The embedded security challenge: Protecting bits at rest

Similar documents
Secure Design Methodology and The Tree of Trust

SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017

HOST Differential Power Attacks ECE 525

Implementation of DPA-Resistant Circuit for FPGA

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

A Key Management Scheme for DPA-Protected Authenticated Encryption

A physical level perspective

6.857 L17. Secure Processors. Srini Devadas

Outline. Trusted Design in FPGAs. FPGA Architectures CLB CLB. CLB Wiring

Implementation Tradeoffs for Symmetric Cryptography

Evaluating the Duplication of Dual-Rail Logics on FPGAs

Fault Sensitivity Analysis

Low Power Embedded Security

The Design and Evaluation Methodology of Dependable VLSI for Tamper Resistance

A Countermeasure Circuit for Secure AES Engine against Differential Power Analysis

Breaking the Bitstream Decryption of FPGAs

Prototype IC with WDDL and Differential Routing DPA Resistance Assessment

Design methods and tools for side channel attack resistant circuits

Breaking Korea Transit Card with Side-Channel Attack

SECURITY OF CPS: SECURE EMBEDDED SYSTEMS AS A BASIS

IBG Protection for Anti-Fuse OTP Memory Security Breaches

Investigation of a Masking Countermeasure against Side-Channel Attacks for RISC-based Processor Architectures

Connecting Securely to the Cloud

SIDE CHANNEL RISK EVALUATION AND MEASUREMENT (SCREAM)

Implementing Virtual Secure Circuit Using A Custom-Instruction Approach

Fundamentals of HW-based Security

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Masking as a Side-Channel Countermeasure in Hardware

Interfacing a High Speed Crypto Accelerator to an Embedded CPU

Countermeasures against EM Analysis

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

Cryptography and Network Security

2.1 Basic Cryptography Concepts

White-Box Cryptography State of the Art. Paul Gorissen

Investigation of DPA Resistance of Block RAMs in Cryptographic Implementations on FPGAs

Trojan-tolerant Hardware & Supply Chain Security in Practice

! Memory Overview. ! ROM Memories. ! RAM Memory " SRAM " DRAM. ! This is done because we can build. " large, slow memories OR

ARM Security Solutions and Numonyx Authenticated Flash

Section 6. Memory Components Chapter 5.7, 5.8 Physical Implementations Chapter 7 Programmable Processors Chapter 8

How Safe is Anti-Fuse Memory? IBG Protection for Anti-Fuse OTP Memory Security Breaches

Offline HW/SW Authentication for Reconfigurable Platforms. Eric Simpson, Patrick Schaumont

ECE 1160/2160 Embedded Systems Design. Midterm Review. Wei Gao. ECE 1160/2160 Embedded Systems Design

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Stream Ciphers. Stream Ciphers 1

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

Semiconductor Memory Classification. Today. ESE 570: Digital Integrated Circuits and VLSI Fundamentals. CPU Memory Hierarchy.

FPGA Based Design of AES with Masked S-Box for Enhanced Security

PRACTICAL DPA ATTACKS ON MDPL. Elke De Mulder, Benedikt Gierlichs, Bart Preneel, Ingrid Verbauwhede

COSADE Conference Series

Security against Timing Analysis Attack

Reconfigurable Computing. Introduction

CS310 Embedded Computer Systems. Maeng

Microsemi Secured Connectivity FPGAs

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

POWER ANALYSIS RESISTANT SRAM

A Reliable Architecture for Substitution Boxes in Integrated Cryptographic Devices

Integral Memory PLC. Crypto Dual (Underlying Steel Chassis) and Crypto Dual Plus (Underlying Steel Chassis) FIPS Security Policy

FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES

Uses of Cryptography

Digital Logic Design using Verilog and FPGA devices Part 2. An Introductory Lecture Series By Chirag Sangani

Fault injection attacks on cryptographic devices and countermeasures Part 1

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Hardware Security. Debdeep Mukhopadhyay

Stream Ciphers and Block Ciphers

Implementation of Full -Parallelism AES Encryption and Decryption

CSCE 715: Network Systems Security

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

An Instruction Set Extension for Fast and Memory- Efficient AES Implementation. Stefan Tillich, Johann Großschädl, Alexander Szekely

Dietary Recommendations for Lightweight Block Ciphers: Power, Energy and Area Analysis of Recently Developed Architectures

The S6000 Family of Processors

Security in NFC Readers

Stream Ciphers and Block Ciphers

ELECTRONICS DEPARTMENT

L2: FPGA HARDWARE : ADVANCED DIGITAL DESIGN PROJECT FALL 2015 BRANDON LUCIA

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Fault Sensitivity Analysis

Synthesis of Fault-Attack Countermeasures for Cryptographic Circuits

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

Masking the Energy Behavior of DES Encryption

P2_L6 Symmetric Encryption Page 1

PASSWORDS & ENCRYPTION

Data Encryption Standard (DES)

Contents Part I Basic Concepts The Nature of Hardware and Software Data Flow Modeling and Transformation

SECURE PARTIAL RECONFIGURATION OF FPGAs. Amir S. Zeineddini Kris Gaj

FPGA CAN BE IMPLEMENTED BY USING ADVANCED ENCRYPTION STANDARD ALGORITHM

ECRYPT II Workshop on Physical Attacks November 27 th, Graz, Austria. Stefan Mangard.

Hiding Higher-Order Leakages in Hardware

Encryption / decryption system. Fig.1. Block diagram of Hummingbird

Side-Channel Countermeasures for Hardware: is There a Light at the End of the Tunnel?

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Overview ECE 753: FAULT-TOLERANT COMPUTING 1/21/2014. Recap. Fault Modeling. Fault Modeling (contd.) Fault Modeling (contd.)

Crypto: Symmetric-Key Cryptography

Secret Key Algorithms (DES)

White-Box Cryptography

D eepa.g.m 3 G.S.Raghavendra 4

Design Techniques for Side-channel Resistant Embedded Software

On-Line Self-Test of AES Hardware Implementations

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Hardware-Focused Performance Comparison for the Standard Block Ciphers AES, Camellia, and Triple-DES

EE 3170 Microcontroller Applications

Transcription:

The embedded security challenge: Protecting bits at rest Patrick Schaumont schaum@vt.edu Acknowledgements: Eric Simpson, Pengyuan Yu Secure Embedded Systems Group ECE Department Secret bits-at-rest Hi-Res Digitized Signature Car Unlock Code AACS Keys (Blu-Ray DVD)

1 0 1 0 Classic security Protect bits 'in flight' using crypto Message Cipher Key Message Cipher Key 0 1 1 1 0 1 1 1 0 1 0 0 0??? Embedded security Need more than crypto to protect bits 'at-rest' Secret bits Flash Battery Bus-probing CPU Attach Debugger JTAG Power-analysis Side-channel

Keeping secrets in software doesn't work Example - Fairplay encryption scheme of Apple Song Song Audio Master Key Master Key Apple itune Server User Key Machine ID Remove DRM by compromising easy-to-access interfaces April 2007: Steve Jobs announces itunes will sell DRM-free songs Keeping secrets in hardware doesn't work Example: Aladdin etoken (2001) stores PIN in plaintext [grandideastudios.com] April 2007: Secustick ('self-destruct thumbdrive') is broken by means of a trivial hack [tweakers.net/reviews/683/1]

We need a secure design methodology Methodology - series of steps that can be learned and repeated. Zero-risk security does not exist Zero-power design does not exist either Low-risk security can be achieved Low-power operation can be achieved Power Area Security Performance Objective of secure design methodology: minimize spatial and temporal footprint of secret bits in embedded systems The starting point: Root of Trust A secret in a box by itself is useless (useless like a key without a matching door-lock) So a secure system contains at least two parts distrusted environment secure embedded system security policy authentication integrity confidentiality non-repudiation availability root-of-trust The part that always works as expected (or so you think!) Secret bits are inside of root-of-trust

Characteristics of attacks An 'attack' is an interface into the root-of-trust around the security policy distrusted environment secure embedded system attack abstraction level attacker proximity active/passive logical side-channel physical invasive/non-invasive off-line connected close-range physical side-channel fault-based spoof Example: Cache timing attack MEMORY (20 cycle/acces) data in round keys CACHE (1 cycle/acces) sbox shift rows mix columns (last round) add roundkey data out Execution time dependency due to cache conflicts Software Solution: constant-time crypto (hard)

Example: Cache timing attack Timing Side-Channel Root-of-Trust Top-level Policy MEMORY (20 cycle/acces) data in round keys CACHE (1 cycle/acces) sbox shift rows mix columns (last round) add roundkey data out Execution time dependency due to cache conflicts Software Solution: constant-time crypto (hard) Moving Sbox into Hardware SBOX regs (16 byte + 4 byte rkey) 32 32 register file instruction fetch/ decode 128 32 DCACHE sbox (AES32) ALU ICACHE 128 Hardware Sbox with ASIP interface CPU AES driver code RAM

Moving Sbox into Hardware SBOX regs (16 byte + 4 byte rkey) 32 32 register file instruction fetch/ decode Cache miss rate per encryption 128 32 sbox (AES32) 128 Hardware Sbox with ASIP interface Constant Execution Timing ALU CPU DCACHE ICACHE AES driver code RAM Software Sbox: 159 Dcache 138 Icache Hardware Sbox 0 Dcache 52 Icache StrongARM arch 1K I, 1K D cache, 16 byte/line direct Timing Side-channel fixed, but others remain.. Design Step: Secure partitioning Secure design over multiple abstraction levels (protocol, software, hardware, circuits) distrusted environment secure embedded system Interpreter Side-channels non-critical software crypto software Timing Side-channels non-critical hardware/ software crypto hardware Power Side-channels non-critical circuit crypto circuit Physical Tamper-resistance

Applications Hardware Chain-of-Trust Can we build a path in a device that is completely trusted, even as it extends into hardware? Side-channel resistant hardware in FPGA Can we port side-channel resistant design styles for ASIC into FPGA while maintaining their properties? Applications Hardware Chain-of-Trust Can we build a path in a device that is completely trusted, even as it extends into hardware? Side-channel resistant hardware in FPGA Can we port side-channel resistant design styles for ASIC into FPGA while maintaining their properties?

Hardware Chain of Trust for DRM - Why? D/A & Amplify Side-channel: Probe and extract DRM-free high-quality music Decode Download copy-righted multimedia into player Decrypt (DRM) Flash Memory Hardware Chain of Trust for DRM - Principle Encrypt at Server Hard-drive Challenge: How to build this chain-of-trust? D/A & Amplify Decode Decrypt (DRM) Flash Memory Decrypt at D/A conversion in Player Hardware-specific Key-exchange

Chain-of-trust for Video Messaging FPGA-unique encryption CF-card Display SW Trivium Key Message incorrect authentication incomplete chain-of-trust [Eric Simpson, VT] correct authentication complete chain-of-trust SAM key Trivium Stream Cipher VGA FPGA PPC Program Memory Chain-of-trust for Video Messaging FPGA-unique encryption CF-card Display SW Trivium Key Message SAM key Trivium Stream Cipher VGA FPGA PPC Program Memory

Chain-of-trust for Video Messaging CF-card FPGA-unique encryption Display SW Trivium Key Message Compact Flash Data PPC Baseline Config FPGA bitstream decryption (keys) SAM key Trivium Stream Cipher VGA FPGA PPC Program Memory Chain-of-trust for Video Messaging CF-card FPGA-unique encryption Display SW SAM key Trivium Key Message Trivium Stream Cipher VGA Compact Flash Data Secure SW & Data Download PPC Baseline Config SAM decryption (PUF) Configure VGA Display FPGA PPC Program Memory

Chain-of-trust for Video Messaging CF-card FPGA-unique encryption Display SW Trivium Key Message Compact Flash Data PPC Baseline Config SAM key Trivium Stream Cipher VGA Secure SW & Data Download Configure VGA Display FPGA PPC Program Memory Load Encrypted Message Display Video Message Trivium Stream Cipher (key) Applications Hardware Chain-of-Trust Can we build a path in a device that is completely trusted, even as it extends into hardware? Side-channel resistant hardware in FPGA Can we port side-channel resistant design styles for ASIC into FPGA while maintaining their properties?

Side-channel resistant design In KEY LOOKUP TABLE OUT SBOX Power Reduce Power Variation Constant-Power Design Wave Dynamic Differential Logic De-correlate Power Variation Masking Random Switching Logic Reducing Power Variations: WDDL Wave Dynamic Differential Logic (Tiri 2003) Gates have exactly one 0->1 transition per clock cycle Differential Logic Precharge Logic A A Q A Q F B B Q F PRECHRG EVAL Differential output ensures each switch contains 0->1 Precharge output guarantees switching each cycle

WDDL NAND Gate A A Q B B Q Φ F A B Q Q PRE EVAL PRE EVAL 0 1 0 1 0 0 0 1 0 1 0 0 0 0 0 1 Exactly one switching event per gate per cycle Matching Interconnect Capacitance WDDL GATE C1 C2 WDDL GATE Asymmetry in C-load gives residual power leakage Need symmetrical place-and-route technique, not easy in contemporary tools

Unbalanced WDDL easy to break Impact of imbalance of 1 part in 500 per WDDL net Frequency R KEY = 124 TOGGLE BIN Overall Power Variation ~ 1 per 15,000 KEY ESTIMATE @ 10,000 measurements WDDL in FPGA [Pengyuan Yu, VT] Use FPGA fabric regularity to build a better WDDL Single-Ended Circuit Differential Circuit Copy- Modify- Relocate 'Copy' + 'Relocate' results in identical routing pattern 'Modify' LUT content creates complementary logic function

Maping WDDL in FPGA Create complementary function starting from differential netlist by switching Q and Qbar WDDL WDDL with switched Q,Qbar - 4X in area over single-ended + same advantages as WDDL with symmetrical routing 'DWDDL', Double Wave Dynamic Differential Logic Test Setup considers 3 possible cases Single-ended WDDL WDDL + Complementary SE WDDL DWDDL

Test setup LFSR KEY LOOKUP TABLE SBOX OUT Measurements AC Current (ma) 20 16 12 8 0.8 0.4 0-0.4-0.8 DWDDL 1 cycle SE ( 1 scale) 10 WDDL 4 0-4 25 50 75 100

DPA on Measurements 0.3 0.25 0.2 0.15 0.1 0.05 0 Correlation on SE Key = 174 63 127 191 255 Key Correlation peak position on dual-rail design Bit 0 1 2 3 4 5 6 7 WDDL 19 152 68 174 174 99 174 174 DWDDL 194 174 64 27 190 238 10 113 Conclusions In embedded systems, ZERO-risk security does NOT exist In embedded systems, LOW-risk security IS possible Methodology is essential Chain-of-trust Side-channel Resistant Design Many open problems How to quantify security? Number of measurements? Cost versus Security trade-offs? Can we build tools to automate analysis and secure design?

Thanks! Patrick Schaumont, Eric Simpson, Pengyuan Yu Secure Embedded Systems Group ECE Department

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback