Breaking the Bitstream Decryption of FPGAs€¦ · Differential Power Analysis (DPA) Classifying...

Breaking the BitstreamDecryption of FPGAs05. Sep. 2012

Amir MoradiEmbedded Security Group, Ruhr University Bochum, Germany

Embedded Security Group

Acknowledgment Christof Paar

Markus Kasper

Timo Kasper

Alessandro Barenghi

ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

Outline Side‐Channel Attacks (in general)

– DPA/CPA Xilinx Bitstream Encryption

Side‐Channel Attacks Physical attacks

– observing physical characteristics e.g.,• power consumption• running time• electromagnetic radiation

of a cryptographic DEVICE– usually divide‐and‐conquer scheme– recovering the relation between the side‐channel leakage and processed data

How to Measure Side‐Channel Leakages Running Time ‐> straightforward by a counter/timer Power Consumption

– a resistor, an oscilloscope

Differential Power Analysis (DPA) Classifying the power consumption values in two groups

Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups

p 12 3d 78 … f9 ab 3d

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac eb

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

Diff. of Means

powerLSB 1,powerLSB 0

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

0.0010.002

Diff. of Means

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

0.0010.002

Diff. of Means

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

0.0010.002

Diff. of Means

Correlation Power Analysis (CPA) hypothetical model for power consumption

Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)

p 12 3d 78 … f9 ab 3d

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

Correlation

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

Correlation

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

Correlation

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

0.0110.060

Correlation

Challenges Measurement quality Knowledge about the target device

– Mostly in evaluation labs (perfect situation)

How about a real‐world scenario

FPGAs = Reconfigurable Hardware

Case Study: Xilinx Bitstream Encryption

Widely used in • routers• consumer products• automotive, machinery• military• > million gates

FPGAs = Reconfigurable Hardware

Case Study: Xilinx Bitstream Encryption

Widely used in • routers• consumer products• automotive, machinery• military• > million gates

Config file• Configuration loaded

at power‐up• bitstream ≈ Mbits

Bitstream/Configuration

PCB board

SRAM FPGA

PCB board

SRAM FPGA

E2PROM

PCB board

SRAM FPGA

E2PROMFactory

PCB board

SRAM FPGA

E2PROMFactory

Power‐up

Bitstream Encryption

PCB board

FPGA DesignSecret Keys

Proprietary AlgorithmsIP Cores

Bitstream

3DESAES

Bitstream

SRAM FPGA

PCB board

Bitstream

3DESAES

Bitstream

SRAM FPGA

PCB board

Bitstream

3DESAES

Bitstream

SRAM FPGA

E2PROM

PCB board

Bitstream

3DESAES

Bitstream

SRAM FPGA

E2PROMFactoryInternet

Firmware UpdateECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

PCB board

Bitstream

3DESAES

Bitstream

SRAM FPGA

Firmware Update

Power‐up

PCB board

Bitstream

3DESAES

Bitstream

SRAM FPGA

Firmware Update

Power‐upAttacker? =

PCB board

Bitstream

3DESAES

Bitstream

SRAM FPGA

Firmware Update

Power‐upAttacker? =

Side‐Channel?

PCB board

E2PROM

Side‐Channel?

PCB board

E2PROM

Side‐Channel?

PCB board

E2PROM

VCC‐IO VCC‐AUXVCC‐INT

Side‐Channel?

PCB board

E2PROM

Side‐Channel?

PCB board

E2PROM

Power‐upDEC

Side‐Channel?

PCB board

E2PROM

Power‐upDEC

Side‐Channel?

PCB board

E2PROM

Power‐upDEC

E2PROMunencrypted bitstream

Challenges structure analysis protocol analysis

– bit‐wise feeding the encrypted bitstream– developing a sophisticated configuration device

trigger signal– start of each ciphertext block

visual inspection

Some Figures

There are several documents by Xilinx on bistream structure but still some parts related to encryption stay unclear

Analysis and comparison of plain and encrypted bitstream revealed that : The selection of the decryption key from the storage is readable Initialization Value of the CBC mode embedded in bitstream The decryption engine is enabled by a bitstream command

Plain EncryptedBitstream Structural Analysis

Find the when the decryption takes place Must occur after at least a whole ciphertext block

(64 bit) is in Should take place in less than 64 bits being sent in

to match on-the-fly decryption Compare the power consumptions of encrypted

and unencrypted bitstreams to reveal the time position

The JTAG clock is driven by us We can freeze the programming process

Decryption Timing

Power Traces?

Ciphertexti‐1

Power Traces?

CiphertextiCiphertexti‐1

Power Traces?

CiphertextiCiphertexti‐1

Decryption (Ciphertexti‐1)

Power Traces?

Two clock cycles after a ciphertext block is in, the decryption is performed

Unencrypted bitstream Encrypted bitstream

Decryption Phase

Encryption engine far smaller than the whole FPGA circuit

The device embeds a CPU (PowerPC403) in the fabric

As the PPC is not used to perform the decryption, its power consumption is irrelevant for the analysis

Since the PPC is clocked at 300MHz by an internal clock source, band-stop filtering the power traces removes its contribution

Insulating the encryption engine

Zoomed Traces/Filtering

Timewise variance of 10k encryptions

Filtered

Raw Filtered

To successfully perform the attack, hypotheses on the decryption engine architecture must be made

Switching activity of buffers storing intermediate values are good candidates for a power model

DES cipher state buffer switching activity was modeled during a cipher round

Switching activity conditioned by 6 bits of the key at a time was predicted (64 key hypotheses)

Consumption model: switching activity of the round buffer

Power consumption/architecture hypotheses

Assumed Internal Architecture

Round based implementation of DES

Round based implementation of DES Separate stage for initial and final permutation

Round based implementation of DES Separate stage for initial and final permutation One round per crypto-engine clock cycleECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

Round based implementation of DES Separate stage for initial and final permutation One round per crypto-engine clock cycle Internal 64 bit buffer stores cipher stateECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

Architecture Hypothesis Validation Need to validate the architecture hypothesis before the

attack

Correlating to HW of Ciphertextsand output of each DES

attack

Correlating to HW of Ciphertextsand output of each DES

Correlating to HD of consecutiveround outputs

Attack on 6 bits of the 1st DES the key (round 1)

Final Attack Results

Attack on 6 bits of the 1st DES the key (round 1)

The key is recoverable with ~ 50000 decryption power measures (less than a single bitstream decryption for almost all V2Pro devices) The attack is still possible with lowpass filtered and decimated traces up to 100MSa/s A single attack to recover 6 bits of a DES key takes a couple of seconds on a common desktop Complete 3DES key recovered in 2-3 minutes of computation

Successful Side Channel attack estimating a very small part of the active digital logic Correlation power analysis is scale invariant, as long as there are correlated variations

No explicit SCA countermeasures present, sheer size of the platform thought to be enough Proper filtering of the obtained signal removes non-relevant consumption

Mainly security through obscurity Methodic reverse engineering leads to figuring out the structure

How about more recent devices V4, V5, S6?

Visual Inspection

normal

Visual Inspection

normal

average over 10k tracesECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

Filtering

zoomfilter

peak extraction, AES‐256ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

Known Steps guessing the architecture guessing the power model known‐key scenario check their validity

Finally after 3 months…

Architecture (AES‐256)

Bit flips in registers (Hamming distance) as the model

Findings

Model for Power Consumption Hamming Distance of state register R

Problem: At least 64‐bit hypothesis to attack power consumption of 32‐bit leakage

Model for Power Consumption

Exploit linearity 32‐bit hypotheses to attack

single bit power model Fine in theory, but can we detect the leakage of a single

bit in practice?

The Attack 235 (= 34,359,738,368) keys to test 60,000 power traces 128 GiB of 32‐bit floating point results Can be done but not practical on CPUs

GPUs for Power Analysis Used System

– 4x Nvidia Tesla C2070 GPUs– Each one has 6 GB of RAM and 448 cores– Clocked at 1.15 GHz

HDD is not the bottleneck Full attack in around 4.5 hours (V4, 60k traces)

Result Virtex‐4 60k traces

Other Columns show similar results Virtex‐5:

The same attack works (6.5 hours, 90k traces)

Lessons Learned Bitstream encryption is vulnerable to SCA New modern CMOS technology can be attacked in

practice (90nm/65nm/45nm) Reusing crypto cores simplifies analyses Attacks on 32‐bit hypotheses are realistic threats GPUs are a nice tool for attacks where computation

time dominates

Recent Results and ongoing Work Up to know, the broken devices:

– Virtex‐II pro– Virtex‐4– Virtex‐5– Spartan‐6– Actel (Microsemi) S. Skorobogatov, C. Woods

• http://eprint.iacr.org/2012/296 Those which come soon or later

– Virtex‐6– Kintex‐7– Stratix‐II (Altera)

Thanks!Any questions?

Embedded Security Group, Ruhr University Bochum, Germany

amir.moradi@rub.de

Breaking the Bitstream Decryption of FPGAs€¦ · Differential Power Analysis (DPA) Classifying...

Documents

Encryption Decryption

Plantium SBOX Software Update 2020-1 · 2020. 3. 10. · AGROMETAL (TX Mega) Release Notes Plantium® SBOX Software Update 2020-1 March 4, 2020 6 DOLBI (AX4100) ASCANELLI (RS3000)

Image encryption and decryption

Encrption Decryption

2. Encryption and Decryption

VAULT SBOX Access Control Server and Linux Embedded CFTVfalco-ecom.com/WEBSITEIMAGEUPLOAD/Datasheet VAULT SBOX hires.pdf · Powered by Falco FLEXIBLE ARCHITECTURE Page 1 VAULT SBOX

The Super-Sbox Cryptanalysisccrg/documents/Presentation... · IntroductionSuper-Sbox Grøstl Results The controlled rounds in the Super-Sbox view One can get 3 controlled rounds,

Data Decryption & Password Recovery

Encryption and Decryption

Sbox kimsojung

Report Encryption Decryption

SBOX企画案内 19鷹祭メニュー 0617...Title SBOX企画案内_19鷹祭メニュー_0617 Created Date 6/17/2019 5:59:43 PM

Succint Filterable Decryption

Non-full-active Super-Sbox Analysis: Applications to ECHO ... · In this paper, we present non-full-active Super-Sbox analysis which can detect non-idealpropertiesofa classofAES-basedpermutations

Hollywood style decryption

Secure Blind Decryption

128-bit AES decryption

Encryption-Decryption of Email

Section III: Partitioning and Floorplanning · Detail Routing (Maze router) Track assignment SBOX routing of 6x6 GCELL SBOX, step and repeat with overlaps Search and Repair. Welcome

Sbox Manual