Cryptography Research Announces Power Analysis Training Program and Test Equipment in Support of Proposed FIPS 140-3 Standard
SAN FRANCISCO, California — August 6, 2007 — Cryptography Research, Inc. (CRI) today announced the availability of test equipment and a training program on power analysis attacks for FIPS 140-3 validation laboratories and product vendors. Federal Information Processing Standard 140 is a U.S. Government standard administered by the National Institute of Standards and Technology (NIST) which specifies validation requirements for cryptographic devices purchased by the US government. Last month NIST released a new draft, FIPS 140-3, which mandates security against Simple Power Analysis (SPA) and Differential Power Analysis (DPA) attacks for products validated at levels 4 and above.
SPA and DPA attacks find keys and other secrets by exploiting information leaked through variations in the amount of electrical power consumed by cryptographic devices. SPA involves direct observation of power consumption measurements, while DPA uses statistical techniques to extract keys from smaller variations within a set of power consumption measurements collected over many operations. Effective countermeasures to power analysis attacks are important to prevent adversaries from duplicating ID cards, accessing private communications systems, stealing digital content, or mounting other attacks. SPA, DPA and related attacks were first discovered at Cryptography Research by Paul Kocher, Joshua Jaffe and Benjamin Jun.
“As governments increasingly rely on devices such as smart cards, electronic passports, and mobile communication systems, it is critical that data and keys be protected with effective security and tamper resistance,” said Paul Kocher, president and chief scientist at Cryptography Research.
The FIPS 140-3 draft is currently under public review and is expected to be finalized in late 2007. Other widely adopted international industry standards require SPA and DPA countermeasures. FIPS 140-3 is the first major U.S. Government requirement to mandate power analysis protection countermeasures. “It is encouraging that the United States Government is recognizing the importance of protecting sensitive systems against power analysis attacks, and we are pleased to be able to provide training and assistance to companies involved in FIPS 140-3.”, said Ken Warren, smart card business manager at Cryptography Research.
As the leading security experts on power analysis attacks, Cryptography Research provides training to organizations seeking to build and evaluate devices with power analysis countermeasures. Cryptography Research also produces the DPA Workstation™ test platform for performing DPA analysis and licenses the fundamental patents covering SPA and DPA countermeasures.
The training program introduced today is not officially endorsed by NIST.