Ways secret information can be extracted from electronic systems.
In last month’s Semiconductor Engineering article, we explored the basics of side channel attacks (SCAs). As we discussed, all cryptographic algorithms are subject to side channel attacks, with vulnerabilities extending across all platforms and form factors. In this article, we’ll be taking a closer look at the two primary categories of side channel attacks: simple power analysis (SPA) and differential power analysis (DPA) — techniques that were pioneered by Rambus Cryptography Research in the mid-1990s.
Simple Power Analysis (SPA)
As its name implies, simple power analysis is based on direct observation of power or electromagnetic (EM) measurements, with secret information extracted directly from those measurements. Secret information can be extracted from any kind of integrated circuit, circuit board or processor that is consuming power and executing operations. A fundamental rule to keep in mind: if an electronic component is consuming power, it is also radiating electromagnetic fluctuations. These side channels can be used as a window into the processing that is occurring, and this can leak secret information.
As we noted above, variations in power consumption occur as a circuit performs operations, whether cryptographic or otherwise. SPA takes a very direct look at power consumption as it relates to the cryptographic operation and can be used to discern the sequence of operations being calculated. For example, you can determine the sequence of squares and multiplies in the exponentiation operation of RSA, or the sequence of doubles and adds of an elliptic curve cryptography (ECC) algorithm. When cryptographic algorithms such as these process the information of a secret key serially, the sequence of operations reveals the key. As such, a secret key can potentially be extracted by simply monitoring the variations in power during the process.
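The leak described above can be modeled without any measurement hardware by logging the operation sequence itself. The following is an added example, not code from the original article: it compares a square-and-multiply loop, whose operation pattern spells out the exponent, with a Montgomery ladder that performs the same operations for every bit. The function names and the toy exponent and modulus are constructed for illustration.

```python
# Added illustration: the S/M operation log stands in for what a power trace shows.
# The exponent and modulus used here are constructed toy values, not real key material.

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation; logs each operation as 'S' or 'M'."""
    result, ops = 1, []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        ops.append("S")
        if bit == "1":                      # key-dependent multiply: the SPA leak
            result = (result * base) % mod
            ops.append("M")
    return result, "".join(ops)

def montgomery_ladder(base, exp, mod):
    """Montgomery ladder: one multiply and one square per bit, whatever the bit is.
    Real implementations also replace this branch with a constant-time swap."""
    r0, r1, ops = 1, base % mod, []
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r0, r1 = (r0 * r0) % mod, (r0 * r1) % mod
        ops.append("MS")
    return r0, "".join(ops)

def bits_from_ops(ops):
    """Read exponent bits off an S/M log: 'SM' means 1, a lone 'S' means 0."""
    bits, i = [], 0
    while i < len(ops):
        if ops[i:i + 2] == "SM":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)

if __name__ == "__main__":
    secret, modulus = 0b1011001101, 1000003   # constructed toy values
    _, leaky = square_and_multiply(42, secret, modulus)
    _, flat = montgomery_ladder(42, secret, modulus)
    print("square-and-multiply:", leaky, "->", bits_from_ops(leaky))
    print("montgomery ladder:  ", flat)
```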
Differential Power Analysis (DPA)
Differential power analysis is an extremely powerful technique that obtains and analyzes statistical measurements across multiple operations. This enables DPA to extract information from very minute power and electromagnetic (EM) fluctuations from a device. In fact, DPA can even extract information about individual gate-switching, an individual transistor turning on or off, or even the interaction between one gate and another.
Fundamentally, DPA can be thought of as a test that gauges the correlation between the bits that are being processed and the power the device consumes or the EM signals it emits. These power or EM measurements are known as traces, with trace measurements typically made across the entire operation. In the image below, we can see raw traces on the top, with the differential traces below. The secret key is revealed in the standout spikes of the differential traces.
The power – and threat – of using DPA against cryptographic implementations is that it allows the key to be “guessed” one byte at a time. For the correct key byte, we are correctly predicting certain bits inside of the process and this is reflected in the DPA leakage. If we guess the key byte incorrectly, then we will not have any correlation with the bit that we predict.
Let’s walk through a quick example of this. To analyze a system, we can either send it random messages, or just monitor the messages that are being sent to it. When we send these messages to the device, we collect the traces that measure the power that the circuit consumes while processing. Put simply, we measure the power (or EM) as it operates. Typically, we can identify the characteristics of an algorithm (such as round structure) because the trace will reflect the algorithm structure. The traces above reflect the EM of a 10 round AES-128 operation.
Let’s now look closely at the minute variations based on individual bits of that message – which could be the message directly or the message processed by the key.
For each of the traces that we collect, we model the algorithm state based on the known message. We may test the individual bits of the message for what we call input and output analysis, or we hypothesize bits of the internal state based on parts of the message – and parts of a hypothesized key. Then we test for correlation between this state and the power or EM measurement traces. This correlation can be either a statistical correlation as in the case of correlation power analysis (CPA), or a simple “difference of means” test in the case of differential power analysis.
If we see a statistically significant correlation, we call this a “leak.” Leakage of the message data (input or output bits) can help to calibrate our measurements and identify regions of interest, but it is generally not exploitable. However, when we see leakage of the internal data based on our hypothesis, it means the hypothesis – our key byte guess – was correct. We can do this for all 256 possible values of a single key byte. The one that results in “leakage” (correlation between the hypothesized state and the traces) is the correct key byte. This can be repeated for all the remaining key bytes to recover the entire key.
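The difference-of-means test described above can be reproduced on simulated data. The following is an added example, not code from the original article: it builds constructed single-sample "traces" under the assumption that the device leaks the Hamming weight of the first-round AES S-box output plus Gaussian noise, then scores all 256 hypotheses for one key byte. The leakage model, the function names and the key byte are assumptions made for the illustration.

```python
import random

def aes_sbox():
    """Build the AES S-box (GF(2^8) inverse followed by the affine transform)."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p = p * 3
        q = (q ^ (q << 1)) & 0xFF                               # q = q / 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = aes_sbox()
HW = [bin(v).count("1") for v in range(256)]   # Hamming weight lookup

def simulate_traces(key_byte, n, noise, rng):
    """Constructed traces: HW of the S-box output plus Gaussian noise (assumed model)."""
    pts = [rng.randrange(256) for _ in range(n)]
    traces = [HW[SBOX[p ^ key_byte]] + rng.gauss(0, noise) for p in pts]
    return pts, traces

def difference_of_means(pts, traces, guess, bit=0):
    """Split traces by the predicted S-box output bit and compare the two means."""
    ones = [t for p, t in zip(pts, traces) if (SBOX[p ^ guess] >> bit) & 1]
    zeros = [t for p, t in zip(pts, traces) if not (SBOX[p ^ guess] >> bit) & 1]
    return sum(ones) / len(ones) - sum(zeros) / len(zeros)

def rank_guesses(pts, traces):
    """Score all 256 key-byte hypotheses; the largest |difference| comes first."""
    scores = {g: abs(difference_of_means(pts, traces, g)) for g in range(256)}
    return sorted(scores, key=scores.get, reverse=True), scores

if __name__ == "__main__":
    pts, traces = simulate_traces(0x3C, 4000, 1.0, random.Random(1))  # constructed key byte
    ranked, scores = rank_guesses(pts, traces)
    for g in ranked[:3]:
        print(f"guess 0x{g:02x}: |difference of means| = {scores[g]:.3f}")
```

Only the correct hypothesis sorts the traces by a bit the simulated device actually processed, so its difference stands out near one Hamming-weight unit while wrong guesses stay close to zero.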
SCA: Real world risks
Side channel attacks can be used to extract keys and bypass the security of an unprotected smart card. In real-world terms, this allows an attacker to load or reset balances and extract or reset device PINs. A side channel attack may target the firmware itself or a key to the firmware that is running on the device. Either way, this technique enables an attacker to load unauthorized applications or modify applications to emulate or clone devices. Once this secret information is compromised, everything protected by conventional cryptographic methods is unprotected.
Looking beyond smart cards, side channel attacks can target mobile devices, captured or stolen devices, high-value consumables, hardware security modules, or really any device or system with side channel access to data protected by conventional cryptography. If a device or system doesn’t have side channel protections or countermeasures explicitly built in, it is very likely that the device or system is vulnerable and can be compromised by either SPA or DPA.
Conclusion
All cryptographic algorithms are subject to side channel attacks, with vulnerabilities extending across all platforms and form factors. Put simply, it doesn’t matter how costly or inexpensive a target platform or system is, as all are vulnerable to side channel attacks. To protect systems and devices from side channel attacks (both SPA and DPA), we recommend implementing an effective layer of side channel countermeasures via hardware (DPA resistant cores), software (DPA resistant software libraries) or both. After implementation, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform to confirm the cessation of sensitive side channel leakage.
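The evaluation step mentioned above is commonly run as a fixed-versus-random Welch's t-test over collected traces. The following is an added example, not code from the original article or from any TVLA product: it applies that test to two constructed device models, one that handles the keyed value directly and one that only handles a freshly masked share. The leakage models, the key byte and the 4.5 pass/fail bound (the value commonly used in TVLA testing, not stated on this page) are assumptions.

```python
import math
import random

HW = [bin(v).count("1") for v in range(256)]   # Hamming weight lookup
THRESHOLD = 4.5   # assumed pass/fail bound on |t|, as commonly used in TVLA testing

def leak_unprotected(p, key, rng, noise):
    """Constructed model: the device handles p ^ key directly."""
    return HW[p ^ key] + rng.gauss(0, noise)

def leak_masked(p, key, rng, noise):
    """Constructed model: first-order Boolean masking, only (p ^ key) ^ m is handled."""
    mask = rng.randrange(256)                  # fresh random mask per operation
    return HW[p ^ key ^ mask] + rng.gauss(0, noise)

def welch_t(a, b):
    """Welch's t statistic for two samples with unequal variances."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    va = sum((x - ma) ** 2 for x in a) / (len(a) - 1)
    vb = sum((x - mb) ** 2 for x in b) / (len(b) - 1)
    return (ma - mb) / math.sqrt(va / len(a) + vb / len(b))

def tvla_fixed_vs_random(leak, key, n, rng, fixed=0x00, noise=1.0):
    """Randomly interleave fixed-input and random-input runs, then compare the sets."""
    fixed_set, random_set = [], []
    for _ in range(n):
        if rng.random() < 0.5:
            fixed_set.append(leak(fixed, key, rng, noise))
        else:
            random_set.append(leak(rng.randrange(256), key, rng, noise))
    return welch_t(fixed_set, random_set)

def assess(leak, key, n=5000, seed=7):
    """Return (t, passed) for one device model."""
    t = tvla_fixed_vs_random(leak, key, n, random.Random(seed))
    return t, abs(t) < THRESHOLD

if __name__ == "__main__":
    for name, model in (("unprotected", leak_unprotected), ("masked", leak_masked)):
        t, ok = assess(model, 0xE7)            # 0xE7 is a constructed key byte
        print(f"{name:12s} t = {t:8.2f}  {'PASS' if ok else 'FAIL'}")
```

A pass here only covers first-order leakage at a single sample under this model; a fixed input whose processed value happens to have the average Hamming weight would also hide the mean difference, which is one reason assessments repeat the test with more than one fixed vector.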
Additional Resources
Understanding Side-channel Attacks, Their Implications, and How to Test a System’s Resistance (Webinar)
Side-channel attack targets deep neural networks (DNNs) (Blog)
DPA Countermeasures