Cryptography Reference
In-Depth Information
measure the computation time. All of these scenarios are rather speculative,
however, and depend a lot on the operating system and the applications. But
where there is a flaw, it will be exploited for sure sooner or later. Eavesdroppers
usually sit inside their own companies rather than attacking from the outside.
How can these attacks be prevented? Timing attacks are actually not directed
against algorithms, but against their implementations. It would be ideal if every
ciphering/deciphering process took exactly the same number of CPU clocks.
The downside is that it would cause the performance to drop since all ciphering
processes would have to run as slowly as the worst case. Rivest thinks that
this does not represent a dramatic deterioration in RSA: he states that the
computation time grows by 10% to 20% at most. However, it is rather difficult
to create a corresponding implementation. As an aside, randomly interfering
with the computation time is ineffective because the interference can be
filtered out statistically.
Power Analysis and Differential Power Analysis (DPA)
We have learned that the novelty in the timing attack was to exploit side
effects (varying execution times of operations in this case) rather than
attacking the algorithm itself. An intuitive consequence was to exploit parameters
other than the execution time. The first approach in this direction was power
analysis, also referred to as Simple Power Analysis (SPA), in 1995.
SPA is an attack that measures the fluctuating power consumption of a chip
card. This is helpful, for example, to distinguish multiplication and squaring on
RSA cards based on the power consumption. This new method is yet another
one invented by Kocher.
SPA is powerful; it can normally find secret keys in a matter of seconds.
The method turns a smartcard that can be activated without a PIN into a
security risk: it is pretty easy for somebody to non-destructively read the key,
and you won't have the slightest idea later on how and where on earth this
happened. On the other hand, it is not particularly difficult to protect smartcards
against this attack. The only thing is that the manufacturers have to know about
it first.
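The multiplication-versus-squaring leak described above, next to one common way of removing it, as an added example that is not from the book. The letter traces stand in for a power trace; the modulus, base, exponents and the choice of a Montgomery ladder as the countermeasure are assumptions made here.

```python
# Added example, not from the book. "S" = squaring, "M" = multiplication.
# The model records only the ORDER of operations (what SPA reads off a trace),
# not the data-dependent consumption that DPA evaluates statistically.

MOD, BASE, BITS = 3233, 65, 6          # constructed toy values (3233 = 61 * 53)
KEY_A, KEY_B = 0b101101, 0b110010      # two constructed secret exponents


def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation: multiplies only on 1 bits."""
    result, trace = 1, []
    for bit in bin(exp)[2:]:
        result = result * result % mod
        trace.append("S")
        if bit == "1":                 # key-dependent branch: the SPA leak
            result = result * base % mod
            trace.append("M")
    return result, "".join(trace)


def montgomery_ladder(base, exp, mod, bits):
    """Fixed-length ladder: one multiplication and one squaring per bit."""
    r0, r1, trace = 1, base % mod, []  # invariant: r1 == r0 * base (mod mod)
    for i in range(bits - 1, -1, -1):
        if (exp >> i) & 1:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r1, r0 = r0 * r1 % mod, r0 * r0 % mod
        trace.append("MS")             # same operations whatever the bit is
    # On real hardware the if/else above would also have to be replaced by a
    # constant-time conditional swap; this model does not cover that.
    return r0, "".join(trace)


def sequence_depends_on_key(exponentiate):
    """True if the operation sequence differs between the two sample keys."""
    return exponentiate(KEY_A)[1] != exponentiate(KEY_B)[1]


def naive(exp):
    return square_and_multiply(BASE, exp, MOD)


def ladder(exp):
    return montgomery_ladder(BASE, exp, MOD, BITS)


if __name__ == "__main__":
    for name, fn in (("square-and-multiply", naive), ("ladder", ladder)):
        print(name, fn(KEY_A)[1], fn(KEY_B)[1], sequence_depends_on_key(fn))
```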
A much more powerful attack is the Differential Power Analysis (DPA), also
developed by Kocher, this time in cooperation with Jaffe and Jun. Though a
DPA normally takes several hours, the authors found not a single smartcard
then on the market that would have resisted it! In contrast to SPA, DPA
statistically evaluates large data sets, which means that even a single bit flipped in the