If the practice of security is the black art of the IT world, requiring esoteric knowledge and the ability to employ a bag of tricks and specialized techniques to safeguard data, then cryptography is the highest expression of the art.
Cryptographers spend their days immersed in the arcana of one-way functions and stream ciphers, dwelling in the shadowy world where computer science and higher math converge.
This discipline is not for the faint of heart; even seasoned, confident security specialists get a little spooked when the conversation turns to subjects such as quantum cryptography or differential power analysis attacks. That fear has not prevented enterprise IT departments from deploying cryptographic devices by the millions during the last few years.
Its not just authentication or access devices such as smart cards and tokens that rely on cryptographic operations. The use of public-key cryptography is so prevalent in todays world that even postage meters use it.
All these devices also share one other attribute: They leak. Cryptographic devices consume power and emit electromagnetic radiation when power flows through the logic gates that make up semiconductors. The amount of power that is consumed by a device changes in tiny increments during cryptographic operations, and researchers at Cryptography Research Inc. several years ago discovered a way to measure the changes in power usage.
Using those measurements, the researchers were able to gather enough data to find the secret keys involved in the operations.
“DPA [Differential Power Analysis] can be used to break implementations of almost any symmetric or asymmetric algorithm. We have even used the technique to reverse-engineer unknown algorithms and protocols by using DPA data to test hypotheses about a devices computational processes,” CRI researchers wrote in their original paper on DPA attacks, “Differential Power Analysis.”
Advanced Cryptography Goes Mainstream
CRI, based in San Francisco, owns a number of patents on techniques for defeating DPA attacks and has decided to open up these patents to other vendors for licensing. This is a significant move for CRI because the company essentially has cornered the market on such countermeasures, and any vendor that wants to produce tamper-resistant smart cards or other cryptographic devices has to go through CRI.
Advanced cryptographic devices such as smart cards, USB (Universal Serial Bus) authentication tokens and others once were solely the dominion of intelligence agencies, defense contractors and the more security sensitive. But in recent years, these devices have become much more prevalent in everyday life; even America Online has decided to begin giving its broadband customers the option of using RSA Security Inc.s SecurID Authenticator for two-factor authentication.
The widespread use of strong cryptography in both software and hardware has given the DPA attacks and the countermeasures an increased importance.
“The patent portfolio covers all of the fundamental ways to defend against DPA attacks,” said Kit Rodgers, director of licensing at CRI.
There are two main techniques for defeating these attacks: reducing the amount of information that leaks from the device and adding noise to the data that leaks. The goal in both cases is to prevent the attacker from getting an accurate reading of the information that is flowing from the device.
One way to add noise to the data coming out of the device is to change the clock settings on the device at random intervals so that the attacker has no way to be sure when operations are occurring. Another technique involves changing the order of some operations or the execution path of the operations.
“We can do a lot of different things, but so can the attackers,” said Ben Jun, vice president of technology at CRI and one of the authors of the paper written on DPA. “We have the advantage of having discovered these attacks, and so we know how to defeat them. The best way to do it is to reduce the amount of data that leaks, and we have a number of ways to do that.”
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.