FIPS compliant products are not protected against Side Channel and Fault Injection Attacks, two effective penetration technics that are relatively easy and cheap to implement.
All commercial IT products marketed in the United States and Canada must comply with FIPS, an official security standard for cryptographic modules embedded in those products.
At the moment, FIPS 140-2 requirements do not include testing against Fault Injection and Side Channel attacks. Both attack techniques share common characteristics: they are cheap to implement with equipment that can be easily found on the market and they have proven to be effective against daily use commercial cryptographic products (embedded in laptops, cell phones, CPUs, etc.)
While a new version of FIPS is being prepared, the industry is now discussing how to include new testing requirements in a cost-effective manner. This issue was also one of the main topics of discussion the International Cryptographic Module Conference (ICMC), celebrated in Ottawa in May 2016. Applus+ decided to participate in the ICMC and provide its vision as a security laboratory with a proven track record evaluating security-critical products such as smart cards.
At the conference, Applus+ presented its approach to evaluating Side Channel and Fault Injection attacks. Applus+ experts detailed how these penetration attacks can be performed, the necessary equipment and its approximate cost. In a second part of the conference, they proposed a model of testing campaign (SPA/SEMA, EMI injection, power line glitch, etc.) to evaluate cryptographic modules’ protection against Side Channel and Fault Injection attacks in a cost-effective way.
About Applus+ Security Laboratories
Applus+ is an IT security evaluation facility with SOGIS recognition to conduct Common Criteria security evaluations up to EAL 7
. We are also recognized by EMVCo and most payment brands (Visa, AMEX, MasterCard, etc.) to evaluate the security of ICs, platforms and applications for payment solutions. Additionally, Applus+ is also one of the few laboratories in the world to be qualified to evaluate the security of TEE products under the GlobalPlatform Certification scheme.