
Showing papers by "Christof Paar published in 2009"


Book
27 Nov 2009
TL;DR: The authors move quickly from explaining the foundations to describing practical implementations, including recent topics such as lightweight ciphers for RFIDs and mobile devices, and current key-length recommendations.
Abstract: Cryptography is now ubiquitous. Moving beyond the traditional environments, such as government communications and banking systems, we see cryptographic techniques realized in Web browsers, e-mail programs, cell phones, manufacturing systems, embedded software, smart buildings, cars, and even medical implants. Today's designers need a comprehensive understanding of applied cryptography. After an introduction to cryptography and data security, the authors explain the main techniques in modern cryptography, with chapters addressing stream ciphers, the Data Encryption Standard (DES) and 3DES, the Advanced Encryption Standard (AES), block ciphers, the RSA cryptosystem, public-key cryptosystems based on the discrete logarithm problem, elliptic-curve cryptography (ECC), digital signatures, hash functions, Message Authentication Codes (MACs), and methods for key establishment, including certificates and public-key infrastructure (PKI). Throughout the book, the authors focus on communicating the essentials and keeping the mathematics to a minimum, and they move quickly from explaining the foundations to describing practical implementations, including recent topics such as lightweight ciphers for RFIDs and mobile devices, and current key-length recommendations. The authors have considerable experience teaching applied cryptography to engineering and computer science students and to professionals, and they make extensive use of examples, problems, and chapter reviews, while the book's website offers slides, projects and links to further resources. This is a suitable textbook for graduate and advanced undergraduate courses and also for self-study by engineers.

746 citations


Book ChapterDOI
30 Aug 2009
TL;DR: Two concepts of very small implementations of Trojan side-channels (TSC) are introduced and evaluated with respect to their feasibility on Xilinx FPGAs and indicate a high resistance to detection by conventional test and inspection methods.
Abstract: The general trend in semiconductor industry to separate design from fabrication leads to potential threats from untrusted integrated circuit foundries. In particular, malicious hardware components can be covertly inserted at the foundry to implement hidden backdoors for unauthorized exposure of secret information. This paper proposes a new class of hardware Trojans which intentionally induce physical side-channels to convey secret information. We demonstrate power side-channels engineered to leak information below the effective noise power level of the device. Two concepts of very small implementations of Trojan side-channels (TSC) are introduced and evaluated with respect to their feasibility on Xilinx FPGAs. Their lightweight implementations indicate a high resistance to detection by conventional test and inspection methods. Furthermore, the proposed TSCs come with a physical encryption property, so that even a successful detection of the artificially introduced side-channel will not allow unhindered access to the secret information.

184 citations



Proceedings ArticleDOI
02 Nov 2009
TL;DR: A novel technique, "Malicious Off-chip Leakage Enabled by Side-channels" (MOLES), which employs power side-channels to convey secret information off-chip, is proposed to demonstrate the potential threats of MOLES on embedded system security.
Abstract: Economic incentives have driven the semiconductor industry to separate design from fabrication in recent years. This trend leads to potential vulnerabilities from untrusted circuit foundries to covertly implant malicious hardware Trojans into a genuine design. Hardware Trojans provide back doors for on-chip manipulation, or leak secret information off-chip once the compromised IC is deployed in the field. This paper explores the design space of hardware Trojans and proposes a novel technique, "Malicious Off-chip Leakage Enabled by Side-channels" (MOLES), which employs power side-channels to convey secret information off-chip. An experimental MOLES circuit is designed with fewer than 50 gates and is embedded into an Advanced Encryption Standard (AES) cryptographic circuit in a predictive 45nm CMOS technology model. Engineered by a spread-spectrum technique, the MOLES technique is capable of leaking multi-bit information below the noise power level of the host IC to evade evaluators' detections. In addition, a generalized methodology for a class of MOLES circuits and design verification by statistical correlation analysis are presented. The goal of this work is to demonstrate the potential threats of MOLES on embedded system security. Nevertheless, MOLES could be constructively used for hardware authentication, fingerprinting and IP protection.

136 citations


Book ChapterDOI
30 Aug 2009
TL;DR: This work investigates the efficient implementation of the McEliece scheme on embedded systems, which was previously considered a challenge due to the required storage of its large keys.
Abstract: Most advanced security systems rely on public-key schemes based either on the factorization or the discrete logarithm problem. Since both problems are known to be closely related, a major breakthrough in cryptanalysis tackling one of those problems could render a large set of cryptosystems completely useless. The McEliece public-key scheme is based on the alternative security assumption that decoding unknown linear binary codes is NP-complete. In this work, we investigate the efficient implementation of the McEliece scheme on embedded systems, which was, until now, considered a challenge due to the required storage of its large keys. To the best of our knowledge, this is the first time that the McEliece encryption scheme is implemented on a low-cost 8-bit AVR microprocessor and a Xilinx Spartan-3AN FPGA.

82 citations


Book ChapterDOI
17 Dec 2009
TL;DR: This work introduces low-cost hardware for performing non-invasive side-channel attacks on Radio Frequency Identification Devices (RFID) and develops techniques for facilitating a correlation power analysis (CPA) in the presence of the field of an RFID reader.
Abstract: We introduce low-cost hardware for performing non-invasive side-channel attacks on Radio Frequency Identification Devices (RFID) and develop techniques for facilitating a correlation power analysis (CPA) in the presence of the field of an RFID reader. We practically verify the effectiveness of the developed methods by analysing the security of commercial contactless smartcards employing strong cryptography, pinpointing weaknesses in the protocol and revealing a vulnerability towards side-channel attacks. Employing the developed hardware, we present the first successful key-recovery attack on commercially available contactless smartcards based on the Data Encryption Standard (DES) or Triple-DES (3DES) cipher that are widely used for security-sensitive applications, e.g., payment purposes.

66 citations


Posted Content
TL;DR: This paper describes breaking the ECC2K-130 challenge using a parallelized version of Pollard's rho method, a major computation bringing together the contributions of several clusters of conventional computers, PlayStation 3 clusters, computers with powerful graphics cards and FPGAs.
Abstract: Elliptic-curve cryptography is becoming the standard public-key primitive not only for mobile devices but also for high-security applications. Advantages are the higher cryptographic strength per bit in comparison with RSA and the higher speed in implementations. To improve understanding of the exact strength of the elliptic-curve discrete-logarithm problem, Certicom has published a series of challenges. This paper describes breaking the ECC2K-130 challenge using a parallelized version of Pollard's rho method. This is a major computation bringing together the contributions of several clusters of conventional computers, PlayStation 3 clusters, computers with powerful graphics cards and FPGAs. We also give estimates for an ASIC design. In particular we present
- our choice and analysis of the iteration function for the rho method;
- our choice of finite field arithmetic and representation;
- detailed descriptions of the implementations on a multitude of platforms: CPUs, Cells, GPUs, FPGAs, and ASICs;
- timings for CPUs, Cells, GPUs, and FPGAs; and

51 citations


Book ChapterDOI
19 Jun 2009
TL;DR: This work presents the first simple power analysis of software implementations of KeeLoq, and introduces techniques for effectively realizing an automatic SPA and a method for circumventing a simple countermeasure that can also be applied for analyzing other implementations of cryptography on microcontrollers.
Abstract: We present the first simple power analysis (SPA) of software implementations of KeeLoq. Our attack drastically reduces the efforts required for a complete break of remote keyless entry (RKE) systems based on KeeLoq. We analyze implementations of KeeLoq on microcontrollers and exploit timing vulnerabilities to develop an attack that allows for a practical key recovery within seconds of computation time, thereby significantly outperforming all existing attacks: only one single measurement of a section of a KeeLoq decryption is sufficient to extract the 64-bit master key of commercial products, without prior knowledge of either plaintext or ciphertext. We further introduce techniques for effectively realizing an automatic SPA and a method for circumventing a simple countermeasure, which can also be applied for analyzing other implementations of cryptography on microcontrollers.

49 citations


Proceedings ArticleDOI
01 Apr 2009
TL;DR: The results highlight that PRESENT is well suited for high-speed and high-throughput applications, especially its hardware efficiency, i.e. the throughput per slice, is noteworthy.
Abstract: In this paper we investigate the performance of the block cipher PRESENT on FPGAs. We provide implementation results of an efficiency (i.e. throughput per slice) optimized design and compare them with other block ciphers. Though PRESENT was originally designed with a minimal hardware footprint in mind, our results also highlight that PRESENT is well suited for high-speed and high-throughput applications. Especially its hardware efficiency, i.e. the throughput per slice, is noteworthy.

40 citations


Book ChapterDOI
17 Dec 2009
TL;DR: The goal of this paper is to compare mutual information analysis (MIA) and CPA when leakage of the target device fits into a Gaussian assumption, and to theoretically examine why MIA can reveal the correct key guess amongst other hypotheses, and then compare it with CPA proofs.
Abstract: In CHES 2008 a generic side-channel distinguisher, Mutual Information, has been introduced to be independent of the relation between measurements and leakages as well as between leakages and data processed. Assuming a Gaussian model for the side-channel leakages, correlation power analysis (CPA) is capable of revealing the secrets efficiently. The goal of this paper is to compare mutual information analysis (MIA) and CPA when leakage of the target device fits into a Gaussian assumption. We first theoretically examine why MIA can reveal the correct key guess amongst other hypotheses, and then compare it with CPA proofs. As our theoretical comparison confirms, and as shown recently in ACNS 2009 and CHES 2009, MIA is less effective than CPA when there is a linear relation between leakages and predictions. Later, we show detailed practical comparison results of MIA and CPA, by means of several alternative parameters, under the same condition using leakage of a smart card as well as of an FPGA.

39 citations


Proceedings ArticleDOI
06 Sep 2009
TL;DR: The evolution of the KeeLoq attack is described, and it is found that an SPA (simple power analysis) attack allows recovery of the manufacturer key with one measurement; the approach is applicable to any symmetric cipher with an implementation that is not side-channel resistant.
Abstract: Last year we were able to break KeeLoq, which is a 64-bit block cipher that is popular for remote keyless entry (RKE) systems. KeeLoq RKEs are widely used for access control purposes such as garage openers or car door systems. Even though the attack seems almost straightforward in hindsight, there were many practical and theoretical problems to overcome. In this talk I want to describe the evolution of the attack over about two years. Also, some possible future improvements using fault-injection will be mentioned. During the first phase of breaking KeeLoq, a surprisingly long time was spent on analyzing the target hardware, taking measurements and wondering why we did not succeed. In the second phase, we were able to use differential power analysis attacks successfully on numerous commercially available products employing KeeLoq code hopping. Our techniques allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery in a few minutes. With similar techniques but with considerably more measurements (typically on the order of 10,000) we can extract the manufacturer key which is stored in every receiver device, e.g., a garage door opener unit. In the third and most recent phase, we were able to come up with several improvements. Most notably, we found that an SPA (simple power analysis) attack allows recovery of the manufacturer key with one measurement. In the talk, we will also speculate about extensions to fault-injection and timing attacks. It is important to note that most of our findings are not specific to KeeLoq but are, in principle, applicable to any symmetric cipher with an implementation that is not side-channel resistant.

Book ChapterDOI
02 Dec 2009
TL;DR: This paper considers the case of CRYPTOGPS and outlines a full implementation that has been fabricated in ASIC. Interestingly, the implementation requirements still remain within the typically-cited limits for on-the-tag cryptography.
Abstract: The field of lightweight cryptography has developed significantly over recent years and many impressive implementation results have been published. However these results are often concerned with a core computation and when it comes to a real implementation there can be significant hidden overheads. In this paper we consider the case of CRYPTOGPS and we outline a full implementation that has been fabricated in ASIC. Interestingly, the implementation requirements still remain within the typically-cited limits for on-the-tag cryptography.

Book ChapterDOI
27 Mar 2009
TL;DR: This paper explores the resistance of MOS Current Mode Logic (MCML) against attacks based on the observation of the power consumption and found that it is suitable to protect cryptographic hardware from Differential Power Analysis and similar side-channel attacks.
Abstract: This paper explores the resistance of MOS Current Mode Logic (MCML) against attacks based on the observation of the power consumption. Circuits implemented in MCML, in fact, have unique characteristics both in terms of power consumption and the dependency of the power profile on the input signal pattern. Therefore, MCML is suitable to protect cryptographic hardware from Differential Power Analysis and similar side-channel attacks. In order to demonstrate the effectiveness of different logic styles against power analysis attacks, two full cores implementing the AES algorithm were realized and implemented with CMOS and MCML technology, and a set of different types of attack was performed using power traces derived from SPICE-level simulations. Although all keys were discovered for CMOS, MCML traces did not present characteristics that could lead to a successful attack.

25 Sep 2009
TL;DR: An efficient authentication mechanism especially designed for navigation systems that is based upon the Timed Efficient Stream Loss-Tolerant Authentication (TESLA) algorithm is introduced and the use of adjusted TESLA in eLORAN is proposed.
Abstract: In this paper we introduce an efficient authentication mechanism especially designed for navigation systems that is based upon the Timed Efficient Stream Loss-Tolerant Authentication (TESLA) algorithm. We analyze the different attack scenarios on navigation systems and show that it is only necessary to authenticate the source and time of the signals to enable a secure position determination. Traditional message authentication is only needed to prevent counterfeit correction message attacks. With this knowledge and a detailed security analysis of the needed key size, we developed adjusted TESLA, an authentication mechanism that can authenticate the source and time-messages using only 80 bits. One of the reasons why we can use such a small authentication message is the insertion of a timestamp into the generation of the one-way chains. This significantly increases the security of adjusted TESLA compared to the original TESLA and enables us to use a smaller key size. Adjusted TESLA has about a 75% smaller size than traditional digital signatures, which have signature sizes of at least 320 bits. To prevent counterfeit correction message attacks, an additional 32 or 40 bits are needed for the transmission of a MAC. But this is still an improvement of at least 62.5% compared to digital signatures or the first proof-of-concept implementation of TESLA in eLORAN. This enables us to significantly improve the security of navigation systems by using only a very small data rate. We propose the use of adjusted TESLA in eLORAN. With this security improvement and LORAN's strength against over-the-air attacks, eLORAN will not only be a backup for current GNSS systems, but will be a real alternative for current civil GNSS systems in applications that require the highest possible security level against attacks.

Book ChapterDOI
02 Dec 2009
TL;DR: A new attack on circuits implemented using masked single-rail flip-flops is designed, which does not predict the mask bit and does not need detailed knowledge about the attacked device, e.g., the circuit layout.
Abstract: Several dual-rail logic styles make use of single-rail flip-flops for storing intermediate states. We show that single mask bits, as applied by various side-channel resistant logic styles such as MDPL and iMDPL, are not sufficient to obfuscate the remaining leakage of single-rail flip-flops. By applying simple models for the leakage of masked flip-flops, we design a new attack on circuits implemented using masked single-rail flip-flops. Contrary to previous attacks on masked logic styles, our attack does not predict the mask bit and does not need detailed knowledge about the attacked device, e.g., the circuit layout. Moreover, our attack works even if all the load capacitances of the complementary signals are perfectly balanced and even if the PRNG is ideally unbiased. Finally, after performing the attack on DRSL, MDPL, and iMDPL circuits we show that single-bit masks do not influence the exploitability of the revealed leakage of the masked flip-flops.

Proceedings ArticleDOI
01 Dec 2009
TL;DR: This paper presents a novel strategy to identify and authenticate FPGAs in applications using intrinsic, device-specific information (also known as physically unclonable functions), and shows that the output of intentionally induced write collisions in synchronous dual-port block RAM (BRAM) can be used to create unique device signatures.
Abstract: Due to their versatile and generic structure, Field Programmable Gate Arrays (FPGA) allow dynamic reconfiguration of their logical resources just by loading configuration files. However, this flexibility also opens up the threat of theft of Intellectual Property (IP) since these configuration files can be easily extracted and cloned. In this context, the ability to bind a configuration to a specific device is an important step to prevent product counterfeiting. In this paper, we present a novel strategy to identify and authenticate FPGAs in applications using intrinsic, device-specific information (also known as Physically Unclonable Functions). Our solution is based on the output of intentionally induced write collisions in synchronous dual-port block RAM (BRAM). We show that the output of such write collisions can be used to create unique device signatures. In addition to applications for chip identification and authentication, we also propose a solution to efficiently create secret keys on-chip. As a last contribution, we outline how to transform our idea into a circuit for True Random Number Generation (TRNG).

Proceedings ArticleDOI
27 Apr 2009
TL;DR: The main contribution of this work is to demonstrate that cryptography is feasible on these ultra-constrained devices and to close this gap in implementations of cryptographic algorithms on a 4-bit microcontroller.
Abstract: The RFID technology in combination with cryptographic algorithms and protocols is discussed widely as a promising solution against product counterfeiting. Usually the discussion is focussed on passive low-cost RFID-tags, which have harsh power constraints. 4-bit microcontrollers have very low-power characteristics (5–60 μA) and are therefore an interesting platform for active and passive low-cost RFID-tags. To the best of our knowledge there are no implementations of cryptographic algorithms on a 4-bit microcontroller published so far. Therefore, the main contribution of this work is to demonstrate that cryptography is feasible on these ultra-constrained devices and to close this gap. We chose PRESENT [1] as the cryptographic algorithm, because contrary to many other ciphers, PRESENT uses a 4×4 S-Box. Our implementation draws a current of 6.7 μA at a supply voltage of 1.8 V and a frequency of 500 kHz and requires less than 200 ms for the processing of one data block.

Posted Content
TL;DR: In this paper, the authors present special purpose hardware for attacking cryptographic systems at the 2009 SHARCS Workshop on Special Purpose Hardware for Attacking Cryptographic Systems, 9 September 2009.
Abstract: SHARCS '09: Special Purpose Hardware for Attacking Cryptographic Systems, 9 September 2009.

Proceedings ArticleDOI
27 Jul 2009
TL;DR: It is shown that the protocols proposed would significantly reduce the effects that the leakage of a single key would have over the whole system and the advantages that newer primitives have such as All-Or-Nothing Transforms and Physical Unclonable Functions.
Abstract: EDA vendors have proposed a standard for the sharing of IP among vendors to be used in the design and development of IP for FPGAs. Although we do not propose any attacks, we show that there are easy ways in which the security of the whole process can be enhanced by using standard cryptographic techniques such as secret sharing and public-key based key exchange. We also explore the advantages that newer primitives have, such as All-Or-Nothing Transforms and Physical Unclonable Functions. We show that the protocols proposed would significantly reduce the effects that the leakage of a single key would have over the whole system.

Book ChapterDOI
07 Jul 2009
TL;DR: This new system combines Wi-Fi with user-authentication tokens to authenticate consumer financial transactions to achieve maximum usability and compatibility, and tunnels data through new side channels including the SSID field, packet timing, and packet length.
Abstract: Our new system combines Wi-Fi with user-authentication tokens to authenticate consumer financial transactions. To achieve this goal while maintaining maximum usability and compatibility, our token tunnels data through new side channels including the SSID field, packet timing, and packet length. These new point-to-point side-channels in Wi-Fi allow a token and PC to directly exchange messages – even while the PC is also connected to an access point. The result is a token that can authenticate transactions using only one touch by the user.

Book ChapterDOI
30 Aug 2009
TL;DR: In this extended abstract, the developments in the cryptographic engineering community over the last decade are described briefly and some hopefully instructive case studies about cryptographic implementations in the real world will be given.
Abstract: In this extended abstract, I will first try to describe briefly the developments in the cryptographic engineering community over the last decade. After this, some hopefully instructive case studies about cryptographic implementations in the real world will be given.

Proceedings Article
01 Jan 2009
TL;DR: A Wi-Fi user-authentication token that tunnels data through the SSID field, packet timing, and packet length to create a token that can authenticate transactions using only one touch by the user.
Abstract: We present a design for a Wi-Fi user-authentication token that tunnels data through the SSID field, packet timing, and packet length. Previous attempts to build an online-banking transaction-signing token have been only moderately successful, due in large part to usability problems. Average consumers, especially in the United States, are simply unwilling to transcribe strings of digits from PC to token and back again. In a departure from previous work, our token communicates using point-to-point side-channels in Wi-Fi that allow two devices to directly exchange messages – even if one is also connected to an access point. The result is a token that can authenticate transactions using only one touch by the user. The increased usability means more transactions can be authenticated, reducing fraud and driving more banking business online.