Differential Power Analysis
Paul Kocher, Joshua Jaffe, Benjamin Jun
Crypto '99
Moderator - Joel Hegg

Summary:
Smartcards are becoming increasingly popular as security tools. Kocher et al. discovered that mathematical analysis of the power consumption of a smartcard, sampled at a very high frequency, can reveal information about the operations the smartcard is performing. More specifically, it has allowed them to retrieve DES and RSA keys as well as reverse engineer previously unknown protocols. Even worse, this can all be done with less than $400 worth of hardware. This paper highlighted the need to quickly rethink some of the directions security has been going.

Pros - Suvda Myagmar:
1) The advantage of power analysis is that this approach tests the cryptographic device as a whole system. This way one can analyze the combined tamper resistance of the cryptographic algorithm, its software implementation, and the underlying hardware. For example, the power trace depends not only on the data set and instruction sequence, but also on the signal-to-noise ratio present in the device and physical aspects of the circuits used in the device. This is far more realistic testing than isolated testing of the mathematical algorithm.
2) The authors show the actual power traces of samples. This provides a visual aid in understanding the concepts of power analysis.
3) The paper explains the basic concept by applying it to a popular algorithm, DES. Then the authors describe how power analysis can be applied to alternative algorithms: asymmetric, symmetric, including triple DES. They also try to minimize the number of power measurement samples.
4) The authors are honest in their assessment that there is no solid, reliable solution to prevent this type of attack. They give some suggestions on how to minimize the risks, and describe side effects of these methods. The best way to prevent it is to have realistic assumptions about the underlying hardware, and for designers of the algorithm, software, and hardware to work closely together. For example, the cryptosystem designer must define what leakage rates the cryptography can survive. Then implementers can try to reduce this leakage rate.

Cons - Amir Behgooy:
1. Their focus is on symmetrical cryptosystems such as DES (Data Encryption Standard) and the AES candidates, but public-key cryptosystems have since been shown to also be vulnerable to DPA attacks.
2. In some small systems, to avoid attacks like DPA, one often alters the base point on every run of the protocol. Hence one never actually uses the special optimizations for multiplying a base point, and all point multiplications become general ones.
3. Their work has been extended in a paper titled "On Boolean and Arithmetic Masking against Differential Power Analysis" by Jean-Sebastien Coron and Louis Goubin, available at http://citeseer.nj.nec.com/coron00boolean.html
4. I found the paper to be a little too high level, requiring some background knowledge about cryptanalysis and electronic circuits.

Discussion questions:
- Does this sound like a feasible attack?
- What are the tradeoffs when deciding to use smart cards, biometric security, and more traditional security?
- The paper mentioned shielding as a way to protect against DPA. Is this accurate? Doesn't shielding keep EM information secret, not power consumption?
- The best way to crack a piece of security is through the path of least resistance. Is this it for smartcards? What could be other concerns?
- What is the future of smartcards? What are the most realistic ways to secure them?
- Are smartcards just another WEP? If so, what do we do now to prevent their widespread use?
- Biometric devices and smartcards are there to make up for the inadequacies of passwords and to make life easier for humans. However, the problem is that they don't really rely on secret information. Is this just a terrible oversight?
- What is the best way to handle security in a ubiquitous computing environment? You can't always rely on keyboards being there. As shown here, smartcards have issues. Biometric security has its own problems. What are our options?
- Would a PIN input coupled with a smartcard work?
- What is the right tradeoff between security and cost? How do you quantify this?
- Are leakage rates important to publish? If so, whose job is it? What does this mean to the user and administrator?

Conclusion:
Smart cards are most likely here to stay. Built-in keypads may help with security. However, the only real solution to avoiding DPA and DFA is to buy quality cards, and never let them out of your sight.

Of the 15 people at the seminar, six gave this paper a "Weak Accept" and nine gave it a "Strong Accept".