As of August 2020 the site you are on (wiki.newae.com) is deprecated, and content is now at rtfm.newae.com.

# Changes

## Tutorial B11 Breaking RSA

13:26, 29 July 2019
no edit summary
Previous revision (ChipWhisperer 4):

{{Warningbox|This tutorial has been updated for ChipWhisperer 4.0.0 release. If you are using 3.x.x see the "V3" link in the sidebar.}}
{{Warningbox|This tutorial does not work with non-XMEGA targets due to differences in how RSA is done on other platforms. A tutorial utilizing a fault-based attack is available.}}
{{Infobox tutorial
|capture hardware =
|Target Device =
|Target Architecture = XMEGA
|Hardware Crypto = No
|Purchase Hardware =
}}
<!-- To edit this, edit Template:Tutorial_boilerplate -->
{{Tutorial boilerplate}}

== RSA Attack Theory ==
We won't go into what RSA is; see the [[wikipedia:RSA_(cryptosystem)|RSA Wikipedia]] article for a quick background. What we really care about is the following piece of pseudocode from that article used in decrypting a message:
<syntaxhighlight lang="javascript">
/**
 * Decrypt
 *
 * @param {c} int / bigInt: the 'message' to be decoded (encoded with RSA.encrypt())
 * @param {d} int / bigInt: d value returned from RSA.generate() aka private key
 * @param {n} int / bigInt: n value returned from RSA.generate() aka public key (part I)
 * @returns {bigInt} decrypted message
 */
RSA.decrypt = function(c, d, n){
    return bigInt(c).modPow(d, n);
};
</syntaxhighlight>
The most critical piece of information is the value ''d''. It contains the private key, which if leaked would mean a compromise of the entire system. So let's assume we can monitor a target device while it decrypts any message (we don't even care what the message is). Our objective is to recover ''d''.

Let's consider our actual target code, which will be the RSA implementation in avr-crypto-lib. This has been copied over to be part of the ChipWhisperer repository, and you can see the implementation [https://github.com/newaetech/chipwhisperer/blob/master/hardware/victims/firmware/crypto/avrcryptolib/rsa/rsa_basic.c#L163 in rsa_basic.c of rsa_dec()]. The function in question looks like this:
<syntaxhighlight lang="c">
uint8_t rsa_dec(bigint_t* data, const rsa_privatekey_t* key){
    if(key->n == 1){
        bigint_expmod_u(data, data, &(key->components[0]), &key->modulus);
        return 0;
    }
    if(key->n == 5){
        if (rsa_dec_crt_mono(data, key)){
            return 3;
        }
        return 0;
    }
    if(key->n<8 || (key->n-5)%3 != 0){
        return 1;
    }
    //rsa_dec_crt_multi(data, key, (key->n-5)/3);
    return 2;
}
</syntaxhighlight>
We'll consider the case where ''key->n == 5'', so we have ''rsa_dec_crt_mono'' to attack. You can see that function [https://github.com/newaetech/chipwhisperer/blob/master/hardware/victims/firmware/crypto/avrcryptolib/rsa/rsa_basic.c#L53 at Line 53 of that same file]. I've removed all the debug code in the following so you can better see the program flow:
<syntaxhighlight lang="c">
uint8_t rsa_dec_crt_mono(bigint_t* data, const rsa_privatekey_t* key){
    bigint_t m1, m2;
    m1.wordv = malloc((key->components[0].length_B /* + 1 */) * sizeof(bigint_word_t));
    m2.wordv = malloc((key->components[1].length_B /* + 1 */) * sizeof(bigint_word_t));
    if(!m1.wordv || !m2.wordv){
        /* Out of memory error */
        free(m1.wordv);
        free(m2.wordv);
        return 1;
    }
    bigint_expmod_u(&m1, data, &(key->components[2]), &(key->components[0]));
    bigint_expmod_u(&m2, data, &(key->components[3]), &(key->components[1]));
    bigint_sub_s(&m1, &m1, &m2);
    while(BIGINT_NEG_MASK & m1.info){
        bigint_add_s(&m1, &m1, &(key->components[0]));
    }
    bigint_reduce(&m1, &(key->components[0]));
    bigint_mul_u(data, &m1, &(key->components[4]));
    bigint_reduce(data, &(key->components[0]));
    bigint_mul_u(data, data, &(key->components[1]));
    bigint_add_u(data, data, &m2);
    free(m2.wordv);
    free(m1.wordv);
    return 0;
}
</syntaxhighlight>

Current revision (ChipWhisperer 5):

{{Warningbox|This tutorial has been updated for ChipWhisperer 5 release. If you are using 4.x.x or 3.x.x see the "V4" or "V3" link in the sidebar.}}
{{Warningbox|This tutorial works differently than with V4, now utilizing a fault-based attack with ChipWhisperer 5 instead of a power analysis attack.}}
{{Infobox tutorial
|capture hardware =
|Target Device =
|Target Architecture = Arm
|Hardware Crypto = No
|Purchase Hardware =
}}
<!-- To edit this, edit Template:Tutorial_boilerplate -->
{{Tutorial boilerplate}}
* Jupyter file: '''Fault_5-RSA_Fault_Attack.ipynb'''

== XMEGA Target ==
This tutorial is not available for XMEGA targets.

== ChipWhisperer-Lite ARM / STM32F3 Target ==
See the following for using:
* ChipWhisperer-Lite 32-bit (STM32F3 Target)
* ChipWhisperer-Lite Capture + STM32F3 Target on UFO Board (including NAE-SCAPACK-L1/L2 users)
* ChipWhisperer-Pro + STM32F3 Target on UFO Board

https://chipwhisperer.readthedocs.io/en/latest/tutorials/fault_5-openadc-cwlitearm.html#tutorial-fault-5-openadc-cwlitearm

== ChipWhisperer Nano Target ==
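The CRT recombination that rsa_dec_crt_mono() performs, written out in Python as an added example (this is not code from the ChipWhisperer repository or avr-crypto-lib). The mapping of key->components[0..4] to (p, q, dP, dQ, qInv) is inferred from how the C code uses each component, the key values are constructed toy values, and the re-encryption check at the end is a standard countermeasure that the C function above does not perform.

```python
# Added example, not code from the ChipWhisperer repository or avr-crypto-lib.
# The mapping of key->components[0..4] to (p, q, dP, dQ, qInv) is an
# assumption inferred from how the C code uses each component.

def crt_recombine(m1, m2, p, q, qinv):
    """Garner recombination, step for step as in the tail of the C function."""
    h = m1 - m2                  # bigint_sub_s(&m1, &m1, &m2)
    while h < 0:                 # while(BIGINT_NEG_MASK & m1.info) add p
        h += p
    h %= p                       # bigint_reduce(&m1, &components[0])
    h = (h * qinv) % p           # bigint_mul_u by components[4], reduce by p
    return h * q + m2            # bigint_mul_u by components[1], add m2


def rsa_dec_crt_mono(c, components):
    """Decrypt ciphertext c with a 5-component CRT private key."""
    p, q, dp, dq, qinv = components
    m1 = pow(c, dp, p)           # bigint_expmod_u(&m1, data, comp[2], comp[0])
    m2 = pow(c, dq, q)           # bigint_expmod_u(&m2, data, comp[3], comp[1])
    return crt_recombine(m1, m2, p, q, qinv)


def result_is_consistent(m, c, e, n):
    """Re-encrypt under the public key (e, n) and compare with the ciphertext.
    The C code above has no such check; an implementation that applies it
    refuses to release a result whose two half-computations disagree."""
    return pow(m, e, n) == c


# Constructed toy key: the textbook p=61, q=53 example with e=17, d=2753.
P, Q, E, D = 61, 53, 17, 2753
N = P * Q
TOY_COMPONENTS = (P, Q, D % (P - 1), D % (Q - 1), pow(Q, -1, P))

if __name__ == "__main__":
    c = pow(65, E, N)                            # ciphertext of m = 65
    m = rsa_dec_crt_mono(c, TOY_COMPONENTS)
    print(m, result_is_consistent(m, c, E, N))   # 65 True
```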