August 2008

Cryptography Research Clinches $100m deal with Infineon

Paul Kocher the CEO of Cryptography Research Inc (CRI) must be having one of his best months for some time and is probably wondering why it has taken so long. After 5 years of peddling the market with his smart card chip security techniques the leading silicon provider Infineon with about 30% of the smart card market has signed up to licensing his IPR.

The terms of the deal have been kept private but we can estimate the likely size of the deal. Infineon currently produces about 800 million microcontrollers for smart card applications. The SLE66 family is the most popular although the 32bit CPU based SLE88’s are starting to come on stream. The primary markets for smart card microcontroller chips are in the financial and mobile telecommunications markets. Both of these markets which together take more than 80% of the total market are price driven, chip margins are at rock bottom.

The original agreement with Visa saw CRI getting 25 cents (USD) per chip but there is no way that the market could currently sustain those levels so we would expect the licensing to be in the range 1 – 5 cents per chip depending on the silicon manufacturer’s margins.

So for the low margin business we might expect over the next 10 years say 1 cent for 500 million chips and for the higher margins perhaps 5 cents for say up to 100 million chips per year which over the 10 year remaining life of the patents would produce up to $100 million. Pure speculation of course but one suspects it gives a pretty good indication of CRI’s aspirations.

But of course apart from Infineon’s 30% market share we have,

  • Samsung                 15%
  • NXP                        14%
  • Atmel                     12%
  • Renesas                  12%
  • ST Microelectronics  7%
  • Others                    10%

So the question is will all the major players sign up? In classic IPR speak are these companies already or likely in the future to infringe a valid patent? Not the right place to have a detailed assessment but what we do know is that all these companies are concerned to get the security of their smart card chips sufficient to achieve the necessary certification processes not only through Common Criteria but also the extra processes applied by both Mastercard and Visa. In all these cases the need to address DPA (Differential Power Analysis), the cornerstone of CRI’s work, is well identified. Can you get around it without using the CRI patents? Clearly Infineon think not.

So where does the work of CRI lay in the world of the smart card chip? The silicon manufacturers have always recognised the importance of security to their chips but they have gone through a number of development phases that also involve the software developers, including the chip kernel software.

Phase 1: Basic Application Software Vulnerabilities (- 1990)

In the early 90’s and before many software developers made basic mistakes in their core application. This was in two categories, errors that allowed an attacker to break through the application perhaps by leaving undocumented development commands or vulnerabilities to buffer overflows for example. The second category was to leave vulnerabilities in the actual implementation of basic functions that could be exploited by an attacker. One well known example was the software used to check PIN entry. If the software checks the PIN before decrementing the allowed incorrect PIN attempt counter then an attacker may monitor this operation guessing each PIN in turn (often only 4 digits) and if the program doesn’t accept the PIN (determined by a number of monitoring techniques based on time (say) then he can turn off the power to prevent the counter from being decremented. Early chips that had an external EEPROM memory high voltage connection were vulnerable to this attack by simply removing this wire on the connector which would stop any write (e.g. the PIN attempt counter) from being implemented. Today this high voltage is generated internally within the chip.

Phase 2: Chip Test Mode (- 1994)

Again in the early 90’s chips were often vulnerable to attacks on their test mode. If an attacker could re-invoke the test mode then it would be possible to effectively read any of the chip memories including the mask ROM and the EEPROM memory where the secret cryptographic keys are most likely to be stored. Silicon manufacturers have developed this area of their chips to a level at which this would today be practically impossible to achieve.

Phase 3: Timing Attacks (1996)

Perhaps the first seminal paper by Paul Kocher on the concepts of determining the secret keys of cryptographic algorithms as a function of their (inadequate) implementation. Subsequent to the publication of this paper several researchers have proven the concepts in a real practical environment. Further details can be obtained from his paper.

Paul C. Kocher: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems. CRYPTO 1996: 104–113

Today programmers ensure that all cryptographic functions are either constant or random time regardless of the key or data processed.

Phase 4: Power Analysis Attacks (and Electro-Magnetic Radiation) (1998)

In the smart card world it is this paper that has attracted the most attention over the last 10 years. The reader is referred to the paper for full details but in essence what is shown is the vulnerability of cryptographic algorithms to their implementation in a chip where the CPU operations can be viewed, recorded and analysed by measuring the power consumed by the chip. In a naïve mode (called Simple Power Analysis by the authors) it is possible to actually view for example the execution of an exponentiation function (used by RSA and other asymmetric algorithms) and to visually be able to read the secret cryptographic key.

Paul Kocher, Joshua Jaffe, Benjamin Jun, "Introduction to Differential Power Analysis and Related Attacks (1998)

This is of course the area that is covered by the CRI patents and one of the key concepts is to use blinding techniques so that an attacker cannot correlate the measured power signal data with the secret cryptographic keys.

Because it is a fundamental part of any smart card chip evaluation both the silicon manufacturer and the software programmers are concerned to ensure their implementations are not vulnerable to such attacks. Modern chips produced by Infineon and others may incorporate techniques in the hardware implementation of the chip perhaps by creating random current noise or by balancing the power consumption so that it is not possible to correlate the power signals with the underlying cryptographic processes. It should also be noted that smart card chips are similarly vulnerable to monitoring of their electro-magnetic emissions which needs to be equally addressed.

Phase 5: Induced Fault Analysis (1996)

Although this attack was published before the paper on differential power analysis (originally in 1996) I have classed the vulnerability as Phase 5 because it remains the most difficult weakness in the chip to address. The basic ideas were presented in the paper referenced below,

On the importance of checking cryptographic protocols for faults (1997) by Dan Boneh, Richard A. Demillo, Richard J. Lipton (Bellcore)

But these concepts have been considerably developed since that time. The only comment I would want to add here is that such attacks require sophisticated resources to implement in a well constructed smart card chip platform in terms of both hardware and software. This is no longer a back bedroom attack.

by David Everett, Technical Editor, Smart Card & Identity News


Unable to open RSS Feed with error SSL certificate problem: certificate has expired, exiting

Video Interviews

Tim Jones talks on the wealth of networks

Christophe Dolique of Gemplus talks about ·SIM

Dominique Brule of Philips Semiconductors talks about Near Field Communication