Power analysis training program in support of proposed FIPS 140-3 Standard

Cryptography Research, Inc. announced the availability of test equipment and a training program on power analysis attacks for FIPS 140-3 validation laboratories and product vendors. Federal Information Processing Standard 140 is a U.S. Government standard administered by the National Institute of Standards and Technology (NIST) which specifies validation requirements for cryptographic devices purchased by the US government. Last month NIST released a new draft, FIPS 140-3, which mandates security against Simple Power Analysis (SPA) and Differential Power Analysis (DPA) attacks for products validated at levels 4 and above. 

SPA and DPA attacks find keys and other secrets by exploiting information leaked through variations in the amount of electrical power consumed by cryptographic devices. SPA involves direct observation of power consumption measurements, while DPA uses statistical techniques to extract keys from smaller variations within a set of power consumption measurements collected over many operations. Effective countermeasures to power analysis attacks are important to prevent adversaries from duplicating ID cards, accessing private communications systems, stealing digital content, or mounting other attacks. SPA, DPA and related attacks were first discovered at Cryptography Research by Paul Kocher, Joshua Jaffe and Benjamin Jun. 

“As governments increasingly rely on devices such as smart cards, electronic passports, and mobile communication systems, it is critical that data and keys be protected with effective security and tamper resistance,” said Paul Kocher, president and chief scientist at Cryptography Research.

The FIPS 140-3 draft is currently under public review and is expected to be finalized in late 2007. Other widely adopted international industry standards require SPA and DPA countermeasures. FIPS 140-3 is the first major U.S. Government requirement to mandate power analysis protection countermeasures. “It is encouraging that the United States Government is recognizing the importance of protecting sensitive systems against power analysis attacks, and we are pleased to be able to provide training and assistance to companies involved in FIPS 140-3,” said Ken Warren, smart card business manager at Cryptography Research.