SPAE un schéma opératoire pour l'AES sur du matériel bas-coût.

We propose SPAE, a single pass, patent free, authenticated encryption with associated data (AEAD) for AES. The algorithm has been developped to address the needs of a growing trend in IoT systems: storing code and data on a low cost flash memory external to the main SOC. Existing AEAD algorithms such as OCB, GCM, CCM, EAX , SIV, provide the required functionality however in practice each of them suffer from various drawbacks for this particular use case. Academic contributions such as ASCON and AEGIS-128 are suitable and efficient however they require the development of new hardware accelerators and they use primitives which are not 'approved' by governemental institutions such as NIST, BSI, ANSSI. From a silicon manufacturer point of view, an efficient AEAD which use existing AES hardware is much more enticing: the AES is required already by most industry standards invovling symmetric encryption (GSMA, EMVco, FIDO, Bluetooth, ZigBee to name few). This paper expose the properties of an ideal AEAD for external memory encryption, present the SPAE algorithm and analyze various security aspects. Performances of SPAE on actual hardware are better than OCB, GCM and CCM.Nous présentons SPAE, un schéma en une passe, libre de droit, d'encryption authentifiée avec données associées (AEAD) appliqué à l'AES. Cet algorithme a été développé afin de répondre à une tendance grandissante dans l'internet des objets: stocker du code et des données sur une mémoire flash à bas coût externe au système sur puce (SOC). Des algorithmes AEAD existent déjà tels que OCB, GCM, CCM, EAX, SIV, ils répondent à l'usage demandé cependant en pratique chacun de ces algorithmes présente des désavantages pour cet usage particulier. Les contributions académique telles que ASCON et AEGIS-128 sont appropriés et efficaces cependant ils nécessitent le développement de nouveaux accélérateurs matériels et ils utilisent des primitives qui ne sont pas approuvés par les instituions gouvernementales telles que le NIST, BSI ANSSI. Du point de vue du fabricant de silicone, un AEAD efficace qui utilise du matériel AES existant est beaucoup plus attirant: l'AES est déjà requis par la plupart des standards industriels utilisant de l’encryption symétrique (GSMA, EMVco, FIDO, Bluetooth, ZigBee par exemple). Cet article montre les propriétés d'un AEAD idéal pour de la mémoire encryptée externe, présente l'algorithme SPAE et analyse plusieurs aspects de sécurité. Les performances de SPAE sur du matériel actuel sont meilleures que sur OCB, GCM, et CCM

SMART SECURITY MANAGEMENT IN SECURE DEVICES

International audienceAmong other threats, secure components are subjected tophysical attacks whose aim is to recover the secret information theystore. Most of the work carried out to protect these components generally consists in developing protections (or countermeasures) taken one byone. But this “countermeasure-centered” approach drastically decreasesthe performance of the chip in terms of power, speed and availability.In order to overcome this limitation, we propose a complementary approach: smart dynamic management of the whole set of countermeasuresembedded in the component. Three main specifications for such management are required in a real world application (for example, a conditionalaccess system for Pay-TV): it has to provide capabilities for the chip todistinguish between attacks and normal use cases (without the help of ahuman being and in a robust but versatile way); it also has to be basedon mechanisms which dynamically find a trade-off between security andperformance; all these mecanisms have to formalized in a way which isclearly understandable by the designer. In this article, a prototype whichenables such security management is described. The solution is based ona double-processor architecture: one processor embeds a representativeset of countermeasures (and mechanisms to define their parameters) andexecutes the application code. The second processor, on the same chip,applies a given security strategy, but without requesting sensitive datafrom the first processor. The chosen strategy is based on fuzzy logic reasoning to enable the designer to describe, using a fairly simple formalism,both the attack paths and the normal use cases. A proof of concept hasbeen proposed for the smart card part of a conditional access for Pay-TV,but it could easily be fine-tuned for other applications

Physical Fault Injection and Side-Channel Attacks on Mobile Devices:A Comprehensive Analysis

Today's mobile devices contain densely packaged system-on-chips (SoCs) with multi-core, high-frequency CPUs and complex pipelines. In parallel, sophisticated SoC-assisted security mechanisms have become commonplace for protecting device data, such as trusted execution environments, full-disk and file-based encryption. Both advancements have dramatically complicated the use of conventional physical attacks, requiring the development of specialised attacks. In this survey, we consolidate recent developments in physical fault injections and side-channel attacks on modern mobile devices. In total, we comprehensively survey over 50 fault injection and side-channel attack papers published between 2009-2021. We evaluate the prevailing methods, compare existing attacks using a common set of criteria, identify several challenges and shortcomings, and suggest future directions of research

Analysing the behaviour of a smart card based model for secure communication with remote computers over the internet

This dissertation presents the findings of a generic model aimed at providing secure communication with remote computers via the Internet, based on smart cards. The results and findings are analysed and presented in great detail, in particular the behaviour and performance of smart cards when used to provide the cryptographic functionality. Two implemented models are presented. The first model uses SSL to secure the communication channel over the Internet while using smart cards for user authentication and storage of cryptographic keys. The second model presents the SSH for channel security and smart cards for user authentication, key storage and actual encryption and decryption of data. The model presented is modular and generic by nature, meaning that it can easily be modified to accept the newer protocol by simply including the protocols in a library and with a minor or no modification to both server and client application software. For example, any new algorithm for encryption, key exchange, signature, or message digest, can be easily accommodated into the system, which proves that the model is generic and can easily be integrated into newer technologies. Similarly, smart cards are used for cryptography. Two options are presented: first the smart cards only store the algorithm keys and user authentication, and secondly, smart cards are used for storing the algorithm keys, user authentication, and actual data encryption or decryption, as the requirement may dictate. This is very useful, for example, if data to be transferred is limited to a few bytes, then actual data encryption and decryption is performed using smart cards. On the other hand, if a great deal of data is to be transferred, then only authentication and key storage are performed with smart cards. The model currently uses 3DES with smart card encryption and decryption, because this is faster and consumes fewer resources when compared to RSA. Once again, the model design is flexible to accommodate new algorithms such as AES or IDEA. Important aspects of the dissertation are the study and analysis of the security attacks on smart card use. Several smart card attack scenarios are presented in CHAPTER 3, and their possible prevention is also discussed in detail. AFRIKAANS : Hierdie verhandeling bied die bevindinge van 'n generiese model wat daarop gemik is om veilige kommunikasie te voorsien met 'n afstandsrekenaar via die Internet en op slimkaarte gebaseer. Die resultate en bevindings word ontleed en breedvoerig aangebied, veral die gedrag en werkverrigting van slimkaarte wanneer hulle gebruik word om die kriptografiese funksionaliteit te voorsien. Daar word twee geïmplementeerde modelle aangebied. Die eerste model gebruik SSL om die kommunikasiekanaal oor die Internet te beveilig terwyl slimkaarte vir gebruikerbekragtiging en stoor van kriptografiese sleutels gebruik word. Die tweede model bied die SSH vir kanaalsekuriteit en slimkaarte vir gebruikergeldigheidvasstelling, sleutelstoor en werklike kodering en dekodering van data. Die model wat aangebied word, is modulêr en generies van aard, wat beteken dat dit maklik gewysig kan word om die jongste protokolle te aanvaar deur bloot die protokolle by 'n programbiblioteek met geringe of geen wysiging van beide die bediener- en kliënttoepassingsagteware in te sluit. Byvoorbeeld, enige nuwe algoritme vir kodering, sleuteluitruiling, handtekening of boodskapbondeling kan maklik in die stelsel gehuisves word, wat bewys dat die model generies is en maklik in jonger tegnologieë geïntegreer kan word. Slimkaarte word op soortgelyke wyse vir kriptografie gebruik. Daar word twee keuses aangebied: eerstens stoor die slimkaarte slegs die algoritmesleutels en gebruikergeldigheidvasstelling en tweedens word slimkaarte gebruik om die algoritmesleutels, gebruikergeldigheidvasstelling en werklike datakodering en –dekodering te stoor na gelang van wat vereis word. Dit is baie nuttig, byvoorbeeld, wanneer data wat oorgedra moet word, tot 'n paar grepe beperk is, word die eintlike datakodering en – dekodering uitgevoer deur slimkaarte te gebruik. Andersyds, indien 'n groot hoeveelheid data oorgedra moet word, word slegs geldigheidvasstelling en stoor met slimkaarte uitgevoer. Die model gebruik tans 3DES met slimkaartkodering en –dekodering omdat dit vinniger is en minder hulpbronne gebruik vergeleke met RSA. Die modelontwerp is weer eens buigsaam om nuwe algoritmes soos AES of IDEA te huisves. Nog 'n belangrike aspek van die verhandeling is om die sekuriteitaanvalle op slimkaartgebruik te ondersoek en te ontleed. Verskeie slimkaartaanvalscenario's word in Hoofstuk 3 aangebied en die moontlike voorkoming daarvan word ook breedvoerig bespreek.Dissertation (MEng)--University of Pretoria, 2011.Electrical, Electronic and Computer Engineeringunrestricte

Fault Space Transformation: A Generic Approach to Counter Differential Fault Analysis and Differential Fault Intensity Analysis on AES-like Block Ciphers

Classical fault attacks such as Differential Fault Analysis~(DFA) as well as biased fault attacks such as the Differential Fault Intensity Analysis~(DFIA) have been a major threat to cryptosystems in recent times. DFA uses pairs of fault-free and faulty ciphertexts to recover the secret key. DFIA, on the other hand, combines principles of side channel analysis and fault attacks to try and extract the key using faulty ciphertexts only. Till date, no effective countermeasure that can thwart both DFA as well as DFIA based attacks has been reported in the literature to the best of our knowledge. In particular, traditional redundancy based countermeasures that assume uniform fault distribution are found to be vulnerable against DFIA due to its use of biased fault models. In this work, we propose a novel generic countermeasure strategy that combines the principles of redundancy with that of fault space transformation to achieve security against both DFA and DFIA based attacks on AES-like block ciphers. As a case study, we have applied our proposed technique to to obtain temporal and spatial redundancy based countermeasures for AES-128, and have evaluated their security against both DFA and DFIA via practical experiments on a SASEBO-GII board. Results show that our proposed countermeasure makes it practically infeasible to obtain a single instance of successful fault injection, even in the presence of biased fault models

FPGA-Based Testbed for Fault Injection on SHA-256

In real world applications, cryptographic algorithms are implemented in hardware or software on specific devices. An active attacker may inject faults during the computation process and careful analysis of faulty results can potentially leak secret information. These kinds of attacks known as fault injection attacks may have devastating effects in the field of hardware and embedded cryptography. This research proposes a partial implementation of SHA-256 along with an onboard fault injection circuit implemented on an FPGA. The proposed fault injection circuit is used to generate glitches in the clock to induce a setup time violation in the circuit and thereby produce error(s) in the output. The main objective of this research is to study the viability of fault injection using the clock glitches on the SHA-256

Soft Error Resistant Design of the AES Cipher Using SRAM-based FPGA

This thesis presents a new architecture for the reliable implementation of the symmetric-key algorithm Advanced Encryption Standard (AES) in Field Programmable Gate Arrays (FPGAs). Since FPGAs are prone to soft errors caused by radiation, and AES is highly sensitive to errors, reliable architectures are of significant concern. Energetic particles hitting a device can flip bits in FPGA SRAM cells controlling all aspects of the implementation. Unlike previous research, heterogeneous error detection techniques based on properties of the circuit and functionality are used to provide adequate reliability at the lowest possible cost. The use of dual ported block memory for SubBytes, duplication for the control circuitry, and a new enhanced parity technique for MixColumns is proposed. Previous parity techniques cover single errors in datapath registers, however, soft errors can occur in the control circuitry as well as in SRAM cells forming the combinational logic and routing. In this research, propagation of single errors is investigated in the routed netlist. Weaknesses of the previous parity techniques are identified. Architectural redesign at the register-transfer level is introduced to resolve undetected single errors in both the routing and the combinational logic. Reliability of the AES implementation is not only a critical issue in large scale FPGA-based systems but also at both higher altitudes and in space applications where there are a larger number of energetic particles. Thus, this research is important for providing efficient soft error resistant design in many current and future secure applications