Evaluating memory protection of smartcards and similar devices. Wolfgang Killmann, T-Systems GEI GmbH

Transcription

1 Evaluating memory protection of smartcards and similar devices Wolfgang Killmann, T-Systems GEI GmbH

2 Motivation of the talk Confidentiality of stored data is a core security feature but memory may be physically read. Combination and binding of data encryption, address scrambling and key protection is crucial. Memory encryption should be seen as security architectural feature. Evaluators shall analyse and assess the effectiveness of memory encryption if physical protection is not sufficiently strong. Conclusions for developers, evaluators, certifier, system designer and costumer.

3 Protection of stored data Layer of data encryption Application layer User data (application specific) Operating system layer used to protect confidentiality depends on Cryptographic key of application User data TSF data Hardware layer used to encrypt and to check integrity confidentiality depends on Cryptographic key of operating system Memory data (SW, user data,tsf data) used to encrypt confidentiality depends on Cryptographic key of memory encryption Secret sharing Physical protection

4 Protection of stored data Vulnerabilities CPU Dedicated and embedded software User data, TSF data ROM E²PROM/ Flash MMU logical address RAM Source of pictures: Ch. Tarnowski: Security Failure In Secure Devices, Black Hat Europe, Ch. Tarnovski, C. Nohl: Reviving smart card analysis, Black Hat Conference, C. De Nardial at al.: Direct Measurements of Charge in Floating Gate Transistor Channels of Flash Memories Using Scanning Capacitance Microscopy, Proceedings of the 32nd International Symposium for Testing and Failure Analysis November 12-16, 2006, Renaissance Austin Hotel, Austin, Texas, USA

5 Memory encryption Definition Memory encryption = cryptographic protection of confidentiality (and integrity) of stored or internally transferred data provided by the security IC comprises data encryption, address encryption, key management Bus encryption may additionally protect internally transferred data.

6 Memory encryption Peculiarities of memory encryption Cryptanalytic attacks on ciphertexts, keys and cryptographic module are parts of more complex attacks aiming on plaintexts of user data Limited resources for the cryptographic module and the time of cryptographic operations ( no limitation for keys or key components!) lightweight cryptographic algorithms no need for interoperability because of internal use only (sufficiently analysed?) proprietary algorithms

7 Memory encryption Principle CPU Physical attacks plaintext Known plaintext attack Chosen text attack Data Encryption (enc & dec) Physical attacks ciphertext Key storage Physical attacks Ciphertext only attack Encrypted Memory MMU Physical attacks map. log. address Address Encryption (enc only) physical address Physical attacks Known plaintext attack Chosen text attack Physical attacks Physical attacks

8 Memory encryption Data encryption an address scrambling plaintext ciphertext substitution transposition Data encryption Address encryption Physical layout of memory

9 Memory encryption Examples of address encryption XOR addr = addrlo gic key phys 1 plaintext-ciphertextpair breaks very easily affine mapping addrphys = Akey1 addrlo gic key 2 >2 plaintext-ciphertextpairs break easily SP network addr = Enc ( addr, key ) phys lo gic more expensive but difficult to predict

10 Memory encryption Key management Goal increase effort of physical attacks for compromising the keys Cryptographic methods split 1 key into n key components (e.g. by xoring n key components) Cryptanalytic methods all n key components must be known Physical protection remains crucial! separate keys and cipher text store key components in EEPROM key Picture: Wikipedia, PeterJohnBishop

11 Evaluation of memory encryption Security objective, SFR, security architecture Informative part of PP/ST and security objectives primary goal: protection of user data and providing security services secondary goal: protection of TSF data, stored and executed software Security functional requirements (SFR) no SFR requiring directly confidentiality protection of stored data FPT_PHP requires physical protection of the other SFR Security architecture non-bypassability: defence against physical reading of memory self-protection: protecting TSF and data against tampering of memory secure initialization: transition from power-off state (encrypted memory) into power-on state (transparent encryption)

12 Vulnerability assessment Memory encryption as part of memory protection Memory encryption is part of the more complex memory protection vulnerability analysis shall cover the full attack path cryptanalysis must consider the concrete preconditions of the attack amount of known ciphertexts information about plaintexts, keys or key components or their parts conditions for active attacks (e.g. chosen plaintext attack) Cryptanalytic assessment of memory encryption necessary if the other security measure are not sufficient to counter the attacks defines conditions for cryptanalytic attacks aiming at plaintexts or memory encryption keys (intermediate step of the complex attack!)

13 Vulnerability analysis Cryptanalysis with standard methods Standard cryptanalytic methods information gathering without key recovery brute force key guessing solving key equations (algebraic attacks) key1 key2 Adaption of standard cryptanalytic attacks more effective, limited amount of data, proprietary cryptographic algorithms meet-in-the-middle for iterated cipher rounds Linear cryptanalysis Differential cryptanalysis classical, trunked, impossible, key3 key n Example substitutionpermutation network

14 Vulnerability analysis Assessment of cryptographic attacks (Factors I) Factors for attack potential calculation more detailed definition for the factors knowledge of the TOE, expertise, equipment and open sample for elapsed time and access to TOE cf. CCDB no changes for the points (they address the whole attack!) Knowledge of the TOE public: algorithm if made public by developer or attacker (cf. DEGATE project) restricted or sensitive: proprietary algorithm as protected by developer critical: long term keys like substitution boxes, group keys Expertise layman: application of public known attacks with public available tools proficient: adaption of public known attacks to specific algorithms expert: development of specific attacks

15 Vulnerability analysis Assessment of cryptographic attacks (Factors II) Equipment none: applicable only if calculation can be performed by hand (e.g. xor) standard: public available software for PC (including GPU and cluster support) specialised: non-public available tools e.g. for proprietary algorithm bespoke: special devices with special software (non-standard key cruncher) Open samples Open samples should not provide access to memory encryption If open samples provide access to memory encryption the developer shall describe functions related to memory encryption available at external interfaces, e.g. key management, export of plaintext-ciphertext pairs,... operational memory encryption keys they contain, e.g. long term keys

16 Vulnerability assessment Conclusion Vulnerability assessment of memory protection may include analysis and assessment of memory encryption if the other security measure alone are not sufficient to counter the attack. Vulnerability analysis of memory encryption by evaluators assesses the cryptanalytic attack effort as part of a complex attack but neither requires nor claims being an comprehensive cryptanalysis The certification body shall review the vulnerability assessment of memory protection including vulnerability analysis of memory encryption as its part confirmation of the resistance against attacks on memory protection cannot be seen as general confirmation of cryptographic strength of their memory encryption

17 Summary of the talk Developer should pay more attention to memory encryption. They may use proprietary algorithms if sufficiently analysed. Evaluators shall analyse and access the effectiveness of memory protection. This should include cryptanalytic assessment of memory encryption if physical protection is not strong enough to counter the attack. Certifier shall support realistic vulnerability assessment by agreed guidance. System designer should reduce the value of successful attack on memory.

18 Thank you for your attention! Any question? Wolfgang Killmann T-Systems GEI GmbH Vorgebirgsstr. 49 D Bonn Germany