Altera vs. Xilinx · 8/22/2013 · Aug 2013 Amir Moradi Key1, Key2 FPGA f AES Key ENC Counter...
34
Altera vs. Xilinx which one keeps your design hidden? 22. Aug. 2013 Amir Moradi Embedded Security Group Ruhr University Bochum, Germany
Transcript of Altera vs. Xilinx · 8/22/2013 · Aug 2013 Amir Moradi Key1, Key2 FPGA f AES Key ENC Counter...
Altera vs. Xilinx which one keeps your design hidden?
22. Aug. 2013
Amir Moradi
Embedded Security Group
Ruhr University Bochum, Germany
2
Embedded Security Group
Acknowledge
Alessandro Barenghi
Markus Kasper
Timo Kasper
David Oswald
Pawel Swierczynski
Christof Paar
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
3
Embedded Security Group
SCA on Bitstream Encryption Feature
PCB board
E2PROM
Power-up DEC
VCC-IO VCC-AUX VCC-INT
E2PROM unencrypted bitstream
IEEE CASS| Singapore | 03. Apr. 2013 Amir Moradi
4
Embedded Security Group
Broken Families
Virtex-II Pro, SASEBO
Virtex-4, Xilinx DevBoard
Virtex-5, SASEBO-GII
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
5
Embedded Security Group
Broken Families
Spartan-6, SASEBO-W
Stratix-II, SASEBO-B
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
6
Embedded Security Group
New Targets
Stratix-III, Altera DevKit
Kintex-7, SASEBO-GIII
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
7
Embedded Security Group
EM Analysis
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
8
Embedded Security Group
EM Analysis
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
9
Embedded Security Group
EM Analysis
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
10
Embedded Security Group
EM Analysis
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
11
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
12
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
13
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
14
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
15
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
16
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
17
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
18
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
19
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
20
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
21
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
22
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
23
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
24
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
25
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
26
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
27
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
28
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
29
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
30
Embedded Security Group
Decapping
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
31
Embedded Security Group
Altera’s Key Derivation
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
Key1, Key2
FPGA
AES Key
32
Embedded Security Group
AES Key=ENCKey1(Key2)
Selecting an arbitrary Key1’
Key2’=DECKey1’(AES Key)
(Key1’,Key2’) works the same as (Key1,Key2)
no added security!
Altera’s Key Derivation
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
Key1, Key2
FPGA
f AES Key ENC
Counter
Bitstream Encrypted Bitstream
AES Key
33
Embedded Security Group
Altera:
– AES-128 is replaced by AES-256
• Key derivation stays the same
– Counter is not increased arithmetically
• much heuristics + proprietary schemes
– revealed by reverse engineering the PC software
Old vs. New Generations
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
34
Embedded Security Group
Altera:
– AES-128 is replaced by AES-256
• Key derivation stays the same
– Counter is not increased arithmetically
• much heuristics + proprietary schemes
– revealed by reverse engineering the PC software
Xilinx:
– AES-256 in CBC mode (as before)
– HMAC is introduced (Virtex-6 and all 7 series)
• no place in FPGA to save the HMAC key!
• The first block of the encrypted bitstream is the HMAC key!
Old vs. New Generations
CHES 2013| Ramp Session | Santa Barbara | 22. Aug 2013 Amir Moradi
