As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Tutorial A5 Breaking AES-256 Bootloader

1,561 bytes removed, 19:03, 5 November 2017
13th Round Key
Unfortunately, we cannot use the GUI to attack the 13th round key: the system has no built-in model for round 13 of the AES-256 algorithm. Instead, we can write our own script and insert a custom model into the system. See [[#Appendix D: AES-256 13th Round Key Script]] for the complete script used here.
The ChipWhisperer Analyzer software uses the settings in the GUI to automatically adjust an attack script. Every time you change a setting in the GUI, the autogenerated script is overwritten. For example, the point range is mapped directly to an API call:

[[File:autoscript1.png|image]]

If we modified this script directly, it would be very easy to accidentally overwrite our custom changes from the GUI. Instead, we'll use the autogenerated code to set up a base script, then add in our own attack model. To set up the base script, the procedure is as follows:

# Open the ChipWhisperer Analyzer software again and reopen the project file (if closed).
# Recall from the 14th round attack that the trace data becomes unsynchronized around sample 7000. This is due to a non-constant-time AES implementation: the code does not always take the same amount of time to run for every input. (It's actually possible to do a timing attack on this AES implementation! We'll stick with our CPA attack for now.)
#: [[File:syncproblems.png|image]]
# Resynchronize the traces:
## In the ''Attack Script Generator'' tab, enable the ''Resync: Sum of Difference'' preprocessing module (there is a separate 'Preprocessing' tutorial covering these modules; NB: it is only in slides right now):
##: [[File:resyncsad.png|image]]
## Enable the module and configure the input points. To start, set the reference points to (9063, 9177) and the input window to (9010, 9080), but don't be afraid to change these ranges:
##: [[File:resyncsad2.png|image]]
## Redraw the traces and confirm we have synchronization on the second half:
##: [[File:resyncsad3.png|image]]
{{warningbox|Make sure you get a nice aligned last section of the traces, as in the above figure. You may need to adjust the "input window" or "reference points" slightly. If you do not see the nice alignment the remaining attack will fail!}}
 
Now, we are ready to make a copy of this script:
# Click on the auto-generated script
# Hit ''Copy'' and save the file somewhere
# Double-click on the description of the new file and give it a better name.
# Finally, hit ''Set Active'' after clicking on your new file. The result should look like this:
#: [[File:aes256_customscript.png|image]]
You can now edit the custom script file using the built-in editor OR with an external editor. In this example, the file would be <code>C:\Users\Colin\AppData\Local\Temp\testaes256.py</code>.
The next step is to program our own leakage model. The following Python code implements a leakage model for the output of the 13th round S-box (the CPA attack correlates against the Hamming weight of this intermediate value). Note that <code>pt</code> here is the text sent to the bootloader, which is a ciphertext since the bootloader decrypts it:
<pre>
# Imports for AES256 Attack
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper, AES128_8bit

class AES256_Round13_Model(AESLeakageHelper):
    def leakage(self, pt, ct, guess, bnum):
        # You must put YOUR recovered 14th round key here - this example may not be accurate!
        calc_round_key = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d, 0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]
        # Undo the 14th round with the known key
        xored = [calc_round_key[i] ^ pt[i] for i in range(0, 16)]
        block = self.inv_shiftrows(xored)
        block = self.inv_subbytes(block)
        # InvMixColumns is linear, so it can be applied before the 13th round AddRoundKey;
        # the byte-wise guess is then for InvShiftRows(InvMixColumns(round 13 key))
        block = self.inv_mixcolumns(block)
        block = self.inv_shiftrows(block)
        return self.inv_sbox(block[bnum] ^ guess[bnum])   # 13th round InvSubBytes output
</pre>
# Add the above class to your custom script file.
# Change the leakage model passed to <code>setAnalysisAlgorithm</code> in the script so that it uses your custom class:
#:<pre>leak_model = AES128_8bit(AES256_Round13_Model)</pre>
# As we did in the 14th round attack, reducing the point range can speed up the attack. For example, to use a smaller range of points, change the <code>setPointRange()</code> call to
#:<pre>self.attack.setPointRange((8000,10990))</pre>
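The model above only works because InvMixColumns is linear and InvShiftRows merely permutes bytes, so both can be moved past the 13th round AddRoundKey; the price is that the byte-wise guess the CPA attack recovers is InvShiftRows(InvMixColumns(K13)), not K13 itself, and the real 13th round key has to be recovered afterwards by applying MixColumns(ShiftRows(...)). As an added example (not code from the tutorial or the ChipWhisperer project), the following stand-alone Python re-implements the AES primitives the model needs, mirrors the tutorial's <code>leakage()</code> in a class of its own (<code>Round13Model</code>), and checks that it reproduces every intermediate byte of a straight AES-256 inverse cipher when fed the transformed key. The round keys and text input are constructed test vectors (the 14th round key is just the placeholder value from the script above), and all helper names are this example's own.

```python
# Added example (not ChipWhisperer code): re-implements the AES primitives so the
# 13th round leakage model can be checked offline. Keys/text below are constructed.
from functools import reduce

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p

def _gen_sbox():
    """AES S-box from its definition: GF(2^8) inverse (x^254), then the affine map."""
    sbox = []
    for x in range(256):
        inv = x
        for _ in range(253):
            inv = _gf_mul(inv, x)
        s = 0x63
        for i in range(5):                     # b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = _gen_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]

# State is a flat 16-byte list in column-major order (index = 4*column + row).
def shiftrows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def inv_shiftrows(s):
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

def inv_subbytes(s):
    return [INV_SBOX[b] for b in s]

def _mix(s, m):
    """Apply the circulant 4x4 matrix whose first row is m to every column of s."""
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(reduce(lambda x, y: x ^ y, (_gf_mul(col[k], m[(k - r) % 4]) for k in range(4))))
    return out

def mixcolumns(s):
    return _mix(s, [2, 3, 1, 1])

def inv_mixcolumns(s):
    return _mix(s, [14, 11, 13, 9])

class Round13Model:
    """Same computation as the tutorial's leakage(): pt is the text sent to the bootloader
    (a ciphertext), guess is a candidate for the *transformed* 13th round key. Returns the
    intermediate byte; in ChipWhisperer the AES128_8bit wrapper takes its Hamming weight."""
    def __init__(self, round14_key):
        self.k14 = list(round14_key)

    def leakage(self, pt, ct, guess, bnum):
        block = inv_subbytes(inv_shiftrows([self.k14[i] ^ pt[i] for i in range(16)]))
        block = inv_shiftrows(inv_mixcolumns(block))  # linear steps moved past AddRoundKey
        return INV_SBOX[block[bnum] ^ guess[bnum]]

def reference_round13_sbox_output(text_in, k14, k13):
    """Plain AES-256 inverse cipher, stopped at the round 13 InvSubBytes output."""
    s = inv_subbytes(inv_shiftrows([k14[i] ^ text_in[i] for i in range(16)]))
    s = [s[i] ^ k13[i] for i in range(16)]            # AddRoundKey with the real K13
    return inv_subbytes(inv_shiftrows(inv_mixcolumns(s)))

def transformed_round13_key(k13):
    """What the CPA attack actually recovers: InvShiftRows(InvMixColumns(K13))."""
    return inv_shiftrows(inv_mixcolumns(k13))

def recover_round13_key(guess):
    """Undo that transformation once the attack has produced its best guess."""
    return mixcolumns(shiftrows(guess))

def model_matches_reference(text_in, k14, k13):
    """True if the model fed the transformed key reproduces every real intermediate byte."""
    model, guess = Round13Model(k14), transformed_round13_key(k13)
    ref = reference_round13_sbox_output(text_in, k14, k13)
    return all(model.leakage(text_in, None, guess, b) == ref[b] for b in range(16))

# Constructed vectors: K14 is the placeholder 14th round key from the tutorial script,
# K13 and TEXT_IN are made up for this check.
K14 = [0xea, 0x79, 0x79, 0x20, 0xc8, 0x71, 0x44, 0x7d,
       0x46, 0x62, 0x5f, 0x51, 0x85, 0xc1, 0x3b, 0xcb]
K13 = [0x11 * i for i in range(16)]
TEXT_IN = [(0xa5 + 7 * i) & 0xFF for i in range(16)]

if __name__ == "__main__":
    print("model matches reference:", model_matches_reference(TEXT_IN, K14, K13))
    print("K13 recovered from guess:", recover_round13_key(transformed_round13_key(K13)) == K13)
```

Because the guess is for the transformed key, the 13th round key you read off the attack results table is not directly usable: run it through <code>recover_round13_key()</code> (MixColumns after ShiftRows) before combining it with the 14th round key. The same byte layout and primitive names are what ChipWhisperer's <code>AESLeakageHelper</code> provides, so the check here carries over to the real script.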