Device developers are nowadays aware of the risks of hardware side channel analysis. While a computer chip does its calculations, it may leak sensitive information through its power consumption or other side channels. There are mitigations against side channel leakage, but the number of attacks and side channels is still growing. Therefore, it is important to remain vigilant.
At the recent CHES conference in Prague a team from Karlsruhe Institute of Technology reported a new side channel and a successful attack. In this case, the researchers did not look at power consumption, but at clock jitter. Almost any chip has a clock signal that times the sequence of instructions. Often the clock is generated by a PLL (phase-locked loop) circuit, which allows the clock speed to be controlled by the chip itself. Although a PLL generates a stable clock, it is never exact. Clock jitter is a small frequency variation (less than 1%) that is normal and acceptable.
PLL jitter is caused by noise. That can be natural noise, but also program-induced fluctuations in power consumption and electromagnetic emission. It follows that clock jitter may behave as a side channel and carry sensitive information. If the jitter is only indirectly caused by power consumption, it may be a relatively weak side channel, and a direct power measurement may have better signal quality. But there are two reasons why jitter is an interesting side channel.
First, the jitter appears in a high-frequency clock that may be externally observable. It may behave as a radio signal and propagate without a galvanic connection. This allows an attacker to observe the leakage from a greater distance.
Second, the jitter may be the best side channel if other sources are mitigated. There are many countermeasures that would obscure power consumption, but these may not undo jitter in the PLL clock.
Can clock jitter be measured? Yes, dedicated circuits (e.g., a tapped delay line) can measure jitter and convert it into an analog signal. This signal can be sampled and analyzed for the presence of secret data leakage. Alternatively, the clock signal can be captured with a high-end oscilloscope and converted into per-cycle timing in software. The research team confirmed that a secret key in a target chip (running the AES crypto algorithm) could be extracted in around 50k measurements. That is considered strong leakage in the side channel research community.
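The following added example (written for this article, not code from the Karlsruhe team or from the original post) shows the software-conversion route described above from an evaluator's point of view: clock-edge timestamps, as a scope capture would provide, are turned into per-cycle periods, and a fixed-vs-random Welch t-test is run over the periods to decide whether any cycle's jitter depends on the data being processed. The clock itself is a constructed toy model: a 10 ns nominal period, 0.5% natural jitter, and an assumed data-dependent term proportional to the Hamming weight of a byte handled in one cycle. None of these constants, nor the 4.5 threshold (the conventional TVLA cut-off), come from the paper; they exist only so the test has something to find.

```python
import math
import random
from statistics import mean, variance

# All parameters below are constructed for this illustration; they are not
# figures from the CHES paper or from any real PLL.
NOMINAL_PERIOD_NS = 10.0      # 100 MHz clock
NATURAL_JITTER_NS = 0.05      # 0.5 % period jitter from uncorrelated noise
COUPLING_NS_PER_HW = 0.02     # assumed data-dependent jitter per Hamming-weight unit
LEAKY_CYCLE = 5               # cycle index in which a secret-dependent byte is processed
N_CYCLES = 12                 # cycles captured per trace


def hamming_weight(byte):
    return bin(byte & 0xFF).count("1")


def simulate_clock_edges(data_byte, rng):
    """Return rising-edge timestamps (ns) of a PLL clock whose period is
    perturbed by natural noise and, at LEAKY_CYCLE, by the switching
    activity of the byte being processed (toy model of power-induced jitter)."""
    t = 0.0
    edges = [t]
    for cycle in range(N_CYCLES):
        period = NOMINAL_PERIOD_NS + rng.gauss(0.0, NATURAL_JITTER_NS)
        if cycle == LEAKY_CYCLE:
            period += COUPLING_NS_PER_HW * hamming_weight(data_byte)
        t += period
        edges.append(t)
    return edges


def edges_to_periods(edges):
    """Software conversion of a captured clock: edge timestamps -> per-cycle periods."""
    return [b - a for a, b in zip(edges, edges[1:])]


def welch_t(xs, ys):
    """Welch's t-statistic for two samples with possibly unequal variance."""
    se = math.sqrt(variance(xs) / len(xs) + variance(ys) / len(ys))
    return (mean(xs) - mean(ys)) / se


def leakage_test(fixed_traces, random_traces, threshold=4.5):
    """Per-cycle fixed-vs-random t-test; |t| above the threshold flags leakage."""
    n_points = len(fixed_traces[0])
    t_values = []
    for i in range(n_points):
        fixed_col = [tr[i] for tr in fixed_traces]
        random_col = [tr[i] for tr in random_traces]
        t_values.append(welch_t(fixed_col, random_col))
    flagged = [i for i, t in enumerate(t_values) if abs(t) > threshold]
    return t_values, flagged


def run_evaluation(n_traces=2000, seed=1):
    """Collect a fixed-data set and a random-data set of jitter traces and test them."""
    rng = random.Random(seed)
    fixed_traces, random_traces = [], []
    for _ in range(n_traces):
        fixed_traces.append(edges_to_periods(simulate_clock_edges(0x00, rng)))
        random_traces.append(edges_to_periods(simulate_clock_edges(rng.randrange(256), rng)))
    return leakage_test(fixed_traces, random_traces)


if __name__ == "__main__":
    t_values, flagged = run_evaluation()
    for i, t in enumerate(t_values):
        marker = "  <-- data-dependent jitter" if i in flagged else ""
        print(f"cycle {i:2d}: t = {t:+7.2f}{marker}")
```

The only cycle that trips the threshold is the one whose period was made to depend on the data; every other cycle sits within the noise. On a real capture the same pipeline applies unchanged: replace `simulate_clock_edges` with the edge timestamps recovered from the oscilloscope trace, keep the two data sets strictly separated, and treat any cycle above the threshold as a point where a power countermeasure has not removed the jitter leakage.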
How is this all relevant to you? If you are a chip or device developer and your design includes a PLL, be aware that there is an additional side channel to consider. This new study also demonstrates that side channel leakage remains an open issue. We need to accept that new attacks will keep emerging and that strong security testing is needed to evaluate and mitigate the risk.