Rambus

At Rambus, we create cutting-edge semiconductor and IP products, spanning memory and interfaces to security, smart sensors and lighting.

Home > DPA Countermeasures

DPA Countermeasures

Below is an archive of the blog posts related to DPA Countermeasures. To learn more about our solutions and techniques for protecting devices against DPA and related side-channel attacks, click here.

Thales e-Security’s Countermeasure Validation Certification

by Leave a Comment

Side-channel analysis, and specifically Differential Power Analysis (DPA), can be used as an attack, statistically analyzing power consumption measurements from a cryptosystem. DPA attacks exploit biases in the varying power consumption of microprocessors or other hardware while performing operations using secret keys. With DPA, an attacker can obtain secret keys by analyzing power consumption measurements from multiple cryptographic operations performed by a vulnerable device.

Historically, solutions that included robust encryption/decryption algorithms with cryptographic keys were considered secure, as brute force attacks have ultimately become infeasible due to the increased key length of the cryptographic algorithm. However, side-channel attacks bypass some of the mathematical properties of a cryptographic system, instead, focusing on its implementation in hardware or software. Specifically, cryptographic systems routinely leak information about the internal state of computations. As a result, attackers can exploit various techniques to extract the key and other secret information from the device.

Rambus’ Countermeasure Validation Program

To address DPA attacks, the Countermeasure Validation Program is a comprehensive and rigorous security testing procedure that uses independent accredited testing labs. The program specifies procedures for independent testing of chipsets and System on Chips (SoC) to evaluate their resistance to DPA and other side-channel attacks. As it is important for products to have DPA resistance, the Countermeasure Validation Program helps chip purchasers and downstream customers identify licensed devices with the most robust and effective security against DPA attacks.

Side Channel Attack

Thales, a DPA Countermeasure Validation Licensee

In December, 2016, Thales renewed its DPA countermeasures license agreement with Rambus. Under the new five-year agreement, the Thales line of Hardware Security Modules (HSMs licensed to include protections against side-channel attacks, including high-performance data center appliances. To date, Thales is the only HSM company to have passed the DPA Countermeasures Validation program, thereby certifying that its products meet a stringent level of protection against side-channel attacks.

What is crucial is that, in an HSM, the master key is tamper-resistant and that only authorized users can request specific operations with the key. It is important that this process is secured, and as with any use of secrets, there is a possibility that the key could be leaked via a side-channel if not adequately protected.

“Cyber-threats and attacks are becoming increasingly sophisticated and pervasive,” said Cindy Provin, chief strategy and marketing officer at Thales. “By adding Rambus DPA countermeasures, we are able to protect against side-channel attacks, which adds an important element in our robust data security solutions.”

The Countermeasure Validation Program has also found use outside of HSM, with companies such as Boeing, Nvidia, Idaho Scientific, the Athena Group, NAGRA, and Winbond signing on as licensees. However, as far as HSM companies are concerned, Thales is the only HSM vendor who has gone through the program.

The Bottom Line

While systems have bolstered themselves against brute force attacks through robust encryption/decryption algorithms with cryptographic keys, DPA attacks can bypass those security measures. As a result, protection against side-channel attacks is crucial. Rambus’ DPA Countermeasures Program is a rigorous testing program that aims to certify products that have DPA resistance, and Thales is the only HSM provider that has taken on the challenge of building leak-resistant, secure solutions that can resist side-channel attacks.  The successful completion of the Countermeasure Validation Program is a significant step towards making data safer.

Protecting Electronic Systems from Side-Channel Attacks hbspt.cta.load(418219, ‘d909ff58-4235-490f-a525-50d75a9a667b’, {});

The importance of a hardware root-of-trust in an anti-counterfeiting IC

by

Scott Best, a technical director at Rambus Security, has written an article for Semiconductor Engineering about the important role a hardware root-of-trust plays in an anti-counterfeiting IC. As Best explains, during manufacture, an anti-counterfeiting security IC is securely programmed with secret data. Subsequently, during operation, it proves to a verifying host that it knows that secret data.

“This prove-you-know-the-secret authentication process between the security IC and a verifying host can be implemented in many ways, from incredibly simple to incredibly secure,” he explained. “For example, the security IC might contain nothing more than non-volatile storage, and the verifying host could simply read the secret data to confirm that the security IC is authentic.”

According to Best, the above-mentioned scenario isn’t secure, as an adversary who wishes to impersonate an authentic chip (e.g., to ship a cloned or counterfeit consumable product, such as a cellphone replacement battery) would simply have to monitor the data exchange between the verifying host and the security IC.

“A more secure proof-of-knowledge protocol involves cryptographic functions and there are as many possible protocols as there are cryptographic functions. [However], one aspect all secure protocols have in common is the concept of ‘challenge response,’” he stated. “That is, a verifying host creates a random challenge and delivers that message to the security IC. The security IC then uses its secret data to operate on the challenge in some cryptographic manner, and then returns a response.”

Put simply, this means an adversary monitoring the communication between the verifying host and the security IC would observe only random challenge values and the cryptographically-secure outputs, which, by definition, also appear random, or uncorrelated to both the challenge and secret-data input values. Nevertheless, despite the strength of the cryptographic primitives used to secure a challenge-response protocol, a determined adversary will be merely delayed, not defeated.

Indeed, certain markets for electronic consumables (e.g., printer ink and toner cartridges) are worth more than $50B USD annually, creating high incentive for skilled adversaries to penetrate security barriers. Moreover, there are dozens of techniques in an attacker’s arsenal, with most of them relying on a simple truth: to prove that it knows the secret data, the security IC must perform a calculation involving that secret key data.

“While cryptographic functions are probably secure at the mathematical level, that perfection is compromised when the math is executed in circuits – semiconductor processors utilize structures that are typically not reflected in the math, including power delivery, data busses, clocking, setup and hold margins, etc,” he explained. “All of these imperfect transformations between math and circuit create ‘side-channels’ [such as Differential Power Analysis, or DPA] that can be exploited by an adversary to determine the secret-key data utilized during a challenge-response calculation.”

As Best points out, the Cryptography group of the Rambus Security Division pioneered the Differential Power Analysis (DPA) technique, along with the most effective countermeasures to prevent information leakage due to that side channel.

“Once a side-channel attack is effective and the adversary has obtained the secret data of an authentic security IC, are counterfeits close behind? The answer is usually yes,” said Best. “While there are as many different challenge-response protocols in market as there are anti-counterfeiting security IC vendors, they almost all rely on standard cryptographic algorithms (e.g., AES, SHA, Elliptic Curve, etc.). So once an adversary has obtained the secret-data, it is relatively straightforward for them to program a low-cost, off-the-shelf MCU to imitate the challenge-response behavior of an authentic chip.”

According to Best, these types of anti-counterfeiting solutions can be broadly categorized as software root-of-trust systems. Meaning, their security depends on algorithms and data, which – though the algorithms execute in hardware and the data is stored in transistor-based non-volatile memory – can be effectively executed and represented in software. In contrast, a more difficult-to-copy solution is known as a hardware root-of-trust. In this approach, part of the cryptographic processing is performed in a circuit that cannot be cost-effectively executed in software running on a low-cost MCU.

“Suppose, for example, that the anti-counterfeiting security IC contained a customized processor that could complete the equivalent of one-billion 128-bit transformations every few milliseconds. Suppose further that this processing engine applied its algorithm to every input challenge,” he wrote. “In this case, even if the adversary learned the chip’s secret-data, they could not program a low-cost off-the-shelf MCU to mimic the transformation circuit necessary to mimic the protocol. Well, they could, but the low-cost MCU would require several hours to complete a single challenge-response calculation. In this way, a hardware root-of-trust can add a ‘proof-of-work’ layer in addition to proof-of-knowledge security.”

Most importantly, Best emphasizes, an adversary can no longer copy a hardware root-of-trust security IC simply by copying the software and data – they must expend the effort to copy the customized hardware itself.

“Semiconductor hardware is much more expensive and time-consuming to copy than the software and data within the semiconductor. This is how anti-MCU, or anti-emulation transformation circuits elevate typical software root-of-trust solutions into more robust hardware root-of-trust anti-counterfeiting solutions and how such solutions can deter and delay an adversary’s introduction of counterfeit products into the market,” he concluded.

Keep reading: Hardware Root of Trust: Everything you need to know »

An introduction to side-channel attacks

by

The rapid growth of connected devices and the sensitive data they generate poses a significant challenge for manufacturers seeking to comprehensively protect their devices from attack. Indeed, consumers expect their IoT devices and data to be adequately secured against a wide range of vulnerabilities and exploits. Put simply, high levels of security must now be implemented as a primary design parameter, rather than a tertiary afterthought.

Historically, solutions that included robust encryption/decryption algorithms with cryptographic keys were considered secure. This is because brute force attacks have ultimately become computationally infeasible due to the increased key length of the cryptographic algorithm.

waveform

Nevertheless, there is a category of attacks that simply ignore the mathematic properties of a cryptographic system – instead focusing on its physical implementation in hardware. More specifically, cryptographic systems routinely leak information about the internal process of computing. In practical terms, this means attackers can exploit various techniques to extract the key and other secret information from the device.

This vector is known as side-channel attacks, which are commonly referred to as SCA. Essentially, side-channel attacks monitor power consumption and electro-magnetic emissions while a device is performing cryptographic operations. Side-channel attacks conducted against electronic devices and systems are relatively simple and inexpensive to execute. This means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys.

According to YongBin Zhou and DengGuo Feng, one of the earliest instances of side-channel attacks occurred in 1965 when the British MI5 agency attempted to crack a cipher used by the Egyptian Embassy in London. After its efforts were thwarted by the limitations of mid-20th century computational power, a scientist by the name of P. Wright suggested placing a microphone near the rotor-cipher machine used by the Egyptians to monitor the click-sounds the device produced. By carefully listening to the clicks of the rotors as cipher clerks reset them each morning, MI5 agents managed to successfully deduce the core position of two or three of the machine’s rotors. This additional information significantly reduced the computation effort needed to break the cipher, enabling MI5 to effectively spy on the embassy’s communication for years.

Modern side-channel techniques were pioneered by Paul Kocher in the late 1990’s when the scientist observed that the mathematics of a cryptosystem could be effectively subverted.

“Integrated circuits are built out of individual transistors, which act as voltage-controlled switches. Current flows across the transistor substrate when charge is applied to (or removed from) the gate. This current then delivers charge to the gates of other transistors, interconnect wires and other circuit loads. The motion of electric charge consumes power and produces electromagnetic radiation, both of which are externally detectable,” Kocher wrote in 1998.

“Therefore, individual transistors produce externally observable electrical behavior. Because microprocessor logic units exhibit regular transistor switching patterns, it is possible to easily identify macro-characteristics (such as microprocessor activity) by the simple monitoring of power consumption. DPA type attacks perform more sophisticated interpretations of this data.”

Interested in learning more about side-channel attacks? You can check out our eBook on the subject below.

Download Introduction to Side-Channel Attacks

NIST eyes lightweight cryptography to protect small electronics

by Leave a Comment

Small devices, comprehensive protection

Cryptography experts at the National Institute of Standards and Technology (NIST) have kicked off an initiative to protect IoT devices that require a new class of cryptographic defenses against cyber-attacks. More specifically, the creation of such defenses is the goal of NIST’s lightweight cryptography initiative – which aims to develop cryptographic algorithmic standards that can function within the limited confines of a simple electronic device.

“Many of the sensors, actuators and other micromachines that will function as eyes, ears and hands in IoT networks will work on scant electrical power and use circuitry far more limited than the chips found in even the simplest cell phone,” NIST stated in a recent press release. “Similar small electronics exist in the keyless entry fobs to newer-model cars and the Radio Frequency Identification (RFID) tags used to locate boxes in vast warehouses.”

Lightweight encryption standards

As part of the initiative, NIST is seeking assistance in developing requirements and guidelines for such solutions. The “Draft Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process” is the first draft of this request – and can be downloaded here from the NIST website.

The ultimate goal, says NIST computer scientist Kerry McKay, is to develop lightweight encryption standards that benefit the entire market.

“The IoT is exploding, but there are tons of devices that have nothing for security,” McKay explained. “There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason.”

According to McKay, the NIST team spent four years consulting with various industry groups, ranging from smart power grid experts to auto manufacturers. Their advice prompted the team to stipulate that submitted algorithms must have been published previously and been analyzed (though not necessarily adopted) by a third party.

“We feel it’s a fair request because people have been working on crypto for constrained environments for several years now,” McKay added. “We want to see things that the world has looked at already.”

Authenticated encryption with AEAD

These solutions, says McKay, typically utilize symmetric cryptography – with both the sender and recipient having an advance copy of a digital key that can encrypt and decrypt messages. However, the NIST team specifies that these algorithms should also provide authenticated encryption with associated data (AEAD), which allows a recipient to check the integrity of both the encrypted and unencrypted information in a message.

In addition, NIST researchers stipulate that if a hash function is used to create a digital fingerprint of the data, the function should share resources with the AEAD to reduce the cost of implementation.

Side-channel attack countermeasures

Moreover, the “Draft Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process” specifies that the implementations of the AEAD algorithms and the optional hash function algorithms should lend themselves to countermeasures against various side-channel attacks (SCA), including timing attacks, simple and differential power analysis (SPA/DPA), as well as simple and differential electromagnetic analysis (SEMA/DEMA).

As we’ve previously discussed on Rambus Press, all physical electronic systems routinely leak information about the internal process of computing via fluctuating levels of power consumption and electro-magnetic emissions.

Much like traditional safecracking, electronic side-channel attacks eschew a brute force approach to extracting keys and other secret information from a device or system. As such, SCA conducted against electronic devices and systems are non-intrusive, relatively simple and inexpensive to execute.

An effective layer of side-channel countermeasures should therefore be implemented via hardware (DPA resistant cores), software (DPA resistant software libraries) or both. Countermeasures – including leakage reduction, noise introduction, obfuscation and the incorporation of randomness – are critical to ensuring the protection of sensitive keys and data. It should be noted that stand-alone noise introduction is incapable of sufficiently masking side-channel emissions. Indeed, DPA conducted against a device can effectively bypass stand-alone noise countermeasures, ultimately allowing the signal to be isolated.

TVLA and Rambus DPAWS

After layered countermeasures have been implemented, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage.

More specifically, DPAWS measures a range of side-channel attacks across a wide spectrum of devices and platforms including smart phones, tablets, POS terminals, CPUs, TVs, set-top boxes, FPGAs, smart cards and NFC tech. DPAWS provides users with a highly-intuitive UI paired with enhanced data visualization that creates an integrated, project-centric analytic environment specifically designed to optimize the efficiency of side-channel analysis.

Both flexible and scalable, DPAWS supports multiple side-channel sensors, device protocols and form factors, with out-of-the-box support for SASEBO and additional third-party hardware. DPAWS also easily integrates with a wide range of industry tools including Matlab, Python and other scripting languages. Moreover, the Rambus DPA Workstation supports full cipher coverage (AES, RSA, ECC, DES and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces. Source code is also available to facilitate increased flexibility.

Interested in learning more about protecting electronic systems from side-channel attacks? You can download our eBook on the subject below.

Download Protecting Electronic Systems from Side-Channel Attacks

Rambus licenses DPA countermeasures to Beijing Tongfang Microelectronics

by

Rambus has signed a patent license agreement with Beijing Tongfang Microelectronics Co., Ltd, a fabless chip design company that focuses on smart cards and related technologies.

The agreement includes the use of Rambus patents such as Differential Power Analysis (DPA) Countermeasures, which protect devices and integrated circuits against DPA and other related side-channel attacks (SCA). Much like safecracking, electronic side-channel attacks eschew a brute force approach to extracting keys and other secret information from a device or system. SCA conducted against electronic devices and systems are non-intrusive, relatively simple and inexpensive to execute.

“We are excited to deliver critical technology for protecting sensitive keys and data to Beijing Tongfang Microelectronics Co., Ltd.,” said Bret Sewell, senior vice president and general manager of the Rambus Security Division.

Differential Power Analysis

Differential Power Analysis (DPA) is a form of side-channel attack that monitors variations in the electrical power consumption or electro-magnetic emissions of a target device. The basic method involves partitioning a set of traces into subsets, then subsequently computing the difference of the averages of these subsets. A trace refers to a set of power consumption measurements taken while the device is performing cryptographic operations. Given enough traces, extremely minute correlations can be isolated — no matter how much noise is present in the measurements.

An example of the traces collected during a cryptographic operation is shown below in Figure 1.

The top trace shows the DPA results showing the average power trace for an AES-128 operation running on an FPGA. The DPA process was used to find the bytes of the last round key used in the AES operation. The middle trace is a differential trace for a DPA test carried out with an incorrect guess of the first byte of the last round key and the bottom trace shows the corresponding differential trace for the correct key byte guess.

A typical DPA attack comprises 6 primary stages: communicating with a target device; recording power traces while the target device performs cryptographic operations; signal processing to remove errors and reduce noise; prediction and selection function generation to prepare and define for analysis; as well as computing the averages of input trace subsets and evaluating DPA test results to determine the most probable key guesses.

Additional DPA variants include reverse engineering unknown S-boxes and algorithms, correlation power analysis (CPA), probability distribution analysis, high-order DPA and template attacks.

DPA countermeasures

Specific DPA countermeasure techniques include decreasing the signal-to-noise ratio of the power side channel by reducing leakage (signal) or increasing noise, for example, by making the amount of power consumed less contingent upon data values and/or operation (balancing); introducing amplitude and temporal noise; incorporating randomness with blinding and masking by randomly altering the representation of secret parameters and implementing protocol-level countermeasures by continually refreshing and updating cryptographic protocols used by a device.

Because all physical electronic systems routinely leak information, an effective layer of side-channel countermeasures should be implemented via hardware (DPA resistant cores), software (DPA resistant libraries) or both. It should be noted that stand-alone noise introduction is incapable of sufficiently masking side-channel emissions. Indeed, DPA conducted against a device can effectively bypass stand-alone noise countermeasures, ultimately allowing the signal to be isolated. After layered countermeasures have been implemented, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage.

Interested in learning more about Rambus’ DPA countermeasures? You can check out our product page here and download our eBook on the subject below.

Download Protecting Electronic Systems from Side-Channel Attacks

Detecting and analyzing side-channel vulnerabilities with TVLA

by

Bart Stevens, the senior director of sales for the EMEA region in Rambus’ Security Division and Gary Kenworthy, a senior principal engineer in Rambus’ Security Division, recently penned an article for Semiconductor Engineering that discusses the evaluation of side-channel vulnerabilities with Test Vector Leakage Assessment (TVLA).

TVLA: Understanding the basics

Rather than mounting a time-consuming attack to recover secret key information, says Stevens and Kenworthy, TVLA seeks to detect and analyze leakage directly in a device under test.

“For its core statistical test, TVLA specifies and compares two subsets (A&B) of collected traces, with the subsets selected according to known sensitive intermediate bits,” the two explained.

“Differences will be immediately apparent between subsets A and B if the algorithm implementation not properly protected. This core statistical test employs Welch’s t-test for evaluating the significance of the ‘difference of means.’”

The specific test vectors, says Stevens and Kenworthy, are standardized to focus on common leakage modes for a particular algorithm. For example, TVLA testing for the AES algorithm targets S-box outputs, round output, XOR of round input and output and the values of 1st and 2nd byte of round output.

Another TVLA testing mode is the non-specific leakage test. This method, says the authors, looks for differences in the collected traces between operations on fixed vs. varying data. This is a powerful technique that can amplify leakages and identify vulnerabilities even when specific attacks that might exploit that leakage have not yet been discovered.

“When gauging the level of side-channel resistance, testers may also want to follow TVLA assessment with a key extraction attack to verify the real-world significance of said leakage. The leakage profile identified by TVLA will greatly simplify the key extraction attack,” they add.

DPAWS: A TVLA testing platform

Because side-channel attacks are so effective, even well-planned resistance strategies may still leak sensitive information. Therefore, it is critical to verify the actual performance of side-channel countermeasures. The Rambus DPA workstation (DPAWS), for example, is a powerful tool for testing and evaluating the results of hardware or software implementations.

“The TVLA-capable Rambus DPA Workstation Platform (DPAWS) measures a range of side-channel leakages across a wide spectrum of devices and platforms including smart phones, tablets, POS terminals, CPUs, TVs, set-top boxes, FPGAs, smart cards and NFC tech,” Stevens and Kenworthy elaborate. “DPAWS also provides users with a highly-intuitive UI paired with enhanced data visualization that creates an integrated, project-centric analytic environment specifically designed to optimize the efficiency of side-channel analysis.”

Both flexible and scalable, DPAWS supports multiple side-channel sensors, device protocols and form factors, with out-of-the-box support for SASEBO and additional third-party hardware. Moreover, DPAWS easily integrates with a wide range of industry tools including Matlab, Python and other scripting languages. In addition, the Rambus DPA Workstation supports cipher coverage across many standard algorithms (AES, RSA, ECC, DES and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces. Source code is also available to facilitate increased flexibility.

Rambus DPAWS comprises a custom-configured workstation with an oscilloscope; a DPAD FPGA testing platform; a smart card test fixture; support for PCI high-speed sampling cards; a signal amplifier; EM probes, filters and a power supply. On the software and firmware side, DPAWS includes a device interface and data collection environment; signal processing; hypothesis and prediction generation; as well as optimized DPA analysis utilities and tools.

Conclusion

Side-channel attacks conducted against electronic systems are relatively simple and inexpensive to execute. An attacker does not need to know specific implementation details of the cryptographic device to perform these attacks and extract keys.

“As all physical electronic systems routinely leak information, effective side-channel countermeasures such as Rambus’ DPA Resistant Hardware Cores (DPARC) or DPA Software Library (DPASL) should be implemented at the design stage to ensure protection of sensitive keys and data,” Stevens and Kenworthy conclude. “After the implementation of hardware or software countermeasures, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage.”

Interested in learning more about Rambus’ DPA countermeasures? You can check out our product page here and download our eBook on the subject below.

Download Protecting Electronic Systems from Side-Channel Attacks

FREE Webinar: Secure Silicon IP Series: Complexity vs. Security

Register Today