As of August 2020 the site you are on ( is deprecated, and content is now at



Tutorial A5 Breaking AES-256 Bootloader

25 bytes added, 20:28, 10 October 2018
Continuing the Attack
The next step is to program our own leakage model. The following Python code implements the Hamming weight model of the 13th round S-box:
<syntaxhighlight lang="python">
# Imports for AES256 Attack
from chipwhisperer.analyzer.attacks.models.AES128_8bit import AESLeakageHelper
result = block
return self.inv_sbox((result[bnum] ^ guess[bnum]))
</syntaxhighlight>
You can look back at the C code of the AES-256 decryption to see how this mirrors the decryption code. Note that because of the Inverse MixColumns operation, we need the entire input ciphertext; otherwise, we would only need to operate on one byte of the ciphertext.
Finally, we need to convert this hypothetical key into the actual value of the 13th round key. We can do this by passing the key through ShiftRows and MixColumns to remove the effect of these two functions. This is easy to do in the Python console (assuming we had the recovered key <code>C6 BD 4E 50 AB CA 75 77 79 87 96 CA 1C 7F C5 82</code>; if you recovered a different key, replace the <code>knownkey</code> value with yours):
<pre>
>>> from chipwhisperer.analyzer.attacks.models.aes.funcs import shiftrows,mixcolumns
>>> knownkey = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77, 0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]
</pre>
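The conversion described above, written out as a self-contained added example (not ChipWhisperer's code and not part of the original tutorial). It also shows why the attack recovers a transformed key: InvMixColumns and InvShiftRows are linear over XOR, so the round key can be moved past them. The function names and <code>sample_state</code> are assumptions made for this illustration; <code>knownkey</code> is the value from the text.

```python
# Added example, not ChipWhisperer code. State is 16 bytes, index = row + 4*col.
def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def _mix(state, m):
    """Multiply each 4-byte column by the circulant matrix whose first row is m."""
    return [
        gmul(m[(0 - r) % 4], state[c]) ^ gmul(m[(1 - r) % 4], state[c + 1])
        ^ gmul(m[(2 - r) % 4], state[c + 2]) ^ gmul(m[(3 - r) % 4], state[c + 3])
        for c in range(0, 16, 4) for r in range(4)
    ]

def mixcolumns(s):
    return _mix(s, [2, 3, 1, 1])

def inv_mixcolumns(s):
    return _mix(s, [14, 11, 13, 9])

def shiftrows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def inv_shiftrows(s):
    return [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]

def device_side(x, k_real):
    """Decryption order: add the real round key, then InvMixColumns, InvShiftRows."""
    return inv_shiftrows(inv_mixcolumns([a ^ b for a, b in zip(x, k_real)]))

def model_side(x, k_hyp):
    """Leakage-model order: transform the data alone, then XOR the key guess."""
    return [a ^ b for a, b in zip(inv_shiftrows(inv_mixcolumns(x)), k_hyp)]

def real_round_key(k_hyp):
    """Undo the transformation: pass the recovered key through SR, then MC."""
    return mixcolumns(shiftrows(k_hyp))

knownkey = [0xC6, 0xBD, 0x4E, 0x50, 0xAB, 0xCA, 0x75, 0x77,
            0x79, 0x87, 0x96, 0xCA, 0x1C, 0x7F, 0xC5, 0x82]  # from the text
sample_state = [(17 * i + 3) & 0xFF for i in range(16)]  # constructed test data

if __name__ == "__main__":
    k13 = real_round_key(knownkey)
    print(" ".join("%02X" % b for b in k13))
    print(device_side(sample_state, k13) == model_side(sample_state, knownkey))
```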