SlideShare une entreprise Scribd logo

J-J.Quisquater

Information Security Awareness Group
Information Security Awareness Group

J-J.Quisquater

TechnologieActualités & Politique
1  sur  6
septembre 2002 – SÉcurité des Communications sur Internet– SECI02 Side channel cryptanalysis J-J. Quisquater & D. Samyde Université catholique de Louvain Groupe Crypto 3 Place du Levant B-1348 Louvain la Neuve, Belgium jjq@dice.ucl.ac.be samyde@dice.ucl.ac.be Abstract Cryptology includes cryptography and cryptanalysis technics. Cryptography is managed by Kerckhoffs principles, so any information related to a cryptosystem can be public except the keys. The cryptanalysis is the sum of a lot of very advanced technics in order to find these keys. The controversy about the Data Encryption Standard security has highly contributed to the development of new cryptanalysis methods based on mathematics. The linear and differentials analysis are the most convincing examples. Although these techniques often require great quantities of plain texts and ciphered texts, there are other very powerful methods based on the involuntary "information leakage". Indeed a cryptosystem can leak information in various manners, thus significant data can be extracted from physical signals emitted by the ciphering device. Temperature, acoustic waves, electromagnetic radiations, time or light (radiated, laser, infrared, ...) signs which can be extremely dangerous. It is then possible to define side channel. The side channel cryptanalysis has been the speciality of secret services for a long time, but ten years ago, the scientific world started contributing to develop new side channel very effective technics. Keywords Side channel cryptanalysis, Tempest, Timing attack, Power & ElectroMagnetic Analysis, Fault Analysis Introduction The history of the conventional cryptanalysis and the development of the most powerful computers are closely dependent. The undeniable proof is the brilliant cryptanalysis of the naval Enigma by A. Turing and both GHCQ’s Colossus at Bletchley Park during the World War II. As conventional cryptanalysis side channel’s power can really be frightening, their successes remained in the shadow for a long time. In the past, the most advanced automats were based on mechanical principles that are well known today. But with the evolution of sciences, electricity become stronger and stronger, so electromechanic appeared and then electronic. Although the desired physical effects were advisely used as the principal component of a device, other parasitic effects can sometimes be neglected. In this case it is sometimes possible to extract significant information from the handled data [1]. As a current runs through a wire, it creates an electric field, a magnetic field as well as a heating. These effects are known and described by the Maxwell’s equations and the Joules’s law. But when some of these existing physical effects are not desired by the designer of the automata, they can create leakages. It is possible to remotely collect the electromagnetic field with an adapted antenna, to reamplify it, and to do a demodulation in order to obtain information. In the case of a cathode ray tube or a computer screen, the pixel of the screen is obtained thanks to the projection of an electron beam on sensitive molecules. But the position of the electron beam is controlled by coils. If the radiated field is collected, amplified and then introduced at the input of other coils, it makes possible to copy the image of the remote screen. Concerning heat, some thermal cameras have a good resolution, they permit to construct a signature. These signature characterizes the device. The manufacturers of cryptoprocessors also try to limit the heat to reveal 179
J-J. Quisquater & D. Samyde information on calculation in progress into their chip. The exhaustive list of the undesirable edge effects during the processing of a device can not be given here, however this article tries to point out the importance of side channel cryptanalysis and to draw up a list of the attacks most currently used against the cryptographic implementations. People often forget to underline the important part played by the side channel in successful cryptanalyses. There are several manners to conceive cryptanalysis. The most conventional one consists in looking at the cryptographic primitives as a mathematical objects or an algorithm. Another one is interested in the implementation of the primitive in a ciphering device. It is then interesting to analyze the side channel obtained. A good side channel source is then inherent to the structure of the physical implementation. It is important to notice that it can considerably facilitate the work of a possible attacker. History Figure 1 : Information leakage by one of the designers of Arpanet It is quite difficult to fix with precision the birth of the side channel cryptanalysis. But it would be false to think it was at the end of XXth century. It even seems this date is rather at the end of XIXth century or the whole beginning of XXth. The discovery of the existence of side channel obviously did not give place to publications and international communications. J. Maxwell establishes its theory on electromagnetic waves in  ¢¡¤£¦¥ . But at the end of the 19th century some cross talk problems in telephone links were mentioned. During the First World War, these coupling problems were used to spy communications. Information obtained was only copied on another media and then listened. The signal processing was non-existent in such interceptions. But in  ¨§© ¢¡ , H. Yardley and its team discovered that classified information could leak from electric materials. But this knowledge make it possible to find the handled secrets. The data contained in a 180
Side channel cryptanalysis cryptographic device modulated a signal on the tape of a close recording source. In the middle of the thirties, the study of the IBM typewriter indicated that the leakage of information was important and must be considered. Military people started to seriously consider this kind of leakage; and the various western armies paid great attention to limit the radiations on their sensitive devices at the time of the Second World War, particularly for the embedded oscillators. That did not prevent the communist’s Teletype from "being intercepted" in Berlin. Reception antennas were placed in close tunnels. During the fifties, the Chinese authorities also used acoustic techniques to spy embassies, whereas Russian sent microwaves on metal bars contained in statues, in order to recover the acoustic waves of an American embassy. The creation of the NSA in  ¢§¥ immediately gave a crucial importance to the recovery of the compromising signals. The word SIGINT which is the acronym of SIGnal INTelligence took all its meaning then. Using telephone wire as an antenna carried one of the first interceptions of electromagnetic radiations out. In the future, this kind of technique continued to be applied successfully for data interceptions of some computer screens. It worked for at least a distance of several hundreds of kilometers. These first experiments were carried out with the M.I.T. The beginning of the great series of the American NATO military standards for the limitation of the compromising electromagnetic radiations and the use of shield appeared in the middle of the fifties. The American armies worried about this new threat and initiated the tempest program. At the beginning of the sixties, the Russian embassy and some French devices were spied in London, thanks to their electromagnetic radiations. While demodulating the recovered signal correctly, English people managed to find classified information. This time the signal processing was introduced and continuously took an increasingly place in the future. One example is related to the cryptanalysis of a Russian code during the crisis of Cuba. The American Oxford interceptor succeeded in recovering the electromagnetic radiations emitted by a Soviet ciphering device located on the island. Moreover the American marine carried out that the measurement of the radiated noise make it possible to know the position of the rotors inside some cryptographic devices. The civils did not yet know a lot about the interception possibilities, as this kind of methods was still confidential. But quickly, at the beginning of the seventies, people mentioned cases of interferences between some of their electronic materials. And the cases of young researchers playing music with their screen or their printer into a radio receiver or a device including a demodulation, were not isolated. However the uses of the side channel analysis continued to exist and the Kilderkin operation which consisted in the interception of the electromagnetic emanations of the Russian embassy in Canada took place in the middle of the seventies. Quite at the same time, the Polish services were surprised spying Soviet military material; once more time, the electromagnetic radiations were blamed. This time, in fact, it was the power wire that was listened. In  ¢§¡ the NSA introduced the new concept of safety zone around a measurement point and it is the next year that IBM builded its first armored PC [2]. At the end of twenties, I. Murphy a.k.a Captain Zap published the first plans of tempest receivers, just after British television showed demonstrations on this subject. At this time, the French army started to be very interested in the development of a tempest chain, and the Bulgarian services used equipped trucks with hidden antennas to spy and to intercept military communications in Western countries. In nineties R. Anderson and M. Kuhn worked on the reduction of radiations and published new fonts. For healthy reasons, the manufacturers had to drastically reduce screen radiations. In  ¢§§ P. Kocher published his work based on timing measurement. Using the processing time of a cryptosystem, his timing attack, exploited by F. Koeune, make it possible to recover a © ¢ bits RSA private key with a few hundreds of thousands of samples in a few minutes, whereas the factorization of an equivalent number required several intensive months of processing. The work of P. Kocher and its team then concentrated on power and consumption analysis. He unleashed the full of differential measurements. Then the large banking accounts asked silicon founders to quickly find fast and effective solutions to solve this problem. During the last ten years, another analysis appeared, based on fault injection. The idea was very simple: if it was not possible to extract keys from the leakage, maybe was possible to disturb the processor during a critic processing. The history reports even cases where the sides channels were voluntary introduced in order to be able to recover the significant data easier thereafter. Finally, the cryptanalysis using side channel has developed more and more to become today one of the serious components for intelligence collection. 181
J-J. Quisquater D. Samyde Electromagnetic leakage The electromagnetic radiations can still be used nowadays against recent systems. The quality of the antennas is very important, and it is possible to find several kinds (logarithmic, planar...) of them. In the same way, the frequency stability of the local oscillators are necessary to obtain a good result; the best receivers authorize a precision of  ¨ Hz, using phase locked loop. The level of classical countermeasures has been improved in a significant manner since few years. In the case of a cathode ray tube, it is difficult to obtain a valid interception farther than ten meters, using an old material. This distance and this level of radiations must be compared to the distances obtained by the satellites who listen two aligned antenna from the space. Nowadays, some information is public because it has been declassified. But the simple presence, or not, of electromagnetic radiations is often enough to provide useful information to an attacker. Some systems recreate a false magnetic field around them, in order to mask their presence or their radiations. However, the theorem of C. Shannon indicates that by repeating measurement, it becomes possible to remove the noise and to obtain a signal noise ratio as high as desired. Devices as smart cards use operative countermeasures to limit the number of executions. In the large majority of cases, the designers try to limit the level of radiations or to define a protection area in order to reduce the power of the signal. But some applications very often require a Faraday cage to be protected, and it is not always simple and possible to use one. Some recommendations, related to the level of attenuation of the Faraday screen rooms, seemed unexplainable in the past. Recent work of Mr. Kuhn, and other academics, seem to be able to explain the differences between the attenuations required by the military and the civilians. Indeed, the military attenuations do not seem to leave any chance of interception, even with recent material, whereas the civil levels did not ensure this shielding quality. It is also important to notice that the light emitted by a screen, contains useful information which is the video signal. M. Kuhn recently published it is possible to reconstruct a video image starting from the luminosity of a distant screen. Timing attack One of the first attacks by measurement of the response time of a system, made it possible to reduce the number of tests, in order to find a password. This attack was particularly effective against the implementations of Unix. Indeed, if the comparison between the password recorded and the password seized is carried out byte by byte on the basis of the first bit, and if the machine response was available at the first error, it was then possible to test all the bytes located in first position and to choose the one which had the longest response time. Indeed, this last was inevitably the good, since the response time lengthened corresponded to the time of comparison and erroneous response of the second byte. According to R. Moreno, this kind of analysis also functioned at the time of the bearing of a banking application since a Motorola processor, on a smart card including a processor Thomson. This attack has been applied by F Grieu. It is also possible to use the measurement of the response time, in order to know the contents of the mask of a distant data-processing waiter. Indeed, if the information is already present in the memory cache of the computer, and if it has to be load the response time is different. In  ¢§¦§ , P. Kocher published a rather theoretical article, on the use of the measurement of time, to try to find cryptographic keys. Two years later, F. Koeune applied this analysis and showed how it was possible to defeat a naive implementation of the algorithm Square Multiply for the modular exponentiation. There are only two possibilities of connection inside the code carried out for its demonstration, but these two connections do not take the same time. It is then possible to know rather quickly the cryptographic keys [3], with a few hundreds of thousands samples. Countermeasures against timing attacks may seem to be trivial, but a constant time answer is not always possible: sometimes it is necessary to consider the worst case of an algorithm, or to insert much more subtle countermeasures, modifying the temporal properties. 182
Side channel cryptanalysis Thermal analysis The thermal analysis is not used a lot against cryptographic devices; it is more current for satellite or space image analysis. In many cases, the materials stationed at a place has modified the temperature or the illumination of the storage place. Even a long time after their departure, it is always possible to carry out a measurement revealing their very last presence. Concerning processors, the limiting factor is the diffusion of heat. The equation of propagation is well- known, but the propagation times are crippling. However, it is important not to obtain hot points on the chip, in order not to reveal a specific activity [4]. In the past, the security components verifiers used liquid crystals to reveal the activity areas of the component. But actually this method is too slow. Power analysis A small antenna inserted in a perforated condenser can provide a lot of information on the activity of an electronic card. This old technic is well known and has been used for a long time. An electronic card often contains few very interesting elements to analyze, by measuring their consumption. Inserting a low value resistance between the ground pin and the general ground of the card, is enough to track the specific consumption of a chip. In the past, some people had already noticed that the power analysis of a cryptoprocessor could provide information on the handled keys. In  ¢§§¦¡ , P. Kocher [5] introduced the concept of differential power analysis; it is the intercorrelation value of two random variables. This method called DPA is very powerful against smart cards and recent processors. Moreover, it is possible to improve the resolution, using a coil located in the close field of the processor [6,7]. The signal noise ratio can be greatly improved by ¥¦ to ¤!# . IBM recently used this method to defeat GSM card security. The algorithm used is simple in both cases: the idea is to quantify the influence of a bit of the key and to separate the traces obtained in two sets. These sets are built according to the value of one bit of the key. Then checking the assumption on the value of the key bit, the real value can be recovered. Conclusion In conclusion, side channel cryptanalysis is a powerful tool and can defeat some implementations of very robust and well suited algorithms. Perhaps in the future, others side channels will be discovered; but the real cost of the these attacks is increasing. In order to be immunated to a high number of cryptanalysis, implementations must now integrate a very high level of expertise. The countermeasures are always possible and available, but they must be well thought. It is easy to believe avoiding a side channel and in fact to become weaker from another one [8,9]. It is an eternal game between robbers and policemen; for the moment cryptanalysts seems to be better [10] than designers, but in the future it will undoubtedly quickly evolve. References [1] NACSIM 5000: Tempest Fundamentals, National Security Agency, Fort George G.Meade, Maryland. Feb 1982. Partially declassified also available at http://cryptome.org/nacsim-5000.htm. [2] M. Kuhn and R. Anderson, Soft tempest: Hidden data transmission using electromagnetic emanations, In D. Aucsmith, editor, Information Hiding, vol 1525 of Lecture Notes in Computer Science, pp 124-142. Springer-Verlag, 1998. [3] J. Kelsey, B. Schneier, D. Wagner, and C. Hall, Side Channel Cryptanalysis of Product Ciphers, in Proc. of ESORICS’98, Springer-Verlag, September 1998, pp. 97-110. [4] J-S. Coron, P. Kocher, and D. Naccache, Statistics and Secret Leakage, Financial Cryptography 2000 (FC’00), Lecture Notes in Computer Science, Springer-Verlag. 183
J-J. Quisquater D. Samyde [5] P. Kocher, J. Jaffe and B. Jun, Differential Power Analysis, In M. Wiener, editor, Advances in Cryptology - CRYPTO’99, vol. 1666 of Lecture Notes in Computer Science, pp. 388-397, Springer-Verlag, 1999. Also available at http://www.cryptography.com/dpa/Dpa.pdf. [6] K. Gandolfi, C. Mourtel and F. Olivier, Electromagnetic analysis : concrete results, In Koç, Naccache, Paar editors, Cryptographic Hardware and Embedded Systems, vol. 2162 of Lecture Notes in Computer Science, pp. 251-261, Springer-Verlag, 2001. [7] J.-J. Quisquater and D. Samyde, ElectroMagnetic Analysis (EMA) Measures and Counter-Measures for Smart Cards, in I. Attali and T. Jensen, editors, E-Smart Smartcard Programming and Security, vol. 2140 of Lecture Notes in Computer Science, pp. 200-210, Springer-Verlag 2001. [8] R. Anderson, M.Kuhn, Tamper Resistance - A Cautionary Note, Proc. of the Second USENIX Workshop on Electronic Commerce, USENIX Association, 1996. [9] O. Kommerling and M. Kuhn, Design principles for tamper-resistant smartcard processors, In Proc. of the USENIX Workshop on Smartcard Technology (Smartcard’99), pp. 9–20. USENIX Association, 1999. [10] E. Biham and A. Shamir, Power Analysis of the Key Scheduling of the AES Canditates, in Second Advanced Encryption Standard Candidate Conference, Rome, March 1999. 184

Recommandé

equipment booking
equipment booking equipment booking
equipment booking king111kyle
 
A SELF-STUDY COURSE IN BLOCK-CIPHER CRYPTANALYSIS Bruce Schneier
A SELF-STUDY COURSE IN BLOCK-CIPHER CRYPTANALYSIS Bruce SchneierA SELF-STUDY COURSE IN BLOCK-CIPHER CRYPTANALYSIS Bruce Schneier
A SELF-STUDY COURSE IN BLOCK-CIPHER CRYPTANALYSIS Bruce SchneierInformation Security Awareness Group
 
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...Information Security Awareness Group
 
Fermilab Security procedures for researchers
Fermilab Security procedures for researchersFermilab Security procedures for researchers
Fermilab Security procedures for researchersInformation Security Awareness Group
 
Privilege Project Vikram Andem
Privilege Project Vikram AndemPrivilege Project Vikram Andem
Privilege Project Vikram AndemInformation Security Awareness Group
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim PolkInformation Security Awareness Group
 
PKI by Gene Itkis
PKI by Gene ItkisPKI by Gene Itkis
PKI by Gene ItkisInformation Security Awareness Group
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Information Security Awareness Group
 

Recommandé

equipment booking
equipment booking equipment booking
equipment booking king111kyle
 
A SELF-STUDY COURSE IN BLOCK-CIPHER CRYPTANALYSIS Bruce Schneier
A SELF-STUDY COURSE IN BLOCK-CIPHER CRYPTANALYSIS Bruce SchneierA SELF-STUDY COURSE IN BLOCK-CIPHER CRYPTANALYSIS Bruce Schneier
A SELF-STUDY COURSE IN BLOCK-CIPHER CRYPTANALYSIS Bruce SchneierInformation Security Awareness Group
 
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...
OThe Open Science Grid: Concepts and Patterns Ruth Pordes, Mine Altunay, Bria...Information Security Awareness Group
 
Fermilab Security procedures for researchers
Fermilab Security procedures for researchersFermilab Security procedures for researchers
Fermilab Security procedures for researchersInformation Security Awareness Group
 
Privilege Project Vikram Andem
Privilege Project Vikram AndemPrivilege Project Vikram Andem
Privilege Project Vikram AndemInformation Security Awareness Group
 
PKI by Tim Polk
PKI by Tim PolkPKI by Tim Polk
PKI by Tim PolkInformation Security Awareness Group
 
PKI by Gene Itkis
PKI by Gene ItkisPKI by Gene Itkis
PKI by Gene ItkisInformation Security Awareness Group
 
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Addressing Big Data Security Challenges: The Right Tools for Smart Protection...
Addressing Big Data Security Challenges: The Right Tools for Smart Protection...Information Security Awareness Group
 
Emission security- Tempest Attacks
Emission security- Tempest AttacksEmission security- Tempest Attacks
Emission security- Tempest Attacksabe8512000
 
Emission security-tempest attacks
Emission security-tempest attacksEmission security-tempest attacks
Emission security-tempest attacksabe8512000
 
Emission Security
Emission SecurityEmission Security
Emission Securityabe8512000
 
Networking
NetworkingNetworking
Networkingmercymoreno
 
1 introduction to telecom.pptx
1 introduction to telecom.pptx1 introduction to telecom.pptx
1 introduction to telecom.pptxagnbandara
 
Science, Technology and society
Science, Technology and society Science, Technology and society
Science, Technology and society AnnelyJaneDarbe
 
WEEK 1.docx
WEEK 1.docxWEEK 1.docx
WEEK 1.docxJessieJamesBendicioV
 
Eu 1 lp 3
Eu 1 lp 3Eu 1 lp 3
Eu 1 lp 3Ivan Christian Beato
 
History of telecommunications
History of telecommunicationsHistory of telecommunications
History of telecommunicationsssuser92b807
 
Mini proyect
Mini proyectMini proyect
Mini proyectDelta Alfa Bulbo Alfa
 
reserch on Indian telecom in dusrty
reserch on Indian telecom in dusrtyreserch on Indian telecom in dusrty
reserch on Indian telecom in dusrtyManish Diwale
 
Bjmc i-i, met, unit-iv, technological evolution in media
Bjmc i-i, met, unit-iv, technological evolution in mediaBjmc i-i, met, unit-iv, technological evolution in media
Bjmc i-i, met, unit-iv, technological evolution in mediaRai University
 
Mindspark '16 | Torquest | The Sci-Tech Quiz Finals
Mindspark '16 | Torquest | The Sci-Tech Quiz FinalsMindspark '16 | Torquest | The Sci-Tech Quiz Finals
Mindspark '16 | Torquest | The Sci-Tech Quiz FinalsCOEP Boat Club Quiz Club
 
Newinventions
NewinventionsNewinventions
Newinventionsгимназия №2 Мурманск
 
Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770
Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770
Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770Atmos
 
M Quiz Finals College
M Quiz Finals CollegeM Quiz Finals College
M Quiz Finals CollegeRohit Nair
 
ETE444-lec1-nano-introduction.ppt
ETE444-lec1-nano-introduction.pptETE444-lec1-nano-introduction.ppt
ETE444-lec1-nano-introduction.pptmashiur
 
Timeline history of internet
Timeline history of internetTimeline history of internet
Timeline history of interneteinamikhaela
 
Silicon valley past, present, future always on july28 2010
Silicon valley past, present, future always on july28 2010Silicon valley past, present, future always on july28 2010
Silicon valley past, present, future always on july28 2010Stanford University
 
Textual Macrostructure
Textual MacrostructureTextual Macrostructure
Textual MacrostructureAreycardelValle
 
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Information Security Awareness Group
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...Information Security Awareness Group
 

Contenu connexe

Similaire à J-J.Quisquater

Emission security- Tempest Attacks
Emission security- Tempest AttacksEmission security- Tempest Attacks
Emission security- Tempest Attacksabe8512000
 
Emission security-tempest attacks
Emission security-tempest attacksEmission security-tempest attacks
Emission security-tempest attacksabe8512000
 
Emission Security
Emission SecurityEmission Security
Emission Securityabe8512000
 
1 introduction to telecom.pptx
1 introduction to telecom.pptx1 introduction to telecom.pptx
1 introduction to telecom.pptxagnbandara
 
Science, Technology and society
Science, Technology and society Science, Technology and society
Science, Technology and society AnnelyJaneDarbe
 
History of telecommunications
History of telecommunicationsHistory of telecommunications
History of telecommunicationsssuser92b807
 
reserch on Indian telecom in dusrty
reserch on Indian telecom in dusrtyreserch on Indian telecom in dusrty
reserch on Indian telecom in dusrtyManish Diwale
 
Bjmc i-i, met, unit-iv, technological evolution in media
Bjmc i-i, met, unit-iv, technological evolution in mediaBjmc i-i, met, unit-iv, technological evolution in media
Bjmc i-i, met, unit-iv, technological evolution in mediaRai University
 
Mindspark '16 | Torquest | The Sci-Tech Quiz Finals
Mindspark '16 | Torquest | The Sci-Tech Quiz FinalsMindspark '16 | Torquest | The Sci-Tech Quiz Finals
Mindspark '16 | Torquest | The Sci-Tech Quiz FinalsCOEP Boat Club Quiz Club
 
Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770
Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770
Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770Atmos
 
M Quiz Finals College
M Quiz Finals CollegeM Quiz Finals College
M Quiz Finals CollegeRohit Nair
 
ETE444-lec1-nano-introduction.ppt
ETE444-lec1-nano-introduction.pptETE444-lec1-nano-introduction.ppt
ETE444-lec1-nano-introduction.pptmashiur
 
Timeline history of internet
Timeline history of internetTimeline history of internet
Timeline history of interneteinamikhaela
 
Silicon valley past, present, future always on july28 2010
Silicon valley past, present, future always on july28 2010Silicon valley past, present, future always on july28 2010
Silicon valley past, present, future always on july28 2010Stanford University
 

Similaire à J-J.Quisquater (20)

Emission security- Tempest Attacks
Emission security- Tempest AttacksEmission security- Tempest Attacks
Emission security- Tempest Attacks
 
Emission security-tempest attacks
Emission security-tempest attacksEmission security-tempest attacks
Emission security-tempest attacks
 
Emission Security
Emission SecurityEmission Security
Emission Security
 
Networking
NetworkingNetworking
Networking
 
1 introduction to telecom.pptx
1 introduction to telecom.pptx1 introduction to telecom.pptx
1 introduction to telecom.pptx
 
Science, Technology and society
Science, Technology and society Science, Technology and society
Science, Technology and society
 
WEEK 1.docx
WEEK 1.docxWEEK 1.docx
WEEK 1.docx
 
Eu 1 lp 3
Eu 1 lp 3Eu 1 lp 3
Eu 1 lp 3
 
History of telecommunications
History of telecommunicationsHistory of telecommunications
History of telecommunications
 
Mini proyect
Mini proyectMini proyect
Mini proyect
 
reserch on Indian telecom in dusrty
reserch on Indian telecom in dusrtyreserch on Indian telecom in dusrty
reserch on Indian telecom in dusrty
 
Bjmc i-i, met, unit-iv, technological evolution in media
Bjmc i-i, met, unit-iv, technological evolution in mediaBjmc i-i, met, unit-iv, technological evolution in media
Bjmc i-i, met, unit-iv, technological evolution in media
 
Mindspark '16 | Torquest | The Sci-Tech Quiz Finals
Mindspark '16 | Torquest | The Sci-Tech Quiz FinalsMindspark '16 | Torquest | The Sci-Tech Quiz Finals
Mindspark '16 | Torquest | The Sci-Tech Quiz Finals
 
Newinventions
NewinventionsNewinventions
Newinventions
 
Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770
Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770
Alex Haw Lecture - 091017 - AA 1st Year - SECTS - 770
 
M Quiz Finals College
M Quiz Finals CollegeM Quiz Finals College
M Quiz Finals College
 
ETE444-lec1-nano-introduction.ppt
ETE444-lec1-nano-introduction.pptETE444-lec1-nano-introduction.ppt
ETE444-lec1-nano-introduction.ppt
 
Timeline history of internet
Timeline history of internetTimeline history of internet
Timeline history of internet
 
Silicon valley past, present, future always on july28 2010
Silicon valley past, present, future always on july28 2010Silicon valley past, present, future always on july28 2010
Silicon valley past, present, future always on july28 2010
 
Textual Macrostructure
Textual MacrostructureTextual Macrostructure
Textual Macrostructure
 

Plus de Information Security Awareness Group

Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Information Security Awareness Group
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...Information Security Awareness Group
 
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Information Security Awareness Group
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceInformation Security Awareness Group
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...Information Security Awareness Group
 
Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Information Security Awareness Group
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Information Security Awareness Group
 
Digital Signature Algorithm Der-Chyuan Lou, Jiang Lung Liu, Chang-Tsun Li
Digital Signature Algorithm Der-Chyuan Lou, Jiang Lung Liu, Chang-Tsun LiDigital Signature Algorithm Der-Chyuan Lou, Jiang Lung Liu, Chang-Tsun Li
Digital Signature Algorithm Der-Chyuan Lou, Jiang Lung Liu, Chang-Tsun LiInformation Security Awareness Group
 

Plus de Information Security Awareness Group (20)

Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
Securing the Data in Big Data Security Analytics by Kevin Bowers, Nikos Trian...
 
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf... Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
Mobile Device Security by Michael Gong, Jake Kreider, Chris Lugo, Kwame Osaf...
 
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
Mobile Devices – Using Without Losing Mark K. Mellis, Associate Information S...
 
IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,IBM Security Strategy Intelligence,
IBM Security Strategy Intelligence,
 
Big data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security AllianceBig data analysis concepts and references by Cloud Security Alliance
Big data analysis concepts and references by Cloud Security Alliance
 
Big data analysis concepts and references
Big data analysis concepts and referencesBig data analysis concepts and references
Big data analysis concepts and references
 
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A... Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
Authorization Policy in a PKI Environment Mary Thompson Srilekha Mudumbai A...
 
Pki by Steve Lamb
Pki by Steve LambPki by Steve Lamb
Pki by Steve Lamb
 
Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...Introduction to distributed security concepts and public key infrastructure m...
Introduction to distributed security concepts and public key infrastructure m...
 
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
Optimal Security Response to Attacks on Open Science Grids Mine Altunay, Sven...
 
THE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth PordesTHE OPEN SCIENCE GRID Ruth Pordes
THE OPEN SCIENCE GRID Ruth Pordes
 
Open Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob CowlesOpen Science Grid security-atlas-t2 Bob Cowles
Open Science Grid security-atlas-t2 Bob Cowles
 
Security Open Science Grid Doug Olson
Security Open Science Grid Doug OlsonSecurity Open Science Grid Doug Olson
Security Open Science Grid Doug Olson
 
Open Science Group Security Kevin Hill
Open Science Group Security Kevin HillOpen Science Group Security Kevin Hill
Open Science Group Security Kevin Hill
 
Xrootd proxies Andrew Hanushevsky
Xrootd proxies Andrew HanushevskyXrootd proxies Andrew Hanushevsky
Xrootd proxies Andrew Hanushevsky
 
DES Block Cipher Hao Qi
DES Block Cipher Hao QiDES Block Cipher Hao Qi
DES Block Cipher Hao Qi
 
Cache based side_channel_attacks Anestis Bechtsoudis
Cache based side_channel_attacks Anestis BechtsoudisCache based side_channel_attacks Anestis Bechtsoudis
Cache based side_channel_attacks Anestis Bechtsoudis
 
Rakesh kumar srirangam
Rakesh kumar srirangamRakesh kumar srirangam
Rakesh kumar srirangam
 
Digital Signature Algorithm Der-Chyuan Lou, Jiang Lung Liu, Chang-Tsun Li
Digital Signature Algorithm Der-Chyuan Lou, Jiang Lung Liu, Chang-Tsun LiDigital Signature Algorithm Der-Chyuan Lou, Jiang Lung Liu, Chang-Tsun Li
Digital Signature Algorithm Der-Chyuan Lou, Jiang Lung Liu, Chang-Tsun Li
 
Proxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis
Proxy cryptography Anca-Andreea Ivan , Yevgeniy DodisProxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis
Proxy cryptography Anca-Andreea Ivan , Yevgeniy Dodis
 

Dernier

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Dernier (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

J-J.Quisquater

  • 1. septembre 2002 – SÉcurité des Communications sur Internet– SECI02 Side channel cryptanalysis J-J. Quisquater & D. Samyde Université catholique de Louvain Groupe Crypto 3 Place du Levant B-1348 Louvain la Neuve, Belgium jjq@dice.ucl.ac.be samyde@dice.ucl.ac.be Abstract Cryptology includes cryptography and cryptanalysis technics. Cryptography is managed by Kerckhoffs principles, so any information related to a cryptosystem can be public except the keys. The cryptanalysis is the sum of a lot of very advanced technics in order to find these keys. The controversy about the Data Encryption Standard security has highly contributed to the development of new cryptanalysis methods based on mathematics. The linear and differentials analysis are the most convincing examples. Although these techniques often require great quantities of plain texts and ciphered texts, there are other very powerful methods based on the involuntary "information leakage". Indeed a cryptosystem can leak information in various manners, thus significant data can be extracted from physical signals emitted by the ciphering device. Temperature, acoustic waves, electromagnetic radiations, time or light (radiated, laser, infrared, ...) signs which can be extremely dangerous. It is then possible to define side channel. The side channel cryptanalysis has been the speciality of secret services for a long time, but ten years ago, the scientific world started contributing to develop new side channel very effective technics. Keywords Side channel cryptanalysis, Tempest, Timing attack, Power & ElectroMagnetic Analysis, Fault Analysis Introduction The history of the conventional cryptanalysis and the development of the most powerful computers are closely dependent. The undeniable proof is the brilliant cryptanalysis of the naval Enigma by A. Turing and both GHCQ’s Colossus at Bletchley Park during the World War II. As conventional cryptanalysis side channel’s power can really be frightening, their successes remained in the shadow for a long time. In the past, the most advanced automats were based on mechanical principles that are well known today. But with the evolution of sciences, electricity become stronger and stronger, so electromechanic appeared and then electronic. Although the desired physical effects were advisely used as the principal component of a device, other parasitic effects can sometimes be neglected. In this case it is sometimes possible to extract significant information from the handled data [1]. As a current runs through a wire, it creates an electric field, a magnetic field as well as a heating. These effects are known and described by the Maxwell’s equations and the Joules’s law. But when some of these existing physical effects are not desired by the designer of the automata, they can create leakages. It is possible to remotely collect the electromagnetic field with an adapted antenna, to reamplify it, and to do a demodulation in order to obtain information. In the case of a cathode ray tube or a computer screen, the pixel of the screen is obtained thanks to the projection of an electron beam on sensitive molecules. But the position of the electron beam is controlled by coils. If the radiated field is collected, amplified and then introduced at the input of other coils, it makes possible to copy the image of the remote screen. Concerning heat, some thermal cameras have a good resolution, they permit to construct a signature. These signature characterizes the device. The manufacturers of cryptoprocessors also try to limit the heat to reveal 179
  • 2. J-J. Quisquater & D. Samyde information on calculation in progress into their chip. The exhaustive list of the undesirable edge effects during the processing of a device can not be given here, however this article tries to point out the importance of side channel cryptanalysis and to draw up a list of the attacks most currently used against the cryptographic implementations. People often forget to underline the important part played by the side channel in successful cryptanalyses. There are several manners to conceive cryptanalysis. The most conventional one consists in looking at the cryptographic primitives as a mathematical objects or an algorithm. Another one is interested in the implementation of the primitive in a ciphering device. It is then interesting to analyze the side channel obtained. A good side channel source is then inherent to the structure of the physical implementation. It is important to notice that it can considerably facilitate the work of a possible attacker. History Figure 1 : Information leakage by one of the designers of Arpanet It is quite difficult to fix with precision the birth of the side channel cryptanalysis. But it would be false to think it was at the end of XXth century. It even seems this date is rather at the end of XIXth century or the whole beginning of XXth. The discovery of the existence of side channel obviously did not give place to publications and international communications. J. Maxwell establishes its theory on electromagnetic waves in  ¢¡¤£¦¥ . But at the end of the 19th century some cross talk problems in telephone links were mentioned. During the First World War, these coupling problems were used to spy communications. Information obtained was only copied on another media and then listened. The signal processing was non-existent in such interceptions. But in  ¨§© ¢¡ , H. Yardley and its team discovered that classified information could leak from electric materials. But this knowledge make it possible to find the handled secrets. The data contained in a 180
  • 3. Side channel cryptanalysis cryptographic device modulated a signal on the tape of a close recording source. In the middle of the thirties, the study of the IBM typewriter indicated that the leakage of information was important and must be considered. Military people started to seriously consider this kind of leakage; and the various western armies paid great attention to limit the radiations on their sensitive devices at the time of the Second World War, particularly for the embedded oscillators. That did not prevent the communist’s Teletype from "being intercepted" in Berlin. Reception antennas were placed in close tunnels. During the fifties, the Chinese authorities also used acoustic techniques to spy embassies, whereas Russian sent microwaves on metal bars contained in statues, in order to recover the acoustic waves of an American embassy. The creation of the NSA in  ¢§¥ immediately gave a crucial importance to the recovery of the compromising signals. The word SIGINT which is the acronym of SIGnal INTelligence took all its meaning then. Using telephone wire as an antenna carried one of the first interceptions of electromagnetic radiations out. In the future, this kind of technique continued to be applied successfully for data interceptions of some computer screens. It worked for at least a distance of several hundreds of kilometers. These first experiments were carried out with the M.I.T. The beginning of the great series of the American NATO military standards for the limitation of the compromising electromagnetic radiations and the use of shield appeared in the middle of the fifties. The American armies worried about this new threat and initiated the tempest program. At the beginning of the sixties, the Russian embassy and some French devices were spied in London, thanks to their electromagnetic radiations. While demodulating the recovered signal correctly, English people managed to find classified information. This time the signal processing was introduced and continuously took an increasingly place in the future. One example is related to the cryptanalysis of a Russian code during the crisis of Cuba. The American Oxford interceptor succeeded in recovering the electromagnetic radiations emitted by a Soviet ciphering device located on the island. Moreover the American marine carried out that the measurement of the radiated noise make it possible to know the position of the rotors inside some cryptographic devices. The civils did not yet know a lot about the interception possibilities, as this kind of methods was still confidential. But quickly, at the beginning of the seventies, people mentioned cases of interferences between some of their electronic materials. And the cases of young researchers playing music with their screen or their printer into a radio receiver or a device including a demodulation, were not isolated. However the uses of the side channel analysis continued to exist and the Kilderkin operation which consisted in the interception of the electromagnetic emanations of the Russian embassy in Canada took place in the middle of the seventies. Quite at the same time, the Polish services were surprised spying Soviet military material; once more time, the electromagnetic radiations were blamed. This time, in fact, it was the power wire that was listened. In  ¢§¡ the NSA introduced the new concept of safety zone around a measurement point and it is the next year that IBM builded its first armored PC [2]. At the end of twenties, I. Murphy a.k.a Captain Zap published the first plans of tempest receivers, just after British television showed demonstrations on this subject. At this time, the French army started to be very interested in the development of a tempest chain, and the Bulgarian services used equipped trucks with hidden antennas to spy and to intercept military communications in Western countries. In nineties R. Anderson and M. Kuhn worked on the reduction of radiations and published new fonts. For healthy reasons, the manufacturers had to drastically reduce screen radiations. In  ¢§§ P. Kocher published his work based on timing measurement. Using the processing time of a cryptosystem, his timing attack, exploited by F. Koeune, make it possible to recover a © ¢ bits RSA private key with a few hundreds of thousands of samples in a few minutes, whereas the factorization of an equivalent number required several intensive months of processing. The work of P. Kocher and its team then concentrated on power and consumption analysis. He unleashed the full of differential measurements. Then the large banking accounts asked silicon founders to quickly find fast and effective solutions to solve this problem. During the last ten years, another analysis appeared, based on fault injection. The idea was very simple: if it was not possible to extract keys from the leakage, maybe was possible to disturb the processor during a critic processing. The history reports even cases where the sides channels were voluntary introduced in order to be able to recover the significant data easier thereafter. Finally, the cryptanalysis using side channel has developed more and more to become today one of the serious components for intelligence collection. 181
  • 4. J-J. Quisquater D. Samyde Electromagnetic leakage The electromagnetic radiations can still be used nowadays against recent systems. The quality of the antennas is very important, and it is possible to find several kinds (logarithmic, planar...) of them. In the same way, the frequency stability of the local oscillators are necessary to obtain a good result; the best receivers authorize a precision of  ¨ Hz, using phase locked loop. The level of classical countermeasures has been improved in a significant manner since few years. In the case of a cathode ray tube, it is difficult to obtain a valid interception farther than ten meters, using an old material. This distance and this level of radiations must be compared to the distances obtained by the satellites who listen two aligned antenna from the space. Nowadays, some information is public because it has been declassified. But the simple presence, or not, of electromagnetic radiations is often enough to provide useful information to an attacker. Some systems recreate a false magnetic field around them, in order to mask their presence or their radiations. However, the theorem of C. Shannon indicates that by repeating measurement, it becomes possible to remove the noise and to obtain a signal noise ratio as high as desired. Devices as smart cards use operative countermeasures to limit the number of executions. In the large majority of cases, the designers try to limit the level of radiations or to define a protection area in order to reduce the power of the signal. But some applications very often require a Faraday cage to be protected, and it is not always simple and possible to use one. Some recommendations, related to the level of attenuation of the Faraday screen rooms, seemed unexplainable in the past. Recent work of Mr. Kuhn, and other academics, seem to be able to explain the differences between the attenuations required by the military and the civilians. Indeed, the military attenuations do not seem to leave any chance of interception, even with recent material, whereas the civil levels did not ensure this shielding quality. It is also important to notice that the light emitted by a screen, contains useful information which is the video signal. M. Kuhn recently published it is possible to reconstruct a video image starting from the luminosity of a distant screen. Timing attack One of the first attacks by measurement of the response time of a system, made it possible to reduce the number of tests, in order to find a password. This attack was particularly effective against the implementations of Unix. Indeed, if the comparison between the password recorded and the password seized is carried out byte by byte on the basis of the first bit, and if the machine response was available at the first error, it was then possible to test all the bytes located in first position and to choose the one which had the longest response time. Indeed, this last was inevitably the good, since the response time lengthened corresponded to the time of comparison and erroneous response of the second byte. According to R. Moreno, this kind of analysis also functioned at the time of the bearing of a banking application since a Motorola processor, on a smart card including a processor Thomson. This attack has been applied by F Grieu. It is also possible to use the measurement of the response time, in order to know the contents of the mask of a distant data-processing waiter. Indeed, if the information is already present in the memory cache of the computer, and if it has to be load the response time is different. In  ¢§¦§ , P. Kocher published a rather theoretical article, on the use of the measurement of time, to try to find cryptographic keys. Two years later, F. Koeune applied this analysis and showed how it was possible to defeat a naive implementation of the algorithm Square Multiply for the modular exponentiation. There are only two possibilities of connection inside the code carried out for its demonstration, but these two connections do not take the same time. It is then possible to know rather quickly the cryptographic keys [3], with a few hundreds of thousands samples. Countermeasures against timing attacks may seem to be trivial, but a constant time answer is not always possible: sometimes it is necessary to consider the worst case of an algorithm, or to insert much more subtle countermeasures, modifying the temporal properties. 182
  • 5. Side channel cryptanalysis Thermal analysis The thermal analysis is not used a lot against cryptographic devices; it is more current for satellite or space image analysis. In many cases, the materials stationed at a place has modified the temperature or the illumination of the storage place. Even a long time after their departure, it is always possible to carry out a measurement revealing their very last presence. Concerning processors, the limiting factor is the diffusion of heat. The equation of propagation is well- known, but the propagation times are crippling. However, it is important not to obtain hot points on the chip, in order not to reveal a specific activity [4]. In the past, the security components verifiers used liquid crystals to reveal the activity areas of the component. But actually this method is too slow. Power analysis A small antenna inserted in a perforated condenser can provide a lot of information on the activity of an electronic card. This old technic is well known and has been used for a long time. An electronic card often contains few very interesting elements to analyze, by measuring their consumption. Inserting a low value resistance between the ground pin and the general ground of the card, is enough to track the specific consumption of a chip. In the past, some people had already noticed that the power analysis of a cryptoprocessor could provide information on the handled keys. In  ¢§§¦¡ , P. Kocher [5] introduced the concept of differential power analysis; it is the intercorrelation value of two random variables. This method called DPA is very powerful against smart cards and recent processors. Moreover, it is possible to improve the resolution, using a coil located in the close field of the processor [6,7]. The signal noise ratio can be greatly improved by ¥¦ to ¤!# . IBM recently used this method to defeat GSM card security. The algorithm used is simple in both cases: the idea is to quantify the influence of a bit of the key and to separate the traces obtained in two sets. These sets are built according to the value of one bit of the key. Then checking the assumption on the value of the key bit, the real value can be recovered. Conclusion In conclusion, side channel cryptanalysis is a powerful tool and can defeat some implementations of very robust and well suited algorithms. Perhaps in the future, others side channels will be discovered; but the real cost of the these attacks is increasing. In order to be immunated to a high number of cryptanalysis, implementations must now integrate a very high level of expertise. The countermeasures are always possible and available, but they must be well thought. It is easy to believe avoiding a side channel and in fact to become weaker from another one [8,9]. It is an eternal game between robbers and policemen; for the moment cryptanalysts seems to be better [10] than designers, but in the future it will undoubtedly quickly evolve. References [1] NACSIM 5000: Tempest Fundamentals, National Security Agency, Fort George G.Meade, Maryland. Feb 1982. Partially declassified also available at http://cryptome.org/nacsim-5000.htm. [2] M. Kuhn and R. Anderson, Soft tempest: Hidden data transmission using electromagnetic emanations, In D. Aucsmith, editor, Information Hiding, vol 1525 of Lecture Notes in Computer Science, pp 124-142. Springer-Verlag, 1998. [3] J. Kelsey, B. Schneier, D. Wagner, and C. Hall, Side Channel Cryptanalysis of Product Ciphers, in Proc. of ESORICS’98, Springer-Verlag, September 1998, pp. 97-110. [4] J-S. Coron, P. Kocher, and D. Naccache, Statistics and Secret Leakage, Financial Cryptography 2000 (FC’00), Lecture Notes in Computer Science, Springer-Verlag. 183
  • 6. J-J. Quisquater D. Samyde [5] P. Kocher, J. Jaffe and B. Jun, Differential Power Analysis, In M. Wiener, editor, Advances in Cryptology - CRYPTO’99, vol. 1666 of Lecture Notes in Computer Science, pp. 388-397, Springer-Verlag, 1999. Also available at http://www.cryptography.com/dpa/Dpa.pdf. [6] K. Gandolfi, C. Mourtel and F. Olivier, Electromagnetic analysis : concrete results, In Koç, Naccache, Paar editors, Cryptographic Hardware and Embedded Systems, vol. 2162 of Lecture Notes in Computer Science, pp. 251-261, Springer-Verlag, 2001. [7] J.-J. Quisquater and D. Samyde, ElectroMagnetic Analysis (EMA) Measures and Counter-Measures for Smart Cards, in I. Attali and T. Jensen, editors, E-Smart Smartcard Programming and Security, vol. 2140 of Lecture Notes in Computer Science, pp. 200-210, Springer-Verlag 2001. [8] R. Anderson, M.Kuhn, Tamper Resistance - A Cautionary Note, Proc. of the Second USENIX Workshop on Electronic Commerce, USENIX Association, 1996. [9] O. Kommerling and M. Kuhn, Design principles for tamper-resistant smartcard processors, In Proc. of the USENIX Workshop on Smartcard Technology (Smartcard’99), pp. 9–20. USENIX Association, 1999. [10] E. Biham and A. Shamir, Power Analysis of the Key Scheduling of the AES Canditates, in Second Advanced Encryption Standard Candidate Conference, Rome, March 1999. 184