Workshop exposes deficiencies of electronic encryption

Elliptic Curve Cryptography (ECC) now used to protect electronic passports, mobile communications, and even MP3 players could be implemented incorrectly.

Robert Vamosi
Robert Vamosi Former Editor
As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
2 min read

On Monday, Cryptography Research Inc. (CRI) opened a three-day workshop in San Francisco on the security of embedded system cryptography. The workshop is intended for developers and architects of secure embedded systems. Participants will be given smart cards and challenged to crack passwords using various demonstrated techniques.

"These are not theoretical attacks," Benjamin Jun, vice president of technology at CRI, noting that his company published the first white paper on monitoring attacks during the 1990s.

The workshop's primary focus will be on attacks to Elliptic Curve Cryptography (ECC), a cryptographic algorithm that is now used to protect electronic passports, mobile communications, and even MP3 players. Jun said there are many ways for an attacker to monitor leakage. In the workshop, he said they will look specifically at Simple Power Analysis (SPA) and Differential Power Analysis (DPA).

"Almost every smart card you buy today is going to have countermeasures to Simple Power Analysis and Differential Power Analysis," said Jun, however some newer implementations of ECC "do in fact leak information." In particular he cited devices such as MP3 players and cell phones. These are devices that have not had 10 years of development, said Jun, and so some exhibit weaknesses found in early smart cards. The purpose of the workshop was to help developers avoid some common flaws.

Under SPA, an attacker can determine the passwords from simple patterns in the power consumption. CRI

To an observer, a power analysis looks something like an EKG. As the device processes the encryption algorithm, peaks and valleys display on the monitor; these ultimately correspond to 1s and 0s in a password. Thus, an attacker could look at the power consumption fluctuations emitted from a device and, based on the specific pattern of peaks and valleys, figure out whether the device used RSA, DES, or ECC for encryption. Knowing what algorithm was used, the attacker could then begin to figure out the password.

Under DPA, the attacker first guesses and then compares the guess against the actual result. CRI

Counter measures, said Jun, include increasing the signal-to-noise ratio. For example, if you want to have a private conversation, you could go to a large football stadium during a game, making it hard for someone trying to listen to separate our conversation from the surrounding noise. That's amplitudinal noise.

The other kind of noise, said Jun, is temporal, which, to a computer, means stuttering the information over longer spaces. For example, if the data value was 8, the code might be expressed as 2 plus 6. More defense can be achieved by randomness, changing the way you express the data value of 8; maybe the next reference you say 12 minus 4, then 5 plus 3, and so on.

The workshop concludes Wednesday. For an overview of the concepts involved in a monitored attack, CRI provides a Flash tutorial on its Web site.