I am trying to use the NAE-HPROBE-15 in order to capture EM traces on the ChipWhispererPro. I have run a few tests with the XMEGA target, but so far it seems the traces I get are not correct. What I have done is that I have disconnected the probe cable from the J17 connector on the CW308, and connected it to the NAE-HPROBE-15.
If I run a capture while holding the probe nowhere near the target, I typically get noise comprising 4 different values in the traces, as shown below:
Thanks, that helped a little. By setting the gain to the maximum value, I can distinguish some of the patterns in the AES. For example, the best I could get for the AddRoundKey is the following trace:
(Although I doubt the signal is sufficient for performing any differential attack…?)
I will try later with the stm32f1 or f3 to see if it gives better results.
It resembles noise rather than AES round patterns.
From my experience, I never recovered the AES key by capturing the EM traces.
It is much better to capture the power traces. At least you will be able to get reliable information to break AES.
It does not resemble noise, I can clearly see the patterns of the inner and outer iterations of the ARK, and they are aligned with the power traces.
I did a small test and ran a CPA on 1000 traces (on all the samples of the SBox for all key bytes), and all 16 key bytes were correctly found. I guess that it is sufficient to prove the efficiency of the traces…
Of course, this proves that the attack works, but the traces you shared are shrunk and there are no visible AES patterns. At least, I don’t see them.
You are lucky. As I said, I tried many times on many targets but didn’t recover any key.
At the same time classic “on-wire” SCA attacks work fine.