Taking Warfighter Protection to the Core

Why DPA countermeasures make more sense now than ever.

Warfighters have always relied on information, and such information has always needed to be protected from adversaries who attempt to defang, declaw, or otherwise render the protection useless. Cybersecurity is clearly at the forefront of such efforts today. And at a fundamental level, cybersecurity depends on the resistance of cryptographic protection against any form of attack.

For mil-aero and other applications, cryptography can protect both the confidentiality and integrity of information, including what DoD calls Critical Program Information (CPI). Cryptographic security is essentially the use of small secrets, in the form of cryptographic keys, to secure the big secrets. However, if an adversary obtains a key, then all data protected by that key (past, present, and future) is compromised. Experienced security architects know that key management, which includes the generation, storage and use of cryptographic keys, is absolutely critical to producing a secure system.

For nearly two decades, the well-known threat of side-channel attacks (SCAs) has proven capable of extracting cryptographic keys from otherwise highly secure equipment. Differential power analysis (DPA) and related attacks are among the most powerful SCAs and can be performed using non-invasive, electromagnetic techniques that leave no evidence that the system has been compromised. And although the threat of SCAs has been known for many years, in many cases nothing has been done.

Figure 1: With long and uncertain development schedules, uncertain results, and lack of trust in what has been produced due to immature testing methodologies at last in the rearview mirror, DPA countermeasures are available to protect the advanced technologies the warfighter relies on. (Courtesy http://www.defense.gov/Media/Photo-Gallery?igphoto=2001508544)

Two justifications for not addressing this problem are commonly used: first, only sophisticated attackers with vast resources can successfully mount an SCA, and second, no solutions to the problem are readily available. Neither of these justifications holds water.

The first justification, the idea that it takes a great deal of sophistication and vast resources to mount a successful SCA, is a myth. The very first SCAs were developed by individuals with literally hundreds of dollars invested in test equipment. Today, specialized equipment for performing SCAs is available on the open market (e.g., ChipWhisperer Lite at $250, see www.newae.com). The commoditization of tools and techniques for performing SCAs is lowering the barriers to widespread proliferation and automation of SCAs to the point where they are accessible to anyone, including unfunded hackers and college students.

The second justification for not fixing this problem, the unavailability of DPA and other SCA countermeasures, is simply no longer true. What is true is that developing new cryptographic implementations with countermeasures is an incredibly complex, time-consuming and costly proposition. In the past, implementations were developed for very specific applications, such as payment card chips, where the astronomical cost of a successful attack justified the investment.

Today, cryptographic implementations with effective DPA countermeasures are commercially available as semiconductor intellectual property (IP) from multiple outlets, including FPGA vendors and common IP search portals such as Design-Reuse (www.design-reuse.com). These products are well-tested and deliver proven, compelling resistance to DPA attacks. An example of the robustness of an available solution from The Athena Group (www.athena-group.com) is shown in Figure 2.

Figure 2: Test vector leakage assessment of AES-128 with and without countermeasures. The implementation without countermeasures shows exploitable leakage after encrypting less than 20 Kb of data, whereas the Athena countermeasures implementation shows no exploitable leakage after encrypting more than 100 Gb of data.

Evaluating Cryptographic Implementations

Asking the following questions can help assess the strengths of IP that aims to shield against DPA and other side-channel attacks.

Was the implementation tested? While a cryptographic IP core is a digital circuit, its side-channel leakage is fundamentally an analog phenomenon. In order to measure leakage, the implementation must be assessed in hardware on the bench. Assessing or attacking an implementation without countermeasures is relatively easy and inexpensive; however, gathering and processing enough data to prove the robustness of a countermeasures implementation can be time consuming and costly. Further, simply pointing to results claimed in an academic publication as the basis for claims of robustness is insufficient; many published countermeasures are only theoretical, and in practice do not work very well.

How was the implementation tested? Performing a successful key recovery attack on an implementation proves that the implementation leaks; but, if the attack isn't successful then the only thing that's been demonstrated is that the specific attack failed. Nothing can be said about other attacks, especially those that might be developed in the future. Test vector leakage assessment (TVLA) is an established methodology employed by multiple suppliers and testing laboratories to identify whether there is any statistically significant (i.e., potentially exploitable) leakage. TVLA can also be used to compare the robustness of implementations provided by different vendors.
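As an added illustration of the fixed-vs-random TVLA workflow described above (this is example code, not code from the article or from The Athena Group), the following Python collects constructed power traces from a simulated unprotected core and a simulated first-order masked core, then applies the Welch t-test per sample with the conventional 4.5 threshold. The leakage model, the key byte, the fixed plaintext and the trace length are all assumptions made for the simulation.

```python
import math
import random
from statistics import mean, variance

T_THRESHOLD = 4.5   # conventional TVLA pass/fail bound on |t|
FIXED_PT = 0x2B     # constructed fixed plaintext byte for the "fixed" group
KEY_BYTE = 0x2B     # constructed key byte; FIXED_PT ^ KEY_BYTE has Hamming weight 0
LEAK_SAMPLE = 3     # time sample at which the simulated core handles p ^ k
TRACE_LEN = 8       # samples per constructed trace

def hamming_weight(x: int) -> int:
    return bin(x).count("1")

def simulated_trace(pt: int, protected: bool, rng: random.Random) -> list:
    """Constructed power-trace model (not a real AES core): the unprotected
    core's power at LEAK_SAMPLE follows the Hamming weight of p ^ k; the
    masked core processes (p ^ k) ^ m with a fresh random mask m, so the
    mean of that sample no longer depends on p. Every sample also carries
    Gaussian measurement noise."""
    intermediate = pt ^ KEY_BYTE
    if protected:
        intermediate ^= rng.randrange(256)      # first-order Boolean masking
    trace = [rng.gauss(0.0, 1.0) for _ in range(TRACE_LEN)]
    trace[LEAK_SAMPLE] += hamming_weight(intermediate)
    return trace

def welch_t(a: list, b: list) -> float:
    """Welch's t-statistic for two samples with unequal variances."""
    return (mean(a) - mean(b)) / math.sqrt(variance(a) / len(a) + variance(b) / len(b))

def tvla_fixed_vs_random(protected: bool, n_traces: int = 200, seed: int = 1) -> list:
    """Non-specific fixed-vs-random TVLA: interleave traces for a fixed plaintext
    with traces for random plaintexts, then compute |t| at every sample.
    Any |t| above T_THRESHOLD flags potentially exploitable leakage."""
    rng = random.Random(seed)
    fixed, rand = [], []
    for _ in range(n_traces):
        fixed.append(simulated_trace(FIXED_PT, protected, rng))
        rand.append(simulated_trace(rng.randrange(256), protected, rng))
    return [abs(welch_t([t[i] for t in fixed], [t[i] for t in rand]))
            for i in range(TRACE_LEN)]

def leakage_verdict(protected: bool) -> tuple:
    """Returns (leaks?, peak |t|, sample index of the peak)."""
    tvals = tvla_fixed_vs_random(protected)
    peak = max(tvals)
    return peak > T_THRESHOLD, peak, tvals.index(peak)

if __name__ == "__main__":
    for label, prot in (("unprotected", False), ("masked", True)):
        verdict, peak, idx = leakage_verdict(prot)
        print(f"{label}: peak |t| = {peak:.1f} at sample {idx}, leaks = {verdict}")
```

The unprotected core fails at the sample where it handles p ^ k, while the masked core stays under the threshold; on real hardware the same test is run on measured traces, and the trace count at which |t| first crosses 4.5 is the figure of merit the article's Figure 2 reports.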

How difficult is it to integrate the implementation? FPGA and ASIC designers are used to digital IP cores that have few restrictions, if any, on placement and routing. However, due to the analog nature of side-channel leakage and countermeasures, some implementations have significant placement and routing dependencies that may dramatically increase the engineering effort required to achieve the desired robustness. Look for solutions that provide robust countermeasures independent of placement and routing. This provides a significant advantage when it comes to system integration.

Does the supplier have the appropriate patent licenses? Some vendors of countermeasures IP may have their own specific patents on their implementations, but that doesn't mean that their implementations are free of third-party patent claims. In particular, there are key patents in the field that are very broad. Make sure that your supplier can (1) supply a robust implementation, and (2) convey the licenses required to manufacture that implementation.

How Times Have Changed

For nearly 20 years, since the first patents were issued, SCA countermeasures have been the elephant in the room of the anti-tamper problem. The attitude was: "Don't talk about it, don't look for it, and definitely don't try to defeat it." But those days are now gone, and we cannot look back. Advances in testing and implementation of SCA countermeasures have revolutionized the field, IP is available for nearly any application, and strong SCA countermeasures are now table stakes. If you aren't addressing this problem, it's time to do your homework.

Pat Rugg is Vice President of Sales and Marketing, The Athena Group, Inc.