Understanding Side Channel Attacks

Side channel attacks (SCAs) differ considerably from conventional cryptographic attacks. Essentially, side channel attacks – which can be very low-cost and non-invasive – exploit data gathered from side channels. A side channel can be exploited by simply placing an antenna, magnetic probe, or other sensor near a device or system. This allows an attacker to measure power consumption, voltage fluctuations, or other side channels such as temperature or sound.

All cryptographic algorithms are subject to side channel attacks, with vulnerabilities extending across all platforms and form factors. Put simply, it doesn’t matter how costly or inexpensive a target platform or system is, as all are vulnerable to side channel attacks. Moreover, side channel attacks require minimal knowledge of the internal workings of a system to be effective.

Side channel attacks can be broken down into two primary categories. The first is simple power analysis (SPA). SPA is based on direct observations of power or EM measurements, with secret information extracted from these (direct) measurements. The second is differential power analysis (DPA). DPA and similar advanced attacks utilize statistical techniques that infer keys from minute correlations and measurements across multiple operations. It should be noted that white hat DPA and SPA techniques were pioneered by Rambus Cryptography Research in the mid-1990s.

Side channel attacks can be used to extract the keys from a device like a smart card. In real-world terms, this allows an attacker to load or reset balances and extract or reset device PINs. A side channel attack may target the firmware itself or a key to the firmware that is running on the device. Either way, this technique enables an attacker to load unauthorized applications or modify applications to emulate or clone devices. Once this secret information is compromised, then everything protected by conventional cryptographic methods is unprotected.

There is clearly a lot of money, effort and time being spent on cryptography to protect high value content and transactions. However, side channel attacks break cryptographic algorithms if a device isn’t sufficiently protected or equipped with countermeasures. Put simply, if a device or system is worth protecting with cryptographic algorithms it should also be protected against side channel attacks.

As we discussed above, a smart card is one example that illustrates the dangers of side channel attacks. This is because a smart card contains cryptographically protected secrets. Other examples include mobile devices, captured or stolen devices, high-value consumables, or really any device or system with side channel access to data protected by cryptography. If a device or system doesn’t have side channel protections or countermeasures explicitly built in, it is virtually certain that the device or system is vulnerable and can be compromised by either SPA or DPA.

To protect systems and devices from side channel attacks, we recommend implementing an effective layer of side channel countermeasures via hardware (DPA resistant cores), software (DPA resistant software libraries) or both. Countermeasures – including leakage reduction, noise introduction, obfuscation and the incorporation of randomness – are critical to ensuring the protection of sensitive keys and data. It should be noted that stand-alone noise introduction is incapable of sufficiently masking side channel emissions. Indeed, DPA conducted against a device can effectively bypass stand-alone noise countermeasures, ultimately allowing the signal to be isolated.

After layered countermeasures have been implemented, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) testing platform to confirm the mitigation of sensitive side channel leakage. More specifically, such a test platform should be capable of measuring a range of side channel attacks across a wide spectrum of devices and platforms. A side channel test platform should also support multiple side channel sensors, device protocols and form factors, with out-of-the-box support for third-party hardware. In addition, it should support full cipher coverage (AES, RSA, ECC, DES and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces.

In conclusion, all physical electronic systems routinely leak information about the internal process of computing via fluctuating levels of power consumption and electro-magnetic emissions. Much like safecracking, an electronic side channel attack eschews a brute force approach to extracting keys and other secret information from a device or system. To protect systems and devices from side channel attacks, we recommend implementing an effective layer of side channel countermeasures via hardware (DPA resistant cores), software (DPA resistant software libraries) or both. After implementation, systems should be carefully evaluated with a suitable testing platform employing Test Vector Leakage Assessment to validate the effectiveness of the countermeasures in reducing sensitive side channel leakage.