Post on 31-Jul-2020
Breaking the BitstreamDecryption of FPGAs05. Sep. 2012
Amir MoradiEmbedded Security Group, Ruhr University Bochum, Germany
2
Embedded Security Group
Acknowledgment Christof Paar
Markus Kasper
Timo Kasper
Alessandro Barenghi
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
3
Embedded Security Group
Outline Side‐Channel Attacks (in general)
– DPA/CPA Xilinx Bitstream Encryption
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
4
Embedded Security Group
Side‐Channel Attacks Physical attacks
– observing physical characteristics e.g.,• power consumption• running time• electromagnetic radiation
of a cryptographic DEVICE– usually divide‐and‐conquer scheme– recovering the relation between the side‐channel leakage and processed data
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
5
Embedded Security Group
How to Measure Side‐Channel Leakages Running Time ‐> straightforward by a counter/timer Power Consumption
– a resistor, an oscilloscope
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
6
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
7
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
8
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
9
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3d
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
10
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3d
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
11
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3d
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
12
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
13
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
14
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
15
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1
[k=01] S 7d eb b6 … 41 ac eb
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
16
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1
[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
17
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1
[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0
[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1
…
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
18
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1
[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0
[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1
Diff. of Means
…
powerLSB 1,powerLSB 0
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
19
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1
[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0
[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1
0.0010.002
…
0.020
…
0.001
Diff. of Means
…
powerLSB 1,powerLSB 0
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
20
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1
[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0
[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1
0.0010.002
…
0.020
…
0.001
Diff. of Means
…
powerLSB 1,powerLSB 0
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
21
Embedded Security Group
Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1
[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0
[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1
0.0010.002
…
0.020
…
0.001
Diff. of Means
…
powerLSB 1,powerLSB 0
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
22
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
23
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
24
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
25
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3d
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
26
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3d
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
27
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3d
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
28
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
29
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 27
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
30
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
31
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4
[k=01] S 7d eb b6 … 41 ac eb
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
32
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4
[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
33
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4
[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6
[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3
…
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
34
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4
[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6
[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3
Correlation
…
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
35
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4
[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6
[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3
Correlation
…
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
36
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4
[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6
[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3
Correlation
…
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
37
Embedded Security Group
Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)
Sbox
kp
p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02
[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4
[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6
[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3
0.0110.060
…
0.231
…
0.095
Correlation
…
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
38
Embedded Security Group
Challenges Measurement quality Knowledge about the target device
– Mostly in evaluation labs (perfect situation)
How about a real‐world scenario
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
39
Embedded Security Group
FPGAs = Reconfigurable Hardware
Case Study: Xilinx Bitstream Encryption
Widely used in • routers• consumer products• automotive, machinery• military• > million gates
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
40
Embedded Security Group
FPGAs = Reconfigurable Hardware
Case Study: Xilinx Bitstream Encryption
Widely used in • routers• consumer products• automotive, machinery• military• > million gates
Config file• Configuration loaded
at power‐up• bitstream ≈ Mbits
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
41
Embedded Security Group
Bitstream/Configuration
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
42
Embedded Security Group
Bitstream/Configuration
PCB board
SRAM FPGA
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
43
Embedded Security Group
Bitstream/Configuration
PCB board
SRAM FPGA
E2PROM
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
44
Embedded Security Group
Bitstream/Configuration
PCB board
SRAM FPGA
E2PROMFactory
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
45
Embedded Security Group
Bitstream/Configuration
PCB board
SRAM FPGA
E2PROMFactory
Power‐up
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
46
Embedded Security Group
Bitstream Encryption
PCB board
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
47
Embedded Security Group
Bitstream Encryption
PCB board
FPGA DesignSecret Keys
Proprietary AlgorithmsIP Cores
Bitstream
3DESAES
Bitstream
SRAM FPGA
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
48
Embedded Security Group
Bitstream Encryption
PCB board
FPGA DesignSecret Keys
Proprietary AlgorithmsIP Cores
Bitstream
3DESAES
Bitstream
SRAM FPGA
DEC
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
49
Embedded Security Group
Bitstream Encryption
PCB board
FPGA DesignSecret Keys
Proprietary AlgorithmsIP Cores
Bitstream
3DESAES
Bitstream
SRAM FPGA
DEC
E2PROM
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
50
Embedded Security Group
Bitstream Encryption
PCB board
FPGA DesignSecret Keys
Proprietary AlgorithmsIP Cores
Bitstream
3DESAES
Bitstream
SRAM FPGA
DEC
E2PROMFactoryInternet
Firmware UpdateECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
51
Embedded Security Group
Bitstream Encryption
PCB board
FPGA DesignSecret Keys
Proprietary AlgorithmsIP Cores
Bitstream
3DESAES
Bitstream
SRAM FPGA
DEC
E2PROMFactoryInternet
Firmware Update
Power‐up
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
52
Embedded Security Group
Bitstream Encryption
PCB board
FPGA DesignSecret Keys
Proprietary AlgorithmsIP Cores
Bitstream
3DESAES
Bitstream
SRAM FPGA
DEC
E2PROMFactoryInternet
Firmware Update
Power‐upAttacker? =
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
53
Embedded Security Group
Bitstream Encryption
PCB board
FPGA DesignSecret Keys
Proprietary AlgorithmsIP Cores
Bitstream
3DESAES
Bitstream
SRAM FPGA
DEC
E2PROMFactoryInternet
Firmware Update
Power‐upAttacker? =
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
54
Embedded Security Group
Side‐Channel?
PCB board
E2PROM
DEC
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
55
Embedded Security Group
Side‐Channel?
PCB board
E2PROM
DEC
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
56
Embedded Security Group
Side‐Channel?
PCB board
E2PROM
DEC
VCC‐IO VCC‐AUXVCC‐INT
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
57
Embedded Security Group
Side‐Channel?
PCB board
E2PROM
DEC
VCC‐IO VCC‐AUXVCC‐INT
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
58
Embedded Security Group
Side‐Channel?
PCB board
E2PROM
Power‐upDEC
VCC‐IO VCC‐AUXVCC‐INT
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
59
Embedded Security Group
Side‐Channel?
PCB board
E2PROM
Power‐upDEC
VCC‐IO VCC‐AUXVCC‐INT
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
60
Embedded Security Group
Side‐Channel?
PCB board
E2PROM
Power‐upDEC
VCC‐IO VCC‐AUXVCC‐INT
E2PROMunencrypted bitstream
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
61
Embedded Security Group
Challenges structure analysis protocol analysis
– bit‐wise feeding the encrypted bitstream– developing a sophisticated configuration device
trigger signal– start of each ciphertext block
visual inspection
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
62
Embedded Security Group
Some Figures
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
63
Embedded Security Group
Some Figures
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
64
Embedded Security Group
There are several documents by Xilinx on bistream structure but still some parts related to encryption stay unclear
Analysis and comparison of plain and encrypted bitstream revealed that : The selection of the decryption key from the storage is readable Initialization Value of the CBC mode embedded in bitstream The decryption engine is enabled by a bitstream command
Plain EncryptedBitstream Structural Analysis
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
65
Embedded Security Group
Find the when the decryption takes place Must occur after at least a whole ciphertext block
(64 bit) is in Should take place in less than 64 bits being sent in
to match on-the-fly decryption Compare the power consumptions of encrypted
and unencrypted bitstreams to reveal the time position
The JTAG clock is driven by us We can freeze the programming process
Decryption Timing
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
66
Embedded Security Group
Power Traces?
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
67
Embedded Security Group
Ciphertexti‐1
Power Traces?
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
68
Embedded Security Group
CiphertextiCiphertexti‐1
Power Traces?
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
69
Embedded Security Group
CiphertextiCiphertexti‐1
Decryption (Ciphertexti‐1)
Power Traces?
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
70
Embedded Security Group
Two clock cycles after a ciphertext block is in, the decryption is performed
Unencrypted bitstream Encrypted bitstream
Decryption Phase
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
71
Embedded Security Group
Encryption engine far smaller than the whole FPGA circuit
The device embeds a CPU (PowerPC403) in the fabric
As the PPC is not used to perform the decryption, its power consumption is irrelevant for the analysis
Since the PPC is clocked at 300MHz by an internal clock source, band-stop filtering the power traces removes its contribution
Insulating the encryption engine
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
72
Embedded Security Group
Zoomed Traces/Filtering
Timewise variance of 10k encryptions
Filtered
Raw Filtered
Raw
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
73
Embedded Security Group
To successfully perform the attack, hypotheses on the decryption engine architecture must be made
Switching activity of buffers storing intermediate values are good candidates for a power model
DES cipher state buffer switching activity was modeled during a cipher round
Switching activity conditioned by 6 bits of the key at a time was predicted (64 key hypotheses)
Consumption model: switching activity of the round buffer
Power consumption/architecture hypotheses
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
74
Embedded Security Group
Assumed Internal Architecture
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
75
Embedded Security Group
Assumed Internal Architecture
Round based implementation of DES
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
76
Embedded Security Group
Assumed Internal Architecture
Round based implementation of DES Separate stage for initial and final permutation
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
77
Embedded Security Group
Assumed Internal Architecture
Round based implementation of DES Separate stage for initial and final permutation One round per crypto-engine clock cycleECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
78
Embedded Security Group
Assumed Internal Architecture
Round based implementation of DES Separate stage for initial and final permutation One round per crypto-engine clock cycle Internal 64 bit buffer stores cipher stateECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
79
Embedded Security Group
Architecture Hypothesis Validation Need to validate the architecture hypothesis before the
attack
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
80
Embedded Security Group
Architecture Hypothesis Validation Need to validate the architecture hypothesis before the
attack
Correlating to HW of Ciphertextsand output of each DES
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
81
Embedded Security Group
Architecture Hypothesis Validation Need to validate the architecture hypothesis before the
attack
Correlating to HW of Ciphertextsand output of each DES
Correlating to HD of consecutiveround outputs
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
82
Embedded Security Group
Attack on 6 bits of the 1st DES the key (round 1)
Final Attack Results
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
83
Embedded Security Group
Attack on 6 bits of the 1st DES the key (round 1)
The key is recoverable with ~ 50000 decryption power measures (less than a single bitstream decryption for almost all V2Pro devices) The attack is still possible with lowpass filtered and decimated traces up to 100MSa/s A single attack to recover 6 bits of a DES key takes a couple of seconds on a common desktop Complete 3DES key recovered in 2-3 minutes of computation
Final Attack Results
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
84
Embedded Security Group
Successful Side Channel attack estimating a very small part of the active digital logic Correlation power analysis is scale invariant, as long as there are correlated variations
No explicit SCA countermeasures present, sheer size of the platform thought to be enough Proper filtering of the obtained signal removes non-relevant consumption
Mainly security through obscurity Methodic reverse engineering leads to figuring out the structure
Final Attack Results
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
85
Embedded Security Group
How about more recent devices V4, V5, S6?
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
86
Embedded Security Group
Visual Inspection
CLK
normal
ENC
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
87
Embedded Security Group
Visual Inspection
CLK
normal
ENC
average over 10k tracesECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
88
Embedded Security Group
Filtering
CLK
zoomfilter
ENC
peak extraction, AES‐256ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
89
Embedded Security Group
Known Steps guessing the architecture guessing the power model known‐key scenario check their validity
Finally after 3 months…
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
90
Embedded Security Group
Architecture (AES‐256)
Bit flips in registers (Hamming distance) as the model
Findings
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
91
Embedded Security Group
Model for Power Consumption Hamming Distance of state register R
Problem: At least 64‐bit hypothesis to attack power consumption of 32‐bit leakage
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
92
Embedded Security Group
Model for Power Consumption
Exploit linearity 32‐bit hypotheses to attack
single bit power model Fine in theory, but can we detect the leakage of a single
bit in practice?
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
93
Embedded Security Group
The Attack 235 (= 34,359,738,368) keys to test 60,000 power traces 128 GiB of 32‐bit floating point results Can be done but not practical on CPUs
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
94
Embedded Security Group
GPUs for Power Analysis Used System
– 4x Nvidia Tesla C2070 GPUs– Each one has 6 GB of RAM and 448 cores– Clocked at 1.15 GHz
HDD is not the bottleneck Full attack in around 4.5 hours (V4, 60k traces)
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
95
Embedded Security Group
Result Virtex‐4 60k traces
Other Columns show similar results Virtex‐5:
The same attack works (6.5 hours, 90k traces)
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
96
Embedded Security Group
Lessons Learned Bitstream encryption is vulnerable to SCA New modern CMOS technology can be attacked in
practice (90nm/65nm/45nm) Reusing crypto cores simplifies analyses Attacks on 32‐bit hypotheses are realistic threats GPUs are a nice tool for attacks where computation
time dominates
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
97
Embedded Security Group
Recent Results and ongoing Work Up to know, the broken devices:
– Virtex‐II pro– Virtex‐4– Virtex‐5– Spartan‐6– Actel (Microsemi) S. Skorobogatov, C. Woods
• http://eprint.iacr.org/2012/296 Those which come soon or later
– Virtex‐6– Kintex‐7– Stratix‐II (Altera)
ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi
Thanks!Any questions?
Embedded Security Group, Ruhr University Bochum, Germany
amir.moradi@rub.de