REASSURE - Robust and Efficient Approaches to Evaluating Side Channel and Fault Attack Resilience

Date: 
01/01/2017 to 31/12/2019

Introduction

Over the last two decades a new type of attack against embedded security devices has emerged, exposing cryptographic keys from unwanted “side channel” data leaked by implementations, such as running time, power or EM signals…
To account for such attacks, sophisticated security certification and evaluation methods (Common Criteria, EMVCo…) have been established to give assurance that security claims received independent evaluation. However, recent events (attacks against Taiwanese citizen cards, Snowden’s revelation on NSA tampering with FIPS…) came into the spotlight and eroded public confidence.
REASSURE aims to improve the efficiency and quality of certification, as well as the comparability of independent evaluations.

Who is the project designed for?

REASSURE targets all actors along the design and evaluation chain of embedded security devices:

  • Product manufacturers, including both specialized industrials like smart card manufacturers who will benefit from sounder, more efficient design and evaluation techniques, and newcomers like developers of IoT applications, who will receive a set of good practices and tools helping them assess the security of their implementation and reach a base security level without the need for immediate access to an evaluation lab.
  • Independent evaluation labs, who will benefit from efficiency and assurance gains, helping them reach sound and comparable evaluation results.
  • Certification bodies, in their mission of certifying evaluation labs’ goods practices.
  • Standardization bodies, as project results will be actively pushed towards existing and appearing standards.
  • Researchers, by providing a better understanding of side-channel resistance as a full process.

How is your project benefitting the end-user?

Embedded cryptographic devices are a fundamental component in modern security applications. Smart cards (e-ID, bank and credit cards), access tokens, secure USB drives, are only a few examples of contexts requiring such a portable, trusted cryptography-enabled device. With the advent of the Internet of Things, we will experience a great increase in the number of small, connected elements performing critical operations or handling sensitive data (e-Health, home appliances, vehicle control equipment…). Considering the value of the operations and the ease of access to most embedded devices, side-channel attacks are definitely a dangerous attack vector.

A sound, unified resistance evaluation process, yielding comparable results among designers and independent evaluators is required to achieve standardized security assessments.

Please briefly describe the results your project achieved so far

During the first year of the project, we performed an inventory of all steps of a security evaluation process, confronting the viewpoints of academics and industry experts, in order to identify the most critical factors and opportunities for improvement.

We also analyzed existing and potential shortcut formulas reducing the effort needed to assess the security of an implementation, which is useful for early assessment, both for experts and non-experts, during the design phases, as well as to increase confidence in the evaluation outcome, by providing supporting evidence (e.g. on reduced versions).

Finally, we started developing automated evaluation methods, i.e. methods requiring a minimum amount of user input and interaction. Such tools will limit the need for expert intervention, making evaluation processes faster and accessible to non-specialists.

What are the next steps for your project?

This autumn, we plan to organize a tutorial and a walk-and-explore session. The tutorial will focus on the first important step of side-channel resistance assessment, namely leakage detection. Based on practical examples, we will discuss the test methodologies, the proper parameter settings, result interpretation and potential traps leading to false conclusions. During the walk-and-explore session, participants will get the opportunity to test some of the analysis tools developed by the project.
In parallel, REASSURE will continue to improve evaluation processes, confronting findings to real-life situations, developing tools, and contributing to standards.

Week: 
Monday, 16 April, 2018 to Sunday, 22 April, 2018

Project type:

News

Supporting Specialised Skills Development: Big Data, Internet of Things and Cybersecurity for SMEs

Digitisation is a hot topic and impacts everyone. Did you encounter a security incident lately? Are you aware of the potential of big data, but unsure how and where to start applying it? Do you produce or use Internet of Things (IoT) sensors and networks? Are you already using one of these technologies, but are you facing skills challenges? Or do you work closely together with SMEs?
Then you are invited to participate in this survey!

With your participation, you can help to gain insight in:

Events

25/10/2018
Cloudia IT Academy 2018 - CyberSec Day

On October 25th the IT ACADEMY is dedicating a whole day to the topic of Cyber ​​Security with the fourth edition of CyberSec Day.

The event is gathering cybersecurity experts giving valuable insights on the fast evolving cybersecurity landscape; over the last years companies have been subject to increasingly sophisticated cyber attacks: they have had to evolve their approach to cybersecurity over time and today face the challenge of how to keep it aligned with the business strategy.

01/11/2018 to 10/11/2018
6th European Cyber Security Conference - 8th November 2018 - Brussels (Belgium)

The European Cyber Security Conference (organised by Forum Europe) provides a platform for key policymakers and stakeholders to discuss and debate the most pertinent issues affecting the security and safety of the digital space.