Showing papers by "Christof Paar published in 2015"

High-speed Curve25519 on 8-bit, 16-bit, and 32-bit microcontrollers

Abstract: This paper presents new speed records for 128-bit secure elliptic-curve Diffie---Hellman key-exchange software on three different popular microcontroller architectures. We consider a 255-bit curve proposed by Bernstein known as Curve25519, which has also been adopted by the IETF. We optimize the X25519 key-exchange protocol proposed by Bernstein in 2006 for AVR ATmega 8-bit microcontrollers, MSP430X 16-bit microcontrollers, and for ARM Cortex-M0 32-bit microcontrollers. Our software for the AVR takes only 13,900,397 cycles for the computation of a Diffie---Hellman shared secret, and is the first to perform this computation in less than a second if clocked at 16 MHz for a security level of 128 bits. Our MSP430X software computes a shared secret in 5,301,792 cycles on MSP430X microcontrollers that have a 32-bit hardware multiplier and in 7,933,296 cycles on MSP430X microcontrollers that have a 16-bit multiplier. It thus outperforms previous constant-time ECDH software at the 128-bit security level on the MSP430X by more than a factor of 1.2 and 1.15, respectively. Our implementation on the Cortex-M0 runs in only 3,589,850 cycles and outperforms previous 128-bit secure ECDH software by a factor of 3.

FPGA Trojans Through Detecting and Weakening of Cryptographic Primitives

Abstract: This paper investigates a novel attack vector against cryptography realized on FPGAs, which poses a serious threat to real-world applications. We demonstrate how a targeted bitstream modification can seriously weaken cryptographic algorithms, which we show with the examples of AES and 3-DES. The attack is performed by modifying the FPGA bitstream that configures the hardware elements during initialization. Recently, it has been shown that cloning of FPGA designs is feasible, even if the bitstream is encrypted. However, due to its proprietary file format, a meaningful modification is challenging. While some previous work addressed bitstream reverse-engineering, so far it has not been evaluated how difficult it is to detect and modify cryptographic elements. We outline two possible practical attacks that have serious security implications. We target the S-boxes of block ciphers that can be implemented in look-up tables or stored as precomputed set of values in the memory of the FPGA. We demonstrate that it is possible to detect and apply meaningful changes to cryptographic elements inside an unknown, proprietary, and undocumented bitstream. Our proposed attack does not require any knowledge of the internal routing. Furthermore, we show how an AES key can be revealed within seconds. Finally, we discuss countermeasures that can raise the bar for an adversary to successfully perform this kind of attack.

Scandalee: a side-channel-based disassembler using local electromagnetic emanations

Abstract: Side-channel analysis has become a well-established topic in the scientific community and industry over the last one and a half decade. Somewhat surprisingly, the vast majority of work on side-channel analysis has been restricted to the "use case" of attacking cryptographic implementations through the recovery of keys. In this contribution, we show how side-channel analysis can be used for extracting code from embedded systems based on a CPU's electromagnetic emanation. There are many applications within and outside the security community where this is desirable. In cryptography, it can, e.g., be used for recovering proprietary ciphers and security protocols. Another broad application field is general security and reverse engineering, e.g., for detecting IP violations of firmware or for debugging embedded systems when there is no debug interface or it is proprietary.A core feature of our approach is that we take localized electromagnetic measurements that are spatially distributed over the IC being analyzed. Given these multiple inputs, we model code extraction as a classification problem that we solve with supervised learning algorithms. We apply a variant of linear discriminant analysis to distinguish between the multiple classes. In contrast to previous approaches, which reported instruction recognition rates between 40--70%, our approach detects more than 95% of all instructions for test code, and close to 90% for real-world code. The methods are thus very relevant for use in practice. Our method performs dynamic code recognition, which has both advantages (only the program parts that are actually executed are observed) but also limitations (rare code executions are difficult to observe).

Bringing PHY-Based Key Generation into the Field: An Evaluation for Practical Scenarios

Abstract: The need for secured communication between computationally weak wireless devices has driven the development of novel key generation protocols. Various schemes for extracting symmetric cryptographic keys out of wireless channel properties have been proposed during recent years, making the generation protocol more and more efficient for individual applications. However, often these schemes were evaluated based on theoretical models and without considering practical effects. We present a system for PHY-based key generation with two legitimate users as well as a passive attacker of equivalent power and analyze results from practical measurements in real world scenarios. Furthermore we extend practical constraints by considering heterogeneous setups and show the impact onto representative performance indicators.

A Hardware-Based Countermeasure to Reduce Side-Channel Leakage: Design, Implementation, and Evaluation

Abstract: Side-channel attacks are one of the major concerns for security-enabled applications as they make use of information leaked by the physical implementation of the underlying cryptographic algorithm. Hence, reducing the side-channel leakage of the circuits realizing the cryptographic primitives is amongst the main goals of circuit designers. In this paper, we present a novel circuit concept, which decouples the main power supply from an internal power supply that is used to drive a single logic gate. The decoupling is done with the help of buffering capacitances integrated into semiconductor. We also introduce—compared to the previously known schemes—an improved decoupling circuit which reduces the crosstalk from the internal to the external power supply. The result of practical side-channel evaluation on a prototype chip fabricated in a 150nm CMOS technology shows a high potential of our proposed technique to reduce the side-channel leakages.

Interdiction in Practice - Hardware Trojan Against a High-Security USB Flash Drive.

Abstract: As part of the revelations about the NSA activities, the notion of interdiction has become known to the public: the interception of deliveries to manipulate hardware in a way that backdoors are introduced. Manipulations can occur on the firmware or at hardware level. With respect to hardware, FPGAs are particular interesting targets as they can be altered by manipulating the corresponding bitstream which configures the device. In this paper, we demonstrate the first successful real-world FPGA hardware Trojan insertion into a commercial product. On the target device, a FIPS-140-2 level 2 certified USB flash drive from Kingston, the user data are encrypted using AES-256 in XTS mode, and the encryption/decryption is processed by an off-the-shelf SRAM-based FPGA. Our investigation required two reverse-engineering steps, related to the proprietary FPGA bitstream and to the firmware of the underlying ARM CPU. In our Trojan insertion scenario, the targeted USB flash drive is intercepted before being delivered to the victim. The physical Trojan insertion requires the manipulation of the SPI flash memory content, which contains the FPGA bitstream as well as the ARM CPU code. The FPGA bitstream manipulation alters the exploited AES-256 algorithm in a way that it turns into a linear function which can be broken with 32 known plaintext–ciphertext pairs. After the manipulated USB flash drive has been used by the victim, the attacker is able to obtain all user data from the ciphertexts. Our work indeed highlights the security risks and especially the practical relevance of bitstream modification attacks that became realistic due to FPGA bitstream manipulations.

Security Analysis of Quantization Schemes for Channel-based Key Extraction

Abstract: The use of reciprocal and random properties of wireless channels for the generation of secret keys is a highly attractive option for many applications that operate in a mobile environment. In recent years, several practice-oriented protocols have been proposed, but unfortunately without a sufficient and consistent security analysis and without a fair comparison between each other. This can be attributed to the fact that until now neither a common evaluation basis, nor a security metric in an on-line scenario (e.g., with changing channel properties) was proposed. We attempt to close this gap by presenting test vectors based on a large measurement campaign, an extensive comparative evaluation framework (including ten protocols as well as new on-line entropy estimators), and a rigorous experimental security analysis. Further, we answer for the first time a variety of security and performance related questions about the behavior of 10 channel-based key establishment schemes from the literature.

Development of a Layout-Level Hardware Obfuscation Tool

Abstract: While hardware obfuscation has been used in industry for many years, very few scientific papers discuss layout-level obfuscation. The main aim of this paper is to start a discussion about hardware obfuscation in the academic community and point out open research problems. In particular, we introduce a very flexible layout-level obfuscation tool that we use as a case study for hardware obfuscation. In this obfuscation tool, a small custom-made obfuscell is used in conjunction with a standard cell to build a new obfuscated standard cell library called Obfusgates. This standard cell library can be used to synthesize any HDL code with standard synthesis tools, e.g. Synopsis Design Compiler. However, only obfuscating the functionality of individual gates is not enough. Not only the functionality of individual gates, but also their connectivity, leaks important important information about the design. In our tool we therefore designed the obfuscation gates to include a large number of "dummy wires". Due to these dummy wires, the connectivity of the gates in addition to their logic functionality is obfuscated. We argue that this aspect of obfuscation is of great importance in practice and that there are many interesting open research questions related to this.

Exploiting the Physical Environment for Securing the Internet of Things

Abstract: Using the randomness provided by the physical environment to build security solutions has received much attention recently. In particular, the shared entropy provided by measuring ambient audio, luminosity modalities or electromagnetic emanations has been used to build location-based, proximity-based, or context-based security mechanisms. The majority of those protocols is based on a standard model consisting channel probing, quantization, information reconciliation, privacy amplification, and key verification. The main problem for almost all approaches is the limited understanding of the security that is provided. For example, security analyses often only address single components and not the entire system or are based on broad abstractions of the physical source of randomness. Further, a big open question is the feasibility of such systems for low-resource platforms. Our first contribution is a detailed, optimized realization of a key establishment system. We demonstrate the feasibility of deriving a shared secret from correlated quantities on resource-constrained devices with tight power budget. Our system was realized on the popular ARM Cortex-M3 processor that reports detailed resource requirements. The second major contribution is a summary and abstraction of previous works together with a rigorous security analysis. We substantiate our investigation by presenting practical attack results.

Security Analysis of Quantization Schemes for Channel-based Key Extraction

Abstract: The use of reciprocal and random properties of wireless channels for the generation of secret keys is a highly attractive option for many applications that operate in a mobile environment. In recent years, several practice-oriented protocols have been proposed, but unfortunately without a sufficient and consistent security analysis and without a fair comparison between each other. This can be attributed to the fact that until now neither a common evaluation basis, nor a security metric in an on-line scenario (e.g., with changing channel properties) was proposed. We attempt to close this gap by presenting test vectors based on a large measurement campaign, an extensive comparative evaluation framework (including ten protocols as well as new on-line entropy estimators), and a rigorous experimental security analysis. Further, we answer for the first time a variety of security and performance related questions about the behavior of 10 channel-based key establishment schemes from the literature.

Cryptographic Theory Meets Practice: Efficient and Privacy-Preserving Payments for Public Transport

Abstract: We propose a new lightweight cryptographic payment scheme for transit systems, called P4R (Privacy-Preserving Pre-Payments with Refunds), which is suitable for low-cost user devices with limited capabilities. Using P4R, users deposit money to obtain one-show credentials, where each credential allows the user to make an arbitrary ride on the system. The trip fare is determined on-the-fly at the end of the trip. If the deposit for the credential exceeds this fare, the user obtains a refund. Refund values collected over several trips are aggregated in a single token, thereby saving memory and increasing privacy. Our solution builds on Brands’s e-cash scheme to realize the prepayment system and on Boneh-Lynn-Shacham (BLS) signatures to implement the refund capabilities. Compared to a Brands-only solution for transportation payment systems, P4R allows us to minimize the number of coins a user needs to pay for his rides and thus minimizes the number of expensive withdrawal transactions, as well as storage requirements for the fairly large coins. Moreover, P4R enables flexible pricing because it allows for exact payments of arbitrary amounts (within a certain range) using a single fast paying (and refund) transaction. Fortunately, the mechanisms enabling these features require very little computational overhead. Choosing contemporary security parameters, we implemented P4R on a prototyping payment device and show its suitability for future transit payment systems. Estimation results demonstrate that the data required for 20 rides consume less than 10KB of memory, and the payment and refund transactions during a ride take less than half a second. We show that malicious users are not able to cheat the system by receiving a refund that exceeds the overall deposit minus the overall fare and can be identified during double-spending checks. At the same time, the system protects the privacy of honest users in that transactions are anonymous (except for deposits) and trips are unlinkable.

On the Complexity Reduction of Laser Fault Injection Campaigns Using OBIC Measurements

Abstract: Laser Fault Injection (LFI) is one of the most powerful methods of inducing a fault as it allows targeting only specific areas down to single transistors. The downside compared to non-invasive methods like introducing clock glitches is the largely increased search space. An exhaustive search through all parameters including dimensions for correct timing, intensity, or length might not be not feasible. Existing solutions to this problem are either not directly applicable to the fault location or require additional device preparation and access to expensive equipment. Our method utilizes measuring the Optical Beam Induced Current (OBIC) as imaging technique to find target areas like flip-flops and thus, reducing the search space drastically. This measurement is possible with existing laser scanning microscopes or well-equipped LFI setups. We provide experimental results targeting the Advanced Encryption Standard (AES) hardware accelerator of an Atmel ATXMega microcontroller.

Protecting against Cryptographic Trojans in FPGAs

Abstract: In contrast to ASICs, hardware Trojans can potentially be injected into FPGA designs post-manufacturing by bit stream alteration. Hardware Trojans which target cryptographic primitives are particularly interesting for an adversary because a weakened primitive can lead to a complete loss of system security. One problem an attacker has to overcome is the identification of cryptographic primitives in a large bit stream with unknown semantics. As the first contribution, we demonstrate that AES can be algorithmically identified in a look-up table-level design for a variety of implementation styles. Our graph-based approach considers AES implementations which are created using several synthesis and technology mapping options. As the second contribution, we present and discuss the drawbacks of a dynamic obfuscation countermeasure which allows for the configuration of certain crucial parts of a cryptographic primitive after the algorithm has been loaded into the FPGA. As a result, reverse-engineering and modifying a primitive in the bit stream is more challenging.

High-speed Curve25519 on 8-bit, 16-bit, and 32-bit microcontrollers.

Abstract: This paper presents new speed records for 128-bit secure elliptic-curve Di e-Hellman key-exchange software on three di erent popular microcontroller architectures. We consider a 255-bit curve proposed by Bernstein known as Curve25519, which has also been adopted by the IETF. We optimize the X25519 key-exchange protocol proposed by Bernstein in 2006 for AVR ATmega 8-bit microcontrollers, MSP430X 16-bit microcontrollers, and for ARM Cortex-M0 32-bit microcontrollers. Our software for the AVR takes only 13 900 397 cycles for the computation of a Di e-Hellman shared secret, and is the rst to perform this computation in less than a second if clocked at 16 MHz for a security level of 128 bits. Our MSP430X software computes a shared secret in 5 301 792 cycles on MSP430X microcontrollers that have a 32-bit hardware multiplier and in 7 933 296 cycles on MSP430X microcontrollers that have a 16-bit multiplier. It thus outperforms previous constant-time ECDH software at the 128-bit security level on the MSP430X by more than a factor of 1.2 and 1.15, respectively. Our implementation on the Cortex-M0 runs in only 3 589 850 cycles and outperforms previous 128-bit secure ECDH software by a factor of 3.

Efficient E-cash with Attributes on MULTOS Smartcards

Abstract: Ever since its invention in the 1980s, e-cash has been considered a promising solution for privacy-preserving electronic payments. However, the computational capabilities, required for the processing of e-cash protocols, are demanding. Only recent works show the feasibility of implementing e-cash on constrained platforms. A particularly challenging, while at the same time extremely attractive platform, are smartcards. Smartcards are, next to magnetic stripe cards, the dominant platform used to execute electronic payments, and they enjoy wide user acceptance. In this paper we present an implementation of two e-cash schemes on MULTOS smartcards. We base the schemes on elliptic curve cryptography, which is supported by the API of the platform of choice. Our results are promising: When relying on a 160-bit elliptic curve, spending a coin, which encodes two attributes that are not revealed, can be executed in less than 800i¾?ms with both considered schemes.

Finding the AES Bits in the Haystack: Reverse Engineering and SCA Using Voltage Contrast

Abstract: In this paper, we demonstrate how the Scanning Electron Microscope (SEM) becomes a powerful tool for Side Channel Analysis (SCA) and Hardware Reverse Engineering. We locate the AES hardware circuit of a XMEGA microprocessor with Capacitive-Coupled Voltage Contrast (CCVC) images and use them in a powerful Voltage Contrast Side Channel Analysis (VCSCA). This enables an attacker to locate AES bit-wires in the top metal-layer and thus, to recover valuable netlist information. An attacker gets a valuable entry-point to look for weaknesses or Intellectual Property (IP) in the AES circuit. Additionally we show the great potential of the VCSCA in a non-invasive Side Channel Analysis for Reverse Engineering (SCARE) approach. Finally, we recover the full key of the AES hardware-engine in a practical template-based VCSCA and a no-plaintext, no-ciphertext and no-key Simple Side Channel Analysis (SSCA). We show that future VCSCA attacks present a big hardware security-risk that IC vendors need to consider.

On-line Entropy Estimation for Secure Information Reconciliation

Abstract: The random number generator (RNG) is a critical, if not in fact the most important, component in every cryptographic device. Introducing the symmetric radio channel, represented by estimations of location-specific, reciprocal, and time- variant channel characteristics, as a common RNG is not a trivial task. In recent years, several practice-oriented protocols have been proposed, challenging the utilization of wireless communication channels to enable the computation of a shared key. However, the security claims of those protocols typically rely on channel abstractions that are not fully experimentally substantiated, and (at best) rely on statistical off-line tests. In the present paper, we investigate on-line statistical testing for channel-based key extraction schemes, which is independent from channel abstractions due to the capability to verify the entropy of the resulting key material. We demonstrate an important security breach if on-line estimation is not applied, e.g., if the device is in an environment with an insufficient amount of entropy. Further, we present real-world evaluation results of 10 recent protocols for the generation of keys with a verified security level of 128-bit.

New ASIC/FPGA Cost Estimates for SHA-1 Collisions

Abstract: SHA-1 remains, till date, the most widely used hash function, in spite of several successful cryptanalytic attacks against it. These attacks, however, remain impractical due to high computation complexity and associated cost. We endeavor to do cost-time product estimation for an attack by the aid of application-specific hardware acceleration. This work proposes an Application-Specific Instruction-set Processor (ASIP), named Cracken. Cracken is aimed to efficiently realize near collision attack on SHA-1. The estimations of the physical attack complexity is done using 65nm standard CMOS technology and commercial FPGA devices. It is estimated, with post-layout simulations, that Stevens' differential attack with an estimated complexity of 2^57.5, can be executed in 46 days using 4096 Cracken cores at a cost of Euros 15m. Estimation for real collision with complexity 2^61 is also done. Our cost-time estimates reveal that an FPGA-based attack is more efficient compared to ASIC. Previously reported SHA-1 attacks based on ASIC and cloud computing platforms are also compiled and benchmarked for reference.

A Hardware-based Countermeasure to Reduce Side-Channel Leakage - Design, Implementation, and Evaluation.

Abstract: Side-channel attacks are one of the major concerns for security-enabled applications as they make use of information leaked by the physical implementation of the underlying cryptographic algorithm. Hence, reducing the side-channel leakage of the circuits realizing the cryptographic primitives is amongst the main goals of circuit designers. In this paper, we present a novel circuit concept, which decouples the main power supply from an internal power supply that is used to drive a single logic gate. The decoupling is done with the help of buffering capacitances integrated into semiconductor. We also introduce—compared to the previously known schemes—an improved decoupling circuit which reduces the crosstalk from the internal to the external power supply. The result of practical side-channel evaluation on a prototype chip fabricated in a 150nm CMOS technology shows a high potential of our proposed technique to reduce the side-channel leakages.