
Access Control: Smart Cards Under Attack – Literally

By Ken Warren
March 17, 2006
A lot rides on the security of smart cards. They open doors but also can open bank accounts as financial institutions move to the credential. Pictured from ACTIVCARD is ActivIdentity Solo version 2.0, an ultra-portable, slimly designed and easy to use personal smart card reader for secure banking.
 

It is no secret that smart cards have enjoyed explosive growth. Shipments are more than 1.5 billion globally, according to research firm Frost & Sullivan. There are scores of security applications such as payment systems, mobile phones, physical/logical access control, secure ID, public transit and pay TV, just to name a few. Added value includes secure storage for personalized information such as ID keys or biometric data. In addition, costs for deploying customized smart cards have dropped significantly in recent years. Combining these factors, it is no wonder many enterprises and their security operations have enthusiastically embraced smart cards.

The business bottom line: The primary reason for smart card success in the marketplace is simple – security. Smart cards are self-contained security units, which can provide unparalleled barriers to fraud and piracy.

But what if all smart cards were actually discovered to be insecure?

Even worse, what if attackers could unobtrusively defeat a smart card’s security using inexpensive equipment? Would governments, businesses and consumers continue to rely on them for critical transactions?

This is the threat the industry has faced since the late 1990s when scientists at my firm, Cryptography Research Inc., discovered a vulnerability called Differential Power Analysis. DPA is a power analysis attack, which attempts to compromise data on a device by monitoring the electrical activity of the chip. Realizing the impact that these fraudulent attacks could have, smart card vendors and issuers were informed of the vulnerability, and were provided with patent-pending countermeasure techniques to help ensure subsequent smart cards would be secure.

Today, most smart card standards mandate DPA resistance as an important component of the system’s overall security requirements. DPA-resistant techniques are available to smart card manufacturers and silicon providers under a DPA Countermeasure Licensing program represented by a “lock” logo.



Figure 2 shows an example of traces from a typical DPA analysis. The top trace is the reference (mean) signal; the lower traces show DPA traces where correlation is observed (correct key guess) and no correlation (incorrect key guess).

What is DPA?

At the fundamental level DPA is a power analysis attack, which attempts to compromise data on a device by measuring the electrical activity of the chip. All device operations and programming activity involve specific electrical activity at the transistor level, which can be accurately monitored as power consumption. The power trace, or “signature,” is a direct function of the particular operation being performed and data that is being processed.
 

Simple Power Analysis

The least complex technique is known as Simple Power Analysis. An SPA attack directly observes a device’s power consumption – a process that has been likened to monitoring a patient’s heartbeat on an EKG. Analysis of the resulting power traces on a smart card can reveal information about which computational process is being employed, distinguish non-volatile memory programming, or identify cryptographic routines as they execute. By studying detailed features of a power trace, individual device instructions can be distinguished, and data-dependent variations in program flow can be observed.

In particular, key-dependent power variations during cryptographic processing can reveal secret key values.

A device that is vulnerable to SPA can be compromised by the analysis of a single power trace captured during a normal transaction. What’s worse, the attack can be automated and completed in seconds by even relatively unsophisticated fraudsters. The good news is that effective countermeasures against SPA are relatively straightforward.



Figure 1 shows an SPA trace of an RSA operation. At the macro level the power trace clearly shows that the algorithm is using the Chinese Remainder Theorem. More detailed study of the power signal (inset) enables individual squaring and multiplication steps to be identified, thus revealing key data values. Sound complicated? Unfortunately, it’s not complicated enough.
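The squaring-versus-multiplication distinction described for Figure 1, set beside a routine whose operation sequence does not depend on the key, as an added Python illustration that is not from the article. The string of S and M letters stands in for the power trace; the toy exponent and modulus are constructed, and the Montgomery ladder is an assumed choice of countermeasure that the article does not name.

```python
# Added illustration (not from the article): the sequence of squarings (S)
# and multiplications (M) stands in for what an SPA trace reveals.

def square_and_multiply(base, exp, mod):
    """Left-to-right binary exponentiation; multiplies only on 1 bits."""
    ops, acc = [], 1
    for bit in bin(exp)[2:]:
        acc = acc * acc % mod
        ops.append("S")
        if bit == "1":                 # key-dependent branch: the SPA leak
            acc = acc * base % mod
            ops.append("M")
    return acc, "".join(ops)

def montgomery_ladder(base, exp, mod):
    """One multiplication then one squaring per bit, whatever its value."""
    ops, r0, r1 = [], 1, base % mod
    for bit in bin(exp)[2:]:
        prod = r0 * r1 % mod           # M, always performed first
        if bit == "1":
            r0, r1 = prod, r1 * r1 % mod
        else:
            r0, r1 = r0 * r0 % mod, prod
        ops.append("MS")               # same sequence for a 0 and a 1 bit
    return r0, "".join(ops)

def bits_from_ops(ops):
    """What a reader of the first trace infers: 'SM' -> 1, lone 'S' -> 0."""
    return ops.replace("SM", "1").replace("S", "0")

if __name__ == "__main__":
    secret = 0b101101                  # constructed toy exponent
    _, leaky = square_and_multiply(7, secret, 1009)
    _, flat = montgomery_ladder(7, secret, 1009)
    print("square-and-multiply:", leaky, "->", bits_from_ops(leaky))
    print("montgomery ladder:  ", flat)
```

The ladder only equalizes the order of operations; which register is squared still depends on the bit, so an implementation on real hardware has to hide that as well.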

Differential Power Analysis

DPA is a more complex and more powerful variation of SPA. With DPA many power traces are gathered, and statistical analysis and error correction techniques are used to extract information leaked across multiple operations. The robustness of these techniques allows very small differences in power consumption to be isolated, even when the signal level is a good deal smaller than the “noise” from other processes, measurement errors and even deliberate attempts to obscure the signal.

In a typical DPA attack, the smart card is monitored while performing a number of cryptographic operations, and power traces are recorded for each operation (typically this information is stored on a computer hard drive). After suitable signal processing the attacker uses the collection of sampled traces to test “guesses” about the key or other secret information. If the attacker makes a correct guess, there will be statistically significant correlation in the set of power traces, resulting in an identifiable DPA signal. If the guess is incorrect or if suitable countermeasures are present, then there will be no correlation of the traces and no DPA signal will be observed.

The attack is completed by making multiple guesses about the key information, and using the DPA process to verify or refute successive guesses.

DPA attacks can also be automated, though this process usually takes between several minutes and several hours to conduct. DPA countermeasures can involve a combination of hardware, software, protocol and crypto designs.
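The correlation test described above, written as the leakage check a card developer could run before and after adding a countermeasure; this is an added Python illustration on simulated traces, not code from the article or from Cryptography Research. It assumes a Hamming-weight power model, a randomly generated substitution table, a constructed key byte, and Boolean masking as the countermeasure, none of which the article specifies.

```python
# Added illustration, not from the article. Traces are simulated and every
# value is constructed; SBOX is a random table standing in for a cipher's.
import random

SBOX = list(range(256))
random.Random(1).shuffle(SBOX)
HW = [bin(v).count("1") for v in range(256)]      # Hamming weight per byte

def capture(key, n, masked, seed):
    """Simulate n single-sample power readings of SBOX[p ^ key]."""
    rng = random.Random(seed)
    pts, leaks = [], []
    for _ in range(n):
        p = rng.randrange(256)
        v = SBOX[p ^ key]
        if masked:                    # assumed countermeasure: Boolean mask,
            v ^= rng.randrange(256)   # fresh and uniform for every operation
        pts.append(p)
        leaks.append(HW[v] + rng.gauss(0, 1.0))   # data leak plus noise
    return pts, leaks

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5

def dpa_signal(pts, leaks):
    """|correlation| of measured power with the prediction for each guess."""
    return {g: abs(pearson([HW[SBOX[p ^ g]] for p in pts], leaks))
            for g in range(256)}

def assess(key, masked, n=1000, seed=2006):
    """Return (guess with the largest signal, that signal, signal at key)."""
    sig = dpa_signal(*capture(key, n, masked, seed))
    best = max(sig, key=sig.get)
    return best, sig[best], sig[key]

if __name__ == "__main__":
    for masked in (False, True):
        best, peak, at_key = assess(0x3C, masked)
        print(f"masked={masked}: best guess {best:#04x}, peak {peak:.2f}, "
              f"true key {at_key:.2f}")
```

This check covers first-order leakage at a single sample point only, so a flat result here is a necessary condition for DPA resistance rather than proof of it.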



Implications of a DPA attack

At a fundamental level, all smart cards aim to ensure that a particular asset is used or accessed in an authorized or permitted manner. Software and cryptographic keys on the smart card are used to protect these assets. A successful SPA or DPA attack on the smart card provides an attacker with means to access, bypass or clone the authorization criteria for the assets protected by the card.

In contrast to most other attacks on smart cards, SPA and DPA are noninvasive and inexpensive to repeat, and in many situations the cardholder would have no idea that a successful attack has taken place. Since smart cards are nearly always relied upon for their security merits, resistance to SPA and DPA attacks is essential for nearly all smart card applications.



Alliance info

More information on general smart card topics is available from the Smart Card Alliance, a not-for-profit, multi-industry association working to accelerate the widespread acceptance of multiple-application smart card technology. Its membership includes leading companies in the banking, financial services, computer, telecommunications, technology, healthcare, retail, and entertainment industries, as well as a number of government agencies. The convergence of these major industry players is unprecedented and represents a shared vision and commitment to providing an interoperable platform for the delivery of a new generation of products and services based on smart card technology.

Check out the Alliance at www.smartcardalliance.org or go to www.securitymagazine.com and use the LINX search engine, powered by Google.




Ken Warren, based in Europe, represents Cryptography Research in its activities in the smart card industry, including support of the firm’s DPA countermeasure licensing and validation programs.
