DPA Countermeasures Archives - Rambus

New Year, New Certifications for Rambus IP
https://www.rambus.com/blogs/new-year-new-certifications-for-rambus-ip/
Tue, 16 Jan 2024 17:54:18 +0000

There is nothing like starting off the new year with some good news, and there have certainly been lots of exciting new certification developments for our silicon IP portfolio recently.

Check out all our recent certification news below or head over to our Certifications page for a more detailed look at our many certified security IP solutions.

Rambus is Certified ISO/SAE 21434 Compliant

We are now ISO/SAE 21434 automotive cybersecurity compliant!

We are pleased to share that the Rambus automotive cybersecurity process is now certified as compliant with the ISO/SAE 21434 automotive cybersecurity standard. This further demonstrates our commitment to cybersecurity best practices and to supporting our automotive customers in their UN R155 compliance journey with secure-by-design IP developed in an ISO/SAE 21434 compliant development environment.

Rambus RT-130 Root of Trust IP: SESIP & PSA Certified

Our RT-130 Root of Trust IP has received not just one, but two new certifications!

This hardware Root of Trust core for IoT servers, gateways and edge devices has been awarded SESIP2 certification under SESIP (Security Evaluation Standard for IoT Platforms) and is also now a PSA Certified (Platform Security Architecture) Level 2 RoT component.

Rambus Public Key Accelerator (PKE) IP: Common Criteria Certified

Our PKE4 IP is now Common Criteria (CC) Certified!

We are excited to expand our offering of Common Criteria certified solutions with our PKE4 IP core with DPA and FIA protection. Our PKE core achieved EAL4+ certification, meaning it is certified for the baseline EAL4 (Evaluation Assurance Level) with additional elements: AVA_VAN.5 for vulnerability analysis, ALC_DVS.2 for the development environment, and ATE_DPT.2 for the depth of testing performed. We look forward to continuing our work with the CC community to further advance the certification of soft IP cores and deliver solutions that enable our customers to achieve the highest security certification levels.

Side-channel attacks explained: everything you need to know
https://www.rambus.com/blogs/side-channel-attacks/
Thu, 14 Oct 2021 13:35:04 +0000

In this blog post, we take an in-depth look at the world of side-channel attacks.

We describe how side-channel attacks work and detail some of the most common attack methodologies. We also explore differential power analysis (DPA), an extremely powerful side-channel attack capable of obtaining and analyzing statistical measurements across multiple operations. In addition, we provide a walkthrough of a DPA attack and explain how different countermeasures with varying levels of effectiveness can be used to prevent side-channel attacks.

Table of contents
  1. What is a side-channel attack?
  2. How does a side channel attack work?
  3. What attacks use side channel analysis?
  4. DPA explained
  5. DPA & Paul Kocher
  6. Technical example of a differential power analysis attack
  7. Countermeasures: Preventing Side-channel attacks
  8. Final thoughts

What is a side-channel attack?

A side-channel attack (SCA) is a security exploit that attempts to extract secrets from a chip or a system. This can be achieved by measuring or analyzing various physical parameters. Examples include supply current, execution time, and electromagnetic emission. These attacks pose a serious threat to modules that integrate cryptographic systems. Indeed, many side-channel analysis techniques have proven successful in breaking an algorithmically robust cryptographic operation and extracting the secret key.


How does a side channel attack work?

A side-channel attack does not target a program or its code directly. Rather, a side-channel attack attempts to gather information or influence the program execution of a system by measuring or exploiting indirect effects of the system or its hardware. Put simply, a side-channel attack breaks cryptography by exploiting information inadvertently leaked by a system. One such example is the van Eck phreaking attack, also referred to as TEMPEST (Transient Electromagnetic Pulse Emanation Standard). This attack monitors the electromagnetic field (EMF) radiation emitted by a computer screen to view information before it is encrypted.

What attacks use side channel analysis?

There are a growing number of known side-channel attack vectors. Some of the most common attacks are:

  • Timing attack: Analyzes the time a system spends executing cryptographic algorithms. See: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems (Kocher, 1996).
  • Electromagnetic (EM) attack: Measures and performs a signal analysis on the electromagnetic radiation emitted from a device.
  • Simple power analysis (SPA): Directly observes the power and electromagnetic (EM) variations of a cryptographic system during operations.
  • Differential power analysis (DPA): Obtains and analyzes detailed statistical measurements across multiple operations.
  • Template attack: Recovers cryptographic keys by exploiting an identical “template” device and comparing side-channel data.

DPA explained: Why is this black-box attack considered one of the most efficient and dangerous attacks?

  • Definition: A Differential Power Analysis (DPA) is a form of side-channel attack that monitors variations in the electrical power consumption or electro-magnetic emissions of a target device. The basic method involves partitioning a set of traces into subsets, then subsequently computing the difference of the averages of these subsets.
  • How it differs from SPA: Where SPA directly observes the power and EM variations of individual operations, DPA obtains and analyzes statistical measurements across multiple operations.
  • What makes DPA more efficient/dangerous? Given enough traces, extremely minute correlations can be isolated—no matter how much noise is present in the measurements. DPA can even extract information about individual gate-switching, an individual transistor turning on or off, or the interaction between one gate and another.

DPA & Paul Kocher: An introduction to differential power analysis

How does an attacker target a device or system using DPA? In the paper titled “Introduction to Differential Power Analysis,” Paul Kocher describes how information inadvertently leaked through power consumption and other side channels can be analyzed to extract secret keys from a wide range of devices.

The attacks are practical, non-invasive, and highly effective—even against complex and noisy systems where cryptographic computations account for only a small fraction of the overall power consumption.

Technical example of a differential power analysis attack

The following steps detail the DPA attack process.

1. Make power consumption measurements of the last few rounds of 1000 DES operations. Each sample set consists of 100000 data points. The data collected can be represented as a two-dimensional array S[0…999][0…99999], where the first index is the operation number and the second index is the sample. For this example, the attacker is also assumed to have the encrypted ciphertexts, C[0…999].

2. The attacker next chooses a key-dependent selection function D. In this case, the selection function would have the form D(Ki,C), where Ki is some key information and C is a ciphertext.

For example, the attacker’s goal will be to find the 6 bits of the DES key that are provided as the input to the DES S box 4, so Ki is a 6-bit input. The result of D(Ki,C) would be obtained by performing the DES initial permutation (IP) on C to obtain R and L, performing the E expansion on R, extracting the 6-bit input to S4, XORing with Ki, and using the XOR result as the input to the standard DES S4 lookup operation.

A target bit (for example, the most significant bit) of the S result is selected. The P permutation is applied to the bit. The result of the D(Ki,C) function is set to 0 if the single-bit P permutation result and the corresponding bit in L are equal, and otherwise D(Ki,C) yields 1.

3. A differential average trace T[0…63][0…99999] is constructed from the data set S using the results of the function D. In particular:

4. The attacker knows that there is one correct value for Ki; other values are incorrect. The attack goal is to identify the correct value. In the trace T[i][0…99999] where i=Ki, D(i,C[k]) for any k will equal the value of the target bit in L of the DES operation before the DES F function result was XORed. When the target device performed the DES operations, this bit value was stored in registers, manipulated in logic units, etc. — yielding detectable power consumption differences.

Thus, for the portions of the trace T[i=Ki] where that bit was present and/or manipulated, the sample set T[i] will show power consumption biases. However, for samples T[i != Ki], the value of D(i,C[k]) will not correspond to any operation actually computed by the target device. As a result, the trace T[i] will not be correlated to anything actually performed, and will average to zero. (Actually, T[i != Ki] will show small fluctuations due to noise and error that is not statistically filtered out, and due to biases resulting from statistical properties of the S tables. However, the largest biases will correspond to the correct value of Ki.)

5. The steps above are then repeated for the remaining S boxes to find the 48 key bits for the last round. The attack can then be repeated to find the previous round’s subkey (or the remaining 8 bits can be found using a quick search).

Countermeasures: Preventing Side-channel attacks

Countermeasures fall into two main categories:

Category 1: Eliminate or reduce the release of such information.

Countermeasures for category 1

  • Jam the emitted channel with noise: Specifically, random delays are introduced to deter timing attacks. The arbitrary and artificial “noise” forces an adversary to collect more measurements. It should be noted that standalone noise introduction is incapable of sufficiently masking side-channel emissions. DPA conducted against a device can effectively bypass stand-alone noise countermeasures, ultimately allowing the signal to be isolated.
  • Apply power line conditioning and filtering: Although somewhat effective, this method may not eliminate all minute correlations—and could potentially allow a determined attacker to compromise system security.
  • Analyze and evaluate: All electronic systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to identify sensitive side-channel leakage.
  • Implement a silicon-based hardware root of trust: Rambus DPA Resistant hardware cores (DPARC)—which feature integrated countermeasures—are built around optimized implementations of industry accepted ciphers such as AES, SHA-256, RSA and ECC. These countermeasures have been designed and extensively validated using the Test Vector Leakage Assessment (TVLA) methodology revealing no leakage beyond 100 million traces, which means the cores are protected against univariate first and second-order side-channel attacks beyond 1 billion operations.

Category 2: Eliminate the relationship between the leaked information and the secret data.

Countermeasures for category 2

  • Apply blinding techniques: This technique alters the algorithm’s input (for asymmetric encryption schemes) into an unpredictable state to prevent leakage.
  • Implement masking: This countermeasure randomly splits every sensitive intermediate variable occurring in the computation into d + 1 shares. Although widely used in practice, masking is often considered as an empirical solution and its effectiveness is rarely proved.
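The following added example (not code from the Rambus post or from Kocher's paper) simulates the difference-of-means construction from the DES walkthrough above and then applies the same analysis to a Boolean-masked version of the toy device, to show why the masking countermeasure in category 2 defeats a first-order analysis. Everything is constructed: the traces are synthetic (Hamming-weight leakage plus Gaussian noise), the key value, sample positions and noise level are arbitrary choices, the selection function omits the XOR with L because the toy device leaks the S-box output itself, and the only real constant is the DES S-box 4 table from FIPS 46-3.

```python
import random

# DES S-box 4 as given in FIPS 46-3: four rows of sixteen 4-bit outputs.
# Row is selected by bits 1 and 6 of the 6-bit input, column by bits 2-5.
S4 = [
    [7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15],
    [13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9],
    [10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4],
    [3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14],
]


def sbox4(x):
    """Standard DES S4 lookup on a 6-bit input."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S4[row][col]


def hw(v):
    """Hamming weight: the constructed leakage model assumes power tracks bits set."""
    return bin(v).count("1")


def selection(k_guess, c):
    """D(Ki, C): most significant bit of the S4 output under a key guess.
    (The walkthrough XORs this with the matching bit of L; the constructed
    device below leaks the S-box output itself, so that step is omitted.)"""
    return (sbox4(c ^ k_guess) >> 3) & 1


def simulate_traces(key, n_ops, masked, n_samples=40, noise=1.0, seed=1):
    """Constructed device model: returns (6-bit chunks C[k], traces S[k][j]).

    Unmasked: sample 10 leaks HW(S4 output) plus Gaussian noise.
    Masked: the output s is split into shares (s ^ m, m) with a fresh random
    m per operation; the shares leak at samples 10 and 20 respectively, so
    no single sample is statistically related to the secret on its own.
    """
    rng = random.Random(seed)
    chunks, traces = [], []
    for _ in range(n_ops):
        c = rng.randrange(64)          # ciphertext chunk, known to the analyst
        s = sbox4(c ^ key)             # secret-dependent intermediate value
        trace = [rng.gauss(0.0, noise) for _ in range(n_samples)]
        if masked:
            m = rng.randrange(16)
            trace[10] += hw(s ^ m)
            trace[20] += hw(m)
        else:
            trace[10] += hw(s)
        chunks.append(c)
        traces.append(trace)
    return chunks, traces


def differential_traces(chunks, traces):
    """Build T[i][j] for all 64 guesses: mean of traces with D(i,C)=1 minus
    mean of traces with D(i,C)=0, sample by sample (step 3 of the walkthrough)."""
    n_samples = len(traces[0])
    T = []
    for i in range(64):
        sums = [[0.0] * n_samples, [0.0] * n_samples]
        counts = [0, 0]
        for c, tr in zip(chunks, traces):
            d = selection(i, c)
            counts[d] += 1
            acc = sums[d]
            for j, v in enumerate(tr):
                acc[j] += v
        n0, n1 = max(counts[0], 1), max(counts[1], 1)
        T.append([sums[1][j] / n1 - sums[0][j] / n0 for j in range(n_samples)])
    return T


def best_guess(T):
    """Guess whose differential trace shows the largest absolute bias."""
    peaks = [max(abs(v) for v in row) for row in T]
    i = max(range(len(T)), key=lambda g: peaks[g])
    return i, peaks[i]


def run(masked, key=0x2B, n_ops=2000):
    """Return (key recovered?, peak bias) for the unmasked or masked device."""
    chunks, traces = simulate_traces(key, n_ops, masked)
    guess, peak = best_guess(differential_traces(chunks, traces))
    return guess == key, peak


if __name__ == "__main__":
    for masked in (False, True):
        ok, peak = run(masked)
        print(f"masked={masked}: key recovered={ok}, peak bias={peak:.2f}")
```

In the unmasked run the correct guess produces a bias of about 1.0 at the leaking sample, while in the masked run every guess's peak sits at the noise floor, which is the behaviour an evaluator expects a first-order countermeasure to produce.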

Final thoughts

Side-channel attacks conducted against electronic equipment and infrastructure are relatively simple and inexpensive to execute. An attacker does not necessarily need to know specific implementation details of the cryptographic device to perform these attacks and extract keys. Side-channel attacks have successfully cracked the hardware or software implementations of numerous cryptosystems including block ciphers such as DES, AES, Camellia, IDEA and Misty1. Side-channel attacks have also broken stream ciphers (RC4, RC6, A5/1 and SOBER-t32) and public key ciphers. Since all physical electronic systems routinely leak information, effective side-channel countermeasures should be implemented at the design stage to ensure protection of sensitive keys and data.

Here at Rambus, we have developed fundamental solutions and techniques for protecting devices against DPA and related side-channel attacks, along with supporting tools, programs, and services. Learn more about our DPA Countermeasure solutions.


A Modern Interpretation of Kerckhoff
https://www.rambus.com/blogs/a-modern-interpretation-of-kerckhoff/
Mon, 21 Sep 2020 22:32:17 +0000

In the late 19th century, Dutch cryptographer Auguste Kerckhoff postulated what has become known as “Kerckhoff’s Principle” — a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Since Kerckhoff’s days, cryptography has certainly evolved. A modern interpretation of Kerckhoff teaches that you shouldn’t rely on the obscurity of your crypto algorithm, but rely instead on standard algorithms with strong key sizes. A natural assumption might be that standard algorithms would be able to conceal themselves, making it difficult to determine the algorithm in use. This actually isn’t the case – and isn’t even necessary for a security sub-system to resist attacks. Suppose you’re using a NIST-standard algorithm in your device — how is anyone ever going to know? Can an adversary tell what algorithm you’re using? It turns out they can – but that’s ok.

Using inexpensive tools, electromagnetic and/or power data from a semiconductor can be captured. That data can be used to determine what cryptographic algorithm is being deployed; experienced analysts are often able to identify the algorithm simply by looking at a series of waveforms. For instance, a waveform with 10 distinct rounds may indicate 128-bit AES (shown in Figure 1), whereas a 14-round waveform may indicate 256-bit AES. Other popular cryptographic algorithms like RSA (shown in Figure 2), SHA, and Elliptic Curve all have distinct “signatures” which may tell the analyst (i.e., the adversary) what algorithm is being executed, the key size, and where it is happening in the overall computational process.

[Figure 1: 128-bit AES Trace]

[Figure 2: RSA-CRT Power Trace]

So why is knowledge of the algorithm deployed not a concern? This is the heart of Kerckhoff’s teachings. All NIST-standard algorithms derive security from the secrecy of the key and the cryptographic strength of the algorithm, but not the secrecy of the algorithm. And that secret key value is completely independent of the algorithm deployed – while the algorithm requires a certain size of key (e.g., AES-256 requires a 256-bit key value), the value of the key can be any random set of digits. A 128-bit key has 2^128 possible key combinations: that’s 340,282,366,920,938,463,463,374,607,431,768,211,456 combinations, which is 39 digits long – not something easily guessed! Without knowing the secret key value, adversaries have no way to penetrate the security of the chip, even if they have perfect knowledge of the algorithms deployed within the chip. The attack vector thus shifts to extracting the key, not determining what cryptographic algorithm(s) the device is running.

Adversaries use a multitude of attack vectors to extract the secret key, collectively known as side-channel attacks; these include Differential Power Analysis (DPA), Simple Power Analysis (SPA), Simple Electromagnetic Analysis (SEMA), Differential Electromagnetic Analysis (DEMA), Correlation Power Analysis (CPA) and Correlation Electromagnetic Analysis (CEMA). Side-channel attacks rely on the fact that all physical electronic systems routinely leak information about the internal process of computing via fluctuating levels of power consumption and electromagnetic emissions. Rather than using brute force, side-channel attacks exploit those leaks by repeatedly capturing and analyzing samples. Rambus’s Differential Power Analysis Workstation is a powerful tool for understanding a device’s resistance to attack.

Perhaps most concerning about side-channel attacks is that while they formerly may have taken a prohibitively expensive level of equipment and expertise, today these attacks can be executed relatively cheaply and easily using off-the-shelf equipment. To combat side-channel attacks, Rambus offers a series of side-channel resistant cryptographic algorithms. Through various techniques, including leakage reduction, noise introduction, obfuscation, and the incorporation of randomness, the protected algorithms are effective at resisting side-channel attacks up to and beyond 1 billion operations, securing our customers’ devices against attack.

Within the industry, we say that “security by obscurity” is a bad idea. While we don’t necessarily recommend publishing your security architecture on the front page of the New York Times, we believe that your architecture should be able to withstand attacks based on that amount of disclosure. Corporate espionage, accidents, vandalism, or even reverse engineering can reveal a security design. Accepted security best practices don’t involve hiding what security you are deploying, but rather spending your time and effort on making sure your security is deployed in such a manner that when your security architecture is determined (and it will be!), it is as resistant to as many attacks as possible, just as Kerckhoff spoke of almost 150 years ago.

Side-Channel Attacks Target Machine Learning (ML) Models
https://www.rambus.com/blogs/side-channel-attacks-target-machine-learning-ml-models/
Wed, 17 Jun 2020 15:14:14 +0000

Written by Paul Karazuba for Rambus Press

A team of North Carolina State University researchers recently published a paper that highlights the vulnerability of machine learning (ML) models to side-channel attacks. Specifically, the team used power-based side-channel attacks to extract the secret weights of a Binarized Neural Network (BNN) in a highly-parallelized hardware implementation.

“Physical side-channel leaks in neural networks call for a new line of side-channel analysis research because it opens up a new avenue of designing countermeasures tailored for deep learning inference engines,” the researchers wrote. “On a SAKURA-X FPGA board, [our] experiments show that the first-order DPA attacks on [an] unprotected implementation can succeed with only 200 traces.”

According to Jeremy Hsu of IEEE Spectrum, machine learning algorithms that enable smart home devices and smart cars to automatically recognize various types of images or sounds such as words or music are among the artificial intelligence (AI) systems “most vulnerable” to such attacks.

“Such algorithms consist of neural networks designed to run on specialized computer chips embedded directly within smart devices, instead of inside a cloud computing server located in a data center miles away,” he explains. “This physical proximity enables such neural networks to quickly perform computations with minimal delay, but also makes it easy for hackers to reverse-engineer the chip’s inner workings using a method known as differential power analysis (DPA).”

Indeed, edge devices storing AI/ML models and data can be physically disassembled. If unprotected, an attacker can run malicious firmware, intercept network traffic, and employ various side-channel techniques to extract secret keys and steal sensitive information. Both AI/ML inference models, as well as input data and results, are often quite lucrative and should be shielded from criminal elements intent on financial gain. Moreover, the integrity of AI/ML systems must be secured from tampering to prevent malicious attackers from designing cloned or competitive devices, as well as altering training models, input data, and results.

To protect both silicon and data, edge devices running AI/ML algorithms should be built on top of a secure, tamper-proof foundation that ensures confidentiality, integrity, authentication, and availability (up-time). This can be achieved with a programmable security co-processor such as the Rambus CryptoManager Root of Trust (CMRT) which uses a combination of hardware and software countermeasures to thwart side-channel attacks. For AI/ML edge devices built without the Rambus CMRT, we recommend that system designers utilize a Test Vector Leakage Assessment (TVLA) platform like Rambus’ DPA Workstation Analysis Platform (DPAWS) to help detect side-channel leakage and implement appropriate countermeasures.

DPAWS includes all the hardware, software, and training material needed to evaluate and certify secure AI/ML edge devices. It offers a Windows-based, intuitive user interface that enables system designers to efficiently perform side-channel analysis on AI/ML edge devices to identify potential security flaws. Collected signals are examined using simple power and electromagnetic analysis (SPA/SEMA) or more powerful differential power and electromagnetic analysis (DPA/DEMA) to identify exposure of secret keys.

The recently released DPAWS 9.2 offers several new notable features, including sample leakage history plotting. This capability allows system designers to detect and better understand side-channel leakage. More specifically, confirming the increase of electronic leakage across time can help improve countermeasure design, detect additional locations vulnerable to potential leakage, and provide a baseline for comparing non-leaking locations.

DPAWS 9.2 also offers system designers access to bivariate leakage detection, a form of higher-order side-channel analysis to which more robust designs may need to be resistant. Essentially, bivariate analysis combines different points from within the analysis range to detect leakage. This methodology may reveal leaks in implementations that are univariate or first-order secure. Previously, separate tools were used to combine pairs of data points within the analysis window or perform bivariate analysis from the command line.

In summary, AI/ML edge devices, like all physical electronic systems, routinely leak information about the internal process of computing via fluctuating levels of power consumption and electromagnetic emissions. To protect both silicon and data, edge devices running AI/ML algorithms should be built on top of a secure, tamper-proof foundation. In addition, AI/ML edge devices should be carefully evaluated with a testing platform like Rambus DPAWS to validate the effectiveness of countermeasures in reducing sensitive side-channel leakage.

DARPA wants secure silicon and scalable defense mechanisms
https://www.rambus.com/blogs/darpa-wants-secure-silicon-and-scalable-defense-mechanisms/
Tue, 13 Aug 2019 16:54:16 +0000

Automatic Implementation of Secure Silicon (AISS)

The Defense Advanced Research Projects Agency (DARPA) recently published an article that details the goals of its Automatic Implementation of Secure Silicon (AISS) program. As the name implies, AISS aims to automate the process of incorporating scalable defense mechanisms into chip designs, while enabling designers to explore economics versus security trade-offs and maximize design productivity.

“The security, design and economic objectives of a chip can vary based on its intended application. As an example, a chip design with extreme security requirements may have to accept certain tradeoffs,” explains Serge Leef, a program manager in DARPA’s Microsystems Technology Office (MTO). “Achieving the required security level may cause the chip to become larger, consume more power, or deliver slower performance. Depending on the application, some or all of these tradeoffs may be acceptable, but with today’s manual processes it’s hard to determine where tradeoffs can be made.”

According to DARPA, AISS aspires to develop a design tool and IP ecosystem – which includes tool vendors, chip developers, IP licensers and the open source community – that will enable security to be inexpensively incorporated into chip designs with minimal effort and expertise. More specifically, AISS addresses four specific attack surfaces: side channel attacks, reverse engineering attacks, supply chain attacks and malicious hardware attacks.

In addition to on-chip defenses, AISS seeks to ensure that silicon IP blocks remain secure throughout the design process. As such, the program aims to advance provenance and integrity validation techniques for preexisting design components by improving current methods or inventing novel technical approaches. Such techniques could include IP watermarking and threat detection to help validate the chip’s integrity and IP provenance throughout its lifetime.

Secure silicon in a post-Meltdown & Spectre world

From our perspective, DARPA’s AISS program is critical in a world haunted by the fallout of Meltdown and Spectre, which were independently disclosed in January 2018 by multiple security researchers, including senior Rambus technology advisor Paul Kocher and senior Rambus security engineer Mike Hamburg. Essentially, the two security flaws exploited critical vulnerabilities across a wide range of modern processors, including Intel, ARM and AMD. Although Meltdown and Spectre were certainly not the first high-profile semiconductor security flaws to gain widespread attention, they did represent a new class of vulnerabilities related to out-of-order and speculative execution.

As Kocher notes in a recent Rambus Press article, the industry is clearly in need of better ways to protect security-critical computations, ideally without the slowing of less sensitive performance-critical tasks.

“Processor design teams are radically rethinking the relationship between hardware and software,” he writes. “The one-size-fits-all philosophy that has historically limited thinking for computing architectures has been replaced with excitement about tailored designs. Looking toward 2019 and beyond, we’re going to see processors that are tailored for specific requirements, including security.”

According to Kocher, chipmakers and innovators are collectively leveraging open-source to develop better solutions and reduce time-to-market.

“The open source RISC-V architecture is particularly notable for its availability of unencumbered reference implementations and compiler/software support,” he explains. “As a result, RISC-V greatly reduces the amount of ancillary work required for a processor security project, allowing design teams to move more quickly and focus on areas of innovation – including security.”

Some of the largest initial gains, says Kocher, will be realized by adding separate security processors onto chips.

“For example, instead of building a chip with 16 identical performance-optimized cores, a chip designer can integrate 15 fast cores and one security-optimized core,” he elaborates. “The software stack for the secure core(s) can also be independent from the main processor, helping reduce software-related risks as well.”

Multiple roots of trust

Siloed from the primary processor, a security core can enable anti-tamper features that detect fault injection (glitch) attacks, which push operating circuits outside their normal operating conditions. Likewise, secure cores can integrate more aggressive protections against cache attacks, differential power analysis (DPA) and other side-channel attacks.

Moreover, a security core can safely host multiple roots of trust, with hardware ensuring isolation of resources, keys and security assets. In real-world terms, this means each entity – such as a chip vendor, OEM or service provider – has access to its own ‘virtual’ security core and performs secure functions without having to ‘trust’ other entities. This allows individual entities to possess unique root and derived keys, as well as access only to specified features and resources such as OTP, debug and control bits. Moreover, support for multiple roots of trust enables the security core to assign or delegate permissions to other entities at any point in the device lifecycle, while isolating (in hardware) unique signed apps that are siloed away from other programs. These multiple roots of trust effectively create a hierarchical and secure execution environment in which mutually distrusting entities are safe to execute on the same CPU.

Interested in learning more about securing silicon with Rambus? You can check out our CryptoManager Security Platform product page here and our CryptoManager Root of Trust white paper here.

Side-channel attack targets deep neural networks (DNNs)
https://www.rambus.com/blogs/side-channel-attack-targets-deep-neural-networks-dnns/
Mon, 29 Jul 2019 16:20:52 +0000

All physical electronic systems routinely leak information about the internal process of computing via fluctuating levels of power consumption and electromagnetic emissions. Much like traditional safecracking, an electronic side-channel attack (SCA) eschews a brute force approach to extracting keys and other secret information from a device or system. As such, an SCA conducted against electronic devices and systems is non-intrusive, relatively simple and inexpensive to execute. SCAs comprise a wide range of techniques including Differential Power Analysis (DPA), Simple Power Analysis (SPA), Simple Electromagnetic Analysis, Differential Electromagnetic Analysis, Correlation Power Analysis and Correlation Electromagnetic Analysis.


Attacking deep neural networks

Recently, a team of white hat researchers created a side-channel technique specifically designed to reveal the internal structure and parameters of deep neural network (DNN) computer vision models. As the researchers note in a paper published on arXiv, studies indicate that DNNs are vulnerable to adversarial attacks, which can be either white-box or black-box.

“During the computation process of the DNNs, the side-channel information shows strong correlations to the network structure and its parameters,” the researchers explain. “We envision that SCA can be used for embedded AI devices and reveal their network architectures and even the corresponding parameters. In other words, we intend to use SCA to open the black-box of DNNs, which can facilitate adversarial attacks by transforming a black-box attack to an at least partial white-box, or gray-box, attack.”


Image Credit: Yun Xiang, Zhuangzhi Chen, Zuohui Chen, Zebin Fang, Haiyang Hao, Jinyin Chen, Yi Liu, Member, IEEE, Zhefu Wu, Qi Xuan, Member, IEEE and Xiaoniu Yang (via arXiv)

To execute their SCA against a DNN, the researchers designed a Raspberry Pi-based platform to derive the power signature of embedded AI devices. The team then used machine learning algorithms to identify specific DNN architectures. As the researchers note, the Raspberry Pi is an ARM Cortex-based system that shares the common architecture of many existing devices. As such, the experiments performed on the Pi can be readily applied to similar systems.

“One critical observation is that different components [convolutional layers, pooling layers, fully connected layers and activation function] require different computational cost,” the researchers state. “Therefore, different architectures have different power consumption patterns, which makes DNN architectures vulnerable to SCAs. In general, our technique can identify both the architecture and model parameters with quite high accuracy, indicating that we should pay strong attention to the security problem of many AI applications.”

In the future, the white hat security team plans to improve its experimental platform by analyzing additional DNN architectures and parameters with advanced machine learning algorithms that more precisely identify DNN models.

SCA resistance and countermeasures

To protect the internal structure and parameters of deep neural networks (DNNs), we recommend implementing an effective layer of side-channel countermeasures via hardware (DPA-resistant cores), software (DPA-resistant software libraries) or both. Countermeasures – including leakage reduction, noise introduction, obfuscation and the incorporation of randomness – are critical to ensuring the protection of sensitive keys and data. It should be noted that stand-alone noise introduction is incapable of sufficiently masking side-channel emissions. Indeed, because DPA averages statistics over many traces, random noise is progressively cancelled out, so DPA conducted against a device can effectively bypass stand-alone noise countermeasures and ultimately isolate the underlying signal.

After layered countermeasures have been implemented, systems should be carefully evaluated with a Test Vector Leakage Assessment (TVLA) platform such as the Rambus DPA Workstation (DPAWS) to confirm the cessation of sensitive side-channel leakage. More specifically, DPAWS measures a range of side-channel attacks across a wide spectrum of devices and platforms. DPAWS also provides users with a highly intuitive UI paired with enhanced data visualization that creates an integrated, project-centric analytic environment specifically designed to optimize the efficiency of side-channel analysis.
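To make the two points above concrete (that noise alone only delays a statistical test, and that a TVLA-style evaluation is how leakage is confirmed or ruled out), here is an added example in Python. It is not Rambus or DPAWS code: it implements the standard fixed-vs-random TVLA with Welch's t-test over constructed synthetic traces. The "device" is an assumed Hamming-weight leakage model (one sample of each trace carries the Hamming weight of the value being processed, plus Gaussian noise), the fixed input value 0x00, the sample index 2 and the 4.5 threshold are all constructed choices for the illustration, and the masked variant processes two Boolean shares of the value instead of the value itself.

```python
"""Fixed-vs-random TVLA (Welch's t-test) over constructed synthetic traces.

Added illustration, not Rambus/DPAWS code. The 'device' is a constructed
Hamming-weight leakage model: one sample of each trace carries the Hamming
weight of the value being processed plus Gaussian noise. The 4.5 threshold
is the commonly used TVLA pass/fail criterion.
"""
import math
import random

TVLA_THRESHOLD = 4.5  # |t| above this at any sample point is treated as leakage
TRACE_LEN = 4         # samples per constructed trace
LEAK_SAMPLE = 2       # the one sample index where the constructed device leaks


def hamming_weight(x: int) -> int:
    return bin(x & 0xFF).count("1")


def make_trace(value: int, rng: random.Random, noise_sigma: float, masked: bool) -> list:
    """Constructed trace: Gaussian noise everywhere, plus HW leakage at LEAK_SAMPLE.

    Unprotected: the device handles `value` directly.
    Masked: the device only ever handles the two Boolean shares (value ^ m) and m,
    so the first-order mean of the leaking sample no longer depends on `value`.
    """
    trace = [rng.gauss(0.0, noise_sigma) for _ in range(TRACE_LEN)]
    if masked:
        m = rng.randrange(256)
        leak = hamming_weight(value ^ m) + hamming_weight(m)
    else:
        leak = hamming_weight(value)
    trace[LEAK_SAMPLE] += leak
    return trace


def collect(n: int, fixed_value: int, rng: random.Random, noise_sigma: float, masked: bool):
    """Two trace sets: one with a fixed input value, one with random input values."""
    fixed = [make_trace(fixed_value, rng, noise_sigma, masked) for _ in range(n)]
    rand = [make_trace(rng.randrange(256), rng, noise_sigma, masked) for _ in range(n)]
    return fixed, rand


def welch_t(a: list, b: list) -> float:
    """Welch's t-statistic for the difference of means of two samples."""
    na, nb = len(a), len(b)
    ma, mb = sum(a) / na, sum(b) / nb
    va = sum((x - ma) ** 2 for x in a) / (na - 1)
    vb = sum((x - mb) ** 2 for x in b) / (nb - 1)
    return (ma - mb) / math.sqrt(va / na + vb / nb)


def tvla(fixed: list, rand: list):
    """Return (max |t| across sample points, index of that sample point)."""
    scores = [abs(welch_t([tr[i] for tr in fixed], [tr[i] for tr in rand]))
              for i in range(TRACE_LEN)]
    idx = max(range(TRACE_LEN), key=scores.__getitem__)
    return scores[idx], idx


def assess(n: int, noise_sigma: float = 2.0, masked: bool = False, seed: int = 1):
    """Run a TVLA on n fixed + n random constructed traces; fixed value 0x00 (HW 0)."""
    rng = random.Random(seed)
    fixed, rand = collect(n, 0x00, rng, noise_sigma, masked)
    return tvla(fixed, rand)


if __name__ == "__main__":
    for label, kwargs in [
        ("unprotected, 1000 traces", dict(n=1000)),
        ("noise only, 500 traces", dict(n=500, noise_sigma=30.0)),
        ("noise only, 20000 traces", dict(n=20000, noise_sigma=30.0)),
        ("masked, 2000 traces", dict(n=2000, masked=True)),
    ]:
        t, idx = assess(**kwargs)
        verdict = "LEAKS" if t > TVLA_THRESHOLD else "pass"
        print(f"{label:28s} max|t| = {t:6.2f} at sample {idx}: {verdict}")
```

Running the script shows the three situations the text describes: the unprotected model fails the test with a few hundred traces; raising the noise (sigma 30 instead of 2) pushes the statistic under the threshold at 500 traces but, because Welch's t grows with the square root of the trace count, 20,000 traces bring it back well above 4.5 at the leaking sample; the first-order masked model keeps its mean independent of the fixed value, so the first-order test stays under threshold no matter how many traces are collected (it would take a higher-order test to see the variance difference between the two sets).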

Both flexible and scalable, DPAWS supports multiple side-channel sensors, device protocols and form factors, with out-of-the-box support for SASEBO and additional third-party hardware. DPAWS also easily integrates with a wide range of industry tools including Matlab, Python and other scripting languages. Moreover, the Rambus DPA Workstation supports full cipher coverage (AES, RSA, ECC, DES and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces. Source code is also available to facilitate increased flexibility.

Interested in learning more about protecting systems from side-channel attacks?

>> Download our eBook << 

]]>
https://www.rambus.com/blogs/side-channel-attack-targets-deep-neural-networks-dnns/feed/ 0
FIPS 140-3 and DPA: A Winning Combination
https://www.rambus.com/blogs/fips-140-3-and-dpa-a-winning-combination/
Thu, 25 Jul 2019 23:56:18 +0000

Recently, Rambus blogged about a large number of our DPARC and Crypto Accelerator Hardware Cores receiving FIPS 140-2 CAVP certification by NIST. As we wrote, these certifications provide our customers with assurance of the robustness, quality and applicability of our cryptographic solutions. But, as nefarious parties continue to uncover new ways to hack devices, Rambus and others must continually improve their cryptography technologies.

The standards body that regulates the FIPS 140 standard recognizes that as well. Earlier this year, the US Secretary of Commerce approved the Federal Information Processing Standards Publication (FIPS) 140-3, Security Requirements for Cryptographic Modules. The new FIPS 140-3 standard is effective on September 22, 2019, with testing on the new standard beginning exactly one year later. While not official, it is expected that current modules validated to FIPS 140-2 (like ours) will remain on the active validation list until the 140-2 sunset date. This is typically five years after the date of validation, which implies that FIPS 140-2 would remain valid until at least September 22, 2026. So, the takeaway here is that our work in getting 140-2 certification will continue to benefit our customers for at least the next half decade.

For us, the most interesting thing in the new FIPS 140-3 specification is the inclusion of language around non-invasive attacks. The 140-2 specification listed non-invasive attacks only as a definition item, with no specific requirement. The 140-3 specification specifically calls out a heightened importance of mitigations against non-invasive attacks.

For those new to non-invasive (i.e. side-channel) attacks: a side-channel attack is a method for an adversary to gain access to information about the internal activity of a chip by capturing and analyzing “unintentional” data, for example power consumption, EM emissions, behavior during voltage spikes, and others. These low-cost, non-invasive methods enable attackers to stealthily extract secret cryptographic keys used during normal device operations. Once the keys have been extracted, attackers can easily gain unauthorized access to a device, decrypt or forge messages, steal identities, clone devices, create unauthorized signatures and perform additional unauthorized transactions. Essentially, a side-channel attack is a way to steal all of a device’s secrets without having to physically hack the device. If you’re interested in learning more about DPA and how to test resistance, join us at our next DPA Workstation Training, happening in late August in Atlanta.

Rambus sees resistance against side-channel attacks as a critical item for securing devices, both now and in the future. Rambus pioneered DPA back in the mid-1990s, and we continue fundamental research into, and development of, products based on side-channel attacks. We’ve long spoken of the importance of not only testing devices to understand their resistance to side-channel attacks (using our DPA Workstation), but also building protections against these attacks into devices via our DPA-resistant software libraries, DPA-resistant hardware cores, and our more recently released combined DPARC and fault injection-resistant hardware cores.

The formal recognition of the risk of side-channel attacks via their inclusion in the FIPS 140-3 standard validates our assertion that side-channel attacks are no longer the domain of state actors, but a real, everyday threat to devices. We hope that the new standard will continue to drive awareness beyond government and military applications, and we stand ready to address our customers’ needs to make their devices as secure as possible.

]]>
https://www.rambus.com/blogs/fips-140-3-and-dpa-a-winning-combination/feed/ 0
Validating Cryptographic Algorithms to FIPS 140-2
https://www.rambus.com/blogs/validating-cryptographic-algorithms-to-fips-140-2/
Tue, 18 Jun 2019 17:29:41 +0000

NIST, the National Institute of Standards and Technology, is a United States Department of Commerce agency tasked with both the creation and maintenance of a country-wide measurement infrastructure. From their website: “From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology. Today, NIST measurements support the smallest of technologies to the largest and most complex of human-made creations—from nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair up to earthquake-resistant skyscrapers and global communication networks.”

In 1995, NIST established a method for testing and validating cryptographic algorithms such as Rambus’ Crypto Accelerators and DPA Resistant Cores. Called the Cryptographic Algorithm Validation Program (CAVP), it provides validation testing of FIPS (Federal Information Processing Standards)-approved and NIST-recommended cryptographic algorithms and their individual components. Once successfully tested and validated, NIST adds this information to their publicly-available validation list.

The CAVP certification provides third-party verification that a specific algorithm implementation has been tested and has met independent standards for robustness. Consumers of cryptographic algorithms, generally chip designers, can rely on this certification as a determination of an algorithm’s effectiveness for their designs. Even designs for commercial applications often adopt FIPS certification as a means of ensuring robust security.

Rambus was recently notified that many of our algorithms have received CAVP FIPS 140-2 certification by NIST. Highlights include our Differential Power Analysis (DPA)-resistant and standard AES (Advanced Encryption Standard) and HMAC-SHA2 (Hash-based Message Authentication Code, Secure Hash Algorithm) cores. A full list of certifications can be found on the NIST website, along with the Crypto Accelerators and DPA Resistant Cores product pages on Rambus.com. Many of the certified algorithms are included in standard configurations of our CryptoManager Root of Trust family of products.

We see the CAVP certification as especially important for our most security-conscious customers, typically those designing SoCs for government, military and automotive use. However, the importance of this certification is not unique to those markets. Regardless of what use a chip might be destined, semiconductor designers understand the growing importance of security in any connected application. The certification of cryptographic algorithms and cores to the FIPS standard provides customers with assurance of the robustness, quality and applicability of cryptographic solutions.

]]>
https://www.rambus.com/blogs/validating-cryptographic-algorithms-to-fips-140-2/feed/ 0
DPAWS 9.0: Easy Point and Click For Test and Security Engineers
https://www.rambus.com/blogs/dpaws-9-0-easy-point-and-click-for-test-and-security-engineers/
Thu, 06 Jun 2019 16:19:47 +0000

It used to be that identifying and addressing potential side-channel attack risks in semiconductor devices like SoCs was a lengthy and highly cumbersome process. But thanks to the Rambus DPAWS 9.0, that troublesome, time-consuming, prototype-lab style of testing is a thing of the past.

Today, the Differential Power Analysis WorkStation 9.0 (or DPAWS 9.0) is bringing a point-and-click user experience to test and security engineers at semiconductor and defense companies. The DPAWS 9.0 system allows those engineering staffs to assess the differential power analysis (DPA) and fault injection attack (FIA) resistance of chips under test.

Previously, side-channel attack testing was a long, cumbersome exercise in custom-built command-line code, typically only performed by highly trained, experienced engineers. Today, DPAWS 9.0 offers a Windows-based user interface that gives test and security engineers efficient, quick and easy operation. Pre-loaded code allows them to automatically run one or more tests instead of running a large amount of command-line code. A test or security engineer simply clicks on the selected test and hits the “execute” key.

Avoid Custom Script

Without having to write custom scripts, the engineering user achieves immediate results in a considerably more efficient manner by not going through dozens of command-line interfaces. The point-and-click feature of DPAWS 9.0 provides instant feedback on testing.


If there are failures, those are immediately seen, since there is a visualizer built into the test platform. Before, test and security engineering had to wait until the end of the testing process, collect all the raw data, and then process that raw data to understand whether or not a chip under test was leaking. However, with the built-in DPAWS 9.0 visualizer, test and security engineers see results in real time.

In instances where DPAWS 9.0 indicates the chip under test has a low resistance to DPA, Rambus offers users DPA software libraries (DPASL), which can be added to in-production silicon if that particular chip has enough memory.

Or, chipmakers have the option of embedding DPA-resistant hardware cores (DPARC) in their chips. These are easy-to-integrate, technology-independent soft-macro security solutions with built-in side-channel resistance for cryptographic functions across a wide array of devices. As part of a chip’s design, these DPA cores provide a rated level of side-channel resistance, expressed as the number of traces an analysis must collect. Some DPA cores are resistant to 100 million traces; others are resistant to a billion traces.

DPAWS 9.0 Takes Less Know-how

Earlier, identifying and testing chip security flaws required highly trained and specialized technicians. Those operations required considerable skill, and they were largely performed manually, taking hours and days in some cases.

Conversely, DPAWS 9.0 allows less-experienced technicians to run the testing. To operate DPAWS 9.0, personnel with a basic working knowledge of the system can run these tests. This point-and-click ease of operation frees a company from relying on only a few highly specialized technical personnel. Rather, engineers of virtually any discipline can easily become adept at operating DPAWS 9.0 and be available as backups in case they’re needed.


]]>
https://www.rambus.com/blogs/dpaws-9-0-easy-point-and-click-for-test-and-security-engineers/feed/ 0
Fault Injection Attacks PlayStation Vita’s SoC
https://www.rambus.com/blogs/fault-injection-attacks-playstation-vitas-soc/
Thu, 04 Apr 2019 16:52:32 +0000

Security researcher Yifan Lu recently published a detailed paper that examines how voltage glitching causes critical timing violations in CMOS behavior. More specifically, Lu closely analyzes CMOS transistor behavior to better understand when the combinational logic is most susceptible to voltage glitch induced faults. The paper also describes a real-world fault injection attack against the PlayStation Vita’s SoC that gains early (boot time) execution control and dumps the secure boot ROM.

As Lu notes, glitching, or fault injection, has been used for quite some time to attack software running on allegedly secure execution environments. This is because fault injection can cause a malfunction in the target’s SoC that enables an attacker to assume full control over a device. Voltage glitching, he says, is a specific kind of fault injection that is particularly appealing to attackers, as it is inexpensive to deploy and widely applicable to most chips. Crowbar glitching, he adds, was implemented in the ChipWhisperer open hardware platform and brought such attacks to the mainstream.

“It works by abusing the capacitance ringing effect caused by introducing a crowbar circuit into the existing system,” he explains. “The ringing causes faults that can be exploited.”

For the Vita attack, Lu closely examines how voltage glitches introduce timing violations into a digital circuit. He then finds snippets of code to glitch. Once a target is identified, he searches for the correct timing parameters for the crowbar circuit to cause a fault. Finally, the injected fault introduces a software vulnerability that is exploited to gain code execution.

“All of this can be done at a low cost thanks to the open hardware interface of the ChipWhisperer. With a custom script written for ChipWhisperer, we created a working attack on a security hardened consumer device,” he concludes.

From our perspective, the fault injection attack against the PlayStation Vita’s SoC could have been prevented if it had included a hardware-based security core. Siloed from the primary processor, such a security core is specially designed to securely run sensitive code, processes and algorithms. Indeed, a hardware-based security core can utilize advanced anti-tamper techniques to provide the highest level of security and protection against fault injection and other attacks. These include a canary core for the detection of glitching and over-clocking, logic and crypto redundancy, secure state encoding and ephemeral keys that are generated on-the-fly from multiple splits and flushed immediately after use.

In addition, a hardware-based security core can protect the host processor from compromise, as well as thwart non-volatile memory (NVM) key extraction, tearing and other attacks against NVM writes, corruption of non-volatile memory or fuses, probing of external buses, man-in-the-middle and replay attacks. Last, but certainly not least, a hardware-based security core can help protect SoCs against test and debug interface attacks, power/EM analysis (SPA/DPA) and other side-channel attacks, including timing attacks.

Interested in learning more about hardware-based security cores? You can check out our CryptoManager Root of Trust product page here.

]]>
https://www.rambus.com/blogs/fault-injection-attacks-playstation-vitas-soc/feed/ 0