Breaking the Bitstream Decryption of FPGAs€¦ · Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups Sbox

Breaking the BitstreamDecryption of FPGAs05. Sep. 2012

Amir MoradiEmbedded Security Group, Ruhr University Bochum, Germany

2

Embedded Security Group

Acknowledgment Christof Paar

Markus Kasper

Timo Kasper

Alessandro Barenghi

ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

3


Outline Side‐Channel Attacks (in general)

– DPA/CPA Xilinx Bitstream Encryption


4


Side‐Channel Attacks Physical attacks

– observing physical characteristics e.g.,• power consumption• running time• electromagnetic radiation

of a cryptographic DEVICE– usually divide‐and‐conquer scheme– recovering the relation between the side‐channel leakage and processed data


5


How to Measure Side‐Channel Leakages Running Time ‐> straightforward by a counter/timer Power Consumption

– a resistor, an oscilloscope


6


Differential Power Analysis (DPA) Classifying the power consumption values in two groups


7


Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups


8



Sbox

kp


9



Sbox

kp

p 12 3d 78 … f9 ab 3d


10



Sbox

kp

p 12 3d 78 … f9 ab 3d


11



Sbox

kp

p 12 3d 78 … f9 ab 3d


12



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02


13



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27


14



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1


15



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac eb


16



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0


17



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

…


18



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

Diff. of Means

…

powerLSB 1,powerLSB 0


19



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

0.0010.002

…

0.020

…

0.001

Diff. of Means

…



20



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

0.0010.002

…

0.020

…

0.001

Diff. of Means

…



21



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27LSB 1 1 1 … 1 0 1

[k=01] S 7d eb b6 … 41 ac ebLSB 0 0 0 … 1 1 0

[k=ff] S 55 25 17 … 6f 20 25LSB 1 1 1 … 1 0 1

0.0010.002

…

0.020

…

0.001

Diff. of Means

…



22


Correlation Power Analysis (CPA) hypothetical model for power consumption


23


Correlation Power Analysis (CPA) hypothetical model for power consumption compare the model with side‐channel leakage (power)


24



Sbox

kp


25



Sbox

kp

p 12 3d 78 … f9 ab 3d


26



Sbox

kp

p 12 3d 78 … f9 ab 3d


27



Sbox

kp

p 12 3d 78 … f9 ab 3d


28



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02


29



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 27


30



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4


31



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb


32



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6


33



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

…


34



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

Correlation

…


35



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

Correlation

…


36



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

Correlation

…


37



Sbox

kp

p 12 3d 78 … f9 ab 3dpower 0.12 0.010.14 … 0.20 0.060.02

[k=00] S c9 27 bc … 99 62 274 4 5 … 4 3 4

[k=01] S 7d eb b6 … 41 ac eb6 6 5 … 2 4 6

[k=ff] S 55 25 17 … 6f 20 254 3 4 … 6 1 3

0.0110.060

…

0.231

…

0.095

Correlation

…


38


Challenges Measurement quality Knowledge about the target device

– Mostly in evaluation labs (perfect situation)

How about a real‐world scenario


39


FPGAs = Reconfigurable Hardware

Case Study: Xilinx Bitstream Encryption

Widely used in • routers• consumer products• automotive, machinery• military• > million gates


40


FPGAs = Reconfigurable Hardware

Case Study: Xilinx Bitstream Encryption

Widely used in • routers• consumer products• automotive, machinery• military• > million gates

Config file• Configuration loaded

at power‐up• bitstream ≈ Mbits


41


Bitstream/Configuration


42



PCB board

SRAM FPGA


43



PCB board

SRAM FPGA

E2PROM


44



PCB board

SRAM FPGA

E2PROMFactory


45



PCB board

SRAM FPGA

E2PROMFactory

Power‐up


46


Bitstream Encryption

PCB board


47



PCB board

FPGA DesignSecret Keys

Proprietary AlgorithmsIP Cores

Bitstream

3DESAES

Bitstream

SRAM FPGA


48



PCB board



Bitstream

3DESAES

Bitstream

SRAM FPGA

DEC


49



PCB board



Bitstream

3DESAES

Bitstream

SRAM FPGA

DEC

E2PROM


50



PCB board



Bitstream

3DESAES

Bitstream

SRAM FPGA

DEC

E2PROMFactoryInternet

Firmware UpdateECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

51



PCB board



Bitstream

3DESAES

Bitstream

SRAM FPGA

DEC


Firmware Update

Power‐up


52



PCB board



Bitstream

3DESAES

Bitstream

SRAM FPGA

DEC


Firmware Update

Power‐upAttacker? =


53



PCB board



Bitstream

3DESAES

Bitstream

SRAM FPGA

DEC


Firmware Update

Power‐upAttacker? =


54


Side‐Channel?

PCB board

E2PROM

DEC


55


Side‐Channel?

PCB board

E2PROM

DEC


56


Side‐Channel?

PCB board

E2PROM

DEC

VCC‐IO VCC‐AUXVCC‐INT


57


Side‐Channel?

PCB board

E2PROM

DEC



58


Side‐Channel?

PCB board

E2PROM

Power‐upDEC



59


Side‐Channel?

PCB board

E2PROM

Power‐upDEC



60


Side‐Channel?

PCB board

E2PROM

Power‐upDEC


E2PROMunencrypted bitstream


61


Challenges structure analysis protocol analysis

– bit‐wise feeding the encrypted bitstream– developing a sophisticated configuration device

trigger signal– start of each ciphertext block

visual inspection


62


Some Figures


63


Some Figures


64


There are several documents by Xilinx on bistream structure but still some parts related to encryption stay unclear

Analysis and comparison of plain and encrypted bitstream revealed that : The selection of the decryption key from the storage is readable Initialization Value of the CBC mode embedded in bitstream The decryption engine is enabled by a bitstream command

Plain EncryptedBitstream Structural Analysis


65


Find the when the decryption takes place Must occur after at least a whole ciphertext block

(64 bit) is in Should take place in less than 64 bits being sent in

to match on-the-fly decryption Compare the power consumptions of encrypted

and unencrypted bitstreams to reveal the time position

The JTAG clock is driven by us We can freeze the programming process

Decryption Timing


66


Power Traces?


67


Ciphertexti‐1

Power Traces?


68


CiphertextiCiphertexti‐1

Power Traces?


69


CiphertextiCiphertexti‐1

Decryption (Ciphertexti‐1)

Power Traces?


70


Two clock cycles after a ciphertext block is in, the decryption is performed

Unencrypted bitstream Encrypted bitstream

Decryption Phase


71


Encryption engine far smaller than the whole FPGA circuit

The device embeds a CPU (PowerPC403) in the fabric

As the PPC is not used to perform the decryption, its power consumption is irrelevant for the analysis

Since the PPC is clocked at 300MHz by an internal clock source, band-stop filtering the power traces removes its contribution

Insulating the encryption engine


72


Zoomed Traces/Filtering

Timewise variance of 10k encryptions

Filtered

Raw Filtered

Raw


73


To successfully perform the attack, hypotheses on the decryption engine architecture must be made

Switching activity of buffers storing intermediate values are good candidates for a power model

DES cipher state buffer switching activity was modeled during a cipher round

Switching activity conditioned by 6 bits of the key at a time was predicted (64 key hypotheses)

Consumption model: switching activity of the round buffer

Power consumption/architecture hypotheses


74


Assumed Internal Architecture


75



Round based implementation of DES


76



Round based implementation of DES Separate stage for initial and final permutation


77



Round based implementation of DES Separate stage for initial and final permutation One round per crypto-engine clock cycleECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

78



Round based implementation of DES Separate stage for initial and final permutation One round per crypto-engine clock cycle Internal 64 bit buffer stores cipher stateECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

79


Architecture Hypothesis Validation Need to validate the architecture hypothesis before the

attack


80



attack

Correlating to HW of Ciphertextsand output of each DES


81



attack

Correlating to HW of Ciphertextsand output of each DES

Correlating to HD of consecutiveround outputs


82


Attack on 6 bits of the 1st DES the key (round 1)

Final Attack Results


83


Attack on 6 bits of the 1st DES the key (round 1)

The key is recoverable with ~ 50000 decryption power measures (less than a single bitstream decryption for almost all V2Pro devices) The attack is still possible with lowpass filtered and decimated traces up to 100MSa/s A single attack to recover 6 bits of a DES key takes a couple of seconds on a common desktop Complete 3DES key recovered in 2-3 minutes of computation



84


Successful Side Channel attack estimating a very small part of the active digital logic Correlation power analysis is scale invariant, as long as there are correlated variations

No explicit SCA countermeasures present, sheer size of the platform thought to be enough Proper filtering of the obtained signal removes non-relevant consumption

Mainly security through obscurity Methodic reverse engineering leads to figuring out the structure



85


How about more recent devices V4, V5, S6?


86


Visual Inspection

CLK

normal

ENC


87


Visual Inspection

CLK

normal

ENC

average over 10k tracesECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

88


Filtering

CLK

zoomfilter

ENC

peak extraction, AES‐256ECRYPT II Summer School: Challenges in Security Engineering | Bochum | 05. Sep. 2012 Amir Moradi

89


Known Steps guessing the architecture guessing the power model known‐key scenario check their validity

Finally after 3 months…


90


Architecture (AES‐256)

Bit flips in registers (Hamming distance) as the model

Findings


91


Model for Power Consumption Hamming Distance of state register R

Problem: At least 64‐bit hypothesis to attack power consumption of 32‐bit leakage


92


Model for Power Consumption

Exploit linearity 32‐bit hypotheses to attack

single bit power model Fine in theory, but can we detect the leakage of a single

bit in practice?


93


The Attack 235 (= 34,359,738,368) keys to test 60,000 power traces 128 GiB of 32‐bit floating point results Can be done but not practical on CPUs


94


GPUs for Power Analysis Used System

– 4x Nvidia Tesla C2070 GPUs– Each one has 6 GB of RAM and 448 cores– Clocked at 1.15 GHz

HDD is not the bottleneck Full attack in around 4.5 hours (V4, 60k traces)


95


Result Virtex‐4 60k traces

Other Columns show similar results Virtex‐5:

The same attack works (6.5 hours, 90k traces)


96


Lessons Learned Bitstream encryption is vulnerable to SCA New modern CMOS technology can be attacked in

practice (90nm/65nm/45nm) Reusing crypto cores simplifies analyses Attacks on 32‐bit hypotheses are realistic threats GPUs are a nice tool for attacks where computation

time dominates


97


Recent Results and ongoing Work Up to know, the broken devices:

– Virtex‐II pro– Virtex‐4– Virtex‐5– Spartan‐6– Actel (Microsemi) S. Skorobogatov, C. Woods

• http://eprint.iacr.org/2012/296 Those which come soon or later

– Virtex‐6– Kintex‐7– Stratix‐II (Altera)


Thanks!Any questions?

Embedded Security Group, Ruhr University Bochum, Germany

[email protected]

Documents

Breaking the Bitstream Decryption of FPGAs€¦ · Differential Power Analysis (DPA) Classifying the power consumption values in two groups Comparing e.g., mean of the groups Sbox