The recently passed Proof-of-Keys movement marked a silent revolution of individuals declaring financial independence by claiming ownership of their keys. In our last article, we explained why a hardware wallet with a Secure Element gives you the most complete ownership of your keys through true random number generation (TRNG). In addition to generating a random number, a Secure Element takes care of transaction signing so that your private keys never leave its controlled environment. This vitally important second function is ensured by the Secure Element’s many protections against even the most vulnerable situation for your keys — when an attacker has physical access to your device.
Side-channel attacks focus on gleaning sensitive information by closely observing a device’s physical behavior. The idea behind this kind of attack is that a device’s energy consumption, electromagnetic emissions, or other observable behaviors such as sounds can reveal something about the information that is being processed inside. Refer to our article on air-gapped devices for an in-depth explanation of how information can easily escape from computers and smartphones because of their large attack surfaces.
Unlike the components in generic consumer electronics, a Secure Element is equipped with an array of defenses that mitigate the chances of a side-channel attack succeeding. These hardware defenses either reduce the leakage of side-channel information, or mask it with fake operations that produce information indistinguishable from the traces of sensitive encryption operations. For instance, manipulating the timing of executions drastically reduces the information that can be recovered by analyzing the time intervals elapsed during cryptographic operations. Meanwhile, executing randomized masking operations in tandem with real operations is an effective way to scramble sensitive information leaked out by power consumption or electromagnetic emissions.
Power Analysis Attacks
The most well-known kind of side-channel attack works by scrutinizing the changes in power consumption that occur while private keys are being used to sign a transaction. A 256-bit private key consists of a series of ‘0’ bits and ‘1’ bits, which are processed with two different operations. Because the operations differ in power consumption, a private key can be recovered if an attacker has physical access to the device and adequately sensitive power analysis equipment. A power analysis attack is generally performed by inserting a shunt resistor into the power line where it is connected to the chip processing the private keys, and hooking the resistor up to an oscilloscope, a sensitive device for reading power consumption. Not only will a Secure Element’s ability to obscure its operations make recovering a key through power analysis reading almost impossible, but the mixed layout of its circuitry makes this a very difficult defense to get around.
Cold Boot Attacks
Cold boot attacks seek to exploit the fact that memory physically lingers in a device for a short period of time after the device has been shut down. With a hard reset of the device, an attacker can dump memory onto a file before it degrades. This type of attack works not only on computers, but also smartphones.
Cold boot attacks are most effective when freeze spray is used to cool down the memory module and delay the degradation of physical memory. While general circuit systems are defenseless against this cold boot attack method, a Secure Element has modules designed to detect abnormal environmental conditions such as low temperatures. Once a sudden change in temperature is detected, a Secure Element will immediately reset and erase the RAM to counteract any potential threat.
Fault attacks attempt to cause a device to reveal information that otherwise would not leak out by forcing errors in the device’s functionality. A Secure Element has built-in voltage and frequency abnormality detection modules that protect it from being probed by excessive voltage supply or clock frequency. To obscure the physical activity of its encrypted operations, it conducts a number of fake operations in simultaneous concert with real ones, effectively scrambling any sensitive information that could be secreted as the result of a fault attack. On top of these defenses, a Secure Element conducts verification checks when it detects that multiple real operations are being executed at the same time. If the Secure Element detects suspicious activity, flash memory is wiped, causing the private keys and other sensitive information to disappear.
Profiling on Open Source Devices
The risk of a profiling attack arises from the complications involved with open source firmware, which effectively makes information about the device available to everyone. An attacker can use the open source firmware to play around with a device and create a database on its physical characteristics. This profile of the device’s behaviors can be used as a quick reference guide once the attacker has gained possession of someone else’s device, greatly increasing the speed and efficiency of the attack. The most advanced profile attack scenarios also assume the involvement of machine learning in exploiting this reference database. Profiling attacks are the most dangerous kind of side-channel attack because they can be executed in a very short period of time, possibly even allowing an attacker to snag a device and return it without the owner ever noticing.
The Cobo Vault’s Secure Element is open source, enabling you to examine how it physically generates true random numbers. However, we have otherwise made the rest of the device closed source so as to protect users from the risk of profiling attacks.
Certified to Protect
A Secure Element is also designed to be resistant to other kinds of side-channel attacks not listed here, such as light attacks and software attacks. But how can you be sure that a Secure Element is really offering any of the protections we have mentioned above? In our last installment of this series, we touched on Secure Element certification, mentioning that the Cobo Vault is FIPS 140–2 certified. Certification involves testing against the most advanced side-channel attacks, as well as strenuous auditing of the production process, which helps prevent some types of supply chain attacks. In an upcoming article, we’ll follow up with more information on how our web authentication process goes the extra mile in preventing supply chain attacks.