Re: Side Channel Attacks - inside out

From: Stefan Tillich (stefanti_at_sbox.tugraz.at)
Date: 07/10/05


Date: Sun, 10 Jul 2005 23:18:49 +0200


Galathas schrieb:

> Hi to everyone!!
>
> Is there, please, anyone more experienced, with good knowledge of side
> channels attack on cipher algorithms ?? If so, may those of you please,
> post here some info about what is it,

A side-channel attack targets an implementation of a crptographic
algorithm. When processing sensitive data (e.g. private keys),
information about it can leak out of the device (e.g. a smartcard) via
different physical effects (the so-called side-channels). Most prominent
are timing, power consumption and electromagnetic emanation.

Wikipedia has a definition:
http://en.wikipedia.org/wiki/Side_channel_attack

Also try Google with "Side channel analysis" or "Side channel attacks".

Paul Kocher's site has an introduction to Differential Power Analysis:
http://www.cryptography.com/resources/whitepapers/DPATechInfo.pdf

Another introduction can be found here:
http://www.iaik.at/aboutus/people/oswald/papers/dpa_tutorial.pdf

If you want a more scientific approach I'd recommend to start with the
papers from Paul Kocher:

"Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and
Other Systems"
Available at
http://www.cryptography.com/resources/whitepapers/TimingAttacks.pdf

and

"Differential Power Analysis"
Available at
http://www.cryptography.com/resources/whitepapers/DPA.pdf

That should cover the basics of Side-channel analysis.

how it is applied when breaking
> cipher algorithms,

As stated before, you break implementations of cryptographic algorithms.
To put it in a nutshell:
1. Measure a physical value of the cryptographic device in operation
which is in some form dependent on the secret data you want to find out.
2. Make hypotheses about the secret data (i.e. guess a part of the
private key) and model the effect of your presumed value on the
side-channel.
3. Find the correct hypotheses by looking at the collected data from
step 1. And you're done :-)

and what are basic rules to secure algorithms
> against SC attacks ??

Simple: Make sure that there is no data-dependent effect on any
externally observable physical parameters (at least of sensitive data)
of your cryptographic device.

There is no general solution for thwarting SCA. There are two possible
approaches to breaking data-dependency of physical values:
- Make the effect constant (constant time, constant power consumption).
- Introduce randomization (masking, noise generators, randomized execution)
All countermeasures come at a cost (increased execution time, increased
power consumption, ...) so there is always a tradeoff of implementation
security and cost.

HTH
Steve



Relevant Pages

  • Re: Question about bit strength
    ... around with a hybrid block cypher. ... but I am still unsure as to the bit strength of these algorithms. ... Going in approximately the order I do in performing a basic attack: ... In a stream cipher ...
    (sci.crypt)
  • Re: SHA-1 vs. triple-DES for password encryption?
    ... even if the attack wasn't practical. ... > somehow break MD5 that was not done since 1992? ... >>> the hash algorithms as MD5 and MD4. ... >> than you would of SHA1 to get the difficulty up to the same level. ...
    (SecProg)
  • Re: Does shuffle() produce uniform result ?
    ... one encryption key, ... cryptographic attack on the algorithms used by the driver. ... block until there's enough entropy. ...
    (comp.lang.python)
  • Re: Somebody is keep trying to ssh into my systems, how can I stop that?
    ... algorithms used in RSA. ... The RSA patent expired a couple years ... from someone who was shown to be wrong and is not man enough to admit his ... You believe HIM when he says your wrong, you attack ME when I ...
    (comp.os.linux.security)