Encription using low cost microcontrollers

Transcription

1 Encription using low cost microcontrollers Marko Pavlin HYB d.o.o., Trubarjeva 7, SI-8310 Šentjernej, Slovenia ABSTRACT: Low cost 8-bit microcontrollers in tiny low pin count housings has limited memory space and computing power. The goal is to implement simple encription using many rounds of a simple round function, which can fit within less than half kilobyte of 8- bit code. Due to limited resources, the data being encripted or decripted is limited to fixed size block. There are many block chiphers and the Tiny Encryption Algorithm (TEA) with related variants (XTEA, Block TEA, XXTEA) seems to be optimal block ciphers notable for their simplicity of description and implementation typically a few lines of code and most suitable for implementation in tiny microcontrollers. Main question is how legitimate is a requirement of tinyness for real-world applications? Introduction Low cost 8-bit microcontrollers in tiny low pin count housings has limited memory space and computing power. The goal is to implement simple encription using many rounds of a simple round function, which can fit within less than half kilobyte of 8-bit code. Due to limited resources, the data being encripted or decripted is limited to fixed size block. There are many block chiphers and the Tiny Encryption Algorithm (TEA) with related variants (XTEA, Block TEA, XXTEA) seems to be optimal block ciphers notable for their simplicity of description and implementation typically a few lines of code and most suitable for implementation in tiny microcontrollers. ). Main question is how legitimate is a requirement of tinyness for real-world applications? Where low cost demands are main requirement, it is very legitimate. The implemented algorithm will be used in low cost disposable sensor device, where size and cost are main concerns. Solution for this application should have price less than half, should have low component count and should do "something more" than just coding and decoding the blocks of data. The microcontroller is used as encripting device for live data stream and the goal is to achieve more than 100 encriptions per second with internal RC clock generator. The paper starts with theory of tiny encryption and its possible weaknesses. The actual implementation is described in next section. The whole picture is round up by description of all functions of the device: single wire communication and internal flash data stroage, used to store encryption key. Finally, conclusion summarises the work and suggest some improvements and further tasks, mostly for host application. Theory The Tiny Encription Algorithm (TEA) was designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory, and first presented at the Fast Software Encryption workshop in 1994 [3]. It is not subject to any patents. Weakneses of TEA has

2 been reported: cipher is vulnerable to equivalent keys, related-key and slide attacks [5]. Most notably, it suffers from equivalent keys - each key is equivalent to three others, and this means that the effective key size is only 126 bits [6]. This weakness led to a method for hacking Microsoft's Xbox game console. The the cipher used in Xbox was used as a hash function [7]. Because of these weaknesses, a number of revisions of TEA have been designed, including XTEA. The extended tiny encription algorithm (XTEA) is a block cipher designed to correct weaknesses in TEA. The algorithm was presented in an unpublished technical report in 1997 [8]. Like TEA, XTEA is a 64-bit block Feistel network with a 128-bit key and a suggested 64 rounds. As of 2006, the best attack reported on XTEA is a related-key differential attack on 26 out of 64 rounds of XTEA [4]. void encipher(unsigned long* v, unsigned long* k) { unsigned long v0=v[0], v1=v[1], i; unsigned long sum=0, delta=0x9e3779b9; for(i=0; i<32; i++) { v0 += ((v1 << 4 ^ v1 >> 5) + v1) ^ (sum + k[sum & 3]); sum += delta; v1 += ((v0 << 4 ^ v0 >> 5) + v0) ^ (sum + k[sum>>11 & 3]); v[0]=v0; v[1]=v1; Fig.1 - XTEA chipher void decipher(unsigned long* v, unsigned long* k) { unsigned long v0=v[0], v1=v[1], i; unsigned long sum=0xc6ef3720, delta=0x9e3779b9; for(i=0; i<32; i++) { v1 -= ((v0 << 4 ^ v0 >> 5) + v0) ^ (sum + k[sum>>11 & 3]); sum -= delta; v0 -= ((v1 << 4 ^ v1 >> 5) + v1) ^ (sum + k[sum & 3]); v[0]=v0; v[1]=v1; Fig.2 - XTEA dechipher As shown in Fig. 1 and 2 XTEA uses three basic operations: XOR, addition modulo 2 23 and bit shifts. The source code could be misunderstood. The source code in C, the addition (+) takes precedence over XOR (^). This means that the XTEA round function, y += (z<<4 ^ z>>5) + z ^ sum + k[sum&3], is equivalently bracketed y += ((z<<4 ^ z>>5) + z) ^ (sum + k[sum&3]).

3 Implementation - encription The XTEA is implemented with P89LPC9107, single-chip microcontrollers in low-cost 14- pin TSSOP package based on a high performance 80C51 processor architecture that executes instructions in two clock cycles. It has 1 kb byte-erasable Flash code memory, 128-byte RAM data memory, high-accuracy internal RC oscillator and several system-level functions incorporated in order to reduce component count, board space, and total system cost. Just perfect for the requiremets of low cost, disposable device. Fig. 3: unsigned char y0,y1,y2,y3,z0,z1,z2,z3; code unsigned char key[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10; extern void xteafwd(void); extern void xtearev(void); void main() { y0 = 0x12; y1 = 0x23; y2 = 0x56; y3 = 0xde; while(1) { xteafwd(); xtearev(); Due to optimisation purposes, the whole algorithm is implemented in assembly code. Chipher and dechipher are called from C code as external functions: extern void xteafwd(void); and extern void xtearev(void); Testing program is shown in fig. 3. Fixed block of data being encripted is defined as unsigned char y0,y1,y2,y3,z0,z1,z2,z3; When compiled, the chipher ocupies 218 bytes of code. It takes about 7000 machine cycles to complete 64 rounds. Dechipher needs 224 bytes of code and runs for little more than 7000 cycles. When internal RC oscillator is used, the core clock is MHz. Coding and decoding is finished in less than 2ms, which turns out in about 500 encriptions per second. Test results from simulator are shown in Table 1.

4 Table 1 - XTEA implementation performance Encoding Decoding Key length 128 bitov 128 bitov Data block length 64 bitov 64 bitov Code size Code run (cycles) 6954 C 7053 C Code run (ms) ms ms Implementation - interface Disposable sensing device are very price sensitive devices. All elements of the device should be reduced to minimum and with maximum functionality, therefore the interfacing of the microcontroller to the host application is implemented via single wire half duplex serial communication. Using internal UART just few lines of additional code is used. The communication operates with single UART interrupt service routine (Fig. 4). Hardware for the interface is part of the microcontroller internal hardware. Connection to host application is over single data line. Data rate is defined by internal baud rate generator or timer. Successfull data transfer at 1M bit/s was tested over short distances of few meters. This is sufficient for disposable sensing devices, where vital signs are measured by monitor, placed close to the patient. Fig. 4: void uart_isr ( void ) interrupt 4 using 1 { if (RI) { // clear interrupt flag RI = 0; // if if (TI) { // clear interrupt flag TI = 0; // no longer busy mtxbusy = 0; // if // uart_isr Implementation - key storage in flash memory Encription key is stored internally in flash memory. In-application flash memory programming allows individual and multiple bytes of code memory to be used for data storage and programmed under control of the end application using four registers and an internal 16-byte page register to facilitate erasing and programing within unsecured sectors. Contents of flash is protected by hardware write enable protection. This protection applies during in-application programming mode and applies to both the user code memory

5 space and the user configuration bytes. The encription key can be changed using flash_write_byte() routine (Fig. 5). /******************************************************************** * flash_write_byte() * Input(s) : Memory address to write to. * Returns : bit, flash write succes or fail. * Description : write databyte to flash ********************************************************************/ bit flash_write(char addresshigh, char addresslow, char databyte) { FMCON = LOAD; /* set up load command */ FMADRL = addresslow; /* set up low databyte */ FMADRH = addresshigh; /* set up high databyte */ FMDATA = databyte; /* set up databyte */ FMCON = ERASEPROGRAM; /* erase program command */ return FMCON&0x8F; Fig. 5 Conclusions In the paper it has been shown that usable and strong encryption can be implemented using standard and smallest microcontrollers. Even with it's limitations, small 8-bit microcontroller is suitable even for on-line encryption of live data stream, generated by disposable sensor, where data rate is lower than 500 samples/s and 64-byte sample size. Simple and fast serial communication over single data line was implemented using internal UART interface and tested over short distance. It has been shown that simple and cheap solution for data encryption may be implemented in disposable sensor device. Some open questions stil remains: - Implementation of protocol for transfering keys. - Host application implementation using FPGA. REFERENCES [1] An attack on a weakened version of TEA, Roger Fleming, sci.crypt google group [2] Bruce Schneier: Related-Key Cryptanalysis of 3-WAY, Biham-DES, CAST, DES-X, NewDES, RC2, and TEA, ICICS '97 Proceedings, Springer-Verlag, November 1997, pp [3] David J. Wheeler and Roger M. Needham. TEA, a tiny encryption algorithm. In Bart Preneel, editor, Fast Software Encryption: Second International Workshop, volume 1008 of Lecture Notes in Computer Science, pages , Leuven, Belgium, December Springer-Verlag.

6 [4] Youngdai Ko, Seokhie Hong, Wonil Lee, Sangjin Lee, and Jongin Lim. "Related key differential attacks on 26 rounds of XTEA and full rounds of GOST." In Proceedings of FSE '04, Lecture Notes in Computer Science, Springer-Verlag. [5] A. Biryukov and D. Wagner. Slide attacks. In Lars Knudsen, editor, Fast software encryption: 6th International Workshop, FSE'99, Rome, Italy, March 24-26, 1999: proceedings, volume 1636 of Lecture Notes in Computer Science, pages , Berlin, Germany / Heidelberg, Germany / London, UK / etc., Springer-Verlag. ISBN X (softcover). [6] John Kelsey, Bruce Schneier, and David Wagner. Key-schedule cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES. Lecture Notes in Computer Science, 1109: , ISSN [7] Wikipedia, "17 Mistakes Microsoft Made in the Xbox Security System"; URL: Hash [8] Roger M. Needham and David J. Wheeler. Tea extensions. Technical report, Computer Laboratory, University of Cambridge, October 1997.