160 likes | 309 Views
SPA and DPA. Possible Testing Solutions and Associated Costs. Stan Kladko, Ph. D., BKP Security Labs. Introduction. Simple Power Analysis (SPA) and Differential Power Analysis (DPA) Introduced by P. Kocher, J. Jaffe, and B. Jun
E N D
SPA and DPA Possible Testing Solutions and Associated Costs Stan Kladko, Ph. D., BKP Security Labs
Introduction • Simple Power Analysis (SPA) and Differential Power Analysis (DPA) • Introduced by P. Kocher, J. Jaffe, and B. Jun • Can be potentially used to compromise keys and critical security parameters
SPA and DPA • Simple power analysis requires measurement and observation of time-resolved power traces • Differential power analysis includes statistical sampling and analysis of correlations • Other physical characteristics can be used such as intensity of electromagnetic emissions (EMA)
SPA and DPA • Do not require expensive equipment and are relatively easy to implement • Descriptions of techniques and experimental setups are readily available
Proposed Countermeasures • Physical shielding • Random power consumption elements • Randomizing algorithm execution • Randomizing circuit timing • Interleaving code with dummy instructions • Redesigning cryptographic algorithms • Redesigning circuit layouts • …
FIPS 140-2 • Currently lacks SPA and DPA requirements • This makes it somewhat outdated as a security standard, in particular for smartcards • Adding SPA and DPA requirements could be a logical step to consider for FIPS 140-3
FIPS 140-2 Security Levels • Level 1 – no significant physical security requirements • Level 2 – tamper evidence or ability to detect key compromise • Level 3 and Level 4 – key destruction in case of compromise
FIPS 140-2 Security Levels • SPA and DPA = key compromise without traces of tampering • Level 2 seems to be appropriate
FIPS 140-2 Module Types • single-chip (e.g. smartcard) • multiple-chip embedded (crypto accelerator card) • multi-chip standalone (router or PC) • most published SPA/DPA attacks – single chip modules • SPA/DPA requirements could be limited to single-chip modules only
Testing Lab Considerations • Typical FIPS 140-2 testing costs < $50K • Assuming 20% of total costs one has $5K-10K for SPA/DPA testing • 1-2 person/weeks • Typical equipment items: digital oscilloscope, DC power supply, function generator, PC. • Total < $5K
SPA/DPA Testing Requirements • Simple • Reproducible • Standard experimental setup across labs • Standard testing methods for each Approved algorithm • Standard software (could be developed by NIST)
Staff Training • Need staff members familiar with applied physics and electrical engineering concepts • DPA requires familiarity with a number of concepts in statistics • NVLAP Handbook 150-17 for CMVP labs would need to be revised to include SPA/DPA training requirements
Criteria for SPA/DPA requirements • Simple criteria should be preferred • Having to analyze all measures and countermeasures would put undue burden on the lab • Physically measurable criteria would be preferred • Many papers list signal-to-noise ratio as a sensible criterion
Criteria for SPA/DPA requirements • The exact definition of the signal-to-noise ratio would be left to experts • Could be different for SPA vs. DPA • Any signal-to-noise ratio definition would not guarantee security due to feasibility of various noise-cancellation techniques • Signal-to-noise threshold could deter attackers with low attack potential
Summary • Adding SPA/DPA requirements to future versions of FIPS 140 seems justified • Candidate testing requirements shall be reviewed to assess potential implications for labs and vendors • Simple and well-defined requirements are preferred