Protecting military electronics, avionics from side-channel attacks
By Michael Mehlberg, senior director of business development, Rambus Cryptography Research
Protecting and securing military equipment, including avionics and electronics, from tampering, reverse engineering, and cryptanalysis is vital to ensuring mission success. While cyber-warfare has become increasingly sophisticated in recent years, side-channel attacks conducted against sensitive electronic gear are relatively simple to execute and can be performed with less than $5,000 of standard lab equipment. Such attacks include Simple Power Analysis (SPA) and Differential Power Analysis (DPA). These noninvasive techniques analyze power consumption while a device is performing routine operations with secret keys and algorithms. While no single countermeasure can effectively secure a system against all threats, a layered approach that includes resistance against SPA and DPA attacks should be integrated into critical electronic systems.
The USS Pueblo (AGER-2) was attacked, captured and boarded by North Korean forces in January 1968. As Richard A. Mobley of the CIA confirms, Pueblo was equipped with the latest and most sophisticated signals intelligence (SIGINT) collection equipment then in the U.S. inventory, with a capability to intercept and record North Korean voice and other communications – particularly in the ultra-high frequency (UHF) and very-high frequency (VHF) spectrums.
USS Pueblo. Image Credit: U.S. Navy Naval History and Heritage Command (via Wikipedia)
The ship also carried a standard WLR-1 electronic intelligence intercept receiver used throughout the fleet and had positions marked to intercept Soviet telemetry. Perhaps most importantly, the Pueblo crew utilized four cryptographic systems, associated keying materials, maintenance manuals, operating instructions and the general communications-security publications required to support a cryptographic operation. According to a now declassified NSA document, the crypto machines and manuals the North Koreans seized from the Pueblo and passed on to the Soviet Union were identical to those heavily in use by U.S. naval commands worldwide. Combined with U.S. keying material obtained by various Soviet spy rings, the USSR had all it needed to read select U.S. strategic and tactical encrypted communications.
K-13 and the Hainan Island incident
Additional notable compromises of sensitive military equipment include the AIM-9 Sidewinder missile reverse-engineered by the Soviet Union and a U.S. Navy EP-3E ARIES II signals intelligence aircraft which collided with a People's Liberation Army Navy (PLAN) J-8II interceptor fighter jet.
The first incident saw an AIM-9 Sidewinder – fired by a Taiwanese F-86 Sabre in 1958 – lodge in a Chinese MiG-17 aircraft without detonating. The missile was later transferred to the U.S.S.R. and reverse engineered by Soviet scientists, leading to the development of the K-13. According to Gennadiy Sokolovskiy, “the Sidewinder missile was to us a university offering a course in missile construction technology which […] upgraded our engineering education and updated our approach to production of future missiles.”
Damaged EP-3E on Hainan Island. Image Credit: Wikipedia
During the second incident in 2001, the crew of the damaged EP-3E ARIES II attempted to destroy sensitive items, such as electronic equipment related to intelligence gathering, before the aircraft was boarded by People's Liberation Army forces after it made an emergency landing on Hainan Island. Although no official information has been released, a number of sources speculate that the crew of the aircraft was only partially successful in its efforts to destroy on-board data and technology.
Military equipment and platforms may have evolved significantly since Soviet scientists reverse-engineered the Sidewinder missile in 1958 and North Korean soldiers boarded the Pueblo in 1968. Nevertheless, the threat of total mission compromise remains a clear and present danger, especially in close proximity to hostile territory. Indeed, equipment deployed at forward operating bases (FOBs) is particularly vulnerable.
Forward Operating Base Logar, Afghanistan. Image Credit: U.S. Army (via Wikipedia)
Although FOBs are routinely supported by Main Operating Bases, adverse conditions may act to temporarily delay resupply and reinforcements. Smaller Cooperative Security Locations (CSLs) – aka “lily pads” – face similar logistical difficulties as well. In addition, CSL personnel may be instructed to follow strict security protocols that effectively limit both incoming and outgoing communications. It is, therefore, critical for warfighters to be equipped with secure electronic equipment before they are deployed to FOBs and CSLs.
As is the case with many deployed electronic systems, developers and systems integrators must take care to protect important equipment against unauthorized access in the event of a battlefield loss. Electronic communications equipment is of particular interest to those who may wish to intercept battlefield transmissions and should be specifically secured against unauthorized access of any kind. To be sure, portable electronics, communications gear, and “leave-behind” equipment are the most vulnerable to exploitation and could potentially allow hostile forces to eavesdrop on military communications and forge command-and-control messages.
Therefore, equipment that employs cryptography to protect the sensitive transmission of data should be capable of resisting various forms of side-channel attacks, including Differential Power Analysis (DPA) and Simple Power Analysis (SPA). These powerful, non-invasive attacks can be exploited by hostile elements to allow the unauthorized extraction of secret cryptographic keys, potentially revealing classified data. To be sure, most tamper-resistant devices and cryptographic algorithms are susceptible to such attacks if they do not include countermeasures. Perhaps not surprisingly, general-purpose silicon – such as FPGAs and ASICs – receives more attacker attention because it is easier to acquire.
Differential power analysis
Differential power analysis is a form of side-channel attack that monitors variations in the electrical power consumption or electro-magnetic emissions of a target device. The basic method involves partitioning a set of traces into subsets, then subsequently computing the difference of the averages of these subsets. Given enough traces, extremely minute correlations can be isolated — no matter how much noise is present in the measurements.
Image Credit: Rambus Security Division (via “Introduction to Differential Power Analysis”)
A typical DPA attack comprises six primary stages:
- communicating with a target device;
- recording power traces while the target device performs cryptographic operations;
- signal processing to remove errors and reduce noise;
- generating prediction and selection functions to prepare and define the analysis;
- computing the averages of input trace subsets; and
- evaluating DPA test results to determine the most probable key guesses.
Additional DPA variants include reverse engineering unknown S-boxes and algorithms, correlation power analysis (CPA), probability distribution analysis, high-order DPA, and template attacks.
Countering differential power analysis
As U.S. Air Force Second Lieutenant Austin W. Fritzke notes, the transfer of information has always been an integral part of military operations. Message encryption seeks to prevent all but the sender and recipient from viewing any encrypted data – although the secret key must remain hidden.
Image Credit: Austin W. Fritzke, Second Lieutenant, U.S. Air Force
Currently, the Advanced Encryption Standard (AES) is both the industry and military standard for symmetric-key encryption. Although it remains “computationally infeasible” for attackers to break an AES-encrypted message stream, AES is nonetheless susceptible to DPA. Therefore, says Fritzke, DPA countermeasures are absolutely “crucial” to maintaining effective data security.
Such countermeasures include: decreasing the signal-to-noise ratio of the power side channel by reducing leakage (signal) or increasing noise, for example by making the amount of power consumed less contingent upon data values and/or operations (balancing); introducing amplitude and temporal noise; incorporating randomness with blinding and masking by randomly altering the representation of secret parameters; and implementing protocol-level countermeasures by continually refreshing and updating cryptographic protocols used by a device. It should be noted that Rambus has licensed a wide range of DPA countermeasures to a number of prominent corporations, such as Boeing, NAGRA, The Athena Group, Winbond, and Idaho Scientific.
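The partition-and-average test described under "Differential power analysis" and the masking countermeasure described above can be seen together in a small evaluator-side simulation. This is an added example, not code from the article or from Rambus; the leakage model (Hamming weight plus Gaussian noise), the key, the trace count and all function names are constructed assumptions.

```python
import random
from statistics import fmean

def hw(x):
    """Hamming weight: the constructed leakage model for one byte on the bus."""
    return bin(x).count("1")

def capture(key, n, masked, sigma, rng):
    """Simulate n two-sample traces of a device handling v = plaintext ^ key."""
    captures = []
    for _ in range(n):
        p = rng.randrange(256)
        v = p ^ key
        if masked:
            m = rng.randrange(256)      # fresh random mask for every operation
            handled = (v ^ m, m)        # device only ever touches the two shares
        else:
            handled = (v, 0)            # device touches the intermediate directly
        trace = [hw(b) + rng.gauss(0, sigma) for b in handled]
        captures.append((p, trace))
    return captures

def difference_of_means(captures, key, bit=0):
    """Partition traces on one bit of the known intermediate value and
    return, per sample point, the difference of the two subset averages."""
    subsets = {0: [], 1: []}
    for p, trace in captures:
        subsets[((p ^ key) >> bit) & 1].append(trace)
    return [fmean(s1) - fmean(s0)
            for s1, s0 in zip(zip(*subsets[1]), zip(*subsets[0]))]

def peak_leak(masked, n=20000, sigma=4.0, seed=1):
    """Largest absolute difference of means over all sample points."""
    rng = random.Random(seed)
    key = 0x3C                          # constructed test key, known to the evaluator
    diffs = difference_of_means(capture(key, n, masked, sigma, rng), key)
    return max(abs(d) for d in diffs)

if __name__ == "__main__":
    print("unmasked peak:", round(peak_leak(masked=False), 3))
    print("masked peak:  ", round(peak_leak(masked=True), 3))
```

With noise four times larger than the one-bit signal, the unmasked device still shows a clear peak after averaging, while the masked device's peak stays within the statistical noise floor. The check covers first-order leakage only; the high-order DPA variant listed earlier combines several sample points and needs a separate assessment.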
Simple power analysis
Simple power analysis (SPA) is a collection of methods for inspecting power traces to understand a device’s operation, including identifying data-dependent power variations during cryptographic operation. SPA is primarily focused on exploring features that are directly visible in a single power trace or made clear by comparing pairs of power traces.
Image Credit: Rambus Security Division (via “Introduction to Differential Power Analysis”)
Essentially, SPA exploits major variations in power consumption, although this technique is typically incapable of extracting keys from noisy measurements. Nevertheless, SPA offers attackers an extremely effective and efficient method of obtaining the data necessary to determine secret keys. Indeed, implementations of modular exponentiation for public-key cryptography algorithms such as RSA [Rivest-Shamir-Adleman] and Diffie-Hellman may use a key-dependent sequence of square and multiply operations, while scalar multiplication in Elliptic Curve Cryptography [ECC] may be implemented using a key-dependent sequence of double and add operations. Both could potentially leak the value of the key from a single operation.
Thwarting simple power analysis
Eliminating significant leaks is a major first step to preventing SPA vulnerabilities. Specifically, system designers should employ constant execution paths and eschew taking conditional branches on secret data. When possible, processing primitives and instructions should be selected from those known to leak a reduced amount of information in their power consumption.
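The key-dependent square-and-multiply sequence and the constant execution path recommended above can be compared directly by logging the operations each routine performs. This is an added example, not code from the article; the function names, exponents, base and modulus are constructed, and the Montgomery ladder is one common constant-sequence technique chosen here for illustration.

```python
def square_and_multiply(base, exp, mod, bits):
    """Leaky form: the multiply is executed only when the secret bit is 1."""
    acc, ops = 1, []
    for i in reversed(range(bits)):
        acc = acc * acc % mod
        ops.append("S")
        if (exp >> i) & 1:              # conditional branch on secret data
            acc = acc * base % mod
            ops.append("M")
    return acc, "".join(ops)

def montgomery_ladder(base, exp, mod, bits):
    """Hardened form: exactly one multiply and one square per bit.
    Python big integers are not constant-time and r[] is indexed by the
    secret bit; firmware would use a constant-time conditional swap."""
    r, ops = [1, base % mod], []
    for i in reversed(range(bits)):
        b = (exp >> i) & 1
        r[1 - b] = r[0] * r[1] % mod    # multiply step, always executed
        r[b] = r[b] * r[b] % mod        # square step, always executed
        ops.append("MS")
    return r[0], "".join(ops)

# Constructed 16-bit exponents with different bit patterns.
KEYS = [0b1011001110001111, 0b1000000000000001, 0b1111111111111111]

def op_sequence_depends_on_key(modexp, keys=KEYS, bits=16,
                               base=0x1234, mod=0xFFFFFFFB):
    """Regression check: True if the operation sequence varies with the key."""
    sequences = set()
    for k in keys:
        result, ops = modexp(base, k, mod, bits)
        if result != pow(base, k, mod):
            raise ValueError("modexp routine returned a wrong result")
        sequences.add(ops)
    return len(sequences) > 1

if __name__ == "__main__":
    for fn in (square_and_multiply, montgomery_ladder):
        print(fn.__name__, "key-dependent ops:", op_sequence_depends_on_key(fn))
```

The check models only the order of operations, which is the feature SPA reads from a single trace; it says nothing about data-dependent amplitude, which is the concern of the DPA countermeasures.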
Evaluating side-channel vulnerability
In addition to offering a full suite of DPA countermeasures, Rambus has designed a DPA Workstation (DPAWS) that evaluates resistance to a variety of side-channel attacks (SPA, DPA, HO-DPA and EMA) across a wide number of devices and platforms, including smartphones, tablets, PoS terminals, CPUs, TVs, set-top boxes, FPGAs, smart cards, and NFC tech.
Image Credit: Rambus Security Division
DPAWS provides security researchers with a highly intuitive UI paired with enhanced data visualization that creates an integrated, project-centric analytic environment specifically designed to optimize the efficiency of side-channel analysis. Both flexible and scalable, DPAWS easily integrates with a wide range of industry tools such as Matlab, as well as Python and other scripting languages. The DPA Workstation also supports full cipher coverage (AES, RSA, ECC, DES, and SHA), large dataset handling, as well as high-speed collection and analysis of billions of traces.
Side-channel countermeasures are critical for securing military equipment from tampering, reverse engineering and cryptanalysis. Without countermeasures, sensitive electronic equipment can be cracked in a matter of hours. Even if a power supply is inaccessible, properly trained hostile forces are capable of exploiting DPA attacks against the electromagnetic emissions of a device, system or platform. Because DPA attacks typically amplify leaked data via signal processing, optimal protection can be achieved by implementing multiple countermeasures simultaneously.
About the author
Michael Mehlberg is the senior director of business development at Rambus Cryptography Research. After earning a degree in Computer Science from Purdue University, Michael gained extensive experience in reverse-engineering, threat modeling, risk assessment, and system security technologies. He has led multimillion-dollar commercial- and military-grade software protection, evaluation, and engineering projects for some of the most prominent companies in the world. Michael holds a patent on methods for automated protection measurement and insertion using artificial intelligence and formerly led the roadmap and direction of Microsemi's product features, patents, research, and strategy for hardware, cryptography, software anti-tamper, and information assurance technologies. He now focuses on business development for government and defense.