read-proof hardware from protective coatings ches 2006 ... tuyls.pdf · read-proof hardware from...
TRANSCRIPT
Read-Proof Hardware from Protective Coatings
CHES 2006, Tokyo-YokohamaPim TuylsG.J. Schrijen, B. Skoric, J. van Geloven, N.Verhaegh, R. Wolters
Philips Research Eindhoven The [email protected]
Read-Proof Hardware from Coating PUFs
CHES 2006, Tokyo-YokohamaPim TuylsG.J. Schrijen, B. Skoric, J. van Geloven, N.Verhaegh, R. Wolters
Philips Research Eindhoven The [email protected]
3Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Contents
• Limitations of the Black-Box Model• Brief Overview of Physical Attacks• Security in a Physical World• Methods and Requirements• Components
– Coating PUFs– Fuzzy Extractors/Helper data
• Secure Key Storage Device
4Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Assumption:IC: Black-Box
↓Crypto guaranteesSecurity level
Security not guaranteedby cryptography
Secret Key: 001011101011
Mathematical AttacksProtocol Attacks
Physical Attacks
Micro ProbesFocused IonBeam
Limitations of the Black-Box ModelLimitations of the Black-Box Model
5Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Brief Overview Physical AttacksBrief Overview of Physical Attacks
• Invasive Attacks• Micro Probing• Focused Ion Beams• Chemical• Mechanical• Etching
• Side Channel Attacks• Timing Analysis
• Power Analysis
• Electromagnetic Radiation
• Fault Induction (light, X-ray, power glitch)
• Optical Inspection
6Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Security in a Physical World
1. Read-Proof Hardware:Enemy can not read the data stored in it
2. Tamper-Proof Hardware: Enemy can not change the data stored in it
3. Self Destruction Capability
Algorithmic Tamper Proof Security can be achieved [Gennaro et al]
Big Challenge: Develop theory and practical components for security in the presence of physical leakage: No Black-Boxes!
Components
Security in a Physical World
7Read-Proof Hardware from Protective Coatings; CHES 2006
Research
GoalPractical Methods
Focus: Read-Proof HardwareRead-Proof Hardware is hardware where the attacker can not read any information on the data stored in it
M EK(M) 0110M EK(M)
Practical Meaning?!
Security in a Physical World
Should be resistant against:• Invasive Physical Attacks• Side-Channel Attacks• Fault Attacks• Optical Inspection
8Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Invasive vs Non-Invasive AttacksInvasive Physical Attacks Non - Invasive Physical Attacks
DefinitionAn invasive physical attack is an attack where the attacker physically breaks into the device by modifying its structure
Examples:• Chemical etching• Drilling a hole• Focused Ion Beam attack
DefinitionAn non-invasive physical attack is an attack where the attacker physically breaks into the device without modifying its structure
Examples:• Optical inspection of the memory• Side-Channel attacks (Time, EMA, DPA, …)
Physical Attacks
9Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Methods and Requirements
In order to protect keys against physical attacks:
1. Do not store a key in digital form in a device
2. Generate the key only when needed(extract it from a physical source on the IC)
3. Delete the key
Methods and Requirements
10Read-Proof Hardware from Protective Coatings; CHES 2006
Research
ComponentsTwo components are needed:
1. Hardware component (Physics)
1. Physical Source
2. Cryptographic component
1. Fuzzy Extractor/Helper data algorithm
Methods and Requirements
11Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Hardware RequirementsSecurity Requirements:
1. Physical Inscrutability (opaqueness)2. Unclonability
1. Physical Unclonability2. Mathematical Unclonability
3. Tamper evident: key is destroyed upon damage
Practicality Requirements:
1. Easy to challenge the source2. Cheap and easy integratable on an IC3. Excellent mechanical and chemical properties
Methods and Requirements
12Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Components: Physical SourcePhysical Unclonable Function (PUF):
Inherently unclonable Physical Structure (consisting of many random/uncontrollable components) satisfying:
• Easy to evaluate: Challenges-Responses• Responses are unpredictable• Inherently tamper evident• Manufacturer not-reproducable• Extract keys from measurements
Components
13Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Coating PUF• An IC is covered with an opaque coating
containing random particles with high εr• Array of capacitive sensors in upper metal layer
detects local coating properties.• Inhomogeneous coating random capacitive
properties
• PUF is used as a source of secret random information which are derived from the local coating capacitances (secure key storage).
(Si) substrateinsulation
Al Al
coating
passivationM 1M 2
M 3
M 4M 5
tra n sis to rs
p a ss iva tion
C o a tin g -P U F
O n ch ip d e m o
Components
14Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Information Content of a Coating PUF (Response)
Coating PUF [JAP06]
Components
≈ 6.6 bits/sensor
1 2 3 4
5 6 7 89 10 11 12
13 14 15 1617 18 19 20
21 22 23 24
25 26 27 2829 30 31 32
15Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Capacitance values of 21 ICs
0 5 10 15 20 25 30-80
-60
-40
-20
0
20
40
60
s ensor num ber
(Cx-
C0-
<C
x-C
0>)/
(Cre
f-C
0)*f
ref
Sensor number
(Rel
ativ
e) C
apac
itanc
e
Components
(Cx-C0)/(Cref-C0)
16Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Fuzzy Extractor/Helper Data Algorithm
• Information present in the PUF has to be extracted
• Measurements (Challenges - Responses)
• Measurements on Physical Systems are noisy
• Noisy values can not be used as keys in cryptography
• A Fuzzy Extractor/Helper Data Algorithm is needed
Components
17Read-Proof Hardware from Protective Coatings; CHES 2006
Research
• Grid points represent ECC Code words
Enrollment
Key Reconstruction
• Random codeword C(S) is chosen
C
• Helper data W is generated (differencebetween X and C) and stored in EEPROM
• Key K is generated and its public key P(K) is output and the Key K is destroyed
W
• Response X is measured
X
• Y is noisy response
Y• S’=DEC(C’)• Y+W=C’
C’
W
Key Extraction from PUFs: Fuzzy Extractor
Assumption: Response X uniformly random
Components
Security Condition
• I(K;W) ≤ε
18Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Properties
• The parameter ε can be made negligible in the security parameter
• The maximal length of a secret key is given by
where I(X;Y) is the mutual information between
Enrollment: X Key Reconstruction: Y
I(X;Y)
19Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Practical Key extraction requirements
• Measured Data are continuous, not discrete!
• Uniformly Distributed Keys: All possible n-bit keys must be equally probable.
• Robustness: key extraction must be reproducible, regardless of measurement noise.
Secure Key Storage Device
20Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Statistics
1.5 1.6 1.7 1.8 1.9 2 2.1 2.2 2.3 2.4
x 10-13
0
2
4
6
8
10
12
14x 10
13
PD
F
x
Normal Gaussian distribution
inter-class
intra-classPD
F
Secure Key Storage Device
21Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Uniformly Distributed Keys
• Quantization with equiprobable intervals
1 . 5 1 . 6 1 . 7 1 . 8 1 . 9 2 2 . 1 2 . 2 2 . 3
x 1 0- 1 3
0
0 . 5
1
1 . 5
2
2 . 5
3x 1 0
1 3
0 1 2 3 4 5 6 7
Secure Key Storage Device
22Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Achieving Robustness (I)
• Define helper-data W* that shifts measurements to the center of a quantization interval.
1 . 5 1 . 6 1 . 7 1 . 8 1 . 9 2 2 . 1 2 . 2 2 . 3
x 1 0- 1 3
0
0 . 5
1
1 . 5
2
2 . 5
3x 1 0
1 3
0 1 2 3 4 5 6 7
W*
Secure Key Storage Device
23Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Achieving Robustness (II)
• Assign bits to quantization intervals according to a Gray-code.
1 . 5 1 . 6 1 . 7 1 . 8 1 . 9 2 2 . 1 2 . 2 2 . 3
x 1 0- 1 3
0
0 . 5
1
1 . 5
2
2 . 5
3x 1 0
1 3
000 001 011 010 110 111 101 100
W*
Secure Key Storage Device
24Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Achieving Robustness (III)
• Concatenate bits from multiple sensors to construct a key of length n.
• Use an Error Correcting Code (ECC) andthe XOR-Fuzzy Extractor:Enrollment: K, W=X⊕CK
Key Reconstruction: Dec(Y⊕W)=Dec(Y⊕X⊕CK)= CK iff d(X,Y)<T
Secure Key Storage Device
25Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Key Extraction, helperdata scheme
Enrollment Key Extraction
YXW K’RNG WK ENC C C’ DEC
YBXB
Cap.Meas.
DeriveW*
Binarization
W* Cap.Meas.
Correctwith W*
Binarization
W*
Memory
Secure Key Storage Device
26Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Store key temporarily in Volatile Memory
CryptoProcessorIC
RAMEEPROMHelper Data W
Al Al
coating
passivation
Measurement CircuitAD-conversion
Fuzzy Extractor
W
Capacitances:X
KeyKey
Secure Key Storage Device
27Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Delete key afterwards
CryptoProcessorIC
RAMEEPROMHelper Data W
Al Al
coating
passivation
Measurement CircuitAD-conversion
Key Extractor
WKey
Key
CryptoProcessorIC
RAMEEPROMHelper Data W
Al Al
coating
passivation
Measurement CircuitAD-conversion
Key Extractor
W
Secure Key Storage Device
28Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Attack Detection
0 5 10 15 20 25 30
-150
-100
-50
0
50
100
senso r num ber
Cap
acita
nce
B e fo re F IB
0 5 10 15 20 25 30
-150
-100
-50
0
50
100
senso r num ber
Ca
pa
cita
nce
A f te r F IBB e fo re F IB
sensor nr.
Cap
acita
nce
Focused Ion BeamAttack
Secure Key Storage Device
29Read-Proof Hardware from Protective Coatings; CHES 2006
Research
A026 Crater into M3
A005 Crater into M30 5 1 0 1 5 2 0 2 5 3 0 3 5
- 1 5
- 1 0
- 5
0
5
1 0
0 5 1 0 1 5 2 0 2 5 3 0 3 5- 2 0
- 1 5
- 1 0
- 5
0
5
1 0
Mod 18: M4=grid
Mod 14: M4=no metal
ss ee cc uu rr ii tt yy cc oo aa tt ii nn gg
p a s s i v a t i o n l a y e r s P t ( s i d e )
P t ( t o p )
s e n s o r
m e t a l p l a t e
A026 Crater into IMD40 5 1 0 1 5 2 0 2 5 3 0 3 5
- 5 0
0
5 0
1 0 0
1 5 0
2 0 0
2 5 0
3 0 0
Mod 10: M4=plate
Craters: 10 µm x10 µm
3.0-3.5 coating
3.0-3.5 coating
6.0-6.5 coating
Next: craters of 5x5 mu
Secure Key Storage Device
30Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Model of Key DamageUnattacked Device: Measurement Channel: X → Y Model BSC: Error Rate: α
Attacked Device: Measurement Channel: X → Z Model BSC: Error Rate: ε
Fuzzy Extractor corrects αn errors
αncK
<R>=εn
Nc= density of codewords x volume ball = 2n(h(ε)-h(α))
Secure Key Storage Device
31Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Key Damage: Experiments
α=1/30
ε=11/90
X (Enrollment)
Y (Reconstruction)
Z (After FIB)
Attack Complexity:
Nc=251 for 128 bit keys
Secure Key Storage Device
32Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Summary of Results
• Test ICs with 30 sensors per IC• Deriving 3 bits per sensor 90 bits per IC• Limit error correction: 4 of the 90 bits
– Depends on the coarseness of the quantisation
• Temperature compensation• No humidity influence
Secure Key Storage Device
33Read-Proof Hardware from Protective Coatings; CHES 2006
Research
Conclusions
• Developed Read-Proof Hardware (Invasive Attacks)• Coating PUF• Fuzzy Extractor
• Made a demonstrator• Attacks can be detected• Key Damage is shown
• Next Steps• Further investigate side-channel leakages• Investigate the impact of smaller holes