As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

Changes

Tutorial B5 Breaking AES (Straightforward)

1,274 bytes removed, 16:35, 9 October 2018
Flashing Firmware
{{Warningbox|This tutorial has been updated for ChipWhisperer 4.0.0 release. If you are using 3.x.x see the "V3" link in the sidebar.}} {{Infobox tutorial|name = Tutorial #B5: Breaking AES (Straightforward) |image =|caption = |software versions =|capture hardware = CW-Lite, CW-Lite 2-Part, CW-Pro|Target Device = |Target Architecture = XMEGA/ARM|Hardware Crypto = No|Purchase Hardware = }}
This tutorial will take you through a complete attack on a software AES implementation. The specific implementation being attacked is a well-known AES implementation written in C, which is likely to be similar to other implementations used by proprietary systems.
== Capturing ==
This tutorial runs on four different hardware targets. You only need to follow the steps for your given hardware.
=== Capturing with ChipWhisperer-Lite /Pro with default XMEGA Target (CW1173 + CW303) === WARNING: This video was recorded with API V3.x, some changes happened so please take note.
NOTE: You can see a Quick-Start Guide and Video for this target on the [[CW1173_ChipWhisperer-Lite]] page:
=== Hardware Setup ===
<ol style="list-style-type: decimal;">{{CollapsibleSection<li><p>Connect the |intro = ==== CW1173 by micro USB cable to computer.</p>(Lite) Hardware Setup ====<blockquote><p>[[File:cw1173_microusb.jpg|image]]</p></blockquote></li></ol>content= CWLite HW Setup}}
{{CollapsibleSection|intro === Capturing the Traces ==CW1200 (Pro) Hardware Setup ====|content= CW1200 HW Setup}}
<ol style{{CollapsibleSection|intro ="list-style-type: decimal;"><li>Close &amp; reopen the capture software ==== CW308 (to clear out any previous connection which may be invalidUFO).</li>Hardware Setup ====<li><p>From the ''Project'' menu elect the ''Example Scripts'' and then ''ChipWhisperer-Lite: AES SimpleSerial on XMEGA'' (make sure you don't select the &quot;SPA&quot; example):</p><p>[[File:runscript_cw1173xmega.png|image]]</p></li><li><p>The script will automatically connect to the capture hardware and run 2 example traces. You should see something that looks like the following screen:</p><p>[[File:capture_cw1173xmega.png|image]]</p><p>To complete the tutorial, follow these steps:</p><blockquote><ol stylecontent="list-style-type: decimal;"><li>Switch to the ''General Settings'' tab</li><li>If you wish to change the number of traces, do so here. The default of 50 should be sufficient to break AES though!</li><li>Hit the ''Capture Many'' button (M in a green triangle) to start the capture process.</li><li>You will see each new trace plotted in the waveform display.</li><li>You'll see the trace count in the status bar. Once it says ''Trace 50 done'' (assuming you requested 50 traces) the capture process is complete.</li></ol></blockquote></li><li>Finally save this project using the ''File --&gt; Save Project'' option, give it any name you want.</li><li>Skip ahead to [[#Analyzing_the_Traces]].</li></ol>CW308 HW Setup}}
== Capturing with ChipWhisperer= Building Firmware ===Note that for this tutorial, you'll need to use the <code>simpleserial-Lite aes</code> firmware.{{CollapsibleSection|intro = ==== Building for CWLite with NOTDuino (CW1173 + CW304) XMEGA Target ====|content=Building for XMEGA}}
{{CollapsibleSection|intro === Hardware Setup ==Building for CWLite with Arm Target ====|content= Building for Arm}}
<ol style="list-style-type: decimal;">{{CollapsibleSection<li>Set jumpers on NOTDuino to default position (see silkscreen on bottom of NOTDuino |intro = ==== Building for default positions).</li>Other Targets ====<li>Connect the NOTDuino using the SMA cable on the &quot;measure&quot; port, and the 20-pin IDC cable:</li><li><p>Connect the CW1173 by micro USB cable to computer.</p><p>[[File:cw1173_avr_microusb.jpg|image]]</p></li></ol>content= Building for Other Targets}}
=== Capturing Flashing Firmware ===Note that for this tutorial, you'll need to use the Traces <code>simpleserial-aes</code> firmware. We won't be modifying the firmware, so feel free to just build in the <code>simpleserial-aes</code> folder.{{CollapsibleSection|intro = ==== Programming the XMEGA Target ====|content=Programming XMEGA}}
<ol style{{CollapsibleSection|intro ="list-style-type: decimal;"><li>Close &amp; reopen ==== Programming the capture software STM32F3 (to clear out any previous connection which may be invalidCW303 Arm).</li>Target ====<li><p>From the ''Project'' menu elect the ''Example Scripts'' and then ''ChipWhisperer-Lite: AES SimpleSerial on ATMega328P''</p><p>[[File:runscript_cw1173avr.png|image]]</p></li><li><p>The script will automatically connect to the capture hardware and run 2 example traces. You should see something that looks like the following screen:</p><p>[[File:capture.png|image]]</p><p>To complete the tutorial, follow these steps:</p><blockquote><ol stylecontent="list-style-type: decimal;"><li>Switch to the ''General Settings'' tab</li><li>If you wish to change the number of traces, do so here. The default of 50 should be sufficient to break AES though!</li><li>Hit the ''Capture Many'' button (M in a green triangle) to start the capture process.</li><li>You will see each new trace plotted in the waveform display.</li><li>You'll see the trace count in the status bar. Once it says ''Trace 50 done'' (assuming you requested 50 traces) the capture process is complete.</li></ol></blockquote></li><li>Finally save this project using the ''File --&gt; Save Project'' option, give it any name you want.</li><li>Skip ahead to [[#Analyzing_the_Traces]].</li></ol>Programming Arm}}
{{CollapsibleSection|intro == Capturing with Capture Rev2 + Multi-Target (CW1002 + CW301) === Programming Other Targets ====|content= Programming Other}}
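Review bot: The note under the Flashing Firmware heading repeats the sentence already given under Building Firmware ("you'll need to use the simpleserial-aes firmware") and then adds build guidance ("feel free to just build in the simpleserial-aes folder"), which comes too late for a reader who has already reached the flashing step. Move the build sentence up to Building Firmware and keep only a flashing-relevant reminder here.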
=== Hardware Setup Capturing the Traces ===
This tutorial uses the [[CW1002_ChipWhisperer_Capture_Rev2]] hardware along with the [[CW301_Multi-Target]] board. Note that you '''don't need hardware''' to complete the tutorial. Instead you can download [httpsFile://wwwcwsetup_scriptselection.assembla.com/spaces/chipwhisperer/wiki/Example_Captures example traces from the ChipWhisperer Sitepng|889x889px]].
This example uses # Switch to the Atmel AVR in 28-pin DIP programmed with a ''simpleserialPython Console'' communications protocoltab. This is the default firmware programmed into the devices, so you shouldn't need # The script selection window (2) lists available example scripts. Scroll down to do anything"connect_cwlite_simpleserial. If you've erased the device, you can py" and click on it.# You will see programming instructions the script contents appear in the [[Installing_ChipWhisperer]] section"Script Preview" window (3). You can either hit the "Run" button or double-click the filename of the script to execute it. Do either of those now.
The Multi-Target board window should be plugged into the ChipWhisperer Capture Rev2 via the 20-pin target cable. The ''VOUT'' SMA connector is wired change to indicate the ''LNA'' input on the ChipWhisperer-Capture Rev2 front panel. The general hardware setup is as followsconnect succeeded:
<blockquote>[[File:hw-1cwsetup_scriptselection_cwliterun.jpgpng|image889x889px]]
# 20<p><ol start="4" style="list-Pin Header connects Multistyle-Target to Capture Hardware# VOUT Connects to SMA Cable# SMA Cable connects to 'LNA' on CHA inputtype: decimal;"># USB<li>The console lists the exact script that is executed. Note you could have manually executed the script commands line-Mini connects to side (NB: Confirm jumper settings by-line in next section first)this console.</blockquoteli>Jumpers on the Multi-<li>The "Scope" and "Target Victim board are " buttons will show as follows:connected.</li><li>The Status Bar will show a connection.</li></ol></p>Note in previous software versions, this tutorial took you through manual setup. This can still be done (using the GUI), but instead now the API has been made more powerful, so the example configuration script will be used instead.
<blockquote>[[File:hw-2To do so, simply scroll down and select the "setup_cwlite_xmega_aes.py" if you're using the CW303 XMEGA target. If you're using the CW303 Arm target, select "setup_cwlite_stm32f_aes.py".jpg|600px|image]]
# NO jumpers mounted in XMEGA Portion or SmartCard Portion (JP10-JP15If you're using another target, JP19, JP7-JP8, JP17)# 3.3V IO Level use the setup script for that target (JP20 set to INTsuch as setup_cw308_esp32.py)# The 7.37 MHz oscillator Additionally, try capturing a trace and seeing how long the "Trigger Active Count" field is selected as under trigger setup. This will set an upper bound on how big "Total Samples" should be (since the CLKOSC source (JP18AES is completed by this point)# The CLKOSC is connected . Reducing "Total Samples" will give better correlation and take less time to the AVR CLock Networkcapture and analyze, along with connected to but lowering it too much will miss the FPGAIN pin (JP4)# The TXD &amp; RXD jumpers are set (JP5operations we're interest in! If your target lacks a script, "setup_cwlite_stm32f_aes.py" will probably work, JP6)# Power measurement taken from VCC shunt (JP1)# The TRIG jumper is set (JP28) (NOTE: Early revisions of but you should check the multi-wiki page for your target board do not have the TRIG jumper and you can ingore this)to make sure there aren't any differences.
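Review bot: In the added guidance on "Total Samples", "the operations we're interest in" should read "interested in". The passage also mixes two separate actions in one paragraph. It would be easier to follow as two steps: first select the setup script for the target, then capture one trace and use "Trigger Active Count" as the upper bound for "Total Samples". The fallback advice for targets without a script ("setup_cwlite_stm32f_aes.py will probably work") should name which settings to compare against the target's wiki page.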
For more information on these jumper settings see [[CW301_Multi-TargetFile:cwsetup_scriptselection_xmegaconfig_cwliterun.png|718x718px]] .</blockquote>=== Setting up the Software ===
It is assumed that you've already followed the guide in [[Installing_ChipWhisperer]]File:Stm32f aes. Thus it is assumed you are able to communicate with the ChipWhisperer Capture Rev2 hardware. Note in particular you must have configured the FPGA bitstream in the ChipWhisperer-Capture software, all part of the description in the [[Installing_ChipWhispererPNG|frameless|798x798px]] guide.
=== Capturing the Traces === This tutorial uses a simple script that ships with the ChipWhisperer Capture software. The easiest method of accomplishing the trace capture is as follows: <ol style="list-style-type: decimal;"><li>Close &amp; reopen the capture software (to clear out any previous connection which may be invalid).</li><li><p>From the ''Project'' menu elect the ''Example Scripts'' and then ''ChipWhisperer-Rev2: SimpleSerial Target''</p><p>[[File:runscript.png|image]]</p></li><li><p>The script will automatically connect to the capture hardware and run 2 example traces. You should see something that looks like the following screen:</p><p>[[File:capture.png|image]]</p><p>To complete the tutorial, follow these steps:</p><blockquote><ol start="7" style="list-style-type: decimal;">
<li>Switch to the ''General Settings'' tab</li>
<li>If you wish to change the number of traces, do so here. The default of 50 should be sufficient to break AES for most targets though!</li>
<li>Hit the ''Capture Many'' button (M in a green triangle) to start the capture process.</li>
<li>You will see each new trace plotted in the waveform display.</li>
<li>You'll see the trace count in the status bar. Once it says ''Trace 50 done'' (assuming you requested 50 traces) the capture process is complete.</li></ol></blockquote></li>
<li>Finally save this project using the ''File --&gt; Save Project'' option, give it any name you want.</li>
<li>Skip ahead to [[#Analyzing_the_Traces]].</li></ol>
== Capturing with PicoScope + Multi-Target (CW301) Analyzing the Traces ==
&lt;TODO&gt; == Analyzing the = Opening File & Viewing Traces ===
<ol style="list-style-type: decimal;">
<li>Open the Analyzer software</li>
<li>From the ''File --> Open Project'' option, navigate to the .cwp file you save previously. Open this file.</li>
<li><p>Select Switch to the ''Project --> Manage TracesTrace Output Plot'' option to open tab on the dialog, enable the captured traces by adding a check-mark in the boxright side. Close </li><li>Switch to the dialog with `ESC`:''Results'' setting tab on the left side</pli><li>Scroll down to the ''Trace Output Plot'' setting, highlighted below:<p>[[File:tracemanagev4_tracedraw.png|image500px]]</p></li><li>You can choose to plot a specific range of traces. For example type '''0-10''' in the ''Trace(s) to plot'' window.<p/li>If <li>Hit the ''Redraw'' button when you wish change the trace plot range.</li><li>You can right-click on the waveform to view change options, or left-click and drag to zoom.</li><li>Use the toolbar to quickly reset the zoom back to original.</li><li>Try more advanced plotting options, like '''0(r),4-7(b)''' to plot trace data0 in red, follow these steps:and 4-6 in blue. See a full list of possible commands on the page [[Plotting_Widget]].</pli></ol>
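Review bot: The advanced plotting example in the last list item is inconsistent: the command is "0(r),4-7(b)" but the description says traces 4-6 are plotted in blue. Make the range and the description agree, or state that the upper bound of a range is exclusive if that is the intended behaviour. The first list item's "Trace Output Plot" tab and the later "Trace Output Plot" setting share a name, so say which side of the window each one is on every time it is mentioned.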
<ol style="list-style-type: decimal;"><li>Switch to the ''Waveform Display'' tab</li><li>Switch to the ''General'' parameter setting tab</li><li>You can choose to plot a specific range of traces</li><li>Hit the ''Redraw'' button when you change the trace plot range</li><li>You can right-click on the waveform to change options, or left-click and drag to zoom</li><li>(oops there is no 6)</li><li>Use the toolbar to quickly reset the zoom back to original</li></ol>== Running Attack Script ===
<p>[[File:traceplottingIn ChipWhisperer V4.png|image]]</p></li><li><p>You can view or change the 0, we now use attack options on scripts for everything. As in the capture program, switch to the ''Attack'Python Console''' parameter settings tab& find the attack scripts. There may be additional scripts there, but you should find one called "attack_cpa.py". It has the following contents: </psyntaxhighlight lang=python><ol styleimport chipwhisperer as cwfrom chipwhisperer.analyzer.attacks.cpa import CPAfrom chipwhisperer.analyzer.attacks.cpa_algorithms.progressive import CPAProgressivefrom chipwhisperer.analyzer.attacks.models.AES128_8bit import AES128_8bit, SBox_outputfrom chipwhisperer.analyzer.preprocessing.add_noise_random import AddNoiseRandom #self.project =cw.openProject("list2017-stylemar23-type: decimal;xmega-aes.cwp">)<li>The ''Hardware Model'' settings are correct for the software AES by default</li><li>The ''Point Setup'' makes the attack faster by looking over a more narrow range of pointstraces = self.project. Often traceManager() #Example: If you might have wanted to characterize your device to determine add noise, turn the location of specific attack points of interest.</li><li>''Traces per Attack'' allows you enabled to use only a subset of capture traces on each "True"self.ppmod[0] = AddNoiseRandom()self.ppmod[0].noise = 0.05self.ppmod[0].enabled = False attack = CPA()leak_model = AES128_8bit(SBox_output)attack. Or if you have for example 1000 tracessetAnalysisAlgorithm(CPAProgressive, you could average the results of attacking leak_model) attack.setTraceStart(0)attack.setTracesPerAttack(50 traces over 200 )attack runs.</li>setIterations(1)<li>''Reporting Interval'' is how often data is generatedattack. A smaller interval generates more useful output datasetReportingInterval(10)attack.setTargetSubkeys([0, but greatly increases computational complexity 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15])attack.setTraceSource(eself.gppmod[0])attack. 
slows down setPointRange((0, 3000)) self.results_table.setAnalysisSource(attack)self. If you only care about attacking the system, the reporting interval correlation_plot.setAnalysisSource(attack)self.output_plot.setAnalysisSource(attack)self.pge_plot.setAnalysisSource(attack)attack.processTraces()</syntaxhighlight> You can be set see this script has several sections: # Imports for needed functions.# Loading of project (if using a project from disk) & setting of trace information.# Configuration of attack.# Connecting output (drawing) widgets to the number of tracesattack. In which case # Running the attack runs completely, and . If you get need to modify the results. For this tutorial script, you can set edit the file in an external editor. You will need to a smaller number (such as 5)ensure your system is configured to open your preferred editor on ".</li></olpy" files, OR configure the editor under ''Help -->Preferences''.
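Review bot: In the attack_cpa.py listing, traces = self.project.traceManager() is assigned but nothing later in the listing references it: AddNoiseRandom() is created without arguments and the attack reads from self.ppmod[0]. Show where the preprocessing module is given its trace source, or say that the GUI wires it up, so a reader who runs the commands line by line in the console knows how the traces reach the attack. The commented-out cw.openProject("2017-mar23-xmega-aes.cwp") line also needs a sentence telling readers to substitute the project they saved in the capture step.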
The default options should work, but you can modify for example the ''Reporting Interval'' to see more detailed graphs. <p>[[Fileol style="list-style-type:attacksettings.png|image]]</p></lidecimal;"><li><p>Finally run the attack by switching to the ''Results Table'' tab and then hitting the ''AttackRun'' buttonwith the script selected:</p><p>[[File:attackv4_runscript.png|image400px]]</p></li>
<li><p>If you adjusted the ''Reporting Interval'' to a smaller number such as 5, you'll see the progression of attack results as more traces are used. If not you should simply see the final results, which should have the correct key highlighted in red. In the following case the correct key ''was'' recovered:</p>
<p>[[File:attack-done.png|image]]</p></li>
== Next Steps ==
This has only briefly outlined how to perform a CPA attack. You can move onto more advanced tutorials, especially showing you how the actual attack works when performed manually.This tutorial also utilized tiny-AES128-C for Arm targets, which uses the same operations as the XMEGA target. For a more typical 32 bit AES attack, see [[Tutorial A8 32bit AES]].  == Links == {{Template:Tutorials}}[[Category:Tutorials]]