As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

# Changes

## Tutorial B11 Breaking RSA

Revision of 13:26, 29 July 2019 (no edit summary)
### Old revision

== RSA Attack Theory ==

We won't go into what RSA is; see the [[wikipedia:RSA_(cryptosystem)|RSA Wikipedia]] article for a quick background. What we really care about is the following piece of pseudocode from that article, used in decrypting a message:

<syntaxhighlight lang="javascript">
/**
 * Decrypt
 *
 * @param {c} int / bigInt: the 'message' to be decoded (encoded with RSA.encrypt())
 * @param {d} int / bigInt: d value returned from RSA.generate() aka private key
 * @param {n} int / bigInt: n value returned from RSA.generate() aka public key (part I)
 * @returns {bigInt} decrypted message
 */
RSA.decrypt = function(c, d, n){
    return bigInt(c).modPow(d, n);
};
</syntaxhighlight>

The most critical piece of information is the value ''d''. It is the private key, and if it leaks the entire system is compromised. So let's assume we can monitor a target device while it decrypts any message (we don't even care what the message is). Our objective is to recover ''d''.

Let's consider our actual target code, which will be the RSA implementation in avr-crypto-lib. This has been copied over to be part of the ChipWhisperer repository, and you can see the implementation [https://github.com/newaetech/chipwhisperer/blob/master/hardware/victims/firmware/crypto/avrcryptolib/rsa/rsa_basic.c#L163 in rsa_basic.c of rsa_dec()]. The function in question looks like this:

<syntaxhighlight lang="c">
uint8_t rsa_dec(bigint_t* data, const rsa_privatekey_t* key){
	if(key->n == 1){
		bigint_expmod_u(data, data, &(key->components[0]), &key->modulus);
		return 0;
	}
	if(key->n == 5){
		if (rsa_dec_crt_mono(data, key)){
			return 3;
		}
		return 0;
	}
	if(key->n<8 || (key->n-5)%3 != 0){
		return 1;
	}
	//rsa_dec_crt_multi(data, key, (key->n-5)/3);
	return 2;
}
</syntaxhighlight>

We'll consider the case where ''key->n == 5'', so it is ''rsa_dec_crt_mono()'' that we attack. You can see that function [https://github.com/newaetech/chipwhisperer/blob/master/hardware/victims/firmware/crypto/avrcryptolib/rsa/rsa_basic.c#L53 at Line 53 of that same file]. I've removed all the debug code in the following so you can better see the program flow:

<syntaxhighlight lang="c">
uint8_t rsa_dec_crt_mono(bigint_t* data, const rsa_privatekey_t* key){
	bigint_t m1, m2;
	m1.wordv = malloc((key->components[0].length_B /* + 1 */) * sizeof(bigint_word_t));
	m2.wordv = malloc((key->components[1].length_B /* + 1 */) * sizeof(bigint_word_t));
	if(!m1.wordv || !m2.wordv){
		//Out of memory error
		free(m1.wordv);
		free(m2.wordv);
		return 1;
	}
	bigint_expmod_u(&m1, data, &(key->components[2]), &(key->components[0]));
	bigint_expmod_u(&m2, data, &(key->components[3]), &(key->components[1]));
	bigint_sub_s(&m1, &m1, &m2);
	while(BIGINT_NEG_MASK & m1.info){
		bigint_add_s(&m1, &m1, &(key->components[0]));
	}
	bigint_reduce(&m1, &(key->components[0]));
	bigint_mul_u(data, &m1, &(key->components[4]));
	bigint_reduce(data, &(key->components[0]));
	bigint_mul_u(data, data, &(key->components[1]));
	bigint_add_u(data, data, &m2);
	free(m2.wordv);
	free(m1.wordv);
	return 0;
}
</syntaxhighlight>

Note all the calls to <code>bigint_expmod_u()</code> with the private key material. If we could attack that function, all would be lost. That function lives elsewhere, in the [https://github.com/newaetech/chipwhisperer/blob/master/hardware/victims/firmware/crypto/avrcryptolib/bigint/bigint.c#L812 bigint.c file at Line 812]. Again we can see the source code here:

### New revision

{{Warningbox|This tutorial has been updated for ChipWhisperer 5 release. If you are using 4.x.x or 3.x.x see the "V4" or "V3" link in the sidebar.}}
{{Warningbox|This tutorial works differently than in V4, now utilizing a fault attack instead of a power analysis attack.}}
{{Infobox tutorial
|name = B11: Breaking RSA
|image =
|caption =
|software versions =
|capture hardware =
|Target Device =
|Target Architecture = Arm
|Hardware Crypto = No
|Purchase Hardware =
}}
<!-- To edit this, edit Template:Tutorial_boilerplate -->
{{Tutorial boilerplate}}

* Jupyter file: ''Fault_5-RSA_Fault_Attack.ipynb''

== XMEGA Target ==

This tutorial is not available for XMEGA targets.

== ChipWhisperer-Lite ARM / STM32F3 Target ==

See the following for using:
* ChipWhisperer-Lite 32-bit (STM32F3 Target)
* ChipWhisperer-Lite Capture + STM32F3 Target on UFO Board (including NAE-SCAPACK-L1/L2 users)
* ChipWhisperer-Pro + STM32F3 Target on UFO Board

== ChipWhisperer Nano Target ==
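To make the data flow of ''rsa_dec_crt_mono()'' concrete, here is an added Python model of the same Garner recombination (example code written for this page, not code from avr-crypto-lib or the tutorial). It assumes the key layout the C function implies, ''components[0..4] = p, q, dp, dq, qinv'', uses constructed toy primes, and adds the standard countermeasure the C code lacks: re-encrypting the result with the public exponent and refusing to output it when a half-exponentiation has been corrupted, which is the condition a fault attack on CRT-RSA relies on.

```python
# Added example: RSA-CRT decryption shaped like rsa_dec_crt_mono(), plus a
# verify-before-release check. Toy key is constructed; never use sizes like this.
P, Q, E = 61, 53, 17
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent d (pow with -1 needs Python 3.8+)

# Assumed layout of rsa_privatekey_t with n == 5: [p, q, dp, dq, qinv]
COMPONENTS = [P, Q, D % (P - 1), D % (Q - 1), pow(Q, -1, P)]


def rsa_dec_crt_mono(c, components, fault_m1=None):
    """Garner recombination mirroring the C function step by step.
    fault_m1 (hypothetical test hook) replaces the result of the first
    bigint_expmod_u() call, simulating a glitch in that half-exponentiation."""
    p, q, dp, dq, qinv = components
    m1 = pow(c, dp, p)          # bigint_expmod_u(&m1, data, components[2], components[0])
    m2 = pow(c, dq, q)          # bigint_expmod_u(&m2, data, components[3], components[1])
    if fault_m1 is not None:
        m1 = fault_m1           # corrupted m1: m2 is still correct, m1 is not
    h = (m1 - m2) % p           # bigint_sub_s, add p while negative, bigint_reduce mod p
    h = (h * qinv) % p          # bigint_mul_u with components[4], bigint_reduce mod p
    return h * q + m2           # bigint_mul_u with components[1], bigint_add_u(&m2)


def rsa_dec_checked(c, components, e, n, fault_m1=None):
    """Countermeasure: recompute the ciphertext from the result with the public
    key and release nothing if they disagree. A faulty CRT output must never
    leave the device, because it is what the fault attack needs to see."""
    m = rsa_dec_crt_mono(c, components, fault_m1)
    if pow(m, e, n) != c % n:
        return None             # fault detected
    return m


if __name__ == "__main__":
    c = pow(42, E, N)                                   # encrypt a constructed message
    print("correct decryption:", rsa_dec_checked(c, COMPONENTS, E, N))
    print("with faulted m1   :", rsa_dec_checked(c, COMPONENTS, E, N, fault_m1=0))
```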