Knowledge Center
Knowledge Center

Side Channel Attacks

A class of attacks on a device and its contents by analyzing information using different access methods.


Side-channel attacks are a class of attacks where an attacker attempts to assess the state of a cryptographic device and its contents. This is accomplished by observing and analyzing information that can be observed using different access methodologies.

By analyzing the electromagnetic emissions coming out of the device, it is possible to non-invasively extract keys and other sensitive information from the device. Basically, DPA measures power levels at different parts of the chip and uses statistical analysis. Measuring these power fluctuation can identify the kind of computations are being run by DPA, and repeated permutations and analysis can reveal bits of the cryptokey. Enough repetitions will, eventually, produce the complete key. It is simply a matter of recording the waveforms of the cipher text and side channel leakage, applying post processing, and all of a sudden, the keys are

The more common types if side channel attacks include:

Electromagnetic. When the chip’s processors run their functions and algorithms, EM fields are produced. We all know that the movement of electrons causes a resultant electromagnetic field, however small, and armed with a bit of knowledge and the right equipment, that field can be measured and analyzed. Such fields are freely and universally available on just about any chip that doesn’t have some sort of RF shielding or leakage nullification processes.

The equipment used to capture and analyze the RF field emitted from a crypto processor is the same as any RF analysis setup. It just has to be able to capture minute EM fields. It includes probes; power – which is nothing more than a voltage or current sensing probe, and EM – some configuration of a coil and an LNA. Other equipment is a digital storage scope, a high-bandwidth amplifier and a workstation with RF/EM analysis software.

Power monitoring. Because different processes that run on chips have differing execution parameters, they have unique power signatures. Analyzing these power signatures can provide clues as to what the data contains. There are two types of power analysis, differential power analysis (DPA) and simple power analysis (SPA). Both techniques have to have direct access to power pins on the chip and analyze the data by either direct examination and translation, or statistical analysis of the fluctuations. Both techniques will be discussed, in depth, in a future article.

Acquiring power traces is relatively unsophisticated. All that is required is a resistor placed in parallel with the proper pins that monitors the power drawn by the cryptographic operation. A sampling device, such as an oscilloscope is placed across the resistor and the voltage changes across the resistor, are collected and analyzed.

SPA examines the features, such as timing, device attributes, algorithm structure, etc., which can be observed directly in a single power trace or by comparing power trace pairs. It relies more upon pattern recognition than mathematical analysis and is useful for larger-scale power variations. Its strong suit is that it can reveal the sequence of executed code. Consequently, it can reveal cryptographic information such as DES key schedule computations and permutations.

DPA is much more capable of analyzing power routines than SPA because it can analyze the anomalies attached to data values, using statistical analysis. The procedure analyzes the traces for subsets, takes the averages, and computes the differences of the averages. The subsets are then assigned to the traces (it doesn’t matter which subset is assigned to which trace). As it turns out, if the subsets are related to the traces, permutations of the subset will approach some finite number. If they are uncorrelated, then the permutations will approach zero. Eventually, given a sufficient number of traces, even very tiny correlations can be identified within the traces.

Timing attack. These attacks analyze the time it takes to execute various cryptographic operations. The attacker analyzes the algorithms and determines the timing intervals for them. Then, the measurements are fed into a statistical model that outputs some variation of a key, for example. While it may not be the exact key, it will have some measure of certainty. The process is used to perform the statistical correlation analysis of the timing information to, eventually, recover the correct key. Timing attacks are most effective against encryption algorithms such as RSA, ElGamal, and Digital Signatures.

The Fault Attack. These are a bit of a different animal in the sense that they do something to the chip to disrupt the functionality. They are still considered side channel attacks because they use the same analysis methodology as some of the non-invasive attacks, specifically the differential fault analysis. As with the DPA, DFA attempts to extract keys or cryptographic data in a similar fashion to the power analysis, except that it causes variances in the algorithms as one part of the process.

This creates a known anomaly in the cryptographic processes (for this discussion, DES algorithms, but the process can be applied to DES, RSA, IDEA, RC5, DSA and other ciphers, as well) to cause them to fault. Such faults may include heat, over/under voltage, clock shifts, EM fields, or radiation, for example. Dr. Axel York Poschmann, head of the Vulnerability Analysis Innovation Center Crypto & Security Business Unit Security & Connectivity at NXP Semiconductors notes, “A successful fault attack can result in a disturbed program flow. That may result in, say, a skipped PIN verification step. It may also be possible to dump the entire content of the memory, including the secret key, for example.’

While methodologies vary depending on the cipher, Poschmann describes it very elegantly: “The basic premise is to introduce a fault during the encryption process. For example, by voltage or clock glitching, or laser fault injection, and observe the resultant difference in the output of two or more encryption runs with the same plaintext and key. As the cryptographic algorithm is fully specified and known to the attacker, except for the secret key (Kerckhoff’s principle), it becomes possible to trace the difference, backwards through the algorithm.’

He adds that “block ciphers such as AES are optimized against cryptanalytic attacks (for example, linear and differential cryptanalysis), by having specific building blocks – so called S-boxes. These are highly non-linear, and have a uniform output distribution. This is achieved by reducing the probability of occurrences of fixed input-output patterns to this building block. In DFA, this characteristic is used to exclude many key candidates and thus reducing the search space significantly. Theoretically introducing a dozen faults is sufficient to retrieve an entire 128-bit AES key.’

These are the more visible of the side channel attacks. Other types include such approaches as acoustic cryptanalysis, which attempts to analyze data from acoustic signatures, and data remanence, which attempts to discover leftover sensitive data before it gets overwritten.