650 likes | 779 Views
Hardware Mechanisms for Secured Memory/Configuration Transactions for Embedded Systems. Lionel Torres, P. Benoit,G . Sassatelli , P. Maurine Contributeurs : R. Elbaz , B. Badrignans , F. Devic , L. Barthe , F. Poucheret , V. Lomne , A. Dehbaoui.
E N D
Hardware Mechanisms for Secured Memory/Configuration Transactions for Embedded Systems Lionel Torres, P. Benoit,G. Sassatelli, P. Maurine Contributeurs : R. Elbaz, B. Badrignans, F. Devic, L. Barthe, F. Poucheret, V. Lomne, A. Dehbaoui
Hardware Mechanisms for Secured Processor- Memory Transactions Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art • Most embedded systems use off-chip memories: • Data and instructions are exchanged in clear over the processor-memory bus. • FPGA configuration Trusted Area • Threats: • Unauthorized data reads • Code injection or data alteration • Memory tampering • Software, SCA attacks not considered Address bus SoC/FPGA(Trusted) External Memory Data bus Objectives: Ensure the confidentiality and the integrity of data stored in off-chip memories and transferred on SoC/FPGA memory interfaces.
Hardware Mechanisms for Secured Processor- Memory Transactions Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art • Introduction • Threat Model • State of the art • Contribution 1: PE-ICE& PRV Tree • Parallelized Encryption and Integrity Checking Engine • Contribution 2: FPGA configuration • SARFUM protocol • Conclusion, Future Works
Cryptographic Tools: Integrity Checking Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art K Tag T H(M) (M; T) Message M • Principle: Meeting at 7h00 am in … Unsecured channel Alice T Integrity Flag (M; T) M COMP H(M) T’ Tag reference K Meeting at 7h00 am in … Bob K • Hash functions: • Compression function • One-way function • gives a compact representative image of the input • MAC(*) functions:take a secret key as additional input to authenticate the source of the message. message digest hi = f(Mi, hi-1) Message Mi MAC function Hash function hi-1 (*) Message Authentication Code
Passive Attacks Data / Instruction Add External Memory Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Bus probing – eavesdropping [1] 0x080ff0fa 0x00000010 Address bus SoC (Trusted) 01010001000100000111001001 01010001000100000111001001 01110101010100010111001001 01110101010100010111001001 Data bus [1] M. G. Kuhn, “Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP” IEEE Trans. Comput., vol. 47, pp. 1153–1157, October. 1998.
Passive Attacks External Memory Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Bus probing – eavesdropping [1] Data / Instruction Add 0x080ff0fa 0x00000010 Address bus SoC (Trusted) 0x0ab820ff 0x00000014 01010001000100000111001001 0x080112f4 0x00000018 01110101010100010111001001 Data bus 0x0000001C 0x102bcd0f 0x00000020 0x11ff11ab • Attacker motivation: • Off-line analysis: • Key recovery • Message recovery • Raw materials for active attacks… [1] M. G. Kuhn, “Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP” IEEE Trans. Comput., vol. 47, pp. 1153–1157, October. 1998.
Active Attacks External Memory Malicious Memory Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Code and data injection Address bus SoC (Trusted) Data bus Three kinds of active attacks are defined depending on the choice made by the adversary on the data to insert: • Spoofing: Random data injection Memory
Active Attacks Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Code and data injection Address bus External Memory SoC (Trusted) Data bus Malicious Memory Three kinds of active attacks are defined depending on the choice made by the adversary on the data to insert: • Spoofing: Random data injection • Splicing: Spatial permutation Memory Data(@1) Data(@2) Data(@3) Data(@4) Data(@7) Data(@5) Data(@6) Data(@7) Data(@7) Data(@8)
Active Attacks Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Code and data injection Address bus External Memory SoC (Trusted) Data bus Malicious Memory Three kinds of active attacks are defined depending on the choice made by the adversary on the data to insert: • Spoofing: Random data injection • Splicing: Spatial permutation • Replay: Temporal permutation Memory Data(@1, t4) Data(@1, t1) Data(@2, t1) Data(@2, t9) Data(@3, t1) Data(@3, t8) Data(@4, t1) Data(@4, t1) Data(@4, t7) Data(@4, t1) Data(@4, t1) Data(@5, t1) Data(@6, t6) Data(@6, t1) Data(@7, t4) Data(@7, t1) Data(@8, t1)
Active Attacks Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Code and data injection Address bus External Memory SoC (Trusted) Data bus Malicious Memory Three kinds of active attacks are defined depending on the choice made by the adversary on the data to insert: • Spoofing: Random data injection • Splicing: Spatial permutation • Replay: Temporal permutation Attacker motivation: • Hijack the software execution • Reduce the search space for key recovery or message recovery
General Principles Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Data Confidentiality:symmetric encryption External Memory SoC: Trusted area Memory Controller Ciphered memory block CPU core EDU Cache EDU: Encryption Decryption Unit Trusted area Untrusted area Data Integrity:append a MAC generated digest ( tag) External Memory SoC: Trusted area Memory Controller Tag Memory block CPU core ICE Cache ICE: Integrity Checking Engine MAC: Message Authentication Code
General Principles Encryption Ke MAC Km Ciphertext E(T) Encryption MAC E(T): Encrypted tag Ke Ke Km Encryption MAC Km Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art • 2 passes over the data and usually 2 algorithms used (one for each security primitives: Encryption and Integrity checking) Payload Plaintext MAC-then-Encrypt: Payload Tag Write and Read operations: Not parallelizable Plaintext Payload Encrypt-then-MAC: Ciphertext Tag Write operations: Not parallelizable Encrypt-and-MAC: Ciphertext Tag Plaintext Payload Read operations: Not parallelizable
State of the Art: Summary Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art
Hardware Mechanisms for Secured Processor- Memory Transactions Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art • Introduction • Threat Model • State of the art • Contribution 1: PE-ICE& PRV Tree • Parallelized Encryption and Integrity Checking Engine • Contribution 2: FPGA configuration • SARFUM protocol • Conclusion, Future Works
PE-ICE Principles Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art • PE-ICE: Parallelized Encryption & Integrity Checking Engine • Only 1 pass over the data to provide both data confidentiality and integrity. • Tag are not computed over the data • Confidentiality is ensured by block encryption • Rijndael (J.Daemen, V.Rijmen) – AES (NIST(*) standard) Data integrity checking relies on the diffusion property of block encryption: Block Encryption (Ek) P T Ciphered (P;T) • AREA (Added Redundancy Explicit Authentication) applied at the block level • Redundancy is inserted in each plaintext block before encryption • Redundancy is checked after each block decryption (*) NIST: National Institute of Standard and Technology AES: Advanced Encryption Standard
PE-ICE for Read Only Data COMP Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Write operations: The redundancy is added in each plaintext block External Memory SoC: Trusted area Address bus Memory Controller CPU Ciphered memory block C = Ek (PL || ADD) PE-ICE Cache Block Encryption Read operations: The redundancy is checked after decryption External Memory SoC: Trusted area Address bus T’ = ADD’ Memory Controller CPU OK? Ciphered memory block PL || ADD = Dk(C) PE-ICE Cache Block Decryption T = ADD T’ = T ?
PE-ICE for Read Write Data External Memory Memory SoC: Trusted area Memory Controller CPU PE-ICE Cache Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Write operations: The redundancy is added in each plaintext block RV’ RV RV Generator RV’ C: Ciphered memory block C = Ek (PL || RV) Block Encryption
PE-ICE for Read Write Data External Memory Memory SoC: Trusted area Memory Controller CPU PE-ICE Cache Memory SoC: Trusted area External Memory RV’ Memory Controller CPU Ciphered memory block PE-ICE Cache COMP Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Write operations: The redundancy is added in each plaintext block RV’ RV RV Generator RV’ C: Ciphered memory block C = Ek (PL || RV) Block Encryption Read operations: The redundancy is checked after decryption T’ = RV’ PL || RV = Dk(C) OK? T = RV Block Decryption T’ = T ?
PE-ICE: Simulation Results (2/2) PE - ICE GC (CBC-MAC) Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Performance overhead of the integrity checking mechanisms 5% 18%
PE-ICE Vs Encrypt-then-MAC Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Summary:
PE-ICE - Properties Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art PE-ICE is parallelizable on read and write operations with hardware area optimization.
PE-ICE On-Chip Memory Overhead Ek(M5 || M6 || RV3) Ek(M7 || M8 || RV4) Ek(M9 || M10 || RV5) Ek(M11 || M12 || RV6) RV’3 Ek(M13 || M14 || RV7) RV’4 Ek(M15 || M16 || RV8) RV’5 RV’6 RV’7 RV’8 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art • On-chip storage of the Reference Random Values (RV’): • Drawbacks: high on-chip memory overhead External Memory SoC: Trusted area PE-ICE Memory Controller Ek(M1 || M2 || RV1) CPU Block Encryption Ek(M3 || M4 || RV2) PMR Cache RV Generator RV’1 RV’2 Memory PMR: Protected Memory Region
PRV-Trees Ek(M5 || M6 || RV3) Ek(M7 || M8 || RV4) Ek(M9 || M10 || RV5) Ek(M11 || M12 || RV6) Ek(M13 || M14 || RV7) Ek(M15 || M16 || RV8) Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art PRV-Trees: scheme relying on PE-ICE allowing to securely store Reference Values (RV’) off-chip External Memory SoC: Trusted area PE-ICE Memory Controller Ek(M1 || M2 || RV1) CPU Block Encryption Ek(M3 || M4 || RV2) PMR Cache RV Generator RV’1 RV’11 RV’12 RV’2 RV’13 RV’3 Ek(RV’1 || RV’2 || RV11) RV’4 RV’14 Ek(RV’3 || RV’4 || RV12) RV’5 Ek(RV’5 || RV’6 || RV13) RV’6 Ek(RV’7 || RV’8 || RV14) RV’7 RV’8 Memory PMR: Protected Memory Region
PRV-Trees Ek(M5 || M6 || RV3) Ek(M7 || M8 || RV4) Ek(M9 || M10 || RV5) Ek(M11 || M12 || RV6) Ek(M13 || M14 || RV7) Ek(M15 || M16 || RV8) Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art PRV-Tree: scheme relying on PE-ICE allowing to securely store Reference Values (RV’) off-chip External Memory SoC: Trusted area PE-ICE Memory Controller Ek(M1 || M2 || RV1) CPU Block Encryption Ek(M3 || M4 || RV2) PMR Cache RV Generator RV’21 RV’r RV’11 RV’12 RV’22 RV’13 Ek(RV’1 || RV’2 || RV11) RV’14 Ek(RV’3 || RV’4 || RV12) Ek(RV’5 || RV’6 || RV13) Ek(RV’7 || RV’8 || RV14) Ek(RV’11 || RV’12 ||RV21) Ek(RV’13 || RV’14 ||RV22) Memory Ek(RV’21 || RV’22 || RVr) PMR: Protected Memory Region
Tree Structure & Initialization RV21 RV22 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’11 RV’1 RV’13 RV’7 RV’5 RV’21 RV’3 RV’4 RV’6 RV’2 RV’8 RV’14 RV’22 RV’12 RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r Non Trusted stored off-chip RVr
Read Operations – Integrity Checking RV21 RV22 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’5 RV’1 RV’21 RV’7 RV’3 RV’13 RV’11 RV’12 RV’14 RV’8 RV’22 RV’6 RV’2 RV’4 RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r Read Operations Integrity Checking Non Trusted stored off-chip RVr
Read Operations – Integrity Checking RV21 RV22 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’13 RV’11 RV’7 RV’5 RV’3 RV’21 RV’1 RV’22 RV’14 RV’4 RV’2 RV’6 RV’8 RV’12 RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r RV’r Non Trusted stored off-chip Ek(RV’21||RV’22 || RV’r) RVr Ek(RV’11||RV’12 ||RV21) Ek(RV’3||RV’4||RV12) Ek(M5 || M6 || RV3) Ek(M5 || M6 || RV3) Ek(RV’3||RV’4||RV12) Ek(RV’11||RV’12 ||RV21) Ek(RV’21||RV’22 || RVr) RV’r Decryption Decryption Decryption Decryption
Read Operations – Integrity Checking RV11 RV12 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’1 RV’21 RV’13 RV’11 RV’7 RV’5 RV’3 RV’22 RV’6 RV’8 RV’2 RV’4 RV’12 RV’14 RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r Read Operations Integrity Checking Non Trusted stored off-chip RVr RV’r Decryption Decryption Decryption Decryption M5 M6 RV3 RV’3 RV’4 RV12 RV’12 RV’11 RV21 RV’21 RV’22 RVr
Read Operations – Integrity Checking RV11 RV12 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M5 M6 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’1 RV’21 RV’13 RV’11 RV’7 RV’5 RV’3 RV’22 RV’6 RV’8 RV’2 RV’4 RV’12 RV’14 RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r Read Operations Integrity Checking Non Trusted stored off-chip RVr RV’r Decryption Decryption Decryption Decryption M5 M6 RV3 RV’3 RV’4 RV12 RV’12 RV’11 RV21 RV’21 RV’22 RVr OK?
Write Operations – Tree Update RV21 RV22 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’5 RV’7 RV’1 RV’11 RV’21 RV’3 RV’13 RV’6 RV’8 RV’22 RV’2 RV’12 RV’4 RV’14 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r Write Operations Tree Update Non Trusted stored off-chip RVr M5b M5 M6 RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8
Write Operations – Tree Update RV21 RV22 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’13 RV’21 RV’7 RV’1 RV’5 RV’3 RV’11 RV’4 RV’2 RV’22 RV’12 RV’6 RV’14 RV’8 M5b RV3b RV12b RV21b RVrb Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r Write Operations Tree Update Non Trusted stored off-chip Ek(RV’21||RV’22 || RV’r) RVr Ek(RV’11||RV’12 ||RV21) Ek(RV’3||RV’4||RV12) M5 M6 Ek(M5 || M6 || RV3) RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8 Ek(M5 || M6 || RV3) Ek(RV’3||RV’4||RV12) Ek(RV’11||RV’12 ||RV21) Ek(RV’21||RV’22 || RVr) Decryption Decryption Decryption Decryption M5 M6 RV3 RV’3 RV’4 RV12 RV’12 RV’11 RV21 RV’21 RV’22 RVr Encryption Encryption Encryption Encryption
Write Operations – Tree Update RV21 RV22 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’21 RV’13 RV’3 RV’7 RV’5 RV’11 RV’1 RV’22 RV’2 RV’12 RV’6 RV’14 RV’8 RV’4 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r Write Operations Tree Update Non Trusted stored off-chip RVr M5 M6 RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8 M5b Decryption Decryption Decryption Decryption RV3b M5 M6 RV3 RV’3 RV’4 RV12 RV’12 RV’11 RV21 RV’21 RV’22 RVr RV12b Encryption Encryption Encryption Encryption RV21b RVrb
Write Operations – Tree Update RV21 RV22 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’11 RV’13 RV’7 RV’21 RV’1 RV’5 RV’2 RV’8 RV’6 RV’14 RV’22 RV’12 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r Write Operations Tree Update Non Trusted stored off-chip RVr RV’3 RV’4 M5 M6 RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8 M5b Decryption Decryption Decryption Decryption RV’3b RV3b M5b M5 M6 RV3 RV3b RV’3b RV’3 RV’4 RV12 RV12b RV’12b RV’12 RV’11 RV21b RV21 RV’21b RV’21 RV’22 RVrb RVr RV12b RV’12b Encryption Encryption Encryption Encryption RV’21b RV21b RVrb RV’rb
Write Operations – Tree Update RV21 RV22 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’3 RV’21 RV’13 RV’5 RV’1 RV’7 RV’11 RV’2 RV’6 RV’14 RV’22 RV’4 RV’8 RV’12 M5 M5b M6 RV3 RV3b RV’3b RV’3 RV’4 RV12b RV12 RV’12b RV’12 RV’11 RV21b RV21 RV’21b RV’21 RV’22 RVr RVrb Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r Write Operations Tree Update Non Trusted stored off-chip RVr M5 M6 RV1 RV2 RV3 RV4 RV5 RV6 RV7 RV8 Decryption Decryption Decryption Decryption Encryption Encryption Encryption Encryption Ek(M5b || M6 || RV3b) Ek(RV’3b||RV’4 ||RV12b) Ek(RV’11||RV’12b ||RV21b) Ek(RV’21b||RV’22 || RVbr) RV’rb RVrb
Write Operations – Tree Update RV21 RV22 RV11 RV12 RV13 RV14 M1 M2 M3 M4 M7 M8 M9 M10 M11 M12 M13 M14 M15 M16 RV’21 RV’13 RV’3 RV’7 RV’11 RV’5 RV’1 RV’22 RV’2 RV’8 RV’6 RV’12 RV’14 RV’4 Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Trusted stored on-chip RV’r RV’rb Write Operations Tree Update Non Trusted stored off-chip RV’21b RVr RV’rb RV’12b RV21b RV’3b RV12b M5 M5b M6 RV1 RV2 RV3b RV3 RV4 RV5 RV6 RV7 RV8 Decryption Decryption Decryption Decryption Encryption Encryption Encryption Encryption Ek(M5b || M6 || RV3b) Ek(RV’3b||RV’4 ||RV12b) Ek(RV’11||RV’12b ||RV21b) Ek(RV’21b||RV’22 || RVbr) RV’rb
PE-ICE & PRV-Trees - Properties Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art • PRV-Trees: Optimized the on-chip memory overhead • Parallelizable on read and write operations • Can be applied to the 1st replay attack countermeasure PRV-Trees
Conclusion & Perspectives Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art • PE-ICE: • Parallelized way to provide data confidentiality and integrity • Optimized Hardware resources required • Implementation • Add a compression technique • PRV-Trees: • Reduce the on-chip memory overhead to the storage of a single Reference Values (RV’) • Parallelizable on read and write operations • Easily adaptable to MAC based replay countermeasures • Partial authentication • Mathematical proof • Evaluation
Hardware Mechanisms for Secured Processor- Memory Transactions Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art • Introduction • Threat Model • State of the art • Contribution 1: PE-ICE& PRV Tree • Parallelized Encryption and Integrity Checking Engine • Contribution 2: FPGA configuration • SARFUM protocol • Conclusion, Future Works
FPGA Bitstream configuration protection Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art System owner (untrusted) System designer FPGA (trusted) Untrusted medium Bitstream Configuration Module User logic Non Volatile Memory for bitstream (untrusted)
FPGA Bitstream configuration protection Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art System owner (untrusted) System designer FPGA (trusted) Untrusted medium Bitstream Crypto Configuration Module User logic Crypto Key(s) Key(s) Provided by FPGA vendors Non Volatile Memory for bitstream (untrusted)
FPGA Bitstream configuration protection Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art System owner (untrusted) System designer FPGA (trusted) Untrusted medium Encrypted Bitstream Bitstream Crypto Configuration Module User logic Design Crypto Key(s) Bitstream Key(s) Non Volatile Memory for bitstream (untrusted)
FPGA Bitstream configuration protection Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art System owner (untrusted) System designer FPGA (trusted) Untrusted medium Bitstream Crypto Configuration Module User logic Crypto Key(s) Key(s) Non Volatile Memory for bitstream (untrusted) • Our Objectives : • Ensure confidentiality • Ensure integrity • Avoid system downgrade
Security Model Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art 1 SRAM : SRAM based FPGAs (Xilinx, Altera, Lattice)
Security Model 1 SRAM : SRAM based FPGAs (Xilinx, Altera, Lattice) 2 CBC : Cipher Block Chaining : block cipher mode of operation 3 CRC : Cyclic Redundancy Check 4 MAC : Message Authentication Code
Security Model Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art 1 SRAM : SRAM based FPGAs (Xilinx, Altera, Lattice) 2 CBC : Cipher Block Chaining : block cipher mode of operation 3 CRC : Cyclic Redundancy Check 4 MAC : Message Authentication Code
Encryption for confidentiality Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art FPGA Configuration Module User Logic Encrypted Bitstream (EB) Design KENC Untrusted medium Bitstream Decryption engine EB : Encrypted Bitstream
Encryption and Message Authentication Code For confidentiality and integrity Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art FPGA Configuration Module User Logic Design EB || MAC (EB) KENC KMAC Untrusted medium Decryption and MAC engine Bitstream VALID ? • Proposed by : • Actel : Actel Application Note : Fusion security • Saar Drimer, University of Cambridge : Authentication of FPGA Bitstreams : Why and How ? EB : Encrypted Bitstream MAC : Message Authentication Code || : concatenation
Replay attack Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art FPGA (trusted) EB (Version i) EB (Version i) System designer Configuration Module User logic Bitstream (version i) Crypto Untrusted medium Design (Vi) Crypto Key(s) Key(s) Version i HACKER EB (Version i) Version i+n FPGA (trusted) System designer EB (Version i+n) Configuration Module User logic Untrusted medium Bitstream (version i+n) Crypto Crypto Design (Vi) Key(s) Key(s)
Secure Update Mechanism, Principle Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Alice (System Designer) Bob (FPGA) KENC KMAC KENC KMAC Non volatile TAG Alice = 0 Non volatile TAG Bob = 0 TAGALICE TAGBOB Encrypted Message || MAC (Message || 0) MAC validation using (Message || 0 ) Message decryption using KENC
Secure Update Mechanism, Principle Cryptography & Threat Model Contribution 2 FPGA Contribution 1 PE-ICE & Trees Introduction Conclusion State of the art Alice (System Designer) Bob (FPGA) KENC KMAC KENC KMAC Non volatile TAG Alice = 1 Non volatile TAG Alice = 0 Non volatile TAG Bob = 1 Non volatile TAG Bob = 0 CmdTAG+1 || MAC (CmdTAG+1 || 0) MAC validation using (CmdTAG+1 || 0) TAG+1 TAG+1 Message || MAC (Message || 1) MAC validation using (Message || 1)