> From: Sid Shetye [mailto:sid...@outlook.com]
> 
> Does anyone have comments/insights to bouncy castle's resilience to side-
> channel attacks like power consumption or ground potential attacks? Asking
> here since it's the crypto library that would contribute most to the signals
> being analyzed.

If the described attacks were real, bouncy castle would be just as susceptible 
as everything else in the computer, because bouncy castle runs on the CPU, 
using system RAM.  If they were able to read protected memory contents and CPU 
instructions, then they would have bypassed all the system security 
successfully.

Personally, I don't buy it.  I'll wait to see if anybody debunks this, or it's 
proven to be non-repeatable, a plain FUD hoax.  Here's my reasoning why:

First, they say, despite the GHz instruction frequency, they're extracting the 
keys using MHz and kHz signals.  Which is *nearly* implausible in and of 
itself, but for the sake of argument, let's just give them the benefit of the 
doubt.  Of all the unbelievable things, the insufficient sample rate is the 
most nearly plausible.
 
The part that I *absolutely* don't believe is the principle itself.  They're 
saying they sample the ground signal, which fluctuates in a 
computation-dependent way.  That's the core principle concept.  Which could be 
*plausible* as a method of accessing protected memory or CPU instructions, if 
the keys were serialized bit by bit and sent as a serialized signal somewhere, 
and that serialized signal at least bled over into the ground signal a little 
bit.  But that's not how computers work.

Your CPU has a 32-bit or 64-bit instruction set.  Every time memory is copied 
around, at least 32 bits get latched simultaneously, *and* the power 
consumption is not related to what the bits are.  The power consumption is more 
closely related to the number of bits that change (again, not what the bits 
are).  Similarly, when you perform compute instructions, the power consumption 
is related to the number of bits that *change*, not what the bits *are*.  In 
order to translate "number of bits that changed" into some meta-information 
about "what the bits are" you would need to somehow figure out the old memory 
contents, which would mean knowing the memory address (at least).  You would 
really need 32 or 64 independent channels of sampling the CPU or RAM bus.  
Having a single channel for sampling the power consumption of the system as a 
whole is going to be insufficient to leak protected memory contents, even if 
you had a sufficient sampling rate (which they don't; by a factor of 1,000 to 
1,000,000).  I simply don't buy it.

Physics.
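The reply's model, that the measurable draw tracks the number of register bits that change rather than the bit values themselves, is the Hamming-distance model used when implementations are assessed for data-dependent leakage. The following is an added example, not code from the thread or from Bouncy Castle: it simulates that model for a single byte-wide S-box lookup and runs a fixed-versus-random Welch t-test (the usual |t| > 4.5 criterion) over the simulated samples, once for a plain lookup and once under an idealised first-order Boolean mask. The S-box, key byte, fixed input byte, noise level and the masking model are all constructed for the simulation.

```python
import math
import random
import statistics

# Constructed toy byte S-box for the simulation (an odd multiplier makes it a
# bijection on 0..255). It is NOT the AES S-box; only the leakage model matters.
def toy_sbox(x: int) -> int:
    return ((x * 0x9D) ^ 0x63) & 0xFF


def hamming_distance(a: int, b: int) -> int:
    """Number of bits that toggle when a register holding a is overwritten by b."""
    return bin(a ^ b).count("1")


def leak_unmasked(p: int, k: int, rng: random.Random, sigma: float) -> float:
    """One simulated sample: the register holds plaintext byte p and is then
    overwritten with S(p ^ k). Modelled draw = toggled bits + Gaussian noise."""
    return hamming_distance(p, toy_sbox(p ^ k)) + rng.gauss(0.0, sigma)


def leak_masked(p: int, k: int, rng: random.Random, sigma: float) -> float:
    """Same operation under an idealised first-order Boolean mask (assumed
    model): every value the register holds is XORed with a fresh random byte,
    so the toggle count is popcount(p ^ S(p^k) ^ m_in ^ m_out), whose
    distribution does not depend on p or k."""
    m_in, m_out = rng.randrange(256), rng.randrange(256)
    return hamming_distance(p ^ m_in, toy_sbox(p ^ k) ^ m_out) + rng.gauss(0.0, sigma)


def welch_t(a: list, b: list) -> float:
    """Welch's t statistic for the difference of means of two sample sets."""
    va, vb = statistics.variance(a), statistics.variance(b)
    return (statistics.fmean(a) - statistics.fmean(b)) / math.sqrt(va / len(a) + vb / len(b))


THRESHOLD = 4.5  # conventional |t| cut-off in fixed-vs-random leakage assessment


def fixed_vs_random_t(leak_fn, key: int, fixed_p: int, n: int = 2000,
                      sigma: float = 1.0, seed: int = 1) -> float:
    """Collect n samples with a fixed input byte and n with random input bytes
    under the same key, and return the t statistic. |t| above THRESHOLD means
    the two sets are distinguishable, i.e. the measurement depends on the data."""
    rng = random.Random(seed)
    fixed = [leak_fn(fixed_p, key, rng, sigma) for _ in range(n)]
    rand = [leak_fn(rng.randrange(256), key, rng, sigma) for _ in range(n)]
    return welch_t(fixed, rand)


def assess(key: int = 0x2B, fixed_p: int = 0x01) -> dict:
    """Run the assessment for both implementations (constructed key and fixed byte)."""
    return {
        "unmasked_t": fixed_vs_random_t(leak_unmasked, key, fixed_p),
        "masked_t": fixed_vs_random_t(leak_masked, key, fixed_p),
    }


if __name__ == "__main__":
    for name, t in assess().items():
        verdict = "data-dependent" if abs(t) > THRESHOLD else "no detectable dependence"
        print(f"{name}: t = {t:+.1f} -> {verdict}")
```

The t-test only answers whether the toggle count is distinguishable between inputs; it is the check an evaluator runs before deciding whether an implementation needs masking or constant-time rework. Under the masked model the statistic stays near zero even though exactly the same S-box lookup happens, because the fresh masks decouple the number of toggling bits from the processed value.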
