Global Sources
EE Times-Asia
Stay in touch with EE Times Asia
EE Times-Asia > Embedded

Guarding against side-channel attacks (Part 2)

Posted: 12 Oct 2012 ?? ?Print Version ?Bookmark and Share

Keywords:open source? cryptographic library? AES?

Part 1 provides a brief introduction to side-channel analysis, including timing analysis, as well as simple and differential power analysis. The second installment of this series begins with the electromagnetic (EM) analysis of mobile devices.

As smart mobile devices become ubiquitous, many applications requiring a high degree of security are being ported to the devices. Banking, mobile payments, stock trading, and digital rights management of downloaded content are all examples of applications requiring secure connections and the use of cryptographic keys. As the examples in this section show, however, many mobile devices currently in use do not contain side-channel protections. Hence, these devices are often extremely vulnerable to side-channel attacks, often from data collection occurring several yards away.

EM collection setup
The equipment used to collect the EM data is shown in figure 1.

Figure 1: Setup for collecting and processing EM emissions from mobile devices.

The emissions from the devices are captured with standard near field or far field antennas. The signals are sent to an Icom receiver where they are downconverted. The downconverted signals are then sent to the GNU digitizer, and the digitized signals are then processed on a standard workstation with the GNU software radio program and DPAWS software. The hardware for the entire setup can be purchased for under $2000.

Figure 2: Straightforward implementation of an elliptic curve point multiplication.

EM analysis of elliptic curve app on an iPod
The first example is an elliptic curve application running on an iPod. The application was written using an open source cryptographic library. It performs a point multiplication over the NIST curve P-521. The application computed a straightforward point multiplication using the algorithm shown in figure 2.

The emissions from the iPod were collected from several feet away using the far field antenna. The carrier frequency of the signal was 972.177MHz. The acquisition bandwidth was 200kHz, and the filtered bandwidth was 140kHz. A snapshot of the collected data is shown in figure 3.

Figure 3: Data collected from iPod touch from several feet away.

The double and add are very different operations, and the difference is easy to see directly. The thinner downward spikes are the doubling operations, while the wider downward spikes are the additions. In the straightforward implementation shown in figure 2, a double can be followed by either another double, or an addition. In contrast, an addition is always followed by a double. Hence, whenever there are two thin spikes in a row the corresponding bit of the secret multiplier is a zero. Similarly, a thin spike followed by a wide spike indicates the corresponding bit of the secret multiplier is a one. By analyzing the pattern of spikes, an attacker could extract the entire secret multiplier using a single trace.

EM analysis of RSA app on Android phone
The second example is an RSA application running on an HTC Evo 4G phone. The application was written using an open source cryptographic library. It performs a modular exponentiation with a 2048bit modulus, using the Chinese Remainder Theorem. The application computes a straightforward modular exponentiation using the algorithm shown in figure 1 of Part 1.

1???2?Next Page?Last Page

Article Comments - Guarding against side-channel attack...
*? You can enter [0] more charecters.
*Verify code:


Visit Asia Webinars to learn about the latest in technology and get practical design tips.

Back to Top