Three Challenges of Secure Embedded System Design: Performance, Battery life and Robustness
Nachiketh Potlapally, Department of Electrical Engineering, Princeton University, Princeton, NJ. Email: npotlapa@princeton.edu
Embedded System Applications Require Security
• RFID tag: 1.28-1.92 MHz, 128-512 bit ROM, 32-128 bit RAM, 10000 gate logic, Battery (active)
• Smart card: 66 MHz, 240 KB ROM, 16 KB RAM, 912 KB EEPROM, Crypto co-processor, Battery (active)
• Cell-phone/PDA: 200 MHz, 16MB RAM, 64MB Flash, Crypto co-processor, Battery
[Figure labels: Network, Server, E-passport, E-wallet, Portfolio management using Microsoft Money]
Sensitive embedded system applications need security protocols to provide confidentiality, integrity and authentication
Confidentiality, Integrity and Authentication
Layers shown on the slide: Security objectives (Confidentiality, Integrity, Authentication), Security protocols, Cryptographic algorithms
• Symmetric algorithms (DES, AES, 3DES, RC5)
• Hash algorithms (MD4, HMAC, SHA-1)
• Asymmetric algorithms (RSA, ECC, DH, ECDH)
Underlying operations listed on the slide: Modular exponentiation; Point multiplication on elliptic curves; Table lookup; Permutations; Multiplication; Modular addition; Modular multiplication; Fixed shift/rotate; Variable shift/rotate; Multiplication; Addition; Logical operations; Fixed shift/rotate
Crypto algorithms are computationally intensive
Challenges in Implementing Security on Embedded Systems
Security protocols on embedded systems (low-end processors, battery energy supply) lead to:
• Reduced performance: 3DES and SHA require 130 MIPS @ 2 Mbps (Intel SA-1100 delivers 150 MIPS at 133 MHz)
• Shorter battery life: Sensoria WINS node needs 21.5 mJ/bit to transmit. RSA imposes overhead of 42 mJ/bit
• Susceptibility to side-channel attacks: Infer cryptographic keys from non-invasive probing of implementation characteristics
Objectives in design of secure embedded systems: Good performance, long battery life and robustness to attacks
My Research Experience: Design of secure embedded systems
Performance
1. Optimizing public-key algo. software performance [1,2]
2. Custom instruction design for public-key algo. [3]
3. Accelerating symmetric and hash algo. through custom instructions [5,9]
4. Optimizing IPSec protocol performance [5,9]
5. Reducing performance overhead of memory checking [10]
Battery life
1. Analyzing energy consumption of cryptographic algorithms [4,7]
2. Optimize energy consumption of SSL protocol [4,7]
3. Reduce energy consumed by memory bus in memory integrity checking [10]
Robustness
1. Satisfiability-based framework for enabling side-channel attacks on embedded cryptographic software [6,8]
Publications:
1. “Algorithm Exploration for Efficient Public-Key Security Processing for Wireless Handsets”, DATE02
2. “Optimizing Public-key Encryption”, ICC02
3. “System-level Design methodologies for a Wireless Security Processing Platform”, DAC02
4. “Analyzing the Energy Consumption of Security Protocols”, ISLPED03
5. “Impact of Configurability and Extensibility on IPSec Protocol Execution on Embedded Processors”, VLSID06
6. “Satisfiability-based Framework for Enabling Side-channel Attacks on Cryptographic Software”, DATE06
7. “A Study of the Energy Consumption Characteristics of Cryptographic Algorithms and Security Protocols”, IEEE Transactions on Mobile Computing, February 2006
8. “Aiding Side-channel Attacks on Cryptographic Software with Satisfiability-based Analysis”, IEEE Transactions on VLSI Systems, April 2006
9. “Configuration and Extension of Embedded Processors to Optimize IPSec Protocol Execution”, IEEE Transactions on VLSI Systems. (To appear)
10. “Verifying Data Integrity with Few Queries to Untrusted Memory”, (In Submission)
Outline • Part 1: Robustness of secure embedded systems • Satisfiability-based side-channel attacks on cryptographic software • Part 2: Battery life of secure embedded systems • Analyze energy consumption of cryptographic algorithms and security protocols • Future work
Part 1: Robustness
Satisfiability-based Side-channel Attacks on Cryptographic Software
Logical Inferences on Leaked Intermediate Values Can Expose Secret Key
[Figure: Cryptographic algorithm software with Plaintext in and Ciphertext out; Secret key in On-chip secure memory; Intermediate variables on the Memory bus; Logical inferences lead from the intermediate variables to the secret key]
Protect these variables too!
Robustness: Talk Outline • Information leakage in software implementations • Active and passive leakage • Logical cryptanalysis framework • Satisfiability (SAT) solver • Proposed cryptanalysis flow • Experimental setup • Results: DES, 3DES, and AES • Sensitive intermediate variables
Cryptanalysis: Theoretical View
[Figure: Black Box containing the Cryptographic algorithm implementation and the Secret key in Secure storage; Plaintext in, Ciphertext out]
Cryptographic algorithms are provably secure against mathematical cryptanalysis under the black-box assumption
Cryptanalysis: Software Leakage
[Figure: Plaintext enters a software stack (Applications, library calls, System library, system calls, Operating system, machine instructions, Hardware) that uses On-chip secure memory and produces Ciphertext; leakage points are marked along the stack]
• Hacking run-time stack (V. Paretsky, Dr. Dobbs 05)
• Sensitive data in core dumps (Broadwell et al., USENIX 03)
• Memory bus monitoring (Anderson & Kuhn, USENIX 96)
• Proactive cache probing (C. Percival, Tech. Rep.)
• Sensitive residual data in buffers (Chow et al., USENIX 04)
• Persistence of swapped data (Garfinkel & Shelat, S&P 03)
Cryptanalysis Using Leaked Intermediate Values
[Figure: Data-flow graph of a crypto function, from Plaintext and Secret key to Ciphertext, with operations 1-7 and intermediate values V1-V11. Legend: Exposed intermediate computation, Hidden computation, Implied computation, Implication path. Key is protected from exposure]
Exposure of intermediate values may aid computation of protected secret key bits via logical implications
Logical Cryptanalysis Framework
[Figure: Circuit description relating Plaintext P, Secret key K and Ciphertext C feeds a Logical Analysis/Implication Engine (Theorem prover, Satisfiability solver, ...). Constraints: Known plaintext + Known ciphertext + Exposed variables. Output: Secret Key]
Satisfiability (SAT) Solvers
• SAT solver finds satisfying Boolean assignment to variables in a conjunctive normal form (CNF) formula
• Gives a proof if no such assignment exists
• SAT solver has a powerful logical implication engine in the form of Boolean constraint propagation (BCP)
• Circuits can be converted to CNF in linear time
CNF of basic gates with inputs x, y and output z:
• AND: $(\overline{z}+x)\,(\overline{z}+y)\,(z+\overline{x}+\overline{y})$
• OR: $(z+\overline{x})\,(z+\overline{y})\,(\overline{z}+x+y)$
• XOR: $(\overline{z}+x+y)\,(\overline{z}+\overline{x}+\overline{y})\,(z+\overline{x}+y)\,(z+x+\overline{y})$
SAT-based Cryptanalysis Framework
[Flow diagram: Plaintext P, Ciphertext C and Secret key K → CNF conversion → CNF formula of cryptographic algorithm, Ψ(P, C, K) → Set plaintext and ciphertext values in Ψ(P, C, K) → Set values of exposed variables in Ψ(P, C, K) → SAT solver (labels: Timeout, Constraints) → K’ = 110..1 (consistent with the values set)]
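Added example, not from the original slides: the gate-to-CNF conversion and the "set known values, then let the solver's implication engine run" flow of the two slides above, on a toy circuit. The 4-bit circuit, the variable numbering and all function names are constructed for illustration; only Boolean constraint propagation is implemented, not a full SAT solver.

```python
# Added example: toy 4-bit circuit (constructed, NOT DES or AES), DIMACS-style literals.
N = 4
P = [1 + i for i in range(N)]    # plaintext bits p_i
K = [5 + i for i in range(N)]    # secret key bits k_i
V = [9 + i for i in range(N)]    # intermediate v_i = p_i XOR k_i
S = [13 + i for i in range(N)]   # intermediate s_i = v_i AND v_(i+1)
C = [17 + i for i in range(N)]   # ciphertext bits c_i = s_i XOR k_(i+1)

def xor_gate(z, x, y):
    """CNF clauses for z = x XOR y."""
    return [[-z, x, y], [-z, -x, -y], [z, -x, y], [z, x, -y]]

def and_gate(z, x, y):
    """CNF clauses for z = x AND y."""
    return [[-z, x], [-z, y], [z, -x, -y]]

def toy_cipher_cnf():
    """Gate-by-gate (linear-time) conversion of the toy circuit to CNF."""
    clauses = []
    for i in range(N):
        j = (i + 1) % N
        clauses += xor_gate(V[i], P[i], K[i])
        clauses += and_gate(S[i], V[i], V[j])
        clauses += xor_gate(C[i], S[i], K[j])
    return clauses

def propagate(clauses, known):
    """BCP: when an unsatisfied clause has one free literal, that literal is forced."""
    val = dict(known)
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(val.get(abs(lit)) == (lit > 0) for lit in clause):
                continue                      # clause already satisfied
            free = [lit for lit in clause if abs(lit) not in val]
            if not free:
                raise ValueError("conflict: the fixed values are inconsistent")
            if len(free) == 1:
                val[abs(free[0])] = free[0] > 0
                changed = True
    return val

def implied_key_bits(plain, key, exposed):
    """Key bits forced by BCP once P, C and the `exposed` variables are fixed."""
    cnf = toy_cipher_cnf()
    run = propagate(cnf, dict(zip(P + K, plain + key)))   # forward run yields v, s, c
    fixed = {var: run[var] for var in P + C + exposed}
    val = propagate(cnf, fixed)
    return {i: val[K[i]] for i in range(N) if K[i] in val}
```

With only plaintext and ciphertext fixed, propagation forces no key bit in this toy circuit; fixing either intermediate set (`V` or `S`) forces all four, which is why such variables need the same protection as the key.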
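CNF conversion: DES
[Figure: DES block diagram. Plaintext passes through Round 1, Round 2, ..., Round i, ..., Round 16 to Ciphertext; Key setup derives K1, K2, ..., Ki, ..., K16 from the Secret key; round i takes Li, Ri and Ki and produces Li+1, Ri+1, with labels E, K, S1 ... S8, P and bit widths 32, 32, 48]
Converting z = F(x,y) to CNF: $z = F(x,y) \equiv (z \rightarrow F(x,y))\,(F(x,y) \rightarrow z) \equiv (\overline{z} + F(x,y))\,(\overline{F(x,y)} + z)$
Algorithm: Clauses, Literals
DES: 6904, 35232
3DES: 20328, 104928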
Experimental Setup
[Flow diagram components: Cryptographic algorithm software, xt-gcc compiler, RTL generator, Xtensa ISS, CNF generator, Memory traffic analyzer, MiniSAT solver. Data: Plaintext, Ciphertext; Exposed variable values. Output: Secret key & Sensitive variables]
Results: DES & 3DES
[Figure: DES round diagrams (Li, Ri, Ki and round function F over consecutive rounds) marking Sensitive variable set 1, Sensitive variable set 2 and Sensitive variable set 3]
Results: DES and 3DES
DES: [Plots for Sensitive variable set 1 and Sensitive variable set 3: Time taken by SAT solver (seconds) vs. Plaintext-ciphertext pairs]
3DES:
1. Sensitive variable sets 1 and 2: 1165 seconds (on average) with four plaintext-ciphertext pairs and corresponding intermediate variable values
2. Sensitive variable set 3: 750 seconds (on average) with four plaintext-ciphertext pairs and corresponding intermediate variable values
Results: AES
CNF conversion: Algorithm Literals Clauses Rounds AES 10 10240 542432
Results of side-channel cryptanalysis: 5 seconds (on average) to get the 128-bit AES key with one plaintext-ciphertext pair and 128-bit input and output of any one round
Conclusions • Presented a SAT-based framework for cryptanalysis • Identified the set of sensitive intermediate variables in DES, 3DES and AES • Future work: • Improve analysis techniques to reduce the size of sensitive variable set • Combine with traditional side-channel attacks
Part 2: Battery Life
Analyzing the Energy Consumption of Cryptographic Algorithms and Security Protocols
Impact of Security Processing on Battery Life: Battery Gap
• Security processing is computationally intensive
• Drains battery faster
Mobile Node:
• Motorola DragonBall MC68328
• Sensoria WINS NG RF Subsystem (10 Kbps, 10mW power)
• Sensoria WINS NG Battery Pack (7.2 V supplying 26 kJ)
[Chart: No. of Transactions, annotated "Battery runs out of power". Source: Network Associates Inc.]
There is a need for energy-efficient security protocols
Battery life: Outline • Experimental setup • Analysis of energy consumption of cryptographic algorithms • Symmetric algorithms • Public-key algorithms • Analysis of energy consumption of SSL security protocol • Discussion: Optimizing SSL • Conclusions
Experimental Set-up
[Figure: Client: iPAQ H3670, SA-1100 StrongARM @206MHz, 64MB RAM, 16MB ROM, connected over Wireless LAN/WAN to a Server. Protocol stack labels: HTTPS, SSL, TCP, IPSec, IP, Linux. Power measurement system: Lab power supply, Sense resistor, SCB-68 I/O connector, Data acquisition card, LabVIEW programming environment, Serial]
Symmetric Algorithms
[Figure: Plaintext P passes through Round 1, Round 2, ..., Round i, ..., Round N to Ciphertext C; Key setup derives K1, K2, ..., Ki, ..., KN from Secret key K]
Implements confusion and diffusion operations
Energy Consumption Results: Impact of Symmetric Algorithm Parameters
• Symmetric algorithm parameters influence system energy consumption
• Number of rounds of execution
• Cipher parameters affect energy and security
• Energy-security trade-offs possible in symmetric algos.
[Chart labels, RC5: Cryptanalytic difficulty > $2^{47}$ $2^{95}$ $2^{119}$ >]
Energy Consumption Results: Symmetric Algorithms
• Symmetric algorithms have widely varying energy consumption values
• BLOWFISH has the greatest key setup cost, but very low enc/dec cost
• 3DES has the highest enc/dec cost
[Chart: Energy consumption (logarithmic scale); units (µJ) and (µJ/byte)]
Symmetric Algorithm Block Cipher Modes
[Figure: block diagrams of ECB, CBC and OFB/CFB modes, with labels Initialization vector, Key, Symmetric algorithm, Plaintext, Plaintext_0, Plaintext_1, Ciphertext, Ciphertext_0, Ciphertext_1]
Energy Consumption Results: Impact of Symmetric Algorithm Modes
• Symmetric algorithm parameters influence system energy consumption
• Key size
• Cipher mode (ECB, CBC, CFB, OFB)
[Chart, AES: Energy consumption (uJ) by Key size; categories Key setup, ECB, CBC, CFB, OFB; units (uJ) and (uJ/Byte)]
Energy Consumption Results: Impact of Table Lookups & Loop Unrolling
[Chart, AES, 60KB file, 128-bit key: Energy consumption (J) vs. Number of tables per round and Degree of unrolling, with Maximum energy and Minimum energy points marked]
• Many tables and full loop unrolling increase the number of memory accesses
• Optimal energy with one table and partial unrolling
Energy Consumption Results: Processor vs. Memory Energy in AES
[Chart, AES, 60KB file, 128-bit key, partial loop unrolling: Energy consumption (J) vs. Number of tables per round]
• Table lookups replace arithmetic instructions with loads and stores
• Energy consumption rises when tables affect caching behavior
Public-key Algorithms • Constructed using trap-door one way functions • Computationally infeasible to invert without ‘trap-door’ information • Security is based on hard mathematical problems • Integer factorization (RSA) • Discrete logarithm in Integer field (DH, DSA) • Discrete logarithm in Elliptic fields (ECDH) • Two applications of public-key algorithms • Authentication using digital signatures • Key exchange for symmetric algorithms
Energy Consumption Results: Public-key Algorithms (Digital Signature)
[Chart: Energy consumption (mJ); key sizes labelled (1024-bit), (1024-bit), (160-bit)]
• RSA and ECDSA exhibit complementary energy consumption for sign and verify operations
Energy Consumption Results: Public-key Algorithms (Key Exchange)
[Chart: Energy consumption (mJ); key sizes labelled (512-bit), (1024-bit), (160-bit)]
• Increasing key size drastically affects the energy consumption
• ECDH is more energy efficient than DH
Secure Sockets Layer (SSL)
[Figure: SSL Handshake, SSL Change Cipher, SSL Alert and Application data over the SSL Record Protocol, over TCP and IP. Record processing labels: Application data, Fragment, Compression, Compressed Fragment, Message Integrity, MAC trailer, Padding, Encryption, Encrypted data, SSL Record Assembly, SSL header, SSL record. Services: Authentication, Key exchange; Confidentiality, Integrity]
Energy Break-up of SSL Processing
[Chart: Energy consumption breakup (0% to 100%) vs. Transaction size (bytes): 1K, 100K, 1M; values labelled 41%, 44%, 46%]
• For small transactions, asymmetric algorithm energy dominates
• For large transactions, symmetric algorithm energy dominates
• Non-crypto processing accounts for more than 40% of the energy
Optimizing SSL Handshake
[Chart: Energy consumption (mJ) for Server operations and Client operations]
• SSL Handshake Optimizations
• Presence/absence of security services (such as client authentication)
• Choice of asymmetric cipher (RSA vs ECC)
Optimizing the SSL Record Stage • SSL Record Optimizations • Choice of cipher suite (e.g., ECC-AES-MD5 vs. ECC-BLOWFISH-MD5) is influenced by the size of the data transmitted. • Choice of cipher parameters (key size, number of rounds)
Conclusions • Comprehensive analysis of energy consumption of cryptographic algorithms and security protocols • Energy-security trade-offs possible in security protocols • Will tolerate lower security for reduced energy consumption • Parameters identified include • Symmetric algorithm used in record stage • Asymmetric algorithm used in handshake • Key-size of asymmetric algorithms • Number of rounds in symmetric algorithms • Size of data to be transmitted
Future Research: Robust, Light-weight Security
Layered Security Implementation: Security objectives, Security protocols, Cryptographic algorithms, Hardware-software architectures
Security protocols
• Scalable security protocols with variable rounds and per round complexity
  - Scalable Fiat-Shamir identification protocol
Cryptographic algorithms
• Devise novel algorithms based on hard problems with simpler operations
  - Learning parity with noise
• Algorithms based on energy efficient operations
  - LFSR-based hashing
  - Polynomial arithmetic-based algorithms
Hardware-software architectures
1. Efficient embedded architectures for newer crypto algorithms
  - NTRU
2. Low-cost architectures for side-channel attack resistance
  - Can leakage current provide side-channel information?
3. Hardware measures to tackle malware (viruses, worms)
Acknowledgements • Princeton University • Prof. Niraj Jha and Prof. Ruby Lee • Group members • NEC Labs America • Dr. Anand Raghunathan • Dr. Srivaths Ravi Thank you!