
SPA and DPA

SPA and DPA. Possible Testing Solutions and Associated Costs. Stan Kladko, Ph. D., BKP Security Labs. Introduction. Simple Power Analysis (SPA) and Differential Power Analysis (DPA) Introduced by P. Kocher, J. Jaffe, and B. Jun

mmorrison

Presentation Transcript


  1. SPA and DPA
     Possible Testing Solutions and Associated Costs
     Stan Kladko, Ph.D., BKP Security Labs

  2. Introduction
     • Simple Power Analysis (SPA) and Differential Power Analysis (DPA)
     • Introduced by P. Kocher, J. Jaffe, and B. Jun
     • Can be potentially used to compromise keys and critical security parameters

  3. SPA and DPA
     • Simple power analysis requires measurement and observation of time-resolved power traces
     • Differential power analysis includes statistical sampling and analysis of correlations
     • Other physical characteristics can be used such as intensity of electromagnetic emissions (EMA)

  4. SPA and DPA
     • Do not require expensive equipment and are relatively easy to implement
     • Descriptions of techniques and experimental setups are readily available

  5. Proposed Countermeasures
     • Physical shielding
     • Random power consumption elements
     • Randomizing algorithm execution
     • Randomizing circuit timing
     • Interleaving code with dummy instructions
     • Redesigning cryptographic algorithms
     • Redesigning circuit layouts
     • …

  6. FIPS 140-2
     • Currently lacks SPA and DPA requirements
     • This makes it somewhat outdated as a security standard, in particular for smartcards
     • Adding SPA and DPA requirements could be a logical step to consider for FIPS 140-3

  7. FIPS 140-2 Security Levels
     • Level 1 – no significant physical security requirements
     • Level 2 – tamper evidence or ability to detect key compromise
     • Level 3 and Level 4 – key destruction in case of compromise

  8. FIPS 140-2 Security Levels
     • SPA and DPA = key compromise without traces of tampering
     • Level 2 seems to be appropriate

  9. FIPS 140-2 Module Types
     • single-chip (e.g. smartcard)
     • multiple-chip embedded (crypto accelerator card)
     • multi-chip standalone (router or PC)
     • most published SPA/DPA attacks – single chip modules
     • SPA/DPA requirements could be limited to single-chip modules only

  10. Testing Lab Considerations
     • Typical FIPS 140-2 testing costs < $50K
     • Assuming 20% of total costs one has $5K-10K for SPA/DPA testing
     • 1-2 person/weeks
     • Typical equipment items: digital oscilloscope, DC power supply, function generator, PC
     • Total < $5K

  11. SPA/DPA Testing Requirements
     • Simple
     • Reproducible
     • Standard experimental setup across labs
     • Standard testing methods for each Approved algorithm
     • Standard software (could be developed by NIST)

  12. Staff Training
     • Need staff members familiar with applied physics and electrical engineering concepts
     • DPA requires familiarity with a number of concepts in statistics
     • NVLAP Handbook 150-17 for CMVP labs would need to be revised to include SPA/DPA training requirements

  13. Criteria for SPA/DPA requirements
     • Simple criteria should be preferred
     • Having to analyze all measures and countermeasures would put undue burden on the lab
     • Physically measurable criteria would be preferred
     • Many papers list signal-to-noise ratio as a sensible criterion

  14. Criteria for SPA/DPA requirements
     • The exact definition of the signal-to-noise ratio would be left to experts
     • Could be different for SPA vs. DPA
     • Any signal-to-noise ratio definition would not guarantee security due to feasibility of various noise-cancellation techniques
     • Signal-to-noise threshold could deter attackers with low attack potential

  15. Summary
     • Adding SPA/DPA requirements to future versions of FIPS 140 seems justified
     • Candidate testing requirements shall be reviewed to assess potential implications for labs and vendors
     • Simple and well-defined requirements are preferred
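
The signal-to-noise criterion from slides 13 and 14, sketched as an added example that is not part of the original presentation: a lab script that computes per-sample SNR over traces recorded with known test data and applies a pass threshold. The SNR definition used (variance of the class means divided by the mean within-class variance), the Hamming-weight leakage model, the threshold of 1.0 and the simulated traces are all assumptions constructed for illustration; the slides leave the exact definition to experts.

```python
import random
from statistics import fmean, pvariance

LEAK_SAMPLE = 7   # constructed: the only time sample that depends on the data
N_SAMPLES = 16

def hamming_weight(b):
    return bin(b).count("1")

def simulate(n_traces, noise_sigma, seed):
    """Constructed traces: sample 7 = HW(known test byte) + Gaussian noise."""
    rng = random.Random(seed)
    traces, labels = [], []
    for _ in range(n_traces):
        hw = hamming_weight(rng.randrange(256))
        tr = [rng.gauss(0.0, noise_sigma) for _ in range(N_SAMPLES)]
        tr[LEAK_SAMPLE] += hw
        traces.append(tr)
        labels.append(hw)
    return traces, labels

def snr_per_sample(traces, labels):
    """SNR[t] = Var(class means at t) / mean(within-class variance at t)."""
    groups = {}
    for tr, lab in zip(traces, labels):
        groups.setdefault(lab, []).append(tr)
    snr = []
    for t in range(len(traces[0])):
        cols = [[tr[t] for tr in g] for g in groups.values()]
        signal = pvariance([fmean(c) for c in cols])
        noise = fmean([pvariance(c) for c in cols])
        snr.append(signal / noise if noise > 0 else float("inf"))
    return snr

def meets_threshold(snr, threshold):
    """Hypothetical pass rule: peak SNR must stay below the threshold."""
    return max(snr) < threshold

if __name__ == "__main__":
    for name, sigma in (("low-noise module", 1.0), ("noisier module", 4.0)):
        snr = snr_per_sample(*simulate(4000, sigma, seed=1))
        peak = max(range(N_SAMPLES), key=snr.__getitem__)
        print(f"{name}: peak SNR {snr[peak]:.2f} at sample {peak}, "
              f"pass={meets_threshold(snr, 1.0)}")
```

The noisier module passes only because the raw per-trace SNR is lower; as slide 14 notes, averaging or other noise-cancellation can recover the signal, so a pass under such a threshold is a deterrent rather than a guarantee.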
