Appendix F: Power and Electromagnetic Side-Channel Attacks and Countermeasures; Masking Operation Process That the AES Implementation Uses When Content Protection Is Turned On - BlackBerry Enterprise Solution Security Technical Overview


BlackBerry Enterprise Solution
Appendix F: Power and electromagnetic side-channel attacks and countermeasures
The BlackBerry device implementation of AES is designed to protect user data and encryption keys from
traditional and side-channel attacks.

Attack type | Description
------------|------------
traditional | attacks data that the cryptographic system stores or transmits; attempts to determine the user's encryption key or the plain text data by exploiting a weakness in the design of the cryptographic algorithm or protocol
side-channel | attempts to exploit physical properties of the algorithm implementation using power analysis (for example, SPA and DPA) and electromagnetic analysis (for example, SEMA and DEMA); attempts to determine the encryption keys that a device uses by measuring and analyzing the power consumption, or electromagnetic radiation that the device emits during cryptographic operations

The BlackBerry device uses a masking operation, table splitting, and application of random masks to help protect
the cryptographic keys and plain text data against side-channel attacks at all points during its encryption and
decryption operations.

Masking operation process that the AES implementation uses when content protection is turned on

During the initial AES algorithm calculation, the following actions occur:
1. The BlackBerry device performs the masking operation by
   - creating a mask table (M), where each table entry is a random value
   - creating a masked version of the S-Box table (S') used within AES
   - periodically and randomly permuting all table entries
2. The BlackBerry device runs the input through both M and S'.
3. The BlackBerry device combines the output from M and S'.
4. The BlackBerry device removes the mask and produces the AES output.

During subsequent AES algorithm calculations, the following actions occur:
1. The BlackBerry device performs the masking operation by periodically and randomly permuting all table
   entries in every calculation.
2. The BlackBerry device runs the input through both M and S'.
3. The BlackBerry device combines the output from M and S'.
4. The BlackBerry device removes the mask and produces the AES output.

Masking operation process that the AES implementation uses when content protection is turned off

The AES algorithm calculation that BlackBerry devices use when content protection is turned off consists of the
following stages:
1. The BlackBerry device masks the output from the round key.
2. The BlackBerry device masks the AES S-Box input.
3. The BlackBerry device masks the AES S-Box output.

© 2009 Research In Motion Limited. All rights reserved.
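
The M and S' table flow described for content protection turned on, as an added C example that is not BlackBerry's code and not part of the original document. It assumes one possible reading of the steps: S' holds each S-Box entry XORed with the matching entry of M, "combining" is an XOR, and the permutation is an XOR of the table index with a random byte; all names (`remask`, `masked_sub_byte`, `perm`) are hypothetical, and randomness is read from /dev/urandom.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

static uint8_t S[256];    /* plain AES S-Box, used only while building S' */
static uint8_t M[256];    /* mask table: every entry is a random byte */
static uint8_t Sm[256];   /* masked S-Box S' */
static uint8_t perm;      /* assumed permutation: entry x is stored at x ^ perm */
static uint8_t rotl8(uint8_t v, int n) { return (uint8_t)((v << n) | (v >> (8 - n))); }

/* Standard AES S-Box: inverse in GF(2^8) followed by the affine transform. */
static void build_sbox(void) {
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));        /* p *= 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        if (q & 0x80) q ^= 0x09;                                       /* q /= 3 */
        S[p] = (uint8_t)(q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63);
    } while (p != 1);
    S[0] = 0x63;                                                       /* 0 has no inverse */
}

static void random_bytes(uint8_t *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(buf, 1, n, f) != n) abort();
    fclose(f);
}

/* Step 1: draw a fresh M and permutation, then rebuild S' to match. */
void remask(void) {
    random_bytes(M, sizeof M);
    random_bytes(&perm, 1);
    for (int i = 0; i < 256; i++)
        Sm[i] = (uint8_t)(S[i ^ perm] ^ M[i]);
}

void masking_init(void) { build_sbox(); remask(); }
/* Steps 2-4: look the input up in both tables, then combine to strip the mask. */
uint8_t masked_sub_byte(uint8_t x) {
    uint8_t i = (uint8_t)(x ^ perm);   /* permuted position of entry x */
    uint8_t masked = Sm[i];            /* S[x] ^ M[i], a uniformly random byte */
    uint8_t mask = M[i];
    return (uint8_t)(masked ^ mask);   /* mask removed: equals S[x] */
}

int main(void) {
    masking_init();
    printf("S(0x53) = 0x%02x\n", masked_sub_byte(0x53));
}
```

The result is the same for every choice of M and `perm`; only the intermediate table values change between calls to `remask`. This shows the data flow only and says nothing about the leakage of a compiled build on real hardware.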