Evolving differential power analysis targets SIM cards

This entry was posted on Wednesday, September 23rd, 2015.

Ernest Worthman of Semiconductor Engineering recently noted that differential power analysis (DPA) has been a threat vector on the chip landscape for a number of years.

“[DPA] was discovered around the mid 1990s by the teams at Rambus’ Cryptography Research Division,” he explained. “It turned out to be a very effective tool for compromising the ubiquitous SIM card environment.”

According to Simon Blake-Wilson, VP of products and marketing at Rambus, DPA has historically targeted smart cards due to their widespread deployment and security limitations.


“The most traditional market for DPA has been with smart cards because of their limitations – consumer goods type of devices, low cost, limited power,” he told the publication. “That makes them a fertile landscape for DPA. Of course, DPA is capable of side channel attacks on just about any chip, but the relative lack of control over, and ease with which one could obtain, SIM cards made them easy pickings for such power analysis techniques.”

Perhaps not surprisingly, evolving DPA techniques have reached sophisticated levels, while DPA kits are now available for sale on the Internet.

“Edge-of-the-envelope hardware and software [offer] tremendous analysis capabilities [for] side channel attacks,” Pankaj Rohatgi, director of engineering at Cryptography Research, told Semiconductor Engineering. “Therefore, the data collected is of much better quality, from better equipment, which in turn, allows for more sophisticated attacks.”

Although progress has been made in protecting SIM cards, the attack platform is never more than a step behind, says Worthman.

“DPA continues to be a thorn in the side of the semiconductor industry,” he confirmed. “Unless the ‘non-security-centric manufacturers’ suddenly become concerned, it’s likely that DPA will become more prevalent as more and more low/no-security chips are embedded or installed in lower-end Internet of Everything (IoE) devices.”

As Worthman notes, it is somewhat difficult to predict the future of DPA relative to the IoE.

“[Nevertheless], there are a couple of things that are a given. One, the IoE will be flush with SIM-type chips. They are cheap, easy to produce and offer plenty of resources for low-end devices,” he added. “They also tend to have weak or no security. Programmable SIMs have yet to develop a clear track so it is difficult to see exactly where, or even if, they will find wide-scale adoption. And the resources for DPA attacks are now easily acquired and relatively cheap.”

Indeed, a Jiao Tong University researcher recently used side-channel attack techniques to crack the AES-128 encryption protecting 3G and 4G SIM cards. According to Iain Thomson of The Register, Yu Yu and his university team tracked power levels using an oscilloscope, monitored data traffic with an MP300-SC2 protocol analyzer and correlated the results with a SIM card reader and standard PC.

“With this simple setup they cracked eight commercial SIM cards in between 10 and 80 minutes,” Thomson reported. “Yu [also] demonstrated how the cloned SIM card can successfully impersonate the owner in class [and] showed how a cloned card could change the password on an Alipay and potentially drain the account.”

As Yu confirmed, the above-mentioned hack is based on known differential power analysis attacks.

“The move to AES-based encryption algorithms in 3G/4G USIM cards did not systematically take advantage of state-of-the-art countermeasures against side-channel attacks,” he added. “The USIM cards we analyzed essentially relied on plain (unprotected) software implementations of the AES.”

Helena Handschuh, a Director at Rambus’ Cryptography Research division, co-designed the MILENAGE standard discussed in Yu’s Black Hat paper. According to Handschuh, AES-128/Rijndael was chosen for MILENAGE in 2001 so that side-channel countermeasures could be easily incorporated in a SIM-class platform.

“Yu Yu’s paper demonstrates once again that, even though these algorithms are mathematically strong and unbroken, all implementers of crypto need to be aware of side-channel attacks and take appropriate steps to mitigate them,” Handschuh concluded.

As we’ve previously discussed on Rambus Press, physical electronic systems routinely leak information about the internal process of computing. In practical terms, this means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys.

As such, the Rambus Cryptography Research division has designed a range of DPA countermeasures that offer a combination of software, hardware and protocol techniques specifically designed to protect tamper-resistant devices from side-channel attacks. These include leak reduction, incorporating randomness, generating amplitude and temporal noise, as well as executing protocol-level countermeasures.
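To make "incorporating randomness" concrete, the following added example (not Rambus code, and not taken from Yu's paper) runs a known-key leakage check on simulated power samples for an unprotected AES S-box lookup and for a first-order masked one. The Hamming-weight leakage model, the noise level, the key byte and all function names are assumptions chosen for illustration.

```python
import random

def aes_sbox():
    """AES S-box: inverse in GF(2^8) followed by the affine transform."""
    def rotl(x, n):
        return ((x << n) | (x >> (8 - n))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        for s in (1, 2, 4):                                     # q /= 3
            q ^= (q << s) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse
    return sbox

SBOX = aes_sbox()

def hw(x):
    """Hamming weight: the assumed power-leakage model."""
    return bin(x).count("1")

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def leakage_correlation(masked, n=5000, key_byte=0x2B, sigma=1.0, seed=1):
    """Correlate simulated samples with HW(SBOX[pt ^ key]) for a known key."""
    rng = random.Random(seed)  # seeded so the constructed data is repeatable
    predicted, measured = [], []
    for _ in range(n):
        pt = rng.randrange(256)
        v = SBOX[pt ^ key_byte]                      # sensitive intermediate
        mask = rng.randrange(256) if masked else 0   # fresh random mask per run
        measured.append(hw(v ^ mask) + rng.gauss(0, sigma))
        predicted.append(hw(v))
    return pearson(predicted, measured)

if __name__ == "__main__":
    print("unprotected:", round(leakage_correlation(False), 3))
    print("masked:     ", round(leakage_correlation(True), 3))
```

The unprotected lookup correlates strongly with the key-dependent prediction, while the masked one does not at first order; a real evaluation would also test higher-order and combined leakage on measured traces.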
