Cryptography Research Inc, the company behind the design of the SSL v3.0 protocol that is used to secure transactions on the world wide web, claims to have discovered a new class of attacks that could be used by hackers to extract secret keys and information from smart cards and secure cryptographic tokens.

Known as Differential Power Analysis (DPA), the San Francisco, California-based company says it could be a serious issue affecting smart cards and many other supposedly tamper-resistant hardware devices.

Although DPA attacks require a high level of technical skill in several fields to implement, they can be performed using a few thousand dollars of standard equipment. CRI maintains that once perfected, the technique can be used to break a device in a few hours or less. DPA attacks can then be automated.

Unsurprisingly, the company claims to be one step ahead with a workstation system that will defend against this new class of attacks by testing power-related security vulnerabilities. Cryptography Research provides a variety of design and research services to Visa International, Mondex, Netscape, Microsoft and Intuit.

The market for smart cards surged in the six months ending June 2002, with shipments to the US and Canada exceeding 31 million cards, more than double that for the year-ago period.

© ComputerWire