Hardware-software co-design of AES on FPGA

This paper presents a compact hardware-software co-design of Advanced Encryption Standard (AES) on the field programmable gate arrays (FPGA) designed for low-cost embedded systems. The design uses MicroBlaze, a soft-core processor from Xilinx. The computationally intensive operations of the AES are implemented in hardware for better speed. The sub-byte calculation is designed with the help of the processor carrying out the calculations using hardware blocks implemented using FPGA. By incorporating the processor in the AES design, the total number of slices required to implement the AES algorithm on FPGA is proved to be reduced. The entire AES system design is validated using 460 slices in Spartan-3E XC3S500E, which is one of the low-cost FPGA

Cloud security - An approach with modern cryptographic solutions

The term “cloud computing” has been in the spotlights of IT specialists due to its potential of transforming computer industry. Unfortunately, there are still some challenges to be resolved and the security aspects in the cloud based computing environment remain at the core of interest. The goal of our work is to identify the main security issues of cloud computing and to present approaches to secure clouds. Our research also focuses on data and storage security layers. As a result, we found out that the protection of cloud data lies in cloud cryptography. Thus, this thesis reviews the new cryptographic techniques used to protect and process encrypted data in a remote cloud storage. In this thesis we are proposing a cryptographic scheme which uses fingerprint scanning for user authentication and AES technique of 128/192/256 bit cipher key for encryption and decryption of user's data. AES provides higher data security compared to other encryption techniques like DES and Blowfish. Our scheme is used in DropBoxCrypt application. DropBoxCrypt is a data encryption-decryption application developed for Android mobile devices which can be used for browsing, exporting and opening encrypted data stored in cloud storage

Hardware Design and Implementation of Role-Based Cryptography

Traditional public key cryptographic methods provide access control to sensitive data by allowing the message sender to grant a single recipient permission to read the encrypted message. The Need2Know® system (N2K) improves upon these methods by providing role-based access control. N2K defines data access permissions similar to those of a multi-user file system, but N2K strictly enforces access through cryptographic standards. Since custom hardware can efficiently implement many cryptographic algorithms and can provide additional security, N2K stands to benefit greatly from a hardware implementation. To this end, the main N2K algorithm, the Key Protection Module (KPM), is being specified in VHDL. The design is being built and tested incrementally: this first phase implements the core control logic of the KPM without integrating its cryptographic sub-modules. Both RTL simulation and formal verification are used to test the design. This is the first N2K implementation in hardware, and it promises to provide an accelerated and secured alternative to the software-based system. A hardware implementation is a necessary step toward highly secure and flexible deployments of the N2K system

An Open Question on the Uniqueness of (Encrypted) Arithmetic

We ask whether two or more images of arithmetic may inhabit the same space via different encodings. The answers have significance for a class of processor design that does all its computation in an encrypted form, without ever performing any decryption or encryption itself. Against the possibility of algebraic attacks against the arithmetic in a `crypto-processor' (KPU) we propose a defence called `ABC encryption' and show how this kind of encryption makes it impossible for observations of the arithmetic to be used by an attacker to discover the actual values. We also show how to construct such encrypted arithmetics

Cryptoraptor : high throughput reconfigurable cryptographic processor for symmetric key encryption and cryptographic hash functions

textIn cryptographic processor design, the selection of functional primitives and connection structures between these primitives are extremely crucial to maximize throughput and flexibility. Hence, detailed analysis on the specifications and requirements of existing crypto-systems plays a crucial role in cryptographic processor design. This thesis provides the most comprehensive literature review that we are aware of on the widest range of existing cryptographic algorithms, their specifications, requirements, and hardware structures. In the light of this analysis, it also describes a high performance, low power, and highly flexible cryptographic processor, Cryptoraptor, that is designed to support both today's and tomorrow's encryption standards. To the best of our knowledge, the proposed cryptographic processor supports the widest range of cryptographic algorithms compared to other solutions in the literature and is the only crypto-specific processor targeting the future standards as well. Unlike previous work, we aim for maximum throughput for all known encryption standards, and to support future standards as well. Our 1GHz design achieves a peak throughput of 128Gbps for AES-128 which is competitive with ASIC designs and has 25X and 160X higher throughput per area than CPU and GPU solutions, respectively.Electrical and Computer Engineerin

Crypto-processeur architecture, programmation et évaluation de la sécurité

Les architectures des processeurs et coprocesseurs cryptographiques se montrent fréquemment vulnérables aux différents types d attaques ; en particulier, celles qui ciblent une révélation des clés chiffrées. Il est bien connu qu une manipulation des clés confidentielles comme des données standards par un processeur peut être considérée comme une menace. Ceci a lieu par exemple lors d un changement du code logiciel (malintentionné ou involontaire) qui peut provoquer que la clé confidentielle sorte en clair de la zone sécurisée. En conséquence, la sécurité de tout le système serait irréparablement menacée. L objectif que nous nous sommes fixé dans le travail présenté, était la recherche d architectures matérielles reconfigurables qui peuvent fournir une sécurité élevée des clés confidentielles pendant leur génération, leur enregistrement et leur échanges en implantant des modes cryptographiques de clés symétriques et des protocoles. La première partie de ce travail est destinée à introduire les connaissances de base de la cryptographie appliquée ainsi que de l électronique pour assurer une bonne compréhension des chapitres suivants. Deuxièmement, nous présentons un état de l art des menaces sur la confidentialité des clés secrètes dans le cas où ces dernières sont stockées et traitées dans un système embarqué. Pour lutter contre les menaces mentionnées, nous proposons alors de nouvelles règles au niveau du design de l architecture qui peuvent augmenter la résistance des processeurs et coprocesseurs cryptographiques contre les attaques logicielles. Ces règles prévoient une séparation des registres dédiés à l enregistrement de clés et ceux dédiés à l enregistrement de données : nous proposons de diviser le système en zones : de données, du chiffreur et des clés et à isoler ces zones les unes des autres au niveau du protocole, du système, de l architecture et au niveau physique. Ensuite, nous présentons un nouveau crypto-processeur intitulé HCrypt, qui intègre ces règles de séparation et qui assure ainsi une gestion sécurisée des clés. Mises à part les instructions relatives à la gestion sécurisée de clés, quelques instructions supplémentaires sont dédiées à une réalisation simple des modes de chiffrement et des protocoles cryptographiques. Dans les chapitres suivants, nous explicitons le fait que les règles de séparation suggérées, peuvent également être étendues à l architecture d un processeur généraliste et coprocesseur. Nous proposons ainsi un crypto-coprocesseur sécurisé qui est en mesure d être utilisé en relation avec d autres processeurs généralistes. Afin de démontrer sa flexibilité, le crypto-coprocesseur est interconnecté avec les processeurs soft-cores de NIOS II, de MicroBlaze et de Cortex M1. Par la suite, la résistance du crypto-processeur par rapport aux attaques DPA est testée. Sur la base de ces analyses, l architecture du processeur HCrypt est modifiée afin de simplifier sa protection contre les attaques par canaux cachés (SCA) et les attaques par injection de fautes (FIA). Nous expliquons aussi le fait qu une réorganisation des blocs au niveau macroarchitecture du processeur HCrypt, augmente la résistance du nouveau processeur HCrypt2 par rapport aux attaques de type DPA et FIA. Nous étudions ensuite les possibilités pour pouvoir reconfigurer dynamiquement les parties sélectionnées de l architecture du processeur crypto-coprocesseur. La reconfiguration dynamique peut être très utile lorsque l algorithme de chiffrement ou ses implantations doivent être changés en raison de l apparition d une vulnérabilité Finalement, la dernière partie de ces travaux de thèse, est destinée à l exécution des tests de fonctionnalité et des optimisations stricts des deux versions du cryptoprocesseur HCryptArchitectures of cryptographic processors and coprocessors are often vulnerable to different kinds of attacks, especially those targeting the disclosure of encryption keys. It is well known that manipulating confidential keys by the processor as ordinary data can represent a threat: a change in the program code (malicious or unintentional) can cause the unencrypted confidential key to leave the security area. This way, the security of the whole system would be irrecoverably compromised. The aim of our work was to search for flexible and reconfigurable hardware architectures, which can provide high security of confidential keys during their generation, storage and exchange while implementing common symmetric key cryptographic modes and protocols. In the first part of the manuscript, we introduce the bases of applied cryptography and of reconfigurable computing that are necessary for better understanding of the work. Second, we present threats to security of confidential keys when stored and processed within an embedded system. To counteract these threats, novel design rules increasing robustness of cryptographic processors and coprocessors against software attacks are presented. The rules suggest separating registers dedicated to key storage from those dedicated to data storage: we propose to partition the system into the data, cipher and key zone and to isolate the zones from each other at protocol, system, architectural and physical levels. Next, we present a novel HCrypt crypto-processor complying with the separation rules and thus ensuring secure key management. Besides instructions dedicated to secure key management, some additional instructions are dedicated to easy realization of block cipher modes and cryptographic protocols in general. In the next part of the manuscript, we show that the proposed separation principles can be extended also to a processor-coprocessor architecture. We propose a secure crypto-coprocessor, which can be used in conjunction with any general-purpose processor. To demonstrate its flexibility, the crypto-coprocessor is interconnected with the NIOS II, MicroBlaze and Cortex M1 soft-core processors. In the following part of the work, we examine the resistance of the HCrypt cryptoprocessor to differential power analysis (DPA) attacks. Following this analysis, we modify the architecture of the HCrypt processor in order to simplify its protection against side channel attacks (SCA) and fault injection attacks (FIA). We show that by rearranging blocks of the HCrypt processor at macroarchitecture level, the new HCrypt2 processor becomes natively more robust to DPA and FIA. Next, we study possibilities of dynamically reconfiguring selected parts of the processor - crypto-coprocessor architecture. The dynamic reconfiguration feature can be very useful when the cipher algorithm or its implementation must be changed in response to appearance of some vulnerability. Finally, the last part of the manuscript is dedicated to thorough testing and optimizations of both versions of the HCrypt crypto-processor. Architectures of crypto-processors and crypto-coprocessors are often vulnerable to software attacks targeting the disclosure of encryption keys. The thesis introduces separation rules enabling crypto-processor/coprocessors to support secure key management. Separation rules are implemented on novel HCrypt crypto-processor resistant to software attacks targetting the disclosure of encryption keysST ETIENNE-Bib. électronique (422189901) / SudocSudocFranceF

Cryptographically Secure Information Flow Control on Key-Value Stores

We present Clio, an information flow control (IFC) system that transparently incorporates cryptography to enforce confidentiality and integrity policies on untrusted storage. Clio insulates developers from explicitly manipulating keys and cryptographic primitives by leveraging the policy language of the IFC system to automatically use the appropriate keys and correct cryptographic operations. We prove that Clio is secure with a novel proof technique that is based on a proof style from cryptography together with standard programming languages results. We present a prototype Clio implementation and a case study that demonstrates Clio's practicality.Comment: Full version of conference paper appearing in CCS 201

On implementing deniable storage encryption for mobile devices

Abstrac

Policy enforcement in cloud computing

Cloud Computing is an emerging technology, providing attractive way of hosting and delivering services over the Internet. Many organizations and individuals are utilizing Cloud services to share information and collaborate with partners. However, Cloud provides abstraction over the underlying physical infrastructure to the customers, that raises information security concerns, while storing data in a virtualized environment without having physical access to it. Additionally, certain standards have been issued to provide interoperability between users and various distributed systems(including Cloud infrastructures), in a standardized way. However, implementation and interoperability issues still exist and introduce new challenges. This thesis explores the feasibility of securing data in a cloud context, using existing standards and specifications, while retaining the benefits of the Cloud. The thesis provides a view on increasing security concerns of moving to the cloud and sharing data over it. First, we define security and privacy requirements for the data stored in the Cloud. Based on these requirements, we propose the requirements for an access control system in the Cloud. Furthermore, we evaluate the existing work in the area of currently available access control systems and mechanisms for secure data sharing over the Cloud, mostly focusing on policy enforcement and access control characteristics. Moreover, we determine existing mechanisms and standards to implement secure data sharing and collaborative systems over the Cloud. We propose an architecture supporting secure data sharing over the untrusted Cloud environment, based on our findings. The architecture ensures policy based access control inside and outside Cloud, while allowing the benefits of Cloud Computing to be utilized. We discuss the components involved in the architecture and their design considerations. To validate the proposed architecture, we construct the proof of concept prototype. We present a novel approach for implementing policy based access control, by achieving interoperability between existing standards and addressing certain issues, while constructing the system prototype. Furthermore, we deploy our solution in the Cloud and perform the performance tests to evaluate the performance of the system. Finally, we perform a case study by utilizing our system in a real-life scenario. To do this we slightly tailor our solution to meet specific needs. Overall, this thesis provides a solid foundation for the policy enforcement and access control mechanisms in the Cloud-based systems and motivates further work within this field. Cloud Computing is an emerging technology, providing attractive way of hosting and delivering services over the Internet. Many organizations and individuals are utilizing Cloud services to share information and collaborate with partners. However, Cloud provides abstraction over the underlying physical infrastructure to the customers, that raises information security concerns, while storing data in a virtualized environment without having physical access to it. Additionally, certain standards have been issued to provide interoperability between users and various distributed systems(including Cloud infrastructures), in a standardized way. However, implementation and interoperability issues still exist and introduce new challenges. This thesis explores the feasibility of securing data in a cloud context, using existing standards and specifications, while retaining the benefits of the Cloud. The thesis provides a view on increasing security concerns of moving to the cloud and sharing data over it. First, we define security and privacy requirements for the data stored in the Cloud. Based on these requirements, we propose the requirements for an access control system in the Cloud. Furthermore, we evaluate the existing work in the area of currently available access control systems and mechanisms for secure data sharing over the Cloud, mostly focusing on policy enforcement and access control characteristics. Moreover, we determine existing mechanisms and standards to implement secure data sharing and collaborative systems over the Cloud. We propose an architecture supporting secure data sharing over the untrusted Cloud environment, based on our findings. The architecture ensures policy based access control inside and outside Cloud, while allowing the benefits of Cloud Computing to be utilized. We discuss the components involved in the architecture and their design considerations. To validate the proposed architecture, we construct the proof of concept prototype. We present a novel approach for implementing policy based access control, by achieving interoperability between existing standards and addressing certain issues, while constructing the system prototype. Furthermore, we deploy our solution in the Cloud and perform the performance tests to evaluate the performance of the system. Finally, we perform a case study by utilizing our system in a real-life scenario. To do this we slightly tailor our solution to meet specific needs. Overall, this thesis provides a solid foundation for the policy enforcement and access control mechanisms in the Cloud-based systems and motivates further work within this field