Troublesome people, hackers. A weekend with no interruptions and by Monday they will have dreamt up a clever new way to steal your electronic data. For a device with an accessible security chip (typically we’re talking about smartcards), a nice entry point is the information that leaks out through the way the chip operates.
By monitoring standard characteristics such as execution time, power consumption and electromagnetic radiation and then applying statistical analysis techniques, hackers have very quickly extracted security keys from microprocessors, DSP, FPGA and Asic-based encryption systems.
At the DAC conference last summer, Kris Tiri from UCLA in the US and Ingrid Verbauwhede of the University of Leuven in Belgium presented a paper that described how they found the key of an unprotected Asic advanced encryption standard (AES) implementation in under three minutes using one of these non-invasive ‘side-channel’ attack techniques.
As ever more critical personal information gets stored in encrypted form on silicon chips (passports and now ID cards being prime examples), there is a growing need to find design techniques and methodologies that guard against such potential security breaches at the design start.
The best-known side-channel attack is differential power analysis (DPA), first described by Paul Kocher in 1998 (this was what Tiri and Verbauwhede used). The DPA attack uses the fact that power is only drawn from the power supply when a zero-to-one output transition occurs. You measure the power consumption of the chip while it carries out several hundred cryptographic computations with different data.
Statistical analysis is used to retrieve information from the power consumption variation that is correlated to the secret key. It is only necessary to know which algorithm is being used and to have access to plain-text or cipher-text data.
A radical recent advance in this sort of attack is differential electromagnetic analysis in which a small coil or other magnetic sensor is brought to the surface of the chip itself. The attacker sees not just the gross power signal, which is a composite of the power drawn by all of the circuits in the chip, but also a local signal correlated with the power drawn by some target circuit.
This can yield far more information, particularly if a number of coils or sensors are used together. “You could land one coil over what you know is a bus and something else over what you know is the processor and another over memory,” says Simon Moore, senior lecturer at the Cambridge Computer Lab.
Most smartcard chips are now designed to ensure that signals emanating from ‘leaky’ parts of the circuit are minimised by reducing power consumption and by adding noise. But these techniques cannot prevent an attack like DPA that relies on the elements of the signal being lined up and compared rather than being lost in noise.
A next line of security might be to add time-dependent countermeasures, says Ken Warren, Smart Card business manager for Cryptography Research (CRI), a firm founded by Paul Kocher to license IP for chip security. “If you can introduce indeterminacy and jitter in the timings either by variable clock periods or by introducing dummy calculations, that can help,” explains Warren.
CRI has encountered implementations where conditional branching can be determined from observing differences in execution time from analysis of power consumption traces. “Balanced power consumption circuitry and execution timing techniques are most effective when embedded into the processor design,” he says.
More complicated software and hardware countermeasures also exist. CRI, for example, has IP for adding randomness to calculations. It also licenses algorithmic countermeasures that involve introducing transformations or permutations prior to the calculations.
At the protocol level, it has techniques such as diversifying a key faster than the circuit is leaking information. “If you calculate the circuit is leaking half a bit per transaction and you change the key every ten transactions, you know the attacker can’t get enough information to find the key,” Warren says.
Key diversification techniques have been used to design leak-proof algorithms to secure financial transactions in banking smartcards.
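The leakage budget Warren describes can be enforced in code, shown here as an added sketch that is not CRI's licensed technique or code from the article. The `DiversifiedKey` class, the HMAC-SHA256 one-way update and the `key-update` label are assumptions chosen for illustration, and the leakage of the update step itself is not counted.

```python
import hashlib
import hmac


class DiversifiedKey:
    """Held by both card and terminal, seeded with the same root key."""

    def __init__(self, root_key, leak_bits_per_use, budget_bits):
        if leak_bits_per_use <= 0:
            raise ValueError("leak rate must be positive")
        # Largest number of uses that keeps total leakage within the budget.
        self.max_uses = int(budget_bits // leak_bits_per_use)
        if self.max_uses < 1:
            raise ValueError("budget is smaller than one transaction's leak")
        self.leak_bits_per_use = leak_bits_per_use
        self._key = root_key
        self.epoch = 0   # how many times the key has been replaced
        self.uses = 0    # transactions performed under the current key

    def _ratchet(self):
        # One-way update: bits leaked about the old key do not carry over
        # to the new one, and the old key is overwritten.
        self._key = hmac.new(self._key, b"key-update", hashlib.sha256).digest()
        self.epoch += 1
        self.uses = 0

    def authenticate(self, message):
        """Return (epoch, MAC) for one transaction, rotating the key first if due."""
        if self.uses >= self.max_uses:
            self._ratchet()
        self.uses += 1
        tag = hmac.new(self._key, message, hashlib.sha256).hexdigest()
        return self.epoch, tag

    def worst_case_leak_bits(self):
        """Upper bound on bits leaked about any single key under this model."""
        return self.max_uses * self.leak_bits_per_use


if __name__ == "__main__":
    root = bytes(16)  # constructed all-zero root key, for demonstration only
    card = DiversifiedKey(root, leak_bits_per_use=0.5, budget_bits=5)
    terminal = DiversifiedKey(root, leak_bits_per_use=0.5, budget_bits=5)
    for n in range(25):
        assert card.authenticate(b"txn") == terminal.authenticate(b"txn")
    print("epoch after 25 transactions:", card.epoch)
    print("worst-case leak per key (bits):", card.worst_case_leak_bits())
```
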
An important way forward is to analyse as you design. Simon Moore and his colleagues Huiyun Li and Theodore Markettos at Cambridge Computer Lab, for example, have just published a paper that shows a way to validate for security during design time, in this case looking at data-dependent electromagnetic (EM) emissions coming from asynchronous and synchronous processors.
The most straightforward way to simulate EM waves propagating in a circuit is to use a 3D or planar EM simulator, which involves solving Maxwell’s equations for the electric and magnetic vector fields in either the frequency or time domain. However, a full-wave field simulator is too time-consuming for chip-level analysis.
In addition, different types of electric and magnetic sensors measuring in the near or far field are used in EM attacks, all of which require different simulation methods. And to add to the complications, you need to take account of modulated EM emissions as well as the direct EM emissions.
The Cambridge Computer Lab’s team has taken the approach of partitioning the system into two: the chip and the package. The package is simulated by an EM simulator and modelled with lumped components, R, L and C. The chip, incorporating the packaged lumped parameters, is then simulated in a circuit simulator like Spice, which obtains the current consumption of the system.
The security evaluation methodology involves a procedure of data processing on the current consumption to simulate EM emissions. EM analysis on a small block such as an ALU can use a Verilog/Spice co-simulation that allows various instructions to be executed and modified through testbench files written in Verilog.
Once the current data for the desired block or whole processor is collected it is passed to Matlab and is processed to implement differential electromagnetic analysis according to the sensor types and emission types.
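A toy version of that design-time check, added here as an example and not the Cambridge team's code: a constructed current model (one unit per zero-to-one transition plus Gaussian noise) stands in for the Spice output, and a difference-of-means test using Welch's t stands in for the Matlab step. The register width, noise level, 4.5 threshold and the dual-rail model of a balanced circuit are assumptions.

```python
import random
import statistics

WIDTH = 8          # bits in the toy register (assumption)
NOISE_SIGMA = 2.0  # constructed simulation noise, arbitrary current units
T_LIMIT = 4.5      # |t| cut-off often used in leakage assessment (assumption)


def single_rail(value, rng):
    """Register cleared to 0 first: current flows only for 0->1 transitions."""
    return bin(value).count("1") + rng.gauss(0.0, NOISE_SIGMA)


def dual_rail(value, rng):
    """Balanced logic: per bit, either the true or the complement rail rises."""
    ones = bin(value).count("1")
    return ones + (WIDTH - ones) + rng.gauss(0.0, NOISE_SIGMA)


def welch_t(a, b):
    """Welch's t statistic for the difference between two group means."""
    spread = statistics.variance(a) / len(a) + statistics.variance(b) / len(b)
    return (statistics.fmean(a) - statistics.fmean(b)) / spread ** 0.5


def differential_check(model, bit, n_traces=4000, seed=1):
    """Split simulated currents by one data bit; return (t, leak found?)."""
    rng = random.Random(seed)
    groups = ([], [])
    for _ in range(n_traces):
        value = rng.randrange(1 << WIDTH)  # constructed random data
        groups[(value >> bit) & 1].append(model(value, rng))
    t = welch_t(groups[1], groups[0])
    return t, abs(t) > T_LIMIT


def assess(model):
    """One verdict per data bit: True means data-dependent current was found."""
    return [differential_check(model, bit)[1] for bit in range(WIDTH)]


if __name__ == "__main__":
    print("single-rail leaks per bit:", assess(single_rail))
    print("dual-rail leaks per bit:  ", assess(dual_rail))
```
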
Another group looking into design-time security analysis is the SSCO (small secure communicating objects) research project, which is part of CIM PACA (Centre Intégré de Microélectronique de Provence-Alpes-Côte d’Azur), a major co-operative scheme covering SoC design, physical characterisation, and micro-packaging.
The SSCO partners Atmel, ASK, Mentor, Philips, STMicroelectronics and University of Nice are developing a methodology for designing and optimising the configuration of communicating objects at the system level. The idea is to be able to simulate, analyse and verify the whole communication chain, taking into account the required frequency range, the protocols, the modulation, the baseband functions, the RF, the antenna, as well as the propagation channel.
“The interest is to be able to mix different levels of abstractions depending on the criteria or problem you’re interested in. VHDL-AMS will be the kernel of the simulation linked with Matlab Simulink. This allows us to go from specification all the way down to hardware implementation using the same environment and testbench and signal post-processing,” explains Professor Gilles Jacquemod, who is in charge of the project at the University of Nice.
“Hackers can currently track the security protection through the weakness of the system by looking at hidden channels between analogue and digital blocks. Mixed-signal simulation enables better design and analysis of that part,” explains Jean Oudinot, Mentor’s European product specialist manager for analogue mixed signal.
Hacking techniques are a moving target but the industry can be equally ingenious. At SAME, for example, STMicroelectronics presented a paper on ways of making scan-chain test circuitry hack-proof.
One suggested countermeasure was to design the test circuitry so it re-scrambled itself into a completely different orientation every few nanoseconds. That will fool them for a while.