temporal noise Archives - Rambus

At Rambus, we create cutting-edge semiconductor and IP products, providing industry-leading chips and silicon IP to make data faster and safer.

Extracting crypto keys from the Cloud
https://www.rambus.com/blogs/extracting-crypto-keys-from-the-cloud-2/
Wed, 14 Oct 2015 16:32:41 +0000

A Worcester Polytechnic Institute research team has confirmed that it managed to successfully extract cryptographic keys from the Cloud. According to a recently published paper, the team built upon previous work by Ristenpart, who demonstrated the viability of co-location and provided the first concrete evidence of sensitive information leakage on a commercial cloud.

“We show that co-location can be achieved and detected by monitoring the last level cache in public clouds,” the Worcester team explained in an article extract. “More significantly, we present a full-fledged attack that exploits subtle leakages to recover RSA decryption keys from a collocated instance.”

To be sure, the researchers targeted a recently patched Libgcrypt RSA implementation by mounting Cross-VM Prime and Probe cache attacks in combination with other tests to detect co-location in a cloud-based service. As a preparatory step, the team reverse engineered the unpublished nonlinear slice selection function for a leading server processor powering the cloud service, which significantly helped accelerate the attack.

After co-location was detected and verified, the researchers performed the Prime and Probe attack to recover noisy keys from a carefully monitored cloud service VM running the vulnerable libgcrypt library. The noisy data was subsequently processed, allowing the team to obtain the complete 2048-bit RSA key used during encryption.

This work, says the Worcester team, reaffirms privacy concerns and underlines the need for deploying stronger isolation techniques in public clouds. Chris Gori, a Technical Director at Rambus Cryptography Research, concurred.

“Physical electronic systems routinely leak information about the internal process of computing. In practical terms, this means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys,” Gori told Rambus Press. “This is true for enterprise servers and data centers, as well as mobile devices, PCs and SIM cards.”

As we’ve previously discussed, the Rambus Cryptography Research division has designed a range of DPA countermeasures that offer a combination of software, hardware and protocol techniques specifically designed to protect tamper-resistant devices from side-channel attacks. These include leak reduction, incorporating randomness, generating amplitude and temporal noise, as well as executing protocol-level countermeasures.

Interested in learning more about how Rambus is helping to secure SoCs, devices and content? You can read more about our DPA countermeasures here, CryptoFireWall Cores here and CryptoManager platform here.

Cracking SIM cards with side-channel attacks
https://www.rambus.com/blogs/cracking-sim-cards-with-side-channel-attacks-2/
Tue, 11 Aug 2015 16:18:59 +0000

A Jiao Tong University researcher has exploited side-channel attack techniques to crack the encryption codes protecting 3G and 4G cards.

“[The cards use] AES-128, which is supposed to be virtually unbeatable by a brute-force attack, but turns out to be easy to defeat using side-channel analysis,” explained Iain Thomson of The Register. “Side-channel attacks measure things like power consumption, electromagnetic emissions and heat generation to work out what is going on in a chip. The technique has been around for years, and requires physical access to the target device.”

As Thomson reports, Yu Yu and his university team tracked power levels using an oscilloscope, monitored data traffic with an MP300-SC2 protocol analyzer and correlated the results with a SIM card reader and a standard PC.

“With this simple setup they cracked eight commercial SIM cards in between 10 and 80 minutes,” said Thomson. “Yu [also] demonstrated how the cloned SIM card can successfully impersonate the owner in class [and] showed how a cloned card could change the password on an Alipay and potentially drain the account.”

According to Yu, the above-mentioned hack is based on known differential power analysis attacks.

“The move to AES-based encryption algorithms in 3G/4G USIM cards did not systematically take advantage of state-of-the-art countermeasures against side-channel attacks,” he added. “Indeed, the USIM cards we analyzed essentially relied on plain (unprotected) software implementations of the AES.”

Helena Handschuh, a Director at Rambus’ Cryptography Research division, co-designed the MILENAGE standard discussed in Yu’s Black Hat paper. According to Handschuh, AES-128/Rijndael was chosen for MILENAGE in 2001 so that side-channel countermeasures could be easily incorporated in a SIM-class platform.

“Yu Yu’s paper demonstrates once again that, even though these algorithms are mathematically strong and unbroken, all implementers of crypto need to be aware of side-channel attacks and take appropriate steps to mitigate them,” Handschuh concluded.

As we’ve previously discussed on Rambus Press, physical electronic systems routinely leak information about the internal process of computing. In practical terms, this means attackers can exploit various side-channel techniques to gather data and extract secret cryptographic keys.

As such, the Rambus Cryptography Research division has designed a range of DPA countermeasures that offer a combination of software, hardware and protocol techniques specifically designed to protect tamper-resistant devices from side-channel attacks. These include leak reduction, incorporating randomness, generating amplitude and temporal noise, as well as executing protocol-level countermeasures.

Rambus Cryptography Research helps Barco Silex thwart PoS security threats
https://www.rambus.com/blogs/rambus-cryptography-research-helps-barco-silex-thwart-pos-security-threats-2/
Mon, 06 Apr 2015 21:34:37 +0000

The Cryptography Research division of Rambus recently clinched a partnership agreement with Barco Silex. According to Rambus Cryptography VP Dr. Simon Blake-Wilson, the agreement allows Barco Silex to develop DPA-resistant solutions that will help accelerate time-to-market for security-based products.

“The risk of breaches continues to explode and customers need to quickly get secure solutions into the market,” said Blake-Wilson.

“This is why Barco Silex will be utilizing differential power analysis, or DPA, countermeasure technology to help protect against security risks in a variety of point-of-sale applications. These include banking, retailing, mass transit and wireless telecommunications.”

Sébastien Rabou, Product Manager at Barco Silex, expressed similar sentiments.

“Side-channel attacks are becoming more prevalent and we need a sound solution to combat this growing risk to ensure customer confidence and protect high value assets,” Rabou explained. “The partnership with Rambus provides us with access to world-class cryptography engineers – while developing solutions to benefit the point-of-sale market.”

As Blake-Wilson notes, concerns about DPA security breaches originally surfaced in the smartcard space. Nevertheless, the potential for such attacks is quickly spreading into numerous markets.

“For this reason, there is a need for DPA countermeasures to be adopted across all markets where valuable financial and personal data is being handled,” he added. “Today, products commonly at risk include point-of-sale devices, mobile phones, secure USB flash drives, pay television set-top boxes and optical disc players, among others.”

As we’ve previously discussed on Rambus Press, DPA countermeasures developed by the company’s Cryptography Research Division offer a combination of software, hardware and protocol techniques specifically designed to shield tamper-resistant devices from side-channel attacks. These include leak reduction, incorporating randomness, generating amplitude and temporal noise, as well as executing protocol-level countermeasures.
