Breaking the Bitstream Decryption of FPGAs

Size: px

Start display at page:

Download "Breaking the Bitstream Decryption of FPGAs"

Rosalind Horton
6 years ago
Views:

1 Breaking the Bitstream Decryption of FPGAs 05. Sep Amir Moradi Embedded Security Group, Ruhr University Bochum, Germany

2 Acknowledgment Christof Paar Markus Kasper Timo Kasper Alessandro Barenghi 2

3 Outline Side Channel Attacks (in general) DPA/CPA Xilinx Bitstream Encryption 3

4 Side Channel Attacks Physical attacks observing physical characteristics e.g., power consumption running time electromagnetic radiation of a cryptographic DEVICE usually divide and conquer scheme recovering the relation between the side channel leakage and processed data 4

5 How to Measure Side Channel Leakages Running Time > straightforward by a counter/timer Power Consumption a resistor, an oscilloscope 5

6 Differential Power Analysis (DPA) Classifying the power consumption values in two groups 6

7 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups 7

8 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox 8

9 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox p 12 3d 78 f9 ab 3d 9

10 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox p 12 3d 78 f9 ab 3d 10

11 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox p 12 3d 78 f9 ab 3d 11

12 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox p 12 3d 78 f9 ab 3d power

13 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc

14 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc LSB

15 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc LSB [k=01] S 7d eb b6 41 ac eb 15

16 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc LSB [k=01] S 7d eb b6 41 ac eb LSB

17 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc LSB [k=01] S 7d eb b6 41 ac eb LSB [k=ff] S f LSB

18 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups power LSB 1, power LSB 0 p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc LSB Diff. of Means [k=01] S 7d eb b6 41 ac eb LSB [k=ff] S f LSB

19 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups power LSB 1, power LSB 0 p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc LSB Diff. of Means [k=01] S 7d eb b6 41 ac eb LSB [k=ff] S f LSB

20 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups power LSB 1, power LSB 0 p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc LSB Diff. of Means [k=01] S 7d eb b6 41 ac eb LSB [k=ff] S f LSB

Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups power LSB 1, power LSB 0 p k Sbox p 12 3d 78 f9 ab 3d power 0.12 0.

21 Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups power LSB 1, power LSB 0 p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc LSB Diff. of Means [k=01] S 7d eb b6 41 ac eb LSB [k=ff] S f LSB

22 Correlation Power Analysis (CPA) hypothetical model for power consumption 22

23 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) 23

24 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox 24

25 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d 25

26 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d 26

27 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d 27

28 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power

29 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc

30 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc

31 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc [k=01] S 7d eb b6 41 ac eb 31

32 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc [k=01] S 7d eb b6 41 ac eb

33 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc [k=01] S 7d eb b6 41 ac eb [k=ff] S f

34 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc Correlation [k=01] S 7d eb b6 41 ac eb [k=ff] S f

35 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc Correlation [k=01] S 7d eb b6 41 ac eb [k=ff] S f

36 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc Correlation [k=01] S 7d eb b6 41 ac eb [k=ff] S f

37 Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side channel leakage (power) p k Sbox p 12 3d 78 f9 ab 3d power [k=00] S c9 27 bc Correlation [k=01] S 7d eb b6 41 ac eb [k=ff] S f

38 Challenges Measurement quality Knowledge about the target device Mostly in evaluation labs (perfect situation) How about a real world scenario 38

39 Case Study: Xilinx Bitstream Encryption FPGAs = Reconfigurable Hardware Widely used in routers consumer products automotive, machinery military > million gates 39

40 Case Study: Xilinx Bitstream Encryption FPGAs = Reconfigurable Hardware Widely used in routers consumer products automotive, machinery military > million gates Config file Configuration loaded at power up bitstream Mbits 40

41 Bitstream/Configuration 41

42 Bitstream/Configuration PCB board SRAM FPGA 42

43 Bitstream/Configuration PCB board SRAM FPGA E2PROM 43

44 Bitstream/Configuration PCB board SRAM FPGA E2PROM Factory 44

45 Bitstream/Configuration PCB board SRAM FPGA Power up E2PROM Factory 45

46 Bitstream Encryption PCB board 46

47 Bitstream Encryption PCB board FPGA Design Secret Keys Proprietary Algorithms IP Cores Bitstream SRAM FPGA 3DES AES Bitstream 47

48 Bitstream Encryption PCB board FPGA Design Secret Keys Proprietary Algorithms IP Cores Bitstream SRAM FPGA 3DES AES DEC Bitstream 48

49 Bitstream Encryption FPGA Design Secret Keys Proprietary Algorithms IP Cores PCB board Bitstream SRAM FPGA 3DES AES DEC E2PROM Bitstream 49

50 Bitstream Encryption PCB board FPGA Design Secret Keys Proprietary Algorithms IP Cores Bitstream SRAM FPGA 3DES AES DEC E2PROM Bitstream Factory Internet Firmware Update 50

51 Bitstream Encryption PCB board FPGA Design Secret Keys Proprietary Algorithms IP Cores Bitstream SRAM FPGA DEC Power up E2PROM 3DES AES Bitstream Factory Internet Firmware Update 51

52 Bitstream Encryption PCB board FPGA Design Secret Keys Proprietary Algorithms IP Cores Bitstream Attacker? = SRAM FPGA DEC Power up E2PROM 3DES AES Bitstream Factory Internet Firmware Update 52

53 Bitstream Encryption PCB board FPGA Design Secret Keys Proprietary Algorithms IP Cores Bitstream Attacker? = SRAM FPGA DEC Power up E2PROM 3DES AES Bitstream Factory Internet Firmware Update 53

54 Side Channel? PCB board DEC E2PROM 54

55 Side Channel? PCB board DEC E2PROM 55

56 Side Channel? VCC IO VCC AUX PCB board VCC INT DEC E2PROM 56

57 Side Channel? VCC IO VCC AUX PCB board VCC INT DEC E2PROM 57

58 Side Channel? VCC IO VCC AUX PCB board VCC INT DEC Power up E2PROM 58

59 Side Channel? VCC IO VCC AUX PCB board VCC INT DEC Power up E2PROM 59

60 Side Channel? VCC IO VCC AUX PCB board VCC INT DEC Power up E2PROM unencrypted bitstream E2PROM 60

61 Challenges structure analysis protocol analysis bit wise feeding the encrypted bitstream developing a sophisticated configuration device trigger signal start of each ciphertext block visual inspection 61

62 Some Figures 62

63 Some Figures 63

revealed that : The selection of the decryption key from the storage is readable Initialization Value of

64 Bitstream Structural Analysis There are several documents by Xilinx on bistream structure but still some parts related to encryption stay unclear Analysis and comparison of plain and encrypted bitstream revealed that : The selection of the decryption key from the storage is readable Initialization Value of the CBC mode embedded in bitstream The decryption engine is enabled by a bitstream command Plain Encrypted 64

65 Decryption Timing Find the when the decryption takes place Must occur after at least a whole ciphertext block (64 bit) is in Should take place in less than 64 bits being sent in to match on-the-fly decryption Compare the power consumptions of encrypted and unencrypted bitstreams to reveal the time position The JTAG clock is driven by us We can freeze the programming process 65

66 Power Traces? 66

67 Power Traces? Ciphertext i 1 67

68 Power Traces? Ciphertext i 1 Ciphertext i 68

69 Power Traces? Ciphertext i 1 Ciphertext i Decryption (Ciphertext i 1 ) 69

70 Decryption Phase Two clock cycles after a ciphertext block is in, the decryption is performed Unencrypted bitstream Encrypted bitstream 70

71 Insulating the encryption engine Encryption engine far smaller than the whole FPGA circuit The device embeds a CPU (PowerPC403) in the fabric As the PPC is not used to perform the decryption, its power consumption is irrelevant for the analysis Since the PPC is clocked at 300MHz by an internal clock source, band-stop filtering the power traces removes its contribution 71

72 Zoomed Traces/Filtering Raw Filtered Timewise variance of 10k encryptions Raw Filtered 72

73 Power consumption/architecture hypotheses To successfully perform the attack, hypotheses on the decryption engine architecture must be made Switching activity of buffers storing intermediate values are good candidates for a power model DES cipher state buffer switching activity was modeled during a cipher round Switching activity conditioned by 6 bits of the key at a time was predicted (64 key hypotheses) Consumption model: switching activity of the round buffer 73

74 Assumed Internal Architecture 74

75 Assumed Internal Architecture Round based implementation of DES 75

76 Assumed Internal Architecture Round based implementation of DES Separate stage for initial and final permutation 76

77 Assumed Internal Architecture Round based implementation of DES Separate stage for initial and final permutation One round per crypto-engine clock cycle 77

78 Assumed Internal Architecture Round based implementation of DES Separate stage for initial and final permutation One round per crypto-engine clock cycle Internal 64 bit buffer stores cipher state 78

79 Architecture Hypothesis Validation Need to validate the architecture hypothesis before the attack 79

80 Architecture Hypothesis Validation Need to validate the architecture hypothesis before the attack Correlating to HW of Ciphertexts and output of each DES 80

attack Correlating to HW of Ciphertexts and output

81 Architecture Hypothesis Validation Need to validate the architecture hypothesis before the attack Correlating to HW of Ciphertexts and output of each DES Correlating to HD of consecutive round outputs 81

82 Final Attack Results Attack on 6 bits of the 1 st DES the key (round 1) 82

Final Attack Results Attack on 6 bits of the 1 st DES the key (round 1) The key is recoverable with ~ 50000 decryption power measures (less than a single bitstream decryption for almost all V2Pro

83 Final Attack Results Attack on 6 bits of the 1 st DES the key (round 1) The key is recoverable with ~ decryption power measures (less than a single bitstream decryption for almost all V2Pro devices) The attack is still possible with lowpass filtered and decimated traces up to 100MSa/s A single attack to recover 6 bits of a DES key takes a couple of seconds on a common desktop Complete 3DES key recovered in 2-3 minutes of computation 83

84 Final Attack Results Successful Side Channel attack estimating a very small part of the active digital logic Correlation power analysis is scale invariant, as long as there are correlated variations No explicit SCA countermeasures present, sheer size of the platform thought to be enough Proper filtering of the obtained signal removes non-relevant consumption Mainly security through obscurity Methodic reverse engineering leads to figuring out the structure 84

85 How about more recent devices V4, V5, S6? 85

86 Embedded Security Group Visual Inspection CLK normal ENC ECRYPT II Summer School: Challenges in Security Engineering Bochum 05. Sep Amir Moradi 86

87 Embedded Security Group Visual Inspection CLK normal ENC average over 10k traces ECRYPT II Summer School: Challenges in Security Engineering Bochum 05. Sep Amir Moradi 87

88 Embedded Security Group Filtering CLK zoom filter ENC peak extraction, AES 256 ECRYPT II Summer School: Challenges in Security Engineering Bochum 05. Sep Amir Moradi 88

89 Known Steps guessing the architecture guessing the power model known key scenario check their validity Finally after 3 months 89

90 Findings Architecture (AES 256) Bit flips in registers (Hamming distance) as the model 90

91 Model for Power Consumption Hamming Distance of state register R Problem: At least 64 bit hypothesis to attack power consumption of 32 bit leakage 91

92 Model for Power Consumption Exploit linearity 32 bit hypotheses to attack single bit power model Fine in theory, but can we detect the leakage of a single bit in practice? 92

93 The Attack 2 35 (= 34,359,738,368) keys to test 60,000 power traces 128 GiB of 32 bit floating point results Can be done but not practical on CPUs 93

94 GPUs for Power Analysis Used System 4x Nvidia Tesla C2070 GPUs Each one has 6 GB of RAM and 448 cores Clocked at 1.15 GHz HDD is not the bottleneck Full attack in around 4.5 hours (V4, 60k traces) 94

95 Result Virtex 4 60k traces Other Columns show similar results Virtex 5: The same attack works (6.5 hours, 90k traces) 95

96 Lessons Learned Bitstream encryption is vulnerable to SCA New modern CMOS technology can be attacked in practice (90nm/65nm/45nm) Reusing crypto cores simplifies analyses Attacks on 32 bit hypotheses are realistic threats GPUs are a nice tool for attacks where computation time dominates 96

97 Recent Results and ongoing Work Up to know, the broken devices: Virtex II pro Virtex 4 Virtex 5 Spartan 6 Actel (Microsemi) S. Skorobogatov, C. Woods Those which come soon or later Virtex 6 Kintex 7 Stratix II (Altera) 97

98 Thanks! Any questions? Embedded Security Group, Ruhr University Bochum, Germany

Side-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel?

Side-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel? 11. Sep 2013 Ruhr University Bochum Outline Power Analysis Attack Masking Problems in hardware Possible approaches