Discussions of performing power analysis, techniques, implementations, etc. Does not need to use ChipWhisperer.
#368 by chocolate
Tue Aug 04, 2015 1:58 pm
I can't find a lot of resources on actually using a magnetic probe for power analysis. I've tried testing this probing method by touching a loop probe connected to the LNA to various points on the multi-target victim board while the simpleserial crypto (AES) program is running. So far I haven't found any interesting signals (nothing matching the waveform I get directly from Vout), just sine waves. Should I be expecting a similar waveform, or will the signal need some processing when I use this method?
#371 by coflynn
Thu Aug 06, 2015 4:39 pm
Hello,

There should be a similar waveform - but the signal from the AVR is fairly weak, so I normally don't see as much. Can you post screen-shots of the waveforms you get?

Will be a little slower than usual due to travel for Defcon/Blackhat... also don't have any H-probes with me to validate things!
#372 by chocolate
Thu Aug 06, 2015 5:23 pm
Screenshots attached with descriptions. Let me know if you need anything else. Thanks!
Attachments
aes-probe-clkgen.PNG: Waveform with H-field probe, after changing the ADC clock source to CLKGEN x4 via DCM
aes-probe.PNG: Waveform with H-field probe on the ATMega328P, still default script settings (EXTCLK x4)
aes-avr.png: Waveform from Vout with settings from script ChipWhisperer-Rev2: SimpleSerial Target
#373 by chocolate
Thu Aug 06, 2015 5:26 pm
For completeness, attached is the "signal" (or lack of one) that I get when the probe is not near the hardware.
Attachments
noise.PNG: When probe is away from the hardware
#376 by coflynn
Sat Aug 08, 2015 12:19 pm
Some tests/notes:

1) How is it mounted to the board? Where is the probe top located?
2) Try playing with the "phase shift" option too, sometimes this is required with the probe.

I won't be able to do any tests until next week when I'm back in the lab!

-Colin
#382 by chocolate
Mon Aug 10, 2015 12:41 pm
To find the best signal, I'm really just manually "resting" the loop on the middle of the AVR (photo attached). Would this method pick up too much noise to be useful?
Attachments
20150810_094617.jpg
#387 by aldaya
Thu Aug 13, 2015 4:50 am
@chocolate, what is the unit of the vertical axis in the captures that you posted?
#388 by chocolate
Thu Aug 13, 2015 11:02 am
That's a good question, considering it's only labelled "Data". I don't have an answer to that, which may point to the source of my confusion about how this works. I'm using all out-of-the-box ChipWhisperer hardware and software, and so that's why I wondered whether I needed to do anything extra with the signal (e.g., integrating).
#396 by coflynn
Tue Aug 18, 2015 5:54 pm
Had a chance to replicate all this finally, think we can get this working. My setup for reference first, was the H-Probe in a similar position:
hprobe_c.jpg

Note I've just got something to hold it down on the chip, that's the big black cylinder. You could tape it down or anything else stable. I also moved the jumper to "short out" the 50-ohm resistor (see jumpers in above image).

I ran the default capture script, then made the following adjustments:

  • Phase Adjust = 200
  • Gain Setting :Mode = high
  • Gain Setting :Setting = 65

The waveform looks like this:
hprobe_b.png

Note the "phase adjust" is fairly critical - you might need to play around with it, as you want to get rid of that "envelope" which will change on each capture. Keep pressing "capture 1" to reduce this (might not eliminate completely - no worries).

Also perform more captures to start - say set to 500 traces, then do the attack. Just give it a try - a lot of the noise will go away on the attack.

> That's a good question, considering it's only labelled "Data".

Yeah, it's a little ambiguous ;-) It's been left that way for a long time as there isn't precise calibration on the input gain, and users can add all sorts of additional probes. So rather than have some sort of incorrect units I just left them off... which was the very lazy solution.

Let me know how it goes!
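
Why capturing around 500 traces helps with a weak H-probe signal, as an added example that is not part of the original thread and not ChipWhisperer code: it simulates one sample point and counts how often a correct leakage model stands out from noise at 50 versus 500 traces. The Hamming-weight leakage model, the noise level of 5 and the 4/sqrt(N) threshold are assumptions chosen for illustration.

```python
import math
import random

def hamming_weight(value):
    """Number of set bits: a common power model for a byte being processed."""
    return bin(value).count("1")

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    sxx = sum((x - mean_x) ** 2 for x in xs)
    syy = sum((y - mean_y) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)

def detection_rates(n_traces, noise_sigma=5.0, trials=200, seed=1):
    """Return (hit_rate, false_alarm_rate) over repeated simulated captures.

    hit_rate: fraction of trials where the model built from the bytes that
    were really processed correlates above the 4/sqrt(N) threshold.
    false_alarm_rate: the same fraction for a model built from unrelated bytes.
    """
    rng = random.Random(seed)
    threshold = 4.0 / math.sqrt(n_traces)  # assumed rule-of-thumb bound
    hits = false_alarms = 0
    for _ in range(trials):
        processed = [rng.randrange(256) for _ in range(n_traces)]
        unrelated = [rng.randrange(256) for _ in range(n_traces)]
        # Constructed sample point: Hamming-weight leakage buried in noise.
        samples = [hamming_weight(b) + rng.gauss(0.0, noise_sigma)
                   for b in processed]
        if abs(pearson([hamming_weight(b) for b in processed], samples)) > threshold:
            hits += 1
        if abs(pearson([hamming_weight(b) for b in unrelated], samples)) > threshold:
            false_alarms += 1
    return hits / trials, false_alarms / trials

if __name__ == "__main__":
    for n in (50, 500):
        hit, false_alarm = detection_rates(n)
        print(f"{n:4d} traces: leak detected {hit:.0%}, false alarms {false_alarm:.0%}")
```

The same trace-count sweep is useful when evaluating a countermeasure: if the hit rate stays near the false-alarm rate as the trace count grows, the leakage at that sample point is below what the measurement setup can resolve.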
#404 by chocolate
Wed Aug 19, 2015 12:14 pm
Thanks for the pointers (and convincing me that it's possible)! Using your parameters, I found a good location on the chip, taped down the probe, and got the attached waveform. I'm happy to say that I extracted the entire key! Next step for me: getting the same success with a "real" chip. Thank you again!
Attachments
aes-hprobe-good.png