Proceedings 2002 IEEE Symposium on Security and Privacy (2002)
May 12, 2002 to May 15, 2002
Josyula R. Rao, IBM Watson Research Center
Pankaj Rohatgi, IBM Watson Research Center
Helmut Scherzer, IBM Watson Research Center
Stephane Tinguely, Swiss Federal Institute of Technology
In this paper, we introduce a new class of side-channel attacks called partitioning attacks. We have successfully launched a version of the attack on several implementations of COMP128, the popular GSM authentication algorithm that has been deployed by different service providers in several types of SIM cards, to retrieve the 128-bit key using as few as 8 chosen plaintexts. We show how partitioning attacks can be used effectively to attack implementations that have been equipped with ad hoc and inadequate countermeasures against side-channel attacks. Such ad hoc countermeasures are systemic in implementations of cryptographic algorithms, such as COMP128, which require the use of large tables, since there has been a mistaken belief that sound countermeasures require more resources than are available. To address this problem, we describe a new resource-efficient countermeasure for protecting table lookups in cryptographic implementations and justify its correctness rigorously.
smartcards, authentication, security protocols, commercial and industrial security, side channel attacks, GSM, COMP128
J. R. Rao, H. Scherzer, P. Rohatgi and S. Tinguely, "Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards," Proceedings 2002 IEEE Symposium on Security and Privacy (SP), Berkeley, California, 2002, pp. 31.