There’s actually a lot of situational decision making and reverse engineering work that goes into doing a real SCA attack. So long as you don’t care too much about being too invasive, here’s some basic setup that should work:
Hardware (assuming invasive shunt resistor measurement):
- Shunt resistor between the power supply and the Vcc pins of the chip. Ideally, you want to target only the power pin that supplies the operations you’re interested in (core voltage, crypto module supply)
- No decoupling capacitors on the low side of the shunt resistor
- A connection between the ChipWhisperer’s measurement port and the low side of the shunt resistor
- A trigger for the ChipWhisperer’s ADC. This one’s pretty specific to what the device is doing.
- A shared clock between the ChipWhisperer and the device. This one’s optional, but highly recommended as it vastly improves data collection
- Any other required electrical connections between the two devices (ground, communication lines, etc.).
- The device has to be manipulating the secret data
- You need to either know or actively be able to manipulate input or output data from the cryptographic core. What data you need to know/manipulate depends on the mode the crypto algorithm is being used in, as well as potentially where the crypto leaks information. Hardware AES often leaks pretty good data from the hamming distance between the input and the output of the last round, for example.
We’ve just released an online training course that would cover a lot of what you’re asking, available at https://learn.chipwhisperer.io/courses/power-analysis-101. It’s got some pretty comprehensive information and some examples of mounting side channel attacks against real devices, including what sort of reverse engineering and data collection work you need to do.
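As an added example (not code from the post above or from the ChipWhisperer project), here is the last-round Hamming-distance leakage model the post mentions, evaluated with a known round-10 key byte so a designer can check whether their own AES core's traces follow the predicted register transition. It assumes the state register is overwritten in place and ignores ShiftRows; the real byte mapping is implementation specific.

```python
# Leakage-assessment model for hardware AES (constructed example, known key).
from typing import Dict, List, Sequence

def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _build_sbox() -> List[int]:
    """Derive the AES S-box: multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = 1
            for _ in range(254):          # x^254 == x^-1 in GF(2^8)
                inv = _gf_mul(inv, x)
        s = inv
        for i in range(1, 5):             # s ^= rotl(inv, 1..4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def hamming_weight(x: int) -> int:
    return bin(x).count("1")

def last_round_hd(ct_byte: int, k10_byte: int) -> int:
    """HD between a state-register byte entering round 10 and the ciphertext byte
    that overwrites it (assumption: in-place register update, ShiftRows ignored)."""
    before = INV_SBOX[ct_byte ^ k10_byte]
    return hamming_weight(before ^ ct_byte)

def mean_sample_by_hd(ct_bytes: Sequence[int], samples: Sequence[float], k10_byte: int) -> Dict[int, float]:
    """Group one trace sample per encryption by predicted HD; a leaking core shows a trend across classes."""
    groups: Dict[int, List[float]] = {}
    for ct, s in zip(ct_bytes, samples):
        groups.setdefault(last_round_hd(ct, k10_byte), []).append(s)
    return {hd: sum(v) / len(v) for hd, v in groups.items()}
```

Feed it one ADC sample (at the clock edge that latches the final round) per captured encryption together with the ciphertext byte; if the per-class means do not vary with HD, that register is not leaking at that sample point.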