Bypassing Encryption With Side-Channel Attacks

A brief history of attacking cryptography through indirect means.

popularity

Devices and systems that implement robust encryption/decryption algorithms using cryptographic keys were historically considered secure. Nevertheless, there is a category of attacks that simply ignore the mathematic properties of a cryptographic system – and instead focuses on its physical implementation in hardware.

This vector is known as side-channel attacks, which are commonly referred to as SCA. Put simply, side-channel attacks monitor power consumption and electromagnetic emissions while a device is performing cryptographic operations. Early examples of side-channel attacks include the inadvertent discovery of the 131-B2’s electromagnetic pulse and the deliberate monitoring of click-sounds produced by a rotor-cipher machine in the Egyptian Embassy in London.

The 131-B2 encrypted teletype terminal
The Bell Telephone 131-B2 was a top secret encrypted teletype terminal used by the United States Army and Navy to securely transmit wartime communications during WWII. As Yossi Oren of Jane’s Intelligence Review notes, the encryption scheme utilized by the 131-B2 devices, known as the one-time pad, is completely unbreakable, at least in theory. However, in 1943 a researcher observed that the device emitted a high-powered electromagnetic pulse each time a letter was processed. With an antenna and amplifier, the pulses could be monitored and decoded almost 80 feet away.

The rotor-cipher machine
Another early instance of a side-channel attack occurred in 1965 when the British MI5 agency attempted to crack a cipher used by the Egyptian Embassy in London. After its efforts were thwarted by the limitations of mid-20th century computational power, a scientist by the name of P. Wright suggested placing a microphone near the rotor-cipher machine used by the Egyptians to monitor the click-sounds the device produced. By carefully listening to the clicks of the rotors as cipher clerks reset them each morning, MI5 agents managed to successfully deduce the core position of two or three of the machine’s rotors. This additional information significantly reduced the computation effort needed to break the cipher, enabling MI5 to effectively spy on the embassy’s communication for years.

The 1990s and beyond
Modern side-channel techniques were pioneered by Paul Kocher in the late 1990’s when the scientist observed that the mathematics of a cryptosystem could be effectively subverted. Moreover, Kocher determined that SCA conducted against electronic devices and systems are non-intrusive, relatively simple and inexpensive to execute. Essentially, this means malicious actors can exploit side-channel attacks to compromise cryptographic systems and the devices or platforms they reside in. These include medical devices, smart phones, smart cards, tablets, POS terminals, CPUs, TVs, set-top boxes, game consoles, automotive components, FPGAs and NFC tech.

Side-channel attacks comprise a wide range of techniques including Differential Power Analysis (DPA), Simple Power Analysis (SPA), Simple Electromagnetic Analysis (SEMA), Differential Electromagnetic Analysis (DEMA), Correlation Power Analysis (CPA) and Correlation Electromagnetic Analysis (CEMA). It is important to note that all physical electronic systems routinely leak information about the internal process of computing via fluctuating levels of power consumption and electromagnetic emissions. SCA countermeasures – including leakage reduction, noise introduction, obfuscation and the incorporation of randomness – are therefore critical to ensuring the protection of sensitive keys and data.

SCA countermeasures: DPA-resistant cores
In a previous Semiconductor Engineering blog post about side-channel attacks, we described how companies can thwart SCA with DPA-resistant software libraries. In this article, we’ll take a brief look at side-channel resistant hardware in the form of DPA-resistant hardware cores (DPARC).

Such cores – which feature cryptographic accelerators with integrated countermeasures – should be optimized for performance, area and security applications. In addition, DPA-resistant cores should be built around optimized implementations of industry accepted ciphers such as AES, SHA-256, RSA and ECC. These countermeasures should be designed and tested extensively to suppress leakage up to 100M traces. Such designs would show strong DPA resistance requiring an adversary to collect and analyze power or EM data from billions of operations to be able to successfully extract secret key material through side channels.

DPARC should also support a wide range of industry standard cryptographic algorithms, random number generators such as AES, TDES, SHA-2, HMAC SHA-2, RSA, ECC, ChaCha20 and modes including Electronic Code Book (ECB), Cipher Block Chaining (CBC), Counter Mode (CTR), Galois Counter Mode (GCM) and Counter Mode with Cipher Block Chaining – Message Authentication Code (CCM). Perhaps most importantly, DPA-resistant cores should be portable to any FPGA or ASIC technology, with pre-certification and pre-validation helping customers accelerate time to market by avoiding time-consuming validation cycles.

In conclusion, SCA can be effectively blocked by a layer of side-channel countermeasures that are implemented via hardware (DPA-resistant cores), software (DPA-resistant libraries) or both. After the implementation of countermeasures, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform to confirm the cessation of sensitive side-channel leakage.



Leave a Reply