[Template Data 0001 - Templates]</code>. Note the number may change (e.g. 0002, etc), just use the largest number which will be the most recent saved change. Copy this section to a text editor, it will look something like this:</p>
| + | |
− | <pre>[Template Data 0001 - Templates]
| + | |
− | tracestart = 0
| + | |
− | traceend = 999
| + | |
− | poi = "[38, 30, 2290]", "[138, 1658, 1650]", "[2134, 238, 2402]", "[338, 2618, 2626]", "[438, 430, 2766]", "[1806, 538, 1690]", "[638, 2174, 2462]", "[738, 2886, 2658]", "[838, 830, 2282]", "[938, 1722, 1858]", "[2290, 1038, 2206]", "[1138, 2690, 2946]", "[1238, 1650, 1798]", "[1338, 1918, 1754]", "[1438, 2342, 2238]", "[2774, 1538, 2722]"
| + | |
− | partitiontype = PartitionHWIntermediate
| + | |
− | filename = avr_keyrand_plainrand_1000traces_data\analysis\templates-PartitionHWIntermediate-0-999.npz</pre></li>
| + | |
− | </ol>
| + | |
− | | + | |
− | == Applying the Template ==
| + | |
− | | + | |
− | <ol style="list-style-type: decimal;">
| + | |
− | <li>From the ''File --> Open Project'' option, navigate to the <code>tut_fixedkey_randplain.cwp</code> file you save previously. Open this file, ensure it is the file corresponding with the '''fixed encryption key'''!</li>
| + | |
− | <li>Open the project text editor if not already open.</li>
| + | |
− | <li><p>Append the ''Template Data'' section you copied from the previous project to your project file:</p>
| + | |
− | <p>[[File:projecteditor_addtemplate.png|image]]</p></li>
| + | |
− | <li>Use the ''Save Editor to Disk'' button to write these changes (and '''not the Save Project option'''). Note this assumes that both the <code>tut_fixedkey_randplain.cwp</code> and <code>tut_randkey_randplain.cwp</code> were saved in the same directory, as otherwise the reference to the template file will break!</li>
| + | |
− | <li>Re-open the same project file (e.g. <code>tut_fixedkey_randplain.cwp</code>), this step is needed to ensure the changes you added in are loaded into memory.</li>
| + | |
− | <li><p>Change the attack module to ''Profiling'':</p>
| + | |
− | <p>[[File:selectprofiling.png|image]]</p></li>
| + | |
− | <li><p>Change the ''Reporting Interval'' to 1, since we want to observe what happens on each added trace:</p>
| + | |
− | <p>[[File:reportinginterval_1.png|image]]</p></li>
| + | |
− | <li><p>Press the ''Attack'' button. Observe that with only a few traces you are able to determine the encryption key:</p>
| + | |
− | <p>[[File:attack_working.png|image]]</p></li></ol>
| + | |
− | | + | |
− | {{Template:Tutorials}}
| + | |
− | [[Category:Tutorials]]
| + | |
This tutorial will introduce you to measuring the power consumption of a device under attack. It will demonstrate how you can view the difference between assembly instructions. In ChipWhisperer 5 Release, the software documentation is now held outside the wiki. See links below.
Running the tutorial uses the referenced Jupyter notebook file.