Who cares about side-channel attacks?

Thierry Moreau thierry.moreau at connotech.com
Thu Oct 30 00:41:40 EDT 2008

Peter Gutmann wrote:

> Ben Laurie <ben at links.org> writes:
>>Peter Gutmann wrote:
>>>Given the string of
>>>attacks on crypto in embedded devices (XBox, iPhone, iOpener, Wii, some
>>>not-yet-published ones on HDCP devices :-), etc) this is by far the most
>>>at-risk category because there's a huge incentive to attack them, the result
>>>affects tens/hundreds of millions of devices, and the attacks are immediately
>>>and widely actively exploited (modchips/device unlocking/etc, an important
>>>difference between this and academic proof-of-concept attacks), so this is the
>>>one where I'd expect the vendors to care most.
>>But they've all been unlocked using easier attacks, surely?
> The published ones seem to be the (relatively) easy ones, but the ones that
> have been tried (and either not published or just had the easy outcome
> published) have been pretty amazing.  This is another one of these things
> where real figures are going to be near-impossible to come by, even harder
> than my hypothetical public vendor survey of who uses SCA protection.  You'd
> have to read about 20 blogs and a hundred mailing lists, many private, just to
> keep up, but from various informal contacts with people working in this area
> it seems you're not looking at anything like the conventional "identify the
> weakest point, then attack there" approach.  Instead what's being done is more
> like the Iraqi weapons program prior to 1991 where they were using every
> imaginable type of approach, including ones like calutrons that had been
> abandoned decades earlier by everyone else, for a first-past-the-post finish,
> they'd try anything and everything and whatever got them there first would be
> declared the winner.  It's the same with these attacks, whenever I've asked
> "have you tried X" the answer is invariably "yes, we have".
> This style of attack is quite different from the usual academic model, it
> neatly illustrates Bruce Schneier's comment that a defender has to defend
> every single point along the line while an attacker only has to find a single
> weakness.  In this case it seems to be literally true, and the weakness won't
> necessarily be the actual weakest point but merely the point where an attacker
> with sufficient skill and access to the right tools got in.  Look at the XBox
> attacks for example, there's everything from security 101 lack of
> checking/validation and 1980s MSDOS-era A20# issues through to Bunnie Huang's
> FPGA-based homebrew logic analyser and use of timing attacks to recover device
> keys (oh, and there's an example of a real-world side-channel attack for you),
> there's no rhyme or reason to them, it's just "hammer away at everything with
> anything you've got and exploit the first bit that fails".

Now you seem to answer the question yourself: SCA protections apply to a 
single class of attacks, while there are many.

Going back to "who cares", having done certification consulting 
assignments for some devices with crypto, when there was no 
checklist-based standard to apply, "good practice" security criteria (to 
be briefly documented in the report) would include the following questions:

(A) Is the secret key inside a device unit applicable to this single 
unit, or is it a system-wide, or domain-wide key?

That's a key management scheme question.

(B) Is the attack destructive? Which device unit features (especially 
"be in working order", but also "be absent of actual tampering evidence" 
or even "remain under the control of the legitimate user without 
interruptions longer than X" ) need to be impaired for a given class of 
attack to succeed? This question pertains to the secret key as in (A) 
and also to any public-key-to-be-integrity-protected which would prevent 
malicious code download.

That's a product design question.

(C) What are the incentives, if any, for the legitimate user to remain 
well-behaved in the human aspects of device protection? (E.g. a merchant 
has some incentive to maintain a payment authorization device in good 
working order.) This leads to the question of insider threats, so 
satisfactory answers in this area are seldom present.

This is an application design question.

This gives an idea of analyses that drives security-related spendings 
(in my limited experience). Clients (intend to) pay for protections that 
will prevent financial losses and major public relations impacts (and 
then cut operating budgets soon after the project gets its 
authorization!). The consultant study must clearly link attackers' 
motivations to impacts and to countermeasures.

Refinements to the above analysis methodology call for the same creative 
mind that you assume from the part of the attackers. E.g. the usefulness 
of a device unit clone for the attacker should be considered for 
questions (B) and (C).

Does SCA protection enter the picture? Marginally at best.



- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list