All data movement leaves an electronic trail.
When we think of the field of cryptography, we often tend to think of math-intensive software encryption schemes, algorithms trying to prevent sensitive data from getting into the wrong hands, and hackers poring over code searching for potential loopholes in data sent over secure channels.
However, we must also consider the fact that data has to physically make its way through transistors, printed circuit board traces and, eventually, through cables (USB, Ethernet, etc.) or an antenna (for wireless transmission). It might be surprising to many that the physics of current flow and the specific paths that the flow takes through the chip actually leave unintended clues about the chip’s functionality.
Most people might think that digital thieves physically intercept data by tapping into data streams at the input or output of chip or board circuitry, cables, or even air. Well, physically intercepting data bits certainly does open up plenty of room for stealing unsecured data, as you might discover if you fail to secure your WiFi network. However, it’s less likely to result in the security breach of well-encrypted data without the help of massive decryption algorithms run on supercomputers. Definitely low ROI for your typical, or even well-funded, hacker.
The view that data can only be compromised through direct access to data inputs/outputs, however, is long outdated, as Paul Kocher, Chief Scientist of Cryptography Research at Rambus, reminded us during his 2016 DesignCon keynote presentation, Silicon Foundations for Security. Present-day cryptography not only involves strengthening data encryption schemes for safe transmission to end users, but also involves preventing security breaches that might take place through clever approaches to snooping data from physical characteristics displayed by chips themselves (that is, vulnerabilities not necessarily seen in the data transmitted by the chip).
Kocher illustrated how relatively easy it might be for one to recover an encryption key by monitoring and statistically processing the power consumption profile of the chip! Note that nowhere in the data stream is this information available, but it can be obtained by measuring the current through a simple resistor in series with the chip’s power supply. Numerous captured power profiles (say, from a smartcard or credit card chip), whose characteristics might initially look arbitrary, can actually be processed into meaningful signals correlated with a cryptographic chip operation, with the help of schemes such as Simple Power Analysis (SPA) and Differential Power Analysis (DPA).
The intent of these techniques is to exploit the data dependency of the power consumption of the chip. Each unique set of operations taking place on the chip can produce a unique current signature, hence the data dependency of power consumption patterns. An encryption key is simply another piece of data that can affect the current signature.
The idea of DPA in particular is to stimulate the chip with specific data patterns that amount to “guesses” on an encryption key, and then to determine the validity of the guess by statistically processing the resulting current signatures. The data dependency of the power might initially seem too minuscule to detect, but averaging out the differences of these current profiles over enough samples can reveal otherwise. The processed waveform converges to zero for most time points, but time points that are correlated to the hacker’s intentional data patterns reveal non-zero spikes in current that indicate responsiveness to a correct key. Of course it might require a ton of guesses to actually recover this information (traditionally a strong point in preventing hacking things such as locks or consumer passwords), but time may not be a big factor here since a few minutes is essentially an eternity in the context of toggling through power profile cycles for multi-GHz chips.
Countermeasures to these so-called “power analysis attacks” might be to either randomize power consumption during cryptographic operations so that they don’t exhibit measurable data dependency, or to ensure that power consumption is not strongly data-dependent. Achieving either of these goals is impractical without the aid of simulation tools to predict the outcome. You could potentially monitor power profiles as different keys (stimulation vectors) are triggered, and then simulate the effectiveness of analysis schemes like DPA. Efficiently making sense of the resultant simulated data and correlating it to various aspects of the chip architecture and physical design would be just as important as accurately capturing these power profiles in the first place. To be clear, the goal would not be to detect and counteract an attack while it’s happening, but rather to design the chip to minimize physical effects that may be correlated to sensitive data transmission, preventing hackers from successfully exploiting these physical signatures.
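The design-time check described above, as an added example (not code from the keynote or from any vendor tool): a Python simulation that applies the difference-of-means statistic to synthetic traces, with and without a randomizing countermeasure. Everything in it is a constructed assumption: the Hamming-weight power model, the random 8-bit S-box, the key, the noise level, and the trace length and leak position.

```python
import random

TRACE_LEN = 8   # samples per simulated trace (constructed)
LEAK_AT = 3     # sample index where the S-box output is processed (constructed)

# Constructed 8-bit permutation standing in for a cipher's S-box.
SBOX = list(range(256))
random.Random(2016).shuffle(SBOX)

def hw(x):
    """Hamming weight: number of set bits."""
    return bin(x).count("1")

def simulate(key, n, masked, rng, noise=1.0):
    """Per-plaintext trace sums and counts under a Hamming-weight power model."""
    sums = [[0.0] * TRACE_LEN for _ in range(256)]
    counts = [0] * 256
    for _ in range(n):
        pt = rng.randrange(256)
        value = SBOX[pt ^ key]
        if masked:                      # countermeasure: fresh random mask per run
            value ^= rng.randrange(256)  # toy model: only the masked share leaks
        counts[pt] += 1
        for t in range(TRACE_LEN):
            leak = hw(value) if t == LEAK_AT else 0
            sums[pt][t] += leak + rng.gauss(0, noise)
    return sums, counts

def dom_peak(sums, counts, guess):
    """Largest |mean(bit=1) - mean(bit=0)| over time for one key guess."""
    tot = [[0.0] * TRACE_LEN, [0.0] * TRACE_LEN]
    num = [0, 0]
    for pt in range(256):
        bit = SBOX[pt ^ guess] & 1      # predicted S-box output bit under this guess
        num[bit] += counts[pt]
        for t in range(TRACE_LEN):
            tot[bit][t] += sums[pt][t]
    return max(abs(tot[1][t] / num[1] - tot[0][t] / num[0])
               for t in range(TRACE_LEN))

def evaluate(key=0x3C, n=3000, masked=False, seed=7):
    """Peak difference-of-means statistic for each of the 256 key guesses."""
    sums, counts = simulate(key, n, masked, random.Random(seed))
    return [dom_peak(sums, counts, g) for g in range(256)]
```

In this model `evaluate()` puts its largest peak at the correct key, while `evaluate(masked=True)` leaves every guess at the noise floor, which is the property a designer would want to confirm before finalizing the design.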
Finally, the DesignCon keynote also went on to discuss specific countermeasures involving on-chip hardware security solutions for SoCs and infrastructure needs for the manufacturing and management of complex connected devices.
As sensitive data is more frequently being transmitted through IoT-connected and wearable devices, security solutions for SoCs will play a bigger role in IC and system designs. In addition to power consumption, several other physical effects can be exploited, such as electromagnetic emissions or even chip thermal profiles, which are also functions of on-chip activity; attacks that exploit them are generally classified under the umbrella of “side-channel attacks.” These data-dependent physical effects should be captured upfront and minimized before finalizing a design that may look functionally robust and secure, but is otherwise still seriously susceptible to data breaches through the physical characteristics it displays. The best way chip designers can expect to implement truly secure designs is to always be one step ahead of data thieves!
An example of how industry experts have already used commercially available simulation tools to demonstrate the feasibility of modeling one of these potential side-channel attacks (specifically the magnetic component of electromagnetic radiation) can be found in a paper published by ANSYS, Inc. (Apache Design Solutions at the time of publishing), LIRMM, and STMicroelectronics, A Simulation Flow for Time Domain Magnetic Radiations of ICs. Correlation of measurements with simulated results is also illustrated in the paper.