|capture hardware = CW-Lite, CW-Lite 2-Part, CW-Pro
|Target Device =
|Target Architecture = XMEGA/ARM
|Hardware Crypto = No
|Purchase Hardware =
This tutorial will take you through a complete attack on a software AES implementation. The specific implementation being attacked is a well-known AES implementation written in C, which is likely to be similar to other implementations used by proprietary systems.
== Capturing ==
This tutorial runs on four different hardware targets. You only need to follow the steps for your given hardware.
=== Capturing with ChipWhisperer-Lite/Pro with default XMEGA Target (CW303) ===
WARNING: This video was recorded with API V3.x, some changes happened so please take note.
NOTE: You can see a Quick-Start Guide and Video for this target on the [[CW1173_ChipWhisperer-Lite]] page:
=== Hardware Setup ===
<ol style="list-style-type: decimal;">{{CollapsibleSection<li><p>Connect the |intro = ==== CW1173/CW1200 by USB cable to computer.</p>(Lite) Hardware Setup ====<blockquote><p>[[File:cw1173_microusb.jpg|image]]</p></blockquote></li><li> The software AES implementation that will run on the target is located in <code>chipwhisperer\hardware\victims\firmware\simpleserial-aes</code>. In a terminal window, navigate here and run the command <code>make</code> to build the firmware. content= CWLite HW Setup}}
As in previous tutorials, ensure that the firmware has been built for the correct board. Here, the output of <code>make</code> should end like{{CollapsibleSection<pre>|intro = ==== CW1200 (Pro) Hardware Setup ====AVR Memory Usage----------------Device: atxmega128d3|content= CW1200 HW Setup}}
Program: 3078 bytes {{CollapsibleSection|intro = ==== CW308 (2.2% FullUFO)Hardware Setup ====(.text + .data + .bootloader)|content= CW308 HW Setup}}
Data: 352 bytes (4=== Building Firmware ===Note that for this tutorial, you'll need to use the <code>simpleserial-aes</code> firmware.3% Full){{CollapsibleSection(.data + .bss + .noinit)|intro = ==== Building for CWLite with XMEGA Target ====|content= Building for XMEGA}}
{{CollapsibleSection
|intro = ==== Building for CWLite with Arm Target ====
|content= Building for Arm}}
Built {{CollapsibleSection|intro = ==== Building for platform CW-Lite XMEGAOther Targets ====|content= Building for Other Targets}}
=== Flashing Firmware ===Note that for this tutorial, you'll need to use the <code>simpleserial-aes</code> firmware. We won't be modifying the firmware, so feel free to just build in the <code>simpleserial------- end --------aes</precode>folder.{{CollapsibleSectionMake sure that |intro = ==== Programming the platform is correct.XMEGA Target ====</li>|content= Programming XMEGA}}
<li> Upload the firmware to the target chip. The process to do this is the same as the previous tutorials:{{CollapsibleSection* Open |intro = ==== Programming the ChipWhisperer Capture software.* Connect to the ChipWhisperer. STM32F3 (You can do this using a script or by filling out the generic settings and connecting to the board yourself.CW303 Arm)Target ====* Open the XMEGA Programmer (**Tools > ChipWhisperer-Lite XMEGA Programmer**).|content= Programming Arm}}* Find the hex file you compiled and program it onto the target.</li>{{CollapsibleSection|intro = ==== Programming Other Targets ====</ol>|content= Programming Other}}
=== Capturing the Traces ===
Note in previous software versions, this tutorial took you through manual setup. This can still be done (using the GUI), but instead now the API has been made more powerful, so the example configuration script will be used instead.
To do so, simply scroll down and select the "setup_cwlite_xmega_aes.py" file:if you're using the CW303 XMEGA target. If you're using the CW303 Arm target, select "setup_cwlite_stm32f_aes.py".
[[File:cwsetup_scriptselection_xmegaconfig_cwliterunIf you're using another target, use the setup script for that target (such as setup_cw308_esp32.py). Additionally, try capturing a trace and seeing how long the "Trigger Active Count" field is under trigger setup. This will set an upper bound on how big "Total Samples" should be (since the AES is completed by this point). Reducing "Total Samples" will give better correlation and take less time to capture and analyze, but lowering it too much will miss the operations we're interest in! If your target lacks a script, "setup_cwlite_stm32f_aes.py" will probably work, but you should check the wiki page for your target to make sure there aren't any differences.png]]
<p>[[File:cwsetup_scriptselection_xmegaconfig_cwliterun.png|718x718px]] [[File:Stm32f aes.PNG|frameless|798x798px]] To complete the tutorial, follow these steps:
</p><ol start="7" style="list-style-type: decimal;">
<li>Switch to the ''General Settings'' tab</li>
<li>If you wish to change the number of traces, do so here. The default of 50 should be sufficient to break AES for most targets though!</li>
<li>Hit the ''Capture Many'' button (M in a green triangle) to start the capture process.</li>
<li>You will see each new trace plotted in the waveform display.</li>
<li>Skip ahead to [[#Analyzing_the_Traces]].</li></ol>
== Capturing with ChipWhisperer-Lite/Pro with NOTDuino (CW304) Analyzing the Traces ==
=== Hardware Setup Opening File & Viewing Traces ===
<ol style="list-style-type: decimal;">
<li>
Set jumpers on NOTDuino to default position (see silkscreen on bottom of NOTDuino for default positions).Open the Analyzer software</li><li>
Connect From the
NOTDuino using the SMA cable on the "measure" port''File --> Open Project'' option,
and navigate to the
20-pin IDC cable:.cwp file you save previously. Open this file.</li><li>
<p>Connect Switch to the
CW1173''Trace Output Plot'' tab on the right side.</
CW1200 by USB cable li><li>Switch to
computer.the ''Results'' setting tab on the left side</
pli>
<li>Scroll down to the ''Trace Output Plot'' setting, highlighted below:<p>[[File:
cw1173_avr_microusbv4_tracedraw.
jpgpng|
image500px]]</p></li>
<li>You can choose to plot a specific range of traces. For example type '''0-10''' in the ''Trace(s) to plot'' window.</li><li>Hit the ''Redraw'' button when you change the trace plot range.</li><li>You can right-click on the waveform to change options, or left-click and drag to zoom.</li><li>Use the toolbar to quickly reset the zoom back to original.</li><li>Try more advanced plotting options, like '''0(r),4-7(b)''' to plot trace 0 in red, and 4-6 in blue. See a full list of possible commands on the page [[Plotting_Widget]].</li></ol>
=== Capturing the Traces Running Attack Script ===
<ol style="list-style-type: decimal;"><li>Close & reopen the capture software (to clear out any previous connection which may be invalid).</li><li><p>From the ''Project'' menu elect the ''Example Scripts'' and then ''In ChipWhisperer-Lite: AES SimpleSerial on ATMega328P''</p><p>[[File:runscript_cw1173avrV4.png|image]]</p></li><li><p>The script will automatically connect to the capture hardware and run 2 example traces0, we now use attack scripts for everything. You should see something that looks like As in the following screen:</p><p>[[File:capture.png|image]]</p><p>To complete the tutorialprogram, follow these steps:</p><blockquote><ol style="list-style-type: decimal;"><li>Switch switch to the ''General Settings'Python Console''' tab</li><li>If you wish to change & find the number of traces, do so hereattack scripts. The default of 50 should There may be sufficient to break AES though!</li><li>Hit the ''Capture Many'' button (M in a green triangle) to start the capture process.</li><li>You will see each new trace plotted in the waveform display.</li><li>You'll see the trace count in the status bar. Once it says ''Trace 50 done'' (assuming you requested 50 traces) the capture process is complete.</li></ol></blockquote></li><li>Finally save this project using the ''File --> Save Project'' optionadditional scripts there, give it any name but you wantshould find one called "attack_cpa.</li><li>Skip ahead to [[#Analyzing_the_Traces]]py".</li></ol>It has the following contents:
<syntaxhighlight lang== Capturing with PicoScope + Multi-Target (CW301) ==python>import chipwhisperer as cwfrom chipwhisperer.analyzer.attacks.cpa import CPAfrom chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressivefrom chipwhisperer.analyzer.attacks.models.AES128_8bit import AES128_8bit, SBox_outputfrom chipwhisperer.analyzer.preprocessing.add_noise_random import AddNoiseRandom
<TODO>#self.project = cw.openProject("2017-mar23-xmega-aes.cwp")traces = self.project.traceManager()
= Analyzing #Example: If you wanted to add noise, turn the Traces .enabled to "True"self.ppmod[0] = AddNoiseRandom()self.ppmod[0].noise = 0.05self.ppmod[0].enabled =False
<ol styleattack ="list-style-type: decimal;">CPA()<li>Open the Analyzer software</li>leak_model = AES128_8bit(SBox_output)<li>From the ''File --> Open Project'' option, navigate to the attack.cwp file you save previously. Open this file.</li><li><p>Select the ''Project --> Manage Traces'' option to open the dialog, enable the captured traces by adding a check-mark in the box. Close the dialog with `ESC`:</p><p>[[File:tracemanage.png|image]]</p></li><li><p>If you wish to view the trace datasetAnalysisAlgorithm(CPAProgressive, follow these steps:</p>leak_model)
<ol style="list-style-type: decimal;">attack.setTraceStart(0)<li>Switch to the ''Waveform Display'' tab</li>attack.setTracesPerAttack(50)<li>Switch to the ''General'' parameter setting tab</li>attack.setIterations(1)<li>You can choose to plot a specific range of traces</li><li>Hit the ''Redraw'' button when you change the trace plot range</li>attack.setReportingInterval(10)<li>You can right-click on the waveform to change optionsattack.setTargetSubkeys([0, or left-click and drag to zoom</li>1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])<li>attack.setTraceSource(oops there is no 6self.ppmod[0])</li><li>Use the toolbar to quickly reset the zoom back to original</li></ol>attack.setPointRange((0, 3000))
<p>[[File:traceplottingself.png|image]]</p></li><li><p>You can view or change the results_table.setAnalysisSource(attack options on the ''Attack'' parameter settings tab:</p>)<ol style="list-style-type: decimal;"><li>The ''Hardware Model'' settings are correct for the software AES by default</li><li>The ''Point Setup'' makes the attack faster by looking over a more narrow range of pointsself.correlation_plot. Often you might have to characterize your device to determine the location of specific setAnalysisSource(attack points of interest.</li>)<li>''Traces per Attack'' allows you to use only a subset of capture traces on each attackself. Or if you have for example 1000 traces, you could average the results of attacking 50 traces over 200 attack runs.</li><li>''Reporting Interval'' is how often data is generatedoutput_plot. A smaller interval generates more useful output data, but greatly increases computational complexity setAnalysisSource(e.g. slows down attack)self. If you only care about attacking the system, the reporting interval can be set to the number of tracespge_plot. In which case the setAnalysisSource(attack)attack runs completely, and you get the results. For this tutorial you can set to a smaller number processTraces(such as 5).</li></olsyntaxhighlight>
<p>[[FileYou can see this script has several sections:
attacksettings # Imports for needed functions.
png|image]]</p# Loading of project (if using a project from disk) & setting of trace information.# Configuration of attack.# Connecting output (drawing) widgets to the attack.# Running the attack. If you need to modify the script, you can edit the file in an external editor. You will need to ensure your system is configured to open your preferred editor on ".py" files, OR configure the editor under ''Help -->
Preferences''. The default options should work, but you can modify for example the ''Reporting Interval'' to see more detailed graphs. <
/liol style="list-style-type: decimal;"><li><p>Finally run the attack by switching to the ''Results Table'' tab and then hitting the ''
AttackRun'' button
with the script selected:</p><p>[[File:
attackv4_runscript.png|
image400px]]</p></li>
<li><p>If you adjusted the ''Reporting Interval'' to a smaller number such as 5, you'll see the progression of attack results as more traces are used. If not you should simply see the final results, which should have the correct key highlighted in red. In the following case the correct key ''was'' recovered:</p>
<p>[[File:attack-done.png|image]]</p></li>
<p>[[File:attack-done2.png|image]]</p></li></ol>
== Next Steps == This has only briefly outlined how to perform a CPA attack. You can move onto more advanced tutorials, especially showing you how the actual attack works when performed manually. This tutorial also utilized tiny-AES128-C for Arm targets, which uses the same operations as the XMEGA target. For a more typical 32 bit AES attack, see [[Tutorial A8 32bit AES]].
This has only briefly outlined how to perform a CPA attack. You can move onto more advanced tutorials, especially showing you how the actual attack works when performed manually.== Links ==
{{Template:Tutorials}}
[[Category:Tutorials]]
