Cryptography Reference
In-Depth Information
always takes a fixed amount of time (or at least an amount of time that is not
related to the cryptographic key in use). The second possibility is to pseudo-
randomly and reversably transform the data on which the cryptographic oper-
ation is applied (i.e., the data is blinded). Both possibilities have the disadvan-
tage that they lead to performance penalties.
•
Differential fault analysis
takes advantage of and exploits the fact that er-
rors on cryptographic operations that depend on a particular cryptographic
key may also leak some information about the key in use. The errors, in
turn, can be random, latent (e.g., due to a buggy implementation), or—most
interestingly—induced. In fact, people have tried all kinds of physical pressure
to induce such errors, and they have been surprisingly successful in analyzing
them (e.g., [14, 15]). Protection against differential fault analysis seems to be
more involved than protection against timing attacks.
•
A conceptually similar but still very different side-channel attack is sometimes
called
failure analysis
. Failure analysis takes advantage of and exploits the
fact that many implementations of cryptographic operations return notifica-
tions (e.g., error messages) if they fail. Consequently, these implementations
provide a one-bit oracle that depends on the cryptographic operation and key
in use. It has been shown that such an oracle—when invoked a very large num-
ber of times—can eventually be used to misuse the key (e.g., [16]). Designing
and implementing cryptographic systems in a way that is resistant to failure
analysis is a currently very active area of research and development.
•
Differential power analysis
exploits the fact that any hardware device con-
sumes power, because this power consumption can be monitored and analyzed
while a cryptographic operation is going on. Based on the fact that the power
consumption varies significantly during the different steps of a cryptographic
operation, it may be possible to derive information about the cryptographic
key in use (e.g., [17]). In general, the smaller and the more specialized a hard-
ware device is, the more successful a differential power analysis is likely to
be. For example, differential power analysis has been shown to be particularly
successful against smartcards. There are a couple of possibilities to protect
against differential power analysis, such as keeping the power consumption
stable or blinding the data before the cryptographic operations are applied.
In addition to these side-channel attacks, many other attacks (against tam-
per resistant hardware devices) employ invasive measuring techniques (e.g., [18,
19]). This field of study has a long tradition in computer security. For example, the
U.S. government has invested a lot of time and money in the classified TEMPEST
