As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Changes


Tutorial A5 Breaking AES-256 Bootloader

920 bytes added, 16:24, 23 July 2017
13th Round Key
[[File:Tutorial-A5-Results-Wrong-Key.PNG|image]]
 
{{warningbox|The default capture stores the WRONG knownkey, so you will have highlighted bytes that are not the correct key. We are looking instead for a large delta between the best-guess and all other guesses. For example for Byte 0 we have the most likely as 0.8141, and 2nd best guess as 0.3551. If our best guess was 0.8141 and 2nd best guess was 0.7981 this would indicate we likely haven't broken the key.}}
Finally, the ''Output vs Point Plot'' shows the correlation against all of the sample points. The spikes on this plot show exactly where the attack was successful (ie: where the sensitive data was leaked):
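Review bot: In the warningbox, the success criterion is only implied through the Byte 0 numbers (0.8141 against 0.3551, then 0.8141 against 0.7981). State the rule first, that every byte needs a large gap between the best guess and the second-best guess, and say explicitly that the highlighting should be ignored for this capture, so readers do not take the highlighted bytes as the recovered key.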
## Redraw the traces and confirm we now have synchronization on the second half:
##: [[File:resyncsad3.png|image]]
 
{{warningbox|Make sure you get a nice aligned last section of the traces, as in the above figure. You may need to adjust the "input window" or "reference points" slightly. If you do not see the nice alignment the remaining attack will fail!}}
Now, we are ready to make a copy of this script:
name = 'Our model'
def leakage(self, pt, ct, guess, bnum):
knownkey = <PUT YOUR 14TH ROUND KEY YOU RECOVERED HERE> #For example: knownkey = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]
xored = [knownkey[i] ^ pt[i] for i in range(0, 16)]
block = xored
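Review bot: The knownkey line is not valid Python as written: `<PUT YOUR 14TH ROUND KEY YOU RECOVERED HERE>` raises a SyntaxError if the script is run before editing, and the only usable value sits in the trailing comment. Consider assigning the example list as the value and moving the instruction to replace it with the reader's own 14th round key into a comment on the line above.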
Note you can check [[#Appendix C AES-256 13th Round Key Script]] for the complete contents of the attack script.
Finally, we need to convert this hypothetical key into the actual value of the 13th round key. We can do this by passing the key through ShiftRows and MixColumns to remove the effect of these two functions. This is easy to do in the Python console(assuming we had the recovered key <code>C6 BD 4E 50 AB CA 75 77 79 87 96 CA 1C 7F C5 82</code>, if you recovered a different key replace the <code>knownkey</code> value with yours):
<pre>
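Review bot: In the parenthetical, "Python console(assuming" is missing a space, and "if you recovered a different key replace the knownkey value with yours" is a run-on that reads better as its own sentence. The same paragraph calls the value a "hypothetical key" and then "the recovered key"; use one term so it is clear the hex string is the value before the ShiftRows and MixColumns conversion, not the final 13th round key.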