
5 Feb 2013


Three Challenges of Secure Embedded System Design: Performance, Battery life and Robustness

Nachiketh Potlapally
Department of Electrical Engineering
Princeton University
Princeton, NJ
Email: npotlapa@princeton.edu

Embedded System Applications Require Security

[Figure labels: E-wallet; E-passport; portfolio management using Microsoft Money; Server; Network]

Device resources:
- RFID tag: 1.28-1.92 MHz, 128-512 bit ROM, 32-128 bit RAM, 10000 gate logic, battery (active)
- Smart card: 66 MHz, 240 KB ROM, 16 KB RAM, 912 KB EEPROM, crypto co-processor, battery (active)
- Cell-phone/PDA: 200 MHz, 16 MB RAM, 64 MB Flash, crypto co-processor, battery

Sensitive embedded system applications need security protocols to provide confidentiality, integrity and authentication

Confidentiality, Integrity and Authentication

Layers: Security objectives, Security protocols, Cryptographic algorithms

Confidentiality: Symmetric algorithms (DES, AES, 3DES, RC5)
- Table lookup
- Permutations
- Multiplication
- Modular addition
- Modular multiplication
- Fixed shift/rotate
- Variable shift/rotate

Integrity: Hash algorithms (MD4, HMAC, SHA-1)
- Multiplication
- Addition
- Logical operations
- Fixed shift/rotate

Authentication: Asymmetric algorithms (RSA, ECC, DH, ECDH)
- Modular exponentiation
- Point multiplication on elliptic curves

Crypto algorithms are computationally intensive

Challenges in Implementing Security on Embedded Systems

Embedded systems
- Low-end processors
- Battery energy supply

Security protocols on embedded systems:
- Reduced performance: 3DES and SHA require 130 MIPS @ 2 Mbps (Intel SA-1100 delivers 150 MIPS at 133 MHz)
- Shorter battery life: Sensoria WINS node needs 21.5 mJ/bit to transmit. RSA imposes overhead of 42 mJ/bit
- Susceptibility to side-channel attacks: infer cryptographic keys from non-invasive probing of implementation characteristics

Objectives in design of secure embedded systems: good performance, long battery life and robustness to attacks

My Research Experience

Publications:

1. “Algorithm Exploration for Efficient Public-Key Security Processing for Wireless Handsets”, DATE02
2. “Optimizing Public-key Encryption”, ICC02
3. “System-level Design methodologies for a Wireless Security Processing Platform”, DAC02
4. “Analyzing the Energy Consumption of Security Protocols”, ISLPED03
5. “Impact of Configurability and Extensibility on IPSec Protocol Execution on Embedded Processors”, VLSID06
6. “Satisfiability-based Framework for Enabling Side-channel Attacks on Cryptographic Software”, DATE06
7. “A Study of the Energy Consumption Characteristics of Cryptographic Algorithms and Security Protocols”, IEEE Transactions on Mobile Computing, February 2006
8. “Aiding Side-channel Attacks on Cryptographic Software with Satisfiability-based Analysis”, IEEE Transactions on VLSI Systems, April 2006
9. “Configuration and Extension of Embedded Processors to Optimize IPSec Protocol Execution”, IEEE Transactions on VLSI Systems. (To appear)
10. “Verifying Data Integrity with Few Queries to Untrusted Memory”, (In Submission)

Design of secure embedded systems:

1. Optimizing public-key algo. software performance [1,2]
2. Custom instruction design for public-key algo. [3]
3. Accelerating symmetric and hash algo. through custom instructions [5,9]
4. Optimizing IPSec protocol performance [5,9]
5. Reducing performance overhead of memory checking [10]

1. Analyzing energy consumption of cryptographic algorithms [4,7]
2. Optimize energy consumption of SSL protocol [4,7]
3. Reduce energy consumed by memory bus in memory integrity checking [10]

1. Satisfiability-based framework for enabling side-channel attacks on embedded cryptographic software [6,8]

Outline

- Part 1: Robustness of secure embedded systems
  - Satisfiability-based side-channel attacks on cryptographic software
- Part 2: Battery life of secure embedded systems
  - Analyze energy consumption of cryptographic algorithms and security protocols
- Future work

Part 1: Robustness

Satisfiability-based Side-channel Attacks on Cryptographic Software

Logical Inferences on Leaked Intermediate Values Can Expose Secret Key

[Figure labels: Cryptographic algorithm software; Plaintext; Ciphertext; Secret key; On-chip secure memory; Memory bus; Intermediate variables; Logical inferences]

Protect these variables too!

Robustness: Talk Outline

- Information leakage in software implementations
  - Active and passive leakage
- Logical cryptanalysis framework
  - Satisfiability (SAT) solver
  - Proposed cryptanalysis flow
- Experimental setup
- Results: DES, 3DES, and AES
  - Sensitive intermediate variables

Cryptanalysis: Theoretical View

[Figure labels: Black box; Cryptographic algorithm implementation; Plaintext; Ciphertext; Secret key; Secure storage]

Cryptographic algorithms are provably secure against mathematical cryptanalysis under the black-box assumption

Cryptanalysis: Software Leakage

[Figure labels: Applications; System library; Operating system; Hardware; System calls; Library calls; Machine instructions; Software; Plaintext; Ciphertext; On-chip secure memory]

Leakage sources:
- Persistence of swapped data (Garfinkel & Shelat, S&P 03)
- Memory bus monitoring (Anderson & Kuhn, USENIX 96)
- Sensitive residual data in buffers (Chow et al., USENIX 04)
- Proactive cache probing (C. Percival, Tech. Rep.)
- Sensitive data in core dumps (Broadwell et al., USENIX 03)
- Hacking run-time stack (V. Paretsky, Dr. Dobbs 05)

Cryptanalysis Using Leaked Intermediate Values

[Figure: data-flow graph of a crypto function with nodes V1 to V11 between plaintext, secret key and ciphertext. Legend: exposed intermediate computation; hidden computation; implied computation; implication path. Annotation: key is protected from exposure.]

Exposure of intermediate values may aid computation of protected secret key bits via logical implications

Logical Cryptanalysis Framework

[Figure labels: Plaintext P; Ciphertext C; Secret key K; Circuit description; Constraints (known plaintext + known ciphertext + exposed variables); Logical analysis/implication engine (theorem prover, satisfiability solver, ...); output: secret key]

Satisfiability (SAT) Solvers

- SAT solver finds satisfying Boolean assignment to variables in a conjunctive normal form (CNF) formula
  - Gives a proof if no such assignment exists
- SAT solver has a powerful logical implication engine in the form of Boolean constraint propagation (BCP)
- Circuits can be converted to CNF in linear time

CNF of gates with inputs x, y and output z (+ is OR, a bar is complement):
- AND: $(\bar{z}+x)(\bar{z}+y)(z+\bar{x}+\bar{y})$
- OR: $(z+\bar{x})(z+\bar{y})(\bar{z}+x+y)$
- XOR: $(\bar{z}+x+y)(z+\bar{x}+y)(z+x+\bar{y})(\bar{z}+\bar{x}+\bar{y})$

SAT-based Cryptanalysis Framework

1. CNF conversion: the cryptographic algorithm (plaintext P, secret key K, ciphertext C) is converted to its CNF formula Ψ(P, C, K)
2. Set plaintext and ciphertext values in Ψ(P, C, K)
3. Constraints: set values of exposed variables in Ψ(P, C, K)
4. SAT solver: returns K’ = 110..1 (consistent with the values set), or a timeout
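
Added example (not part of the original slides): the gate-to-CNF conversion and the implication step of the flow above, run on a constructed two-bit toy circuit whose variable names and numbering are assumptions. It shows why an exposed intermediate value has to be protected like the key: with only plaintext and ciphertext set, propagation implies no key bit, and setting one leaked intermediate implies both.

```python
# Added illustration (not from the slides): Tseitin clauses for AND/OR/XOR and
# Boolean constraint propagation (BCP) over a constructed 2-bit toy circuit.

def gate_cnf(kind, z, x, y):
    """CNF clauses forcing z = x <kind> y; a negative integer is a complement."""
    if kind == "AND":
        return [[-z, x], [-z, y], [z, -x, -y]]
    if kind == "OR":
        return [[z, -x], [z, -y], [-z, x, y]]
    if kind == "XOR":
        return [[-z, x, y], [z, -x, y], [z, x, -y], [-z, -x, -y]]
    raise ValueError(kind)

def bcp(clauses, known):
    """Extend the assignment {var: bool} with every unit-clause implication."""
    val, changed = dict(known), True
    while changed:
        changed = False
        for clause in clauses:
            if any(abs(l) in val and val[abs(l)] == (l > 0) for l in clause):
                continue                      # clause already satisfied
            free = [l for l in clause if abs(l) not in val]
            if not free:
                raise ValueError("conflict: the set values are inconsistent")
            if len(free) == 1:                # unit clause: last literal is forced
                val[abs(free[0])] = free[0] > 0
                changed = True
    return val

# Constructed toy "cipher": v1 = p1 XOR k1, v2 = p2 XOR k2, c = v1 AND v2.
VARS = {"p1": 1, "p2": 2, "k1": 3, "k2": 4, "v1": 5, "v2": 6, "c": 7}
PSI = gate_cnf("XOR", 5, 1, 3) + gate_cnf("XOR", 6, 2, 4) + gate_cnf("AND", 7, 5, 6)

def implied_key_bits(values):
    """Key bits that follow by implication once `values` are set in PSI."""
    val = bcp(PSI, {VARS[name]: bit for name, bit in values.items()})
    return {k: val[VARS[k]] for k in ("k1", "k2") if VARS[k] in val}

if __name__ == "__main__":
    pair = {"p1": True, "p2": False, "c": False}    # known plaintext/ciphertext
    print(implied_key_bits(pair))                   # black-box view
    print(implied_key_bits({**pair, "v1": True}))   # v1 exposed as well
```

A full SAT solver adds search on top of this propagation step; the toy circuit needs none.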

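CNF conversion : DES

[Figure: DES round. Labels: L_i, R_i, K_i, E, S1, S2, ..., S7, S8, P, L_{i+1}, R_{i+1}]

Converting z = F(x,y) to CNF:

$z = F(x,y) \;\Rightarrow\; (z \rightarrow F(x,y))\,(F(x,y) \rightarrow z) \;\Rightarrow\; (\bar{z} + F(x,y))\,(\overline{F(x,y)} + z)$

Algorithm   Clauses   Literals
DES         20328     6904
3DES        104928    35232

[Figure: DES structure. Plaintext passes through Round 1, Round 2, ..., Round i, ..., Round 16 to ciphertext; key setup derives K_1, K_2, ..., K_i, ..., K_16 from the secret key K. Width labels: 32, 32, 48]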

Experimental Setup

[Figure labels: Cryptographic algorithm software; RTL generator; CNF generator; xt-gcc compiler; Xtensa ISS; Memory traffic analyzer; Plaintext, ciphertext; Exposed variable values; MiniSAT solver; Secret key & sensitive variables]

Results: DES & 3DES

[Figure: three Feistel-round diagrams, captioned Sensitive variable set 1, Sensitive variable set 2 and Sensitive variable set 3. The first shows one round (L_i, R_i to L_{i+1}, R_{i+1} with F and K_i), the second two rounds (to L_{i+2}, R_{i+2} with K_i, K_{i+1}), the third four rounds (to L_{i+4}, R_{i+4} with K_i to K_{i+3}).]

Results: DES and 3DES

[Plots: time taken by SAT solver (seconds) versus plaintext-ciphertext pairs, for sensitive variable set 1 and sensitive variable set 3. Labels: DES, 3DES]

1. Sensitive variable sets 1 and 2: 1165 seconds (on average) with four plaintext-ciphertext pairs and corresponding intermediate variable values
2. Sensitive variable set 3: 750 seconds (on average) with four plaintext-ciphertext pairs and corresponding intermediate variable values

Results: AES

CNF conversion:

Algorithm   Literals   Clauses   Rounds
AES         10240      542432    10

Results of side-channel cryptanalysis:

5 seconds (on average) to get the 128-bit AES key with one plaintext-ciphertext pair and 128-bit input and output of any one round

Conclusions

- Presented a SAT-based framework for cryptanalysis
- Identified the set of sensitive intermediate variables in DES, 3DES and AES
- Future work:
  - Improve analysis techniques to reduce the size of sensitive variable set
  - Combine with traditional side-channel attacks

Part 2: Battery Life

Analyzing the Energy Consumption of Cryptographic Algorithms and Security Protocols

Impact of Security Processing on Battery Life: Battery Gap

- Security processing is computationally intensive
  - Drains battery faster

[Chart: number of transactions (axis 0 to 200) before the battery runs out of power, normal versus encrypted. Source: Network Associates Inc.]

Mobile node:
- Motorola DragonBall MC68328
- Sensoria WINS NG RF Subsystem (10 Kbps, 10 mW power)
- Sensoria WINS NG Battery Pack (7.2 V supplying 26 kJ)

There is a need for energy-efficient security protocols

Battery life: Outline

- Experimental setup
- Analysis of energy consumption of cryptographic algorithms
  - Symmetric algorithms
  - Public-key algorithms
- Analysis of energy consumption of SSL security protocol
- Discussion: Optimizing SSL
- Conclusions


Experimental Set-up

[Figure labels:
- Client: iPAQ H3670, SA-1100 StrongARM @206MHz, 64MB RAM, 16MB ROM; software stack HTTPS, SSL, TCP, IP, IPSec, Linux
- Wireless LAN/WAN; Server
- Power measurement system: data acquisition card, LabVIEW programming environment, SCB-68 I/O connector, sense resistor, lab power supply, serial]




Symmetric Algorithms

[Figure: plaintext P passes through Round 1, Round 2, ..., Round i, ..., Round N to ciphertext C; key setup derives round keys K_1, K_2, ..., K_i, ..., K_N from the secret key K. Each round implements confusion and diffusion operations.]

Energy Consumption Results: Impact of Symmetric Algorithm Parameters

Symmetric algorithm parameters influence system energy consumption
- Number of rounds of execution

[Chart: RC5. Cryptanalytic difficulty labels: $2^{47}$, $2^{95}$, $2^{119}$]

- Cipher parameters affect energy and security
- Energy-security trade-offs possible in symmetric algos.

Energy Consumption Results: Symmetric Algorithms

Energy consumption (plotted on a logarithmic scale in the original chart):

Algorithm   Key setup (µJ)   Enc/Dec (µJ/byte)
DES         27.53            2.08
3DES        87.04            6.04
IDEA        7.96             1.47
CAST        37.63            1.47
AES         7.87             1.21
RC2         32.94            1.73
RC4         95.97            3.93
RC5         66.54            0.79
BLOWFISH    3166.3           0.81

Symmetric algorithms have widely varying energy consumption values
- BLOWFISH has the greatest key setup cost, but very low enc/dec cost
- 3DES has the highest enc/dec cost

Symmetric Algorithm Block Cipher Modes

[Figure: block diagrams of ECB mode, CBC mode and OFB/CFB mode. Labels: Symmetric algorithm; Key; Initialization vector; Plaintext_0, Plaintext_1, ...; Ciphertext_0, Ciphertext_1, ...]

Energy Consumption Results: Impact of Symmetric Algorithm Modes

[Chart: AES energy consumption versus key size (128, 192, 256): key setup (µJ) and ECB, CBC, CFB, OFB modes (µJ/byte)]

Symmetric algorithm parameters influence system energy consumption
- Key size
- Cipher mode (ECB, CBC, CFB, OFB)

Energy Consumption Results: Impact of Table Lookups & Loop Unrolling

[Chart: energy consumption (J) versus number of tables per round (zero, one, four) and degree of unrolling (no unroll, partial unroll, full unroll), for a 60KB file with 128-bit key AES. Maximum energy and minimum energy points are marked.]

- Many tables and full loop unrolling increase the number of memory accesses
- Optimal energy with one table and partial unrolling

Energy Consumption Results: Processor vs. Memory Energy in AES

[Chart: memory and processor energy consumption (J) versus number of tables per round (zero, one, four), with partial loop unrolling, for a 60KB file with 128-bit key AES]

- Table lookups replace arithmetic instructions with loads and stores
- Energy consumption rises when tables affect caching behavior


Public-key Algorithms

- Constructed using trap-door one-way functions
  - Computationally infeasible to invert without ‘trap-door’ information
- Security is based on hard mathematical problems
  - Integer factorization (RSA)
  - Discrete logarithm in integer field (DH, DSA)
  - Discrete logarithm in elliptic fields (ECDH)
- Two applications of public-key algorithms
  - Authentication using digital signatures
  - Key exchange for symmetric algorithms

Energy Consumption Results: Public-key Algorithms (Digital Signature)

[Chart: energy consumption (mJ) of key generation, sign and verify for RSA (1024-bit), DSA (1024-bit) and ECDSA (160-bit)]

- RSA and ECDSA exhibit complementary energy consumption for sign and verify operations

Energy Consumption Results: Public-key Algorithms (Key Exchange)

[Chart: energy consumption (mJ) of key generation and key exchange for DH (1024-bit and 512-bit) and ECDH (160-bit)]

- Increasing key size drastically affects the energy consumption
- ECDH is more energy efficient than DH




Secure Sockets Layer (SSL)

[Figure: protocol stack. IP; TCP; SSL Record Protocol; above it SSL Handshake, SSL Change Cipher, SSL Alert and application data. Service labels: confidentiality, integrity; authentication, key exchange]

SSL Record Assembly:
- Application data is split into a fragment
- Compression: compressed fragment
- Message integrity: MAC trailer
- Padding
- Encryption: encrypted data
- SSL header plus encrypted data form the SSL record

Energy Break-up of SSL Processing

[Chart: energy consumption break-up (0% to 100%) among protocol, asymmetric, symmetric and hash processing for transaction sizes of 1K, 100K and 1M bytes. Labelled values: 41%, 44%, 46%]

- For small transactions, asymmetric algorithm energy dominates
- For large transactions, symmetric algorithm energy dominates
- Non-crypto processing accounts for more than 40% of the energy




Optimizing SSL Handshake

[Chart: energy consumption (mJ) of client operations and server operations for RSA and ECC, split into no client authentication and client authentication overhead]

SSL Handshake Optimizations
- Presence/absence of security services (such as client authentication)
- Choice of asymmetric cipher (RSA vs ECC)

Optimizing the SSL Record Stage

SSL Record Optimizations
- Choice of cipher suite (e.g., ECC-AES-MD5 vs. ECC-BLOWFISH-MD5) is influenced by the size of the data transmitted.
- Choice of cipher parameters (key size, number of rounds)

Algorithm   Key setup   Enc/Dec
AES         7.87        1.21
Blowfish    3167        0.81

Algorithm   Key setup   Enc/Dec
3DES        87          6.04
RC5         66.54       0.8

Conclusions

- Comprehensive analysis of energy consumption of cryptographic algorithms and security protocols
- Energy-security trade-offs possible in security protocols
  - Will tolerate lower security for reduced energy consumption
- Parameters identified include
  - Symmetric algorithm used in record stage
  - Asymmetric algorithm used in handshake
  - Key-size of asymmetric algorithms
  - Number of rounds in symmetric algorithms
  - Size of data to be transmitted

Future Work

Future Research: Robust, Light-weight Security

Layered Security Implementation: security objectives, security protocols, cryptographic algorithms, hardware-software architectures

Security protocols
- Scalable security protocols with variable rounds and per round complexity
  - Scalable Fiat-Shamir identification protocol

Cryptographic algorithms
1. Devise novel algorithms based on hard problems with simpler operations
  - Learning parity with noise
2. Algorithms based on energy efficient operations
  - LFSR-based hashing
  - Polynomial arithmetic-based algorithms

Hardware-software architectures
1. Efficient embedded architectures for newer crypto algorithms
  - NTRU
2. Low-cost architectures for side-channel attack resistance
  - Can leakage current provide side-channel information?
3. Hardware measures to tackle malware (viruses, worms)

Acknowledgements

- Princeton University
  - Prof. Niraj Jha and Prof. Ruby Lee
  - Group members
- NEC Labs America
  - Dr. Anand Raghunathan
  - Dr. Srivaths Ravi

Thank you!