Rambus

At Rambus, we create cutting-edge semiconductor and IP products, spanning memory and interfaces to security, smart sensors and lighting.

Home > DPA Countermeasures

DPA Countermeasures

Below is an archive of the blog posts related to DPA Countermeasures. To learn more about our solutions and techniques for protecting devices against DPA and related side-channel attacks, click here.

Validating Cryptographic Algorithms to FIPS 140-2

by Leave a Comment

NIST, the National Institute of Standards and Technology, is a United States Department of Commerce agency tasked with both the creation and maintenance of a country-wide measurement infrastructure.  From their website: “From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology. Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations—from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.”

In 1995, NIST established a method for testing and validating cryptographic algorithms such as Rambus’ Crypto Accelerators and DPA Resistant Cores. Called the Cryptographic Algorithm Validation Program (CAVP), it provides validation testing of FIPS (Federal Information Processing Standards)-approved and NIST-recommended cryptographic algorithms and their individual components. Once successfully tested and validated, NIST adds this information to their publicly-available validation list.

The CAVP certification provides 3rdparty verification that a specific algorithm has been tested and has met independent standards for robustness. Consumers of cryptographic algorithms, generally chip designers, can rely on this certification as a determination of an algorithm’s effectiveness for their designs. Even designs for commercial applications often adopt FIPS certification as a means of ensuring robust security.

Rambus was recently notified that many of our algorithms have received CAVP FIPS 140-2 certification by NIST. Highlights include our Differential Power Analysis (DPA)-resistant and standard AES (Advanced Encryption Standard) and HMAC-SHA2 (Hash-based Message Authentication Code, Secure Hash Algorithm) cores. A full list of certifications can be found on the NIST website, along with the Crypto Accelerators and DPA Resistant Cores product pages on Rambus.com. Many of the certified algorithms are included in standard configurations of our CryptoManager Root of Trust family of products.

We see the CAVP certification as especially important for our most security-conscious customers, typically those designing SoCs for government, military and automotive use. However, the importance of this certification is not unique to those markets. Regardless of what use a chip might be destined, semiconductor designers understand the growing importance of security in any connected application. The certification of cryptographic algorithms and cores to the FIPS standard provides customers with assurance of the robustness, quality and applicability of cryptographic solutions.

Fault Injection Attacks PlayStation Vita’s SoC

by Leave a Comment

Security researcher Yifan Lu recently published a detailed paper that examines how voltage glitching causes critical timing violations in CMOS behavior. More specifically, Lu closely analyzes CMOS transistor behavior to better understand when the combinational logic is most susceptible to voltage glitch induced faults. The paper also describes a real-world fault injection attack against the PlayStation Vita’s SoC that gains early (boot time) execution control and dumps the secure boot ROM.

Picture of a lock on the board

As Lu notes, glitching, or fault injection, has been used for quite some time to attack software running on allegedly secure execution environments. This is because fault injections can cause a malfunction in the target’s SoC that enable an attacker to assume full control over a device. Voltage glitching, he says, is a specific kind of fault injection that is particularly appealing to attackers, as it is inexpensive to deploy and widely applicable to most chips. Crowbar glitching, he adds, was implemented in the ChipWhisperer open hardware platform and brought such attacks to the mainstream.

“It works by abusing the capacitance ringing effect caused by introducing a crowbar circuit into the existing system,” he explains. “The ringing causes faults that can be exploited.”

For the Vita attack, Lu closely examines how voltage glitches introduce timing violations into a digital circuit. He then finds snippets of code to glitch. Once a target is identified, he searches for the correct timing parameters for the crowbar circuit to cause a fault. Finally, the injected fault introduces a software vulnerability that is exploited to gain code execution.

“All of this can be done at a low cost thanks to the open hardware interface of the ChipWhisperer. With a custom script written for ChipWhisperer, we created a working attack on a security hardened consumer device,” he concludes.

From our perspective, the fault injection attack against the PlayStation Vita’s SoC could have been prevented if it had included a hardware-based security core. Siloed from the primary processor, such a security core is specially designed to securely run sensitive code, processes and algorithms. Indeed, a hardware-based security core can utilize advanced anti-tamper techniques to provide the highest level of security and protection against fault injection and other attacks. These include a canary core for the detection of glitching and over-clocking, logic and crypto redundancy, secure state encoding and ephemeral keys that are generated on-the-fly from multiple splits and flushed immediately after use.

In addition, a hardware-based security core can protect the host processor from compromise, as well as thwart non-volatile memory (NVM) key extraction, tearing and other attacks against NVM writes, corruption of non-volatile memory or fuses, probing of external buses, man-in-the-middle and replay attacks. Last, but certainly not least, a hardware-based security core can help protect SoCs against test and debug interface attacks, power/EM analysis (SPA/DPA) and other side-channel attacks, including timing attacks.

Interested in learning more about hardware-based security cores? You can check out our CryptoManager Root of Trust product page here.

Fault Injection Attacks: Bart Stevens Explains In eeweb.com/EE Times Article

by Leave a Comment

We’ve all heard about micro-architectural vulnerabilities, Meltdown, Spectre, and Foreshadow.  Volumes have been written about them in the trade and popular press. Indeed, they are the top villains of the electronics world.

Chip

Meanwhile, academicians and scholars are closely investigating yet another group of bad actors that – like those vulnerabilities – are up to no good and are also attacking electronics systems. These are fault injection attacks or FIAs.

Bart Stevens, Sr. Director, Product Management for the Cryptography Product Group, recently wrote a piece for eeweb.com/EE Times network to explain to SoC and system designers what FIAs are all about and how best to skirt them in their next generation designs.

Simply put, he says, the whole idea of an FIA is to make silicon do something else besides what it’s intended to. The attackers objective is to create a transient fault during the execution of some particular chip operation or lead to the reduction or disabling of security features and countermeasures.

Two examples Stevens writes about are voltage and clock glitching.  In the first one, he says the attacker increases voltage or creates a fake glitch in the system. As for clock glitching, he says one or more short pulses in the external clock are introduced to temporarily accelerate the chip’s clock.

Stevens tells eeweb.com/EE Times network readers that embedded security establishes the barriers to guard against FIAs and chip vulnerabilities.

“Certain key countermeasures like those in Rambus’ Root-of-Trust core are critical to assure the SoC and system designer an attacker is completely deprived of any attack avenue.  Those countermeasures include items such as critical control signal redundancy, canary logic, separated key bus logic and logic to protect cryptographic algorithm implementations,” Stevens asserts.

Check out Rambus’ DPA Workstation (DPAWS) that’s available with Riscure fault injection products offering complete fault injection functionality and differential fault analysis (DFA).

Best-in-class Security Testing Platform for Side-channel Analysis by Rambus and Riscure

by Leave a Comment

Today, on October 16th, 2018, Rambus has announced the collaboration with Riscure, a global security lab based in San Francisco, to deliver cutting-edge security testing solutions to chip manufacturers, government institutions and security evaluation laboratories worldwide. As part of a combined solution, Rambus will expand its Differential Power Analysis (DPA) Workstation (DPAWS) to include the Riscure Inspector Fault Injection products to deliver a comprehensive side-channel analysis platform.

The collaboration enables Rambus to offer Riscure’s unique fault injection products and capabilities in combination with the Rambus DPA Workstation, allowing our customers to source a combined side-channel testing platform from a single vendor. The combined solution is a powerful and flexible testing platform that includes an integrated suite of hardware and software for analyzing the vulnerabilities of cryptographic chips and systems to attacks such as fault, power and electromagnetic (EM) side-channel attacks.

chips

Dr. Martin Scott, Senior Vice President and General Manager of Cryptography, as well as Chief Technical Officer at Rambus has noted that as the number of widespread chip vulnerabilities continues to grow, hardware-level security and resistance to side-channel attacks is becoming a critical requirement for secure chip design. “As leaders in side-channel testing, Rambus and Riscure have a long-standing collaborative relationship and this agreement strengthens that alliance to provide the best overall solutions and services for both company’s customers,” said Scott.

Speaking about Fault Injection, Marc Witteman, Chief Executive Officer at Riscure said that it has become an alarmingly widespread hardware attack technique. He also noted that, on an adversary level, the cost of performing such an attack also decreases. “To outpace this development, hardware vendors should test their products for robustness against all kinds of hardware vulnerabilities using cutting-edge equipment and attack know-how. Riscure Inspector Fault Injection accumulates more than 10 years of experience in hardware security testing. Thanks to our partnership with Rambus, the world-class fault injection tools and software from Riscure now become available to a wider range of businesses worldwide.”

The Bottom Line

The announcement of the collaboration between Rambus and Riscure, which will expand Rambus’ already comprehensive DPAWS platform to include Riscure’s unique Fault Injection products represents a positive step forward for security against hardware attacks. With the advent of widespread chip vulnerabilities such as Meltdown/Spectre and Foreshadow, it is becoming imperative for companies to implement hardware-level security and resistance to side-channel attacks into their hardware.

Thales e-Security’s Countermeasure Validation Certification

by Leave a Comment

Side-channel analysis, and specifically Differential Power Analysis (DPA), can be used as an attack, statistically analyzing power consumption measurements from a cryptosystem. DPA attacks exploit biases in the varying power consumption of microprocessors or other hardware while performing operations using secret keys. With DPA, an attacker can obtain secret keys by analyzing power consumption measurements from multiple cryptographic operations performed by a vulnerable device.

Historically, solutions that included robust encryption/decryption algorithms with cryptographic keys were considered secure, as brute force attacks have ultimately become infeasible due to the increased key length of the cryptographic algorithm. However, side-channel attacks bypass some of the mathematical properties of a cryptographic system, instead, focusing on its implementation in hardware or software. Specifically, cryptographic systems routinely leak information about the internal state of computations. As a result, attackers can exploit various techniques to extract the key and other secret information from the device.

Rambus’ Countermeasure Validation Program

To address DPA attacks, the Countermeasure Validation Program is a comprehensive and rigorous security testing procedure that uses independent accredited testing labs. The program specifies procedures for independent testing of chipsets and System on Chips (SoC) to evaluate their resistance to DPA and other side-channel attacks. As it is important for products to have DPA resistance, the Countermeasure Validation Program helps chip purchasers and downstream customers identify licensed devices with the most robust and effective security against DPA attacks.

Side Channel Attack

Thales, a DPA Countermeasure Validation Licensee

In December, 2016, Thales renewed its DPA countermeasures license agreement with Rambus. Under the new five-year agreement, the Thales line of Hardware Security Modules (HSMs licensed to include protections against side-channel attacks, including high-performance data center appliances. To date, Thales is the only HSM company to have passed the DPA Countermeasures Validation program, thereby certifying that its products meet a stringent level of protection against side-channel attacks.

What is crucial is that, in an HSM, the master key is tamper-resistant and that only authorized users can request specific operations with the key. It is important that this process is secured, and as with any use of secrets, there is a possibility that the key could be leaked via a side-channel if not adequately protected.

“Cyber-threats and attacks are becoming increasingly sophisticated and pervasive,” said Cindy Provin, chief strategy and marketing officer at Thales. “By adding Rambus DPA countermeasures, we are able to protect against side-channel attacks, which adds an important element in our robust data security solutions.”

The Countermeasure Validation Program has also found use outside of HSM, with companies such as Boeing, Nvidia, Idaho Scientific, the Athena Group, NAGRA, and Winbond signing on as licensees. However, as far as HSM companies are concerned, Thales is the only HSM vendor who has gone through the program.

The Bottom Line

While systems have bolstered themselves against brute force attacks through robust encryption/decryption algorithms with cryptographic keys, DPA attacks can bypass those security measures. As a result, protection against side-channel attacks is crucial. Rambus’ DPA Countermeasures Program is a rigorous testing program that aims to certify products that have DPA resistance, and Thales is the only HSM provider that has taken on the challenge of building leak-resistant, secure solutions that can resist side-channel attacks.  The successful completion of the Countermeasure Validation Program is a significant step towards making data safer.

Protecting Electronic Systems from Side-Channel Attacks hbspt.cta.load(418219, ‘d909ff58-4235-490f-a525-50d75a9a667b’, {});

The importance of a hardware root-of-trust in an anti-counterfeiting IC

by

Scott Best, a technical director at Rambus Security, has written an article for Semiconductor Engineering about the important role a hardware root-of-trust plays in an anti-counterfeiting IC. As Best explains, during manufacture, an anti-counterfeiting security IC is securely programmed with secret data. Subsequently, during operation, it proves to a verifying host that it knows that secret data.

“This prove-you-know-the-secret authentication process between the security IC and a verifying host can be implemented in many ways, from incredibly simple to incredibly secure,” he explained. “For example, the security IC might contain nothing more than non-volatile storage, and the verifying host could simply read the secret data to confirm that the security IC is authentic.”

According to Best, the above-mentioned scenario isn’t secure, as an adversary who wishes to impersonate an authentic chip (e.g., to ship a cloned or counterfeit consumable product, such as a cellphone replacement battery) would simply have to monitor the data exchange between the verifying host and the security IC.

“A more secure proof-of-knowledge protocol involves cryptographic functions and there are as many possible protocols as there are cryptographic functions. [However], one aspect all secure protocols have in common is the concept of ‘challenge response,’” he stated. “That is, a verifying host creates a random challenge and delivers that message to the security IC. The security IC then uses its secret data to operate on the challenge in some cryptographic manner, and then returns a response.”

Put simply, this means an adversary monitoring the communication between the verifying host and the security IC would observe only random challenge values and the cryptographically-secure outputs, which, by definition, also appear random, or uncorrelated to both the challenge and secret-data input values. Nevertheless, despite the strength of the cryptographic primitives used to secure a challenge-response protocol, a determined adversary will be merely delayed, not defeated.

Indeed, certain markets for electronic consumables (e.g., printer ink and toner cartridges) are worth more than $50B USD annually, creating high incentive for skilled adversaries to penetrate security barriers. Moreover, there are dozens of techniques in an attacker’s arsenal, with most of them relying on a simple truth: to prove that it knows the secret data, the security IC must perform a calculation involving that secret key data.

“While cryptographic functions are probably secure at the mathematical level, that perfection is compromised when the math is executed in circuits – semiconductor processors utilize structures that are typically not reflected in the math, including power delivery, data busses, clocking, setup and hold margins, etc,” he explained. “All of these imperfect transformations between math and circuit create ‘side-channels’ [such as Differential Power Analysis, or DPA] that can be exploited by an adversary to determine the secret-key data utilized during a challenge-response calculation.”

As Best points out, the Cryptography group of the Rambus Security Division pioneered the Differential Power Analysis (DPA) technique, along with the most effective countermeasures to prevent information leakage due to that side channel.

“Once a side-channel attack is effective and the adversary has obtained the secret data of an authentic security IC, are counterfeits close behind? The answer is usually yes,” said Best. “While there are as many different challenge-response protocols in market as there are anti-counterfeiting security IC vendors, they almost all rely on standard cryptographic algorithms (e.g., AES, SHA, Elliptic Curve, etc.). So once an adversary has obtained the secret-data, it is relatively straightforward for them to program a low-cost, off-the-shelf MCU to imitate the challenge-response behavior of an authentic chip.”

According to Best, these types of anti-counterfeiting solutions can be broadly categorized as software root-of-trust systems. Meaning, their security depends on algorithms and data, which – though the algorithms execute in hardware and the data is stored in transistor-based non-volatile memory – can be effectively executed and represented in software. In contrast, a more difficult-to-copy solution is known as a hardware root-of-trust. In this approach, part of the cryptographic processing is performed in a circuit that cannot be cost-effectively executed in software running on a low-cost MCU.

“Suppose, for example, that the anti-counterfeiting security IC contained a customized processor that could complete the equivalent of one-billion 128-bit transformations every few milliseconds. Suppose further that this processing engine applied its algorithm to every input challenge,” he wrote. “In this case, even if the adversary learned the chip’s secret-data, they could not program a low-cost off-the-shelf MCU to mimic the transformation circuit necessary to mimic the protocol. Well, they could, but the low-cost MCU would require several hours to complete a single challenge-response calculation. In this way, a hardware root-of-trust can add a ‘proof-of-work’ layer in addition to proof-of-knowledge security.”

Most importantly, Best emphasizes, an adversary can no longer copy a hardware root-of-trust security IC simply by copying the software and data – they must expend the effort to copy the customized hardware itself.

“Semiconductor hardware is much more expensive and time-consuming to copy than the software and data within the semiconductor. This is how anti-MCU, or anti-emulation transformation circuits elevate typical software root-of-trust solutions into more robust hardware root-of-trust anti-counterfeiting solutions and how such solutions can deter and delay an adversary’s introduction of counterfeit products into the market,” he concluded.