As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Difference between revisions of "Tutorial A5-Bonus Breaking AES-256 Bootloader"

From ChipWhisperer Wiki
(Added brainstorm for IV attack)
 
(26 intermediate revisions by 4 users not shown)
Line 1: Line 1:
This tutorial is an add-on to [[Tutorial A5 Breaking AES-256 Bootloader]]. It continues working on the same firmware, showing how to obtain the hidden IV and signature in the bootloader. '''It is not possible to do this bonus tutorial without first completing the regular tutorial''', so please finish Tutorial A5 first.
+
{{Warningbox|This tutorial has been updated for ChipWhisperer 5 release. If you are using 4.x.x or 3.x.x see the "V4" or "V3" link in the sidebar.}}
  
''This tutorial is under construction! Check back in a few days.''
+
{{Infobox tutorial
 +
|name                  = A5: Breaking AES-256 Bootloader
 +
|image                  =
 +
|caption                =
 +
|software versions      =
 +
|capture hardware      = CW-Lite, CW-Lite 2-Part, CW-Pro
 +
|Target Device          =
 +
|Target Architecture    = XMEGA/Arm
 +
|Hardware Crypto        = No
 +
|Purchase Hardware      =
 +
}}
  
= Background =
+
<!-- To edit this, edit Template:Tutorial_boilerplate -->
== AES in CBC Mode ==
+
{{Tutorial boilerplate}}
* Repeat of theory from tutorial
+
== The IV ==
+
* Suggest some ideas
+
== The Signature ==
+
* Timing attack
+
* Show firmware
+
  
 +
* Jupyter file: '''PA_Multi_1-Breaking_AES-256_Bootloader.ipynb'''
  
= Attacking the IV =
 
Steps:
 
* Investigation
 
** Look at bootloader code
 
** Move trigger
 
** Record 1
 
** Show different instructions in trace
 
* Making the attack feasible
 
** Capture a bunch (500?)
 
** Apply decryption
 
** Look at one bit
 
** Find means + plot
 
** Find differences + plot
 
* Automating the attack
 
** Finding the attack points
 
** Getting a single bit
 
** Building the IV bytes
 
* Full script in appendix
 
  
Example:
+
== XMEGA Target ==
  
<pre>#Imports for IV Attack
+
See the following for using:
from Crypto.Cipher import AES
+
* ChipWhisperer-Lite Classic (XMEGA)
 +
* ChipWhisperer-Lite Capture + XMEGA Target on UFO Board (including NAE-SCAPACK-L1/L2 users)
 +
* ChipWhisperer-Pro + XMEGA Target on UFO Board
  
def initPreprocessing(self):
+
https://chipwhisperer.readthedocs.io/en/latest/tutorials/pa_multi_1-openadc-cwlitexmega.html#tutorial-pa-multi-1-openadc-cwlitexmega
    self.preProcessingResyncSAD0 = preprocessing.ResyncSAD.ResyncSAD(self.parent)
+
    self.preProcessingResyncSAD0.setEnabled(True)
+
    self.preProcessingResyncSAD0.setReference(rtraceno=0, refpoints=(6300,6800), inputwindow=(6000,7200))
+
    self.preProcessingResyncSAD1 = preprocessing.ResyncSAD.ResyncSAD(self.parent)
+
    self.preProcessingResyncSAD1.setEnabled(True)
+
    self.preProcessingResyncSAD1.setReference(rtraceno=0, refpoints=(4800,5100), inputwindow=(4700,5200))
+
    self.preProcessingList = [self.preProcessingResyncSAD0,self.preProcessingResyncSAD1,]
+
    return self.preProcessingList
+
  
class AESIVAttack(object):
+
== ChipWhisperer-Lite ARM / STM32F3 Target ==
  numSubKeys = 16
+
  
  @staticmethod
+
See the following for using:
  def leakage(textin, textout, guess, bnum, setting, state):
+
* ChipWhisperer-Lite 32-bit (STM32F3 Target)
      knownkey = [0x94, 0x28, 0x5D, 0x4D, 0x6D, 0xCF, 0xEC, 0x08, 0xD8, 0xAC, 0xDD, 0xF6, 0xBE, 0x25, 0xA4, 0x99,
+
* ChipWhisperer-Lite Capture + STM32F3 Target on UFO Board (including NAE-SCAPACK-L1/L2 users)
                  0xC4, 0xD9, 0xD0, 0x1E, 0xC3, 0x40, 0x7E, 0xD7, 0xD5, 0x28, 0xD4, 0x09, 0xE9, 0xF0, 0x88, 0xA1]
+
* ChipWhisperer-Pro + STM32F3 Target on UFO Board
      knownkey = str(bytearray(knownkey))
+
      ct = str(bytearray(textin))
+
  
      aes = AES.new(knownkey, AES.MODE_ECB)
+
https://chipwhisperer.readthedocs.io/en/latest/tutorials/pa_multi_1-openadc-cwlitearm.html#tutorial-pa-multi-1-openadc-cwlitearm
      pt = aes.decrypt(ct)
+
      return getHW(bytearray(pt)[bnum] ^ guess)</pre>
+
  
= Appendix D AES-256 IV Attack Script =
+
== ChipWhisperer Nano Target ==
  
'''NB: This script works for 0.10 release or later, see local copy in doc/html directory of chipwhisperer release if you need earlier versions'''
+
This tutorial is not available for the ChipWhisperer Nano.
 
+
Full attack script, copy/paste into a file then add as active attack script:
+
 
+
<pre>#IV Attack Script
+
from chipwhisperer.common.autoscript import AutoScriptBase
+
#Imports from Preprocessing
+
import chipwhisperer.analyzer.preprocessing as preprocessing
+
#Imports from Capture
+
from chipwhisperer.analyzer.attacks.CPA import CPA
+
from chipwhisperer.analyzer.attacks.CPAProgressive import CPAProgressive
+
import chipwhisperer.analyzer.attacks.models.AES128_8bit
+
# Imports from utilList
+
 
+
# Imports for AES256 Attack
+
from chipwhisperer.analyzer.attacks.models.AES128_8bit import getHW
+
 
+
#Imports for IV Attack
+
from Crypto.Cipher import AES
+
 
+
class AESIVAttack(object):
+
  numSubKeys = 16
+
 
+
  @staticmethod
+
  def leakage(textin, textout, guess, bnum, setting, state):
+
      knownkey = [0x94, 0x28, 0x5D, 0x4D, 0x6D, 0xCF, 0xEC, 0x08, 0xD8, 0xAC, 0xDD, 0xF6, 0xBE, 0x25, 0xA4, 0x99,
+
                  0xC4, 0xD9, 0xD0, 0x1E, 0xC3, 0x40, 0x7E, 0xD7, 0xD5, 0x28, 0xD4, 0x09, 0xE9, 0xF0, 0x88, 0xA1]
+
      knownkey = str(bytearray(knownkey))
+
      ct = str(bytearray(textin))
+
 
+
      aes = AES.new(knownkey, AES.MODE_ECB)
+
      pt = aes.decrypt(ct)
+
      return getHW(bytearray(pt)[bnum] ^ guess)
+
 
+
class userScript(AutoScriptBase):
+
    preProcessingList = []
+
    def initProject(self):
+
        pass
+
 
+
    def initPreprocessing(self):
+
        self.preProcessingResyncSAD0 = preprocessing.ResyncSAD.ResyncSAD(self.parent)
+
        self.preProcessingResyncSAD0.setEnabled(True)
+
        self.preProcessingResyncSAD0.setReference(rtraceno=0, refpoints=(6300,6800), inputwindow=(6000,7200))
+
        self.preProcessingResyncSAD1 = preprocessing.ResyncSAD.ResyncSAD(self.parent)
+
        self.preProcessingResyncSAD1.setEnabled(True)
+
        self.preProcessingResyncSAD1.setReference(rtraceno=0, refpoints=(4800,5100), inputwindow=(4700,5200))
+
        self.preProcessingList = [self.preProcessingResyncSAD0,self.preProcessingResyncSAD1,]
+
        return self.preProcessingList
+
 
+
    def initAnalysis(self):
+
        self.attack = CPA(self.parent, console=self.console, showScriptParameter=self.showScriptParameter)
+
        self.attack.setAnalysisAlgorithm(CPAProgressive, AESIVAttack, None)
+
        self.attack.setTraceStart(0)
+
        self.attack.setTracesPerAttack(100)
+
        self.attack.setIterations(1)
+
        self.attack.setReportingInterval(25)
+
        self.attack.setTargetBytes([0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])
+
        self.attack.setTraceManager(self.traceManager())
+
        self.attack.setProject(self.project())
+
        self.attack.setPointRange((4800,6500))
+
        return self.attack
+
 
+
    def initReporting(self, results):
+
        results.setAttack(self.attack)
+
        results.setTraceManager(self.traceManager())
+
        self.results = results
+
 
+
    def doAnalysis(self):
+
        self.attack.doAttack()</pre>
+
 
+
= Attacking the Signature =
+
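
Review bot: The infobox line "|name = A5: Breaking AES-256 Bootloader" carries the base tutorial's name, although this page is titled "Tutorial A5-Bonus Breaking AES-256 Bootloader". The opening sentence saying this page is an add-on to [[Tutorial A5 Breaking AES-256 Bootloader]] and cannot be done without completing it first does not appear in the latest revision text, so the page no longer states the prerequisite or that it covers the hidden IV and signature. Suggest naming the infobox after the bonus tutorial and keeping a one-line prerequisite note above the "Jupyter file:" bullet. The infobox also leaves "|software versions", "|Target Device" and "|Purchase Hardware" empty; fill them in or drop the fields.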

Latest revision as of 05:36, 29 July 2019

This tutorial has been updated for ChipWhisperer 5 release. If you are using 4.x.x or 3.x.x see the "V4" or "V3" link in the sidebar.

A5: Breaking AES-256 Bootloader
Target Architecture: XMEGA/Arm
Hardware Crypto: No
Software Release: V3 / V4 / V5

This tutorial will introduce you to measuring the power consumption of a device under attack. It will demonstrate how you can view the difference between assembly instructions. As of the ChipWhisperer 5 release, the software documentation is held outside the wiki; see the links below.

For background on the tutorials, see the Tutorial Introduction on ReadTheDocs, which explains what the links below mean. These wiki pages (that you are reading right now) hold only the required hardware setup; the tutorial itself has to be run via the Jupyter notebook. The links below take you to the expected Jupyter output from each tutorial, so you can compare your results to the expected/known-good results.

The tutorial is run from the following Jupyter notebook file.

  • Jupyter file: PA_Multi_1-Breaking_AES-256_Bootloader.ipynb


XMEGA Target

See the following for using:

  • ChipWhisperer-Lite Classic (XMEGA)
  • ChipWhisperer-Lite Capture + XMEGA Target on UFO Board (including NAE-SCAPACK-L1/L2 users)
  • ChipWhisperer-Pro + XMEGA Target on UFO Board

https://chipwhisperer.readthedocs.io/en/latest/tutorials/pa_multi_1-openadc-cwlitexmega.html#tutorial-pa-multi-1-openadc-cwlitexmega

ChipWhisperer-Lite ARM / STM32F3 Target

See the following for using:

  • ChipWhisperer-Lite 32-bit (STM32F3 Target)
  • ChipWhisperer-Lite Capture + STM32F3 Target on UFO Board (including NAE-SCAPACK-L1/L2 users)
  • ChipWhisperer-Pro + STM32F3 Target on UFO Board

https://chipwhisperer.readthedocs.io/en/latest/tutorials/pa_multi_1-openadc-cwlitearm.html#tutorial-pa-multi-1-openadc-cwlitearm

ChipWhisperer Nano Target

This tutorial is not available for the ChipWhisperer Nano.