A Hardware-Centric Approach to Countering Side-Channel Threats

From laptops and mobile devices to cars and airplanes, we are seeing near-daily threats to the systems and devices we use. Systems being used and deployed in the aerospace and defense industry face the same problem. As their complexity has increased, so has their attack surface, making them increasingly vulnerable to security threats. There has also been substantial growth in malicious, state-sponsored organizations that target defense systems; these organizations are adept at discovering vulnerabilities and using them to compromise the integrity of systems and exfiltrate sensitive information.

Cryptography is a basic building block for ensuring system security. For example, within a single system, digital signatures can be used to verify the integrity of code, code updates, and configuration data before they are executed or applied on a system. In addition, encryption and message authentication codes are used to protect sensitive information kept on the system from leakage or modification. Lastly, communications between systems can be protected by public-key infrastructure, encryption and authentication.

However, cryptography itself relies on operations with secret keys that must be maintained securely to ensure the secrecy and integrity of the information it is defending, and protecting these secret keys can be a significant challenge. Given the large number of vulnerabilities in complex software-based systems, most well-secured systems used in the aerospace and defense industry rely on tamper-resistant hardware to securely store and use these secret keys. But even in well-secured systems, there is a class of attacks applicable to all software or hardware cryptographic implementations that can easily and non-invasively steal secret keys.

Known as “side-channel attacks,” these attacks measure information that comes out of a piece of hardware (biases in power consumption, electromagnetic (EM) emissions, and heat) with the intent of using that information to uncover the secret cryptographic keys within a device. Once an attacker has gained access to this information (often remotely), they can analyze the collected data to recover the key. Unlike physical attacks, side-channel attacks are non-invasive, easily automated, and can be mounted without knowing the design of the target device.

Adding to the threat is the fact that these attacks require a relatively low degree of sophistication, using tools as common as a laptop and an oscilloscope that can be easily purchased on the consumer market. Using an automated routine, an attacker can perform a side-channel attack on an unprotected device in minutes.

There are two classes of side-channel attacks. The first, known as simple power analysis (SPA), recovers a key from a single cryptographic transaction. This requires a strong signal and close proximity to the target device, and it is more commonly applied to public-key cryptography-based systems, where bits of the secret private key control the sequence of operations performed within the device. In these settings, different operations create different observable features within the side-channel signal. By observing the sequence of features in the side-channel signal, the attacker gains information about the key-dependent sequence of operations that were performed in the device, from which the secret key can be deduced.

More concerning is differential power analysis (DPA) and a related attack known as correlation power analysis, which can piece together a key from the statistical analysis of multiple side-channel measurements taken from operations performed using the key. By leveraging the law of large numbers to exploit small sources of power variation, all the way down to the switching of a single transistor, an attacker can conduct an extremely devastating intrusion. Because it relies on statistics rather than on a visible sequence of operations, DPA can be applied to symmetric-key algorithms, where the sequence of operations is key-independent and only the data processed by the operations varies, as well as in situations where the collected side-channel data is very noisy or of otherwise poor quality. In essence, DPA exploits the fact that every hardware component or subcomponent involved in cryptographic processing makes a data-dependent contribution to the overall power or EM measurement, and this contribution, however minuscule compared to other unrelated activity or noise, can be detected and targeted using statistical analysis, given a sufficient number of traces.

A successful side-channel attack can give an attacker access to otherwise restricted systems within a device. For instance, recovered keys can be used to decrypt or forge messages, issue rogue commands, clone a device, and insert Trojans. Given these significant security threats, power-analysis countermeasures are a requirement for tamper-resistant products.

Early research into side-channel attacks focused on smartcard transactions, but time and study have shown that the threat goes far beyond smartcards into large, complex systems, mobile devices, point-of-sale devices, and much more. The integrity of many computer systems, and often entire networking infrastructures, can depend on a handful of critical root keys that can be discovered via side-channel attacks. Power-analysis attacks are a threat to any device or system that processes sensitive information and requires tamper resistance.

So, how can we ensure that side-channel attacks are not used to penetrate sensitive pieces of hardware? One solution is to simply make hardware that does not show biases in power consumption. However, this is nearly impossible to achieve in a way that is affordable or scalable. Instead, we must secure the hardware available to us today, and the most secure approach is to have countermeasures built into the cryptographic hardware.

To thwart hostile electronic eavesdropping, researchers have developed countermeasures that negate or significantly limit the threat of DPA and SPA attacks. One technique is to add noise to the side-channel measurements, either by drowning out the sensitive cryptographic activity with other unrelated activity or by activating noise generators (amplitude noise). A related technique is to add clock jitter, random delays, instruction-sequence reordering, or dummy operations to introduce uncertainty about when a particular operation occurred. These noise countermeasures decrease the signal-to-noise ratio for attackers, forcing them to collect a much larger number of traces to detect and target the cryptographic activity.

However, in practice, noise addition can be costly and is not a strong deterrent by itself, since the number of traces an attacker needs grows only quadratically as the signal-to-noise ratio decreases. A stronger technique is to incorporate randomness into the cryptographic calculation itself. With this approach, an internal hardware-based random number generator is used to mask the data values that are processed within the cryptographic calculation, so that each data-processing step, and thus the side-channel leakage from it, is statistically independent of the secrets. The cryptographic calculation itself is modified so that it operates on the randomly masked data values together with the random masks and still produces the correct result.

While these masking techniques do increase the size of the implementation by a small factor, they increase the number of traces needed to perform an attack exponentially. Noise addition and random-masking techniques work in concert to ensure that the information about the key contained within the side-channel measurements collected by any attacker is substantially reduced or dispersed, making key reconstruction from any reasonable number of traces statistically infeasible. These hardware solutions start with the core itself, ensuring that the processing components powering aerospace or defense systems are immune to the threat of side-channel attacks from the moment they leave the production design.
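As an added illustration (not part of the article or of any Rambus design), the following Python models the masking technique described above on a single S-box step: the lookup is recomputed so that it consumes a masked input and emits a masked output share, the share recombines with its mask to the correct result, and a fixed-vs-random leakage assessment on a constructed Hamming-weight leakage model shows secret-dependent first-order leakage for the unmasked register but none for the masked share. The S-box, the leakage model, the noise level and the t-statistic threshold are constructed assumptions.

```python
import random
import statistics

# Constructed 4-bit S-box (a permutation); stands in for the cipher's nonlinear step.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(v):
    """Hamming weight: the constructed leakage model assumes power tracks set bits."""
    return bin(v).count("1")

def masked_sbox_table(m_in, m_out):
    """Recompute the table so it maps (x ^ m_in) to (S[x] ^ m_out); the loop
    counter x is public, so nothing secret-dependent is processed unmasked."""
    table = [0] * 16
    for x in range(16):
        table[x ^ m_in] = SBOX[x] ^ m_out
    return table

def sbox_masked(x_masked, m_in, m_out):
    """S-box on a masked input; returns only the output share S[x] ^ m_out."""
    return masked_sbox_table(m_in, m_out)[x_masked]

def unmask(y_masked, m_out):
    """Recombining the share with its mask gives the true S-box output."""
    return y_masked ^ m_out

def welch_t(a, b):
    """Welch's t-statistic between two sets of leakage samples."""
    va, vb = statistics.variance(a), statistics.variance(b)
    return (statistics.fmean(a) - statistics.fmean(b)) / (va / len(a) + vb / len(b)) ** 0.5

def fixed_vs_random_t(masked, n=2000, fixed=0x7, sigma=0.5, seed=1):
    """Fixed-vs-random leakage assessment of the value held in the S-box output
    register; |t| above roughly 4.5 means first-order leakage is detectable."""
    rng = random.Random(seed)
    fixed_l, rand_l = [], []
    for _ in range(n):
        for x, bucket in ((fixed, fixed_l), (rng.randrange(16), rand_l)):
            if masked:
                m_in, m_out = rng.randrange(16), rng.randrange(16)  # fresh masks per run
                y = sbox_masked(x ^ m_in, m_in, m_out)  # the value actually processed
            else:
                y = SBOX[x]
            bucket.append(hw(y) + rng.gauss(0, sigma))  # simulated noisy measurement
    return welch_t(fixed_l, rand_l)

if __name__ == "__main__":
    print(f"unmasked |t| = {abs(fixed_vs_random_t(False)):.1f}")
    print(f"masked   |t| = {abs(fixed_vs_random_t(True)):.1f}")
```

The masked share passes the first-order test because S[x] ^ m_out is uniformly distributed whatever x is; recovering information about x would require combining the share with the mask's own leakage, which is exactly the higher-order effort the article describes.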

This article was written by Pankaj Rohatgi, Fellow, Hardware Security Solutions, Rambus Cryptography Research Division (Sunnyvale, CA).