The embedded security challenge: Protecting bits at rest Patrick Schaumont schaum@vt.edu Acknowledgements: Eric Simpson, Pengyuan Yu Secure Embedded Systems Group ECE Department Secret bits-at-rest Hi-Res Digitized Signature Car Unlock Code AACS Keys (Blu-Ray DVD)
1 0 1 0 Classic security Protect bits 'in flight' using crypto Message Cipher Key Message Cipher Key 0 1 1 1 0 1 1 1 0 1 0 0 0??? Embedded security Need more than crypto to protect bits 'at-rest' Secret bits Flash Battery Bus-probing CPU Attach Debugger JTAG Power-analysis Side-channel
Keeping secrets in software doesn't work Example - Fairplay encryption scheme of Apple Song Song Audio Master Key Master Key Apple itune Server User Key Machine ID Remove DRM by compromising easy-to-access interfaces April 2007: Steve Jobs announces itunes will sell DRM-free songs Keeping secrets in hardware doesn't work Example: Aladdin etoken (2001) stores PIN in plaintext [grandideastudios.com] April 2007: Secustick ('self-destruct thumbdrive') is broken by means of a trivial hack [tweakers.net/reviews/683/1]
We need a secure design methodology Methodology - series of steps that can be learned and repeated. Zero-risk security does not exist Zero-power design does not exist either Low-risk security can be achieved Low-power operation can be achieved Power Area Security Performance Objective of secure design methodology: minimize spatial and temporal footprint of secret bits in embedded systems The starting point: Root of Trust A secret in a box by itself is useless (useless like a key without a matching door-lock) So a secure system contains at least two parts distrusted environment secure embedded system security policy authentication integrity confidentiality non-repudiation availability root-of-trust The part that always works as expected (or so you think!) Secret bits are inside of root-of-trust
Characteristics of attacks An 'attack' is an interface into the root-of-trust around the security policy distrusted environment secure embedded system attack abstraction level attacker proximity active/passive logical side-channel physical invasive/non-invasive off-line connected close-range physical side-channel fault-based spoof Example: Cache timing attack MEMORY (20 cycle/acces) data in round keys CACHE (1 cycle/acces) sbox shift rows mix columns (last round) add roundkey data out Execution time dependency due to cache conflicts Software Solution: constant-time crypto (hard)
Example: Cache timing attack Timing Side-Channel Root-of-Trust Top-level Policy MEMORY (20 cycle/acces) data in round keys CACHE (1 cycle/acces) sbox shift rows mix columns (last round) add roundkey data out Execution time dependency due to cache conflicts Software Solution: constant-time crypto (hard) Moving Sbox into Hardware SBOX regs (16 byte + 4 byte rkey) 32 32 register file instruction fetch/ decode 128 32 DCACHE sbox (AES32) ALU ICACHE 128 Hardware Sbox with ASIP interface CPU AES driver code RAM
Moving Sbox into Hardware SBOX regs (16 byte + 4 byte rkey) 32 32 register file instruction fetch/ decode Cache miss rate per encryption 128 32 sbox (AES32) 128 Hardware Sbox with ASIP interface Constant Execution Timing ALU CPU DCACHE ICACHE AES driver code RAM Software Sbox: 159 Dcache 138 Icache Hardware Sbox 0 Dcache 52 Icache StrongARM arch 1K I, 1K D cache, 16 byte/line direct Timing Side-channel fixed, but others remain.. Design Step: Secure partitioning Secure design over multiple abstraction levels (protocol, software, hardware, circuits) distrusted environment secure embedded system Interpreter Side-channels non-critical software crypto software Timing Side-channels non-critical hardware/ software crypto hardware Power Side-channels non-critical circuit crypto circuit Physical Tamper-resistance
Applications Hardware Chain-of-Trust Can we build a path in a device that is completely trusted, even as it extends into hardware? Side-channel resistant hardware in FPGA Can we port side-channel resistant design styles for ASIC into FPGA while maintaining their properties? Applications Hardware Chain-of-Trust Can we build a path in a device that is completely trusted, even as it extends into hardware? Side-channel resistant hardware in FPGA Can we port side-channel resistant design styles for ASIC into FPGA while maintaining their properties?
Hardware Chain of Trust for DRM - Why? D/A & Amplify Side-channel: Probe and extract DRM-free high-quality music Decode Download copy-righted multimedia into player Decrypt (DRM) Flash Memory Hardware Chain of Trust for DRM - Principle Encrypt at Server Hard-drive Challenge: How to build this chain-of-trust? D/A & Amplify Decode Decrypt (DRM) Flash Memory Decrypt at D/A conversion in Player Hardware-specific Key-exchange
Chain-of-trust for Video Messaging FPGA-unique encryption CF-card Display SW Trivium Key Message incorrect authentication incomplete chain-of-trust [Eric Simpson, VT] correct authentication complete chain-of-trust SAM key Trivium Stream Cipher VGA FPGA PPC Program Memory Chain-of-trust for Video Messaging FPGA-unique encryption CF-card Display SW Trivium Key Message SAM key Trivium Stream Cipher VGA FPGA PPC Program Memory
Chain-of-trust for Video Messaging CF-card FPGA-unique encryption Display SW Trivium Key Message Compact Flash Data PPC Baseline Config FPGA bitstream decryption (keys) SAM key Trivium Stream Cipher VGA FPGA PPC Program Memory Chain-of-trust for Video Messaging CF-card FPGA-unique encryption Display SW SAM key Trivium Key Message Trivium Stream Cipher VGA Compact Flash Data Secure SW & Data Download PPC Baseline Config SAM decryption (PUF) Configure VGA Display FPGA PPC Program Memory
Chain-of-trust for Video Messaging CF-card FPGA-unique encryption Display SW Trivium Key Message Compact Flash Data PPC Baseline Config SAM key Trivium Stream Cipher VGA Secure SW & Data Download Configure VGA Display FPGA PPC Program Memory Load Encrypted Message Display Video Message Trivium Stream Cipher (key) Applications Hardware Chain-of-Trust Can we build a path in a device that is completely trusted, even as it extends into hardware? Side-channel resistant hardware in FPGA Can we port side-channel resistant design styles for ASIC into FPGA while maintaining their properties?
Side-channel resistant design In KEY LOOKUP TABLE OUT SBOX Power Reduce Power Variation Constant-Power Design Wave Dynamic Differential Logic De-correlate Power Variation Masking Random Switching Logic Reducing Power Variations: WDDL Wave Dynamic Differential Logic (Tiri 2003) Gates have exactly one 0->1 transition per clock cycle Differential Logic Precharge Logic A A Q A Q F B B Q F PRECHRG EVAL Differential output ensures each switch contains 0->1 Precharge output guarantees switching each cycle
WDDL NAND Gate A A Q B B Q Φ F A B Q Q PRE EVAL PRE EVAL 0 1 0 1 0 0 0 1 0 1 0 0 0 0 0 1 Exactly one switching event per gate per cycle Matching Interconnect Capacitance WDDL GATE C1 C2 WDDL GATE Asymmetry in C-load gives residual power leakage Need symmetrical place-and-route technique, not easy in contemporary tools
Unbalanced WDDL easy to break Impact of imbalance of 1 part in 500 per WDDL net Frequency R KEY = 124 TOGGLE BIN Overall Power Variation ~ 1 per 15,000 KEY ESTIMATE @ 10,000 measurements WDDL in FPGA [Pengyuan Yu, VT] Use FPGA fabric regularity to build a better WDDL Single-Ended Circuit Differential Circuit Copy- Modify- Relocate 'Copy' + 'Relocate' results in identical routing pattern 'Modify' LUT content creates complementary logic function
Maping WDDL in FPGA Create complementary function starting from differential netlist by switching Q and Qbar WDDL WDDL with switched Q,Qbar - 4X in area over single-ended + same advantages as WDDL with symmetrical routing 'DWDDL', Double Wave Dynamic Differential Logic Test Setup considers 3 possible cases Single-ended WDDL WDDL + Complementary SE WDDL DWDDL
Test setup LFSR KEY LOOKUP TABLE SBOX OUT Measurements AC Current (ma) 20 16 12 8 0.8 0.4 0-0.4-0.8 DWDDL 1 cycle SE ( 1 scale) 10 WDDL 4 0-4 25 50 75 100
DPA on Measurements 0.3 0.25 0.2 0.15 0.1 0.05 0 Correlation on SE Key = 174 63 127 191 255 Key Correlation peak position on dual-rail design Bit 0 1 2 3 4 5 6 7 WDDL 19 152 68 174 174 99 174 174 DWDDL 194 174 64 27 190 238 10 113 Conclusions In embedded systems, ZERO-risk security does NOT exist In embedded systems, LOW-risk security IS possible Methodology is essential Chain-of-trust Side-channel Resistant Design Many open problems How to quantify security? Number of measurements? Cost versus Security trade-offs? Can we build tools to automate analysis and secure design?
Thanks! Patrick Schaumont, Eric Simpson, Pengyuan Yu Secure Embedded Systems Group ECE Department