Advanced Cryptography Goes Mainstream
CRI, based in San Francisco, owns a number of patents on techniques for defeating DPA attacks and has decided to open up these patents to other vendors for licensing. This is a significant move for CRI because the company essentially has cornered the market on such countermeasures, and any vendor that wants to produce tamper-resistant smart cards or other cryptographic devices has to go through CRI.
Advanced cryptographic devices such as smart cards, USB (Universal Serial Bus) authentication tokens and others once were solely the dominion of intelligence agencies, defense contractors and the more security sensitive. But in recent years, these devices have become much more prevalent in everyday life; even America Online has decided to begin giving its broadband customers the option of using RSA Security Inc.'s SecurID Authenticator for two-factor authentication.
"The patent portfolio covers all of the fundamental ways to defend against DPA attacks," said Kit Rodgers, director of licensing at CRI.
There are two main techniques for defeating these attacks: reducing the amount of information that leaks from the device and adding noise to the data that leaks. The goal in both cases is to prevent the attacker from getting an accurate reading of the information that is flowing from the device. One way to add noise to the data coming out of the device is to change the clock settings on the device at random intervals so that the attacker has no way to be sure when operations are occurring. Another technique involves changing the order of some operations or the execution path of the operations.
"We can do a lot of different things, but so can the attackers," said Ben Jun, vice president of technology at CRI and one of the authors of the paper written on DPA. "We have the advantage of having discovered these attacks, and so we know how to defeat them. The best way to do it is to reduce the amount of data that leaks, and we have a number of ways to do that."
The widespread use of strong cryptography in both software and hardware has given the DPA attacks and the countermeasures an increased importance.
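An added example (not from the article or from CRI) of why the random-timing countermeasure described above works: on a constructed trace model, it measures how strongly one data bit shows up in the traces when the leaking operation always happens at the same moment and when it is delayed at random. The trace model (Gaussian noise plus one sample that leaks a Hamming weight), the parameter values and all function names are assumptions made for this illustration.

```python
import random

LEAK_START = 5  # constructed: earliest sample index at which the operation leaks

def simulate_traces(n_traces, n_samples, max_delay, rng, noise_sigma=1.0):
    """Build constructed power traces: Gaussian noise everywhere, plus one sample
    that carries the Hamming weight of a random byte. max_delay=0 models a fixed
    clock; max_delay>0 models random timing changes between runs."""
    values, traces = [], []
    for _ in range(n_traces):
        value = rng.randrange(256)
        trace = [rng.gauss(0.0, noise_sigma) for _ in range(n_samples)]
        delay = rng.randrange(max_delay + 1)
        trace[LEAK_START + delay] += bin(value).count("1")
        values.append(value)
        traces.append(trace)
    return values, traces

def leakage_peak(values, traces):
    """Largest |mean(bit0 = 1) - mean(bit0 = 0)| over all sample positions.
    A large peak means the bit is readable from the averaged traces."""
    ones = [t for v, t in zip(values, traces) if v & 1]
    zeros = [t for v, t in zip(values, traces) if not v & 1]
    peak = 0.0
    for i in range(len(traces[0])):
        mean_one = sum(t[i] for t in ones) / len(ones)
        mean_zero = sum(t[i] for t in zeros) / len(zeros)
        peak = max(peak, abs(mean_one - mean_zero))
    return peak

def compare(seed=1, n_traces=3000, n_samples=40, max_delay=15):
    """Return (peak with fixed timing, peak with random delays)."""
    rng = random.Random(seed)
    fixed = leakage_peak(*simulate_traces(n_traces, n_samples, 0, rng))
    jittered = leakage_peak(*simulate_traces(n_traces, n_samples, max_delay, rng))
    return fixed, jittered

if __name__ == "__main__":
    fixed, jittered = compare()
    print(f"leakage peak, fixed timing:  {fixed:.3f}")
    print(f"leakage peak, random delays: {jittered:.3f}")
```

In this model the leak is spread over 16 possible positions, so the averaged signal at any one position shrinks by roughly that factor and sinks toward the noise floor. The leak is diluted rather than removed, which matches the article's point that reducing the leakage itself is the stronger defense.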