Power analysis: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Baransam (talk | contribs)
Simple power analysis: clarification and grammatical correction
 
(21 intermediate revisions by 18 users not shown)
{{Short description|Form of side channel attack}}
{{For|power analysis in statistics|Statistical power}}
{{Multiple issues|
{{More footnotes|date=March 2009}}
{{Refimprove|date=March 2009}}
}}


[[File:Differential power analysis.svg|right|thumbnail|300px|A diagram of differential power analysis.]]
[[File:Power attack full.png|thumb|300px|An attempt to decode [[RSA (algorithm)|RSA]] key bits using power analysis. The left peak represents the CPU power variations during the step of the [[Exponentiation by squaring|algorithm]] without multiplication, the right (broader) peak - step with multiplication, allowing to read bits 0, 1.]]
[[File:Power attack full.png|thumb|300px|Observing [[RSA (algorithm)|RSA]] key bits using power analysis: The left peak shows the power consumption during the [[Exponentiation by squaring|squaring-only]] step, the right (broader) peak shows the multiplication step, allowing exponent bits 0 and 1 to be distinguished.]]


In [[cryptography]], '''power analysis''' is a form of [[side channel attack]] in which the attacker studies the power consumption of a cryptographic hardware device (such as a [[smart card]], [[tamper resistance|tamper-resistant]] "black box", or [[integrated circuit]]). The attack can non-invasively extract cryptographic keys and other secret information from the device.
'''Power analysis''' is a form of [[side channel attack]] in which the attacker studies the power consumption of a cryptographic hardware device. These attacks rely on basic physical properties of the device: semiconductor devices are governed by the laws of physics, which dictate that changes in voltages within the device require very small movements of electric charges (currents). By measuring those currents, it is possible to learn a small amount of information about the data being manipulated.


'''Simple power analysis''' ('''SPA''') involves visually interpreting power ''traces'', or graphs of electrical activity over time. '''Differential power analysis''' ('''DPA''') is a more advanced form of power analysis which can allow an attacker to compute the intermediate values within cryptographic computations by statistically analyzing data collected from multiple cryptographic operations. SPA and DPA were introduced in the open cryptologic community in 1998 by [[Cryptography Researchers]] [[Paul Kocher]], [[Joshua Jaffe]] and [[Benjamin Jun]].<ref>P. Kocher, J. Jaffe, B. Jun, "[http://www.rambus.com/differential-power-analysis/ Differential Power Analysis]," technical report, 1998; later published in Advances in Cryptology - Crypto 99 Proceedings, Lecture Notes In Computer Science Vol. 1666, M. Wiener, ed., Springer-Verlag, 1999.</ref>
'''Simple power analysis''' ('''SPA''') involves visually interpreting power ''traces'', or graphs of electrical activity over time. '''Differential power analysis''' ('''DPA''') is a more advanced form of power analysis, which can allow an attacker to compute the intermediate values within cryptographic computations through statistical analysis of data collected from multiple cryptographic operations. SPA and DPA were introduced to the open cryptography community in 1998 by [[Paul Carl Kocher|Paul Kocher]], [[Joshua Jaffe]] and [[Benjamin Jun]].<ref>P. Kocher, J. Jaffe, B. Jun, [https://www.paulkocher.com/doc/DifferentialPowerAnalysis.pdf Differential Power Analysis], technical report, 1998; later published in Advances in Cryptology - Crypto 99 Proceedings, Lecture Notes in Computer Science Vol. 1666, M. Wiener, ed., Springer-Verlag, 1999.</ref>

==Background==
In [[cryptography]], a [[side channel attack]] is used to extract secret data from some secure device (such as a [[smart card]], [[tamper resistance|tamper-resistant]] "black box", or [[integrated circuit]]). Side-channel analysis typically tries to extract cryptographic keys and other secret information from the device non-invasively. A simple example of this is the [[German tank problem]]: the serial numbers of tanks provide details of the production data for tanks. In physical security, a non-invasive attack would be similar to [[lock-picking]], where a successful attack leaves no trace of the attacker being present.


==Simple power analysis==
'''Simple power analysis''' ('''SPA''') is a [[side-channel attack]] which involves visual examination of graphs of the [[electrical current|current]] used by a device over time. Variations in power consumption occur as the device performs different operations. For example, different instructions performed by a microprocessor will have differing power consumption profiles. As a result, in a power trace from a smart card using [[Data Encryption Standard|DES]] encryption, the sixteen rounds can be seen clearly. Similarly, squaring and multiplication operations in RSA implementations can often be distinguished, enabling an adversary to compute the secret key. Even if the magnitude of the variations in power consumption are small, standard digital [[oscilloscopes]] can easily show the data-induced variations. Frequency filters and averaging functions (such as those built into oscilloscopes) are often used to filter out high-frequency components.
'''Simple power analysis''' ('''SPA''') is a [[side-channel attack]] which involves visual examination of graphs of the [[electrical current|current]] used by a device over time. Variations in power consumption occur as the device performs different operations. For example, different instructions performed by a microprocessor will have differing power consumption profiles.

Code flow that depends on a secret value will thus leak that flow through power-consumption monitoring (and with it the secret value). As a simple example, consider the following password check:

<syntaxhighlight lang="c">
#include <stdbool.h>
#include <string.h>

bool check_password(const char input[]){
    const char correct_password[] = "hunter2";

    if (strlen(input) != strlen(correct_password)) return false;

    for (int i = 0; i < strlen(correct_password); i++){
        if (input[i] != correct_password[i]) {
            return false;  /* early return: the iteration count reveals the first mismatch position */
        }
    }

    return true;
}
</syntaxhighlight>

This password check is potentially vulnerable to a [[timing attack]], since its execution time is not constant, and observing the power consumption makes the number of loop iterations executed clear. Mitigations are possible, however. For example, the function may not give the user an exploitable result if a compensating delay is inserted before the response is returned, or the code may be structured to complete all the loops regardless of the position at which the input and the secret password first mismatch. Sample code of the latter kind can be found in the algorithm section of [[Timing attack]].

Similarly, squaring and multiplication operations in RSA implementations can often be distinguished, enabling an adversary to compute the secret key. Even if the magnitude of the variations in power consumption is small, standard digital [[oscilloscopes]] can easily show the data-induced variations. Frequency filters and averaging functions (such as those built into oscilloscopes) are often used to filter out high-frequency components.


==Differential power analysis==
==Power analysis and algorithmic security==


Power analysis provides a way to "see inside" otherwise 'tamperproof' hardware. For example, DES's [[key schedule]] involves rotating 28-bit key registers. Many implementations check the least significant bit to see if it is a 1. If so, the device shifts the register right and prepends the 1 at the left end. If the bit is a zero, the register is shifted right without prepending a 1. Power analysis can distinguish between these processes, enabling an adversary to determine the bits of the secret key.


Implementations of algorithms such as [[Advanced Encryption Standard|AES]] and [[triple DES]] that are believed to be mathematically strong may be trivially breakable using power analysis attacks. As a result, power analysis attacks combine elements of algorithmic cryptanalysis and implementation security.
==Standards and practical security concerns==


For applications where devices may fall into the physical possession of an adversary, protection against power analysis is generally a major design requirement. Power analyses have also been reportedly used against conditional access modules used in pay television systems.<ref>[http://www.hackhu.com] http://www.hackhu.com</ref>
For applications where devices may fall into the physical possession of an adversary, protection against power analysis is generally a major design requirement. Power analyses have also been reportedly used against conditional access modules used in pay television systems.<ref>{{cite web|url=http://hackhu.com/|archive-url=http://webarchive.loc.gov/all/20021113042526/http://hackhu.com/ |title=Home Page - Cyber-Piracy: The Truth |archive-date=2002-11-13 }}</ref>


The equipment necessary for performing power analysis attacks is widely available. For example, most digital storage oscilloscopes provide the necessary data collection functionality, and the data analysis is typically performed using conventional PCs. Commercial products designed for testing labs are also available.<ref>[http://www.rambus.com/security/dpa-countermeasures/dpa-workstation-platform/] http://www.rambus.com/security/dpa-countermeasures/dpa-workstation-platform/</ref>
The equipment necessary for performing power analysis attacks is widely available. For example, most digital storage oscilloscopes provide the necessary data collection functionality, and the data analysis is typically performed using conventional PCs. Commercial products designed for testing labs are also available.<ref>{{cite web|url=https://www.rambus.com/security/dpa-countermeasures/dpa-workstation-platform/|title=DPA Workstation Analysis Platform|website=Rambus}}</ref> The open-source [[ChipWhisperer]] project was the first complete toolchain of open-source hardware & software for power analysis experiments.<ref>[https://eprint.iacr.org/2014/204.pdf ChipWhisperer: An Open-Source Platform for Hardware Embedded Security Research]</ref>


==Preventing simple and differential power analysis attacks==
Simple power analysis can easily distinguish the outcome of conditional branches in the execution of cryptographic software, since a device does different things (consuming different power) depending on whether the conditional branch is taken. For this reason, care should be taken to ensure there are no secret values which affect the conditional branches within cryptographic software implementations. Other sources of variation, such as microcode differences, branches introduced by compilers, and power consumption variations in multipliers, also commonly lead to SPA vulnerabilities.


Differential power analysis is more difficult to prevent, since even small biases in the power consumption can lead to exploitable weaknesses. Some countermeasure strategies involve algorithmic modifications such that the cryptographic operations occur on data that is related to the actual value by some mathematical relationship that survives the cryptographic operation. One approach involves [[Blinding (cryptography)|blinding]] parameters to randomize their value. Other countermeasure strategies to reduce the effectiveness of DPA attacks involve hardware modifications: varying the chip internal clock frequency has been considered to desynchronize electric signals, which lead in return to algorithmic enhancements of traditional DPA.<ref>Xavier Charvet, Herve Pelletier, "[http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/physecdoc.html Improving the DPA attack using wavelet transform (2005)]"</ref><ref>Jasper van Woudenberg, Mark Witteman, Bram Bakker "[http://dl.acm.org/citation.cfm?id=1964632 Improving differential power analysis by elastic alignment (2011)]"</ref>
Differential power analysis is more difficult to prevent, since even small biases in the power consumption can lead to exploitable weaknesses. Some countermeasure strategies involve algorithmic modifications such that the cryptographic operations occur on data that is related to the actual value by some mathematical relationship that survives the cryptographic operation. One approach involves [[Blinding (cryptography)|blinding]] parameters to randomize their value. Other countermeasure strategies to reduce the effectiveness of DPA attacks involve hardware modifications: varying the chip's internal clock frequency has been considered to desynchronize electric signals, which in turn led to algorithmic enhancements of traditional DPA.<ref>Xavier Charvet, Herve Pelletier, "[http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/physecdoc.html Improving the DPA attack using wavelet transform (2005)] {{Webarchive|url=https://web.archive.org/web/20160304061330/http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-3/physec/physecdoc.html |date=2016-03-04 }}"</ref><ref>Jasper van Woudenberg, Marc Witteman, Bram Bakker "[http://dl.acm.org/citation.cfm?id=1964632 Improving differential power analysis by elastic alignment (2011)]"</ref>

==Patents==

U.S. and international patents<ref>[http://www.rambus.com/security/dpa-countermeasures/licensed-countermeasure/] http://www.rambus.com/security/dpa-countermeasures/licensed-countermeasure/</ref> covering countermeasures to power analysis attacks are licensed by [[Cryptography Research]] and other companies.


==References==
{{DEFAULTSORT:Power Analysis}}
[[Category:Side-channel attacks]]
[[Category:Articles with example C code]]

Latest revision as of 07:12, 10 October 2024

A diagram of differential power analysis.
Observing RSA key bits using power analysis: The left peak shows the power consumption during the squaring-only step, the right (broader) peak shows the multiplication step, allowing exponent bits 0 and 1 to be distinguished.

Power analysis is a form of side channel attack in which the attacker studies the power consumption of a cryptographic hardware device. These attacks rely on basic physical properties of the device: semiconductor devices are governed by the laws of physics, which dictate that changes in voltages within the device require very small movements of electric charges (currents). By measuring those currents, it is possible to learn a small amount of information about the data being manipulated.

Simple power analysis (SPA) involves visually interpreting power traces, or graphs of electrical activity over time. Differential power analysis (DPA) is a more advanced form of power analysis, which can allow an attacker to compute the intermediate values within cryptographic computations through statistical analysis of data collected from multiple cryptographic operations. SPA and DPA were introduced to the open cryptography community in 1998 by Paul Kocher, Joshua Jaffe and Benjamin Jun.[1]

Background

In cryptography, a side channel attack is used to extract secret data from some secure device (such as a smart card, tamper-resistant "black box", or integrated circuit). Side-channel analysis typically tries to extract cryptographic keys and other secret information from the device non-invasively. A simple example of this is the German tank problem: the serial numbers of tanks provide details of the production data for tanks. In physical security, a non-invasive attack would be similar to lock-picking, where a successful attack leaves no trace of the attacker being present.

Simple power analysis

Simple power analysis (SPA) is a side-channel attack which involves visual examination of graphs of the current used by a device over time. Variations in power consumption occur as the device performs different operations. For example, different instructions performed by a microprocessor will have differing power consumption profiles.

Code flow that depends on a secret value will thus leak that flow through power-consumption monitoring (and with it the secret value). As a simple example, consider the following password check:

#include <stdbool.h>
#include <string.h>

bool check_password(const char input[]){
    const char correct_password[] = "hunter2";

    if (strlen(input) != strlen(correct_password)) return false;

    for (int i = 0; i < strlen(correct_password); i++){
        if (input[i] != correct_password[i]) {
            return false;  /* early return: the iteration count reveals the first mismatch position */
        }
    }

    return true;
}

This password check is potentially vulnerable to a timing attack, since its execution time is not constant, and observing the power consumption makes the number of loop iterations executed clear. Mitigations are possible, however. For example, the function may not give the user an exploitable result if a compensating delay is inserted before the response is returned, or the code may be structured to complete all the loops regardless of the position at which the input and the secret password first mismatch. Sample code of the latter kind can be found in the algorithm section of Timing attack.
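As an added illustration (not the article's own code), the check above instrumented to expose its loop count, next to a constant-time rewrite of the kind the paragraph refers to. The secret value, the loop counter and the helper names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed secret for this example (the same value the article's check uses). */
static const char CORRECT_PASSWORD[] = "hunter2";

/* Number of loop bodies executed by the most recent check. This models what a
 * power trace exposes: one visible burst of activity per iteration. */
static size_t g_loops;
size_t last_loop_count(void) { return g_loops; }

/* The article's leaky check. The early return makes the loop count equal to
 * the index of the first mismatching character plus one, so the trace reveals
 * how many leading characters of the input were correct. */
bool check_password_leaky(const char *input) {
    size_t n = strlen(CORRECT_PASSWORD);
    g_loops = 0;
    if (strlen(input) != n) return false;
    for (size_t i = 0; i < n; i++) {
        g_loops++;
        if (input[i] != CORRECT_PASSWORD[i]) return false;  /* secret-dependent early exit */
    }
    return true;
}

/* Hardened check: always runs all n iterations, folds every byte mismatch
 * (and a length mismatch) into one accumulator with bitwise operations, and
 * contains no branch whose outcome depends on the secret. Bytes beyond the end
 * of a short input are treated as 0; that choice depends only on the caller's
 * own input length, never on the secret. */
bool check_password_constant_time(const char *input) {
    size_t n = strlen(CORRECT_PASSWORD);
    size_t in_len = strlen(input);
    volatile unsigned char diff = (unsigned char)(in_len != n);
    g_loops = 0;
    for (size_t i = 0; i < n; i++) {
        g_loops++;
        unsigned char c = (i < in_len) ? (unsigned char)input[i] : 0;
        diff |= c ^ (unsigned char)CORRECT_PASSWORD[i];
    }
    return diff == 0;
}
```

A delay before the response hides the timing from the caller but not the per-iteration activity on a power trace, which is why the branch-free form is the usual fix; inspect the compiler's output, since optimizers can reintroduce early exits.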

Similarly, squaring and multiplication operations in RSA implementations can often be distinguished, enabling an adversary to compute the secret key. Even if the magnitude of the variations in power consumption is small, standard digital oscilloscopes can easily show the data-induced variations. Frequency filters and averaging functions (such as those built into oscilloscopes) are often used to filter out high-frequency components.

Differential power analysis

Differential power analysis (DPA) is a side-channel attack which involves statistically analyzing power consumption measurements from a cryptosystem. The attack exploits biases in the varying power consumption of microprocessors or other hardware while performing operations using secret keys. DPA attacks have signal-processing and error-correction properties which can extract secrets from measurements that contain too much noise to be analyzed using simple power analysis. Using DPA, an adversary can obtain secret keys by analyzing power consumption measurements from multiple cryptographic operations performed by a vulnerable smart card or other device.

High-order differential power analysis

High-Order Differential Power Analysis (HO-DPA) is an advanced form of DPA attack. HO-DPA enables multiple data sources and different time offsets to be incorporated in the analysis. HO-DPA is less widely practiced than SPA and DPA, as the analysis is complex and most vulnerable devices can be broken more easily with SPA or DPA.[2]

Power analysis and algorithmic security

Power analysis provides a way to "see inside" otherwise 'tamperproof' hardware. For example, DES's key schedule involves rotating 28-bit key registers. Many implementations check the least significant bit to see if it is a 1. If so, the device shifts the register right and prepends the 1 at the left end. If the bit is a zero, the register is shifted right without prepending a 1. Power analysis can distinguish between these processes, enabling an adversary to determine the bits of the secret key.

Implementations of algorithms such as AES and triple DES that are believed to be mathematically strong may be trivially breakable using power analysis attacks. As a result, power analysis attacks combine elements of algorithmic cryptanalysis and implementation security.

Standards and practical security concerns

For applications where devices may fall into the physical possession of an adversary, protection against power analysis is generally a major design requirement. Power analyses have also been reportedly used against conditional access modules used in pay television systems.[3]

The equipment necessary for performing power analysis attacks is widely available. For example, most digital storage oscilloscopes provide the necessary data collection functionality, and the data analysis is typically performed using conventional PCs. Commercial products designed for testing labs are also available.[4] The open-source ChipWhisperer project was the first complete toolchain of open-source hardware & software for power analysis experiments.[5]

Preventing simple and differential power analysis attacks

Power analysis attacks cannot generally be detected by a device, since the adversary's monitoring is normally passive. In addition, the attack is non-invasive. As a result, physical enclosures, auditing capabilities, and attack detectors are ineffective. Instead, cryptosystem engineers must ensure that devices' power variations do not reveal information usable by adversaries.

Simple power analysis can easily distinguish the outcome of conditional branches in the execution of cryptographic software, since a device does different things (consuming different power) depending on whether the conditional branch is taken. For this reason, care should be taken to ensure there are no secret values which affect the conditional branches within cryptographic software implementations. Other sources of variation, such as microcode differences, branches introduced by compilers, and power consumption variations in multipliers, also commonly lead to SPA vulnerabilities.
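An added example, not taken from the article: a square-and-multiply exponentiation whose secret-dependent branch makes the sequence of squarings and multiplications spell out the exponent (the RSA case described under Simple power analysis), next to a Montgomery-ladder form that performs exactly one squaring and one multiplication per bit and selects with a mask instead of a branch. The operation-trace buffer, the small 32-bit modulus and the function names are assumptions made for this demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Operations performed by the most recent call, one character each: 'S' for a
 * modular squaring, 'M' for a modular multiply. This stands in for the narrow
 * and broad peaks an oscilloscope trace of the two operations would show. */
static char g_trace[65];
static size_t g_tlen;

static void trace_reset(void) { g_tlen = 0; g_trace[0] = '\0'; }
static void trace_op(char op) {
    if (g_tlen + 1 < sizeof g_trace) { g_trace[g_tlen++] = op; g_trace[g_tlen] = '\0'; }
}
const char *last_trace(void) { return g_trace; }

/* Modular multiplication; operands are below 2^32, so the product fits in 64 bits. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Leaky left-to-right square-and-multiply over the low nbits of exp. A
 * multiply is performed only when the exponent bit is 1, so the S/M pattern of
 * the trace reveals the secret exponent bit by bit ("SM" = 1, lone "S" = 0). */
uint32_t modexp_leaky(uint32_t base, uint32_t exp, int nbits, uint32_t mod) {
    uint32_t r = 1 % mod;
    trace_reset();
    for (int i = nbits - 1; i >= 0; i--) {
        r = mulmod(r, r, mod);
        trace_op('S');
        if ((exp >> i) & 1u) {           /* secret-dependent branch */
            r = mulmod(r, base, mod);
            trace_op('M');
        }
    }
    return r;
}

/* Hardened Montgomery ladder: every bit costs exactly one squaring and one
 * multiply, and the bit only decides, through a mask, which register receives
 * which result. Loop invariant: r1 == r0 * base (mod m). */
uint32_t modexp_ladder(uint32_t base, uint32_t exp, int nbits, uint32_t mod) {
    uint32_t r0 = 1 % mod, r1 = base % mod;
    trace_reset();
    for (int i = nbits - 1; i >= 0; i--) {
        uint32_t bit  = (exp >> i) & 1u;
        uint32_t mask = 0u - bit;                    /* all ones if bit set, else 0 */
        uint32_t sel  = (r1 & mask) | (r0 & ~mask);  /* register to be squared */
        uint32_t sq   = mulmod(sel, sel, mod);
        trace_op('S');
        uint32_t prod = mulmod(r0, r1, mod);
        trace_op('M');
        r0 = (prod & mask) | (sq & ~mask);
        r1 = (sq & mask) | (prod & ~mask);
    }
    return r0;
}
```

The ladder removes the branch but not every leak: the multiplier's own data-dependent power variations mentioned above remain, which is why real implementations also blind the operands and verify the emitted machine code.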

Differential power analysis is more difficult to prevent, since even small biases in the power consumption can lead to exploitable weaknesses. Some countermeasure strategies involve algorithmic modifications such that the cryptographic operations occur on data that is related to the actual value by some mathematical relationship that survives the cryptographic operation. One approach involves blinding parameters to randomize their value. Other countermeasure strategies to reduce the effectiveness of DPA attacks involve hardware modifications: varying the chip's internal clock frequency has been considered to desynchronize electric signals, which in turn led to algorithmic enhancements of traditional DPA.[6][7]

References

  1. P. Kocher, J. Jaffe, B. Jun, "Differential Power Analysis", technical report, 1998; later published in Advances in Cryptology – Crypto 99 Proceedings, Lecture Notes in Computer Science Vol. 1666, M. Wiener, ed., Springer-Verlag, 1999.
  2. Paul Kocher, Joshua Jaffe, Benjamin Jun, "Introduction to Differential Power Analysis and Related Attacks" (1998).
  3. "Home Page - Cyber-Piracy: The Truth". Archived from the original on 2002-11-13.
  4. "DPA Workstation Analysis Platform". Rambus.
  5. "ChipWhisperer: An Open-Source Platform for Hardware Embedded Security Research".
  6. Xavier Charvet, Herve Pelletier, "Improving the DPA attack using wavelet transform" (2005). Archived 2016-03-04 at the Wayback Machine.
  7. Jasper van Woudenberg, Marc Witteman, Bram Bakker, "Improving differential power analysis by elastic alignment" (2011).