![Page 1: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/1.jpg)
Schaumont, IWLS 2005, 6/8/05
Challenges for the Logic Design of
Secure Embedded SystemsPatrick Schaumont, UCLA
Embedded Security Group (EMSEC) @ UCLA
![Page 2: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/2.jpg)
2Schaumont, IWLS 2005, 6/8/05
Acknowledgements
• ThumbPod2 Design Team:• Kris Tiri, David Hwang, Alireza Hodjat, Bo-Cheng Lai,
Shenglin Yang, Patrick Schaumont, Ingrid Verbauwhede
• Research Support:• NSF CCR 0310527, CCR 0098361• UC Micro• SRC 2003-HJ-1116• SUN• Panasonic• Atmel
![Page 3: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/3.jpg)
3Schaumont, IWLS 2005, 6/8/05
Secure Embedded Systems
Biometrics
Access Control
IdentificationAuthentication
RFID
ElectronicTicketing
Tagging
Keys InventorySecure embedded systems face specific risks. They are1. more accessible2. more resource-constrained
Smart CardVehicle ID
Driver License
ElectronicPurse Health Care
e-Passport
![Page 4: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/4.jpg)
4Schaumont, IWLS 2005, 6/8/05
Protecting the weakest link
1 proton torpedo in vent
[http://www.obh.snafu.de/~madley/starwars/]
![Page 5: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/5.jpg)
5Schaumont, IWLS 2005, 6/8/05
On a smaller scale: The X- Box case
DifferentialHyperTransport Bus
To FPGA Board
Sniffer board
Southbridge(with secret boot rom)
Northbridge(with CPU)
[by A. Huang, http://hackingthexbox.com/]
![Page 6: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/6.jpg)
6Schaumont, IWLS 2005, 6/8/05
DPA Attack on ThumbPod
WDDL plain
Under DPA attack,key disclosurein 3 minutes
No full keydisclosure under
similar attack
Current ProbeThumbPod Chip(with 128-bit AESencryption unit)
![Page 7: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/7.jpg)
7Schaumont, IWLS 2005, 6/8/05
Overview
• The ThumbPod• Embedded Biometrics Authentication
• Side-channel attacks on embedded systems• Systematic Design Methods for Security
• System Design Methods• Logic Design Methods
• Design Challenges for Secure Embedded Systems
![Page 8: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/8.jpg)
8Schaumont, IWLS 2005, 6/8/05
The ThumbPod Project
bank
ThumbPod
fingerprint sensorembeddedelectronics
authenticatedcommunications
![Page 9: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/9.jpg)
9Schaumont, IWLS 2005, 6/8/05
ThumbPod Operation
1. Enrollment
2. Normal Use
minutiaextraction
(x, y, angle)
template(~30 minutia)
rand
User matchesstored template ?
send rand
reply token'E
template
token= ?
![Page 10: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/10.jpg)
10Schaumont, IWLS 2005, 6/8/05
Securing Thumbpod
Protocol Man-in-the-middle,Traffic analysis
Known-plaintext,Known-cryptext
Stack smashing
Bus probing
DifferentialPower Analysis
Side-channelattack
Authenticatedcommunications
Algorithm
Architecture
Micro-Architecture
Circuit
Encryption/hashing
Functional integration(SW)
Architecture integration(HW)
Implementation
SecurityObjective
SecurityAbstraction Level
![Page 11: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/11.jpg)
11Schaumont, IWLS 2005, 6/8/05
Systematic Design Methods
• System Level• Partition for security: protect Root of Trust
–Root of Trust = A component that must behave as expected, because misbehavior cannot be detected (Trusted Computing Group)
–Root of Trust = The part of the design that can hurt you ! (D. Gollmann)
• Example to discuss - Secure biometrics in TP2• Logic Level
• How to create protection at the lowest abstraction level ?
• Example to discuss - Protection of digital logic against Differential-Power Analysis
![Page 12: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/12.jpg)
12Schaumont, IWLS 2005, 6/8/05
Partitioning the ThumbPod
MinutiaeExtraction
MatchingAlgorithm
Template
LoadBogus
LoadMaster
MasterKey
Accept Reject
Session Key Sk
rand
Crypto
Server(considered secure)
(insecure) ThumbPod-2 Client
keyplain
payloadcrypt
Crypto
Crypto
MasterKey
plain
Cryptopayload
Root-of-Trust
![Page 13: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/13.jpg)
13Schaumont, IWLS 2005, 6/8/05
Partitioning the ThumbPod
MinutiaeExtraction
Template
LoadBogus
LoadMaster
MasterKey
Accept Reject
Session Key Sk
rand
Crypto
Server
ThumbPod-2 Client
keyplain
payloadcrypt
Crypto
Crypto
MasterKey
plain
Cryptopayload
MatchingAlgorithm
Architecture-LevelSecure Partition
![Page 14: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/14.jpg)
14Schaumont, IWLS 2005, 6/8/05
ThumbPod- 2 Client Microarchitecture
AMBALEON-2
ProcessorIn
Port
OutPort
ChipCommandInterface
Crypto Module
Oracle
Secure Circuit StyleBr
idge
RAM/FLASH Template
Master Key
to server
UAR
T
to sensor
UAR
T
MatchingAlgorithm
![Page 15: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/15.jpg)
15Schaumont, IWLS 2005, 6/8/05
Untrusted Software
Secure Circuit Style
Secure matching of Minutiae
for each input minutia pair I:for each template minutia pair T:
if (I ~ T) matching_count++;
if (matching_count > N) then match = true;else match = false;
oknot ok
Input Template(secure)
![Page 16: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/16.jpg)
16Schaumont, IWLS 2005, 6/8/05
HW/SW Partitions for secure matching
secure_initialize( );
for each input minutia pair I:for each template pair T
secure_compare( I );
if (secure_match( ))then match = true;else match = false;
secure_initialize( ) {matching_count = 0;
}secure_compare( I ) {
if (I == T)matching_count++;
}secure_match( ) {
if (matching_count > N) then return true;else return false;
}
oraclemain
extract I
Template
C
hardwareoracle
softwaredriver
secure_initialize( )secure_compare( )secure_match( )
secureinstruction
set
Template
![Page 17: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/17.jpg)
17Schaumont, IWLS 2005, 6/8/05
System- level Security Partitioning
ServerClient
root-of-trust
Protocol/Algorithm-levelvalidation
Noncriticalsoftware
Matching &Crypto
SW
Architecture-levelvalidation
Architecture-levelattacks
Matching &Crypto
HW
Softwaredriver
Microarchitecture-levelvalidation
Microarchitecture-levelattacks
DPA-resistantHW
Circuit-levelattacks
How to protect circuits from side-channels ?
![Page 18: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/18.jpg)
18Schaumont, IWLS 2005, 6/8/05
IBM 4758 Secure Coprocessor
backupbatteries
shield withtamper-sensors
![Page 19: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/19.jpg)
19Schaumont, IWLS 2005, 6/8/05
Differential Power Analysis Attacks
KEYDIN
XORSUB SHIFTROW
MIXCOLUMN
DOUT(8 bits)RB RC
C11 C11
Round 11+1
AES
KEY
DIN DOUT
Vcc
Vdd
Icc(t)
• Use DOUT and measured Icc(t) to find KEY• Attack by correlating measurement and estimate
KEYDIN
XORSUB SHIFTROW
MIXCOLUMN
DOUT(8 bits)RB RC
D11 C11
K11
Round 11(1/16 datapath)
Predict transition RBD11 to C11
![Page 20: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/20.jpg)
20Schaumont, IWLS 2005, 6/8/05
Example Power Measurement
Start Encryption
11 clock cycles
Store Peak Valueof last cycle
Start Signal
Current ProbeOutput
![Page 21: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/21.jpg)
21Schaumont, IWLS 2005, 6/8/05
Differential Analysis Phase
• Standard-cell AES is attacked in 3 minutes• 2128 problem converted into 16 * 28 problem
• Attack strength increases with number of measurements• Measurement timing requires a priori knowledge on
• crypto algorithm: cipher operation mode• crypto architecture: operation mapping & scheduling
Measurement
12345N
P1P2P3P4P5...
ActualP
Est.P KEY=Ki
E1E2E3E4E5...
Σ Pi EiN
CKi
=
![Page 22: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/22.jpg)
22Schaumont, IWLS 2005, 6/8/05
Fighting DPA with constant- power circuits
Vcc
Vdd Vdd
Vcc
Vdd Vdd
The problem:Dynamic power consumption is asymmetrical and dependent on data
• Consume the same current for all input patterns• Differential Logic:
• Use dual rail logic implementation• Makes '0' the same as '1' (hamming-weight independent)
• Dynamic Logic:• Use pre-charge phase and evaluate phase• Makes '0->0' the same as '0->1', '1->1', '1->0'
(hamming-distance independent)
The solution:
![Page 23: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/23.jpg)
23Schaumont, IWLS 2005, 6/8/05
Wave Dynamic Differential Logic
WDDL AND
clk
WDDL INPUT
clkpre-charge
evaluate
A
A
B
B
Q
Q
B=0 B=1
A
A
B
B
Q
Q
pre preeval eval
A=1 A=1
Always a single output transition
![Page 24: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/24.jpg)
24Schaumont, IWLS 2005, 6/8/05
WDDL Library of 128 cells
WDDL AND
WDDL OR
clk
WDDL register
OAI221X1
AOI221X1 INVX2
INVX2
WDDL AOI221X2
![Page 25: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/25.jpg)
25Schaumont, IWLS 2005, 6/8/05
Matching interconnect capacitanceWDDL AND
A
A
B
B
WDDL OR
Outputcapacitance
Wiringcapacitance
Inputcapacitance
Totalcapacitance
(Cell design) (Cell design)Routing
Parallel tracksfor constants
mutual C Equal via's,segment lengths, ..
for constant R
Identicalcrosstalk cap
Mismatch causes2nd order effects !
![Page 26: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/26.jpg)
26Schaumont, IWLS 2005, 6/8/05
Differential Routing Technique• Gridless routers do no scale well to complex netlists• Gridded routers avoid parallel routing• Enhanced gridded router with 'fat-wire' transformation
technique produces accurate matching
![Page 27: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/27.jpg)
27Schaumont, IWLS 2005, 6/8/05
ThumbPod- 2 Secure Coprocessor
AMBALEON-2
ProcessorIn
Port
OutPort
Brid
ge
RAM/FLASH
to server
UAR
T
to sensor
UAR
T
WDDLoracle + AES
+ templatedirect
![Page 28: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/28.jpg)
28Schaumont, IWLS 2005, 6/8/05
DPA on ThumbPod- 2
AMBALEON-2
ProcessorIn
Port
OutPort
Brid
ge
RAM/FLASH
to server
UAR
T
to sensor
UAR
TMeasurements to
disclosure
min 320 21,185mean 2,133 255,391max 8,168 1,276,186
directWDDL
(11 key bytes from 16are disclosed)
![Page 29: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/29.jpg)
29Schaumont, IWLS 2005, 6/8/05
DPA on ThumbPod- 2
AMBALEON-2
ProcessorIn
Port
OutPort
Brid
ge
RAM/FLASH
to server
UAR
T
to sensor
UAR
T
CostArea 3X
Power 4X
2 sq.mm200 Kgate
6 sq.mm600 Kgate
![Page 30: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/30.jpg)
30Schaumont, IWLS 2005, 6/8/05
Challenges for secure system design
• System level:• Trusted computing aims to support protected capabilities,
integrity measurement, integrity reporting. http://www.trustedcomputinggroup.org
• 'Trusted computing' covers only the general case, application-specific solutions are still needed
• Tool support (for Thumbpod-type of designs)– Make security and trust 'measurable' as a quality of
individual bits & operations on these bits (modeling issue)– Partition algorithms in secure/non-secure parts: measure
information spread in the algorithm– Transform secure part to minimize complexity– Validate & verify security protocol and protocol faults
![Page 31: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/31.jpg)
31Schaumont, IWLS 2005, 6/8/05
Challenges for secure system design• Logic level:
• Two approaches to make DPA hard:– Make measurements harder (random power variations etc):
risky .. better to remove a side channel instead of obfuscating it
– Make estimates harder: has algorithmic impact• Key issue in WDDL is to maintain symmetry.
– Other technologies (e.g. FPGA) ? Other concepts (RAM) ?• Masking requires glitch-free implementation and is expensive:
how to solve this ? (Mangard et al, RSA 2004)
• Tools:
– Accurate estimation (Power, Cap)WDDL is 'perfect' according to tools,but imperfect in real life ...
Corollary: Measurement is the best estimation
a
bq
qb
qa
![Page 32: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/32.jpg)
32Schaumont, IWLS 2005, 6/8/05
Challenges for secure system design• Circuit level:
• Reduce area/power overhead of secure implementation• Differential routing techniques for DPA resistance• Uniqueness (cfr Physically Unclonable Functions, PUF)
for key-pair generation, tagging applications• Additional notes
• Embedded Security is a big opportunity for hardware and logic • Hardware offers qualities that software has lost (viruses etc)
– Besides performance, offers assured and constant-time behavior– Recent attack on hyper-threaded processors clarifies the issue for
software• But for Big Time Secure Hardware
– need modeling & design support for the complete security pyramid(protocol, algorithm, ..., circuit)
– need to recognize the weakest link principle: look at the complete system and at multiple abstraction levels
![Page 33: Challenges for the Logic Design of Secure Embedded Systems](https://reader033.vdocuments.site/reader033/viewer/2022061101/629be53ea614610f655d8804/html5/thumbnails/33.jpg)
33Schaumont, IWLS 2005, 6/8/05
References• ThumbPod Project
• http://www.emsec.ee.ucla.edu/thumbpod• Security Partitioning
• D. Hwang, I. Verbauwhede, "Design of Portable Biometric Authenticators—Energy, Performance, and Security Tradeoffs", IEEE Trans. Consumer Electronics, November 2004.
• Embedded Security & Codesign• P. Schaumont, I. Verbauwhede, "Domain specific codesign for
embedded security," IEEE Computer, April 2003.• WDDL
• K. Tiri and I. Verbauwhede, "A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation," DATE 2004.
• Measurement is the best estimation• K. Tiri and I. Verbauwhede, "Simulation Models for Side-Channel
Information Leaks", DAC 2005 (Session 14.2)