Cryptographic circuits need to be protected against side-channel attacks, which target their physical attributes while the cryptographic algorithm is in execution. There can be various side-channels, such as power, timing, electromagnetic radiation, fault response, and so on. One such important side-channel is the design-for-testability (DfT) infrastructure present for effective and timely testing of VLSI circuits. The attacker can extract secret information stored on the chip by scanning out test responses against some chosen plaintext inputs. The purpose of this paper is to first present a detailed survey on the state-of-the-art in scan-based side-channel attacks on symmetric and public-key cryptographic hardware implementations, both in the absence and presence of advanced DfT structures, such as test compression and X-masking, which may make the attack difficult. Then, the existing scan attack countermeasures are evaluated for determining their security against known scan attacks. In addition, JTAG vulnerability and security countermeasures are also analyzed as part of the external test interface. A comparative area-timing-security analysis of existing countermeasures at various abstraction levels is presented in order to help an embedded security designer make an informed choice for his intended application.INDEX TERMS Hardware security, scan-based attacks, test interface misuse, scan attack countermeasures, comparative area-timing-security analysis.