Side-Channel Attacks

Side-channel attacks against crypto-systems employ different measures to break cryptography by exploiting collateral information revealed by the algorithm’s physical execution. Because they target the actual hardware rather than the abstract algorithm, they present very serious security issues. A side-channel can be any unintended output channel that leaks some form of information through a physical device. Side-channel attacks focus on the way cryptographic algorithms are implemented instead of the algorithm itself. In practice, side-channel attacks often involve two phases: a preparation phase, in which an adversary profiles and characterizes the leakages through side-channel measurements, and an exploitation phase, in which the adversary mounts an attack against the target aimed at secret key recovery.

Power consumption, running time, software cache behavior, and electromagnetic emissions may all be exploited as side-channels to recover secret keys from their respective algorithms. This is possible because there is a correlation between physical measurements taken during computation and the internal state of the device. The adversary monitors these physical interactions, since the measurements and outputs (the leakages) may reveal information useful in cryptanalysis. It is specifically this correlation between the observable output and the operations that depend on the secret key that side-channel attacks try to work out. In their paper outlining the dangers of side-channel attacks, Zhou and Feng present an illustration that shows many of these unintended output channels.

Timing Attack

To expand on an example of an effective side-channel attack, consider a hypothetical timing attack against a device that requires a four-digit PIN to unlock. Inside this device is a circuit board that checks for the correct four-digit PIN entry. Each button press is stored as a byte in memory, and as the system receives input it compares it with the known correct PIN (which is also stored in memory). This standard memory compare routine stops the moment it encounters a mismatch, so the longer the compare routine runs, the closer the entered value is to the correct PIN. By employing a timing attack, an adversary trying to guess the PIN can greatly reduce the keyspace by measuring the device’s execution time. Because that time is directly related to the compare routine, the attacker can start by entering each possible digit repeated four times (e.g. 0000, then 1111, then 2222, and so on). Observing which entry produces the longest run time reveals the first digit of the PIN. The attacker then repeats the same sequence for each remaining position to recover the correct four-digit PIN. In this scenario, the attacker effectively reduces the keyspace from an initial 10 x 10 x 10 x 10 possible codes to only 10 + 10 + 10 + 10 possible codes.
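The following Python program is an added example that is not part of the original article; it models the hypothetical PIN device described above rather than any real product. Instead of wall-clock time, it counts the loop iterations a compare routine executes, which is the quantity a timing measurement would expose. `leaky_compare` is the early-exit routine from the text; `constant_time_compare` and `hardened_check` are the mitigation: a compare that always touches every byte (the standard library's `hmac.compare_digest` is the right tool in practice). `recover_pin` runs the digit-by-digit search from the text against whichever compare it is given, so the same procedure can be seen succeeding within 10 + 10 + 10 + 10 guesses against the leaky routine and learning nothing against the constant-time one. The PIN value `b"1234"` is a constructed sample.

```python
from __future__ import annotations

import hmac
from typing import Callable

# A compare routine returns (matched, steps); "steps" counts loop iterations
# and stands in for the execution time an attacker could measure.
CompareFn = Callable[[bytes, bytes], tuple[bool, int]]


def leaky_compare(guess: bytes, secret: bytes) -> tuple[bool, int]:
    """Early-exit byte compare, as in the page's hypothetical device.

    The loop stops at the first mismatch, so the iteration count (and hence
    the running time) reveals how many leading bytes were correct.
    """
    steps = 0
    for g, s in zip(guess, secret):
        steps += 1
        if g != s:
            return False, steps
    return len(guess) == len(secret), steps


def constant_time_compare(guess: bytes, secret: bytes) -> tuple[bool, int]:
    """Mitigated compare: every byte is visited regardless of where a
    mismatch occurs, so the iteration count is the same for every guess of
    a given length and carries no information about the secret."""
    steps = 0
    diff = len(guess) ^ len(secret)
    for g, s in zip(guess, secret):
        steps += 1
        diff |= g ^ s          # accumulate differences without branching on them
    return diff == 0, steps


def hardened_check(guess: bytes, secret: bytes) -> bool:
    """What production code should actually call: the standard library's
    constant-time comparison, which hides both position and length of any
    mismatch from timing."""
    return hmac.compare_digest(guess, secret)


def recover_pin(compare: CompareFn, secret: bytes, digits: int = 4) -> tuple[str, int]:
    """The digit-by-digit search from the text, driven by the step count.

    For each position, try every digit (padding the unknown positions with
    that same digit, e.g. 0000, 1111, ...), keep the digit that ran longest,
    and move on. Returns (recovered_pin, total_guesses). Against a
    constant-time compare every guess runs equally long, so the search just
    keeps the first digit tried and fails.
    """
    known = ""
    total = 0
    for _ in range(digits):
        best_digit, best_steps = "0", -1
        for d in "0123456789":
            guess = (known + d).ljust(digits, d)
            matched, steps = compare(guess.encode(), secret)
            total += 1
            if matched:
                return guess, total
            if steps > best_steps:
                best_digit, best_steps = d, steps
        known += best_digit
    return known, total


if __name__ == "__main__":
    secret_pin = b"1234"  # constructed sample PIN
    print("leaky   :", recover_pin(leaky_compare, secret_pin))
    print("constant:", recover_pin(constant_time_compare, secret_pin))
    print("hardened:", hardened_check(b"1234", secret_pin))
```

Run as a script, the leaky device gives up the PIN in 35 guesses (well under the 40 the text's 10 + 10 + 10 + 10 bound allows), while the constant-time variant returns a wrong PIN after the full 40 because every guess produced identical step counts. The detection-side lesson is the same as the mitigation: any compare whose work depends on the position of the first mismatch is a timing leak, whatever the secret being compared.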

Non-Technical Side-Channel Attacks

Somewhat related to side-channel attacks, two physical methods used to circumvent cryptographic systems are known euphemistically as black-bag cryptanalysis and rubber-hose cryptanalysis. While not truly forms of cryptanalysis (they are neither mathematical nor technical attacks), they are significant threats because they are often the simplest means of acquiring cryptographic secrets. Black-bag cryptanalysis is simply the theft of cryptographic secrets. Its name is a reference to the term ‘black bag operation,’ a covert operation that usually entails breaking and entering as well as burglary. Examples of black-bag cryptanalysis include stealing or copying a post-it note with someone’s password written on it, or installing a keylogger or trojan horse on a target’s device to steal their credentials. Rubber-hose cryptanalysis is cruder: it is the extraction of cryptographic secrets from a person by force or coercion (e.g. a subpoena, or something much worse, like physical torture). The name refers to beating someone with a rubber hose to get information out of them. While neither of these can be considered a novel (or even modern) method of cryptanalysis, they can be extremely effective, are computationally inexpensive, and are worth noting.