Performance and Security Aspects of Client-Side SSL/TLS Processing on Mobile Devices

The SSL/TLS protocol is the de-facto standard for secure Internet communications, and supported by virtually all modern e-mail clients and Web browsers. With more and more PDAs and cell phones providing wireless e-mail and Web access, there is an increasing demand for establishing secure SSL/TLS connections on devices that are relatively constrained in terms of computational resources. In addition, the cryptographic primitives executed on the client side need to be protected against side-channel analysis since, for example, an attacker may be able to monitor electromagnetic emanations from a mobile device. Using an RSA-based cipher suite has the advantage that all modular exponentiations on the client side are carried out with public exponents, which is uncritical regarding performance and side-channel leakage. However, the current migration to AES-equivalent security levels makes a good case for using an Elliptic Curve Cryptography (ECC)-based cipher suite. We show in this paper that, for high security levels, ECC-based cipher suites outperform their RSA counterparts on the client side, even though they require the integration of diverse countermeasures against side-channel attacks. Furthermore, we propose a new countermeasure to protect the symmetric encryption of messages (i.e. “bulk data”) against Differential Power Analysis (DPA) attacks. This new countermeasure, which we call

Inter-Block Shuffling (IBS)

, is based on an “interleaved” encryption of a number of data blocks using a non-feedback mode of operation (such as counter mode), and randomizes the order in which the individual rounds of the individual blocks are executed. Our experimental results indicate that IBS is a viable countermeasure as it provides good DPA-protection at the expense of a slight degradation in performance.