Time duration calculation and Key to detect

liam · July 3, 2020, 7:19pm

Hi,
I have a few queries if anybody can help me understand:

On the manual CPA attack tutorial, I want to check the time stamp at the beginning of power trace collection and at the end of the power trace collection. From that, I want to calculate the duration of power trace collection. How can I do that? What I am doing so far is, I use time0= time.time() at the beginning of trace capture code and use time1= time.time() at the end of the trace capture code and then take the difference of the two time1-time0, does it calculate the time duration of trace capture correctly? If not what is the correct way to do that?
The manual CPA attack used a fixed key. Now if the key changes at every round (If I understand it AES algorithm correctly) like the actual AES 128 algorithm, what will be the ULTIMATE key to detect as the key is changing at every stage of encryption?

FYI, boards I am using: Capture ChipWhisperer Lite and target is XMEGA CW308 UFO

Thanks a lot for your time!

jpthibault · July 4, 2020, 2:33am

Hi Liam,

Depends what you want to measure exactly. With the CW-Lite, power traces are sampled and stored internally in the CW-lite FPGA, and after this they are transferred to your computer. Do you want to measure the time for all of this? Or just one of the parts of this?
In AES, the key provided gets “expanded” into 10 distinct round keys (or 12 for AES-192, or 14 for AES-256). AES attacks in general, including the ones in our tutorials, will target one of the round keys (typically the first or the last). Now if you work out the AES key expansion, you’ll see that you can get from any of the round keys to the original “master” key. In other words, if you know a round key, you can compute the master key. So, back to our CPA tutorial: it (and all our other AES tutorials) uses a “real” AES implementation, no shortcuts or tricks involved.

Hope this helps,
Jean-Pierre

liam · July 4, 2020, 4:57pm

Hello Jean-Pierre,
Thank you for the details.

I need to know the times individually. But, ultimately all of the parts actually.
In the “PA_CPA_2-Manual_CPA_Attack” tutorial, you mean key is expanded into 10 round keys. Then

Which round key actually we guessed in this tutorial? Last or first one and how do I know that?
Can you help me understand (or may be share any document) how to get to the “master key” from
recovering one of the round keys?
known_keys = np.asarray([trace.key for trace in traces]) # for fixed key, these keys are all the same [this line of code is from the tutorial , capture trace section]—> I am confused what it means by fixed key?

Thanks a lot again.

jpthibault · July 5, 2020, 2:20am

Hi Liam,

1- Trace collection is done in hardware, on the CW-lite FPGA, so the time to do this is approximately the time for the collected traces to be observed, i.e. # of samples times sampling period (plus maybe a few clock cycles). You can then infer the trace transfer time by subtracting that trace collection time from the time measured to do:

trace = cw.capture_trace(scope, target, text, key)

This of course will also capture the time to go through all the layers from the Python code down to the USB driver. You’ll find the trace transfer time is typically significantly greater than the collection time.

2- The CPA tutorial targets the first round key (which is actually equal to the input key). This is not stated explicitly; it’s implied by the fact that the recovered key is the input key. In contrast, the CW305 FPGA tutorial for example, we need to do the following extra step to get from the recovered round key to the input key:

recv_key = key_schedule_rounds(recv_lastroundkey, 10, 0)

There are lots of resources for understanding the AES key expansion schedule:

wikipedia: https://en.wikipedia.org/wiki/AES_key_schedule
the FIPS AES standard itself: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
our own Python implementation: https://github.com/newaetech/chipwhisperer/blob/develop/software/chipwhisperer/analyzer/attacks/models/aes/key_schedule.py#L143

Now, as for this line in our tutorial:

known_keys = np.asarray([trace.key for trace in traces])  # for fixed key, these keys are all the same

is simply building an array where the elements are the input AES key for each trace; in this case, every trace used the same key, so this is a bit superfluous (the original intent is probably that in the case where power traces are saved to a file for later analysis, it’s good practice to explicitly attach the key to every collected trace, to prevent confusion).

Again, what’s fixed for every trace here is the input key. Every 16-byte block of input plaintext is encrypted with that same key. For each of these blocks, 10 distinct round keys are used.

I commend you for wanting to get a more than basic understanding of AES! If you want to get a deep understanding, I recommend making your way through the FIPS standard. It may seem complicated, but it’s actually pretty simple, no advanced math required.

Jean-Pierre