Default key aes 128 ctr mode

Hello,
I changed the hardware/victims/firmware/simpleserial-aes-modes/simpleserial-aes.c BLOCK_MODE to CTR. Programed the target, collected traces, and saved the project.
What I don’t understand is when I print proj.keys I don’t get the default key
[2b 7e 15 16 28 ae d2 a6 ab f7 15 88 09 cf 4f 3c]
I get this key
[D0 14 F9 A8 C9 EE 25 89 E1 3F 0C C8 B6 63 0C A6]

I can’t seem to find where this key is hidden in the project variable. Any help?

Yep, because attacking CTR is a bit different than attacking ECB. In our tutorials, the attacks use a leakage model which require knowledge of the input plaintext that gets encrypted. In ECB mode, this is simply the input that you provide. In CTR mode, what gets encrypted is the provided plaintext XOR’d with a counter. Once you account for this you should recover the the correct key.
Jean-Pierre

I might have misunderstood something.


From the implementation in the GitHub and the diagram of ctr mode in Wikipedia I thought what was being encrypted was only the counter, which as I understood was simply a 1-byte counter.

Also, I don’t understand what is being colored red on the table of my original post.

Oops, my mistake! Sorry for the confusion.

The counter is typically much wider than 1 byte, since a one-byte counter would only allow 255 16-byte words to be encrypted before the counter repeats itself (which would be very bad). The counter width is typically defined by the protocol. But otherwise you have the right idea.

I hadn’t looked at your screenshot before – it looks like you’re doing everything exactly right there. The red-colored bytes are the correct key bytes. Your attack succeeded. The reason they are [D0, 14…] instead of [2B, 7E,…] is because you’re attacking the round 10 key (AES key schedule - Wikipedia).

See for yourself:

import chipwhisperer as cw
import chipwhisperer.analyzer as cwa

inputkey = [0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c]
outputkey = [0xD0, 0x14, 0xF9, 0xA8, 0xC9, 0xEE, 0x25, 0x89, 0xE1, 0x3F, 0x0C, 0xC8, 0xB6, 0x63, 0x0C, 0xA6]

assert cwa.attacks.models.aes.key_schedule.key_schedule_rounds(inputkey, 0, 10) == outputkey