Design Article
Design security yields secure FPGAs for mil/aero applications
G. Richard Newell, Microsemi Corp.
10/11/2011 8:28 PM EDT
Side-channel attacks
Because it does not demand access to sophisticated analysis machinery such as electron microscopes or focused ion beam etching equipment, side-channel analysis can provide the attacker with a more practical method for reverse engineering circuitry and cryptographic key recovery.
Every IC leaks information through its activity. Typical examples of side-channel information are changes in power consumption as different logic paths are triggered on-chip, timing behavior and electromagnetic radiation.
Simple power analysis (SPA) and differential power analysis (DPA) have become widely recognized methods for reliably recovering information from ICs where the designers have not implemented countermeasures.4 The principle behind power analysis is to detect regions in the power consumption of a device that are correlated with a cryptographic key.
An SPA-based attack can be performed using just an ordinary digital oscilloscope to track the changes in the power consumption of a microprocessor as it runs different parts of an algorithm (see figure 6). Here the processor performs the modular exponentiation of an RSA operation with the private exponent using a square-and-multiply algorithm. The square operation takes less power than the multiplication, so the two are distinguishable in the trace. Because the sequence of square and multiply operations is key dependent (each squaring that is followed by a multiplication corresponds to a 1 bit of the exponent, each squaring that is not corresponds to a 0 bit), it is possible to deduce the value of the key simply by reading the changes in power consumption. Similar techniques can extract the key from elliptic curve cryptosystems, because a naive scalar multiplication uses a key-dependent sequence of point-doubling and point-addition operations.

Figure 6: Oscilloscope trace shows the changes in power consumption of a microprocessor as it runs different parts of an algorithm
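The following simulation is an added example and is not code from the article or from Microsemi. It models the square-and-multiply leak described above with constructed numbers: a squaring is assumed to appear in the trace as a short run of low-amplitude samples and a multiplication as a longer run of higher-amplitude samples (SQ_LEN, SQ_LEVEL, MUL_LEN, MUL_LEVEL and the toy modulus are assumptions, not measured values). The attack recovers the exponent from the trace alone; the Montgomery ladder is included as the classic countermeasure, since its operation sequence depends only on the exponent length.

```python
# Added example, not from the article: simulated SPA against a left-to-right
# square-and-multiply RSA exponentiation. Assumptions (constructed, not
# measured): a squaring appears in the "power trace" as SQ_LEN samples around
# SQ_LEVEL and a multiplication as MUL_LEN samples around MUL_LEVEL, plus
# Gaussian noise. A real trace would come from an oscilloscope on the supply.
import random

SQ_LEN, SQ_LEVEL = 4, 1.0     # assumed: squaring is shorter and draws less
MUL_LEN, MUL_LEVEL = 6, 1.6   # assumed: multiply is longer and draws more
MOD = 3233                    # toy RSA modulus 61 * 53 (constructed)


def square_and_multiply(base, exp, mod, ops):
    """Left-to-right binary exponentiation. Records 'S' or 'M' in ops for each
    operation; this sequence is exactly what SPA reads off the trace."""
    result = 1
    for bit in bin(exp)[2:]:          # most significant bit first
        result = (result * result) % mod
        ops.append("S")
        if bit == "1":
            result = (result * base) % mod
            ops.append("M")
    return result


def montgomery_ladder(base, exp, mod, ops):
    """Montgomery ladder: one multiply and one square per bit whatever the bit
    value, so the operation sequence depends only on the key length."""
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        else:
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        ops.extend("MS")
    return r0


def simulate_trace(ops, rng, noise=0.05):
    """Synthetic trace: each operation becomes a run of noisy samples."""
    trace = []
    for op in ops:
        n, level = (SQ_LEN, SQ_LEVEL) if op == "S" else (MUL_LEN, MUL_LEVEL)
        trace.extend(level + rng.gauss(0, noise) for _ in range(n))
    return trace


def recover_ops(trace, threshold=(SQ_LEVEL + MUL_LEVEL) / 2):
    """The SPA step: split the trace into runs above/below the threshold and
    turn each run's length into a count of squarings or multiplications."""
    ops, i = [], 0
    while i < len(trace):
        high = trace[i] > threshold
        j = i
        while j < len(trace) and (trace[j] > threshold) == high:
            j += 1
        run = j - i
        ops.extend("M" * round(run / MUL_LEN) if high else "S" * round(run / SQ_LEN))
        i = j
    return ops


def ops_to_exponent(ops):
    """A squaring followed by a multiplication is a 1 bit; a squaring followed
    by another squaring (or the end of the trace) is a 0 bit."""
    bits = [
        "1" if k + 1 < len(ops) and ops[k + 1] == "M" else "0"
        for k, op in enumerate(ops) if op == "S"
    ]
    return int("".join(bits), 2)


def spa_attack(secret_exp, seed=1):
    """Run the victim once, capture the synthetic trace, and return the
    exponent recovered from the trace alone."""
    ops = []
    square_and_multiply(2, secret_exp, MOD, ops)
    trace = simulate_trace(ops, random.Random(seed))
    return ops_to_exponent(recover_ops(trace))


def ladder_sequence(secret_exp):
    """Operation sequence the ladder would expose for secret_exp."""
    ops = []
    montgomery_ladder(2, secret_exp, MOD, ops)
    return "".join(ops)


if __name__ == "__main__":
    d = 0b1011001101                      # constructed secret exponent
    print("recovered:", bin(spa_attack(d)))
    print("ladder, d :", ladder_sequence(d))
    print("ladder, d':", ladder_sequence(d ^ 0b0110110))
```

The ladder removes the key-dependent operation sequence, which is what SPA exploits, but it still processes key-dependent data, so on its own it is not a defence against DPA.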
SPA can also be used for password attacks, as shown by Sergei Skorobogatov of the University of Cambridge on a microcontroller.5 The power consumption of the microcontroller in his demonstration changed depending on whether each byte of the password was correct or not, so one attempt in 256 produced a distinctive power trace that identified the correct byte (see figure 7). Recovery of an 8-byte password succeeded within 2,048 (8 × 256) attempts, and the whole attack took less than ten minutes, because the password could be tested one byte at a time rather than having to guess all 64 bits as one unit. These are examples in which the leaked information is so obvious that it can be seen using simple measurements. DPA makes it possible to extract similar information in situations in which noise masks the changes in power dissipation from the cryptographic circuits or code.

Figure 7: A simple power analysis (SPA) based password attack leverages changes in power consumption to capture passwords.
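The following simulation is an added example and is not code from the article or from Skorobogatov's demonstration. It models a firmware compare loop that stops at the first wrong byte; the "trace" is a constructed list with one sample per byte compared and one extra sample for the unlock step, so a guess that gets more leading bytes right gives a longer trace. The attack needs exactly 256 attempts per byte, 2,048 for the 8-byte password, matching the figure in the text. A constant-time comparison (hmac.compare_digest, with the trace modelled as fixed length) is shown as the countermeasure: the attack finds no distinctive trace and fails after the first 256 attempts.

```python
# Added example, not from the article: simulated SPA password attack against
# a firmware compare loop that stops at the first wrong byte. Assumption
# (constructed, not measured): the victim's "power trace" is one sample per
# byte compared, plus one extra sample for the unlock step on success, so a
# guess that gets more leading bytes right produces a longer trace.
import hmac

SECRET = bytes.fromhex("3a7f00c912e4ff5b")   # constructed 8-byte password


class LeakyDevice:
    """Early-exit comparison: the loop runs once per matching leading byte,
    and the trace length reveals where the first mismatch happened."""

    def __init__(self, secret):
        self.secret = secret
        self.attempts = 0

    def check(self, guess):
        self.attempts += 1
        trace = []
        for a, b in zip(guess, self.secret):
            trace.append(1.0)             # one compare step = one sample
            if a != b:
                return False, trace       # bail out early: leaks position
        trace.append(2.0)                 # unlock step, reached only on success
        return True, trace


class ConstantTimeDevice(LeakyDevice):
    """Countermeasure: compare every byte regardless of mismatches
    (hmac.compare_digest), so the trace is the same for every wrong guess."""

    def check(self, guess):
        self.attempts += 1
        ok = hmac.compare_digest(guess, self.secret)
        trace = [1.0] * len(self.secret)  # assumed: same work for every guess
        if ok:
            trace.append(2.0)
        return ok, trace


def spa_password_attack(device, length=8):
    """Recover the password one byte at a time. At position pos, try all 256
    values with zeros as filler; the single guess whose trace is longer than
    the rest has the right byte. 256 attempts per byte, 2,048 for 8 bytes."""
    known = bytearray()
    for pos in range(length):
        lengths = []
        for candidate in range(256):
            guess = bytes(known) + bytes([candidate]) + bytes(length - pos - 1)
            _, trace = device.check(guess)
            lengths.append(len(trace))
        longest = max(lengths)
        if lengths.count(longest) != 1:
            return None                   # no distinctive trace: attack fails
        known.append(lengths.index(longest))
    return bytes(known)


if __name__ == "__main__":
    leaky = LeakyDevice(SECRET)
    print("leaky device:", spa_password_attack(leaky) == SECRET, leaky.attempts)
    fixed = ConstantTimeDevice(SECRET)
    print("constant-time device:", spa_password_attack(fixed), fixed.attempts)
```

Note that the constant-time device still takes the same number of attempts per position; what changes is that no single attempt stands out, so the attacker is back to guessing all 64 bits at once.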
DPA uses statistical methods that combine multiple power consumption measurements to extract information such as cryptographic keys. The core concept of DPA is that the overall power consumption of a device at a single point in time is correlated to the computational intermediates it is processing at that time. By concentrating on intermediates that depend on only a few bits of the key, it is possible to use power measurements to determine those key bits. To extract this information, the attacker predicts the computational intermediates for each possible value of these key bits and then looks for correlations between those values and the power measurements.
When the correct value of the key bits is predicted, the attacker sees correlation spikes at the point in the trace where the predicted intermediate is being processed. For an incorrect value the correlation is much lower. Once those key bits have been identified, the same procedure is repeated on the next group of bits: a divide-and-conquer approach that recovers the key a few bits at a time. A successful attack may take just hundreds, or possibly millions, of traces, and anywhere from seconds to several hours to execute, depending on factors such as noise level; generating the predictions for each candidate value and scanning for correlation spikes is straightforward to automate.
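The following simulation is an added example and is not code from the article. It carries the DPA procedure just described through for AES-128 in its correlation form (CPA): the constructed traces leak, at sample i, the Hamming weight of the first-round S-box output SBOX[p[i] ^ key[i]] plus Gaussian noise (this leakage model, the noise level, the number of traces and the sample key are assumptions). For each key byte, the attacker predicts the intermediate for all 256 guesses, correlates each prediction with every sample column, and keeps the guess with the highest spike; the full 16-byte key falls to 16 independent runs of that step over the same trace set.

```python
# Added example, not from the article: differential power analysis in its
# correlation form (CPA) against the first-round SubBytes of AES-128.
# Assumptions (constructed, not measured): sample i of each trace carries the
# Hamming weight of SBOX[p[i] ^ key[i]] plus Gaussian noise. Real traces are
# longer and noisier, but the analysis below is the same.
import operator
import random


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _build_sbox():
    """AES S-box: multiplicative inverse (x^254, which maps 0 to 0) followed
    by the affine transformation."""
    sbox = []
    for x in range(256):
        inv, p, e = 1, x, 254
        while e:
            if e & 1:
                inv = _gf_mul(inv, p)
            p = _gf_mul(p, p)
            e >>= 1
        s = inv
        for k in (1, 2, 3, 4):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
HW = [bin(v).count("1") for v in range(256)]
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 sample key


def make_traces(key, n_traces, seed=7, noise=1.0):
    """Constructed measurement campaign: random plaintexts and the synthetic
    traces the device would leak while encrypting them under key."""
    rng = random.Random(seed)
    plaintexts, traces = [], []
    for _ in range(n_traces):
        p = bytes(rng.randrange(256) for _ in range(16))
        traces.append([HW[SBOX[p[i] ^ key[i]]] + rng.gauss(0, noise)
                       for i in range(16)])
        plaintexts.append(p)
    return plaintexts, traces


def _centered(values):
    """Mean-centred copy and its L2 norm, for Pearson correlation."""
    m = sum(values) / len(values)
    c = [v - m for v in values]
    return c, sum(v * v for v in c) ** 0.5


def dpa_key_byte(byte_index, plaintexts, traces):
    """One divide-and-conquer step: recover key[byte_index] on its own.
    For each of the 256 guesses, predict HW(SBOX[p ^ guess]) for every trace
    and correlate the prediction with each sample column; the right guess
    shows a correlation spike at the sample where that byte is processed.
    Returns (peak |r|, guess, sample) for the best guess and the runner-up."""
    columns = [_centered([t[i] for t in traces]) for i in range(len(traces[0]))]
    peaks = []
    for guess in range(256):
        model, mnorm = _centered([HW[SBOX[p[byte_index] ^ guess]] for p in plaintexts])
        r = [abs(sum(map(operator.mul, model, col))) / (mnorm * cnorm)
             for col, cnorm in columns]
        sample = max(range(len(r)), key=r.__getitem__)
        peaks.append((r[sample], guess, sample))
    peaks.sort(reverse=True)
    return peaks[0], peaks[1]


def dpa_full_key(plaintexts, traces):
    """Recover all 16 key bytes independently from the same trace set."""
    return bytes(dpa_key_byte(i, plaintexts, traces)[0][1] for i in range(16))


if __name__ == "__main__":
    pts, trs = make_traces(KEY, 200)
    best, runner_up = dpa_key_byte(0, pts, trs)
    print("byte 0: guess %#04x |r|=%.2f at sample %d; runner-up |r|=%.2f"
          % (best[1], best[0], best[2], runner_up[0]))
    print("full key recovered:", dpa_full_key(pts, trs) == KEY)
```

With this leakage model the correct guess correlates at roughly 0.8 while every wrong guess stays well below that, which is the "spike" the text refers to; on real hardware the gap is smaller and closes only as more traces are added, which is why the trace count, not the computation time of the target, governs how long the attack takes.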
A number of papers have been published demonstrating the effectiveness of SPA and DPA against FPGA-based cryptographic systems.6,7,8 These papers show that in the absence of countermeasures, FPGA-based cryptographic systems can be highly vulnerable to DPA-based attacks and can even fall to SPA.
A DPA-based attack performed on the sample AES implementation provided with AIST’s Side-Channel Attack Standard Evaluation Board (SASEBO) GII platform took just 10,000 individual measurements.9 With less than 5 ms of actual cryptographic computation time, an entire 16-byte key was extracted in less than one minute. Without countermeasures, FPGAs cannot be considered to be secure against side-channel attacks such as these.