David Samyde

ElectroMagnetic Analysis (EMA): Measures and Counter-Measures for Smart Cards

A processor can leak information by different ways [1], electromagnetic radiations could bc one of them. This idea, was first introduced by Kocher, with timing and power measurements. Here we developed the continuation of his ideas by measuring the field radiated by the processor. Therefore we show that the electromagnetic attack obtains at least the same result as power consumption and consequently must be carefuly taken into account. Finally we enumerate countermeasures to be implemented.

On a new way to read data from memory

This paper explains a new family of techniques to extract data from semiconductor memory, without using the read-out circuitry provided for the purpose. What these techniques have in common is the use of semi-invasive probing methods to induce measurable changes in the analogue characteristics of the memory cells of interest. The basic idea is that when a memory cell, or read-out amplifier, is scanned appropriately with a laser, the resulting increase in leakage current depends on its state; the same happens when we induce an eddy current in a cell. These perturbations can be carried out at a level that does not modify the stored value, but still enables it to be read out. Our techniques build on it number of recent advances in semi-invasive attack techniques, low temperature data remanence, electromagnetic analysis and eddy current induction. They can be used against a wide range of memory structures, from registers through RAM to FLASH. We have demonstrated their practicality by reading out DES keys stored in RAM without using the normal read-out circuits. This suggests that vendors of products such as smartcards and secure microcontrollers should review their memory encryption, access control and other storage security issues with care.

Power Analysis of FPGAs: How Practical Is the Attack?

Recent developments in information technologies made the secure transmission of digital data a critical design point. Large data flows have to be exchanged securely and involve encryption rates that sometimes may require hardware implementations. Reprogrammable devices such as Field Programmable Gate Arrays are highly attractive solutions for hardware implementations of encryption algorithms and several papers underline their growing performances and flexibility for any digital processing application. Although cryptosystem designers frequently assume that secret parameters will be manipulated in closed reliable computing environments, Kocher et al. stressed in 1998 that actual computers and microchips leak information correlated with the data handled. Side-channel attacks based on time, power and electromagnetic measurements were successfully applied to the smart card technology, but we have no knowledge of any attempt to implement them against FPGAs. This paper examines how monitoring power consumption signals might breach FPGA-security. We propose first experimental results against FPGA-implementations of cryptographic algorithms in order to confirm that power analysis has to be considered as a serious threat for FPGA security. We also highlight certain features of FPGAs that increase their resistance against side-channel attacks.

Memories: A Survey of Their Secure Uses in Smart Cards

Smart cards are widely known for their tamper resistance, but only contain a small amount of memory. Though very small, this memory often contains highly valuable information (identification data, cryptographic key, etc). This is why it is subject to many attacks, as the other parts of the smart card, and thus requires appropriately chosen protections. The use of memories in smart cards induces security problems, but also other more particular ones. The main constraint is naturally the limited physical expansion and integration, but fault level, aging and power consumption are not to be discarded. Indeed, deducing the context of a ROM using a microscope has been proven to work. Interactions with light or eddy current on silicon can produce faults that might reveal important information, as well. This article details the role of memory in smart card industries, in current context and future perspectives of smart cards and their applications. It then gives a survey of published physical attacks targeting memory and all the existing techniques to counter them. Great efforts are undertaken by industries and academics to tackle specific memory problems introducing hardware and software countermeasures in the designs. This struggle between security and hackers permits in the one hand tremendous breakthroughs in research but in the other hand makes rather difficult for manufacturers to maintain cost effectiveness, that is one important factor for smart card.

Signal processing for smart cards

In 1998, Paul Kocher showed that when a smart card computes cryptographic algorithms, for signatures or encryption, its consumption or its radiations leak information. The keys or the secrets hidden in the card can then be recovered using a differential measurement based on the intercorrelation function. A lot of silicon manufacturers use desynchronization countermeasures to defeat power analysis. In this article we detail a new resynchronization technic. This method can be used to facilitate the use of a neural network to do the code recognition. It becomes possible to reverse engineer a software code automatically. Using data and clock separation methods, we show how to optimize the synchronization using signal processing. Then we compare these methods with watermarking methods for 1D and 2D signal. The very last watermarking detection improvements can be applied to signal processing for smart cards with very few modifications. Bayesian processing is one of the best ways to do Differential Power Analysis, and it is possible to extract a PIN code from a smart card in very few samples. So this article shows the need to continue to set up effective countermeasures for cryptographic processors. Although the idea to use advanced signal processing operators has been commonly known for a long time, no publication explains that results can be obtained. The main idea of differential measurement is to use the cross-correlation of two random variables and to repeat consumption measurements on the processor to be analyzed. We use two processors clocked at the same external frequency and computing the same data. The applications of our design are numerous. Two measurements provide the inputs of a central operator. With the most accurate operator we can improve the signal noise ratio, re-synchronize the acquisition clock with the internal one, or remove jitter. The analysis based on consumption or electromagnetic measurements can be improved using our structure. At first sight the same results can be obtained with only one smart card, but this idea is not completely true because the statistical properties of the signal are not the same. As the two smart cards are submitted to the same external noise during the measurement, it is more easy to reduce the influence of perturbations. This paper shows the importance of accurate countermeasures against differential analysis.