Chip and system designers are engaged in a cat-and-mouse battle against hackers to try to prevent information leaking from their circuits that can be used to reveal supposedly secure cryptographic keys and other secrets.
Traditionally, such side-channel attacks have relied on expensive bench-top instruments such as digital-storage oscilloscopes, but the development of an open-source platform dubbed ChipWhisperer based on affordable programmable integrated circuits (ICs) has widened the potential user base, as well as making it easier for designers to assess the vulnerability of their own designs. The latest addition to the ChipWhisperer platform developed by Colin O'Flynn, a doctoral student at Dalhousie University in Nova Scotia, Canada, and colleague Zhizhang Chen is based on a $90 board that is able to recover secret keys from simple microcontroller-based targets in a matter of minutes, although it is by no means an automated process.
"Because of the way in which the attack works, it's very important to understand the theory behind it," O'Flynn points out. However, an important feature of this class of attack is that it focuses on the core algorithm, rather than on the idiosyncrasies of a particular implementation.
To Patrick Schaumont, associate professor of electrical and computer engineering and the director of the Center for Embedded Systems for Critical Applications at Virginia Polytechnic Institute and State University (Virginia Tech), "What makes side-channel analysis so impressive and so scary is that people who have access to your implementation need to make very few assumptions on what is actually happening inside. They are able to work toward success based purely on statistics."
The key to side-channel analysis is that changes in data as they are processed by algorithms running on a microprocessor or dedicated hardware unit yield a detectable fingerprint, which may be picked up as changes in the power consumed by the target or as heat or electromagnetic emissions. Daniel Mayer, senior applications security consultant at New York City-based security research firm Matasano Security, explained at the recent Black Hat USA conference: "They are all related to the computation that the system does at a given time. Using that information, picked up outside the application, you can infer something about the secret it contains."
Even the sounds from the windings of a transformer in a power supply have been used to collect information about the operation of a circuit in research by leading cryptologist Adi Shamir, based at the Weizmann Institute of Science and working with colleagues from Tel Aviv University. Changes in the amount of current passing through the transformer cause oscillations that can be heard as subtle changes in sound.
Timing-based attacks provide the basis for some of the simplest forms of side-channel analysis. O'Flynn cites a now-discontinued hard drive that used a PIN code entered on its panel to provide access to users. An attacker could measure how long the drive's firmware took to analyze different codes by simply iterating through integers at each position in the six-digit PIN. "As soon as the while-loop to check the PIN fails, it just exits. There should be a million combinations of this password. But even in the worst case for this drive, it takes just 60 tries to guess the PIN."
Measuring timing makes it possible to perform side-channel attacks across a network instead of requiring that the target equipment be in the hands of the hacker. Some network services tend to be highly vulnerable. "Web API keys are places where developers commonly perform comparisons insecurely," says Joel Sandin, a security consultant at Matasano Security who worked with Mayer on side-channel analysis research.
The Matasano researchers and others have confirmed that statistical analysis can help the attacker to discern data-dependent changes in execution time, although actual exploitation is not straightforward as there is no direct way to separate application execution time from network latency. "With a remote-timing attack, we can't measure execution time directly; we can only measure round-trip time," says Sandin.
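The early-exit PIN check O'Flynn describes, next to a comparison that does the same work for every guess, as an added example (not code from the article or from any drive's firmware). The function names, the sample PIN and the use of a digit-comparison counter in place of measured time are assumptions.

```python
PIN_LEN = 6
DIGITS = "0123456789"

def check_early_exit(guess, secret):
    """Vulnerable: stops at the first wrong digit. Returns (match, digits_compared)."""
    steps = 0
    for g, s in zip(guess, secret):
        steps += 1
        if g != s:
            return False, steps
    return True, steps

def check_constant_work(guess, secret):
    """Hardened: touches every digit and folds differences together without exiting."""
    diff = steps = 0
    for g, s in zip(guess, secret):
        steps += 1
        diff |= ord(g) ^ ord(s)
    return diff == 0, steps

def guesses_until_recovered(check, secret):
    """Search digit by digit using only the step count as the side channel.

    Returns (recovered_pin_or_None, guesses_made). None means the step count
    carried no per-digit signal, so only full brute force remains.
    """
    known, tries = "", 0
    for _ in range(PIN_LEN):
        observed = []
        for d in DIGITS:
            guess = (known + d).ljust(PIN_LEN, "0")
            ok, steps = check(guess, secret)
            tries += 1
            if ok:
                return guess, tries
            observed.append((steps, d))
        if max(observed)[0] == min(observed)[0]:
            return None, tries          # every candidate cost the same work
        known += max(observed)[1]       # the digit that let the loop run longer
    return None, tries

if __name__ == "__main__":
    # Constructed sample PIN; "999999" is the worst case for this search.
    print(guesses_until_recovered(check_early_exit, "999999"))
    print(guesses_until_recovered(check_constant_work, "999999"))
```

For the API-key comparisons Sandin mentions, Python's standard library already provides a constant-time comparison in `hmac.compare_digest`.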
Algorithms can be written to avoid giving away information easily, but power and electromagnetic emissions provide more subtle clues about the data being processed, even if the application designer takes precautions. Some attacks focus on the differences in the complexity of logic blocks used to perform cryptographic operations.
A naïve implementation of the modular exponentiation operations common to many cryptographic algorithms calls for a squaring operation when the relevant key bit is 0, and a square and a multiply when the key bit is 1. A binary multiply operation generally involves many more logic steps than the squaring operation, which can be implemented as a simple shift of the data in the word to the left. As a result, the multiply's power consumption should be higher.
Typically, the attacker will, as with the timing attacks, provide known text to the target system. As the text changes, the attacker can record the shifts in power consumption caused by different logic blocks being activated. The power and activity difference between the shift and multiply operations makes the analysis relatively simple, and has successfully uncovered keys on the low-end microcontrollers used in early smartcards using fewer than 100 different pieces of source plaintext.
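Why the naive exponentiation loop is a problem, as an added example that is not from the article: the sequence of square (S) and multiply (M) operations is a direct copy of the exponent bits, while a variant that multiplies on every bit produces the same sequence for every exponent of that length. The function names and the sample values are assumptions; a power trace is modelled here simply as the list of operations executed.

```python
def modexp_naive(base, exp, mod):
    """Left-to-right square-and-multiply: multiplies only when the key bit is 1."""
    result, ops = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops.append("S")
        if bit == "1":
            result = result * base % mod
            ops.append("M")
    return result, "".join(ops)

def modexp_always_multiply(base, exp, mod):
    """Square and multiply on every bit; the product is discarded when the bit is 0."""
    result, ops = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops.append("S")
        product = result * base % mod        # performed regardless of the bit
        ops.append("M")
        # Firmware would use a branch-free select here; Python is only a model.
        result = product if bit == "1" else result
    return result, "".join(ops)

def bits_visible_in_ops(ops):
    """What the operation sequence alone reveals: 'SM' reads as 1, a lone 'S' as 0."""
    bits, i = [], 0
    while i < len(ops):
        if ops[i:i + 2] == "SM":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return "".join(bits)

if __name__ == "__main__":
    secret_exp = 0b101101                    # constructed sample exponent
    _, leaky = modexp_naive(7, secret_exp, 1009)
    _, flat = modexp_always_multiply(7, secret_exp, 1009)
    print(leaky, bits_visible_in_ops(leaky))  # sequence mirrors the exponent
    print(flat, bits_visible_in_ops(flat))    # sequence is the same for any exponent
```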
As designers have implemented techniques to hide the differences between operations, sometimes by performing fake multiplications, attention in side-channel analysis has focused on the data itself. O'Flynn says the Hamming weight, the number of logic ones in a binary word, provides important clues about the state of the target as data moves through it.
"Inside a digital device there will be different modules. In between them there will be a data bus. It takes physical electrons to change logic levels, which takes power. If, at one instant in time, it takes more power than at another, it is probably setting more bits high," O'Flynn explains, and that difference in power can be described using the Hamming weight.
The connection between power and Hamming weight is linear. Some algorithms, such as the S-box part of the AES algorithm, have a more obvious, non-linear relationship between source data and result. This, says O'Flynn, provides potentially richer data for side-channel analysis if designers do not find ways to disguise what the algorithms are doing internally.
Countermeasures against side-channel attacks mainly focus on ways to disguise the data being leaked, increasing the number of operations the attacker needs to collect for a successful breach. One key technique is masking, in which a random value is combined with real data on the way into the cryptoprocessor. The use of random values obscures the Hamming weights of successive pieces of data, reducing the correlation between the predictions made by the attacker's model of the algorithm and the results of the cryptographic operations. The effect of this operation is reversed after processing, to recover the properly encrypted data.
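A designer-side check of the masking effect described above, as an added example that is not from the article: it simulates a bus whose power draw follows the Hamming weight of the value on it and measures how well a Hamming-weight model of the unmasked value correlates with that draw, with and without a fresh random mask. XOR masking, the Gaussian noise level, the sample key byte and all names are assumptions.

```python
import random
from math import sqrt

def hamming_weight(x):
    return bin(x).count("1")

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)

def leakage_correlation(masked, n_traces=5000, key=0x3C, noise=0.5, seed=1):
    """Correlate the model HW(data ^ key) with the simulated power samples.

    masked=False: the intermediate value itself appears on the bus.
    masked=True:  a fresh random byte is XORed in before the value is handled.
    """
    rng = random.Random(seed)               # fixed seed so the run is repeatable
    predicted, measured = [], []
    for _ in range(n_traces):
        data = rng.randrange(256)            # known input byte (constructed)
        value = data ^ key                   # intermediate the model predicts
        mask = rng.randrange(256) if masked else 0
        on_bus = value ^ mask
        assert on_bus ^ mask == value        # the mask is removable after processing
        predicted.append(hamming_weight(value))
        measured.append(hamming_weight(on_bus) + rng.gauss(0, noise))
    return pearson(predicted, measured)

if __name__ == "__main__":
    print("unmasked:", round(leakage_correlation(False), 3))
    print("masked:  ", round(leakage_correlation(True), 3))
```

The unmasked correlation sits close to 1, while the masked one falls to the noise floor for this first-order model, which is what forces an observer to collect far more operations.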
To try to give designers a better understanding of the effectiveness of countermeasures, researchers have tried to model them analytically. A team led by Virginia Tech's Schaumont has developed the first of a series of algorithms that calculate at the source-code level the resistance to attacks that different masking schemes can achieve. Mayer and Sandin demonstrated a tool at Black Hat that helps analyze the vulnerability of software running on a server to timing-based attacks. In other work, Yunsi Fei and colleagues from Northeastern University developed a statistical model to calculate the degree to which activity from other modules in the target chip can mask the emissions that could be used by an attacker.
Researchers maintain countermeasures cannot render crypto circuitry immune to side-channel attacks. Says Chris Woods, researcher at Quo Vadis Labs and a member of a team from the University of Cambridge in the U.K. that developed techniques for optimizing such attacks, "Side-channel attacks can break any countermeasure, given enough time; the countermeasure can only delay the process. Any chip will leak information; it's just a matter of trying to mitigate the leakage."
Hackers have found profitable targets that make the breaking of countermeasures worthwhile. Embedded systems such as set-top boxes can provide rich pickings for pirates if they are able to crack master keys in such a way that enables them to provide access codes to users who pay for them. Some hackers are prepared to invest in sophisticated hardware and manpower to improve their chances of successfully recovering keys.
Some devices contain counters and other circuitry to detect anomalous use, wiping the secret keys if the attacker exceeds a threshold value, which is much more likely if masking is used in the core algorithm. Yet even here, the hackers have tools they can use to prevent the counters being employed. Targeted electrical glitches can prevent these protection circuits from operating correctly. More sophisticated attacks use lasers fired at a key part of the chip surface, taking advantage of the sensitivity to some wavelengths of light that silicon transistors exhibit.
Peter Ateshian, a researcher at Dutch security specialist Riscure and at the Naval Postgraduate School in Monterey, CA, says, "Pirates will spend up to $10 million or so for cracking a new system-on-chip or new set-top box element. They will build their own devices to see how to extract information from the video stream."
Governments can find reasons to invest even more in breaking the encryption on a device they have captured or confiscated. "If we are talking about national governments, they have effectively unlimited resources," Ateshian says.
Woods warns if the attacker's model of the system's behavior is good enough, "you will be able to break the device no matter what."
Kocher, P.C., Jaffe, J., Jun, B. Differential Power Analysis, Proceedings of the 19th Annual Conference on Advances in Cryptology (CRYPTO '99). http://bit.ly/1zODaKr
O'Flynn, C., Chen, Z. ChipWhisperer: An Open-Source Platform for Hardware Embedded Security Research, Constructive Side-Channel Analysis and Secure Design, Lecture Notes in Computer Science (2014). https://eprint.iacr.org/2014/204.pdf
Eldib, H., Wang, C., Taha, M., Schaumont, P. QMS: Evaluating the Side-Channel Resistance of Masked Software from Source Code, Proceedings of the 51st Annual Design Automation Conference (2014). http://dl.acm.org/citation.cfm?id=2593193
Fei, Y., Ding, A.A., Lao, J., Zhang, L. A Statistics-based Fundamental Model for Side-channel Attack Analysis, IACR Cryptology ePrint Archive 2014, 152 (2014). https://eprint.iacr.org/2014/152
©2015 ACM 0001-0782/15/04