760 research outputs found
An IoT Endpoint System-on-Chip for Secure and Energy-Efficient Near-Sensor Analytics
Near-sensor data analytics is a promising direction for IoT endpoints, as it
minimizes energy spent on communication and reduces network load - but it also
poses security concerns, as valuable data is stored or sent over the network at
various stages of the analytics pipeline. Using encryption to protect sensitive
data at the boundary of the on-chip analytics engine is a way to address data
security issues. To cope with the combined workload of analytics and encryption
in a tight power envelope, we propose Fulmine, a System-on-Chip based on a
tightly-coupled multi-core cluster augmented with specialized blocks for
compute-intensive data processing and encryption functions, supporting software
programmability for regular computing tasks. The Fulmine SoC, fabricated in
65nm technology, consumes less than 20mW on average at 0.8V achieving an
efficiency of up to 70pJ/B in encryption, 50pJ/px in convolution, or up to
25MIPS/mW in software. As a strong argument for real-life flexible application
of our platform, we show experimental results for three secure analytics use
cases: secure autonomous aerial surveillance with a state-of-the-art deep CNN
consuming 3.16pJ per equivalent RISC op; local CNN-based face detection with
secured remote recognition in 5.74pJ/op; and seizure detection with encrypted
data collection from EEG within 12.7pJ/op.
Comment: 15 pages, 12 figures, accepted for publication to the IEEE
Transactions on Circuits and Systems - I: Regular Paper
Residual Vulnerabilities to Power side channel attacks of lightweight ciphers cryptography competition Finalists
The protection of communications between Internet of Things (IoT) devices is of great concern because the information exchanged contains vital sensitive data. Malicious agents seek to exploit those data to extract secret information about the owners or the system. Power side channel attacks are of great concern on these devices because their power consumption unintentionally leaks information correlatable to the device's secret data. Several studies have demonstrated the effectiveness of authenticated encryption with advanced data, in protecting communications with these devices. A comprehensive evaluation of the seven (out of 10) algorithm finalists of the National Institute of Standards and Technology (NIST) IoT lightweight cipher competition that do not integrate built‐in countermeasures is proposed. The study shows that, nonetheless, they still present some residual vulnerabilities to power side channel attacks (SCA). For five ciphers, an attack methodology as well as the leakage function needed to perform correlation power analysis (CPA) is proposed. The authors assert that Ascon, Sparkle, and PHOTON‐Beetle security vulnerability can generally be assessed with the security assumptions “Chosen ciphertext attack and leakage in encryption only, with nonce‐misuse resilience adversary (CCAmL1)” and “Chosen ciphertext attack and leakage in encryption only with nonce‐respecting adversary (CCAL1)”, respectively. However, the security vulnerability of GIFT‐COFB, Grain, Romulus, and TinyJambu can be evaluated more straightforwardly with publicly available leakage models and solvers. They can also be assessed simply by increasing the number of traces collected to launch the attack.
On Misuse of Nonce-Misuse Resistance: Adapting Differential Fault Attacks on (few) CAESAR Winners
In this paper, we study DFA attacks on some of the CAESAR competition winners. We study the challenges imposed by the design of these modes, such as masking of the ciphertext. We also show that only a very small number of nonce repetitions and faults is required, which makes the attacks very practical. We show that OCB and COLM need only 1 nonce repetition and 3 faults to uniquely identify the key.
Stacco: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves
Intel Software Guard Extension (SGX) offers software applications enclaves to
protect their confidentiality and integrity from malicious operating systems.
The SSL/TLS protocol, which is the de facto standard for protecting
transport-layer network communications, has been broadly deployed for a secure
communication channel. However, in this paper, we show that the marriage
between SGX and SSL may not be smooth sailing.
Particularly, we consider a category of side-channel attacks against SSL/TLS
implementations in secure enclaves, which we call the control-flow inference
attacks. In these attacks, the malicious operating system kernel may perform a
powerful man-in-the-kernel attack to collect execution traces of the enclave
programs at page, cacheline, or branch level, while positioning itself in the
middle of the two communicating parties. At the center of our work is a
differential analysis framework, dubbed Stacco, to dynamically analyze the
SSL/TLS implementations and detect vulnerabilities that can be exploited as
decryption oracles. Surprisingly, we found exploitable vulnerabilities in the
latest versions of all the SSL/TLS libraries we have examined.
To validate the detected vulnerabilities, we developed a man-in-the-kernel
adversary to demonstrate Bleichenbacher attacks against the latest OpenSSL
library running in the SGX enclave (with the help of Graphene) and completely
broke the PreMasterSecret encrypted by a 4096-bit RSA public key with only
57286 queries. We also conducted CBC padding oracle attacks against the latest
GnuTLS running in Graphene-SGX and an open-source SGX-implementation of mbedTLS
(i.e., mbedTLS-SGX) that runs directly inside the enclave, and showed that it
only needs 48388 and 25717 queries, respectively, to break one block of AES
ciphertext. Empirical evaluation suggests these man-in-the-kernel attacks can
be completed within 1 or 2 hours.
Comment: CCS 17, October 30-November 3, 2017, Dallas, TX, US
Analysis and Design of Symmetric Cryptographic Algorithms
This doctoral thesis is dedicated to the analysis and the design of
symmetric cryptographic algorithms.
In the first part of the dissertation, we deal with fault-based attacks
on cryptographic circuits which belong to the field of active implementation
attacks and aim to retrieve secret keys stored on such chips. Our main focus
lies on the cryptanalytic aspects of those attacks. In particular, we target
block ciphers with a lightweight and (often) non-bijective key schedule where
the derived subkeys are (almost) independent from each other. An attacker who is
able to reconstruct one of the subkeys is thus not necessarily able to directly
retrieve other subkeys or even the secret master key by simply reversing the key
schedule. We introduce a framework based on differential fault analysis that
allows attacking block ciphers with an arbitrary number of independent subkeys
and which rely on a substitution-permutation network. These methods are then
applied to the lightweight block ciphers LED and PRINCE and we show in both
cases how to recover the secret master key requiring only a small number of
fault injections. Moreover, we investigate approaches that utilize algebraic
instead of differential techniques for the fault analysis and discuss advantages
and drawbacks. At the end of the first part of the dissertation, we explore
fault-based attacks on the block cipher Bel-T which also has a lightweight key
schedule but is not based on a substitution-permutation network but instead on
the so-called Lai-Massey scheme. The framework mentioned above is thus not
usable against Bel-T. Nevertheless, we also present techniques for the case of
Bel-T that enable full recovery of the secret key in a very efficient way using
differential fault analysis.
In the second part of the thesis, we focus on authenticated encryption
schemes. While regular ciphers only protect privacy of processed data,
authenticated encryption schemes also secure its authenticity and integrity.
Many of these ciphers are additionally able to protect authenticity and
integrity of so-called associated data. This type of data is transmitted
unencrypted but nevertheless must be protected from being tampered with during
transmission. Authenticated encryption is nowadays the standard technique to
protect in-transit data. However, most of the currently deployed schemes have
deficits and there are many leverage points for improvements. With NORX we
introduce a novel authenticated encryption scheme supporting associated data.
This algorithm was designed with high security, efficiency in both hardware and
software, simplicity, and robustness against side-channel attacks in mind. Next
to its specification, we present special features, security goals,
implementation details, extensive performance measurements and discuss
advantages over currently deployed standards. Finally, we describe our
preliminary security analysis where we investigate differential and rotational
properties of NORX. Noteworthy are in particular the newly developed
techniques for differential cryptanalysis of NORX which exploit the power of
SAT- and SMT-solvers and have the potential to be easily adaptable to other
encryption schemes as well.
- …