Scan Based Attack on Dedicated Hardware Implementation of Data Encryption Standard Bo Yang ECE Dept Polytechnic Univ Kaijie Wu ECE Dept Univ of Illinois.

Slides:

Advertisements

Similar presentations

From Crypto-Theory to Crypto-Practice 1 CHAPTER 14: From Crypto-Theory to Crypto-Practice SHIFT REGISTERS The first practical approach to ONE-TIME PAD.

Advertisements

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.

Testing of Cryptographic Hardware Presented by: Debdeep Mukhopadhyay Dept of Computer Science and Engineering, Indian Institute of Technology Madras.

Cryptography and Network Security Chapter 3

The Advanced Encryption Standard (AES) Simplified.

Rachana Y. Patil 1 Data Encryption Standard (DES) (DES)

Data Encryption Standard (DES)

Symmetric Encryption Example: DES Weichao Wang. 2 Overview of the DES A block cipher: – encrypts blocks of 64 bits using a 64 bit key – outputs 64 bits.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 Overview of the DES A block cipher: –encrypts blocks of 64 bits using a 64 bit key –outputs 64 bits of ciphertext A product cipher –basic unit is the.

Advanced Encryption Standard. This Lecture Why AES? NIST Criteria for potential candidates The AES Cipher AES Functions and Inverse Functions AES Key.

Encryption Transaction with 3DES Team W2 Yervant Dermenjian (W21) Taewan Kim (W22) Evan Mengstab(W23) Xiaochun Zhu(W24) Objective: To implement a secure.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.

Secure Systems Design Ramesh Karri Office Hours: Tues/Wed/Thurs: 12:00- 1:30 in LC 001

ICS 454: Principles of Cryptography

Computer Networking Lecture 21: Security and Cryptography Thanks to various folks from , semester’s past and others.

Lecture 23 Symmetric Encryption

Decryption Algorithms Characterization Project ECE 526 spring 2007 Ravimohan Boggula,Rajesh reddy Bandala Southern Illinois University Carbondale.

Network Security Chapter

CSE 651: Introduction to Network Security

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

Data Encryption Standard (DES). Symmetric Cryptography  C = E(P,K)  P = D(C,K)  Requirements  Given C, the only way to obtain P should be with  the.

The Digital Encryption Standard CSCI 5857: Encoding and Encryption.

The Data Encryption Standard - see Susan Landau’s paper: “Standing the test of time: the data encryption standard.” DES - adopted in 1977 as a standard.

Securing the core root of trust (research in secure hardware design and test) Ramesh Karri ECE Department.

Chapter 20 Symmetric Encryption and Message Confidentiality.

TE/CS 536 Network Security Spring 2006 – Lectures 6&7 Secret Key Cryptography.

Chapter 20 Symmetric Encryption and Message Confidentiality.

Cracking DES Cryptosystem A cryptosystem is made of these parts: Two parties who want to communicate over an insecure channel An encryption algorithm that.

Data Encryption Standard (DES) © 2000 Gregory Kesden.

BLOCK CIPHER SYSTEMS OPERATION MODES OF DATA ENCRYPTION STANDARD (DES)

Introduction to Computer Security ©2004 Matt Bishop Information Security Principles Assistant Professor Dr. Sana’a Wafa Al-Sayegh 1 st Semester

Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.

McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 Security.

Classical &ontemporyryptology 1 Block Cipher Today’s most widely used ciphers are in the class of Block Ciphers Today’s most widely used ciphers are in.

DES Algorithm Data Encryption Standard. DES Features Block cipher, 64 bits per block 64-bit key, with only 56 bits effective ECB mode and CBC mode.

Modes of Usage Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) 11 Coming up: Modes of.

Stream Ciphers and Block Ciphers A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream.

“Implementation of a RC5 block cipher algorithm and implementing an attack on it” Cryptography Team Presentation 1.

TE/CS 536 Network Security Spring 2005 – Lecture 8 Security of symmetric algorithms.

Introduction to Information Security Lect. 6: Block Ciphers.

Lecture 23 Symmetric Encryption

Fifth Edition by William Stallings

Cracking the DES Encryption

1 Symmetric key cryptography: DES DES: Data Encryption Standard US encryption standard [NIST 1993] 56-bit symmetric key, 64 bit plaintext input How secure.

Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity.

K. Salah1 Cryptography Module I. K. Salah2 Cryptographic Protocols  Messages should be transmitted to destination  Only the recipient should see it.

Chapter 2 Symmetric Encryption.

DES Analysis and Attacks CSCI 5857: Encoding and Encryption.

1 The Data Encryption Standard. 2 Outline 4.1 Introduction 4.4 DES 4.5 Modes of Operation 4.6 Breaking DES 4.7 Meet-in-the-Middle Attacks.

Network Security Lecture 3 Secret Key Cryptography

Module :MA3036NI Symmetric Encryption -3 Lecture Week 4.

Block Ciphers and the Data Encryption Standard. Modern Block Ciphers  One of the most widely used types of cryptographic algorithms  Used in symmetric.

CST 312 Pablo Breuer. A block of plaintext is treated as a whole and used to produce a ciphertext block of equal length Typically a block size of 64 or.

1 CPCS425: Information Security (Topic 5) Topic 5  Symmetrical Cryptography  Understand the principles of modern symmetric (conventional) cryptography.

@Yuan Xue Announcement Project Release Team forming Homework 1 will be released next Tuesday.

Provides Confidentiality

ICS 454: Principles of Cryptography

Block Ciphers: DES and AES

SYMMETRIC ENCRYPTION.

Block Ciphers (Crypto 2)

SOHAIL SHAHUL HAMEED Dr. BHARGAVI GOSWAMI

ICS 555: Block Ciphers & DES Sultan Almuhammadi.

Presentation transcript:

Scan Based Attack on Dedicated Hardware Implementation of Data Encryption Standard Bo Yang ECE Dept Polytechnic Univ Kaijie Wu ECE Dept Univ of Illinois Chicago Ramesh Karri ECE Dept Polytechnic Univ cad.poly.edu/encryption Why is Scan a Bad Design For Test Methodology?

Scan DFT is extremely popular Scan DFT is extensively deployed Scan DFT is extensively deployed 82% of all ICs use Scan DFT for testing 82% of all ICs use Scan DFT for testing Scan DFT is widely supported Scan DFT is widely supported Fast Scan and TestKcompress: Mentor Graphics Fast Scan and TestKcompress: Mentor Graphics DFT compiler and TetraMAX ATPG: Synopsys DFT compiler and TetraMAX ATPG: Synopsys Encounter Test: Cadence Encounter Test: Cadence

Objective Show how secrets on a crypto chip can be compromised Show how secrets on a crypto chip can be compromised Demonstrate that scan is a terrible design-for-test methodology Demonstrate that scan is a terrible design-for-test methodology

Data Encryption Standard DES is a symmetric encryption algorithm DES is a symmetric encryption algorithm encryption key = decryption key encryption key = decryption key Decryption = Encryption -1 Decryption = Encryption -1 ENCRYPT (plaintext, bit key) = ciphertext ENCRYPT (plaintext, bit key) = ciphertext DECRYPT (ciphertext, bit key) = plaintext DECRYPT (ciphertext, bit key) = plaintext 64-bit plaintext, 64-bit ciphertext, 56-bit secret key 64-bit plaintext, 64-bit ciphertext, 56-bit secret key

DES Encryption Initial Permutation Plaintext Round Function R L 48-bit Round Key Inverse Permutation Ciphertext 16 identical rounds 16 identical rounds one 48-bit round key per round one 48-bit round key per round bit round keys are generated from 56-bit secret bit round keys are generated from 56-bit secret 32 64

One DES Round LiLi RiRi Round Key K i + L i+1 R i+1 r Expansion S-box 1S-box Permutation 32 a b c d

DES Hardware Architecture Cipher Block Chaining mode  Iterative arch Cipher Block Chaining mode  Iterative arch Input, L, R, Output Regs ( FFs) Input, L, R, Output Regs ( FFs)

Mounting a scan attack Calculate X from W Calculate X from W Calculate Y from Z Calculate Y from Z Solve Key mixing Solve Key mixing

Two-step scan attack Step 1: Determine L and R registers in the scan chain Step 1: Determine L and R registers in the scan chain Step 2: Discover round key 1 from L 0, R 0, L 1 and R 1 Step 2: Discover round key 1 from L 0, R 0, L 1 and R 1

Scan Attack step 1 … IC Flip-flops of input register TDO Apply Plaintext 1:000000…  run in normal mode for 1 clock cycle  scan out bitstream 1: 01101… Apply Plaintext 2:100000…  run in normal mode for 1 clock cycle  scan out bitstream 2: 01101… Input, L, R and output registers can be determined Input, L, R and output registers can be determined 199 cycles to locate 1 FF  cycles to locate 1 FF  192× cycles to locate all FFs clock reset

How can we get K i ?  Round Key K i = a xor b  Expansion is a bijection  r  a is easy  Permutation is a bijection  d  c is easy  s-box is not a bijection  c  b is not easy RiRi Expansion Round Key, K i S-box 1S-box Permutation 32 r a b c d 48

Scan attack step 2 Address  s-box is not a bijection  c  b is not easy Every value appears 4 times in an s-box Every value appears 4 times in an s-box Every value appears only once in each row No s-box column has two or more identical values No s-box column has two or more identical values

Scan attack step 2 3 chosen plaintexts are enough to get a round key 3 chosen plaintexts are enough to get a round key apply a1=( ) 16 and observe c1 apply a2=( ) 16 and observe c2 apply a3=(4A1C ) 16 and observe c3 Derive round key K1 Derive round key K1 Several such 3-tuples exist !!! Several such 3-tuples exist !!! Round Key, K i S-box 1S-box a b c 48

Scan attack step 2 Apply three plaintexts Apply three plaintexts Apply PT1 = ( ) 16 Apply PT1 = ( ) 16 Scan-out CT1 from round register Scan-out CT1 from round register Apply PT2 = ( ) 16 Apply PT2 = ( ) 16 Scan-out CT2 from round register Scan-out CT2 from round register Apply PT3 = ( ) 16 Apply PT3 = ( ) 16 Scan-out CT3 from round register Scan-out CT3 from round register Derive round key K1 Derive round key K1 LiLi RiRi Round Key K i + L i+1 R i+1 r Expansion S-box 1S-box Permutation 32 a b c d

Discover round key Discover round key Discover round key K1  399×3=1197 clock cycles 2 clock cycles in normal mode for plaintext to reach R0, L0 198 clock cycles in scan mode to scan out R0, L0 1 clock cycle in normal mode for plaintext to reach R1, L1 198 clock cycles in scan mode to scan out R1, L1

Discover user secret Discover user secret as follows: 48-out-of-56 secret bits from round key K1 7-out-of-remaining 8 secret bits from round key K2 Secret bits 17, 20, 23, 40, 41, 49, 50 Secret bit 46 from round key K3 1197×2 clock cycles to discover round keys K2 and K3

Summary of the attack Determine the positions of flip flops in the round register in the scan chain Determine the positions of flip flops in the round register in the scan chain Scan round 1 and round 2 results Scan round 1 and round 2 results Discover round keys K1, K2 and K3 Discover round keys K1, K2 and K3 Discover user secret from round keys Discover user secret from round keys

Concluding remarks Do not use Scan DFT in crypto chips! Do not use Scan DFT in crypto chips! FIPS “A cryptographic module shall employ physical security mechanisms in order to restrict unauthorized physical access to the contents of the module and to deter unauthorized use or modification of the module... (In 1994 at the peak of Scan DFT research) FIPS “A cryptographic module shall employ physical security mechanisms in order to restrict unauthorized physical access to the contents of the module and to deter unauthorized use or modification of the module... (In 1994 at the peak of Scan DFT research) Translation: “Do not use scan DFT” Translation: “Do not use scan DFT” Why should you ? Why should you ?

Beware of Scan DFT Crypto chips are an excellent case study to show how bad scan DFT is. Crypto chips are an excellent case study to show how bad scan DFT is. Your IC may be used in secure applications in the future. Beware of the security issues when you design ICs. Your IC may be used in secure applications in the future. Beware of the security issues when you design ICs.

Scan Attack: Assumptions The attacker can access scan chains The attacker can access scan chains Round key registers are not in the scan chain Round key registers are not in the scan chain The attacker knows the algorithm The attacker knows the algorithm The attacker need not have access to high level timing diagrams The attacker need not have access to high level timing diagrams Avalanche effect (when does encryption begin and how long does it take?) Avalanche effect (when does encryption begin and how long does it take?) Modes of operation (CBC) Modes of operation (CBC)