Scan Based Attack on Dedicated Hardware Implementation of Data Encryption Standard Bo Yang ECE Dept Polytechnic Univ Kaijie Wu ECE Dept Univ of Illinois.


1 Scan Based Attack on Dedicated Hardware Implementation of Data Encryption Standard
Why is Scan a Bad Design For Test Methodology?
- Bo Yang, ECE Dept, Polytechnic Univ
- Kaijie Wu, ECE Dept, Univ of Illinois Chicago
- Ramesh Karri, ECE Dept, Polytechnic Univ, ramesh@india.poly.edu
cad.poly.edu/encryption

2 Scan DFT is extremely popular
- Scan DFT is extensively deployed
  - 82% of all ICs use Scan DFT for testing
- Scan DFT is widely supported
  - FastScan and TestKompress: Mentor Graphics
  - DFT Compiler and TetraMAX ATPG: Synopsys
  - Encounter Test: Cadence

3 Objective
- Show how secrets on a crypto chip can be compromised
- Demonstrate that scan is a terrible design-for-test methodology

4 Data Encryption Standard
- DES is a symmetric encryption algorithm
  - encryption key = decryption key
  - Decryption = Encryption^-1
- ENCRYPT (plaintext, bit key) = ciphertext
- DECRYPT (ciphertext, bit key) = plaintext
- 64-bit plaintext, 64-bit ciphertext, 56-bit secret key

5 DES Encryption
- 16 identical rounds
- one 48-bit round key per round
- 16 48-bit round keys are generated from 56-bit secret
[Figure labels: Plaintext, Initial Permutation, L, R, Round Function, 48-bit Round Key, Inverse Permutation, Ciphertext; bus widths 32 and 64]

6 One DES Round
[Figure labels: L_i, R_i, Round Key K_i, Expansion (32 to 48 bits), XOR, S-box 1 to S-box 8 (6 bits in, 4 bits out each), Permutation (32 bits), L_i+1, R_i+1; signals r, a, b, c, d]

7 DES Hardware Architecture
- Cipher Block Chaining mode → Iterative arch
- Input, L, R, Output Regs (32+32+64+64 FFs)

8 Mounting a scan attack
- Calculate X from W
- Calculate Y from Z
- Solve Key mixing

9 Two-step scan attack
- Step 1: Determine L and R registers in the scan chain
- Step 2: Discover round key 1 from L0, R0, L1 and R1

10 Scan Attack step 1
- Apply Plaintext 1: 000000…000000 → run in normal mode for 1 clock cycle → scan out bitstream 1: 01101…10011010
- Apply Plaintext 2: 100000…000000 → run in normal mode for 1 clock cycle → scan out bitstream 2: 01101…10001010
- Input, L, R and output registers can be determined
- 199 cycles to locate 1 FF → 199+199 cycles to locate 1 FF → 192×199+199 cycles to locate all FFs
[Figure labels: IC, flip-flops of input register, TDO, clock, reset]

11 How can we get K_i?
- Round Key K_i = a xor b
- Expansion is a bijection: r → a is easy
- Permutation is a bijection: d → c is easy
- s-box is not a bijection: c → b is not easy
[Figure labels: R_i, Expansion (48 bits), Round Key K_i, XOR, S-box 1 to S-box 8 (6 bits in, 4 bits out each), Permutation (32 bits); signals r, a, b, c, d]

12 Scan attack step 2

Address |  0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15
--------+------------------------------------------------
   0    | 14  4 13  1  2 15 11  8  3 10  6 12  5  9  0  7
   1    |  0 15  7  4 14  2 13  1 10  6 12 11  9  5  3  8
   2    |  4  1 14  8 13  6  2 11 15 12  9  7  3 10  5  0
   3    | 15 12  8  2  4  9  1  7  5 11  3 14 10  0  6 13

- s-box is not a bijection: c → b is not easy
- Every value appears 4 times in an s-box
- Every value appears only once in each row
- No s-box column has two or more identical values

13 Scan attack step 2
- 3 chosen plaintexts are enough to get a round key
  - apply a1 = (000000000000)_16 and observe c1
  - apply a2 = (208208208208)_16 and observe c2
  - apply a3 = (4A1C05451151)_16 and observe c3
- Derive round key K1
- Several such 3-tuples exist!
[Figure labels: Round Key K_i, XOR (48 bits), S-box 1 to S-box 8 (6 bits in, 4 bits out each); signals a, b, c]
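Added example (not from the original presentation): a Python model of the single s-box tabulated on slide 12. It checks the slide's three structural claims and counts how many 6-bit key chunks K remain consistent with the observed outputs c as more known inputs a are used. The FIPS 46-3 bit indexing and the input values are assumptions constructed for illustration; they are not the slide's a1 to a3.

```python
from collections import Counter

# The s-box table from slide 12 (rows 0-3, addresses 0-15).
SBOX = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

def sbox(b):
    """Map a 6-bit input b to a 4-bit output c (assumed FIPS 46-3 indexing)."""
    row = ((b >> 5) & 1) << 1 | (b & 1)   # outer two bits select the row
    col = (b >> 1) & 0xF                  # middle four bits select the address
    return SBOX[row][col]

def table_properties():
    """Check the three structural claims listed under the table."""
    counts = Counter(v for row in SBOX for v in row)
    four_times = all(counts[v] == 4 for v in range(16))
    once_per_row = all(sorted(row) == list(range(16)) for row in SBOX)
    cols_distinct = all(len({SBOX[r][c] for r in range(4)}) == 4
                        for c in range(16))
    return four_times, once_per_row, cols_distinct

def candidates(observations):
    """Key chunks K consistent with every observed (a, c), where b = a xor K."""
    return [k for k in range(64)
            if all(sbox(a ^ k) == c for a, c in observations)]

def worst_case(inputs):
    """Largest candidate set left, over all K, after observing c for each a."""
    return max(len(candidates([(a, sbox(a ^ k)) for a in inputs]))
               for k in range(64))

if __name__ == "__main__":
    print(table_properties())
    # Constructed input sets (assumption): they only toggle the row bits.
    for inputs in ([0b000000],
                   [0b000000, 0b000001, 0b100000],
                   [0b000000, 0b000001, 0b100000, 0b100001]):
        print(len(inputs), "input(s):", worst_case(inputs), "candidate(s) at worst")
```

A single observation always leaves four candidates because every value appears four times in the table; how quickly further inputs shrink the set depends on which inputs are chosen.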

14 Scan attack step 2
- Apply three plaintexts
  - Apply PT1 = (0000000000000000)_16
  - Scan-out CT1 from round register
  - Apply PT2 = (0000550000005500)_16
  - Scan-out CT2 from round register
  - Apply PT3 = (5500400110000401)_16
  - Scan-out CT3 from round register
- Derive round key K1
[Figure labels: L_i, R_i, Round Key K_i, Expansion (32 to 48 bits), XOR, S-box 1 to S-box 8 (6 bits in, 4 bits out each), Permutation (32 bits), L_i+1, R_i+1; signals r, a, b, c, d]

15 Discover round key
- Discover round key K1 → 399×3 = 1197 clock cycles
  - 2 clock cycles in normal mode for plaintext to reach R0, L0
  - 198 clock cycles in scan mode to scan out R0, L0
  - 1 clock cycle in normal mode for plaintext to reach R1, L1
  - 198 clock cycles in scan mode to scan out R1, L1

16 Discover user secret
- Discover user secret as follows:
  - 48-out-of-56 secret bits from round key K1
  - 7-out-of-remaining 8 secret bits from round key K2
    - Secret bits 17, 20, 23, 40, 41, 49, 50
  - Secret bit 46 from round key K3
- 1197×2 clock cycles to discover round keys K2 and K3

17 Summary of the attack
- Determine the positions of flip flops in the round register in the scan chain
- Scan round 1 and round 2 results
- Discover round keys K1, K2 and K3
- Discover user secret from round keys

18 Concluding remarks
- Do not use Scan DFT in crypto chips!
- FIPS 140-1: “A cryptographic module shall employ physical security mechanisms in order to restrict unauthorized physical access to the contents of the module and to deter unauthorized use or modification of the module...” (In 1994 at the peak of Scan DFT research)
- Translation: “Do not use scan DFT”
- Why should you?

19 Beware of Scan DFT
- Crypto chips are an excellent case study to show how bad scan DFT is.
- Your IC may be used in secure applications in the future. Beware of the security issues when you design ICs.

20 Scan Attack: Assumptions
- The attacker can access scan chains
- Round key registers are not in the scan chain
- The attacker knows the algorithm
- The attacker need not have access to high level timing diagrams
  - Avalanche effect (when does encryption begin and how long does it take?)
  - Modes of operation (CBC)

