Addressing the risk of physical-level attacks

by Dr. François Koeune, UCLouvain

Generally speaking, the security of cryptographic algorithms is evaluated by considering them from an abstract point of view: cryptanalysts imagine an idealised version of the algorithm and focus on its input-output behaviour, without worrying about how a real computer would execute this program.

However, such practical aspects might represent a serious security issue. Carefully monitoring the physical behaviour of the processor running a cryptographic algorithm, such as its running time, the electricity it consumes over time, or the electromagnetic radiations it emits, can reveal important information about the device, the data it is handling, and, in the end, its cryptographic keys. These attacks, known under the name of side-channel attacks, were first publicly exposed in the nineties by Kocher et al., and turned out to be devastating in many embedded security contexts.

The Internet of Things is one of these adversarial contexts: edge devices often end up running in an open environment where an attacker can easily seize them, analyse them and monitor their physical behaviour without being detected. On the other and, IoT systems become increasingly responsible for critical operations, and handle more and more valuable data.

To defend against side-channel attacks different sets of countermeasures have been designed. However, they have some drawbacks. First, they are still largely heuristic. They are deemed satisfactory if they thwart known attacks performed by a “reasonable” attacker, but this says little about what a more determined attacker would have achieved. Second, they are expensive, especially for resource-constrained devices, and require dedicated equipment like hardened processors.

One of the ambitions of REWIRE is to provide very strong cryptographic protection, with particular focus on one cornerstone aspect: the secure distribution of software updates and their acknowledgements of receipt, in order to allow the system to remain up-to-date and monitored. For this, we aim to develop a communication channel ensuring that nobody can tamper with the messages being transmitted, even if this attacker has access to edge devices and can perform side-channel attacks against them.

In addition, our ambition is to overcome as much as possible the limitations raised above: we want to strongly limit the heuristic aspects, providing clear security properties that can be proven based on well-established assumptions, and we want to limit as much as possible the properties expected from the underlying equipment, ideally allowing the use of of-the-shelf hardware.

Leave a Reply