How DPA has evolved and why it’s so dangerous to the IoE.
Differential power analysis (DPA) has been a threat vector on the chip landscape for a number of years. It was discovered around the mid-1990s by the teams at Rambus’ Cryptography Research Division, and turned out to be a very effective tool for compromising the ubiquitous SIM card environment.
“The most traditional market for DPA has been with smart cards because of their limitations – consumer goods type of devices, low cost, limited power,” says Simon Blake-Wilson, vice president of products and marketing at Rambus. “That makes them a fertile landscape for DPA. Of course, DPA is capable of side channel attacks on just about any chip, but the relative lack of control over, and ease with which one could obtain SIM cards made them easy pickings for such power analysis techniques.”
Today, DPA has reached some very sophisticated levels. In fact, one can actually buy a DPA kit off of the Internet. “There is really nothing new in the probes used for DPA, other than the standard advancements in specific technology, but edge-of-the-envelope hardware and software lay tremendous analysis capabilities at the disposal of side channel attacks,” says Pankaj Rohatgi, director of engineering at Cryptography Research. “Therefore, the data collected is of much better quality, from better equipment, which in turn, allows for more sophisticated attacks.”
Chowdary Yanamadala, vice president of business development at ChaoLogix, agrees: “It is nothing now to collect and store several million traces for analysis. The data acquisition, storage, and processing has become cheaper over time, and that becomes the advantage to the hacker.”
While progress has been made in protecting SIM cards, the attack platform is never more than a half step behind. DPA continues to be a thorn in the side of the semiconductor industry. “On the chip manufacturer side there are two main camps. One of the camps is very much in tune with what is happening in DPA. They understand the emerging trends and try to understand the mentality of the hackers. The other camp is the non-security-centric manufacturers,” says Yanamadala.
So unless the “non-security-centric manufacturers” suddenly become concerned, it’s likely that DPA will become more prevalent as more and more low/no-security chips are embedded or installed in lower-end Internet of Everything devices.
Playing that forward, virtually every machine and electronic device will be tethered to the IoE. That means the number of SIM/microSIM, or SIM-like chips will be in the billions. While there is talk of the SIM card’s demise, that is unlikely for a number of reasons. SIM chips are an inexpensive and mature technology with a great deal of flexibility because they are what contain the intelligence. Moreover, they can relocate the intelligence from device to device. The advantages of portability, along with other properties such as cost, reusability, and soon, programmability [see reference 1], are key elements for many of the objects of the IoE.
All of this requires better security, both physically (knowing where the chip is), and cryptographically.
However, there are some metric changes coming to SIMs. The most significant is the low- and ultra-low-power edicts. Such metrics will change the electrical makeup of the SIM and, consequently, how side channel attacks will move forward. In that vein, according to Rohatgi, “there is some interesting research going on with ground plane analysis and looking at other components, such as capacitor banks that play into the leakage game.”
A quick review
Power analysis, simple or differential, is a side channel attack where the attacker analyzes the power footprint of a cryptographic hardware device. “It is almost like the second law of thermodynamics,” notes Richard Newell, senior principal product architect for the SoC products group at Microsemi. “If you are consuming energy doing computations, you are also leaking energy. And that leaked energy contains information about what is going on inside the device.”
By analyzing the electromagnetic emissions coming out of the device, it is possible to non-invasively extract keys and other sensitive information from the device. Basically, DPA measures power levels at different parts of the chip and uses statistical analysis. Measuring these power fluctuations can identify the kind of computations being run, and repeated permutations and analysis can reveal bits of the cryptokey. Enough repetitions will, eventually, produce the complete key. It is simply a matter of recording the waveforms of the cipher text and side channel leakage, applying post processing, and all of a sudden, the keys are exposed.
Even if the chip is specifically shielded against leaking the EM field generated by electrical activity, or countermeasures such as noise are applied to obscure detection in a chip, such emissions can still be captured and analyzed against the various signatures of the operations running on the chip.
The actual theory is quite simple, but the application is a bit more involved. It takes someone with a reasonably high level of cryptographic knowledge to understand the signatures and know what is valuable data versus noise.
This is a quick recap of the basic principle of DPA. The interesting thing is how all of this will play out going forward into the IoE with low power as the mantra.
Power analysis and low-power platforms
One would think that this downsizing of chips and lighter-weight operations would translate into easier DPA attacks. To some degree that is true, just due to the scaling. Ramesh Karri, Professor of Electrical and Computer Engineering at Polytechnic School of Engineering, New York University, notes that “with lightweight cryptography, since it does consume a smaller amount of power, that adds some difficulty in measuring those smaller emissions.”
Additionally, because smaller geometries use less power and generally reduce the peripheral components (R/C/L), lower power chips are a bit less resistant to traditional power analysis attacks.
While that makes sense logically, it doesn’t necessarily scale linearly, and there are some mitigating factors. “One big reason for that is, as the technologies scale and move to lower voltages, so do the capabilities of the hackers to analyze,” says Yanamadala.
But overall, side channel attacks on low- and ultra-low-power chips use the same methodology as standard chips. So, in the empirical sense, DPA on low power chips should be more difficult—but not always, and not in all cases. “One still has to focus on DPA-resistant designs, such as to make both meaningful and meaningless computations have the same power consumption, independent of the input,” Karri explains. “That is easy to say, but difficult to implement.”
Another good approach to DPA-resistant designs is to run asynchronous communications. By not timing everything to the clock, it becomes more difficult to synchronize with the data being leaked.
How to get that power down
There are a number of ways to lower power in chips. One is to cut down on chip real estate and component count by removing functionality and the components that go with it. Another way is to run lighter-weight operations, such as 8- vs. 16-bit, or 16- vs. 32-bit operations or code. Another way is to simply design a lower power platform, but that involves a lot of variables, and it can be expensive and limiting as to what can be done with it.
Unfortunately, those vendors that are not focused on security look more to removing functionality and the components that go with it. In many cases, given today’s security mentality among those not on the front lines, the first choice is to weaken, or even remove, cryptographic functionality. That is a key reason why DPA on low-power chips is still a major threat. And it is an open invitation to disaster with the billions of devices expected to be part of the IoE, many of which will be SIM, or SIM-like chip based.
Andes Technology, for one, has created ultra low power multi-core IP with one of those cores designed to protect against physical attacks and malicious debugging. The company also develops custom instruction-set software, with both 16-bit and 32-bit code used for its cores depending upon power and efficiency needs. By combining the two, along with other custom code specifically written for security, it makes it much more difficult to hack into devices.
“With the IoT, the focus is on very low power devices and security,” said Emerson Hsiao, senior vice president of sales and technical service for North America Operations at Andes Technology. “People have developed this kind of technology in high-end mobile devices, but not in the embedded and IoT markets. The challenge is that the customer needs to identify where there is a bottleneck for their software and where there are vulnerabilities. What we find is that they can identify the critical path and the vulnerabilities, but they don’t necessarily have the capabilities in house to customize it.”
Cycling devices vs. always on or always monitoring can save a lot of power, especially if the device is used irregularly (a smart light vs. a smart thermostat, for example). But such devices are not necessarily “low-power” technology, just low-power utilization. So traditional DPA analysis easily can be done on that light bulb with the embedded SIM card found in the trash.
However, focusing on real low-power technology for a moment, low-power doesn’t always mean less leakage. As one reduces power, it may or may not be reflected in the parameters of the device. Recall that DPA generally looks at the operations going on in the chip. Common Si or Ge transistors must run at a specified supply voltage and consume a specific amount of power during operation. Generally, that is not where low-power metrics are applied, so the signature of the switch is the same.
There are, of course, semiconductors that can run on very low voltages, but such devices are not likely to be the main component of most of the IoE devices—or at least not for some time. So for this discussion, we assume low-power devices to be reduced current consumption devices, via any number of approaches.
Then there is the issue of signal vs. noise. In some cases, scaling down can increase noise, which can aid the hacker in waveform analysis. This is due to a couple of factors. One is that transistors are imperfect devices. Second, as semiconductor nodes move toward the very deep submicron region, leakage current and circuit reliability become problematic. Both of these issues aid in DPA analysis.
There are other issues in scaling, as well. On the physical side, as geometries shrink, quantum effects start to show up and heat can become an issue. The fabrication process becomes more critical and needs tighter bounds. That, in turn, drives up fabrication costs.
It also makes it harder to move data around chips because increasingly thin wires create more resistance for electrons, requiring more power to drive signals, creating more leakage in the form of heat, and potentially opening up new attack vectors. This is of particular concern to makers of memory, which serve as the data repositories on a chip.
“There are two aspects of memory security for IoT—data security and key security,” said Linh Hong, vice president of worldwide sales at Kilopass. “Antifuse one-time programmable solutions are the best in class for key security. You cannot change the content of the memory after programming, and to date they have never been hacked using passive, semi-invasive or invasive methods.”
There are other approaches, as well. Antifuse — which literally works in reverse of a fuse by keeping a circuit open — is aimed at cost-sensitive IoT applications. There also are more complex and costly memory security approaches that make it harder for hackers to determine if the last digit stored was a one or a zero.
On a final note, scaling cryptography devices down to low double-digit geometries is a bit more of a challenge. They don’t scale as well due to the complex operations that are required to run cryptography. “Even when all is done to make the chip as low-power as possible, it is still offset by two things,” says Yanamadala. “One is the increasing capabilities of the hacker. The second thing has to do with the security chips in the chain, themselves.”
All of these are new or peripheral challenges to DPA, but not all of them affect DPA. As Yanamadala noted earlier, the logarithmic ramp in technology puts tremendous processing and analysis power at the fingertips of the hacker. That is the most challenging issue.
Next big threat
On the horizon is something called High-Order Differential Power Analysis (HO-DPA). This is a very strong attack platform. It has been around for several years but wasn’t used much because it requires expensive hardware and the analysis is very complex. But with today’s determined and well-funded attack organizations, it is likely to be practiced more and more, especially on high value targets. It succeeds where simple power analysis (SPA) and DPA fail.
Its claim to fame is its ability to circumvent the common countermeasure of masking. Masking takes the sensitive variable of cryptographic algorithms and splits it into random shares, which consist of the random mask and the masked data. This has the advantage of keeping the information on subparts of the shares separate from the sensitive data itself. HO-DPA can defeat masking schemes by combining shares, which can defeat all, or part of the mask.
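The statistical step described in the quick review, and the effect of masking described here, can be checked on simulated traces; the following is an added example, not code from the article or from any vendor quoted in it. It uses a correlation test in place of the original difference-of-means statistic. Assumptions: the device leaks the Hamming weight of a 4-bit PRESENT S-box output plus Gaussian noise, the traces are constructed, and all function names are hypothetical.

```python
import random

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # PRESENT 4-bit S-box
HW = [bin(v).count("1") for v in range(16)]       # Hamming weights

def simulate(key, n, masked, rng, noise=0.5):
    """Constructed traces: two sample points, each HW(value) + Gaussian noise."""
    inputs, traces = [], []
    for _ in range(n):
        p, m = rng.randrange(16), rng.randrange(16)
        v = SBOX[p ^ key]                         # sensitive intermediate
        a, b = (v ^ m, m) if masked else (v, m)   # masked: two random shares
        inputs.append(p)
        traces.append((HW[a] + rng.gauss(0, noise), HW[b] + rng.gauss(0, noise)))
    return inputs, traces

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5

def best_guess(inputs, samples):
    """Key guess whose predicted Hamming weights correlate best with samples."""
    scores = [abs(pearson([HW[SBOX[p ^ g]] for p in inputs], samples))
              for g in range(16)]
    top = max(range(16), key=scores.__getitem__)
    return top, scores[top]

def first_order(inputs, traces):  # each sample point tested on its own
    return max((best_guess(inputs, [t[i] for t in traces]) for i in (0, 1)),
               key=lambda r: r[1])

def second_order(inputs, traces):
    """Combine both points (centered product) so the two shares recombine."""
    m0 = sum(t[0] for t in traces) / len(traces)
    m1 = sum(t[1] for t in traces) / len(traces)
    return best_guess(inputs, [(t[0] - m0) * (t[1] - m1) for t in traces])

def demo(key=0x9, n=5000, seed=1):
    rng = random.Random(seed)
    plain, masked = simulate(key, n, False, rng), simulate(key, n, True, rng)
    return first_order(*plain), first_order(*masked), second_order(*masked)

if __name__ == "__main__":
    for name, (guess, rho) in zip(("plain/1st", "masked/1st", "masked/2nd"), demo()):
        print(f"{name}: guess={guess:#x} |rho|={rho:.2f}")
```

On these constructed traces the masked implementation shows no usable first-order correlation, which is the property masking is meant to provide, while the combined-sample test still singles out the key. That is why a masked design has to be evaluated against higher-order leakage as well as first-order leakage.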
It is difficult to predict the future of DPA relative to the IoE. But there are a couple of things that are a given. One, the IoE will be flush with SIM-type chips. They are cheap, easy to produce and offer plenty of resources for low-end devices. They also tend to have weak or no security. Programmable SIMs have yet to develop a clear track so it is difficult to see exactly where, or even if, they will find wide-scale adoption. And the resources for DPA attacks are now easily acquired, and relatively cheap.
It’s likely that DPA will become more and more common, for the aforementioned reasons and because the pool of chips will increase by orders of magnitude with the IoE. And they will be much more available to hackers, like the smart light bulb thrown into the trash.
That is a tall order for the cryptography community – to convince the industry of the dangers of unprotected chips and the future of DPA. It will be interesting to see what happens.
Reference 1. There are two main types of reprogrammable SIMs, the Embedded UICC (or eUICC) and the Soft SIM. Most likely, the eUICC will become the de facto standard because the soft SIM has widespread security concerns, whereas the eUICC is much better in that vein. The eUICC, per the GSMA definition, is a small trusted hardware component that will run secure network access applications and enable the secure interchange of subscription identity and other subscription data. It is really a UICC with reprogrammable capabilities.