Tutorial A5 Breaking AES-256 Bootloader

722 bytes removed, 16:37, 21 June 2016
13th Round Key: Rewrite
== 13th Round Key ==
Unfortunately, we cannot attack the 13th round key from the GUI alone: the ChipWhisperer Analyzer has no built-in leakage model for round 13 of the AES-256 decryption. Instead, we will write our own script and insert a custom model into the system. See [[#Appendix C AES-256 13th Round Key Script]] for the complete script used here.

The ChipWhisperer Analyzer software uses the settings in the GUI to automatically generate an attack script. Every time you change a setting in the GUI, the autogenerated script is overwritten. For example, the point range is mapped directly to an API call:

[[File:autoscript1.png|image]]

If we modified this autogenerated script directly, it would be very easy to lose our changes the next time we touched the GUI. Instead, we'll use the autogenerated code as a base for our own script, then add in our own model. To set up the base script, the procedure is as follows:
# Open the ChipWhisperer Analyzer software again and, from the ''File --&gt; Open Project'' option, reopen the .cwp project containing the 13th and 14th round power traces. This can be either the aes256_round1413_key0_100.cwp project file you downloaded, or the capture you performed yourself.
# Recall from the 14th round attack that the trace data becomes unsynchronized around sample 7000. This is due to the presence of a non-constant-time AES implementation: the code does not always take the same amount of time to run for every input. (It's actually possible to do a timing attack on this AES implementation, but we'll stick with our CPA attack for now.)
#: [[File:syncproblems.png|image]]
# Resynchronize the traces:
## In the ''Attack Script Generator'' tab, enable the ''Resync: Sum of Difference'' preprocessing:
##: [[File:resyncsad.png|image]]
## Enable the module and configure the input points. To start, set the reference points to (9063, 9177) and the input window to (9010, 9080), but don't be afraid to change these ranges:
##: [[File:resyncsad2.png|image]]
## Redraw the traces and confirm we now have synchronization on the second half:
##: [[File:resyncsad3.png|image]]
# As in the 14th round attack, the AES mode must be ''Decryption''. Under the ''Attack'' tab, in the ''Hardware Model'' settings, ensure ''Decryption'' is selected.

Now we are ready to make a copy of this script:
# On the ''General'' tab, click on the auto-generated script.
# Hit ''Copy'' and save the file somewhere.
# Double-click on the description of the new file and give it a better name.
# Finally, hit ''Set Active'' after clicking on your new file. The result should look like this:
#: [[File:aes256_customscript.png|image]]

You can now edit the custom script file using the built-in editor OR with an external editor. In this example, the file would be <code>C:\Users\Colin\AppData\Local\Temp\testaes256.py</code>.
The next step is to program our own leakage model. In the AES-256 decryption, the ciphertext is first XORed with the 14th round key and passed through InvShiftRows and InvSubBytes; round 13 then XORs in the 13th round key and applies InvMixColumns and InvShiftRows before the next InvSubBytes. The following Python code models the Hamming weight of the input to that 13th round S-box lookup, i.e. the second part of the decryption key. The 14th round key is already known from the previous attack, so it is filled in as a constant (the listing below leaves a placeholder for the value you recovered; Appendix C has the complete script):

<pre># Imports for AES256 Attack
from chipwhisperer.analyzer.attacks.models.AES128_8bit import getHW
from chipwhisperer.analyzer.models.aes.funcs import sbox, inv_sbox, inv_shiftrows, inv_mixcolumns, inv_subbytes

class AES256Attack(object):
    numSubKeys = 16

    @staticmethod
    def leakage(pt, ct, guess, bnum, setting, state):
        if setting == 13:
            # 14th round key is known: replace this placeholder with the value recovered earlier
            knownkey = [0x00] * 16
            xored = [knownkey[i] ^ ct[i] for i in range(0, 16)]
            # Undo round 14 (InvShiftRows, InvSubBytes), then apply round 13's
            # InvMixColumns and InvShiftRows to the state before XORing in the guess
            block = inv_shiftrows(xored)
            block = inv_subbytes(block)
            block = inv_mixcolumns(block)
            block = inv_shiftrows(block)
            result = block
            return getHW(inv_sbox((result[bnum] ^ guess)))</pre>

You can look back at the C code of the AES-256 decryption to see how this mirrors the decryption routine. Note that because of the Inverse MixColumns operation we need the entire input ciphertext; otherwise we would only need to operate on one byte of the ciphertext. Note also that InvMixColumns and InvShiftRows are linear, which is why the model can apply them to the state alone and XOR in the key guess afterwards: the key this attack recovers is therefore the 13th round key passed through InvMixColumns and InvShiftRows, and we will have to undo that at the end.

The last step is to perform the attack using this model:
# Add the above code to your custom script file.
# Change the <code>setAnalysisAlgorithm</code> call in the script to use your custom model:
#:<pre>self.attack.setAnalysisAlgorithm(CPAProgressive, AES256Attack, 13)</pre>
# Check that the attack direction is still decryption, i.e. the script contains:
#:<pre>self.attack.setDirection('dec')</pre>
# As we did in the 14th round attack, reducing the point range can speed up the attack. For example, to use a smaller range of points, change the <code>setPointRange()</code> call to:
#:<pre>self.attack.setPointRange((8000,10990))</pre>
# Start the attack! Wait for the attack to complete, and you will determine the 13th round key:
#: [[File:Tutorial-A5-Results-Round-13.PNG|image]]

Note you can check [[#Appendix C AES-256 13th Round Key Script]] for the complete contents of the attack script.
Finally, we need to convert this hypothetical key into the actual value of the 13th round key. Remember that the key we determined is actually the 13th round key passed through inverse MixColumns and inverse ShiftRows, because the leakage model applied those two linear operations to the state before XORing in the guess. We can remove their effect by passing the recovered key through ShiftRows and then MixColumns, which is easy to do in the Python console:

<pre>>>> from chipwhisperer.analyzer.models.aes.funcs import shiftrows, mixcolumns
>>> knownkey = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77, 0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]
>>> key = shiftrows(knownkey)
>>> key = mixcolumns(key)
>>> print " ".join(["%02x" % i for i in key])
c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63</pre>

Our hard work has rewarded us with the 13th round key, which is <code>c6 6a a6 12 4a ba 4d 04 4a 22 03 54 5b 28 0e 63</code>.
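As an added example (not part of the original tutorial or the ChipWhisperer code base), the following self-contained Python 3 script re-implements the 13th round leakage model and the key conversion above without the <code>chipwhisperer</code> package, using its own S-box, ShiftRows and MixColumns helpers in the standard column-major AES byte order. It checks two things the tutorial states but does not verify: that ShiftRows followed by MixColumns turns the recovered value into the tutorial's 13th round key, and that with the correct transformed key byte as the guess the model predicts exactly the Hamming weight of the real round-13 S-box input for every byte position, which is the property that makes the CPA attack work. The 14th round key and ciphertext used for the self-check are constructed sample values, not values from the tutorial's capture; the transformed 13th round key is the tutorial's.

```python
"""Stand-alone model of the AES-256 13th round leakage and key conversion (added example)."""

# GF(2^8) arithmetic and the AES S-boxes, computed rather than tabulated.
def xtime(a):
    """Multiply by x (0x02) modulo the AES polynomial 0x11B."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def gmul(a, b):
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a, b = xtime(a), b >> 1
    return p

def _build_sboxes():
    """S-box = affine map of the multiplicative inverse (0 maps to 0); inverse S-box by lookup."""
    inv = [0] * 256
    for x in range(1, 256):
        if not inv[x]:
            y = next(y for y in range(1, 256) if gmul(x, y) == 1)
            inv[x], inv[y] = y, x
    sbox, inv_sbox = [0] * 256, [0] * 256
    for x in range(256):
        s = 0x63
        for i in range(5):                       # b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
            s ^= ((inv[x] << i) | (inv[x] >> (8 - i))) & 0xFF
        sbox[x], inv_sbox[s] = s, x
    return sbox, inv_sbox

SBOX, INV_SBOX = _build_sboxes()

def hw(x):
    return bin(x).count("1")                     # Hamming weight: the leakage the CPA attack assumes

# AES state operations on 16-byte lists, column-major: index = 4*col + row.
_MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
_INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]
def shiftrows(s):
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]
def inv_shiftrows(s):
    return [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]

def _mix(s, matrix):
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for row in matrix:
            v = 0
            for coef, a in zip(row, col):
                v ^= gmul(coef, a)
            out.append(v)
    return out

def mixcolumns(s):
    return _mix(s, _MIX)
def inv_mixcolumns(s):
    return _mix(s, _INV_MIX)
def inv_subbytes(s):
    return [INV_SBOX[b] for b in s]

# The tutorial's leakage model and key conversion.
def leakage_round13(ct, known_k14, guess, bnum):
    """Same steps as AES256Attack.leakage() in the tutorial: undo round 14 with the known key,
    apply round 13's InvMixColumns and InvShiftRows to the state alone, then XOR in the guess.
    Both operations are linear, so what this recovers is inv_shiftrows(inv_mixcolumns(k13))."""
    state = inv_subbytes(inv_shiftrows(xor(ct, known_k14)))
    state = inv_shiftrows(inv_mixcolumns(state))
    return hw(INV_SBOX[state[bnum] ^ guess])

def round_key_to_transformed(k13):
    return inv_shiftrows(inv_mixcolumns(k13))    # what the CPA attack actually recovers
def transformed_key_to_round_key(k13_t):
    return mixcolumns(shiftrows(k13_t))          # the tutorial's console step, undoing the above

def true_round13_sbox_input(ct, k14, k13):
    """Reference: the real decryption up to the input of round 13's InvSubBytes."""
    state = inv_subbytes(inv_shiftrows(xor(ct, k14)))       # round 14: no MixColumns
    return inv_shiftrows(inv_mixcolumns(xor(state, k13)))   # round 13: AddRoundKey first

def model_matches_true_leakage(ct, k14, k13):
    """With the correct transformed key byte as the guess, the model must reproduce the
    Hamming weight of the real S-box input at each of the 16 byte positions."""
    k13_t = round_key_to_transformed(k13)
    expected = [hw(INV_SBOX[b]) for b in true_round13_sbox_input(ct, k14, k13)]
    return [leakage_round13(ct, k14, k13_t[i], i) for i in range(16)] == expected

# Value the tutorial's attack recovered (the transformed 13th round key).
TUTORIAL_K13_TRANSFORMED = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77, 0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]
# Constructed sample inputs for the self-check, not values from the tutorial's capture.
SAMPLE_K14 = [0x0F, 0x1E, 0x2D, 0x3C, 0x4B, 0x5A, 0x69, 0x78, 0x87, 0x96, 0xA5, 0xB4, 0xC3, 0xD2, 0xE1, 0xF0]
SAMPLE_CT = [0x3A, 0xD7, 0x7B, 0xB4, 0x0D, 0x7A, 0x36, 0x60, 0xA8, 0x9E, 0xCA, 0xF3, 0x24, 0x66, 0xEF, 0x97]

if __name__ == "__main__":
    k13 = transformed_key_to_round_key(TUTORIAL_K13_TRANSFORMED)
    print("13th round key:", " ".join("%02x" % b for b in k13))
    print("model agrees with real decryption:", model_matches_true_leakage(SAMPLE_CT, SAMPLE_K14, k13))
```

Running the script prints the same <code>c6 6a a6 12 ...</code> key as the console session above and reports the model as consistent with the real decryption. Note that <code>leakage_round13</code> never applies InvMixColumns to the key guess, only to the state; that is exactly why the attack result has to be pushed back through ShiftRows and MixColumns before it is the genuine 13th round key, and <code>round_key_to_transformed</code> makes that relationship explicit for checking your own results.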
== Recovering the Encryption Key ==