DPA Countermeasures

The rapid growth of connected devices and the sensitive data they generate poses a significant challenge for manufacturers seeking to comprehensively protect their devices from attack. Indeed, consumers expect their IoT devices and data to be adequately secured against a wide range of vulnerabilities and exploits. Put simply, high levels of security must now be implemented as a primary design parameter, rather than a tertiary afterthought.

Historically, solutions that included robust encryption/decryption algorithms with cryptographic keys were considered secure. This is because brute force attacks have ultimately become computationally infeasible due to the increased key length of the cryptographic algorithm.

Nevertheless, there is a category of attacks that simply ignore the mathematic properties of a cryptographic system – instead focusing on its physical implementation in hardware. More specifically, cryptographic systems routinely leak information about the internal process of computing. In practical terms, this means attackers can exploit various techniques to extract the key and other secret information from the device.

This vector is known as side-channel attacks, which are commonly referred to as SCA. Essentially, side-channel attacks monitor power consumption and electro-magnetic emissions while a device is performing cryptographic operations. Side-channel attacks conducted against electronic devices and systems are relatively simple and inexpensive to execute. This means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys.

According to YongBin Zhou and DengGuo Feng, one of the earliest instances of side-channel attacks occurred in 1965 when the British MI5 agency attempted to crack a cipher used by the Egyptian Embassy in London. After its efforts were thwarted by the limitations of mid-20th century computational power, a scientist by the name of P. Wright suggested placing a microphone near the rotor-cipher machine used by the Egyptians to monitor the click-sounds the device produced. By carefully listening to the clicks of the rotors as cipher clerks reset them each morning, MI5 agents managed to successfully deduce the core position of two or three of the machine’s rotors. This additional information significantly reduced the computation effort needed to break the cipher, enabling MI5 to effectively spy on the embassy’s communication for years.

Modern side-channel techniques were pioneered by Paul Kocher in the late 1990’s when the scientist observed that the mathematics of a cryptosystem could be effectively subverted.

“Integrated circuits are built out of individual transistors, which act as voltage-controlled switches. Current flows across the transistor substrate when charge is applied to (or removed from) the gate. This current then delivers charge to the gates of other transistors, interconnect wires and other circuit loads. The motion of electric charge consumes power and produces electromagnetic radiation, both of which are externally detectable,” Kocher wrote in 1998.

“Therefore, individual transistors produce externally observable electrical behavior. Because microprocessor logic units exhibit regular transistor switching patterns, it is possible to easily identify macro-characteristics (such as microprocessor activity) by the simple monitoring of power consumption. DPA type attacks perform more sophisticated interpretations of this data.”

Interested in learning more about side-channel attacks? You can check out our eBook on the subject below.

Small devices, comprehensive protection

Cryptography experts at the National Institute of Standards and Technology (NIST) have kicked off an initiative to protect IoT devices that require a new class of cryptographic defenses against cyber-attacks. More specifically, the creation of such defenses is the goal of NIST’s lightweight cryptography initiative – which aims to develop cryptographic algorithmic standards that can function within the limited confines of a simple electronic device.

“Many of the sensors, actuators and other micromachines that will function as eyes, ears and hands in IoT networks will work on scant electrical power and use circuitry far more limited than the chips found in even the simplest cell phone,” NIST stated in a recent press release. “Similar small electronics exist in the keyless entry fobs to newer-model cars and the Radio Frequency Identification (RFID) tags used to locate boxes in vast warehouses.”

Lightweight encryption standards

As part of the initiative, NIST is seeking assistance in developing requirements and guidelines for such solutions. The “Draft Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process” is the first draft of this request – and can be downloaded here from the NIST website.

The ultimate goal, says NIST computer scientist Kerry McKay, is to develop lightweight encryption standards that benefit the entire market.

“The IoT is exploding, but there are tons of devices that have nothing for security,” McKay explained. “There’s such a diversity of devices and use cases that it’s hard to nail them all down. There are certain classes of attacks to consider, lots of variations. Our thinking had to be broad for that reason.”

According to McKay, the NIST team spent four years consulting with various industry groups, ranging from smart power grid experts to auto manufacturers. Their advice prompted the team to stipulate that submitted algorithms must have been published previously and been analyzed (though not necessarily adopted) by a third party.

“We feel it’s a fair request because people have been working on crypto for constrained environments for several years now,” McKay added. “We want to see things that the world has looked at already.”

Authenticated encryption with AEAD

These solutions, says McKay, typically utilize symmetric cryptography – with both the sender and recipient having an advance copy of a digital key that can encrypt and decrypt messages. However, the NIST team specifies that these algorithms should also provide authenticated encryption with associated data (AEAD), which allows a recipient to check the integrity of both the encrypted and unencrypted information in a message.

In addition, NIST researchers stipulate that if a hash function is used to create a digital fingerprint of the data, the function should share resources with the AEAD to reduce the cost of implementation.

Side-channel attack countermeasures

Moreover, the “Draft Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process” specifies that the implementations of the AEAD algorithms and the optional hash function algorithms should lend themselves to countermeasures against various side-channel attacks (SCA), including timing attacks, simple and differential power analysis (SPA/DPA), as well as simple and differential electromagnetic analysis (SEMA/DEMA).

As we’ve previously discussed on Rambus Press, all physical electronic systems routinely leak information about the internal process of computing via fluctuating levels of power consumption and electro-magnetic emissions.

Much like traditional safecracking, electronic side-channel attacks eschew a brute force approach to extracting keys and other secret information from a device or system. As such, SCA conducted against electronic devices and systems are non-intrusive, relatively simple and inexpensive to execute.

An effective layer of side-channel countermeasures should therefore be implemented via hardware (DPA resistant cores), software (DPA resistant software libraries) or both. Countermeasures – including leakage reduction, noise introduction, obfuscation and the incorporation of randomness – are critical to ensuring the protection of sensitive keys and data. It should be noted that stand-alone noise introduction is incapable of sufficiently masking side-channel emissions. Indeed, DPA conducted against a device can effectively bypass stand-alone noise countermeasures, ultimately allowing the signal to be isolated.

TVLA and Rambus DPAWS

After layered countermeasures have been implemented, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage.

More specifically, DPAWS measures a range of side-channel attacks across a wide spectrum of devices and platforms including smart phones, tablets, POS terminals, CPUs, TVs, set-top boxes, FPGAs, smart cards and NFC tech. DPAWS provides users with a highly-intuitive UI paired with enhanced data visualization that creates an integrated, project-centric analytic environment specifically designed to optimize the efficiency of side-channel analysis.

Both flexible and scalable, DPAWS supports multiple side-channel sensors, device protocols and form factors, with out-of-the-box support for SASEBO and additional third-party hardware. DPAWS also easily integrates with a wide range of industry tools including Matlab, Python and other scripting languages. Moreover, the Rambus DPA Workstation supports full cipher coverage (AES, RSA, ECC, DES and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces. Source code is also available to facilitate increased flexibility.

Interested in learning more about protecting electronic systems from side-channel attacks? You can download our eBook on the subject below.

Rambus has signed a patent license agreement with Beijing Tongfang Microelectronics Co., Ltd, a fabless chip design company that focuses on smart cards and related technologies.

The agreement includes the use of Rambus patents such as Differential Power Analysis (DPA) Countermeasures, which protect devices and integrated circuits against DPA and other related side-channel attacks (SCA). Much like safecracking, electronic side-channel attacks eschew a brute force approach to extracting keys and other secret information from a device or system. SCA conducted against electronic devices and systems are non-intrusive, relatively simple and inexpensive to execute.

“We are excited to deliver critical technology for protecting sensitive keys and data to Beijing Tongfang Microelectronics Co., Ltd.,” said Bret Sewell, senior vice president and general manager of the Rambus Security Division.

Differential Power Analysis

Differential Power Analysis (DPA) is a form of side-channel attack that monitors variations in the electrical power consumption or electro-magnetic emissions of a target device. The basic method involves partitioning a set of traces into subsets, then subsequently computing the difference of the averages of these subsets. A trace refers to a set of power consumption measurements taken while the device is performing cryptographic operations. Given enough traces, extremely minute correlations can be isolated — no matter how much noise is present in the measurements.

An example of the traces collected during a cryptographic operation is shown below in Figure 1.

The top trace shows the DPA results showing the average power trace for an AES-128 operation running on an FPGA. The DPA process was used to find the bytes of the last round key used in the AES operation. The middle trace is a differential trace for a DPA test carried out with an incorrect guess of the first byte of the last round key and the bottom trace shows the corresponding differential trace for the correct key byte guess.

A typical DPA attack comprises 6 primary stages: communicating with a target device; recording power traces while the target device performs cryptographic operations; signal processing to remove errors and reduce noise; prediction and selection function generation to prepare and define for analysis; as well as computing the averages of input trace subsets and evaluating DPA test results to determine the most probable key guesses.

Additional DPA variants include reverse engineering unknown S-boxes and algorithms, correlation power analysis (CPA), probability distribution analysis, high-order DPA and template attacks.

DPA countermeasures

Specific DPA countermeasure techniques include decreasing the signal-to-noise ratio of the power side channel by reducing leakage (signal) or increasing noise, for example, by making the amount of power consumed less contingent upon data values and/or operation (balancing); introducing amplitude and temporal noise; incorporating randomness with blinding and masking by randomly altering the representation of secret parameters and implementing protocol-level countermeasures by continually refreshing and updating cryptographic protocols used by a device.

Because all physical electronic systems routinely leak information, an effective layer of side-channel countermeasures should be implemented via hardware (DPA resistant cores), software (DPA resistant libraries) or both. It should be noted that stand-alone noise introduction is incapable of sufficiently masking side-channel emissions. Indeed, DPA conducted against a device can effectively bypass stand-alone noise countermeasures, ultimately allowing the signal to be isolated. After layered countermeasures have been implemented, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage.

Interested in learning more about Rambus’ DPA countermeasures? You can check out our product page here and download our eBook on the subject below.

Bart Stevens, the senior director of sales for the EMEA region in Rambus’ Security Division and Gary Kenworthy, a senior principal engineer in Rambus’ Security Division, recently penned an article for Semiconductor Engineering that discusses the evaluation of side-channel vulnerabilities with Test Vector Leakage Assessment (TVLA).

TVLA: Understanding the basics

Rather than mounting a time-consuming attack to recover secret key information, says Stevens and Kenworthy, TVLA seeks to detect and analyze leakage directly in a device under test.

“For its core statistical test, TVLA specifies and compares two subsets (A&B) of collected traces, with the subsets selected according to known sensitive intermediate bits,” the two explained.

“Differences will be immediately apparent between subsets A and B if the algorithm implementation not properly protected. This core statistical test employs Welch’s t-test for evaluating the significance of the ‘difference of means.’”

The specific test vectors, says Stevens and Kenworthy, are standardized to focus on common leakage modes for a particular algorithm. For example, TVLA testing for the AES algorithm targets S-box outputs, round output, XOR of round input and output and the values of 1st and 2nd byte of round output.

Another TVLA testing mode is the non-specific leakage test. This method, says the authors, looks for differences in the collected traces between operations on fixed vs. varying data. This is a powerful technique that can amplify leakages and identify vulnerabilities even when specific attacks that might exploit that leakage have not yet been discovered.

“When gauging the level of side-channel resistance, testers may also want to follow TVLA assessment with a key extraction attack to verify the real-world significance of said leakage. The leakage profile identified by TVLA will greatly simplify the key extraction attack,” they add.

DPAWS: A TVLA testing platform

Because side-channel attacks are so effective, even well-planned resistance strategies may still leak sensitive information. Therefore, it is critical to verify the actual performance of side-channel countermeasures. The Rambus DPA workstation (DPAWS), for example, is a powerful tool for testing and evaluating the results of hardware or software implementations.

“The TVLA-capable Rambus DPA Workstation Platform (DPAWS) measures a range of side-channel leakages across a wide spectrum of devices and platforms including smart phones, tablets, POS terminals, CPUs, TVs, set-top boxes, FPGAs, smart cards and NFC tech,” Stevens and Kenworthy elaborate. “DPAWS also provides users with a highly-intuitive UI paired with enhanced data visualization that creates an integrated, project-centric analytic environment specifically designed to optimize the efficiency of side-channel analysis.”

Both flexible and scalable, DPAWS supports multiple side-channel sensors, device protocols and form factors, with out-of-the-box support for SASEBO and additional third-party hardware. Moreover, DPAWS easily integrates with a wide range of industry tools including Matlab, Python and other scripting languages. In addition, the Rambus DPA Workstation supports cipher coverage across many standard algorithms (AES, RSA, ECC, DES and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces. Source code is also available to facilitate increased flexibility.

Rambus DPAWS comprises a custom-configured workstation with an oscilloscope; a DPAD FPGA testing platform; a smart card test fixture; support for PCI high-speed sampling cards; a signal amplifier; EM probes, filters and a power supply. On the software and firmware side, DPAWS includes a device interface and data collection environment; signal processing; hypothesis and prediction generation; as well as optimized DPA analysis utilities and tools.

Conclusion

Side-channel attacks conducted against electronic systems are relatively simple and inexpensive to execute. An attacker does not need to know specific implementation details of the cryptographic device to perform these attacks and extract keys.

“As all physical electronic systems routinely leak information, effective side-channel countermeasures such as Rambus’ DPA Resistant Hardware Cores (DPARC) or DPA Software Library (DPASL) should be implemented at the design stage to ensure protection of sensitive keys and data,” Stevens and Kenworthy conclude. “After the implementation of hardware or software countermeasures, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage.”

Interested in learning more about Rambus’ DPA countermeasures? You can check out our product page here and download our eBook on the subject below.

Patent license agreement

Rambus has signed a patent license agreement with Gemalto that covers the use of our patented security technologies – including Differential Power Analysis (DPA) countermeasures, which protect devices against DPA and other related side-channel attacks (SCA).

Much like safecracking, electronic side-channel attacks eschew a brute force approach to extracting keys and other secret information from a device or system. SCA conducted against electronic devices and systems are non-intrusive, relatively simple and inexpensive to execute.

Differential Power Analysis

Differential Power Analysis (DPA) is a form of side-channel attack that monitors variations in the electrical power consumption or electro-magnetic emissions of a target device. The basic method involves partitioning a set of traces into subsets, then subsequently computing the difference of the averages of these subsets. A trace refers to a set of power consumption measurements taken while the device is performing cryptographic operations. Given enough traces, extremely minute correlations can be isolated — no matter how much noise is present in the measurements.

An example of the traces collected during a cryptographic operation is shown below in Figure 1.

The top trace shows the DPA results showing the average power trace for an AES-128 operation running on an FPGA. The DPA process was used to find the bytes of the last round key used in the AES operation. The middle trace is a differential trace for a DPA test carried out with an incorrect guess of the first byte of the last round key and the bottom trace shows the corresponding differential trace for the correct key byte guess.

A typical DPA attack comprises 6 primary stages: communicating with a target device; recording power traces while the target device performs cryptographic operations; signal processing to remove errors and reduce noise; prediction and selection function generation to prepare and define for analysis; as well as computing the averages of input trace subsets and evaluating DPA test results to determine the most probable key guesses.

Additional DPA variants include reverse engineering unknown S-boxes and algorithms, correlation power analysis (CPA), probability distribution analysis, high-order DPA and template attacks.

DPA countermeasures

Specific DPA countermeasure techniques include decreasing the signal-to-noise ratio of the power side channel by reducing leakage (signal) or increasing noise, for example, by making the amount of power consumed less contingent upon data values and/or operation (balancing); introducing amplitude and temporal noise; incorporating randomness with blinding and masking by randomly altering the representation of secret parameters and implementing protocol-level countermeasures by continually refreshing and updating cryptographic protocols used by a device.

Because all physical electronic systems routinely leak information, an effective layer of side-channel countermeasures should be implemented via hardware (DPA resistant cores), software (DPA resistant libraries) or both. It should be noted that stand-alone noise introduction is incapable of sufficiently masking side-channel emissions. Indeed, DPA conducted against a device can effectively bypass stand-alone noise countermeasures, ultimately allowing the signal to be isolated. After layered countermeasures have been implemented, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage.

Interested in learning more about Rambus’ DPA countermeasures? You can check out our product page here and download our eBook on the subject below.

Exploiting the magnetic field with Odini

Researchers at Israel’s Ben Gurion University (BGU) have demonstrated how attackers can successfully bypass Faraday cages to monitor low-frequency magnetic radiation emitted by air-gapped electronic devices.

“While Faraday rooms may successfully block electromagnetic signals which emanate from computers, low-frequency magnetic radiation disseminates through the air, penetrating metal shields within the rooms,” explains Dr. Mordechai Guri, the director of the Cybersecurity Research Center at BGU.

“That’s why a compass still works inside of a Faraday room. Attackers can use this covert magnetic channel to intercept sensitive data from virtually any desktop PCs, servers, laptops, embedded systems and other devices.”

More specifically, Guri’s Odini method (named after escape artist Harry Houdini), exploits the magnetic field generated by a CPU to circumvent even the most securely equipped room. Put simply, Odini is specially coded malware designed to control the low frequency magnetic fields emitted from an infected computer by regulating the load of the CPU cores. This means arbitrary data can be modulated and transmitted on top of the magnetic emission – and received by a magnetic receiver (bug) placed nearby.

It should be noted that the malicious code does not require special privileges (e.g., root) and can successfully operate from within isolated virtual machines (VMs).

Magneto malware taps covert channels

In a separate attack, Guri and his team utilized malware keystrokes and passwords on an air-gapped computer to transfer data to a nearby smartphone via its magnetic sensor.

“We implement a malware that controls the magnetic fields emanating from the computer by regulating workloads on the CPU cores,” Guri and his research team explained in a recently publish abstract.

“Sensitive data such as encryption keys, passwords, or keylogging data is encoded and transmitted over the magnetic signals, [while] a smartphone located near the computer receives the covert signals with its magnetic sensor.”

The abstract also noted that the proposed covert channel works from a user-level process without requiring special privileges – and can successfully operate from within an isolated virtual machine (VM). Moreover, attackers can intercept the leaked data even when a smartphone is sealed in a Faraday bag or set to airplane mode.

Extracting stolen data

As Wired’s Andy Greenberg reports, Guri’s work aims to demonstrate that once a device is infected, attackers aren’t going to necessarily wait to establish a traditional connection before they exfiltrate stolen data.

“Instead, they can use more insidious means to leak information to nearby computers—often to malware on a nearby smartphone, or another infected computer on the other side of the air gap,” he writes.

According to Guri, challenging the concept of air-gapped devices involves thinking creatively about how computer components can be surreptitiously transformed into clandestine communication devices.

“It goes way beyond typical computer science: electrical engineering, physics, thermodynamics, acoustic science, optics,” he tells Wired. “It requires thinking ‘out of the box,’ literally.”