Software Protection Against Side Channel Analysis Through a Hardware Level Power Difference Eliminating Mask

Published in Journal of Cyber Security and Information Systems
Volume: 1 Number: 3 - Supervisory Control and Data Acquisition

Author: Capt John R. Bochert
Posted: 02/10/2016

Side Channel Analysis (SCA) is a method by which an adversary can gather information about cryptographic keys by examining the physical environment surrounding the microprocessor while it is performing cryptographic operations. In this article, we present our research which is focused upon devising methods to increase the difficulty of conducting SCA successfully on a microprocessor running Advanced Encryption Standard (AES) encryption. We make use of the open-source, soft-core Java Optimized Processor (JOP) implemented on a Xilinx Virtex 5 ML506 Field Programmable Gate Array (FPGA) evaluation board to evaluate the effectiveness of SCA countermeasures in attacks against the cryptographic algorithm. The experimental results show that implementing a power normalizing mask can increase the security of a device by requiring an adversary to collect up to 87% more data to successfully attack AES.

I. Introduction

Security and cryptography in electronics have played an integral part in society for several decades. Beginning with the securing of military communication channels and, in the civilian sector, with Automated Teller Machines (ATMs), the need for security has been rising for decades. Secure crypto-processors in particular (microprocessors that process cryptographic algorithms) have become the backbone of modern security solutions. One can find crypto-processors in smart cards, cable and satellite TV set-top boxes, lottery ticket vending machines, and mobile-phone systems. As adversarial techniques and skills have evolved to compromise crypto-processors, so have the means used by manufacturers to protect against or prevent system tampering, reproduction, disabling, and reverse-engineering [3].

There are four basic classes of attack by which an adversary can attack a crypto-processor: Semi-Invasive Attacks, Invasive Attacks, Remote Attacks, and Local Noninvasive Attacks [3]. In this section, we briefly review the attributes of each attack class. Semi-Invasive Attacks do not require damaging the coating of the semiconductor surface, known as the passivation layer, because they use lasers to ionize atoms within the transistors and change their state. This method is difficult to employ in practice because of the variability inherent in attempting to ionize specific transistors, which makes information extraction unreliable. Invasive Attacks involve actual damage to the device and monitoring of the device interior. Although this can be useful for gaining information, it also destroys the device, which is unacceptable when an adversary has only a limited number of devices, or a single device, to analyze. Remote Attacks interface with a device in normal operation over a communication channel, for example by exploiting a buffer overflow in a networked device. Remote attacks have their place, but they deal solely with programming vulnerabilities and not hardware vulnerabilities. Local Noninvasive Attacks gain information about the device through close observation of the device in operation: watching electromagnetic (EM) radiation emissions, current consumption, and other environmental effects surrounding the device. Local Noninvasive Attacks were chosen as the focus of this research because of the magnitude of the risk they pose: they allow attackers to circumvent cryptographic algorithms simply by having physical access to the device. Side Channel Analysis (SCA) attacks, a form of Local Noninvasive attack, are the method by which an adversary can cleverly deduce information about a cryptographic system by watching the interaction of a circuit with its surrounding environment. The three main branches of SCA are timing, power-analysis, and EM attacks. In all types, the basic idea is to determine a cryptographic device’s secret key by measuring its execution time, power consumption, and/or electromagnetic field [16].

In this paper, we present the findings of our initial research focused upon improving the security of cryptographic processors. The goal of our research is to propose new methods to protect cryptographic information by making dynamic changes to the underlying architecture of a microprocessor. To measure the effectiveness of different protection methods, we implemented the Advanced Encryption Standard (AES) cryptographic algorithm in a soft-core Java Optimized Processor (JOP) contained within an FPGA and measured the time required to expose the underlying cryptographic key using standard SCA methods.

II. Related Work

A. Background

The basic premise of SCA attacks stems from the reality that the switching activity of Complementary Metal-Oxide Semiconductor (CMOS) circuits leaks information. When a CMOS circuit charges to logic level ‘1’ or discharges to logic level ‘0’, the change in electric potential creates a change in the electric field (or current) which is measurable outside the chip. Generally the quantization of the energy for a given value is derived from either the Hamming Weight (HW) or the Hamming Distance (HD). The HW of a value is the number of its bits that are in a ‘non-zero’ state. For example, the HW of 0x50 (0b01010000) and the HW of 0x03 (0b00000011) are both two, and the HW of 0xFF (0b11111111) is eight. In contrast, the HD is a measure of the change of a value: the number of bits that differ between the previous state and the current state. For example, the Hamming distance between 0x50 and 0x03 is four, while the Hamming distance between 0x50 and 0xFF is six. The Hamming Weight can also be thought of as the Hamming Distance between the given value and zero (0x00). Commonly, the model used to describe the information leakage off a chip is given by  , where  is the “exclusive or” (XOR) of a and b, HW is the Hamming Weight function,  is the power consumption used by the circuit when inverting the bit, and  is the noise [4].

After monitoring the execution time, power consumption and/or the electric field of a microprocessor, the three main branches of SCA attacks used to find secret key information are: Simple Power Analysis (SPA), Differential Power Analysis (DPA), and Second Order Differential Power Analysis (SODPA) [14]. An SPA attack involves directly observing a system’s power consumption and can be done with only one trace. DPA is significantly more powerful than SPA, but is more complicated and requires the collection of many more traces. DPA looks at the changes in the trace values over time and uses statistical hypothesis testing to narrow down the candidate keys. DPA is normally done by looking at the difference of means or by using Correlation Power Analysis (CPA). Lastly, SODPA is a method often used to overcome many time-variable masking countermeasures. It involves looking at the values of a trace at several points in time, so that all of the mask is accounted for when the various correlation methods are used.

Defenses against these SCA attacks fit into two high-level categories: algorithmic countermeasures (changes made to the encryption algorithm) and circuit-level countermeasures (changes made to the actual hardware). Countermeasures can be further classified by the method through which they try to decouple the power consumption from the data being processed: masking countermeasures (trying to make the data appear as a different value) and elimination countermeasures [14] (trying to remove any correlation between the data being processed and the power signatures being measured).

B. Masking Techniques

Many masking techniques at the circuit level introduce random power consumption that is akin to noise. Examples include Random Switching Logic (RSL) [15], masking-AND [18], and Dynamic Voltage and Frequency Switching (DVFS) [19]. The RSL countermeasure adds random logic paths, masking-AND masks every output with random inputs, and DVFS randomly modulates voltage and switching frequency to introduce randomness into power traces. All of these circuit-level masking techniques, however, are still susceptible to glitches. Glitches are the transitions at the output of a gate that occur before the gate switches to the correct output. Because glitches add to the power signature, they are liable to leak information, especially when they leak key information before the correct mask is applied [9][2]. RSL uses random input and enable control signals to randomize the power signature and is thus able to avoid the information leakage posed by glitching, but the enable signals need to be carefully timed to ensure it functions properly [2].

Masking at the algorithmic level has the key notion of minimizing the correlation between intermediate values and the secret key [5]. One simple method to accomplish this is to introduce noise into the power consumption measurements. This method can be overcome by the collection of more samples. In theory, if the variance of the noise is great, then the necessary sample size might be large and infeasible. In practice, however, this method is still surmountable by increasing the number of samples used in the analysis [7].

Another option for masking power traces at the algorithmic level is the introduction of Random Process Interrupts (RPI) during the cryptographic algorithm. This is done by interleaving random dummy commands or “No Operation” (NOOP) commands throughout the code, thus masking the actual execution sequence of the cryptographic algorithm. To attack a circuit using RPIs, the correlation spikes can be reconstructed by integrating the signal over a number of consecutive clock cycles equal to the greatest variance in the clock cycles [6]. This method of overcoming RPIs is called the “sliding window attack”: several traces are integrated together and then compared against other integrated traces for the power spikes [8].

A more common method of masking, however, is to split a value Z into d shares  such that  and where  is a function like the XOR or modular addition [12]. A masking operation is said to be (d-1)th-order according to the number of shares d. When a (d-1)th-order masking is used, a dth-order DPA can be performed by combining the leakage signals at time intervals L(t1), … , L(td) resulting from the manipulation of the d shares that make up the value Z. This method of masking can therefore generally be circumvented through the use of higher-order differential power analysis: by combining the leakage signals L(t1), … , L(td) that result from the manipulation of the d shares that make up the value Z, the differential power spike for correct key guesses can be reproduced [12][10][11].

C. Elimination Techniques

Elimination is another method that can be used to confound power variation. The key notion of elimination (also called hiding) is to remove power-variation information from the attacker. Where masking seeks to decouple the power variation from the data being processed, elimination seeks to eliminate it. Four ways that elimination is used to protect circuitry are [7]:

  • Using constant execution path code
  • Choosing operations that leak less information in their power consumption
  • Balancing Hamming weights and state transitions
  • Physically shielding the device

When elimination techniques achieve their goal of no key-dependent variation in power, no information is leaked through side channels. One example is Dynamic and Differential Logic (DDL), where power differences are eliminated by ensuring that for any input one of the two outputs is charged, be it the output or its complement, and that one output transition occurs in every clock cycle. More specifically, DDL is split into a precharge phase, where all outputs are at zero, and an evaluation phase, where at least one output or its complement goes high [17]. Sense Amplifier Based Logic is an implementation of DDL that uses dynamic CMOS logic. Using this form of DDL requires the circuit designer to deal with the effects of cascading circuits, and it can introduce signal integrity issues that degrade the signal and make it inefficient [17].

Wave Dynamic and Differential Logic (WDDL) is another type of DDL. WDDL uses a static CMOS implementation of AND and OR gates. Each gate in WDDL consists of the gate with the inputs and a complementary gate with the inverse of the inputs. By introducing complementary structures, the information leaked via the side channel is reduced.
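As an added illustration (not code from the paper or from the JOP project), the following Python computes the Hamming weight and Hamming distance values from Section II.A, simulates the leakage model as a per-bit cost times the number of inverted bits plus Gaussian noise, and contrasts single-rail logic with a dual-rail (DDL/WDDL-style) encoding with and without a precharge phase. The 16-bit dual-rail encoding, the epsilon and sigma values, and the sample count are constructed assumptions, not measurements from the paper’s board.

```python
"""Hamming weight/distance, the HD leakage model, and why dual-rail logic needs precharge."""
import random
from typing import Callable, List, Tuple


def hamming_weight(x: int) -> int:
    """Count the '1' bits of x: HW(0x50) == HW(0x03) == 2, HW(0xFF) == 8."""
    return bin(x).count("1")


def hamming_distance(prev: int, cur: int) -> int:
    """Bits that flip when the state moves from prev to cur: HW(prev XOR cur)."""
    return hamming_weight(prev ^ cur)


def plain(x: int) -> int:
    """Single-rail encoding: the 8-bit value is stored as-is."""
    return x & 0xFF


def dual_rail(x: int) -> int:
    """Differential encoding (the DDL/WDDL idea, constructed here as a 16-bit word):
    every bit travels with its complement, so the codeword always has HW 8."""
    x &= 0xFF
    return (x << 8) | (~x & 0xFF)


PRECHARGE = 0  # all outputs are driven to zero in the precharge phase


def cycle_hd(prev: int, cur: int, encode: Callable[[int], int], precharge: bool) -> int:
    """Wire toggles visible in one clock cycle. Without precharge the register moves
    straight from encode(prev) to encode(cur); with precharge it first returns to
    all-zeros, so only the 0 -> encode(cur) transition is seen in the evaluation phase."""
    start = PRECHARGE if precharge else encode(prev)
    return hamming_distance(start, encode(cur))


def hd_spread(encode: Callable[[int], int], precharge: bool) -> Tuple[int, int]:
    """Min and max toggle count over all 8-bit (prev, cur) pairs. A spread of (k, k)
    means the data-dependent part of the power signature has been eliminated."""
    vals = [cycle_hd(p, c, encode, precharge) for p in range(256) for c in range(256)]
    return min(vals), max(vals)


def simulate_sample(prev: int, cur: int, encode: Callable[[int], int], precharge: bool,
                    rng: random.Random, epsilon: float = 1.0, sigma: float = 0.5) -> float:
    """One power sample: epsilon * (bits inverted) + Gaussian noise (assumed values)."""
    return epsilon * cycle_hd(prev, cur, encode, precharge) + rng.gauss(0.0, sigma)


def pearson(xs: List[float], ys: List[float]) -> float:
    """Pearson correlation coefficient, computed with the standard library only."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0


def leakage_correlation(encode: Callable[[int], int], precharge: bool,
                        samples: int = 2000, seed: int = 1) -> float:
    """Leakage assessment: correlation between the unprotected HD model of the data and
    the simulated samples of the protected circuit. Near 1 means the data is still
    visible in the power signature; near 0 means the countermeasure hides it."""
    rng = random.Random(seed)
    preds, leaks = [], []
    for _ in range(samples):
        prev, cur = rng.randrange(256), rng.randrange(256)
        preds.append(hamming_distance(prev, cur))
        leaks.append(simulate_sample(prev, cur, encode, precharge, rng))
    return pearson(preds, leaks)


if __name__ == "__main__":
    for name, enc, pre in [("single-rail", plain, False),
                           ("dual-rail, no precharge", dual_rail, False),
                           ("dual-rail + precharge", dual_rail, True)]:
        print(f"{name:24s} HD spread={hd_spread(enc, pre)} "
              f"corr={leakage_correlation(enc, pre):+.3f}")
```

Dual-rail wires alone double the toggle count rather than hiding it; only the precharge phase makes every evaluation cost the same number of transitions, which is the property the DDL/WDDL description above relies on.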

D. Advanced Encryption Standard (AES)

Advanced Encryption Standard (AES), the cryptographic algorithm used in this research, is a symmetric-key algorithm. A symmetric cryptographic algorithm uses the same key to both encrypt and decrypt data. The AES algorithm is made up of eleven rounds. With the exception of the first and last round, each round is made up of four functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey. Of particular note for this research are SubBytes and AddRoundKey. SubBytes is a simple substitution: it takes the current hex values and replaces them with known quantities from a look-up table called a “substitution box” (also known as the Sbox). AddRoundKey is the function where the key, modified slightly for each round, is XORed with the current text state [1].

Of those four functions, only AddRoundKey directly manipulates the data based on the key, which makes AddRoundKey the target for key extraction in SCA. The first call to AddRoundKey uses the original key, and each subsequent call to AddRoundKey uses a different version of the key. AddRoundKey is followed by SubBytes, which uses a simple substitution whereby the current state of the plaintext is used to find the corresponding substitution value in the Sbox. The best place to attack the AES algorithm is between the AddRoundKey phase of the previous round and the SubBytes of the next round. This location is highly vulnerable because, given the plaintext, an attacker knows exactly what the state of the plaintext is going into AddRoundKey, but does not know what the state will be after returning from AddRoundKey, as the key is not yet known. The attacker does, however, know the simple look-up table used in SubBytes, and if power signatures can be correlated to approximate values, it is possible with enough traces to use a statistical algorithm to derive the key. The specific location of the attack on AES is shown in Figure 1.

Fig. 1. Two rounds of AES with the location of attack noted with dotted lines


Disclaimer

The views expressed in this paper are those of the authors and do not reflect the official policy or position of the United States Air Force, the Department of Defense, or the U.S. Government.

References

[1] FIPS 197, “Federal Information Processing Standards Publication 197: Announcing the Advanced Encryption Standard (AES),” National Institute of Standards and Technology (NIST), November 26, 2001.

[2] Alam, M., Ghosh, S., Mohan, M.J., Mukhopadhyay, D., Chowdhury, D.R., and Gupta, I.S., “Effect of Glitches against Masked AES S-box Implementation and Countermeasure,” IET Information Security, 1 Oct 2008.

[3] Anderson, R., Bond, M., Clulow, J., and Skorobogatov, S., “Cryptographic Processors - A Survey,” University of Cambridge Computer Laboratory Technical Report UCAM-CL-TR-641, ISSN 1476-2986, 94(2), February 2006.

[4] Aumonier, S., “Generalized Correlation Power Analysis,” Oberthur Card Systems SA, 2007.

[5] Chari, S., Jutla, C.S., Rao, J.R., and Rohatgi, P., “Towards sound approaches to counteract power-analysis attacks,” Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO ’99), Springer-Verlag, 398–412, 1999.

[6] Clavier, C., Coron, J.S., and Dabbous, N., “Differential power analysis in the presence of hardware countermeasures,” Lecture Notes in Computer Science, 1965:252–263, 2000.

[7] Kocher, P., Jaffe, J., and Jun, B., “Differential Power Analysis,” Lecture Notes in Computer Science, CRYPTO 1999, 1666:388–397, 1999.

[8] Lu, Y., O’Neill, M.P., and McCanny, J.V., “FPGA Implementation and Analysis of Random Delay Insertion Countermeasure against DPA,” ICECE Technology, FPT 2008 International Conference, Dec 2008.

[9] Mangard, S., Popp, T., and Gammel, B.M., “Side Channel Leakage of Masked CMOS Gates,” CT-RSA 2005, The Cryptographers’ Track at the RSA Conference, 3376:351–365, 2005.

[10] Messerges, T.S., Dabbish, E.A., and Sloan, R.H., “Examining Smart-Card Security under the Threat of Power Analysis Attacks,” IEEE Transactions on Computers, 51(5), May 2002.

[11] Nohl, K., Evans, D., Starbug, and Plotz, H., “Reverse-Engineering a Cryptographic RFID Tag,” USENIX Security Symposium, Jul 2008.

[12] Prouff, E., Rivain, M., and Bevan, R., “Statistical Analysis of Second Order Differential Power Analysis,” IEEE Transactions on Computers, 58(6), June 2009.

[13] Schoeberl, M., “Java Optimized Processor,” http://www.jopdesign.com/.

[14] Sundaresan, V., Srividhya, R., and Vemuri, R., “Defense against Side-Channel Power Analysis Attacks on Microelectronics Systems,” Aerospace and Electronics Conference, 2008 (NAECON 2008), IEEE National, 2008.

[15] Suzuki, D., Saeki, M., and Ichikawa, T., “Random Switching Logic: A New Countermeasure against DPA and Second-Order DPA at the Logic Level,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E90-A(1):160–168, 2007.

[16] Popp, T., Oswald, E., and Mangard, S., “Power Analysis Attacks and Countermeasures,” IEEE Design and Test of Computers, 535–543, 2007.

[17] Tiri, K., Akmal, M., and Verbauwhede, I., “A Dynamic and Differential CMOS Logic with Signal Independent Power Consumption to Withstand Differential Power Analysis on Smart Cards,” Proc. of European Solid State Circuits Conference (ESSCIRC 2002), 403–406, 2002.

[18] Trichina, E., “Combinational logic design for AES subbyte transformation on masked data,” Cryptology ePrint Archive, Report 2003/236, IACR, Nov 2003.

[19] Yang, S., Wolf, W., Vijaykrishnan, N., Serpanos, D.N., and Xie, Y., “Power Attack Resistant Cryptosystem Design: A Dynamic Voltage and Frequency Switching Approach,” Proc. of Design, Automation and Test in Europe Conference (DATE 2005), 351–365, 2005.

Author

Capt John R. Bochert

Capt John R. Bochert, USAF, received his BS in Electrical Engineering from the Air Force Academy (AFA) in 2007 and his MS in Computer Engineering from the Air Force Institute of Technology (AFIT) in 2011, where he worked on cryptography and VLSI systems. Capt Bochert is a member of the IEEE and his research interests include computer programming, parallel programming, network systems, graph theory, and finding evidence for God in science.
