[Cryptography] Side channel attack on OpenSSL ECDSA on iOS and Android

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Mar 3 19:00:30 EST 2016


John Gilmore <gnu at toad.com> writes:

>Except OpenSSL, which says:
>
>  "hardware side-channel attacks are not in OpenSSL's threat model",
>  so no updates are planned to OpenSSL to mitigate our attacks.

I would agree with them there.  If your threat model is an attacker who's
going to walk up to your hardware and attach sensors to it or stick an antenna
next to it then you need to deal with it via hardware measures (shielding,
decoupling, etc), not try and patch around it with software.  Although coders
like to think that any hardware problem should be fixable via software, in
this case it can't.  If you want EM and whatnot resistance then you need to
design the hardware to deal with this.

For software countermeasures you've got the countermeasure version of Zooko's
Triangle, { EM resistance, timing resistance, performance }, choose any two.
It's even more complex than that, often making something more timing-resistant
makes its EM resistance worse and vice versa, so sometimes it's "choose any
one".

I've got some old crypto hardware lying around here that was designed before
Kocher et al.'s work was published, and was later subjected to every known
side-channel attack (EM/power/whatever).  Nothing worked.  When I asked one of
the hardware guys about this, his response was "we just designed it using
sound engineering practice".  It hadn't been specifically hardened to resist
EM and whatnot side-channel attacks, it just had a sound level of power supply
decoupling, filtering, and shielding built into the design.  It also probably
added $10-20 to the BOM, which is why no-one else designs like that, it's
cheaper to leave it all out.

Peter.
