As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

# Changes

## Tutorial B11 Breaking RSA

, 21:40, 15 July 2017
Automating Attack
# Using the reference pattern, find the timing information and break the RSA power trace.

Loading the trace can be done with the ChipWhisperer software. Let's first do a few steps to load the data, as follows:
[[File:B11_plotreftrace.png|400px]]

=== Plotting a Reference ===
So what's a good reference location? This is a little arbitrary, we will just define it as a suitable-sounding piece of information. You could get a reference pattern with something like the following:
[[File:B11_diff_plot.png|400px]]

== Automating the Attack ==

The last step is almost the easiest. We'll now count the timing difference between locations we find the template. If we see a longer delay, we know that the system performed a square+multiply, instead of just a square.

You could find the location where it falls below some number (say 10) in a variety of ways. Let's do something like this:

<syntaxhighlight lang="python">
last_t = -1
for t,d in enumerate(diffs):
if d < 10:
if last_t > 0:
delta = t-last_t
print delta
last_t = t
</syntaxhighlight>

Which should give you an output like the following (specific numbers will vary):

<syntaxahighlight>
1855
1275
1275
1275
1275
1275
1275
1286
1275
1275
1275
1528
1275
1275
1275
</syntaxhighlight>

Not there is a pretty long delay in the first run through, but later runs have roughly a constant time. There is three possible delays used in later bits:

* 1275 - The standard delay, indicating a square only ('0' in key-bit).
* 1286 - The standard delay with a little extra since it has finished processing an 8-bit chunk ('0' in key-bit still).
* 1528 - A much longer delay resulting from a square+multiply.

We can recover the complete key by simply looking at the delay value. We will arbitrarily choose a delay of longer than 1500 cycles indicating that a '1' has occurred, meaning we can recover the complete key using something like the following piece of code:

<syntaxhighlight lang='python'>
recovered_key = 0x0000
bitnum = 17

last_t = -1
for t,d in enumerate(diffs):
if d < 10:
bitnum -= 1
if last_t > 0:
delta = t-last_t
print delta
if delta > 1300:
recovered_key |= 1<<bitnum

last_t = t
print("Key = %04x"%recovered_key)
</syntaxhighlight>

Note the following problems with this code:

* Requires you to specify bit-length.
* Does not determine if last bit is a '1' (as has nothing after the last bit to compare to).

You can try to extend the above code by (1) counting the number of matches of the template, and (2) attempting to template the processing of the '1' bit instead, and directly determining where a '1' processing is occurring. This may require to to experiment with the location of the reference template.

== Extending the Tutorial ==

The previous tutorial is a basic attack on the core RSA algorithm. There are several extensions of it you can try. As mentioned you can improve the automatic key recover algorithm. You can also try performing this attack on longer key lengths -- this is made much easier with the ChipWhisperer-Pro, as it can use "streaming mode" to recover an extremely long key.

The ChipWhisperer-Pro has a unique analog trigger feature. This can also be used to break the RSA algorithm by simply performing the pattern match in real-time, and measuring the time delay of triggger locations. This is demonstrated in the next section.

=== Use of SAD Trigger in ChipWhisperer-Pro ===

Performing the capture & post-processing of data may be difficult on a long capture. Instead we can use the hardware pattern matching block inside the ChipWhisperer-Pro to perform this attack, and avoid needing to carefully trigger the capture or even record the analog data at all.

This will require you to:

# Perform an example capture to program the SAD block.
# Configure the trigger out to be routed to an I/O pin.
# Using an external device (logic analyzer, scope, etc) record the trigger pattern.
# From the trigger pattern, directly read off the RSA secret key.