Benjamin Jun, vice president of technology at Cryptography Research Inc. (CRI), has a message for FPGA designers regarding differential power analysis (DPA) attacks: "In general, if you want to use a key in cryptography and that key is not going to leave the device, this is going to be an issue."
I recently stopped by CRI's headquarters in San Francisco to meet with Jun as well as Carole Coplan, CRI's vice president of business development for tamper resistance solutions, and Pankaj Rohatgi, technical director of hardware and security solutions. Rohatgi walked me through some brief demonstrations of DPA attacks.
Using equipment for monitoring power consumption, an attacker can extrapolate the key to a cryptographic code by making guesses of portions of the key and observing whether the guesses cause correlation spikes in the power consumption. If the guess is correct, the power correlation spikes quite noticeably.
If the guess is wrong, the power consumption correlation stays low and an attacker tries new numbers until he or she gets that portion of the key right. Then, they move on to the next portion of the key and keep at it until they have the whole thing. The approach uses process of elimination, or what Rohatgi called "divide and conquer."
The thing that most struck me is just how easy it is to spot the power correlation spikes. You don't need a trained eye to spot the variation. There is some upfront work required for characterizing the device, but Rohatgi and Jun said an experienced attacker could extrapolate the key from a device in about 15 minutes. They emphasized that the attack is accomplished while observing a device performing its normal operations.
"The goal of deploying countermeasures is basically to frustrate this process," Jun said. "These aren't theoretical attacks. These are real attacks." He added that there is evidence of attackers using DPA attacks to try to break pay television systems.
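The correlation spike described above, and what a countermeasure does to it, can be reproduced on synthetic data. The following is an added example, not code from CRI or from the article: it assumes a Hamming-weight leakage model with Gaussian noise, the 4-bit PRESENT S-box as the cipher step, and random masking as a generic stand-in countermeasure (not CRI's licensed techniques). All traces are constructed by the simulation.

```python
import random
from math import sqrt

# 4-bit PRESENT S-box, used here as a small stand-in for a cipher's S-box step.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(x):
    """Hamming weight: the assumed power-leakage model."""
    return bin(x).count("1")

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)

def simulate(key, n, masked, rng, noise=1.0):
    """Constructed traces: one noisy power sample per known input nibble."""
    inputs, power = [], []
    for _ in range(n):
        p = rng.randrange(16)
        v = SBOX[p ^ key]
        if masked:
            v ^= rng.randrange(16)  # fresh random mask blinds the leaked value
        inputs.append(p)
        power.append(hw(v) + rng.gauss(0, noise))
    return inputs, power

def correlations(inputs, power):
    """Correlate measured power with the predicted leakage for each key guess."""
    return [pearson([hw(SBOX[p ^ g]) for p in inputs], power)
            for g in range(16)]

def evaluate(key=0xB, n=2000, seed=1):
    """Return {label: (best_guess, peak_correlation)} for both device models."""
    rng = random.Random(seed)
    results = {}
    for label, masked in (("unprotected", False), ("masked", True)):
        corr = correlations(*simulate(key, n, masked, rng))
        best = max(range(16), key=lambda g: corr[g])
        results[label] = (best, corr[best])
    return results

if __name__ == "__main__":
    for label, (guess, peak) in evaluate().items():
        print(f"{label:12s} best guess=0x{guess:X} peak correlation={peak:.3f}")
```

On the unprotected model only the correct key nibble produces a high correlation; on the masked model every guess stays near zero, which is the measurable goal of a first-order countermeasure in this simplified setting.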
Cryptography Research uses a Sasebo-G board integrated with its workstation to test FPGA images against side channel attacks such as simple power analysis and differential power analysis.
CRI had successes in the 1990s in the smart card arena, an early target for security threats because in many applications the person in possession of those devices was incentivized to break the code (to get free television channels, for example). The company maintains that its licensed DPA countermeasures are now found in more than 95 percent of smart cards produced annually.
But adoption of CRI's DPA countermeasures in other devices is growing, according to the company.
Last year more than 4.5 billion security chips were manufactured under license to CRI's semiconductor security technologies, according to the company. Despite the recession, the privately held firm said it was profitable for the fourteenth consecutive year.
In 2009, Atmel, EM Microelectronic, Inside Contactless, Samsung and ST Microelectronics joined Infineon, NXP and Renesas on the list of chip manufacturers to sign DPA countermeasures licensing agreements with CRI, according to the company. MasterCard in 2009 began requiring that its suppliers have a license from CRI, according to the firm.
CRI says adoption of its DPA countermeasures continued to increase last year in pay television set-top boxes, secure storage devices and mobile phones. In 2010, the company plans to broaden its licensing focus for DPA countermeasures, including additional efforts to enroll manufacturers of hardware for government products, mobile devices and other commercial and consumer products where security is important.
Jun said CRI is in discussions with FPGA vendors, but he could not discuss specific companies. He said the company is trying to educate the FPGA user base on the dangers associated with DPA attacks.
Jun and the other folks at CRI are excited about DPA resistance being defined in the National Institute of Standards and Technology's FIPS 140-3 security requirements for tamper resistant devices. Jun said this inclusion would broaden awareness of DPA attacks and increase the likelihood of people incorporating countermeasures, even in devices that aren't considered high security threats.