Low Power Embedded Security

Transcription

1 Low Power Embedded Security Ingrid Verbauwhede K.U.Leuven - ESAT - SCD/COSIC With thanks to: EMSEC and COSIC/HW team members E: ingrid.verbauwhede@esat.kuleuven.be Ingrid Verbauwhede 1 December 2006 Outline Embedded security Extra optimization goal: time area energy security Security as strong as the weakest link Bottom-up: Circuits & logic styles Micro-architecture HW & SW Algorithms & protocols Ingrid Verbauwhede 2 December 2006 Page 1

2 Embedded Security: Motivation Ambient intelligence PDA s, cell phones, smart cards, gadgets.. Distributed, communicating, devices Secure? Low Energy? Distributed security? New York Times (1/24/05): A Virus Writer Tests the Limits in Cell phones LosAngeles Times (10/14/06): Federal Data Theft Found to Affect Millions: Data Theft at Agencies Not as Uncommon as Hoped Ingrid Verbauwhede 3 December 2006 Embedded Security Pyramid Security is as strong as the weakest link! SIM Confidentiality Integrity Identification Cipher Design, Biometrics Java JCA JVM KVM Protocol: Wireless authentication protocol design Algorithm:Embedded fingerprint matching algorithms, crypto algorithms Architecture:Co-design, HW/SW, SOC CPU MEM Vcc Crypto Micro-Architecture: co-processor design D Q CLK Circuit: Circuit techniques to combat side channel analysis attacks Ingrid Verbauwhede 4 December 2006 Page 2

3 Side Channel Attacks Ingrid Verbauwhede 5 December 2006 Side channel attacks Based on observation of the embedded device: smart-card, RFID tag, FGPA, ASIC, embedded micro-controllers,. Observe: timing, power (= current), electro magnetic variations Simple attacks: one or a few measurements, visual inspection often sufficient Differential attacks: build a model of the behavior (e.g. the timing or current consumption) and correlate the measurement(s) with the model Higher order attacks, template attacks, combined attacks: as countermeasures improve, attacks become more complex Countermeasures: At circuit & logic level Micro-architecture level SW level Algorithm level Ingrid Verbauwhede 6 December 2006 Page 3

4 Consumes power when output makes a 0 to 1 transition Foundation: Intro to Static CMOS IN OUT 0 discharge charge transition Ingrid Verbauwhede 7 December 2006 As suggested by famous cryptographers... Duplicate logic 1-0 transition 0-1 transition IN IN OUT OUT discharge charge charge discharge Ingrid Verbauwhede 8 December 2006 Page 4

5 Dynamic logic Dynamic logic breaks input sequence or hamming distance IN 0 0 OUT Pre 1 OUT EV 1 Charge 0 in Pr(echarge) Ev(aluation) out discharge PDN discharge [Side note: no need to do the reset/precharge with a clock. Can also be done in asynchronous logic or with explicit reset data.] Ingrid Verbauwhede 9 December 2006 Transition independent power consumption doesn t create any side channel information When logic values are measured by charging and discharging capacitances, we need to use a fixed amount of energy for every transition switch a constant load capacitance switch once every cycle [Side note: in principle can also be obtained by current mode logic. But extremely hard to realize in practice.] Ingrid Verbauwhede 10 December 2006 Page 5

6 Dynamic and Differential logic is necessary but not sufficient Balance differential output nodes (Dis)charge all internal nodes (0,0) input clk E.g. DCVSL is not sufficient NAND A B A AND B (1,1) input clk Ingrid Verbauwhede 11 December 2006 Sense Amplifier Based Logic charges each cycle a constant load Balanced input and output nodes All internal nodes connect to an output clk NAND VDD clk AND A M1 A B B clk Ingrid Verbauwhede 12 December 2006 Page 6

7 Sense Amplifier Based Logic C tot=19.32ff NAND AND C tot=19.38ff NAND AND Ingrid Verbauwhede 13 December 2006 DPA on module of last round DES Experimental setup 4 6 P L CL 4 clk S1 substitution box clk P R 6 clk K Selection function D(K,C) predicts 1 st bit of P L. K guessed. C known. DPA: Power measurements are partitioned over 2 sets based on guess of secret key. Difference between typical supply currents of sets has noticeable peaks if guess was correct. Ingrid Verbauwhede 14 December 2006 Page 7

8 Implementation details Same circuit; two implementations. Difference in logic style: static CMOS SABL 0.18µm, 1.8V CMOS technology 5000 encryptions Hspice with 10ps simulation step Ingrid Verbauwhede 15 December 2006 Supply current profile irregular input dependent regular input independent [Tiri CHESS2003] Ingrid Verbauwhede 16 December 2006 Page 8

9 DPA differential trace secret key stands out secret key does not stand out [Tiri CHESS2003] Ingrid Verbauwhede 17 December 2006 Measurements to disclosure 200 cycles sufficient to disclose key transient response has died out Ingrid Verbauwhede 18 December 2006 Page 9

10 Standard building blocks A B Z 1 De-Morgan s Law A B A B Z Z 2 AND-ing with precharge signal A B A B prch Z Z false output with false inputs precharge 1: outputs are 0 precharge 0 - evaluation: 1 output is 1 Ingrid Verbauwhede 19 December 2006 Wave Dynamic Differential Logic Restrict library to AND, OR gate input 0 output 0 no precharge operator precharge inputs AND gate register prch OR gate clk clk prch. eval. Encryption Module Ingrid Verbauwhede 20 December 2006 Page 10

11 WDDL library All functions of and2, or2 operator In addition: inverted input, output signals XOR2X4: OAI221X2: Our WDDL library: 128 cells A0 AOI221X1 INVX2 A A AOI22X1 INVX4 Y A1 B0 B1 C0 Y OAI22X1 INVX4 A0 A1 OAI221X1 INVX2 B Y B0 B1 Y B C0 Ingrid Verbauwhede 21 December 2006 Experimental results Measurement results for FPGA test circuit out single ended out out WDDL Ingrid Verbauwhede 22 December 2006 Page 11

12 For constant power consumption: constant load capacitance. Match loads at differential outputs. Unbalanced capacitive loads Ingrid Verbauwhede 23 December 2006 Load capacitance breakdown gate R w,a C w,a C o,a C o,a C w,a R w,a C i,i2 gate 2 C o : intrinsic output capacitance C w : interconnect capacitance C i,i2 C i : input capacitance CA = CA Co,A + Cw,A + Ci,I1 + Ci,Ik = Co,A + Cw,A + Ci,I1 + Ci,Ik Cw,A = Cw,A C i,i1 gate 1 C i,i1 Intrinsic caps.: matched Interconnect: dominant (Moore s law) Balancing interconnect: crucial Ingrid Verbauwhede 24 December 2006 Page 12

13 Place & Route approach Parallel routes (adjacent tracks, same layer) balance geometric distances, parasitic effects Resistance: equal vias, wire segments Capacitance (to other layers): ideally same environment exact if every other layer is a power plane Metal x Metal y Via xy Ingrid Verbauwhede 25 December 2006 Differential pair routing Available via gridless/shape-based routers. only few critical signals (e.g. clock) experiment with 200 pairs: 8 hours CPU, 1000 conflicts, 100 open nets. Gridded routers avoid wires in parallel. We propose fat -wire routing. Abstract differential pair as one single fat wire. Route with fat wire; then decompose into pair. Ingrid Verbauwhede 26 December 2006 Page 13

14 1. Duplicate fat wire. 2. Slide apart copies. 3. Reduce to normal width. Fat wire decomposition DY -DY -DX DX Ingrid Verbauwhede 27 December 2006 Design example Two normal wires replace each fat wire. Ingrid Verbauwhede 28 December 2006 Page 14

15 AES, controller, fingerprint processor. Prototype IC ThumbPodII secure WDDL differential route insecure single-ended Ingrid Verbauwhede 29 December 2006 Circuit techniques to address SCA Standard cells: break AES with 8000 encryptions Special cells (build from standard cells): over 1.5M encryptions and still not broken STD CELL WDDL Ingrid Verbauwhede 30 December 2006 Page 15

16 DPA attack on AES key bytes- SCMOS Ingrid Verbauwhede 31 December 2006 DPA attack on WDDL Ingrid Verbauwhede 32 December 2006 Page 16

17 Security at circuit level: Back-end flow automated creates secure circuits But: Area + energy cost Security partitioning Security partitioning Ingrid Verbauwhede 33 December 2006 Security in an embedded system Embedded Security Server Non-secure/secure Interface distrusted environment Secure Embedded System root-of-trust Authentication Confidentiality Data Integrity Non-repudiation Ingrid Verbauwhede 34 December 2006 Page 17

18 Systematic Design Method: tree of trust Protocol, Application Server Client root-of -trust Architecture-level attacks Algorithm Noncritical software Crypto SW Microarchitecture-level attacks Architecture Non-secure HW Secure HW Micro-Architecture Circuit-level attacks Technology Regular CMOS DPA-resistant HW Ingrid Verbauwhede 35 December 2006 Example Application: ThumbPod Intelligent secure keychain device that recognizes owner biometrically Components: Microcontroller with memory Fingerprint sensor Biometric signal processing Security processing Communication: IR and USB Applications: Secure credit cards, secure memory, access control, etc. [UCLA work] Ingrid Verbauwhede 36 December 2006 Page 18

19 Security Partitioning Minutiae Extraction Secret Key Unprotected Template Matching Algorithm Algorithm Load Key Load Bogus Crypto Module Protected Only the sensitive template and the corresponding processes need to be protected. Fuzzy vault avoids storage of sensitive material but also a price in terms of performance and cost Ingrid Verbauwhede 37 December 2006 Security partitioning for Thumpod-II Thumbpod-II Processor & coprocessor Security partitioning Secure ASIC Regular processor ASIC NON-DPA LEON Processor AHB I/F Integer Unit AHB Controller Memory Controller Cache DCache -2KB I- Cache 2KB Boot PROM I/F Boot ROM ASIC DPA AHB/APB 32bits Memory Bus 2MB SRAM Bridge AES Coprocessor UART1 RS232 Comparator Template AMBA Peripheral Bus UART2 Fingerprint Sensor Storage Ingrid Verbauwhede 38 December 2006 Page 19

20 Support for security partitioning Hardware Software co-design SOC = embedded CPU with programmable co-processors SW Modem Security ISS Application dependent glue FSMD CPU/MEM Baseband Crypto Interconnect GEZEL Ingrid Verbauwhede 39 December 2006 Example of a GEZEL codesign Crypttext 128 aes_decoder done rst ld aes_top (AES/ECB) Key Plaintext instructions (0x ) data_in (0x ) data_out (0x ) Addr Data Embedded Software Driver µp Core FSMD model of hardware HW/SW Interfaces Library Blocks GEZEL Model Power Profile Cycle Performance VHDL SW Simulation (Instruction-Set Simulation) Ingrid Verbauwhede 40 December 2006 Page 20

21 Public Key: ECC/HECC HW/SW co-design HECC Scalar multiplication Point or divisor operations Combination of GF(2 n ) operations Basic GF(2 n ) operations C code assembly routines µcode sequences SW datapath HW P CPU P1 GF(2 n ) Coprocessor GEZEL based design [CHES 2005] Ingrid Verbauwhede 41 December 2006 HW/SW for HECC bit micro controller With/without hardware acceleration From the Tiny 8051 Core 3300 LUTs 820Bytes RAM 12KBytes ROM 8 84 GF(2 83 ) Mult/add unit LUTs + 100Bytes RAM MHz X MHz [Ches2005] Ingrid Verbauwhede 42 December 2006 Page 21

22 HW/SW for superscalar co-processor Superscalar ARM CPU 32-bit data Main CPU Memory Mapped I/O DBC Data Bus 32-bit instruction s Buffer Full µ-code RAM SRAM Program ROM FSM Instruction Bus IQB To the fancy Coprocessor IBC MALU 83 MALU 83 MALU 83 MALU 83 Coprocessor Memory [Ches2006] Ingrid Verbauwhede 43 December 2006 Crypto Heaven Embedded Security Protocol: Security Communication Computation trade-off Algorithm:Security partitioning Architecture:RINGS & Gezel, HW/SW Co-design Embedded Security is NOT a point solution! Micro-Architecture: co-processor design Circuit:WDDL & Diff routing, Secure memory Deep Submicron Hell Ingrid Verbauwhede 44 December 2006 Page 22