EE Times-Asia

Secure encryption systems against side-channel attacks

Posted: 02 Apr 2015

Keywords: Cryptography, encryption, decryption, AES-256, Hardware Security Modules

Because these large systems consisted of many components, they had their own power supplies and regulators to supply different voltages to different components. As a result, it was assumed that any power signal collected from outside the secure location would be too noisy to be a practical threat, a fact that was easy to observe and verify. In addition, these complex systems suffered from a variety of remotely exploitable software vulnerabilities, so addressing the remote vulnerabilities was prioritized over exploring physical attacks. Side-channel countermeasures in these larger systems, if any existed, were limited to protections against remotely exploitable timing attacks. Over time, a myth developed that side-channel attacks were just a smart-card problem and large systems were largely immune to these attacks.

Evolution of the threat to large systems
The ubiquitous deployment of cryptography in mobile, embedded, IoT, vehicular, smart-grid, and hosted/cloud-based systems, however, has meant that many systems performing sensitive cryptographic operations are no longer in physically secure locations. Over the last few years, then, attention has once again returned to the side-channel vulnerabilities of large systems.

In looking at these vulnerabilities, researchers and attackers had to confront the obvious challenge that measuring and isolating power consumption related to cryptographic operations on large, complex systems with many components is not easy, nor is dealing with the large amount of noise generated by unrelated activity. However, as it has turned out, just a bit more sophistication on the side-channel acquisition side has resulted in tremendous improvements in the quality of side-channel signals available from larger devices. As a result, these larger devices are now subject to the same simple and differential side-channel attacks that were applicable to smart-cards a decade ago! In fact, even the most basic, low-cost smart-cards available today offer substantially more resistance to side-channel attacks than even FIPS certified, large, tamper resistant systems that don't implement side-channel countermeasures.

Two key improvements have greatly extended the reach of side-channel attacks on large systems. One is the use of cheap near-field and far-field probes to capture EM emissions from large devices rather than focusing on the power line. The other is the use of elementary signal processing techniques, such as filtering and demodulation, to isolate and enhance the leakage information-bearing signal from the noise.

The use of near-field emissions arose because while some large systems produce strong cryptography-related emissions that can be captured from several feet away using a standard, far-field RF antenna tuned to the emission frequency, most large systems produce weaker emissions that are only available from shorter distances or in the near-field. For example, when operating with a typical M-field probe (which is essentially a loop of wire) in close proximity to the device, it becomes possible to isolate different EM emission sources by moving the probe across different parts of the device. Signal processing can then substantially increase the signal-to-noise ratio of the captured signal because cryptography-related emissions may be prominent in only certain parts of the spectrum.

The first step in a side-channel attack against a large device family, therefore, is to identify the best probe position and the spectral bands where the best leakage can be found. This task can be greatly simplified if it is possible to operate the device in a mode where it performs the cryptographic operation intermittently and observe the probe signal's spectrogram. Figure 1 shows such a spectrogram from a 1cm M-field probe placed behind a modern smart-phone while it is performing the RSA operation intermittently.

Figure 1: Spectrogram of EM signal collected by M-field probe placed behind a modern mobile phone that is intermittently performing the RSA cryptographic algorithm in software. Bands of energy that appear only during the cryptographic operation identify the frequency bands where information about the RSA operation leaks into the EM side-channel.

The spectrogram clearly shows energy bands that appear only during the RSA operation and indicates that the probe in its current position is picking up emissions related to the RSA operation. The spectrogram further identifies the frequency bands where this information is being leaked. With this information the attacker can then further adjust the probe position to maximise the RSA leakage energy pickup and set analogue and digital filters, and other signal processing parameters for the bands identified in the spectrogram, to further isolate the RSA related signal from other unrelated signals and noise.
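The band-identification step described above, as an added example (not code from the article or its authors), written as a leakage check an evaluator could run against a capture from their own device: it compares per-band energy between windows where the operation is running and windows where it is idle. The signal, window size, tone positions, on/off schedule and threshold are all constructed assumptions.

```python
import cmath, math, random

WIN = 64  # samples per spectrogram column (constructed value)

def power_spectrum(window):
    """Naive DFT power for bins 1 .. WIN/2-1 of one window."""
    n = len(window)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * i / n)
                    for i, x in enumerate(window))) ** 2 / n
            for k in range(1, n // 2)]

def synthetic_capture(schedule, seed=1):
    """Constructed probe signal: a bin-5 tone that is always on (unrelated
    clock), a bin-12 tone present only while the operation runs, and noise."""
    rng = random.Random(seed)
    windows = []
    for active in schedule:
        w = []
        for i in range(WIN):
            s = math.sin(2 * math.pi * 5 * i / WIN) + rng.gauss(0, 0.5)
            if active:
                s += 0.6 * math.sin(2 * math.pi * 12 * i / WIN)
            w.append(s)
        windows.append(w)
    return windows

def leaking_bins(windows, schedule, ratio_threshold=4.0):
    """Bins whose mean power while the operation runs exceeds the idle mean
    by ratio_threshold; returns (bin, ratio) pairs."""
    spectra = [power_spectrum(w) for w in windows]
    flagged = []
    for b in range(len(spectra[0])):
        on = [s[b] for s, a in zip(spectra, schedule) if a]
        off = [s[b] for s, a in zip(spectra, schedule) if not a]
        ratio = (sum(on) / len(on)) / (sum(off) / len(off))
        if ratio >= ratio_threshold:
            flagged.append((b + 1, round(ratio, 1)))  # list index 0 is bin 1
    return flagged

SCHEDULE = [False, True] * 20  # constructed on/off schedule, one entry per window

if __name__ == "__main__":
    print(leaking_bins(synthetic_capture(SCHEDULE), SCHEDULE))
```

The always-on bin-5 tone carries more energy than the leakage band but is not flagged, which is why the comparison is made against idle windows rather than on absolute energy.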

After signal processing, the resulting RSA EM leakage signal in this example was clear enough for an attack using simple side-channel analysis. In fact, our lab has analysed more than 30 modern 4G smartphones, with different operating systems and manufacturers, and has successfully extracted the secret keys used by RSA software running within them using simple EM analysis. In addition, we found symmetric algorithms such as AES running in software on these devices to be attackable using differential EM analysis.

Other researchers have used similar techniques to extract secret keys from PCs using ground potential leakage (signal obtained by grounding the chassis) using low-cost, custom acquisition hardware. These attacks seriously call into question the security of server machines that use RSA to set up secure HTTPS or SSL connections with customer browsers, yet are kept not in secure corporate data centres but rather in co-located server hosting facilities with server cages for physical protection.

More threats
In addition to exploring threats to large systems, recent research activity has focused on attacks on cryptographic operations occurring within a small hardware core embedded within a large SoC (system on chip), such as an FPGA, set-top box chip, or a mobile application processor. In this setting, the positioning of the EM probe on either the chip surface or on a bypass capacitor on the system board to localise the leakage signal is critical. But other than that, these SoCs can fall prey to the same differential power analysis attacks as the smart-cards from the 1990s.
