General questions side channel attack

Hi all,

I am not yet very familiar with the topic of side channel attacks. So I have some general questions about it. I hope that you can help me.

If I have a known ciphertext and a known plaintext (fixed input and output), can I use the unknown key as a variable? That means I change after each calculation only the key byte and go through each key byte (subkey) from 00 to FF and measure the power consumption after every key byte change.

Is that possible? If I want to realize this with 3DES and AES (128 bit/16Byte Key), is the CHipWispherer Nano sufficient?

Thanks!

best regards
Gerd

Yes, that’s not quite how it works, but you’re not too far off!
Browse the documentation for our tutorials to get a better understanding of what you can do with the ChipWhisperer software and hardware:
https://chipwhisperer.readthedocs.io/en/latest/tutorials.html

You won’t be able to run the tutorials without the hardware, but reading through them should give you a more concrete idea of what’s possible. At the top of each tutorial you’ll see which HW platforms are supported for that tutorial – many can be run on the Nano.

Have fun on your journey into side channels – hope you stay!

Jean-Pierre

Hi Jean-Pierre,

thanks for the quick response. i ordered the nano yesterday. I will then work through the tutorial.

If I have understood it correctly, the Nano consists of two parts. One is the capture board and the other the target board (can be cancelled).

I can program an encryption calculation (like 3DES or AES) on the target board.

I have found this in the tutorial:

"Capturing Traces-
Below you can see the capture loop. The main body of the loop loads some new plaintext, arms the scope, sends the key and plaintext, then finally records and appends our new trace to the traces[] list.

My question is: Does it also work if you set the plaintext to fixed and the key to random. So that you have a loop where every subkey from 00 to FF is tried.

Best regards
Gerd

Yes, but you have to change/implement desired behavior yourself.

You can choose to send whatever plaintext and key you wish to the target, if that’s what you’re asking; in fact it’s very easy to do.

If you’re asking whether it’s possible to break AES or DES in this way, the answer is not so clear. The specific attack in our tutorial won’t work if you do that. It’s possible that some other attack works that way, but I don’t remember coming across such an attack. Normally the encryption key is unknown and cannot be controlled by the attacker in the manner that you are describing.

ChipWhisperer is a platform which allows you to conduct side-channel attacks. We provide worked examples of some attacks in our tutorials. ChipWhisperer can absolutely be used to carry out other attacks, even ones that haven’t been invented yet. If you develop a new attack that you can demonstrate with ChipWhisperer, we’d love to hear about it!

But going back to your initial statement:

I recommend you “learn to walk” before you “try to run”, which is why I originally pointed you in the direction of our tutorials, which are meant for exactly that :slight_smile: .

Good luck!
Jean-Pierre

Hi 31415, hi Jean-Pierre,

my idea was this: If I know the plaintext, the ciphertext and the algorithm (e.g. 3DES or AES), I can implement this on the target board (nano) and instead of a random plaintext I send a random key.
The question is, if someone has already done this (i.e. the key as random for known plaintext,ciphertext and algorithm).

I am absolutely no crypto expert. What I want to know is whether the theory regarding Hamming weight and dpa/cpa fits there. Or if I always need the (unknown) key as a whole.

But you are right. I’ll wait for the Chipwishper Nano and get used to the tutorials. I am already curious :slight_smile:

Thanks for your help! I’m sure there will be more questions in the near future :slight_smile:

Best Regards
Gerd

You can do it, but you will wait for results all your life and the universe.

Let’s do the math :slight_smile:
AES has an 128bit key length, so 2^128 possible keys.
Attached CPU can do ~50 encryptions/s.

How much time do you need to crack it? :smiley:

i did not mean a brutforce attack. I just mean for each key byte to try out from 00-FF and make a cpa.

00 00 00…
01 00 00…

FF 00 00 00…
00 01 00

00 FF 00…
00 00 01…

00 00 FF…

…00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF

Just let every keybyte run through once from 00 to FF.

What if the key is 0x00112233445566778899AABBCCDDEEFF?

That’s exactly my question. Assuming the key is:
0x00112233445566778899AABBCCDDEEFF

For example, my random key will somewhen reach this one:
0x000000000000000000000000AA0000000000

My question is: Can I then use a CPA for byte position 10 (AA) to draw any conclusions about the value of this byte position?

Many side-channel attacks on AES center on the sbox. The sbox takes a byte of the plaintext, a byte of the key, and produces a byte of the ciphertext (that’s not 100% accurate but it essentially boils down to this). In general, the attack requires you to know one of these three things. Normally, the key is what is unknown, and so you need knowledge of either the plaintext or ciphertext. You then need to observe many different plaintexts being encrypted with the same static and unknown key.

I think what you are trying to describe is actually quite close to how the CPA attack works.

I think ultimately the best way to get a deeper understanding of the attacks is to run them yourself, which is one of the main objectives of the CW platform. You can read the attack code but I think it’s easier to really grok it if you can actually run it.

In the meantime you may also find this useful:
https://wiki.newae.com/Correlation_Power_Analysis

Thank you both. I am now waiting for my chipwishperer nano. Then I’ll try to familiarize myself with the tutorials.

The key is also unknown to me. But I find it very difficult to connect to an undocumented SOC (BGA) with the Chipwishperer.
Therefore I thought it might be possible to test the key bytes with known plaintext, ciphertext and algorithm.
Like in the example above. So no brutforce, but really every key byte only from 00 to FF.