randomness Archives - Rambus

Rambus renews DPA countermeasures license with Thales e-Security
https://www.rambus.com/blogs/rambus-renews-dpa-countermeasures-license-with-thales-e-security-2/
Wed, 14 Dec 2016 17:21:39 +0000

Rambus has renewed its Differential Power Analysis (DPA) countermeasures license agreement with Thales e-Security. Under the new five-year agreement, the Thales line of hardware security modules (HSMs) will be protected against side-channel attacks in a variety of systems, including high-performance data center appliances.

“Cyber-threats and attacks are becoming increasingly sophisticated and pervasive. Thales products are designed to help organizations stay ahead of the security game by protecting sensitive information from compromise,” said Cindy Provin, chief strategy and marketing officer at Thales e-Security. “By adding Rambus DPA countermeasures, we are able to protect against side-channel attacks, which adds an important element in our robust data security solutions.”

Dr. Martin Scott, senior VP and general manager of the Security Division at Rambus, expressed similar sentiments.

“Thales recognizes the various threats posed by side-channel attacks and has developed solutions that help their customers in businesses, governments and technology sectors mitigate the growing risk associated with these types of attacks,” Scott explained. “Strong countermeasures against these attacks provide the security needed to protect sensitive data and make sure attacks are thwarted.”

As we’ve previously discussed on Rambus Press, Differential Power Analysis is a form of side-channel attack that monitors variations in the electrical power consumption or electro-magnetic emissions of a target device. The basic method involves partitioning a set of traces into subsets, then subsequently computing the difference of the averages of these subsets. Given enough traces, extremely minute correlations can be isolated—no matter how much noise is present in the measurements.

Image Credit: Rambus Security Division (via “Introduction to Differential Power Analysis”)

A typical DPA attack comprises 6 primary stages: communicating with a target device; recording power traces while the target device performs cryptographic operations; signal processing to remove errors and reduce noise; generating prediction and selection functions to prepare for and define the analysis; computing the averages of input trace subsets; and evaluating DPA test results to determine the most probable key guesses. Additional DPA variants include reverse engineering unknown S-boxes and algorithms, correlation power analysis (CPA), probability distribution analysis, high-order DPA and template attacks.

Specific DPA countermeasure techniques include decreasing the signal-to-noise ratio of the power side channel by reducing leakage (signal) or increasing noise, for example, by making the amount of power consumed less contingent upon data values and/or operation (balancing); introducing amplitude and temporal noise; incorporating randomness with blinding and masking by randomly altering the representation of secret parameters; and implementing protocol-level countermeasures by continually refreshing and updating cryptographic protocols used by a device.

It should be noted that Rambus has licensed a range of DPA countermeasures to a number of prominent corporations such as Boeing, NVIDIA, Idaho Scientific, The Athena Group, NAGRA and Winbond.

Semiconductor Engineering highlights side-channel attacks
https://www.rambus.com/blogs/semiconductor-engineering-highlights-side-channel-attacks-2/
Wed, 02 Nov 2016 16:10:47 +0000

Brian Bailey of Semiconductor Engineering has written an article that highlights the danger side-channel attacks pose to connected devices and systems.

“As the world begins to take security more seriously, it becomes evident that a device is only as secure as its weakest component. No device can be made secure by protecting against a single kind of attack,” Bailey explained. “Encryption and root of trust can add additional layers of protection. But even then, the system may not be secure.”

Understanding the methodology behind side-channel attacks

This is because every electronic device emits information about what it is doing, says Bailey, and that information can be used to pry open its defenses. This technique is generally referred to as a side-channel attack. Side-channel attacks, which include Simple Power Analysis (SPA) and Differential Power Analysis (DPA), analyze characteristics such as power, radiation and timing to infer what a system or chip is doing.

According to Bailey, a Rambus paper written by Gilbert Goodwill confirms that an unprotected AES128 algorithm running on a generic processor can be cracked with only 4 minutes of sample data collected and 10 minutes of analysis.

“When the same algorithm was implemented in an FPGA board, it increased the collection time to 50 minutes plus 12 minutes for analysis,” he noted. “Using that same board, but with a DPA-protected implementation, they were not able to crack it even after obtaining 3 hours of trace data. The statistics they collected also indicated that obtaining more traces would not enable them to crack the device.”

As Bailey points out, there are still many connected devices that have yet to be hacked.

“Lightbulbs never had to have security built into them, but they do now. Security didn’t matter until they become connected,” he added. “Now they provide a way into your network. One can only hope that more companies take hacking seriously, but early indications are that it is still an afterthought.”

As we’ve previously discussed on Rambus Press, all physical electronic systems routinely leak information about their internal process of computing. In practical terms, this means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys from IoT endpoints. Regardless of specific instruction set architecture (ISA), most industry security solutions on the market today can be soundly defeated by side-channel attacks. Even a simple radio is capable of gathering side-channel information by eavesdropping on frequencies emitted by electronic devices. In some cases, secret keys can be recovered from a single transaction clandestinely performed by a device several feet away.

Worryingly, millions, if not billions, of connected IoT endpoints are powered by chips that are vulnerable to side-channel attacks. Such unprotected silicon can be found in a wide range of electronic devices including wearables, medical equipment, vehicles, smart appliances and rapidly evolving smart city infrastructure. Fortunately, specific DPA countermeasure strategies can be employed to protect IoT devices and related infrastructure. These include techniques to minimize information leakage, generating noise to drown out leakage signals, the use of randomness to mask computational intermediates, algorithm and implementation obfuscation as well as the use of protocols designed to preserve secrecy even in the presence of (some) leakage.

Interested in learning more about protecting silicon from side-channel attacks? You can check out our DPA countermeasures page here and our article archive on the subject here.

 

Rambus inks security licensing agreement with Idaho Scientific
https://www.rambus.com/blogs/rambus-inks-security-licensing-agreement-with-idaho-scientific-2/
Wed, 10 Aug 2016 16:39:27 +0000

Rambus has signed an agreement with Idaho Scientific to license its Differential Power Analysis (DPA) countermeasures. According to Dr. Martin Scott, general manager of Rambus’s Security Division, the DPA countermeasures will be used in Idaho Scientific’s FPGA and defense ASIC security IP Cores.

“Today’s leading aerospace and defense companies are looking for solutions to counter the increasing threat of side-channel attacks,” said Scott. “This licensing agreement will grant Idaho Scientific’s customers access to advanced DPA countermeasures – allowing them to safeguard the data integrity of applications requiring a high level of security, particularly those serving the aerospace and defense sectors.”

As Scott points out, broader and faster adoption of DPA countermeasures in the FPGA ecosystem will ensure that components are insulated from these types of vulnerabilities.

“Idaho Scientific has the ability to rapidly deliver solutions based on our DPA countermeasures that will bring significant benefits to the industries they serve, where safety and security are a top priority,” he added.

Dale Reese, president of Idaho Scientific, expressed similar sentiments.

“By incorporating Rambus’ technology into our IP cores, we provide our customers access to premier solutions that are immune to DPA attacks,” said Reese. “The Rambus DPA countermeasures enhance the efficiencies of our FPGA and ASIC encryption cores, which are especially critical to our aerospace and defense customers.”

DPA countermeasures, developed by Rambus Cryptography Research, consist of a broad range of software, hardware, and protocol techniques that protect devices from side-channel attacks. DPA is a type of side-channel attack that monitors variations in the electrical power consumption or electro-magnetic emissions from a target device. These measurements can then be used to obtain cryptographic keys and other sensitive information from semiconductors.

According to Rambus Security Fellow Pankaj Rohatgi, the industry is quite concerned over the potential extraction of keys or the reverse engineering of sensitive military algorithms using both Simple Power Analysis (SPA) and DPA.

“These attacks involve measuring and analyzing the power consumed by a device while it is performing its normal operations with secret keys and algorithms. Such passive, noninvasive attacks cannot be detected or audited by the device,” he told Military Embedded Systems. “Portable electronics, communications gear and ‘leave-behind’ equipment are the most vulnerable: They are easiest for an enemy to acquire and access. After conducting the attack, the enemy could eavesdrop on military communications and forge command-and-control messages. In a military setting, the enemy [is] much stealthier and successful attacks might not get discovered until it is too late.”

Specific countermeasures, says Rohatgi, include leakage reduction, noise introduction, obfuscation and the incorporation of randomness. It should be noted that Rambus has licensed a range of DPA countermeasures to a number of prominent corporations such as Boeing, NAGRA, The Athena Group and Winbond.

NIST bolsters random number generators
https://www.rambus.com/blogs/nist-bolsters-random-number-generators-2/
Tue, 02 Feb 2016 16:27:23 +0000

The National Institute of Standards and Technology (NIST) has published the second draft of a publication that details design principles for entropy sources, which measure the randomness of generated numbers.

As FCW’s Sean Lyngaas recently noted, without reliable random bit generators (RBGs), cyber criminals can slice through a user’s communications.

“Security flaws in random number generators have been a significant source of vulnerabilities in cryptographic systems over many years,” Paul Kocher, chief scientist at the Cryptography Research Division of Rambus told the publication. “So it is crucially important to have random number generators that work well.”

According to Lyngaas, the NIST draft specifies data that cryptographers can submit for entropy testing. The draft also describes the process of calculating initial entropy estimates, detailing how multiple noise sources of entropy can be factored into the calculation.

“The validation of an entropy source presents many challenges,” the NIST document reads. “No other part of an RBG is so dependent on the technological and environmental details of an implementation.”

Elaine Barker, one of the publication’s authors, told FCW that NIST was closely coordinating with those in charge of validating entropy sources.

“We don’t want to require anything that they can’t validate,” she explained. “As we deal with the various vendors, we get an idea of what they can and cannot do.”

NIST is fielding feedback on its document via email through May 9th and will also offer a public workshop.

“NIST knows it needs to rebuild credibility after the Dual EC DRBG controversy, and seems to be doing the right things,” Kocher added. “These drafts from NIST are uncontroversial, and don’t have controversial constructions of the sort found in Dual EC DRBG that can harbor backdoors.”

Cracking SIM cards with side-channel attacks
https://www.rambus.com/blogs/cracking-sim-cards-with-side-channel-attacks-2/
Tue, 11 Aug 2015 16:18:59 +0000

A Jiao Tong University researcher has exploited side-channel attack techniques to crack the encryption codes protecting 3G and 4G cards.

“[The cards use] AES-128, which is supposed to be virtually unbeatable by a brute-force attack, but turns out to be easy to defeat using side-channel analysis,” explained Iain Thomson of The Register. “Side-channel attacks measure things like power consumption, electromagnetic emissions and heat generation to work out what is going on in a chip. The technique has been around for years, and requires physical access to the target device.”

As Thomson reports, Yu Yu and his university team tracked power levels using an oscilloscope, monitored data traffic with an MP300-SC2 protocol analyzer and correlated the results with a SIM card reader and a standard PC.

“With this simple setup they cracked eight commercial SIM cards in between 10 and 80 minutes,” said Thomson. “Yu [also] demonstrated how the cloned SIM card can successfully impersonate the owner in class [and] showed how a cloned card could change the password on an Alipay and potentially drain the account.”

According to Yu, the above-mentioned hack is based on known differential power analysis attacks.

“The move to AES-based encryption algorithms in 3G/4G USIM cards did not systematically take advantage of state-of-the-art countermeasures against side-channel attacks,” he added. “Indeed, the USIM cards we analyzed essentially relied on plain (unprotected) software implementations of the AES.”

Helena Handschuh, a Director at Rambus’ Cryptography Research division, co-designed the MILENAGE standard discussed in Yu’s Black Hat paper. According to Handschuh, AES-128/Rijndael was chosen for MILENAGE in 2001 so that side-channel countermeasures could be easily incorporated in a SIM-class platform.

“Yu Yu’s paper demonstrates once again that, even though these algorithms are mathematically strong and unbroken, all implementers of crypto need to be aware of side-channel attacks and take appropriate steps to mitigate them,” Handschuh concluded.

As we’ve previously discussed on Rambus Press, physical electronic systems routinely leak information about the internal process of computing. In practical terms, this means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys.

As such, the Rambus Cryptography Research division has designed a range of DPA countermeasures that offer a combination of software, hardware and protocol techniques specifically designed to protect tamper-resistant devices from side-channel attacks. These include leak reduction, incorporating randomness, generating amplitude and temporal noise, as well as executing protocol-level countermeasures.

Interested in learning more about how Rambus is helping to secure SoCs, devices and content? You can read more about our DPA countermeasures here, CryptoFireWall Cores here and CryptoManager platform here.
