datasheets.com EBN.com EDN.com EETimes.com Embedded.com PlanetAnalog.com TechOnline.com
Events
UBM Tech
UBM Tech

Design Article

# Defending against side-channel attacks - Part 2

## 9/26/2012 5:50 AM EDT

3.4 EM analysis of an RSA application on an Android phone
The second example is an RSA application running on an HTC Evo 4G phone. The application was written using an open source cryptographic library. It performs a modular exponentiation with a 2048-bit modulus, using the Chinese Remainder Theorem. The application computes a straightforward modular exponentiation using the algorithm shown in Figure 1.

The emissions were collected by placing a magnetic field pickup coil behind phone. The carrier frequency of the signal was 39.99 MHz. The acquisition bandwidth was 500 KHz, and the filtered bandwidth was 250 KHz. A snapshot of the collected data is shown in Figure 12 below.

Figure 12: Data collected from HTC Evo 4G phone using near field antenna placed behind phone

In these traces, the widths and heights of the multiplication and addition operations are the same. In some of the cases, however, there is a very short gap between the operations, while in other cases there is larger gap. In the straightforward implementation shown in Figure 1, a square can be followed by either another square, or a multiply. In contrast, a multiply is always followed by a square. In the above trace, there are never two short gaps in a row. Hence, whenever there are two large gaps in a row the corresponding bit of the secret exponent is a zero. Similarly, a short gap indicates the corresponding bit of the secret exponent is a one. By analyzing the pattern of gaps, an attacker could extract the entire secret exponent using a single trace.

3.5 EM analysis of an AES application on an Android phone
The final example is an AES application running on an HTC phone. The application invokes the Bouncy Castle AES provider. The application performs a bulk AES encryption using a 128-bit key.

The emissions were collected with a baseband m-field trace capture on a sampling scope. The acquisition bandwidth was 100 MHz, and the filtered bandwidth was 60 MHz. A snapshot of the collected data is shown in Figures 13 and 14 below.

Figure 13: Data collected from HTC phone using m-field trace capture on a sampling scope

Figure 14: The individual AES operations in the bulk decryption

anne-francoise.pele

10/3/2012 8:13 AM EDT

Sign in to Reply

#### Please sign in to post comment

Navigate to related information

## Most Popular

 1 What do IBM layoffs mean for New York's chip initiative? 2 Intel processor outperforms Nvidia, Qualcomm, Samsung 3 Nokia, Samsung, Apple victims of smartphone 'tipping point' 4 Intel eDRAM attacks graphics in pre-3-D IC days 5 London Calling: What is ST's plan B? 6 Teardown: Samsung Galaxy S4 7 Atmel pays Infineon over MCU patent dispute 8 Nokia, Qualcomm invest in array camera startup 9 Assert() and other useful C language macros 10 Maximâ€™s CEO on analog, Intel, Samsung and more