Three Challenges of Secure
Embedded System Design:
Performance, Battery life and
Robustness
Nachiketh Potlapally
Department of Electrical Engineering
Princeton University
Princeton, NJ
Email: npotlapa@princeton.edu
Embedded System Applications
Require Security
E
-
wallet
Portfolio
management using
Microsoft money
Server
RFID tag
1.28
-
1.92 MHz,
128
-
512 bit ROM,
32
-
128 bit RAM,
10000 gate logic,
Battery (active)
Smart card
66 MHz, 240 KB ROM,
16 KB RAM,
912 KB EEPROM
Crypto co
-
processor,
Battery (active)
Cell
-
phone/PDA
200 MHz,16MB RAM,
64MB Flash,
Crypto co
-
processor,
Battery
Network
Sensitive embedded system applications need security protocols
to provide
confidentiality
,
integrity
and
authentication
E
-
passport
Cryptographic algorithms
Confidentiality, Integrity and
Authentication
Confidentiality
Integrity
Authentication
-
Table lookup
-
Permutations
-
Multiplication
-
Modular addition
-
Modular multiplication
-
Fixed shift/rotate
-
Variable shift/rotate
-
Multiplication
-
Addition
-
Logical operations
-
Fixed shift/rotate
-
Modular exponentiation
-
Point multiplication on
Elliptic curves
Symmetric algorithms
(DES, AES, 3DES, RC5)
Asymmetric algorithms
(RSA, ECC, DH, ECDH)
Hash algorithms
(MD4, HMAC, SHA
-
1)
Security protocols
Security objectives
Crypto algorithms are
computationally
intensive
Challenges in Implementing Security on
Embedded Systems
Embedded systems
-
Low
-
end processors
-
Battery energy supply
Security protocols
Reduced
performance
Shorter battery
life
3DES and SHA require
130 MIPS @ 2 Mbps
(Intel SA
-
1100 delivers
150 MIPS at 133 MHz )
Sensoria WINS node
needs 21.5 mJ/bit to
transmit. RSA imposes
overhead of 42 mJ/bit
Susceptibility to
side
-
channel attacks
Infer cryptographic keys
from non
-
invasive probing
of implementation
characteristics
Objectives in design of secure embedded systems:
Good performance
,
long battery life
and
robustness to attacks
My Research Experience
1.
“Algorithm Exploration for Efficient Public
-
Key Security Processing for Wireless Handsets”, DATE02
2.
“Optimizing Public
-
key Encryption”, ICC02
3.
“System
-
level Design methodologies for a Wireless Security Processing Platform”, DAC02
4.
“Analyzing the Energy Consumption of Security Protocols”, ISLPED03
5.
“Impact of Configurability and Extensibility on IPSec Protocol Execution on Embedded Processors”, VLSID06
6.
“Satisfiability
-
based Framework for Enabling Side
-
channel Attacks on Cryptographic Software”, DATE06
7.
“A Study of the Energy Consumption Characteristics of Cryptographic Algorithms and Security Protocols”,
IEEE Transactions on Mobile Computing, February 2006
8.
“Aiding Side
-
channel Attacks on Cryptographic Software with Satisfiability
-
based Analysis”,
IEEE Transactions on VLSI Systems, April 2006
9.
“Configuration and Extension of Embedded Processors to Optimize IPSec Protocol Execution”,
IEEE Transactions on VLSI Systems. (To appear)
10. “Verifying Data Integrity with Few Queries to Untrusted Memory”, (In Submission)
1.
Optimizing public
-
key algo. software performance
[
1,2
]
2.
Custom instruction design for public
-
key algo.
[
3
]
3.
Accelerating symmetric and hash algo. through custom
instructions
[
5,9
]
4.
Optimizing IPSec protocol performance
[
5,9
]
5.
Reducing performance overhead of memory checking
[
10
]
1.
Analyzing energy consumption of cryptographic
algorithms
[
4,7
]
2.
Optimize energy consumption of SSL protocol
[
4,7
]
3.
Reduce energy consumed by memory bus in memory
integrity checking
[
10
]
1. Satisfiability
-
based framework for enabling side
-
channel
attacks on embedded cryptographic software
[
6,8
]
Publications:
Design of
secure
embedded
systems
Outline
•
Part 1: Robustness of secure
embedded systems
–
Satisfiability
-
based side
-
channel attacks on
cryptographic software
•
Part 2: Battery life of secure embedded
systems
–
Analyze energy consumption of cryptographic
algorithms and security protocols
•
Future work
Part 1: Robustness
Satisfiability
-
based Side
-
channel
Attacks on Cryptographic Software
Logical Inferences on Leaked Intermediate
Values Can Expose Secret Key
Memory bus
On
-
chip
secure
memory
Cryptographic
algorithm software
Plaintext
Ciphertext
Secret
key
Intermediate
variables
Logical
inferences
Protect these
Variables too!
Robustness: Talk Outline
•
Information leakage in software
implementations
–
Active and passive leakage
•
Logical cryptanalysis framework
–
Satisfiability (SAT) solver
–
Proposed cryptanalysis flow
•
Experimental setup
•
Results: DES, 3DES, and AES
–
Sensitive intermediate variables
Cryptanalysis: Theoretical View
Black
Box
Cryptographic algorithm
implementation
Plaintext
Ciphertext
Secret key
Secure
storage
Cryptographic algorithms are provably secure
against mathematical cryptanalysis under the
black
-
box
assumption
Applications
Cryptanalysis: Software Leakage
Operating system
System library
Hardware
System calls
System
calls
Library calls
Machine instructions
Persistence of
swapped data
(Garfinkel & Shelat, S&P 03)
Memory bus
monitoring
(Anderson & Kuhn,
USENIX 96)
Sensitive residual
data in buffers
(Chow et al.,
USENIX 04)
Proactive cache
probing
(C. Percival,
Tech. Rep.)
Sensitive data
in core dumps
(Broadwell et al.,
USENIX 03)
Hacking run
-
time
stack
(V. Paretsky,
Dr. Dobbs 05)
Software
Plaintext
Ciphertext
On
-
chip
secure memory
Cryptanalysis Using Leaked Intermediate
Values
1
2
3
4
5
Data
-
flow graph of a crypto function
Exposed intermediate computation
Hidden computation
Implied computation
Implication path
Exposure of intermediate values may aid
computation of protected secret key bits
via logical implications
V1
V2
V3
V5
V4
V6
V7
V8
Secret key
Plaintext
Ciphertext
V9
V10
V11
6
Key is protected
from exposure
7
Logical Cryptanalysis Framework
Plaintext P
Ciphertext C
Constraints
Known plaintext +
Known ciphertext +
Exposed variables
Circuit
description
Logical
Analysis/Implication
Engine
Theorem prover,
Satisfiability
solver, ….
Secret key K
Secret Key
Satisfiability (SAT) Solvers
•
SAT solver finds satisfying Boolean assignment
to variables in a conjunctive normal form (CNF)
formula
–
Gives a proof if no such assignment exists
•
SAT solver has a powerful logical implication
engine in the form of Boolean constraint
propagation (BCP)
•
Circuits can be converted to CNF in linear time
x
y
z
(z+x) (z+y) (z+x+y)
x
y
z
(z+x) (z+y) (z+x+y)
x
y
z
(z+x+y) (z+x+y) (z+x+y) (z+x+y)
AND
OR
XOR
CNF
CNF
CNF
SAT
-
based Cryptanalysis Framework
(z+x+y) (z+x+y)
(z+x+y) (z+x+y)
(z+x) (z+y) (z+x+y)
….
(z+x) (z+y) (z+x+y)
Ψ
(P, C, K)
CNF formula of
cryptographic
algorithm,
Plaintext P
Secret key K
Ciphertext C
CNF
conversion
Set plaintext
and ciphertext
values in
Ψ
(P, C, K)
SAT
solver
K’ = 110..1
(consistent
with the
values set)
Timeout
Set values
of exposed
variables in
Ψ
(P, C, K)
Constraints
CNF conversion : DES
L
i
L
i+1
R
i
R
i+1
K
i
P
E
S1
S2
S7
S8
…
Converting z=F(x,y) to CNF
z = F(x,y)
(z F(x,y)) (F(x,y) z)
(z + F(x,y)) (F(x,y) + z)
≡
≡
Algorithm
Clauses
Literals
DES
3DES
20328
104928
6904
35232
..
..
Round 1
Round 2
Round i
Round 16
Plaintext
Ciphertext
K
1
K
2
K
i
K
16
K
Secret
key
Key
setup
...
...
32
32
48
Experimental Setup
CNF
generator
Cryptographic
algorithm software
Plaintext,
Ciphertext
Exposed
variable
values
Xtensa ISS
RTL
generator
xt
-
gcc
compiler
Memory traffic
analyzer
MiniSAT
solver
Secret key &
Sensitive variables
Results: DES & 3DES
L
i
R
i
R
i +1
L
i +1
F
K
i
L
i
R
i
R
i +1
L
i +1
L
i +2
R
i +2
F
F
K
i
K
i +1
L
i
R
i
R
i +1
L
i +1
L
i +2
L
i +3
L
i +4
R
i +2
R
i +3
R
i +4
F
F
F
F
K
i
K
i +1
K
i +2
K
i +3
Sensitive
variable set
1
Sensitive
variable set
2
Sensitive
variable set
3
Results: DES and 3DES
0
200
400
600
800
1000
1200
1400
1
2
4
8
16
32
0
5
10
15
20
25
30
2
4
8
16
32
Plaintext
-
ciphertext pairs
Plaintext
-
ciphertext pairs
Time taken by SAT solver
(seconds)
Time taken by SAT solver
(seconds)
Sensitive variable set 1
Sensitive variable set 3
DES
3DES
1.
Sensitive variable sets 1 and 2:
1165 seconds
(on average) with four
plaintext
-
ciphertext pairs and corresponding intermediate variable values
2.
Sensitive variable set 3:
750 seconds
(on average) with four plaintext
-
ciphertext
pairs and corresponding intermediate variable values
Results: AES
Algorithm
Literals
Clauses
AES
10240
542432
Rounds
10
5 seconds
(on average) to get the 128
-
bit AES key with
one plaintext
-
ciphertext pair and 128
-
bit input and
output of any one round
CNF conversion
Results of side
-
channel cryptanalysis
Conclusions
•
Presented a SAT
-
based framework for
cryptanalysis
•
Identified the set of sensitive intermediate
variables in DES, 3DES and AES
•
Future work:
–
Improve analysis techniques to reduce the
size of sensitive variable set
–
Combine with traditional side
-
channel attacks
Part 2: Battery Life
Analyzing the Energy Consumption
of Cryptographic Algorithms and
Security Protocols
Impact of Security Processing on
Battery Life: Battery Gap
•
Security processing is computationally intensive
•
Drains battery faster
0
100
200
Normal
Encrypted
No. of Transactions
Battery runs
out of power
Battery runs
out of power
Mobile Node
•
Motorola DragonBall MC68328
•
Sensoria WINS NG RF Subsystem
( 10 Kbps, 10mW power )
•
Sensoria WINS NG Battery Pack
( 7.2 V supplying 26 kJ)
Source: Network Associates Inc.
There is a need for energy
-
efficient
security protocols
Battery life: Outline
•
Experimental setup
•
Analysis of energy consumption of
cryptographic algorithms
–
Symmetric algorithms
–
Public
-
key algorithms
•
Analysis of energy consumption of SSL
security protocol
•
Discussion: Optimizing SSL
•
Conclusions
Data
acquisition card
Client
Power
measurement
system
LabVIEW programming
environment
Serial
Sense
resistor
Lab
power
supply
TCP
IP
SSL
HTTPS
Linux
IPSec
Wireless
LAN/WAN
Server
iPAQ H3670
SA
-
1100 StrongARM
@206MHz
64MB RAM, 16MB ROM
SCB
-
68
I/O connector
Experimental Set
-
up
Battery life: Outline
•
Experimental setup
•
Analysis of energy consumption of
cryptographic algorithms
–
Symmetric algorithms
–
Public
-
key algorithms
•
Analysis of energy consumption of SSL security
protocol
•
Discussion: Optimizing SSL
•
Conclusions
Symmetric Algorithms
…
Round 1
Round 2
Round N
Plaintext P
Ciphertext C
Key
setup
Secret key
K
K
1
K
2
K
N
Implements
confusion
and
diffusion
operations
...
Round i
K
i
....
…..
Energy Consumption Results:
Impact of Symmetric Algorithm Parameters
Symmetric algorithm parameters influence system energy consumption
-
Number of rounds of execution
RC5
•
Cipher parameters
affect energy and
security
•
Energy
-
security
trade
-
offs possible
in symmetric algos.
2
47
2
95
2
119
>
>
Cryptanalytic difficulty
0.1
1
10
100
1000
10000
Key Setup
Enc/Dec
Key Setup
27.53
87.04
7.96
37.63
7.87
32.94
95.97
66.54
3166.3
Enc/Dec
2.08
6.04
1.47
1.47
1.21
1.73
3.93
0.79
0.81
DES
3DES
IDEA
CAST
AES
RC2
RC4
RC5
BLOW
FISH
Energy consumption
(logarithmic scale)
(µJ)
(µJ/byte)
Energy Consumption Results:
Symmetric Algorithms
Symmetric algorithms have widely varying energy consumption values
-
BLOWFISH has the greatest key setup cost, but very low enc/dec cost
-
3DES has the highest enc/dec cost
Symmetric Algorithm Block Cipher Modes
Symmetric
algorithm
Plaintext
Ciphertext
Symmetric
algorithm
Plaintext_0
Ciphertext_0
Initialization
vector
Symmetric
algorithm
Ciphertext_1
Plaintext_1
….
ECB modes
CBC mode
Symmetric
algorithm
Plaintext_0
Ciphertext_0
Symmetric
algorithm
Ciphertext_1
Plaintext_1
….
Key
Key
Key
Initialization
vector
Key
Key
OFB
/
CFB
mode
128
192
256
Energy consumption (uJ)
(uJ)
(uJ/Byte)
2
4
6
8
10
12
Key setup
ECB
CBC
CFB
OFB
Key size
AES
Energy Consumption Results:
Impact of Symmetric Algorithm Modes
Symmetric algorithm parameters influence system energy consumption
-
Key size
-
Cipher mode (ECB, CBC, CFB, OFB)
Energy Consumption Results:
Impact of Table Lookups & Loop Unrolling
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
Zero
One
Four
Full unroll
No unroll
Partial unroll
Energy consumption (J)
Number of tables per round
Degree of unrolling
•
Many tables and full loop unrolling increase the
number of memory accesses
•
Optimal energy with one table and partial unrolling
Maximum
energy
Minimum
energy
60KB file,
128
-
bit key AES
Energy Consumption Results:
Processor vs. Memory Energy in AES
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
Zero
One
Four
Memory
Processor
Energy consumption (J)
Number of tables per round
•
Table lookups replace arithmetic instructions with loads and stores
•
Energy consumption rises when tables affect caching behavior
Partial loop unrolling
60KB file,
128
-
bit key AES
•
Constructed using trap
-
door one way functions
–
Computationally infeasible to invert without ‘trap
-
door’
information
•
Security is based on hard mathematical
problems
–
Integer factorization (RSA)
–
Discrete logarithm in Integer field (DH, DSA)
–
Discrete logarithm in Elliptic fields (ECDH)
•
Two applications of public
-
key algorithms
–
Authentication using digital signatures
–
Key exchange for symmetric algorithms
Public
-
key Algorithms
0
100
200
300
400
500
600
RSA
DSA
ECDSA
Key Gen
Sign
Verify
Energy consumption (mJ)
(1024
-
bit)
(1024
-
bit)
(160
-
bit)
Energy Consumption Results:
Public
-
key Algorithms (Digital Signature)
•
RSA and ECDSA exhibit complementary energy
consumption for sign and verify operations
Energy Consumption Results:
Public
-
key Algorithms (Key Exchange)
0
200
400
600
800
1000
1200
DH
DH
ECDH
Key Gen
Key Exch
(1024
-
bit)
Energy consumption (mJ)
(160
-
bit)
(512
-
bit)
•
Increasing key size drastically affects the
energy consumption
•
ECDH is more energy efficient than DH
Battery life: Outline
•
Experimental setup
•
Analysis of energy consumption of cryptographic
algorithms
–
Symmetric algorithms
–
Public
-
key algorithms
•
Analysis of energy consumption of SSL
security protocol
•
Discussion: Optimizing SSL
•
Conclusions
Secure Sockets Layer (SSL)
IP
TCP
SSL Record Protocol
SSL
Hand
-
shake
SSL
Change
Cipher
SSL
Alert
Application data
Fragment
Compressed
Fragment
MAC trailer
Padding
Encrypted
data
SSL record
SSL header
Compression
Message Integrity
Padding
Encryption
SSL Record Assembly
Confidentiality,
Integrity
Authentication,
Key exchange
Protocol
Asymmetric
Symmetric
Hash
Energy consumption
breakup
60%
40%
80%
20%
100%
1K
100K
1M
Transaction size (bytes)
0%
41%
44%
46%
Energy Break
-
up of SSL Processing
•
For small transactions, asymmetric algorithm energy dominates
•
For large transactions, symmetric algorithm energy dominates
•
Non
-
crypto processing accounts for more than 40% of the energy
Battery life: Outline
•
Experimental setup
•
Analysis of energy consumption of cryptographic
algorithms
–
Symmetric algorithms
–
Public
-
key algorithms
•
Analysis of energy consumption of SSL security
protocol
•
Discussion: Optimizing SSL
•
Conclusions
0
200
400
600
800
1000
1200
RSA
ECC
RSA
ECC
Client authentication
overhead
No client
authentication
Energy consumption
(mJ)
Client operations
Server operations
Optimizing SSL Handshake
SSL Handshake Optimizations
-
Presence/absence of security services (such as client authentication)
-
Choice of asymmetric cipher (RSA vs ECC)
Optimizing the SSL Record Stage
SSL Record Optimizations
-
Choice of cipher suite (e.g., ECC
-
AES
-
MD5 vs. ECC
-
BLOWFISH
-
MD5) is influenced
by the size of the data transmitted.
-
Choice of cipher parameters (key size, number of rounds)
Key
setup
Enc/
Dec
AES
7.87
1.21
Blowfish
3167
0.81
Key
setup
Enc/
Dec
3DES
87
6.04
RC5
66.54
0.8
Conclusions
•
Comprehensive analysis of energy consumption of
cryptographic algorithms and security protocols
•
Energy
-
security trade
-
offs possible in security protocols
–
Will tolerate lower security for reduced energy
consumption
–
Parameters identified include
•
Symmetric algorithm used in record stage
•
Asymmetric algorithm used in handshake
•
Key
-
size of asymmetric algorithms
•
Number of rounds in symmetric algorithms
•
Size of data to be transmitted
Future Work
Future Research: Robust, Light
-
weight
Security
Security objectives
Security protocols
Cryptographic
algorithms
Hardware
-
software
architectures
Layered Security Implementation
Scalable security protocols
with variable rounds and
per round complexity
-
Scalable Fiat
-
Shamir
identification protocol
1.
Devise novel algorithms based
on hard problems with simpler
operations
-
Learning parity with noise
2.
Algorithms based on energy
efficient operations
-
LFSR
-
based hashing
-
Polynomial arithmetic
-
based
algorithms
1.
Efficient embedded architectures for
newer crypto algorithms
-
NTRU
2. Low
-
cost architectures for
side
-
channel attack resistance
-
Can leakage current provide
side
-
channel information?
3. Hardware measures to tackle
malware (viruses, worms)
Acknowledgements
•
Princeton University
–
Prof. Niraj Jha and Prof. Ruby Lee
–
Group members
•
NEC Labs America
–
Dr. Anand Raghunathan
–
Dr. Srivaths Ravi
Thank you!
Enter the password to open this PDF file:
File name:
-
File size:
-
Title:
-
Author:
-
Subject:
-
Keywords:
-
Creation Date:
-
Modification Date:
-
Creator:
-
PDF Producer:
-
PDF Version:
-
Page Count:
-
Preparing document for printing…
0%
Σχόλια 0
Συνδεθείτε για να κοινοποιήσετε σχόλιο