SPA and DPA Possible Testing Solutions and Associated Costs. Stan Kladko, Ph.D., BKP Security Labs
Introduction § Simple Power Analysis (SPA) and Differential Power Analysis (DPA) § Introduced by P. Kocher, J. Jaffe, and B. Jun § Can be potentially used to compromise keys and critical security parameters
SPA and DPA § Simple power analysis requires measurement and observation of time-resolved power traces § Differential power analysis includes statistical sampling and analysis of correlations § Other physical characteristics can be used such as intensity of electromagnetic emissions (EMA)
SPA and DPA § Do not require expensive equipment and are relatively easy to implement § Descriptions of techniques and experimental setups are readily available
Proposed Countermeasures § Physical shielding § Random power consumption elements § Randomizing algorithm execution § Randomizing circuit timing § Interleaving code with dummy instructions § Redesigning cryptographic algorithms § Redesigning circuit layouts § …
FIPS 140-2 § Currently lacks SPA and DPA requirements § This makes it somewhat outdated as a security standard, in particular for smartcards § Adding SPA and DPA requirements could be a logical step to consider for FIPS 140-3
FIPS 140-2 Security Levels § Level 1 – no significant physical security requirements § Level 2 – tamper evidence or ability to detect key compromise § Level 3 and Level 4 – key destruction in case of compromise
FIPS 140-2 Security Levels § SPA and DPA = key compromise without traces of tampering § Level 2 seems to be appropriate
FIPS 140-2 Module Types § single-chip (e.g. smartcard) § multiple-chip embedded (crypto accelerator card) § multi-chip standalone (router or PC) § most published SPA/DPA attacks – single-chip modules § SPA/DPA requirements could be limited to single-chip modules only
Testing Lab Considerations § Typical FIPS 140-2 testing costs < $50K § Assuming 20% of total costs, one has $5K-10K for SPA/DPA testing § 1-2 person-weeks § Typical equipment items: digital oscilloscope, DC power supply, function generator, PC § Total equipment cost < $5K
SPA/DPA Testing Requirements § Simple § Reproducible § Standard experimental setup across labs § Standard testing methods for each Approved algorithm § Standard software (could be developed by NIST)
Staff Training § Need staff members familiar with applied physics and electrical engineering concepts § DPA requires familiarity with a number of concepts in statistics § NVLAP Handbook 150-17 for CMVP labs would need to be revised to include SPA/DPA training requirements
Criteria for SPA/DPA requirements § Simple criteria should be preferred § Having to analyze all measures and countermeasures would put undue burden on the lab § Physically measurable criteria would be preferred § Many papers list signal-to-noise ratio as a sensible criterion
Criteria for SPA/DPA requirements § The exact definition of the signal-to-noise ratio would be left to experts § Could be different for SPA vs. DPA § Any signal-to-noise ratio definition would not guarantee security due to feasibility of various noise-cancellation techniques § Signal-to-noise threshold could deter attackers with low attack potential
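A constructed illustration of the signal-to-noise criterion discussed on the two preceding slides (an added example, not part of the slides): it assumes a one-sample Hamming-weight leakage model and one candidate SNR definition, the variance of the per-input-value mean sample divided by the average within-value noise variance, since the slides leave the exact definition to experts. It also shows the stated caveat: averaging repeated acquisitions of the same input (a simple noise-cancellation technique) raises the measured SNR roughly in proportion to the number of repeats, so a single-acquisition threshold deters only low-effort attackers.

```python
import random
from statistics import mean, pvariance


def hamming_weight(x: int) -> int:
    """Number of set bits; the constructed leakage model below assumes the
    instantaneous power draw is proportional to this value."""
    return bin(x).count("1")


def leak_sample(value: int, noise_sd: float, rng: random.Random) -> float:
    """One constructed power sample: signal HW(value) plus Gaussian noise.
    A larger noise_sd models a 'random power consumption' countermeasure."""
    return float(hamming_weight(value)) + rng.gauss(0.0, noise_sd)


def collect(n_traces: int, noise_sd: float, repeats: int = 1, seed: int = 1) -> dict:
    """Acquire n_traces samples for random byte values, grouped by value.
    repeats > 1 models a tester averaging repeated acquisitions of the same
    input before analysis (noise cancellation)."""
    rng = random.Random(seed)
    by_value: dict[int, list[float]] = {}
    for _ in range(n_traces):
        v = rng.randrange(256)
        s = mean(leak_sample(v, noise_sd, rng) for _ in range(repeats))
        by_value.setdefault(v, []).append(s)
    return by_value


def snr(by_value: dict) -> float:
    """Assumed SNR definition: variance of the per-value means (data-dependent
    signal) divided by the mean within-value variance (noise)."""
    class_means = [mean(samples) for samples in by_value.values()]
    class_noise = [pvariance(samples) for samples in by_value.values()]
    return pvariance(class_means) / mean(class_noise)


if __name__ == "__main__":
    # Same device model and noise level; only the acquisition strategy differs.
    single = snr(collect(20000, noise_sd=4.0))
    averaged = snr(collect(20000, noise_sd=4.0, repeats=16))
    print(f"SNR, single acquisition per input:      {single:.3f}")
    print(f"SNR, 16 averaged acquisitions per input: {averaged:.3f}")
```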
Summary § Adding SPA/DPA requirements to future versions of FIPS 140 seems justified § Candidate testing requirements shall be reviewed to assess potential implications for labs and vendors § Simple and well-defined requirements are preferred