Problems getting Lab 1_1B to work

Hi,

I’m using CW 5.3 on Windows 10, and am going through the different glitching tutorials, but I’m having problems getting results for the “Lab 1_1B - AES Loop Skip Fault Attack in Practice” tutorial on the STM32F3 UFO board. I simply don’t get any key_guess results; it’s usually just an empty array (sometimes when it’s not empty, it’s less than 16 bytes, sometimes just 1 byte).

All the tutorials leading up to that work fine, and from the “Fault 1_2 - Clock Glitching to Bypass Password” tutorial I have this collection of workable width/offset pairs:

image

For the AES loop skip attack I therefore use these parameters:

glitch_loc = range(180, 260)
scope.glitch.clk_src = "clkgen"
scope.glitch.output = "clock_xor"
scope.glitch.trigger_src = "ext_single"
scope.glitch.repeat = 1
scope.io.hs2 = "glitch"
scope.glitch.width = 3.5
scope.glitch.offset = -12.5

I do get glitches, but the key_guess remains empty. What I do is, given the range of (180, 260), if I get a glitch at, say, 182, but an empty key_guess, I change glitch_loc to (183, 260), and so forth. I also change the width and offset slightly, but nothing better comes out of it.

Any ideas of what I could do to get good results in this tutorial?

A few things:

  1. Have you modified the round variable in Cipher()?
  2. Are you able to see the AES loop ending early in a power trace?

Alex

Hi,

  1. Yes I have. This is a snippet of the modified code:

image

  2. As for this question, I’m not sure, because I’m not very familiar with what the power trace ought to look like. In any case, it looks like this:

image

You’re not actually breaking out of the loop there. That repeated pattern in the power trace is the rounds of AES. The correct power trace should basically look like a single one of those rounds (though you’ll be missing the MixColumns operation, so it’ll be a bit shorter). You’ll know it when you see it, as it will look very different to the rest of the power traces.

Ok, thanks. I’ll work more on it, and get back if I’m still stuck.

These earlier sca201 labs are actually quite a bit tougher than the last one, I think, so you may want to skip these and come back if you really get stuck.

You mean fault201, right? I’m just quite eager to get my hands on, and understand, the “Lab 1_3B - DFA Attack on AES” tutorial, but I’m taking it in steps according to the tutorial numbers.

Since I’m new to these glitch attacks, I hope you don’t mind me asking some mundane questions. With some slightly different parameters (scope.glitch.width = 3.58) and a glitch at 110, I get this plot. I am just curious as to how to interpret it compared to my previously posted plot:

image

I believe that’s the target crashing. Do you get any output back from the target in that case? If you’ve got it, you should still have this section, without the square-ish section:

image

Silly question, but what kind of output back do you refer to? If I zoom in to your scale, I get this plot:

image

Oh, the output is the ciphertext returned from the target. No need to zoom in here, just the part I highlighted should still be in the final trace. For the one where I think the target crashed, you only see the very beginning (which would be the AddRoundKey operation). You should see AddRoundKey, SubBytes, ShiftRows (very short, not really visible) and AddRoundKey again.
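The two replies above describe three trace shapes: the full sequence of repeated AES rounds (glitch missed), a single short round (loop skipped), and only the opening AddRoundKey stub (target crashed). The following is an added example, not code from this thread or from the ChipWhisperer project, that turns that visual rule into a check you can run over captured traces: it slides a "one round" template over a trace with normalized cross-correlation, counts the non-overlapping matches, and labels the trace accordingly. The round template and the traces are constructed synthetic data; the function names (`round_template`, `make_trace`, `count_rounds`, `classify_trace`) and the 0.8 correlation threshold are my assumptions, not lab parameters.

```python
"""Classify power traces by how many AES-round patterns they contain.

Added example for the AES loop-skip lab discussion (not from the thread
or from ChipWhisperer). All signals here are constructed, not captured.
"""
import math
import random


def round_template(n=40, seed=1):
    # Constructed stand-in for one AES round's power signature: a fixed
    # pseudo-random burst. In practice you would cut this from a clean trace.
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]


def make_trace(rounds, template, idle=10, noise=0.05, seed=2, stub=None):
    # Constructed trace: `rounds` copies of the template separated by idle
    # samples, plus Gaussian noise. `stub` emulates a crash: only the first
    # `stub` samples of the round run, then the target goes quiet.
    rng = random.Random(seed)
    if stub is not None:
        body = template[:stub] + [0.0] * (len(template) - stub + idle)
    else:
        body = []
        for _ in range(rounds):
            body += template + [0.0] * idle
    return [v + rng.gauss(0.0, noise) for v in body]


def normalized_xcorr(trace, template):
    """Pearson correlation between the template and every trace window."""
    n = len(template)
    tm = sum(template) / n
    tz = [t - tm for t in template]
    tnorm = math.sqrt(sum(z * z for z in tz))
    out = []
    for i in range(len(trace) - n + 1):
        win = trace[i:i + n]
        wm = sum(win) / n
        wz = [w - wm for w in win]
        wnorm = math.sqrt(sum(z * z for z in wz))
        if wnorm == 0.0 or tnorm == 0.0:
            out.append(0.0)
        else:
            out.append(sum(a * b for a, b in zip(wz, tz)) / (wnorm * tnorm))
    return out


def count_rounds(trace, template, threshold=0.8):
    """Count non-overlapping windows that match the round template.

    After a hit, skip one template length so a single round is not
    counted twice on neighbouring offsets.
    """
    r = normalized_xcorr(trace, template)
    count, i, n = 0, 0, len(template)
    while i < len(r):
        if r[i] >= threshold:
            count += 1
            i += n
        else:
            i += 1
    return count


def classify_trace(trace, template, expected_rounds=10):
    """Map the round count onto the three cases discussed in the thread."""
    rounds = count_rounds(trace, template)
    if rounds >= expected_rounds - 1:
        return "glitch missed"      # the usual repeated-round pattern
    if rounds == 1:
        return "loop skipped"       # one round, then the ciphertext returns
    if rounds == 0:
        return "target crashed"     # only the AddRoundKey stub is visible
    return "partial"                # some rounds ran; glitch hit mid-loop


if __name__ == "__main__":
    tpl = round_template()
    for name, tr in [("full", make_trace(10, tpl)),
                     ("skip", make_trace(1, tpl)),
                     ("crash", make_trace(0, tpl, stub=8))]:
        print(name, classify_trace(tr, tpl))
```

The expected-round count of 10 matches AES-128 (nine full rounds plus the final one). The "loop skipped" label only tells you the trace shape is right; the lab's actual success criterion is still the key_guess recovered from the returned ciphertext, so use the classifier to sort captures, not as a substitute for that check.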