458
edits
| As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com. |
Changes
no edit summary
This tutorial is an add-on to [[Tutorial A5 Breaking AES-256 Bootloader]]. It continues working on the same firmware, showing how to obtain the hidden IV and signature in the bootloader. '''It is not possible to do this bonus tutorial without first completing the regular tutorial''', so please finish Tutorial A5 first.
== Exploring the Bootloader ==
In this tutorial, we have the luxury of seeing the source code of the bootloader. This is generally not something we would have access to in the real world, so we'll try not to use it to cheat. (Peeking at <code>supersecret.h</code> counts as cheating.) Instead, we'll use the source to help us identify important parts of the power traces.
=== Bootloader Source Code ===
Inside the bootloader's main loop, it does three tasks that we're interested in:
* it decrypts the incoming ciphertext;
We'll use both of the source files throughout the tutorial.
=== Power Traces ===
After the bootloader is finished the decryption process, it executes a couple of distinct pieces of code:
* To apply the IV, it uses an XOR operation;
Let's grab a lot of traces so that we don't have to come back later. Save the project somewhere memorable, set up the capture routine to record 1000 traces, hit ''Capture Many'', and grab a coffee.
== Attacking the IV ==
We need to find the IV before we can look at the signature, so the first half of the attack will look at the IV bytes.
=== Attack Theory ===
The bootloader applies the IV to the AES decryption result by calculating
This is effectively a DPA attack on a single bit of the IV. We can repeat this attack 128 times to recover the entire IV.
=== A 1-Bit Attack ===
Unfortunately, we can't use the ChipWhisperer Analyzer to attack this XOR function. Instead, we'll write our own Python code. One thing that we ''don't'' need to do is write our own AES-256 implementation: there's some perfectly fine code in the PyCrypto library. [https://pypi.python.org/pypi/pycrypto Install PyCrypto] and make sure you can use its functions:
<pre>
for i in range(numTraces):
ct = str(bytearray(textin[i]))
d = [bytearray(pt)[i] for i in range(16)]
dr.append(d)
[[File:Tutorial-A5-Bonus-Diff-0.PNG]]
However, one of these spikes is meaningless to us. The spike around sample 1600 is caused by the signature check, which we aren't attacking yet. You can get a better feel for this by plotting an overlay of the power trace itself: <pre>plt.hold(True)plt.plot(traces[0], 'r')plt.plot(diff, 'b') plt.grid()plt.show()</pre> You can notice the input data is often "pegging" to the 0.5 limit, indicating that spike may be caused by data overload! At any rate, it's clear the actual XOR is occurring where the group of 16 identical operations happens. Let's ignore this large peak and zoom in on the smaller spikes at the start of the trace:
[[File:A5-Bonus-Diff-0-Zoom.PNG]]
These peaks are about 60 samples later (or 15 cycles, since we're using an ADC clock that's 4 times faster than the microcontroller). Also, most of these peaks are upside down! This is a pretty clear indicator that we can find the IV bits from these differential traces. The only thing that we can't tell is the polarity of these signals; there's no way to tell if right-side-up peaks indicate a bit that's set or cleared. However, that means we can narrow down the IV to two possibilities, which is a lot better than <math>2^{128}</math>.
=== The Other 127 ===
The best way to attack the IV would be to repeat the 1-bit conceptual attack for each of the bits. Try to do this yourself! (Really!) If you're stuck, here are a few hints to get you going:
* One easy way of looping through the bits is by using two nested loops, like this:
If you're ''really, really'' stuck, there's a working attack in [[#Appendix A: IV Attack Script]]. You should find that the secret IV is <code>C1 25 68 DF E7 D3 19 DA 10 E2 41 71 33 B0 EB 3C</code>.
== Attacking the Signature ==
The last thing we can do with this bootloader is attack the signature. This final section will show how one byte of the signature could be recovered. If you want more of this kind of analysis, a more complete timing attack is shown in [[Tutorial B3-1 Timing Analysis with Power for Password Bypass]].
=== Attack Theory ===
Recall from earlier that the signature check in C looks like:
The short-circuiting conditions are perfect for us. We can use our power traces to watch how long it takes for the signature check to fail. If the check takes longer than usual, then we know that the first byte of our signature was right.
=== Finding a Single Byte ===
Okay, we know that our power trace will look a lot different for one of our choices of signatures. Let's figure out which one. We'll start by finding the average over all of our 1000 traces:
To finish this attack, you could force the capture software to send more specific text. To find the next byte of the signature, you'd want to fix byte 0 at 0x00 and make byte 1 random. Then, the plaintext should be XORed with the known IV and encrypted with the known AES-256 key. This is left as an exercise for the reader.
== Appendix A: IV Attack Script ==
This is the author's script to automatically attack the secret IV. If you've completed [[#A 1-Bit Attack]], you can paste this snippet immediately after it:
0 0 1 1 1 1 0 0 3c
</pre>
== Links ==
{{Template:Tutorials}}
[[Category:Tutorials]]
