1.ID and IP Theft with Side-Channel Attacks David Oswald, Ruhr-Uni Bochum david.oswald@rub.de Breaking One-Time Password Tokens and FPGA Bitstream Encryption

2. 2http://fb.com/WorldBeatClubTanzenUndHelfen 3. 3 No, I did not do all this stuff alone Christof Paar Timo Kasper Amir Moradi Pawel Swierczynski Bastian Richter 4. 4 5. 5 Sabre: Madboy74 6. 6 Ruhr-University Bochum: beautiful. 7. 7 Chameleon Mini https://github.com/emsec/ChameleonMini 8. 8 9. Embedded systems everywhere 10. 10 (The life of) a typical pirate Pegleg Eye patch Pirate hat Pirate laughter 11. 11 12. 12 13. 13 14. 14 15. 15 Report flaws Improve 16. Implementation Attacks: 17. 17Based on Skoborogatov 18. 18 Implementation Attacks: A Short History Known for many decades (e.g. TEMPEST) Poor understanding prior to 1996 (at least outside intelligence agencies) End 1990s: golden era Fault attacks (RSA CRT), 1996 Timing attacks, 1996 SPA, DPA, 1998 Since 1999: hundreds of research papers 19. 19 Side-Channel Attacks: In a nutshell 20. 20 Principle of Side-Channel Analysis (here: listen to sound) A Bank Robbery 21. 21 Principle of Side-Channel Analysis The world is changing 22. 22 Principle of Side-Channel Analysis (Now: measure the power consumption / EM) The world is changing the tools are, too. 23. 23 Side-Channel Analysis: Leakage Power consumption / EM depends on processed data Data = 1111 Data = 0000 Data = 1010 24. 24 Evaluation Methods: SPA Simple Power Analysis: Directly analyze (few) traces, for example RSA: 25. 25 Evaluation Methods: DPA / CPA Differential Power Analysis Detect statistical dependency: Key guess Side-channel Idea: Brute-force w/ additional information Use a statistical test... 26. Implementation Attacks: From Theory to Practice 27. 28 Theory versus Practice Academia 8-bit C Interfaces and implementation known / controlled Ideal setup White-box attack Real World HW / SW impl. Interfaces and implementation unknown Many unknown factors Black-box attack 28. 29 Case Studies Yubikey 2Altera Stratix II 29. 30 Home Port Bochum 30. 31 FPGA 2013 31. 32 Case Studies Yubikey 2Altera Stratix II 32. 33 FPGAs widely used in Routers Consumer products Cars Military Problem: FPGA design (bitstream) can be easily copied FPGAs 33. 34 FPGA 1 Flash Bitstream FPGA Power-Up 34. 35 FPGA 1 Flash Bitstream FPGA 2 Clone Problem: IP Theft 35. 36 FPGA 1 Flash Encrypted bitstream Industrys Solution 36. 37 FPGA 1 Flash Encrypted bitstream = ? Industrys Solution 37. 38 Related Work Bitstream encryption scheme of several Xilinx product lines broken Virtex 2 (3DES) Virtex 4 & 5 (AES256) Spartan 6 (AES256) Method: Side-Channel Analysis (SCA) 38. 39 What about Altera? Target: Stratix II Bitstream encryption (design security) uses AES w/ 128-bit key Side-Channel Analysis possible? Problem: Proprietary and undocumented mechanisms for key derivation and for encryption 39. 40 Reverse-Engineering Reverse-engineer proprietary mechanisms from Quartus II software IDA Pro (disassembler / debugger) 40. 41 KEY1 / KEY2 file for FPGA 41. 42 Key derivation real key = f(KEY1,KEY2) KEY1 / KEY2 file for FPGA 42. 43 Why this key derivation? Real key cannot be set directly Key derivation is performed once when programming the FPGA Idea: When real key is extracted, KEY1 and KEY2 cannot be found Prevent cloning: real key of blank FPGA cannot be set 43. 44 real key = AESKEY1(KEY2) Is f (KEY1,KEY2) good? 44. 45 Good idea? In principle: Yes But: AES (in this form) is not one-way: Pick any KEY1* KEY2* = AES-1 KEY1*(real key) This (KEY1*, KEY2*) leads to same real key 45. 46 real key = AESKEY1(KEY2) KEY1 / KEY2 file for FPGA 46. 47 real key = AESKEY1(KEY2) encreal key(...) KEY1 / KEY2 file for FPGA 47. 48 Encrypted block i = AES128real key(IVi) plain block i Encryption method: AES in Counter mode 48. 49 Reverse-Engineering: Summary All obscurity features reverse-engineered Further details: file format, coding, ... Black-box white box Side-channel analysis possible (target: 128-bit real key) 49. 50 Side-Channel Attack on Stratix II 50. 51 51. 52 Average trace: unencrypted vs. encrypted 52. 53 Average trace: unencrypted vs. encrypted 53. 55 With further experiments and signal processing ... 54. 56 ... we recovered the 128-bit AES key with 30,000 traces (~ 3 hours of measurement) Key Recovery 55. 57 ... and came up with a hypothetical architecture of the AES engine Architecture Recovery 56. 58 Management Summary Full 128-bit AES key of Stratix II can be extracted using 30,000 traces (3 hours) Key derivation does not prevent cloning Proprietary security mechanisms can be reverse-engineered from software Software reverse-engineering enables hardware attack 57. 59 Secure Bitstream Encryption? Virtex 2 Virtex 4 and 5 Spartan 6 Altera Stratix II and III Microsemi ProASIC3 (Skorobogatov et al.) 58. 60 By Eva K. 59. 61 60. 62 61. 63 RAID 2013 62. 64 63. 65 Case Studies Yubikey 2Altera Stratix II 64. 66 Two-Factor Authentication Past: One factor: Password/PIN Today: Two factors: Password/PIN and additionally 65. 67 Yubikey 2: Overview Simulates USB keyboard Generates and enters One-Time Password (OTP) on button press Based on AES w/ 128-bit key 66. 68 Yubikey OTP Generation (1) ... dhbgnhfhjcrl rgukndgttlehvhetuunugglkfetdegjd dhbgnhfhjcrl trjddibkbugfhnevdebrddvhhhlluhgh dhbgnhfhjcrl judbdifkcchgjkitgvgvvbinebdigdfd ... 67. 69 Yubikey OTP Generation (2) AES-128 Encryption Modhex Encoding ? 68. 70 Yubikey Hardware 69. 71 Measurement Setup Resistor in USB ground for power measurement EM measurement with near-field probe Connecting (capacitive) button to ground triggers the Yubikey 70. 72 Power vs. EM Measurements Trigger on falling edge (Yubikey's LED off) EM yields better signal AES rounds clearly visible 1 2 3 4 5 6 7 8 9 10 71. 73 Key Recovery (Power) Attacking final AES round Power model hi = HW(SBOX-1(Ci rk)) ~ 7000 traces needed ~ 10.5 hours for data acquisition Byte 1 Byte 2 Byte 8 Byte 9 72. 74 Key Recovery (EM) Attacking final AES round Power model hi = HW(SBOX-1(Ci rk)) ~ 700 traces needed ~ 1 hour for data acquisition Byte 1 Byte 2 Byte 8 Byte 9 73. 75 Implications 128-bit AES key of the Yubikey 2 can be recovered (700 EM measurements = 1 hour physical access) Attacker can compute OTPs w/o Yubikey Impersonate user: Username and password still needed Denial-of-Service: Send an OTP with highly increased useCtr Improved FW version 2.4 for Yubikey 2 74. Responsible Disclosure When pirates do good ... 75. 77 By RedAndr, Wikimedia Commons 76. 78 77. 79 Responsible Disclosure Altera: Informed ~ 6 months before Acknowledged our results Yubikey: Informed ~ 9 months before Improved firmware version 2.4 More examples ... 78. Countermeasures 79. 81 Countermeasures Implementation attacks: Practical threat, but: First line of defense: Classical countermeasures Secure hardware (certified devices) Algorithmic level Second line of defense: System level Detect: Shadow accounts, logging Minimize impact (where possible): Key diversification 80. 82 Different Scenarios, different threats Yubikey 2 Time per key: 1 h Diversified keys (?) Each token: One ID Attack does not scale FPGA Time per key: 3 h One key: All IP Attack one FPGA Attack scales 81. 83 82. Thanks for your attention Questions now? or later: david.oswald@rub.de http://fb.com/WorldBeatClubTanzenUndHelfen