Crypto-processeur architecture, programmation et évaluation de la sécurité

Les architectures des processeurs et coprocesseurs cryptographiques se montrent fréquemment vulnérables aux différents types d attaques ; en particulier, celles qui ciblent une révélation des clés chiffrées. Il est bien connu qu une manipulation des clés confidentielles comme des données standards par un processeur peut être considérée comme une menace. Ceci a lieu par exemple lors d un changement du code logiciel (malintentionné ou involontaire) qui peut provoquer que la clé confidentielle sorte en clair de la zone sécurisée. En conséquence, la sécurité de tout le système serait irréparablement menacée. L objectif que nous nous sommes fixé dans le travail présenté, était la recherche d architectures matérielles reconfigurables qui peuvent fournir une sécurité élevée des clés confidentielles pendant leur génération, leur enregistrement et leur échanges en implantant des modes cryptographiques de clés symétriques et des protocoles. La première partie de ce travail est destinée à introduire les connaissances de base de la cryptographie appliquée ainsi que de l électronique pour assurer une bonne compréhension des chapitres suivants. Deuxièmement, nous présentons un état de l art des menaces sur la confidentialité des clés secrètes dans le cas où ces dernières sont stockées et traitées dans un système embarqué. Pour lutter contre les menaces mentionnées, nous proposons alors de nouvelles règles au niveau du design de l architecture qui peuvent augmenter la résistance des processeurs et coprocesseurs cryptographiques contre les attaques logicielles. Ces règles prévoient une séparation des registres dédiés à l enregistrement de clés et ceux dédiés à l enregistrement de données : nous proposons de diviser le système en zones : de données, du chiffreur et des clés et à isoler ces zones les unes des autres au niveau du protocole, du système, de l architecture et au niveau physique. Ensuite, nous présentons un nouveau crypto-processeur intitulé HCrypt, qui intègre ces règles de séparation et qui assure ainsi une gestion sécurisée des clés. Mises à part les instructions relatives à la gestion sécurisée de clés, quelques instructions supplémentaires sont dédiées à une réalisation simple des modes de chiffrement et des protocoles cryptographiques. Dans les chapitres suivants, nous explicitons le fait que les règles de séparation suggérées, peuvent également être étendues à l architecture d un processeur généraliste et coprocesseur. Nous proposons ainsi un crypto-coprocesseur sécurisé qui est en mesure d être utilisé en relation avec d autres processeurs généralistes. Afin de démontrer sa flexibilité, le crypto-coprocesseur est interconnecté avec les processeurs soft-cores de NIOS II, de MicroBlaze et de Cortex M1. Par la suite, la résistance du crypto-processeur par rapport aux attaques DPA est testée. Sur la base de ces analyses, l architecture du processeur HCrypt est modifiée afin de simplifier sa protection contre les attaques par canaux cachés (SCA) et les attaques par injection de fautes (FIA). Nous expliquons aussi le fait qu une réorganisation des blocs au niveau macroarchitecture du processeur HCrypt, augmente la résistance du nouveau processeur HCrypt2 par rapport aux attaques de type DPA et FIA. Nous étudions ensuite les possibilités pour pouvoir reconfigurer dynamiquement les parties sélectionnées de l architecture du processeur crypto-coprocesseur. La reconfiguration dynamique peut être très utile lorsque l algorithme de chiffrement ou ses implantations doivent être changés en raison de l apparition d une vulnérabilité Finalement, la dernière partie de ces travaux de thèse, est destinée à l exécution des tests de fonctionnalité et des optimisations stricts des deux versions du cryptoprocesseur HCryptArchitectures of cryptographic processors and coprocessors are often vulnerable to different kinds of attacks, especially those targeting the disclosure of encryption keys. It is well known that manipulating confidential keys by the processor as ordinary data can represent a threat: a change in the program code (malicious or unintentional) can cause the unencrypted confidential key to leave the security area. This way, the security of the whole system would be irrecoverably compromised. The aim of our work was to search for flexible and reconfigurable hardware architectures, which can provide high security of confidential keys during their generation, storage and exchange while implementing common symmetric key cryptographic modes and protocols. In the first part of the manuscript, we introduce the bases of applied cryptography and of reconfigurable computing that are necessary for better understanding of the work. Second, we present threats to security of confidential keys when stored and processed within an embedded system. To counteract these threats, novel design rules increasing robustness of cryptographic processors and coprocessors against software attacks are presented. The rules suggest separating registers dedicated to key storage from those dedicated to data storage: we propose to partition the system into the data, cipher and key zone and to isolate the zones from each other at protocol, system, architectural and physical levels. Next, we present a novel HCrypt crypto-processor complying with the separation rules and thus ensuring secure key management. Besides instructions dedicated to secure key management, some additional instructions are dedicated to easy realization of block cipher modes and cryptographic protocols in general. In the next part of the manuscript, we show that the proposed separation principles can be extended also to a processor-coprocessor architecture. We propose a secure crypto-coprocessor, which can be used in conjunction with any general-purpose processor. To demonstrate its flexibility, the crypto-coprocessor is interconnected with the NIOS II, MicroBlaze and Cortex M1 soft-core processors. In the following part of the work, we examine the resistance of the HCrypt cryptoprocessor to differential power analysis (DPA) attacks. Following this analysis, we modify the architecture of the HCrypt processor in order to simplify its protection against side channel attacks (SCA) and fault injection attacks (FIA). We show that by rearranging blocks of the HCrypt processor at macroarchitecture level, the new HCrypt2 processor becomes natively more robust to DPA and FIA. Next, we study possibilities of dynamically reconfiguring selected parts of the processor - crypto-coprocessor architecture. The dynamic reconfiguration feature can be very useful when the cipher algorithm or its implementation must be changed in response to appearance of some vulnerability. Finally, the last part of the manuscript is dedicated to thorough testing and optimizations of both versions of the HCrypt crypto-processor. Architectures of crypto-processors and crypto-coprocessors are often vulnerable to software attacks targeting the disclosure of encryption keys. The thesis introduces separation rules enabling crypto-processor/coprocessors to support secure key management. Separation rules are implemented on novel HCrypt crypto-processor resistant to software attacks targetting the disclosure of encryption keysST ETIENNE-Bib. électronique (422189901) / SudocSudocFranceF

A PUF-based cryptographic security solution for IoT systems on chip

The integration of multicore processors and peripherals from multiple intellectual property core providers as hardware components of IoT multiprocessor systems-on-chip (SoC) represents a source of security vulnerabilities for the in-chip communication. This paper describes the concept and the practical results of a SoC security implementation that is illustrative for IoT applications. The mechanism employed in this approach uses physically unclonable functions (PUF) and symmetric cryptography in order to encrypt the transferred messages within the SoC between the microprocessor and its peripherals. The mechanism is experimentally validated at FPGA level, the paper describing also an implementation scenario for an IoT ARM based device

Secure extension of FPGA general purpose processors for symmetric key cryptography with partial reconfiguration capabilities

International audienceIn data security systems, general purpose processors (GPPs) are often extended by a cryptographic accelerator. The paper presents three ways of extending GPPs for symmetric key cryptography applications. Proposed extensions guarantee secure key storage and management even if the system is facing protocol, software and cache memory attacks. The system is partitioned into processor, cipher, and key memory zones. The three security zones are separated at protocol, system, architecture and physical levels. The proposed principle was validated on Altera NIOS II, Xilinx MicroBlaze and Microsemi Cortex M1 soft core processor extensions. We show that stringent separation of the cipher zone is helpful for partial reconfiguration of the security module, if the enciphering algorithm needs to be dynamically changed. However, the key zone including reconfiguration controller must remain static in order to maintain the high level of security required. We demonstrate that the principle is feasible in partially reconfigurable field programmable gate arrays (FPGAs) such as Altera Stratix V or Xilinx Virtex 6 and also to some extent in FPGAs featuring hardwired general purpose processors such as Cortex M3 in Microsemi SmartFusion FPGA. Although the three GPPs feature different data interfaces, we show that the processors with their extensions reach the required high security level while maintaining partial reconfiguration capability

A Novel PUF-Based Encryption Protocol for Embedded System On Chip

This paper presents a novel security mechanism for sensitive data stored, acquired or processed by a complex electronic circuit implemented as System-on-Chip (SoC) on an FPGA reconfigurable device. Such circuits are increasingly used in embedded or cyber systems employed in civil and military applications. Managing security in the overarching SoC presents a challenge as part of the process of securing such systems. The proposed new method is based on encrypted and authenticated communications between the microprocessor cores, FPGA fabric and peripherals inside the SoC. The encryption resides in a key generated with Physically Unclonable Function (PUF) circuits and a pseudorandom generator. The conceptual design of the security circuit was validated through hardware implementation, testing and analysis of results

GuardNN: Secure DNN Accelerator for Privacy-Preserving Deep Learning

This paper proposes GuardNN, a secure deep neural network (DNN) accelerator, which provides strong hardware-based protection for user data and model parameters even in an untrusted environment. GuardNN shows that the architecture and protection can be customized for a specific application to provide strong confidentiality and integrity protection with negligible overhead. The design of the GuardNN instruction set reduces the TCB to just the accelerator and enables confidentiality protection without the overhead of integrity protection. GuardNN also introduces a new application-specific memory protection scheme to minimize the overhead of memory encryption and integrity verification. The scheme shows that most of the off-chip meta-data in today's state-of-the-art memory protection can be removed by exploiting the known memory access patterns of a DNN accelerator. GuardNN is implemented as an FPGA prototype, which demonstrates effective protection with less than 2% performance overhead for inference over a variety of modern DNN models

An Energy-Efficient Reconfigurable DTLS Cryptographic Engine for Securing Internet-of-Things Applications

This paper presents the first hardware implementation of the Datagram Transport Layer Security (DTLS) protocol to enable end-to-end security for the Internet of Things (IoT). A key component of this design is a reconfigurable prime field elliptic curve cryptography (ECC) accelerator, which is 238x and 9x more energy-efficient compared to software and state-of-the-art hardware respectively. Our full hardware implementation of the DTLS 1.3 protocol provides 438x improvement in energy-efficiency over software, along with code size and data memory usage as low as 8 KB and 3 KB respectively. The cryptographic accelerators are coupled with an on-chip low-power RISC-V processor to benchmark applications beyond DTLS with up to two orders of magnitude energy savings. The test chip, fabricated in 65 nm CMOS, demonstrates hardware-accelerated DTLS sessions while consuming 44.08 uJ per handshake, and 0.89 nJ per byte of encrypted data at 16 MHz and 0.8 V.Comment: Published in IEEE Journal of Solid-State Circuits (JSSC

Efficient Simultaneous Deployment of Multiple Lightweight Authenticated Ciphers

Cryptographic protections are ubiquitous in information technology, including the emerging Internet of Things (IoT). As a result of technology migration to a resource-challenged landscape and new threats to cryptographic security, governments and industry are exploring new cryptographic algorithms. While new standards will emerge, however, old standards will not disappear for the time being. It is therefore important to explore platforms where multiple cryptographic deployments can be dynamically interchanged and even share resources. In this research we build on the Development Package for the Applications Programming Interface for Hardware Implementations of Lightweight Cryptography (DP API HW LWC). In this construct, developers design hardware implementations of authenticated encryption with associated data (AEAD) inside a cryptographic core (CryptoCore) encapsulated by input/output utilities. While CryptoCore is intended for single register-transfer level (RTL) implementations, we install a custom-designed soft core microprocessor inside CryptoCore to run underlying block ciphers, along with a shell to facilitate AEAD processing. Through dynamic loading and execution of block ciphers on the core, we demonstrate a single LWC deployment on an Artix-7 FPGA, capable of executing 3 NIST LWC Standardization Process Round 2 AEAD candidates (COMET-AES, COMET-CHAM and GIFT-COFB) using only 55% of the combined area of separate RTL implementations of the same ciphers