Skip to content

Latest commit

 

History

History
127 lines (92 loc) · 4.53 KB

notes.org

File metadata and controls

127 lines (92 loc) · 4.53 KB
Raw

Install the dependencies for attack.py

The attack are reproduced on an Arch Linux system, without Docker, with the latest version of the different packages at date of [2023-08-01 mar.].

For a Debian distribution:

sudo apt-get install python3-click python3-scipy python3-statsmodels python3-sklearn python3-pycryptodome

For an Arch Linux installation:

sudo pacman -S python-click python-scipy python-statsmodels python-scikit-learn python-pycryptodome

Or using Pip:

pip3 install --break-system-packages click scipy statsmodels scikit-learn pycryptodome

Test attacks on the “small sample set”

We will demonstrate the attacks on the “small sample set” of the EURECOM-s3.GitHub.io page (30 MB).

Either download the dataset:

wget -O /tmp/sample_traces.tar.gz https://drive.usercontent.google.com/download?id=1raM1NZGQ65km2BWIu03-y75Gq5FqrdsT&export=download&confirm=t&uuid=92b84cd2-8ada-4126-90e6-c0c1f7779811

Or use the copy in this repository:

cp ./traces/sample_traces.tar.gz /tmp

Then extract the traces:

cd /tmp
tar xzvf sample_traces.tar.gz
rm -rf sample_traces.tar.gz
export TRACES_SAMPLE=/tmp/sample_traces
cd $TRACES_SAMPLE
ls

The template/training set (hackrf_20cm/attack_tx_500) is composed of 2000 traces with a fixed key and a variable plaintext.

The template/training set (hackrf_20cm/template_tx_500) is composed of 5000 traces with a variable key and a variable plaintext.

CCS18 – Correlation Radio Attack (CRA)

This is how to launch a CRA, but it will not work on sample_traces.tar.gz because there is not enough traces.

# Plot and adjust points.
./attack.py --plot --data-path=$data_path --start-point=0 --end-point=0 --num-traces=1000 cra
# Attack (use fixed key set).
./attack.py --data-path=$data_path --start-point=0 --end-point=0 cra

CHES20 – Profiled Correlation Attack (PCC)

  1. Create a profile: 
    ./attack.py --plot --norm --data-path $TRACES_SAMPLE/hackrf_20cm/template_tx_500/ --start-point 400 --end-point 700 --num-traces 5000 profile /tmp/sample_traces --pois-algo r --num-pois 2 --poi-spacing 1 --variable p_xor_k

    The profile will be stored in the /tmp/sample_traces directory:

    ls -lh /tmp/sample_traces | grep .npy
    
    -rw-r--r-- 1 drac drac  384  1 août  16:04 POIS.npy
-rw-r--r-- 1 drac drac 129K  1 août  16:04 PROFILE_COVS.npy
-rw-r--r-- 1 drac drac  65K  1 août  16:04 PROFILE_MEANS.npy
-rw-r--r-- 1 drac drac 1,3K  1 août  16:04 PROFILE_MEAN_TRACE.npy
-rw-r--r-- 1 drac drac  38K  1 août  16:04 PROFILE_RS.npy
-rw-r--r-- 1 drac drac  38K  1 août  16:04 PROFILE_RZS.npy
-rw-r--r-- 1 drac drac  65K  1 août  16:04 PROFILE_STDS.npy
  2. Attack re-using the profile on only 400 traces: 
    ./attack.py --norm --data-path $TRACES_SAMPLE/hackrf_20cm/attack_tx_500/ --start-point 400 --end-point 700 --num-traces 400 --bruteforce attack /tmp/sample_traces --attack-algo pcc --variable p_xor_k

    The attack is quite fast (< 1 minute) and is able to retrieve half of the key with only 400 traces:

    Best Key Guess:   40   f9   32   50   15   23   51   94   ab   b7   7d   ff   c6   5a   d0   75  
Known Key:        40   f9   32   53   15   23   51   96   ab   b7   7c   fe   c4   5b   d1   77  
PGE:             000  000  000  001  000  000  000  001  000  000  002  001  001  001  001  002  
SUCCESS:           1    1    1    0    1    1    1    0    1    1    0    0    0    0    0    0  
NUMBER OF CORRECT BYTES: 8

CHES20 – Template Attack (PDF)

First, create a profile just like the CHES20 – Profiled Correlation Attack (PCC) attack. Then, we can attack:

./attack.py --norm --data-path $TRACES_SAMPLE/hackrf_20cm/attack_tx_500/ --start-point 400 --end-point 700 --num-traces 500 --bruteforce attack /tmp/sample_traces --attack-algo pdf --variable p_xor_k --pooled-cov --num-pois 2

The attack is longer (~ 5 minutes) but is able to retrieve 3 additional bytes of the key compared to the previous one.