Simple Power Analysis (SPA) and Differential Power Analysis (DPA) are attacks which are performed by measuring the power consumption of a device as it operates, and then using these measurements to determine secret information such as secret cryptographic keys and/or user passwords. These robust attacks are often called “external monitoring attacks” or “side channel attacks”, as they are non-invasive and exploit observations of a device’s power consumption during its operation. The techniques are also not limited to power, and can be applied to any externally observable information, such as EM emissions.
With both SPA and DPA, the device under attack performs its ordinary cryptographic processing operations. As a result, the attacks generally cannot be stopped through traditional anti-tamper mechanisms such as intrusion sensors or other attack detectors.
SPA and DPA are effective against small single-chip devices, large systems on a chip (SoCs), and multi-chip products.
For systems where the cryptographic processing is only a small contributor to the overall variation in power consumption, a DPA attack is typically required to extract secrets.
Attackers who successfully attack a cryptographic device using SPA or DPA typically extract the secret cryptographic keys used by the device. With this information, the attacker can get access to otherwise restricted system secrets and capabilities of the device. For example, extracted secret keys can enable adversaries to decrypt or forge messages, issue rogue certificates, create unauthorized digital signatures, impersonate/clone a device, or perform other malicious activities. DPA has also been used to reverse engineer proprietary algorithms and thus circumvent digital rights management (DRM) systems and related protections. As a result, power analysis countermeasures are required for tamper resistant products.
SPA and DPA attacks are normally classified in security standards as requiring a low to moderate degree of attacker sophistication. The hardware typically used for the process consists of a PC and a digital storage oscilloscope. Suitable oscilloscopes are widely available, and sell for under $500 used. Once automated, SPA attacks are virtually instantaneous, and typical DPA attacks on unprotected devices take a few minutes to a few hours to complete.
No. SPA/DPA attacks are non-invasive. Data is collected by monitoring the power emanations of the device under attack. Today, many attacks can be carried out by analyzing electromagnetic (EM) power emanations via antennae. For example, small inductive probes can be located adjacent to a device. Depending on the device, some attacks can be performed using a remotely-placed antenna.
No. An attacker conducting an SPA or DPA attack simply records the power emanations of a device while it performs its normal cryptographic operations. This recording takes place on a computer or system separate from the device under attack.
SPA and DPA attacks primarily target cryptographic implementations in hardware such as PCs and servers, embedded systems, and mobile devices such as smartphones and tablets. Chips vulnerable to SPA and DPA range from simple integrated circuits (ICs) such as RFID tags and smart cards, to larger chips and systems such as field programmable gate arrays (FPGAs) and hardware security modules (HSMs).
Countermeasures to power analysis attacks are required for security in any product which needs to protect cryptographic keys and other secret information from external tampering. Industry sectors particularly vulnerable to SPA and DPA attacks include government, entertainment, finance, and telecommunications (GEFT).
No. Power analysis attacks are a threat to any device that processes sensitive information and requires tamper resistance. Successful real world attacks have been documented against very large secure semiconductor devices and multi-chip products, and can be achieved regardless of a product’s physical enclosure. Larger products have more timing variability and uncorrelated electrical activity, but DPA attacks can extract keys from even extremely noisy measurements.
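Why noise alone is not a countermeasure, shown as an added illustration that is not part of the original FAQ: a constructed simulation, from the evaluator's side, in which one known intermediate bit shifts a power sample by an amount 20 times smaller than the surrounding noise. The leakage model, the parameter values and the |t| > 4.5 detection bound (a threshold commonly used in leakage assessment) are assumptions of this example.

```python
import math
import random
import statistics

THRESHOLD = 4.5  # assumed pass/fail bound on |t|, common in leakage assessment

def simulate_traces(n, noise_sigma, leak=1.0, seed=1):
    """Constructed model: one power sample per operation.

    The sample is shifted by `leak` when a known intermediate bit is 1, then
    buried in Gaussian noise standing in for unrelated electrical activity.
    """
    rng = random.Random(seed)
    traces = []
    for _ in range(n):
        bit = rng.getrandbits(1)
        traces.append((bit, leak * bit + rng.gauss(0.0, noise_sigma)))
    return traces

def welch_t(traces):
    """Welch's t-statistic between samples recorded with bit=1 and bit=0."""
    g0 = [s for b, s in traces if b == 0]
    g1 = [s for b, s in traces if b == 1]
    se = math.sqrt(statistics.variance(g0) / len(g0) +
                   statistics.variance(g1) / len(g1))
    return (statistics.fmean(g1) - statistics.fmean(g0)) / se

def leaks(traces):
    """True when the data dependence is statistically detectable."""
    return abs(welch_t(traces)) > THRESHOLD

if __name__ == "__main__":
    # Same device model, same noise; only the number of recordings changes.
    for n in (100, 200_000):
        t = welch_t(simulate_traces(n, noise_sigma=20.0))
        print(f"{n:>7} traces, data-dependent device: t = {t:6.2f}")
    # Control: a device whose consumption does not depend on the bit.
    t = welch_t(simulate_traces(200_000, noise_sigma=20.0, leak=0.0))
    print(f"{200_000:>7} traces, no data dependence:   t = {t:6.2f}")
```

The standard error of the difference shrinks with the square root of the trace count, so a dependence invisible in 100 recordings is unmistakable in 200,000, while the control stays below the bound at any count.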
The smart card industry was the first major industry to widely adopt countermeasures due to the magnitude of the threat to the financial and personal data they contain. Given their significant financial exposure, smart card manufacturers are required to incorporate DPA resistance in virtually all of their deployments and for many other security applications. Today, devices commonly at risk include ID cards, SIM cards, payment devices, storage products such as secure USB flash devices, pay television set-top boxes, optical disc players, audiovisual decoders, mobile phones, FPGAs, VPN appliances, secure radios, satellites, and government/military products.
Modern FPGAs perform cryptographic operations in at least three different places: within the programmable fabric of the FPGA, in the bitstream loader, and in embedded microprocessors. Without protection, each is susceptible to DPA attacks and it only takes a vulnerability in one of the three places for an FPGA to be compromised.
Smartphones and media tablets are increasingly used to store and access sensitive information, as well as perform financial transactions and content streaming. These operations are typically protected by cryptography, which is susceptible to both SPA and DPA attacks. Such attacks seek to sidestep or break a device’s tamper resistance and content protection defenses, leading at minimum to harmful information breaches, if not outright identity theft and material network damage. SPA and DPA attacks often target a mobile device’s secure element or other hardware-based chipset. They can also be directed at the application processor, an installed application, or even the operating system’s cryptographic libraries.
Yes. SPA/DPA attacks can be performed on software-based cryptographic systems, even when run on multicore microprocessors. For example, successful attacks have been executed on unprotected AES and RSA implementations running on Intel™, AMD™, and ARM™ processors.
All cryptographic algorithms, both symmetric and asymmetric, are susceptible to SPA and DPA attacks. Power analysis attacks have been successfully carried out against products implementing DES, AES, RSA, Elliptic Curve, SHA, MISTY, Diffie-Hellman, as well as proprietary algorithms.
Cryptographic algorithms are normally designed to be secure against attackers who can access the inputs and/or the outputs of the algorithm, but not the secret keys or information about computational intermediates. SPA and DPA can reveal computational intermediates, which violates assumptions behind the security analyses of the algorithms.
No. SPA and DPA attacks require that attackers have physical measurements of the target device. As a result, SPA and DPA are not normally a threat to typical Internet-based security applications, such as web browsing and e-mail.
Cryptography Research, led by Paul Kocher, Joshua Jaffe, and Benjamin Jun, initiated an ambitious research project in the mid-1990s to understand the challenges involved in building secure semiconductors. SPA and DPA, as well as the countermeasures to these attacks, were discovered as part of this research.
Our research team’s backgrounds bridge many levels of secure system design, including transistor physics, ASIC engineering, software development, cryptographic algorithms, and protocols. Traditionally, system designers focus only on individual layers of a system design, but the multi-disciplinary scope of our research project enabled the team to identify power analysis as a potential area of concern, then perform the lab work required to ascertain that the issue was in fact a serious vulnerability.
After discovering power analysis, the research team undertook a major effort to identify solutions to the problem. This research led to the invention of the fundamental countermeasures used to protect over 7 billion licensed devices produced annually.
Yes. Defending against SPA and DPA is quite feasible. Cryptography Research discovered SPA and DPA in the 1990s and developed the fundamental countermeasures to these attacks. CRI licenses the fundamental patents covering the countermeasures for SPA and DPA attacks. Each year, billions of products are manufactured with countermeasures licensed from CRI under these patents. Many of these products are certified and tested by independent laboratories which validate that power analysis countermeasures have been implemented correctly.
Numerous government and industry security standards have required countermeasures to side channel attacks for several years. The financial products industry was the initial market to address SPA and DPA vulnerabilities. Examples of current well-known standards mandating side channel attack resistance include:
Additionally, there are a variety of emerging security requirements for side channel attack resistance. FIPS 140-3, which will replace the 2001 FIPS 140-2 standard, will likely include requirements to mitigate side channel vulnerabilities. The smart grid industry, pay TV and other DRM (digital rights management) markets and other industries that suffer from piracy, counterfeiting, terrorism and other security vulnerabilities are also in the process of requiring side channel attack countermeasures.
Yes. Cryptography Research discovered SPA and DPA and has developed and patented the fundamental countermeasures for preventing DPA attacks. Cryptography Research owns more than eighty U.S. and international patents, granted and pending, covering countermeasures for SPA and DPA attacks. Over 7 billion products are made each year with SPA and DPA countermeasures licensed from Cryptography Research.
Since Cryptography Research’s discovery of SPA and DPA in the 1990s, a vast amount of research has been conducted on this topic by government, commercial, and academic groups around the world. In the non-classified literature, over 3500 academic papers cite Cryptography Research’s original paper introducing DPA, and over a third of the research papers presented at the Computer Hardware and Embedded Systems (CHES) conference during the last ten years have focused on DPA attacks.
The book entitled "Power Analysis Attacks - Revealing the Secrets of Smartcards" by Stefan Mangard, Elisabeth Oswald, and Thomas Popp provides a good introduction to the research on power analysis.
Additional research on side channel attacks and countermeasures can be found here: www.cryptography.com/technology/dpa/dpa-research.html