On Wed, 15 Sep 1999 09:52:52 +0100 Markus Kuhn <[EMAIL PROTECTED]> writes:
> Andreas Bogk wrote on 1999-09-15 00:04 UTC:
> > The usual setup for DPA involves a 10 Ohm resistor which sits in the
> > power supply and measuring the voltage across that resistor. The
> > countermeasure we're talking about is an on-chip capacitor that
> > smoothes the power consumption, or a power supply inside an
> > tamper-resistant package such as the Dallas iButton, which essentially
> > serves the same purpose.
> 
> (By the way, if you are seriously interested
> in working in this field, we have just received a substantial grant to
> develop invasive and non-invasive attacks on upcoming asynchronous
> high-security smartcard CPU technologies, and we will be offering very
> soon 2-3 research PhD student and post-doc positions for people with a
> strong interest in microelectronics, tamper resistance, digital signal
> processing and hardware security. Contact us me for details if you are
> interested. <http://www.cl.cam.ac.uk/Research/Security/tamper/>).

It's good to see this type of research funded. I really look forward to seeing the
results of this project in the years to come.
 
> At typical smartcard frequencies, the information leaking in the power
> signal is spread across the entire HF and VHF band. It does not seem to
> be too practical to place sufficiently good passive RC or LC filters
> onto a chip given the current CMOS processes commonly used for 8-bit
> microcontrollers. 

One approach that came to mind was the following:

According to Rohatgi (who did study the DPA problem at IBM), you really need a
few samples per clock cycle to do DPA successfully. Clearly, using a capacitor
in parallel with the CPU on the power line will not help filter all the HF
frequencies, as you mentioned.

However, disconnecting the CPU from the power supply during processing should
help. Basically the idea is to charge a capacitor for a short time, and then
let the CPU run on its charge for a few cycles, then recharge the capacitor,
etc. For continuous operation you'd need two capacitors each switching 
between charging or powering the CPU alternatingly. In a small picture:

              =========
              |       |
  ----------- | ---   ============= + smart card connector
  |       |   |   |   |      |  
  |       0   0   0   0      |
  |        \         /       |
  |         0       0        |
  |         |       |        |
  |        ---     ---     HF
 CPU       ---     ---     Switch                             external power
  |         |       |      Control                              supply
  |         0       0        |
  |        /         \       | 
  |       0   0   0   0      |
  |       |   |   |   |      |
  ----------- | ---   ============= - smart card connector
              |       |
              =========

This only reveals the total amount of power consumed during those few cycles,
which nicely blinds the HF signal in the actual power consumption during those
few cycles. 

If the CPU consumes 20mA (which is the ETSI maximum for the whole card) at 5V
(i.e. it consumes 0.1W), and operates at 1MHz, then the amount of energy in the
capacitor to supply power during 10 cycles must be 0.1 W * 10us (u = mu).
Then 1/2 C V^2 = 25/2 C = 0.1 W * 10us.
In other words, the capacity of C equals 80nF.

The trick now is to embed a capacitor of this size on the smart card chip
itself such that it becomes even more difficult to monitor power consumption
even when one tries to tamper with the card.

Regards,
Jaap-Henk

-- 
Jaap-Henk Hoepman             | Come sail your ships around me
Dept. of Computer Science     | And burn these bridges down
University of Twente          |       Nick Cave - "Ship Song"
Email: [EMAIL PROTECTED] === WWW: www.cs.utwente.nl/~hoepman
Phone: +31 53 4893795 === Secr: +31 53 4893770 === Fax: +31 53 4894590
PGP ID: 0xF52E26DD  Fingerprint: 1AED DDEB C7F1 DBB3  0556 4732 4217 ABEF
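
Added example, not part of the original message: an idealised model of the switched-capacitor supply described above, showing what an observer at the connector still sees (one energy total per window) and how the capacitor sizing changes once a minimum operating voltage is taken into account, which goes beyond the message's own calculation. The per-cycle energy model (92 nJ plus 1 nJ per set data bit), the 3.0 V minimum voltage, the sample data and all function names are assumptions; ideal switches and lossless recharge are assumed too.

```python
def cap_size(power_w, f_hz, cycles, v_supply, v_min=0.0):
    """Capacitance (farads) needed to run `cycles` clock cycles on one charge.

    v_min=0 reproduces the sizing in the message (capacitor fully drained).
    A real CPU stops working below some voltage, so only the energy between
    v_supply and v_min is usable: C = 2E / (V^2 - Vmin^2).
    """
    energy_j = power_w * cycles / f_hz
    return 2.0 * energy_j / (v_supply ** 2 - v_min ** 2)


def cycle_energy_nj(byte):
    """Assumed leakage model: energy per cycle grows with the Hamming weight
    of the byte being processed (max 100 nJ = 0.1 W at 1 MHz)."""
    return 92 + bin(byte).count("1")


def direct_trace(data):
    """What the measurement resistor shows without the countermeasure:
    one data-dependent sample per clock cycle."""
    return [cycle_energy_nj(b) for b in data]


def switched_trace(data, window=10):
    """What the connector shows with the alternating capacitors: only the
    recharge energy, i.e. the total consumed in each window of cycles."""
    e = direct_trace(data)
    return [sum(e[i:i + window]) for i in range(0, len(e), window)]


# Constructed sample data: 20 bytes = two 10-cycle windows.
DATA_A = bytes([0x00, 0xFF, 0x0F, 0x01, 0x80, 0x3C, 0xAA, 0x55, 0x10, 0xFE] * 2)
# Same bytes, reversed inside each window: per-cycle behaviour differs,
# per-window totals do not.
DATA_B = bytes(reversed(DATA_A[:10])) + bytes(reversed(DATA_A[10:]))
# Different total Hamming weight per window.
DATA_C = bytes([0xFF] * 20)

if __name__ == "__main__":
    print("C, drained to 0 V: %.0f nF" % (cap_size(0.1, 1e6, 10, 5.0) * 1e9))
    print("C, v_min = 3.0 V : %.0f nF" % (cap_size(0.1, 1e6, 10, 5.0, 3.0) * 1e9))
    print("direct A == direct B    :", direct_trace(DATA_A) == direct_trace(DATA_B))
    print("switched A == switched B:", switched_trace(DATA_A) == switched_trace(DATA_B))
    print("switched A == switched C:", switched_trace(DATA_A) == switched_trace(DATA_C))
```

In this model the within-window ordering is hidden, but two inputs whose windows differ in total consumption remain distinguishable at the connector, so the window total is still a side channel with one sample per recharge.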
