Changes

V3:Tutorial B3-1 Timing Analysis with Power for Password Bypass

14 bytes removed, 21:01, 24 September 2017
Attacking a Single Letter
Now that we can record one power trace, we can start the timing attack. Our goal here is to automatically find the first letter of the Super Secret (tm) password.
<li><p>Look at this example of the power traces when 0 and 1 bytes are correct. We can see a clear point that appears to shift forward in time:</p>
<blockquote><p>[[File:Passwordcrackerpts.png|image]]</p></blockquote>
<p>When we guess the first byte incorrectly, there is a distinct power spike at sample number 153. However, when we guess correctly, the target spends more time processing the password, and this spike moves 72 samples forward. This means that we can check if our first byte is correct by checking this data point: if we're right, it will have an amplitude greater than -0.2. Note the specific point will change for different hardware, and may also change if you use different versions of avr-gcc to compile the target code. The example code here was compiled with WinAVR 20100110, which has avr-gcc 4.3.3. If you view the video version of this tutorial the point numbers are different for example, so be sure to check what they are for your specific system.</p></li>
<li> Add a loop to your script that does the following:
* Sets the ''Go Command'' to the next character we want to try
* Captures a power trace
Approved_users, bureaucrat, administrator
1,956
edits