345 research outputs found

    Improving Safety of an Automotive AES-GCM Core and its Impact on Side-Channel Protection

    The increase in the number of electronic components and the corresponding growth in data flow in the automotive sector has led to growing concern about guaranteeing the security of electronic systems, especially in critical systems whose breach could jeopardize the integrity of the system and the safety of people. The use of systems that implement the Advanced Encryption Standard (AES) was seen as a solution to this problem, preventing improper access to vehicle data through encryption. The AES algorithm currently has no effective vulnerability, but the same is not true of its implementations, which are subject to so-called side-channel attacks, in which information resulting from the operation of these implementations is exploited in an attempt to discover the encrypted data. The application of IP cores in the automotive sector requires that their implementations comply with the ISO-26262 standard in order to ensure that their operation does not compromise the safety of the vehicle and its occupants. This compliance implies changes to the system architecture that can influence the operating characteristics normally exploited in attacks to obtain information that may eventually allow knowledge of the encrypted data to be gained. Thus, the development of the security components, from the perspective of information security and with regard to the operational safety of the vehicle and its occupants, which are still considered independent components, may in fact be related, since the improvements introduced to increase fault resilience and consequently the operational integrity of the systems may increase the system's fragility to attacks that compromise the security of the data.
The present work aims to develop an architecture capable of achieving the metrics for the highest level of safety certification according to the ISO-26262 standard (ASIL-D certification), starting from an existing architecture, and to compare the two architectures in terms of vulnerability to so-called side-channel attacks that exploit their dynamic power consumption. The results show that for the ASIL-D architecture the identification of points of interest and of relevant data in the power consumption is more evident, which suggests that the developed architecture is more vulnerable to attacks carried out by this process.

    The increase in electronic components and the corresponding increment in the data flow among electronic systems in automotive applications made security one of the main concerns in this sector. The use of IP cores that implement the Advanced Encryption Standard (AES) was seen as a solution to this problem, preventing improper access to vehicle data, through its encryption. The AES algorithm does not currently have any effective vulnerability, but the same does not happen with its implementations, which are subject to side-channel attacks, where information that results from the operation of these implementations is exploited in an attempt to discover the encrypted data. The application of IP cores in the automotive sector requires that the implementations comply with the ISO-26262 standard in order to ensure that their operation does not compromise the vehicle's safety. This compliance implies changes in the core architecture that can influence the characteristics of operation that are normally exploited in attacks. Thus, the development of safety and security components in the automotive sector, which are still considered as independent processes, may be related because safety improvements may cause changes in the system's vulnerability to attacks that can compromise its security.
This work aims to develop an architecture capable of reaching the metrics for the highest level of safety certification (ASIL-D), based on an existing architecture, and compare the two architectures in terms of vulnerability to side-channel attacks that exploit their dynamic power consumption. The results show that for the ASIL-D architecture, the identification of points of interest and relevant data on the power consumption traces is more evident, which suggests greater effectiveness of the attacks performed in this architecture.

    Methodologies for power analysis attacks on hardware implementations of AES

    Side Channel Attacks (SCA) exploit weaknesses in implementations of cryptographic functions resulting from unintended inputs and outputs such as execution timing, power consumption, electromagnetic radiation, thermal and acoustic emanations. Power Analysis Attacks (PAA) are a type of SCA in which an attacker measures the power consumption of a cryptographic device during normal execution. An attempt is then made to uncover a relationship between the instantaneous power consumption and secret key information. PAAs can be subdivided into Simple Power Analysis (SPA), Differential Power Analysis (DPA), and Correlation Power Analysis (CPA). Many attacks have been documented since PAAs were first described in 1998. But since they often vary significantly, it is difficult to directly compare the vulnerability of the implementations used in each. Research is necessary to identify and develop standard methods of evaluating the vulnerability of cryptographic implementations to PAAs. This thesis defines methodologies for performing PAAs on hardware implementations of AES. The process is divided into identification, extraction, and evaluation stages. The extraction stage is outlined for both simulated power consumption waveforms as well as for waveforms captured from physical implementations. An AES encryption hardware design is developed for the experiment. The hardware design is synthesized with the Synopsys 130-nm CMOS standard cell library. Simulated instantaneous power consumption waveforms are generated with Synopsys PrimeTime PX. Single and multiple-bit DPA attacks are performed on the waveforms. Improvements are applied in order to automate and improve the precision and performance of the system. The attacks on the simulated power waveforms are successful. The correct key byte is identified in 15 of the 16 single-bit attacks after 10,000 traces. 
The single-bit attack which does not uniquely identify the correct key byte becomes successful after 15,000 or more traces are applied. The key byte is found in 36 of the 38 multiple-bit attacks. The main contribution of this work is a methodology and simulation environment which can be used to design hardware which is resistant to PAA and determine and compare vulnerability.

    Power Profile Obfuscation using RRAMs to Counter DPA Attacks

    Side channel attacks, such as Differential Power Analysis (DPA), denote a special class of attacks in which sensitive key information is unveiled through information extracted from the physical device executing a cryptographic algorithm. This information leakage, known as side channel information, occurs from computations in a non-ideal system composed of electronic devices such as transistors. Power dissipation is one classic side channel source, which relays information of the data being processed. DPA uses statistical analysis to identify data-dependent correlations in sets of power measurements. Countermeasures against DPA focus on hiding or masking techniques at different levels of design abstraction and are typically associated with high power and area cost. Emerging technologies such as Resistive Random Access Memory (RRAM), offer unique opportunities to mitigate DPAs with their inherent memristor device characteristics such as variability in write time, ultra low power (0.1-3 pJ/bit), and high density (4F²). In this research, an RRAM based architecture is proposed to mitigate the DPA attacks by obfuscating the power profile. Specifically, a dual RRAM based memory module masks the power dissipation of the actual transaction by accessing both the data and its complement from the memory in tandem. DPA attack resiliency for a 128-bit AES cryptoprocessor using RRAM and CMOS memory modules is compared against baseline CMOS only technology. In the proposed AES architecture, four single port RRAM memory units store the intermediate state of the encryption. The correlation between the state data and sets of power measurement is masked due to power dissipated from inverse data access on dual RRAM memory. A customized simulation framework is developed to design the attack scenarios using Synopsys and Cadence tool suites, along with a Hamming weight DPA attack module. The attack mounted on a baseline CMOS architecture is successful and the full key is recovered.
However, DPA attacks mounted on the dual CMOS and RRAM based AES cryptoprocessor yielded unsuccessful results with no keys recovered, demonstrating the resiliency of the proposed architecture against DPA attacks.