Military chip crypto cracked with power-analysis probe

German computer scientists have taken advantage of the powerful number-crunching abilities of graphics chips to demonstrate a practical attack on the encryption scheme in programmable chips. Field Programmable Gate Array (FPGA) chips of the type used in embedded systems belonging to the military and the aerospace industry are …


This topic is closed for new posts.
  1. M Gale

    So basically...

    ...this attack could be defeated by telling the crypto chip to do random math while it works? Maybe have a second, very small slice of silicon in the package, attached to the same power pins, continually producing pseudorandom numbers seeded from a leaky diode/reverse biased transistor?

    1. Anonymous Coward

      a number of devices use tricks to prevent this analysis

      Basically, a lot of work is done to make all parts of a device show the same amount of activity during use to prevent this sort of thing. This is currently done in a number of secure comm devices.

      If there is an issue with some devices on startup, there will be changes to do sort of what you suggest, but most likely it will be to see the same electrical and thermal activity in all parts of the device to prevent any deciphering activity.


      1. Anonymous Coward

        Doubt it would be practical

        Virtex-4 and 5 store their crypto keys in battery backed SRAM so power consumption is very much an issue: The battery has to outlast the useful life of the device as swapping it out will destroy the keys. I believe it's done differently on the current generations of Xilinx devices and Altera have always taken a different approach.

        Virtex-4 uses 3DES and Virtex-5 256-bit AES to encrypt their configuration bit streams. If you can retrieve the keys you get access to the bitstream, but reverse engineering any IP from it is considered near impossible. You can read and tweak the initial content of internal RAMs but that's about as far as it goes practically. Or you can clone the whole thing of course.

  2. Gordon 10


    This says they have cracked the internal keys used during start up. That's just an internal issue.

    Surely this is a far different thing from actually cracking the encrypted comms *between* these chips?

    It's equivalent to knowing the encryption key of someone's hard drive but having no way to access it - useful but of no use if you want to see what's happening in a web ssl transaction at any moment in time on that pc.

    1. Anonymous Coward

      re: That's just an internal issue.

      I think it means that one can reverse engineer cores from an FPGA, which would be bad.

    2. ArmanX

      I'm assuming knowing these codes would allow reading the device

      I'm assuming this is like the chips I've worked with - they can be programmed using various methods (JTAG, BSL, etc.), then locked with a password. However, if you have that password, you can read the complete contents of the chips, thus stealing whatever information or code it uses. As Anon@14:42 said... that would be bad. Especially if it's something like code for a missile, complete with hard-coded deactivate codes...


  3. Will Godfrey

    It would seem...

    that just as someone starts to rely on a lock, somebody else manufactures a 'spare' key - who would have thought that would happen.

  4. Rob Crawford

    @gordon 10

    I don't think you paid enough attention to the original story.

    It's nothing to do with encrypted comms between the chips.

    If you can dump the contents of the FPGA it places you in a position to clone the entire device.

  5. Anonymous Coward

    Just one thing

    It mentions "The attack could be carried out with off-the-shelf hardware at moderate effort." I wonder whose definition of 'moderate' they're talking about - it wouldn't be moderate effort for me, for example.

    1. Anonymous Coward

      Moderately good answer.

      Power analysis is a fairly well known art. A chip like an FPGA is a moderately easy chip to deal with because you can control the plaintext that's uploaded while you develop your analysis techniques, and the hardware to obtain the power signature of the device is pretty standard in a reasonably well equipped electronics laboratory. So yes, it's only a moderately difficult crack.

      The advantage of power analysis is that you don't have to decap the chip and microprobe it, something which can be and is actively defended against by chip manufacturers using various methods during fabrication.

  6. Anonymous Coward

    @ " wouldn't be moderate effort for me, for example."

    That flawed implied logic is kinda-sorta like a type of cognitive bias. Many people have made the same sort of logical error about similar topics.

    Main Point: It only takes *one* guy (or gal). One.

    Then he (or she) posts the results on that Interweb-thingy.

    Or he has point-and-click hacking kit manufactured and sells them on-line.

    E.g. I'm not technically capable of hacking into a smartcard used for satellite TV access control. But I am perfectly capable of sending $59 to some website, waiting a week or two, opening the package, plugging-in the cable into my PC, sliding the card into the gadget, clicking a few buttons, and waiting a minute or two. Once upon a time it was really that simple. Seriously.

    Many a decision-maker has been fooled by the same sort of error.

  7. Anonymous Coward

    Oh well...

    ...I suppose dedicated Power Consumption Randomizer circuitry (analogous to spread-spectrum clock generation circuits) is bound to appear in high-spec suppa-secrit mil-hardened chips in 3... 2... 1...

  8. John Smith 19

    *much* bigger than just aerospace and military

    These are high end FPGAs and IIRC these ones incorporate an ARM processor as standard (not a macro, it's on-chip hardware).

    Using this method you can copy the output from the bitstream ROMs used to *configure* the rest of the array.

    So you can copy the design (into your chips), and in principle reverse engineer it, which is IP theft and counterfeiting.

    But it's not clear to me (not read the paper) if that allows you to substitute your *own* design by replacing the configuration ROMs. If so that is the ability to add logic to act as a hardware trojan.

    To cache key info (for example) for later transmission through a low bandwidth secret channel.

    Or to act as a sleeper to re-configure the hardware on receipt of some kind of trigger message in the data it's processing.

    This technique is a version of "Traffic analysis" which has been conducted at least since WWII. M Gale's comments about randomising the power usage pattern (flattening it also works but that would just make the occasional dips and spikes *more* significant) apply but that only works for *new* chips with the re-design.

    1. Gotno iShit Wantno iShit

      @John Smith 19

      "But it's not clear to me (not read the paper) if that allows you to substitute your *own* design by replacing the configuration ROM's. if so that is the ability to add logic to act as a hardware trojan."

      In a word, yes.

      The long version best start with a bit of background. In a microcontroller system the CPU reads the program a bit at a time from ROM as it goes along. Similarly the program for an FPGA is held in a serial flash ROM but instead of being read as the program runs the entire ROM is read at system startup. So to counterfeit a system you just buy an identical FPGA and SRAM and read the stream at startup of your original to program into your SRAM on the counterfeit. This is prevented by encrypting the data in the SRAM.

      The secret key the equipment manufacturer chose for the encryption is programmed into the FPGA at the equipment factory; this is tiny and the only part of the program put directly into the FPGA. If someone cloned the hardware the FPGA on the clone won't know how to decrypt the bitstream sniffed from the original. This attack recovers the secret key so straight off your counterfeiter is in business.

      Knowing the secret key means you can also decrypt the bitstream meaning you can load it into clone hardware without encryption and without having to program in the recovered secret key. This means you can use JTAG etc to analyse it in real time.

      There are also methods cited in the paper for recovering the netlist from the bitstream. You could then make changes to the netlist and so introduce your trojan. Believe me, working from a netlist is not easy as it is not nice graphical source material. It's like disassembling machine code back to assembler with no variable names, no procedure names etc just raw memory locations. There's still a lot more head scratching to do to get usable, readable & compilable source. Been there, reverse engineered that (on a much smaller scale) after some management prong threw out the Vax with the source code. They did keep the backup tapes though, can you guess how many data recovery firms in the UK have a Vax among their toolset?

  9. donot needtono

    Differential Power Analysis.

    This has been used by Cryptography Research, Inc. for years in encryption.

    One would easily port this same idea to other chips and devices. I'm sure Paul from CRI could discuss the counter to this as he has perfected it for other applications.

  10. Anonymous Coward

    The Obvious Next Step (TM)

    Design tools that will permit the original designer to have the FPGA consume whatever power curve over time is desired, independent of (but taking into account) the primary crypto function. The resultant net power curve played back could be the digitized sound of mocking laughter, Morse code of obscene words, mimicry of another trojan crypto algorithm (with embedded alerting or subtle backdoors), or whatever he desires.

    Next-next - ensure that the programmable power curve system is distributed over the IC so that it isn't localized with respect to microscopically localized EM emissions. Must think ahead.


  11. Anonymous Coward

    And where did "Military" creep in from?

    Where did this "military" bit creep in from? Virtex-4 and Virtex-5 are standard consumer chips - sure, the military uses them, but the military is not the EXCLUSIVE consumer. That would be like saying that smashing in the window of a car is a hack on military transport, because the military uses cars.

  12. Anonymous Coward

    towards a new take on Newton's 3rd


    Seems like we're not far away from 'electron in the middle' attack vectors.

    Care for a game of electron billiards, anyone?

  13. amanfromMars 1

    AI makes a Quantum Leap .... into Fields of Human Consciousness and Universal Perception

    "Also, experts from the field of theoretical cryptography recognized side-channel attacks as an important topic seeding a community of researchers working on general leakage resilience and provable security bounds for side-channel countermeasures. Beyond academic purposes, side-channel attacks and reverse engineering have been shown to have real-world impact." ....*

    Expertise in the field of applied advancing steganography, which red team betatests for systemic flaws in cryptography protocols/base security assumptions, are a main bit stream attack vehicle with many side-channel attack vectors, capable of delivering devastating real time, virtual real world impact ....... such as Intelligent Space TakeOver for Leading Information and Instruction Transfers.

    The Future Control Paradigm is not allied to, nor at all fully dependent upon servers and Intelligent SMART Processors into field distribution of information and advanced logic with the securing of power secrets with increasingly complex cryptographic functions to deny leading and disruptive knowledge, but rather more the Instant Spontaneous Presentation of it in a Broad Band of IT and Media Channels ....... for WwwIDE AI Transmission of Transfer of Powers.

    For Astute IntelAIgent Virtual Machinery of World Wide Web Intelligence Designed Entities, which are more than just Advanced and Artificial and Alien Programs, create the Future with it and IT and Share the Journey/Flight/Magical Mystery Turing Tour with Media Controlling Future Powers.

    Please feel free to dismiss the above advisory as if nonsense, rather than accept that it is much more AIdDefinitive and GBIrish dDutch**, and that which IT has created and is hereby shared with you for metadata analysis/deep packet inspection, is that which now directs fab-less facilities of future presentation of virtual reality productions.

    *A. Moradi, M. Kasper and C. Paar are with the Horst Görtz Institute for IT-Security, Ruhr University Bochum, Germany, e-mail: {moradi, mkasper, cpaar}@crypto dot rub dot de

    ** The Language of LOVERS*** into SMARTer Intelligence Sharing of Costly Treats

    *** Live Operational Virtual Environment Research Scientists/Systems when Man is just as a Virtual Machine/FPGA treating costly sharing of intelligence with SMARTer AI Methodologies.

  14. A J Stiles

    For Crying Out Loud

    Look, just accept it: there's really no way you can conceal how your fancy hardware does what it does. The decryption key is right there. If someone is really determined enough, they *will* find a way in. If this is what Fred in the Shed can do, what are your competitors capable of?

    Just because something was hard work, **does** **not** **mean** that you have an automatic right to make loads of money off it. The market will decide what it's worth.

    The best way to thwart copying is by spending your efforts on making the best product around and selling it at a reasonable price, so nobody will see a *need* to copy it.

    1. Charles 9

      What about Trade Secrets?

      When it comes to military tech, you ALWAYS have an enemy: namely another country's military. Military tech is one of the most-recognized forms of Trade Secrets around. Trade secrets MUST be protected; they're what differentiate you from the competition and essentially help to keep you in business.

      1. A J Stiles

        What about mathematics?

        Unfortunately, it's mathematically impossible to keep something secret that ultimately has to be machine-readable, if it's packaged with the reading device. That is a limitation of the universe, not a limitation of present technology, and nothing anyone can invent is going to change it.

