the yin and yang sides of embedded security
play

The Yin and Yang Sides of Embedded Security Indocrypt 2011 December - PowerPoint PPT Presentation

Feb 08, 2023 •318 likes •787 views

The Yin and Yang Sides of Embedded Security Indocrypt 2011 December 12, Chennai Christof Paar Horst Grtz Institute for IT-Security Ruhr University Bochum Acknowledgement Tim Gneysu Markus Kasper Timo Kasper Gregor

  1. The Yin and Yang Sides of Embedded Security Indocrypt 2011 December 12, Chennai Christof Paar Horst Görtz Institute for IT-Security Ruhr University Bochum

  2. Acknowledgement • Tim Güneysu • Markus Kasper • Timo Kasper • Gregor Leander • Amir Moradi • David Oswald • Axel Poschmann

  3. Agenda • Some thoughts about embedded security • Yin 1: Car crashes and ECC • Yin 2: Bar codes and SP ciphers • Yang 1: Routers and AES • Yang 2: Subways and 3DES • Auxiliary stuff

  4. Agenda • Some thoughts about embedded security • Yin 1: Car crashes and ECC • Yin 2: Bar codes and SP ciphers • Yang 1: Routers and AES • Yang 2: Subways and 3DES • Auxiliary stuff

  5. Who cares about embedded systems? CPU market (units sold) PC & workstation CPUs 2 % embedded CPUs 98 % Q: But security ?

  6. Embedded Security – Examples Embedded DRM applications (iTunes, Kindle, …) Telemedicine Privacy & security of car2car communication Electronic IDs and e ‐ health cards

  7. Research in embedded security Western view 1. Efficienct implementation 2. Secure implementation Alternative view 1. Yin – constructive 2. Yang – desctructive The concept of yin yang is used to describe how polar opposites or seemingly contrary forces are interconnected and interdependent in the natural world, and how they give rise to each other in turn.

  8. Agenda • Some thoughts about embedded security • Yin 1: Car crashes and ECC • Yin 2: Bar codes and SP ciphers • Yang 1: Routers and AES • Yang 2: Subways and 3DES • Auxiliary stuff

  9. Making Cars Talk • USA [NHTSA, 2010] 33,000+ car fatalities in 2009 2m injuries • EU [KOM 2010 – 389] 35,000+ car fatalities 1.5m injuries • 90% driver errors Video courtesy of Ken Labertaux, Toyota Research → Mechanical saftey (safety belt, air bag, ABS): great success but limits have been reached → Electronic driver assistance will be key tool

  10. VANET – Vehicular Ad ‐ Hoc Networks Broadcast position & direction information: 1. greatly improve safety 2. improve traffic management Network characteristics • small messages ( ≈ 100 Bytes) • medium frequency ( ≈ 10 messages/sec per car) • very ad ‐ hoc (short lived, high dynamics) • high number of incoming messages (> 1000msg/sec per car) • IEEE P1609/DSRC standard But messages must be authenticated! (safety ‐ critical & legislative requirements) Key tool for authentication: digital signatures with elliptic curves …

  11. Elliptic Curve Primitive • k pub Given an elliptic curve E and a point P k pr E: y 2 =x 3 +ax+b mod p Q = s P • Public key Q is multiple of base point P P Q = P + P + … + P = s P 3P group operation • EC discrete logarithm problem: P+P s = dlog P (Q)

  12. Point Addition R = P + T Jacobian Coordinates over GF(p) • Input P = (X 1 ,Y 1 ,Z 1 ) ; T = (X 2 ,Y 2 ,Z 2 ) • Output R = (X 3 ,Y 3 ,Z 3 ) 2 mod p A = X 1 Z 2 2 mod p B = X 2 Z 1 1 Point Add = 14 MUL 256bit = 3584 MUL 16bit 3 mod p C = Y 1 Z 2 3 mod p D = Y 2 Z 1 E = B – A mod p Can we generate 1000+ signatures/sec F = D ‐ C mod p with commodity hardware? X 3 = ‐ E 3 ‐ 2AE 2 +F 2 (think Tara Tiny < Rs. 300,000) Y 3 = ‐ CE 3 +F(AE 2 ‐ X 3 ) Z 3 = Z 1 Z 2 E

  13. Real ‐ Time Signature Engine for VANETs Requirements • 256bit ECC Engine (long ‐ term security) • 1000 sign./sec → 1,000,000,000 Mul 16 /sec New VANET Signature Engine • Idea: use DSP blocks (fast mult ‐ and ‐ add units) on commercial FPGAs • 1 Mul 256 requires 63 cycles@500MHz • Low ‐ cost FPGA: > 1.500 signatures/sec • (high ‐ end FPGA: 30.000 signature/sec) • performance and cost ‐ performance record for commercial hardware

  14. Agenda • Some thoughts about embedded security • Yin 1: Car crashes and ECC • Yin 2: Bar codes and SP ciphers • Yang 1: Routers and AES • Yang 2: Subways and 3DES • Auxiliary stuff

  15. Lightweight Cryptography • “We need security with less than 2000 gates” Sanjay Sarma, AUTO ‐ ID Labs, CHES 2002 • $3 trillions annually due to product piracy* (> US budget) *Source: www.bascap.com  Authentication & identification: can both be fixed with cryptography

  16. Strong Identification (symmetric crypto) r 1. random challenge r 2. encrypted response y e k (r) = y e k () 3. verification e k () e k (r) = y‘ y == y‘ Challenge: Encryption function e() at extremely low cost → almost all existing ciphers not optimized for cost … → Q: How cheap can we make cryptography?

  17. PRESENT – An agressively cost ‐ otimized block cipher for RFID Key Indocrypt • pure substitution ‐ permutation network Register • 64 bit block, 80/128 bit key • 4 ‐ 4 bit Sbox Key Schedule • 31 round (32 clks) • secure against DC, LC … S S • joint work with Lars Knudsen, Matt Robshaw et al. Permutation &zgT?qb=Q

  18. Resource use within PRESENT Round ‐ parallel implementation (1570ge) P Key State Register 25% Key XOR Key Schedule 30% 11% … S S SP Layer • Registers (state + key) 55% 29% • Key XOR 11% Permutation • SP Layer („crypto“) 29% C

  19. Results – PRESENT gates 32 clk 563clk 1016 clk round ‐ 3595 parallel round ‐ seriell 1570 996 PRESENT80 AES128 PRESENT80 Smallest secure cipher • Serial implementation approaches theoretical complexity limit: • almost all area is used for the 144 bit state (key + data path) ISO standard pending (2012) • “German Security Award 2010” •

  20. Agenda • Some thoughts about embedded security • Yin 1: Car crashes and ECC • Yin 2: Bar codes and SP ciphers • Yang 1: Routers and AES • Yang 2: Subways and 3DES • Auxiliary stuff

  21. FPGAs = Reconfigurable Hardware Widely used in • routers • consumer products • automotive, machinery • military But: Copying the configuration files makes hardware counterfeiting easy!

  22. Solution: Bitstream encryption FPGA Design Secret Keys Proprietary Algorithms IP Cores Bitstream PCB board SRAM FPGA 3DES Attacker Power ‐ up ? = 3DES ‐ 1 Bitstream Factory E2PROM Internet Firmware Update

  23. Let’s try side ‐ channel analysis power traces PCB board VCC ‐ IO VCC ‐ AUX VCC ‐ INT Power ‐ up 3DES ‐ 1 E2PROM design file (!)

  24. Side ‐ Channel Attacks (1 ‐ slide version) • Find a suited predictable intermediate value in the cipher • Measure the power consumption • Post-process acquired data • Perform the attack to recover the key

  25. Our measurement set ‐ up

  26. Our measurement set ‐ up

  27. Signal acquisition

  28. ... 6 months later key of 1 st DES key of 2 nd DES key of 3 rd DES

  29. Long story made short: Decryption of “secret” designs is easy! • Requires single power ‐ up ( ≈ 50,000 traces) • Complete 3DES key recovered with 2 ‐ 3 min of computation • Attack possible even though 3DES is only very small part of chip (< 1%) • Attack requires some experience, but • cheap equipment • easy to repeat

  30. Implications • Reverse engineering of design internals • Cloning of product • Alterations of design (chip tuning) • Trojan hardware (i.e., malicious hardware functions) • …

  31. Agenda • Some thoughts about embedded security • Yin 1: Car crashes and ECC • Yin 2: Bar codes and SP ciphers • Yang 1: Routers and AES • Yang 2: Subways and 3DES • Auxiliary stuff

  32. Contactless Payment Cards • Contactless card ≈ RFID + symmetric crypto • Many security ‐ sensitive applications – payment – passport – public transport – access control • Security hinges on secrecy of key … Sources: Wikipedia, cutviews.com

  33. Brief history of contactless cards • First generation (since 2000 and earlier) Mifare Classic, Legic Prime, TI DST, Hitag, ... – Proprietary cipher – Short key – Classical attacks (mathematical, brute ‐ force) feasible • Today Mifare DESFire (EV1), Mifare Plus, Legic Advant, Infineon SLE, SmartMX, ... – 3DES & AES → secure against classical cryptanalysis – ?Implementation attacks?

  34. Mifare DESFire Attack • Strong cipher : 3DES • Widely used : Prague, San Francisco, … • RFID – Power traces from EM field  High threat for real world (payment) systems

  35. Measurement Setup

  36. Measurement Setup • ISO14443 ‐ compatible • Freely Programmable • Low Cost (< 40 €)

  37. Measurement Setup • 1 GS/s, 128 MB Memory • ± 100 mV • USB 2.0 Interface

  38. Trace Overview ... Other processing Plaintext 3DES Ciphertext

  39. Example: DPA ‐ extraction of 6 key bits

  40. DES Full Key Recovery

  41. Conclusions: DESFire Attack • Full key ‐ recovery with appr. 250k traces ( ≈ hours) • Low ‐ cost equipment, $2500 • Opportunities for optimization  High threat for real world (payment) systems

  42. Agenda • Some thoughts about embedded security • Yin 1: Car crashes and ECC • Yin 2: Bar codes and SP ciphers • Yang 1: Routers and AES • Yang 2: Subways and 3DES • Auxiliary stuff

Recommend

Robustness and Regularization: Two sides of the same coin (Joint work with Jose Blanchet and Yang

Robustness and Regularization: Two sides of the same coin (Joint work with Jose Blanchet and Yang

Robustness and Regularization: Two sides of the same coin (Joint work with Jose Blanchet and Yang Kang) Karthyek Murthy Columbia University Jun 28, 2016 1 / 18 Introduction Richer data has tempted us to consider more elaborate models

678 views • 50 slides
embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt Gierlichs KU Leuven, COSIC IACR Summer school 2015 Chia Laguna, Italy Attack on channel between communicating parties Encryption and

412 views • 6 slides
Swift: A Register-based JIT Compiler for Embedded JVMs Yuan Zhang, Min Yang, Bo Zhou, Zhemin

Swift: A Register-based JIT Compiler for Embedded JVMs Yuan Zhang, Min Yang, Bo Zhou, Zhemin

Swift: A Register-based JIT Compiler for Embedded JVMs Yuan Zhang, Min Yang, Bo Zhou, Zhemin Yang, Weihua Zhang, Binyu Zang Fudan University Eighth Conference on Virtual Execution Environment (VEE 2012) DEX: a new Java bytecode format Android

573 views • 39 slides
Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on

Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on

Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on Computation and Society Harvard University Talk Outline Why Phishing Works Dynamic Security Skins Embedded Security Indicators Talk

731 views • 57 slides
A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A. Francillon, D. Balzarotti EURECOM, France 20th August 2014 USENIX Security '14 San Diego, USA Embedded Systems Are Everywhere Andrei Costin 2 By

1.03k views • 72 slides
Implications for Financial Security &amp; Health On Both Sides of the Border Edward Johns,

Implications for Financial Security &amp; Health On Both Sides of the Border Edward Johns,

Living Longer in Mexico: Implications for Financial Security &amp; Health On Both Sides of the Border Edward Johns, Senior Advisor Office of International Affairs AARPs International Role AARP seeks best practices, innovative public

548 views • 18 slides
Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems pieter.willems@silexinsight.com V2.0 2019 Overview Silex Insight Introduction Embedded security markets and applications Security

590 views • 15 slides
Who we are Eshard - Embedded Security Company Software &amp; Hardware Security What do we

Who we are Eshard - Embedded Security Company Software &amp; Hardware Security What do we

Who we are Eshard - Embedded Security Company Software &amp; Hardware Security What do we do: @eshardNews Tools: Side Channel / Code Analysis Consultancy https://www.eshard.com Audit contact@eshard.com Training

752 views • 54 slides
Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi

Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi

Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL Embedded interpreters Host system Bytecode Embedded Output interpreter Input

1.39k views • 94 slides
Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark

Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark

Methodologies For Hacking Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark Carey is the Chief Scientist for Peak Security. Over 22 years of experience in engineering and security. - Keeper of

1.06k views • 103 slides
Systems Security: Hardware, embedded system and IoT security Stjepan Picek s.picek@tudelft.nl

Systems Security: Hardware, embedded system and IoT security Stjepan Picek s.picek@tudelft.nl

Systems Security: Hardware, embedded system and IoT security Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands April 23, 2018 Outline 1 General Information 2 Lightweight Cryptography 3 Random Number Generators 4

1.35k views • 64 slides
for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

Attacker Models for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1 Security-sensitive hardware: examples 2 Naive attacker model Attacks on communication channels exploiting lousy crypto or insecure

904 views • 45 slides
EMSEC: Embedded Security and Cryptography Responsables: Gildas Avoine, Pierre-Alain Fouque

EMSEC: Embedded Security and Cryptography Responsables: Gildas Avoine, Pierre-Alain Fouque

EMSEC: Embedded Security and Cryptography Responsables: Gildas Avoine, Pierre-Alain Fouque Prsentation: Stphanie Delaune (CNRS) EMSEC team Embedded Security &amp; Cryptography 7 permanent researchers, 12 PhD students, and 2 post-docs

308 views • 11 slides
e-SIDES Ethical and Societal Implications of Data Sciences What is e-SIDES? Horizon 2020

e-SIDES Ethical and Societal Implications of Data Sciences What is e-SIDES? Horizon 2020

e-SIDES Ethical and Societal Implications of Data Sciences What is e-SIDES? Horizon 2020 grant, running for 3 years Three partners in consortium: eLaw team Planned results 7 community events; Final conference; 7 white

443 views • 28 slides
and sides between congruent triangles basing on the fact that corresponding parts in congruent

and sides between congruent triangles basing on the fact that corresponding parts in congruent

D AY 62 C ONGRUENT ANGLES AND SIDES I NTRODUCTION The most important parts of the triangle that we consider here are sides and three angles. Congruent triangles have corresponding sides of the same length and corresponding angles with

495 views • 14 slides
Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System

Embedded System Security Professor Patrick McDaniel Charles Sestito Fall 2015 Embedded System Microprocessor used as a component in a device and is designed for a specific control function within a device Used In: Cell Phones

560 views • 31 slides
congruent because the images, the pre-image, and the image, congruent one having undergone a rigid

congruent because the images, the pre-image, and the image, congruent one having undergone a rigid

D AY 51 I DENTIFYING C ONGRUENT SIDES OF A TRIANGLE I NTRODUCTION When a figure undergoes a rigid motion, its shape and size do not change. As a result, it becomes easy to trace the sides that originate from the initial sides before the

373 views • 10 slides
On the Security of the Pre-Shared Key Ciphersuites of TLS Yong Li 1 , Sven Schge 2 , Zheng Yang

On the Security of the Pre-Shared Key Ciphersuites of TLS Yong Li 1 , Sven Schge 2 , Zheng Yang

On the Security of the Pre-Shared Key Ciphersuites of TLS Yong Li 1 , Sven Schge 2 , Zheng Yang 1 , Florian Kohlar 1 , and Jrg Schwenk 1 1 Horst Grtz Institute for IT Security, Bochum 2 University College London Buenos Aires, Argentina

509 views • 30 slides
Today Computer Security Embedded system security This is a huge area General

Today Computer Security Embedded system security This is a huge area General

Today Computer Security Embedded system security This is a huge area General principles Prof Kasera teaches a good course on it Examples Today we are not talking about Protocol design (another huge area) Password

403 views • 4 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX 2012 Kees Cook &lt;keescook@google.com&gt; (pronounced &quot;Case&quot;) Overview Overview Identifying the threat model not the

974 views • 50 slides
ELC 2013 Security: Best Practices for Embedded Systems John Mehaffey Senior System Architect

ELC 2013 Security: Best Practices for Embedded Systems John Mehaffey Senior System Architect

ELC 2013 Security: Best Practices for Embedded Systems John Mehaffey Senior System Architect Embedded Systems Division mentor.com/embedded Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. Linux

544 views • 17 slides
TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

CE Linux Forum Worldwide Embedded Linux Conference 2007 April 17-19, 2007 TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux http://tomoyo.sourceforge.jp/ Toshiharu Harada Tetsuo Handa NTT DATA

654 views • 47 slides
escrypt GmbH for Embedded Security A Generic Architecture and Extension of eCryptfs: Secret

escrypt GmbH for Embedded Security A Generic Architecture and Extension of eCryptfs: Secret

System Provider escrypt GmbH for Embedded Security A Generic Architecture and Extension of eCryptfs: Secret Sharing Scheme, Smartcard Integration and a new Linux Security Module Daniel Bumeyer 2 , Benedikt Driessen 1 , Andr Osterhues 1 ,

630 views • 18 slides

More recommend