DPA Countermeasures FAQ

Answers to Frequently Asked Questions (FAQs) About Simple and Differential Power Analysis (SPA and DPA)

1. What are Simple Power Analysis and Differential Power Analysis?

Simple Power Analysis (SPA) and Differential Power Analysis (DPA) are attacks which are performed by measuring the power consumption of a device as it operates, and then using these measurements to determine secret information such as secret cryptographic keys and/or user passwords. These robust attacks are often called “external monitoring attacks” or “side channel attacks”, as they are non-invasive and exploit observations of a device’s power consumption during its operation. The techniques are also not limited to power, and can be applied to any externally observable information, such as EM emissions.

SPA attacks recover the secret keys from direct observation of a single or several power consumption measurements. They are most effective when there is a significant amount of sensitive information leakage in each observation.

DPA attacks employ statistical techniques to extract information from multiple power consumption measurements. They are highly effective at extracting secrets even when the information available within any individual measurement is much smaller than unknown electrical activity, measurement error, or other noise sources. These techniques are highly robust in the presence of noise.

With both SPA and DPA, the device under attack performs its ordinary cryptographic processing operations. As a result, the attacks generally cannot be stopped through traditional anti-tamper mechanisms such as intrusion sensors or other attack detectors.

SPA and DPA are effective against small single-chip devices, large systems on a chip (SoCs), and multi-chip products.

For systems where the cryptographic processing is only a small contributor to the overall variation in power consumption, a DPA attack is typically required to extract secrets.
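The claim above, that statistics over many measurements expose leakage far smaller than the noise in any one measurement, can be checked from the defender's side with a fixed-vs-random leakage assessment. The following is an added example, not code from this FAQ or from Cryptography Research. It runs on constructed (simulated) samples and assumes a Hamming-weight leakage model, Gaussian noise, and the conventional |t| > 4.5 detection bound.

```python
import math
import random
from statistics import mean, variance

TVLA_THRESHOLD = 4.5  # conventional |t| bound used in leakage assessment


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def sample(value: int, noise_sigma: float, rng: random.Random) -> float:
    """One constructed power sample: 1 unit per set bit of the processed
    byte (assumed leakage model) buried in Gaussian noise."""
    return hamming_weight(value) + rng.gauss(0.0, noise_sigma)


def welch_t(a, b) -> float:
    """Welch's t-statistic for two sample sets with unequal variance."""
    return (mean(a) - mean(b)) / math.sqrt(
        variance(a) / len(a) + variance(b) / len(b))


def leakage_t(n_traces: int, noise_sigma: float, seed: int = 1) -> float:
    """Fixed-vs-random test: group A always processes the same byte,
    group B processes uniformly random bytes."""
    rng = random.Random(seed)
    fixed = [sample(0xFF, noise_sigma, rng) for _ in range(n_traces)]
    rand = [sample(rng.randrange(256), noise_sigma, rng)
            for _ in range(n_traces)]
    return welch_t(fixed, rand)


def leaks(n_traces: int, noise_sigma: float, seed: int = 1) -> bool:
    """True when the data dependence is statistically detectable."""
    return abs(leakage_t(n_traces, noise_sigma, seed)) > TVLA_THRESHOLD


if __name__ == "__main__":
    # Noise sigma of 40 units against a signal of at most 8 units.
    for n in (100, 1000, 10000, 40000):
        t = leakage_t(n, noise_sigma=40.0)
        print(f"{n:>6} traces per group: |t| = {abs(t):5.2f}  "
              f"detectable = {abs(t) > TVLA_THRESHOLD}")
```

The expected |t| grows with the square root of the number of traces, so added noise only raises the number of measurements needed before the leak becomes detectable.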

2. What do these attacks achieve?

Attackers who successfully attack a cryptographic device using SPA or DPA typically extract the secret cryptographic keys used by the device. With this information, the attacker can get access to otherwise restricted system secrets and capabilities of the device. For example, extracted secret keys can enable adversaries to decrypt or forge messages, issue rogue certificates, create unauthorized digital signatures, impersonate/clone a device, or perform other malicious activities. DPA has also been used to reverse engineer proprietary algorithms and thus circumvent digital rights management (DRM) systems and related protections. As a result, power analysis countermeasures are required for tamper resistant products.

3. How hard is it to implement power analysis attacks against an unprotected product?

SPA and DPA attacks are normally classified in security standards as requiring a low to moderate degree of attacker sophistication. The hardware typically used for the process consists of a PC and a digital storage oscilloscope. Suitable oscilloscopes are widely available, and sell for under $500 used. Once automated, SPA attacks are virtually instantaneous, and typical DPA attacks on unprotected devices take a few minutes to a few hours to complete.

4. Do SPA/DPA attacks require physical access to the device being attacked?

No. SPA/DPA attacks are non-invasive. Data is collected by monitoring the power emanations of the device under attack. Today, many attacks can be carried out by analyzing electromagnetic (EM) power emanations via antennae. For example, small inductive probes can be located adjacent to a device. Depending on the device, some attacks can be performed using a remotely-placed antenna.

5. Do SPA/DPA attacks leave a signature?

No. An attacker conducting an SPA or DPA attack simply records the power emanations of a device while it performs its normal cryptographic operations. This recording takes place on a computer or system separate from the device under attack.

6. What products are vulnerable?

SPA and DPA attacks primarily target cryptographic implementations in hardware such as PCs and servers, embedded systems, and mobile devices such as smartphones and tablets. Chips vulnerable to SPA and DPA range from simple integrated circuits (ICs) such as RFID tags and smart cards, to larger chips and systems such as field programmable gate arrays (FPGAs) and hardware security modules (HSMs).

Countermeasures to power analysis attacks are required for security in any product which needs to protect cryptographic keys and other secret information from external tampering. Industry sectors particularly vulnerable to SPA and DPA attacks include government, entertainment, finance, and telecommunications (GEFT).

7. Are smart cards and other single chip products the only types of devices that can be attacked?

No. Power analysis attacks are a threat to any device that processes sensitive information and requires tamper resistance. Successful real world attacks have been documented against very large secure semiconductor devices and multi-chip products, and can be achieved regardless of a product’s physical enclosure. Larger products have more timing variability and uncorrelated electrical activity, but DPA attacks can extract keys from even extremely noisy measurements.

The smart card industry was the first major industry to widely adopt countermeasures due to the magnitude of the threat to the financial and personal data they contain. Given their significant financial exposure, smart card manufacturers are required to incorporate DPA resistance in virtually all of their deployments and for many other security applications. Today, devices commonly at risk include ID cards, SIM cards, payment devices, storage products such as secure USB flash devices, pay television set-top boxes, optical disc players, audiovisual decoders, mobile phones, FPGAs, VPN appliances, secure radios, satellites, and government/military products.

8. What DPA threats do FPGAs face?

Modern FPGAs perform cryptographic operations in at least three different places: within the programmable fabric of the FPGA, in the bitstream loader, and in embedded microprocessors. Without protection, each is susceptible to DPA attacks and it only takes a vulnerability in one of the three places for an FPGA to be compromised.

9. What DPA threats do mobile devices face?

Smartphones and media tablets are increasingly used to store and access sensitive information, as well as perform financial transactions and content streaming. These operations are typically protected by cryptography, which is susceptible to both SPA and DPA attacks. Such attacks seek to sidestep or break a device’s tamper resistance and content protection defenses, leading at minimum to harmful information breaches, if not outright identity theft and material network damage. SPA and DPA attacks often target a mobile device’s secure element or other hardware-based chipset. They can also be directed at the application processor, an installed application, or even the operating system’s cryptographic libraries.

10. Can SPA/DPA be performed on devices running software-based cryptographic systems?

Yes. SPA/DPA attacks can be performed on software-based cryptographic systems, even when run on multicore microprocessors. For example, successful attacks have been executed on unprotected AES and RSA implementations running on Intel™, AMD™, and ARM™ processors.

11. What algorithms can be broken using SPA and DPA?

All cryptographic algorithms, both symmetric and asymmetric, are susceptible to SPA and DPA attacks. Power analysis attacks have been successfully carried out against products implementing DES, AES, RSA, Elliptic Curve, SHA, MISTY, Diffie-Hellman, as well as proprietary algorithms.

Cryptographic algorithms are normally designed to be secure against attackers who can access the inputs and/or the outputs of the algorithm, but not the secret keys or information about computational intermediates. SPA and DPA can reveal computational intermediates, which violates assumptions behind the security analyses of the algorithms.

12. Can SPA and DPA be used to attack systems over the Internet?

No. SPA and DPA attacks require that attackers have physical measurements of the target device. As a result, SPA and DPA are not normally a threat to typical Internet-based security applications, such as web browsing and e-mail.

13. How were SPA and DPA discovered?

Cryptography Research, led by Paul Kocher, Joshua Jaffe, and Benjamin Jun, initiated an ambitious research project in the mid-1990s to understand the challenges involved in building secure semiconductors. SPA and DPA, as well as the countermeasures to these attacks, were discovered as part of this research.

Our research team’s backgrounds bridge many levels of secure system design, including transistor physics, ASIC engineering, software development, cryptographic algorithms, and protocols. Traditionally, system designers focus only on individual layers of a system design, but the multi-disciplinary scope of our research project enabled the team to identify power analysis as a potential area of concern, then perform the lab work required to ascertain that the issue was in fact a serious vulnerability.

After discovering power analysis, the research team undertook a major effort to identify solutions to the problem. This research led to the invention of the fundamental countermeasures used to protect over 7 billion licensed devices produced annually.

14. Can SPA and DPA attacks be prevented?

Yes. Defending against SPA and DPA is quite feasible. Cryptography Research discovered SPA and DPA in the 1990s and developed the fundamental countermeasures to these attacks. CRI licenses the fundamental patents covering the countermeasures for SPA and DPA attacks. Each year, billions of products are manufactured with countermeasures licensed from CRI under these patents. Many of these products are certified and tested by independent laboratories which validate that power analysis countermeasures have been implemented correctly.

15. What requirements exist to protect devices against SPA and DPA?

Numerous government and industry security standards have required countermeasures to side channel attacks for several years. The financial products industry was the initial market to address SPA and DPA vulnerabilities. Examples of current well-known standards mandating side channel attack resistance include:

  • Global Platform Card Security Requirements, Dec 2005: embedded technologies used in various chips – such as smart cards, application processors, SD cards, USB tokens and secure elements – for protecting assets (data, keys and applications) from physical or software attacks.
  • CC Security IC Platform Protection Profile, Version 1.0, 23 August 2007: smart cards and related devices
  • Common Methodology for IT Security Evaluation methodology, Version 3.1, July 2009: smart cards and related devices
  • ePassport Protection Profile, Version 2.1, June 2010: U.S. passports
  • PCI PIN Transaction Security POI, Version 3.0, April 2010: Point of sale (POS) payment terminals
  • ISO 19790:2012: specifies the security requirements for a cryptographic module utilised within a security system protecting sensitive information in computer and telecommunication systems
  • MasterCard Network security requirements: requirements for payment devices used within the MasterCard Network

Additionally, there are a variety of emerging security requirements for side channel attack resistance. FIPS 140-3, which will replace the 2001 FIPS 140-2 standard, will likely include requirements to mitigate side channel vulnerabilities. The smart grid industry, pay TV and other DRM (digital rights management) markets and other industries that suffer from piracy, counterfeiting, terrorism and other security vulnerabilities are also in the process of requiring side channel attack countermeasures.

16. Is a patent license from CRI necessary to make, use, sell, offer for sale or to import products with countermeasures against SPA and DPA?

Yes. Cryptography Research discovered SPA and DPA and has developed and patented the fundamental countermeasures for preventing DPA attacks. Cryptography Research owns more than eighty U.S. and international patents, granted and pending, covering countermeasures for SPA and DPA attacks. Over 7 billion products are made each year with SPA and DPA countermeasures licensed from Cryptography Research.

17. What other research has been conducted on SPA and DPA?

Since Cryptography Research’s discovery of SPA and DPA in the 1990s, a vast amount of research has been conducted on this topic by government, commercial, and academic groups around the world. In the non-classified literature, over 3500 academic papers cite Cryptography Research’s original paper introducing DPA, and over a third of the research papers presented at the Computer Hardware and Embedded Systems (CHES) conference during the last ten years have focused on DPA attacks.

The book entitled "Power Analysis Attacks - Revealing the Secrets of Smartcards" by Stefan Mangard, Elisabeth Oswald, and Thomas Popp provides a good introduction to the research on power analysis.

Additional research on side channel attacks and countermeasures can be found here: www.cryptography.com/technology/dpa/dpa-research.html