Guarding against side-channel attacks (Part 1)

Posted: 03 Oct 2012

Keywords: differential power analysis, authentication codes, EM emissions

Cryptography is an essential building block for securing systems and communications. It is widely deployed in embedded systems used for commercial and defense applications. Basic cryptographic operations such as encryption/decryption, message authentication and digital signatures rely on secret keys that must be kept securely within a device and protected from disclosure. Modern cryptographic algorithms, when used with appropriately sized keys, are designed to resist all known attacks in which the attacker can observe (or manipulate) the inputs and outputs of the algorithm but does not have any other information about the secret key or about the execution of the algorithm.

In practice, however, an attacker who has access to a device that is performing a cryptographic operation can easily obtain additional information about the operation, beyond just the inputs and outputs. For example, even a remote attacker can obtain a (noisy) estimate of the time taken to perform cryptographic operations. An attacker who is physically close to the device can also measure the power consumed by the device, or its EM emissions, while it is performing the operation. These additional sources of information about cryptographic operations are known as side-channels, and in the mid-1990s Kocher et al. [1,4] showed that side-channels such as timing and power consumption contain enough information to easily extract the secret key from naïve implementations of essentially any cryptographic algorithm. They also proposed several fundamental techniques for protecting cryptographic implementations from such attacks.

Subsequently, substantial R&D activity has been directed toward understanding side-channel attacks and implementing defenses. Many industry and government standards, as well as security certifications, now require tamper-resistant devices to defend against side-channel attacks. Non-invasive side-channel attacks such as timing attacks and simple and differential power analysis (SPA and DPA) should be addressed by all systems that require any significant degree of tamper resistance, since these attacks can be carried out by attackers with modest skill and resources, and timing and power measurements can be collected easily.

This paper provides a brief introduction to side-channel analysis, including timing analysis and simple and differential power analysis (SPA and DPA). It then discusses CRI's recent side-channel analysis of popular mobile devices, in which cryptographic keys are extracted from the devices using EM emissions from the processor as it performs certain cryptographic calculations. (These are unintended emissions from the devices, unrelated to the emissions from the devices' ordinary communications channels.) We also propose a new suite of standardized tests intended to help analysts look for potential problems in their devices. These tests have been designed to enable consistent testing by validation labs, and to help developers find problems in their devices without the need for custom tests.

Side-channel analysis
This section provides a very brief introduction to some of the more commonly exploited side-channel analysis techniques. While the majority of the examples in this paper use power analysis, the techniques presented are largely agnostic to how the data is collected. Other physical measurements used in side-channel analysis include, but are not limited to, RF signals and E-Field data. Other sources such as sound, heat and photon emissions have been proposed and researched.

Timing attacks
Timing attacks exploit small differences in execution time to extract secret information from systems. Commonly discovered sources of timing leaks include, but are not limited to:

- Data-dependent differences in instruction times;
- Early exit;
- Data-dependent code branches;
- Cache access times.
A very common timing attack exploits the early exit from loops that compare passwords or message authentication codes (MACs): the comparison stops at the first mismatching byte, so the running time reveals how long the correct prefix of the attacker's guess is. This lets the attacker use the verifier as an oracle and recover the secret value one byte at a time, turning a 2^128 search into a few thousand queries. Although these attacks are decades old, they are still found in systems that are both currently deployed and still under development.
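The early-exit leak and its standard fix, as an added worked example that is not code from the article or from CRI. The secret MAC is a constructed 16-byte value; the verifier reports the number of byte comparisons it performed, which stands in for the execution time an attacker would measure on real hardware. A byte-at-a-time oracle attack is run against both the early-exit compare and a constant-time compare:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 16

/* Constructed 16-byte secret MAC for the demonstration (not from the article). */
static const uint8_t SECRET_MAC[MAC_LEN] = {
    0x9a, 0x3f, 0x00, 0x71, 0xc4, 0x1e, 0xd8, 0x5b,
    0x22, 0xf0, 0x6d, 0xb7, 0x49, 0x8c, 0xe3, 0x15
};

/* A verifier accepts (1) or rejects (0) a candidate MAC and reports how many
 * byte comparisons it executed; on hardware that count is what the attacker
 * observes as execution time. */
typedef int (*verifier_fn)(const uint8_t *candidate, size_t *work);

/* Vulnerable verifier: leaves the loop at the first mismatching byte, so the
 * running time reveals the length of the candidate's correct prefix. */
int verify_early_exit(const uint8_t *candidate, size_t *work)
{
    size_t i;
    for (i = 0; i < MAC_LEN; i++) {
        if (candidate[i] != SECRET_MAC[i]) {
            *work = i + 1;
            return 0;
        }
    }
    *work = MAC_LEN;
    return 1;
}

/* Hardened verifier: touches every byte and ORs the differences together, so
 * there is no data-dependent branch and the work is always MAC_LEN. */
int verify_constant_time(const uint8_t *candidate, size_t *work)
{
    uint8_t diff = 0;
    size_t i;
    for (i = 0; i < MAC_LEN; i++)
        diff |= candidate[i] ^ SECRET_MAC[i];
    *work = MAC_LEN;
    return diff == 0;
}

/* Timing-oracle attack. At each position try all 256 byte values and keep the
 * one that makes the verifier work longest (it got past that byte). Stops when
 * every value yields the same work, i.e. the channel is silent. Returns the
 * number of bytes recovered into out; *queries (if non-NULL) gets the number
 * of oracle calls used. */
size_t recover_mac(verifier_fn verify, uint8_t out[MAC_LEN], unsigned long *queries)
{
    uint8_t guess[MAC_LEN];
    unsigned long n = 0;
    size_t pos, recovered = 0;
    memset(guess, 0, sizeof guess);
    for (pos = 0; pos < MAC_LEN; pos++) {
        size_t min_work = MAC_LEN + 1, max_work = 0, work;
        int best_val = 0, v, done = 0;
        for (v = 0; v < 256; v++) {
            guess[pos] = (uint8_t)v;
            n++;
            if (verify(guess, &work)) { done = 1; break; }   /* full match */
            if (work > max_work) { max_work = work; best_val = v; }
            if (work < min_work) min_work = work;
        }
        if (done) { recovered = MAC_LEN; break; }
        if (max_work == min_work) break;                     /* no leak here */
        guess[pos] = (uint8_t)best_val;
        recovered = pos + 1;
    }
    memcpy(out, guess, MAC_LEN);
    if (queries) *queries = n;
    return recovered;
}

/* Sanity check: both verifiers accept the real MAC and reject a one-bit change. */
int verifiers_agree_on_correctness(void)
{
    uint8_t bad[MAC_LEN];
    size_t w;
    memcpy(bad, SECRET_MAC, MAC_LEN);
    bad[MAC_LEN - 1] ^= 0x01;
    return verify_early_exit(SECRET_MAC, &w) == 1 && verify_constant_time(SECRET_MAC, &w) == 1
        && verify_early_exit(bad, &w) == 0 && verify_constant_time(bad, &w) == 0;
}

/* Returns 1 if the attack recovers the entire MAC correctly, else 0. */
int attack_recovers_mac(verifier_fn verify, unsigned long *queries)
{
    uint8_t out[MAC_LEN];
    size_t got = recover_mac(verify, out, queries);
    return got == MAC_LEN && memcmp(out, SECRET_MAC, MAC_LEN) == 0;
}

int main(void)
{
    unsigned long q1, q2;
    int r1 = attack_recovers_mac(verify_early_exit, &q1);
    int r2 = attack_recovers_mac(verify_constant_time, &q2);
    printf("early-exit compare:    recovered=%d queries=%lu\n", r1, q1);
    printf("constant-time compare: recovered=%d queries=%lu\n", r2, q2);
    return 0;
}
```

Against the early-exit compare the attack needs at most 16 x 256 oracle calls rather than 2^128; against the constant-time compare it learns nothing and stops at the first byte. Two caveats for real systems: the attacker sees a noisy timing estimate, not an exact comparison count, so each guess must be measured many times and averaged; and a compiler may re-introduce a branch into a hand-written constant-time loop, which is why production code should use a vetted constant-time comparison routine and be checked at the instruction level.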
