By Ken Warren, Smart Card Business Manager Europe, Cryptography Research
The primary reason for smart card technologies growing success in the marketplace is simple – security. Smart cards are self-contained security units that can provide unparalleled barriers to fraud and piracy. But what if they were actually discovered to be insecure? Even worse, what if attackers could unobtrusively defeat a smart card’s security using inexpensive equipment? Would governments, businesses, and consumers continue to rely on them for critical transactions?
This is the threat the industry has faced since the late 90’s when scientists at Cryptography Research Inc., discovered a vulnerability called Differential Power Analysis (DPA). DPA is an attack that attempts to compromise data on a device by monitoring the electrical activity of the chip.
Realizing the impact that these fraudulent attacks could have on the industry, smart card vendors and issuers were informed of the vulnerability and were provided with patent-pending countermeasure techniques to help ensure subsequent smart cards would be secure. Today, most smart card standards mandate DPA resistance as an important component of the system’s overall security requirements. DPA resistant techniques are available to smart card manufacturers and silicon providers under a DPA Countermeasure Licensing program represented by a “lock” logo.
What is DPA?
At the fundamental level DPA is a power analysis attack which attempt to compromise data on a device by measuring the electrical activity of the chip. All device operations and programming activity involves specific electrical activity at the transistor level, which can be accurately monitored as power consumption. The power trace, or ‘signature’, is a direct function of the particular operation being performed and data that is being processed.
SPA – Simple Power Analysis
The least complex technique is known as Simple Power Analysis (SPA). An SPA attack directly observes a device’s power consumption – a process which has been likened to monitoring a patient’s heart beat on an EKG. Analysis of the resulting power traces on a smart card can reveal information about which computational process are being employed, distinguish non-volatile memory programming, or identify cryptographic routines as they execute. By studying detailed features of a power trace, individual device instructions can be distinguished, and data dependant variations in program flow can be observed. In particular, key-dependant power variations during cryptographic processing can reveal secret key values.
Sound complicated? Unfortunately, it’s not complicated enough. A device that is vulnerable to SPA can be compromised by the analysis of a single power trace captured during a normal transaction. What’s worse, the attack can be automated and completed in seconds by even relatively unsophisticated fraudsters. The good news is that effective countermeasures against SPA are relatively straightforward.
DPA – Differential Power Analysis
DPA is a more complex and more powerful variation of SPA. With DPA many power traces are gathered, and statistical analysis and error correction techniques are used to extract information leaked across multiple operations. The robustness of these techniques allows very small differences in power consumption to be isolated, even when the signal level is a good deal smaller than the ‘noise’ from other processes, measurement errors and even deliberate attempts to obscure the signal.
In a typical DPA attack the smart card is monitored whilst performing a number of cryptographic operations, and power traces are recorded for each operation (typically this information is stored on a computer hard drive). After suitable signal processing the attacker uses the collection of sampled traces to test ‘guesses’ about the key or other secret information. If the attacker makes a correct ‘guess’ there will be statistically significant correlation in the set of power traces, resulting in an identifiable DPA signal. If the guess is incorrect or if suitable countermeasures are present, than there will be no correlation of the traces and no DPA signal will be observed.
The attack is completed by making multiple guesses about the key information and using the DPA process to verify or refute successive guesses.
DPA attacks can be automated and usually take between several minutes and several hours to conduct. DPA countermeasures are described in further detail below, and can involve a combination of hardware, software, protocol, and crypto designs.
What are the implications of a DPA attack?
At a fundamental level all smart cards aim to ensure that a particular ‘asset’ is used or accessed in an ‘authorised’ or permitted manner. Software and cryptographic keys on the smart card are used to protect these assets.
A successful SPA or DPA attack on the smart card provides an attacker with means to access, bypass, or clone, the authorisation criteria for the assets protected by the card.
In any applications this has a significant business impact, as fraudulent misuse of mobile phones, transportation services and pay TV signals result in lost provider revenue. In applications such as banking and digital identity the consequences can be catastrophic. Copying or cloning of banking cards enables fraudulent credit and debit card transactions to be conducted; criminals possessing keys for prepaid cards or e-purse applications can create electronic money. But perhaps the most worrying scenarios involve the cloning or forgery of Smart Card used for government-issued ID credentials.
In contrast to most other attacks on smart cards, SPA and DPA are non invasive and inexpensive to repeat, and in many situations the cardholder would have no idea that a successful attack has taken place. Since smart cards are nearly always relied upon for their security merits, resistance to SPA and DPA attacks is essential for nearly all smart card applications.
The fundamental countermeasures to DPA and other power analysis attacks are patented. Effective deployment of DPA countermeasures requires careful design and implementation. Although many smart card products in the market today include DPA defenses, some are considerably more effective than others.
As previously stated successful DPA countermeasures generally involve a combination of hardware, software, protocol and crypto design. Some of the common types of DPA countermeasures are:
- noise generation – increase the amount of noise detected by an attacker
- leakage reduction – reduce the amount of detectable key related signal
- leak resistance – design protocols which maintain security even when information does leak
Smart card customers need to know that the products they are purchasing are secure against DPA attacks. A DPA Countermeasure Licensing Program has been designed to assist vendors in ensuring that countermeasures in their products are effectively implemented. Vendors which have successfully implemented and tested licensed countermeasures in their devices will be able to display the ‘DPA Lock’ logo on their products and in marketing literature.
Going forward the smart card industry will continue to evolve, building upon its outstanding growth in recent years. Smart cards offer a highly cost effective and flexible solution for a range of applications benefiting commerce, governments and consumers. But above all else smart cards offer security, and an essential component security are robust defenses against would be attackers. Effective DPA countermeasures are a vital component in protecting the smart card, and its future success.
The security promise of smart cards still exists, though it is worth being sure the cards you are issuing are properly protected.
DPA Patents Issued
In April 2004 broad patent coverage for DPA countermeasures were granted to Cryptography Research Inc., and in November 2004 it officially announced its DPA Countermeasure Licensing Program to the smart card industry. CRI is already in discussions with each of the leading smart card manufactures and silicon providers who wish to negotiate the best possible terms to deploy excellent DPA countermeasures in their products.
History of DPA
The smart card industry first became aware of DPA, and the related technology SPA (Simple Power Analysis), in the late 90’s, following the discovery by scientists at Cryptography Research Inc. (CRI) that smart cards were vulnerable to power analysis attacks. CRI quietly and discreetly informed smart card vendors and issuers of the vulnerability, and shared its fundamental patent pending countermeasure techniques to help ensure subsequent smart cards would be secure.The industry was informed of CRI’s intention to license these countermeasures once its patents had issued.
It is not surprising that news of DPA eventually reached the press (Australian Financial Times, 6th June 1998), and in order to prevent the story being over sensationalized and misrepresented, CRI went on record with a measured response to put the threat in perspective (New York Times, 10th June 1998). It was made clear to consumers that CRI’s countermeasures could effectively combat DPA, and the smart card industry breathed a collective sigh of relief as the issue faded from public scrutiny.
Since then DPA has continued to be a major area of research in the security and smart card communities, building upon the fundamental technology patented by CRI. In fact nearly half of the papers presented at the 2004 Cryptographic Hardware and Embedded Systems (CHES) conference were related to power analysis, and most smart card standards mandate DPA resistance as an important component of the system’s overall security.requirements.
Visit Cryptography Research on the web at www.cryptography.com.