Side channel attack
|
|
In cryptography, a side channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than weaknesses in the mathematical algorithms (compare cryptanalysis). For example, timing information, power consumption or even sound provide an extra "channel of information", which can be exploited to break the system. Many side-channel attacks require considerable technical knowledge of the internal operation of the system on which the cryptography is implemented.
Attacks on the people using cryptography, which are often the weakest security element, are not typically called side channel attacks. For information on them, see social engineering, or rubber-hose cryptanalysis. For attacks on computer systems themselves (which are often used to perform cryptography and so contain cryptographic keys, or plaintexts), see computer security.
| Contents |
General
General classes of side channel attack include:
- Timing attack — attacks based on measuring how much time various computations take to perform.
- Power monitoring attack — attacks which make use of varying power consumption by the hardware during computation.
- TEMPEST (aka van Eck or radiation monitoring) attack — attacks based on leaked electromagnetic radiation which can directly provide plaintexts and other information.
- Acoustic cryptanalysis — attacks which exploit sound produced during a computation (rather like power analysis).
In all cases, the underlying principle is that physical effects caused by the operation of a cryptosystem (on the side) can provide useful extra information about secrets in the system, for example, the cryptographic key, partial state information, full or partial plaintexts and so forth.
Examples
A timing attack watches data movement into and out of the CPU, or memory, on the hardware running the crypto system or algorithm. Simply by observing how long it takes to transfer key information, it is sometimes possible to determine how long the key is in this instance (or to rule out certain lengths which can also be cryptanalytically useful). Internal operational stages in many cypher implementations provide information (typically partial) about the plaintext, key values and so on, and some of this information can be inferred from observed timings. Alternatively, a timing attack may simply watch for the length of time an cryptographic algorithm requires -- this alone is sometimes enough information to be cryptanalytically useful.
A power monitoring attack can provide similar information by observing the power lines to the hardware, especially the CPU. As with a timing attack, considerable information is inferrable for some algorithm implementations under some circumstances.
As a fundamental and inevitable fact of electrical life, every current generates radio waves, making whatever is producing the currents subject -- at least in principle -- to a van Eck (aka, TEMPEST) attack. If the currents concerned are patterned in distinguishable ways (typically the case), the radiation can be recorded and used to infer information about the operation of the associated hardware. If the relevant currents are those associated with a display device (ie, highly patterned and intended to produce human readable images), the task is greatly eased. CRT displays use substantial currents to steer their electron beams and they have been 'snooped' in real time with minimum cost hardware from considerable distances (hundreds of meters have been demonstrated). LCDs require, and use, smaller currents and are less vulnerable -- which is not to say they are invulnerable.
Also as an inescapable fact of electrical life in actual circuits, flowing currents heat the materials through which they flow. Those materials also continually lose heat to the environment due to other equally fundamental facts of thermodynamic existence, so there is a continually changing thermally induced mechanical stress as a result of these heating and cooling effects. That stress appears to be the most significant contributor to low level acoustic (ie, noise) emissions from operating CPUs (ca 10 kHz in some cases). Recent research by Shamir et al has demonstrated that information about the operation of crypto systems and algorithms can be obtained in this way as well. This is an acoustic attack; if the surface of the CPU chip, or in some cases the CPU package, can be observed, infrared images can also provide information about the code being executed on the CPU. That's a thermal imaging attack.
Countermeasures
Because side channel attacks rely on emitted information (eg, TEMPEST attacks) or on relationship information (eg, timing and power attacks), the most reasonable methods of countering such attacks is to limit the release of such information or access to those relationships. Displays (ie, CRT monitors) are now commercially available which have been specially shielded to prevent (or at least greatly lessen) electromagnetic emissions, defeating or reducing susceptibility to TEMPEST attacks. Power line conditioning and filtering can help with power monitoring attacks, as can some continuous duty UPSes. Physical security of hardware can reduce the risk of surreptitious installation of microphones (ie, against noise attacks), and other micro monitoring devices (ie, against CPU power draw or thermal imaging attacks).
See also
External links
- Introduction to Side Channel Attacks (http://www.hbarel.com/publications/Introduction_To_Side_Channel_Attacks.pdf), an industrial 'White Paper' report (PDF file)ja:サイドチャネル攻撃