On dangerous ground: The rise and fall of military systems power: Q&A with Dr. Pankaj Rohatgi, technical director at Cryptography Research, Inc.
StoryJuly 14, 2010
Editor's Note: When we in the industry think about military embedded systems power, we typically think about Size, Weight, and Power (SWaP) requirements. But a new - and perilous - practice is arising pertaining to mil embedded power: Simple Power Analysis (SPA) or Differential Power Analysis (DPA) attacks, which proffer sensitive military algorithms to hackers. And these noninvasive attacks are so passive that they can't be detected by the device until it's too late. Editor Sharon Schnakenburg-Hess's recent interview with Cryptography Research Inc.'s Dr. Pankaj Rohatgi reveals more about this security threat - and how to thwart it. Edited excerpts follow.
MIL EMBEDDED: Security for military embedded electronics is a hot topic these days. What do you think is the most serious type of security breach in that industry?
ROHATGI: One very strong area of concern is the extraction of keys or the reverse-engineering of sensitive military algorithms using Simple Power Analysis [SPA] and Differential Power Analysis [DPA].
These attacks involve measuring and analyzing the power consumed by a device while it is performing its normal operations with secret keys and algorithms. Such passive, noninvasive attacks cannot be detected or audited by the device.
MIL EMBEDDED: That makes me wonder two things: Which types of devices are most vulnerable, and are these attacks truly never detected?
ROHATGI: To answer your first question, portable electronics, communications gear, and “leave-behind” equipment are the most vulnerable: They are easiest for an enemy to acquire and access. After conducting the attack, the enemy could eavesdrop on military communications and forge command-and-control messages.
The answer to your second question about detection of attacks is that commercial systems are regularly attacked using SPA and DPA, but these attacks are discovered when fraud or crimes are committed with the extracted information. In a military setting, the enemy will be much stealthier, and successful attacks might not get discovered until it is too late.
MIL EMBEDDED: So what are SPA and DPA attacks, technically speaking? How are they used to access secret information?
ROHATGI: The energy consumed by a hardware device depends on the switching activity of its transistors, which in turn depends on the operations it is performing. An attacker who is passively measuring a device’s power consumption or electromagnetic emissions will recover some aggregated and noisy information about the sensitive data being processed. As I mentioned, SPA and DPA attacks use the information available from power measurements to extract secret keys from a device.
MIL EMBEDDED: OK, let’s start with SPA attacks and go into more depth.
ROHATGI: OK, so in an SPA attack, the attacker recovers the secret keys by directly observing features within individual power consumption measurements. Implementations that have very different power consumption profiles for different keys are most vulnerable to SPA. For example, implementations of modular exponentiation for public-key cryptography algorithms such as RSA [Rivest-Shamir-Adleman] and Diffie-Hellman may use a key-dependent sequence of square and multiply operations. And scalar multiplication in Elliptic Curve Cryptography [ECC] may be implemented using a key-dependent sequence of double and add operations. Such implementations can leak the value of the key from a single operation. The square and multiply operations have visibly different power profiles that are easy to distinguish. The secret exponent has been recovered from the sequence of squares and multiplies.
Figure 1: SPA – Power trace of an RSA exponentiation showing the square and multiply sequence and the recovered secret exponent.
(Click graphic to zoom by 1.9x)
MIL EMBEDDED: Now that we’ve covered SPA attacks, let’s delve a bit more into what a DPA attack is.
ROHATGI: Right. DPA attacks employ statistical techniques over multiple power consumption measurements to extract secrets, even when the information available within any individual measurement is small and masked by other activity and noise. The basic concept behind DPA is that the overall power consumption is correlated to the bits of computational intermediates during device computation. By focusing on intermediates that depend only on a few bits of the key, it is possible to use power measurements to determine those bits of key. For every possible guess of these key bits, the attacker can predict the computational intermediate and compute the correlation between the power measurements and bits of the predicted intermediate. [As shown in Figure 2], for a correct guess of these key bits, the attacker will observe correlation spikes whenever the intermediate is being processed. For an incorrect guess, there won’t be any correlation spikes or the spikes would be smaller. Once these key bits are determined, the same divide-and-conquer approach can be repeated with other intermediates to determine the other bits of the key.
Figure 2: DPA – Correlation of power traces with a predicted intermediate for a correct guess (top) versus an incorrect guess (bottom).
(Click graphic to zoom by 1.9x)
MIL EMBEDDED: So are these attacks executed by sophisticated attackers or ordinary Joes trying to get ahead?
ROHATGI: The level of sophistication and investment required to perform these attacks is quite low. SPA and DPA are straightforward to implement and can be performed with less than $5,000 of standard lab equipment.
MIL EMBEDDED: What makes a system or application most vulnerable to DPA or SPA attacks, specifically?
ROHATGI: All tamper-resistant devices and cryptographic algorithms are susceptible to these attacks if they do not contain countermeasures. In our experience, systems without countermeasures are often broken in a matter of hours. Devices where the power supply is inaccessible remain vulnerable to DPA-like attacks on the device’s electromagnetic emissions.
The degree of vulnerability depends on the ratio of information leakage relative to noise. Implementations that perform different sets of operations for different values of the key are the most vulnerable to SPA attacks and may be broken from a single power measurement.
MIL EMBEDDED: You are on record as saying that applications utilizing FPGAs are particularly vulnerable to DPA. Why is that? Are you suggesting that military technology should not include FPGAs?
ROHATGI: Without countermeasures, all forms of silicon, including FPGAs and ASICs, are susceptible to DPA. General-purpose silicon such as FPGAs and microprocessors receive more attacker attention because they are easier to acquire. And by investing time in characterizing the specific leakages present in that device, the attacker can target multiple systems that use the same FPGA or microprocessor.
Security differences between FPGAs and ASICs are relatively minor, however, and both technologies will require countermeasures for security. Once countermeasures have been adopted, FPGAs offer valuable advantages: It is much easier to test and refine FPGA designs for DPA resistance, and there is the flexibility to upgrade a design in the field if a security vulnerability is discovered.
MIL EMBEDDED: DPA attacks are alive and well, but how can they be prevented or circumvented – or can they?
ROHATGI: Cryptography Research discovered SPA and DPA in the 1990s and developed the fundamental techniques for securing systems against DPA. Defending against DPA is quite feasible: Commercial products such as chip-card based payment systems routinely pass stringent requirements and tests for DPA resistance.
MIL EMBEDDED: So countermeasures can be invoked, as you said?
ROHATGI: That’s correct. At a general level, the fundamental categories of countermeasures to DPA include things like leakage reduction. Leakage reduction includes techniques to make the set or sequence of operations independent of the key as well as hardware and software balancing techniques to reduce variation in the power consumption for different data. This reduces the leakage-signal to noise ratio and increases the number of power measurements needed for a successful attack.
Then there’s the noise introduction method. This includes techniques for adding different types of noise into the power consumption measurements available to the attacker, thus reducing the leakage-signal to noise ratio.
Another method is obfuscation: By keeping algorithms secret, the attacker is forced to perform reverse-engineering along with power analysis. While we do not recommend this countermeasure, it is better than having no countermeasure at all.
MIL EMBEDDED: So we’ve got leakage reduction, noise introduction, and obfuscation. Have we missed any methods?
ROHATGI: Those wanting to prevent SPA or DPA attacks can also incorporate randomness. This includes methods for randomizing the data manipulated by the device in a way that still produces the correct result and encompasses techniques such as the masking or blinding of data and keys. These techniques force the attacker to employ more complex attacks, such as higher-order DPA and a larger number of measurements.
And finally, there are protocol-level countermeasures that can be applied when there is flexibility to modify cryptographic protocols used by the device. Protocols are modified so that secrets can be continually refreshed and updated during the lifetime of the device, so that an attacker is never able to get sufficient information about any particular secret.
MIL EMBEDDED: So which of these countermeasure methods is best – or should they be used in concert?
ROHATGI: Because DPA attacks amplify leaked information through signal processing, systems generally benefit from using multiple countermeasures. However, several commercial and government security standards require leakage testing to determine the overall effectiveness of a countermeasure implementation.
MIL EMBEDDED: Where does Cryptography Research come into the picture?
ROHATGI: There are several labs and testing platforms, including our DPA Workstation, which can evaluate devices for information leakage and DPA vulnerabilities. Given the magnitude of the threat and the increasing requirements for DPA resistance, we recommend that vendors use these or similar testing resources to obtain a baseline assessment of information leakage from their cryptographic device – before the perhaps unimaginable becomes an unfortunate reality.
Dr. Pankaj Rohatgi is Technical Director, hardware security solutions at Cryptography Research, Inc. Prior to joining Cryptography Research, Pankaj spent 13 years at IBM, conducting research in cryptography, secure hardware, systems, and network security. Prior to IBM, he was the security architect for the OpenTV operating system at Thomson R&D labs and at a Thomson/Sun Microsystems joint venture. He received his Ph.D. in Computer Science from Cornell University. Pankaj can be reached at [email protected].
Cryptography Research, Inc. 415-397-0123 www.cryptography.com