While cryptographic algorithms such as AES and RSA are standardized, so results from one implementation match another, important security considerations are highly implementation dependent. Designs that are functionally correct may not always be suitable, especially in embedded applications, because an attack technique called differential power analysis (DPA) can be used to extract the secret keys. DPA is remarkably effective against almost any software- or hardware-based cryptographic implementation (microcontroller, ASIC, or FPGA), unless countermeasures are used. How DPA works will be described, and implications of the attack to typical security applications presented. Several countermeasures suitable for software or co-processor (e.g., FPGA) implementations will be shown.