evaluating memory protection of smartcards and similar devices€¦ · direct measurements of...
TRANSCRIPT
Evaluating memory protection of smartcards and similar devicesWolfgang Killmann, T-Systems GEI GmbH
Motivation of the talk
Confidentiality of stored data is a core security feature but memory may be physically read.
Combination and binding of data encryption, address scrambling and key protection is crucial.
Memory encryption should be seen as security architectural feature.
Evaluators shall analyse and assess the effectiveness of memory encryption if physical protection is not sufficiently strong.
Conclusions for developers, evaluators, certifier, system designer and costumer.
Protection of stored dataLayer of data encryption
User data(application specific)
Application layer
Operating system layer
Hardware layer
User dataTSF data
Cryptographic keyof operating system
Memory data(SW, user data,TSF data)
Cryptographic keyof memory encryption
Cryptographic keyof application
used to protect
confidentiality depends on
used to encrypt and to check integrity
confidentiality depends on
used to encrypt
confidentiality depends on
Secret sharingPhysical protection
Protection of stored dataVulnerabilities
CPUUser data, TSF data
logical addressMMU
Dedicated and embedded software ROM
E²PROM/Flash
RAM
Source of pictures: Ch. Tarnowski: Security Failure In Secure Devices, Black Hat Europe, 2008-03-27 Ch. Tarnovski, C. Nohl: Reviving smart card analysis , Black Hat Conference, 2011-08-03 C. De Nardial at al.: Direct Measurements of Charge in Floating Gate Transistor Channels of Flash Memories Using Scanning Capacitance Microscopy, Proceedings of the 32nd International
Symposium for Testing and Failure Analysis November 12-16, 2006, Renaissance Austin Hotel, Austin, Texas, USA
Memory encryptionDefinition
Memory encryption = cryptographic protection of confidentiality (and integrity) of stored or internally
transferred data provided by the security IC comprises data encryption, address encryption, key management
Bus encryption may additionally protect internally transferred data.
Memory encryptionPeculiarities of memory encryption
Cryptanalytic attacks on ciphertexts, keys and cryptographic module are parts of more complex attacks aiming on plaintexts of user data
Limited resources for the cryptographic module and the time of cryptographic operations (“no” limitation for keys or key components!) → lightweight cryptographic algorithms
no need for interoperability because of internal use only→ (sufficiently analysed?) proprietary algorithms
Memory encryptionPrinciple
CPU
EncryptedMemory
DataEncryption
(enc & dec)
AddressEncryption
(enc only)
plaintext ciphertext
map. log. address physical address
Key storage Ciphertext only attack
Known plaintext attackChosen text attack
Known plaintext attackChosen text attack
Physicalattacks
Physicalattacks
Physicalattacks
Physicalattacks
Physicalattacks
Physicalattacks
Physicalattacks
MMU
transposition
Memory encryptionData encryption an address scrambling
plaintext
ciphertext
substitution Dataencryption
Addressencryption
…
Physicallayout of memory
SP network•
• more expensive but difficult to predict
affine mapping•
• >2 plaintext-ciphertext-pairs break easily
Memory encryptionExamples of address encryption
XOR
1 plaintext-ciphertext-pair breaks very easily
phys logicaddr addr key= ⊕ 1phys logic 2keyaddr A addr key= ⋅ ⊕ ( )phys logic ,addr Enc addr key=
Memory encryptionKey management
Goal increase effort of physical attacks for
compromising the keys
Cryptographic methods split 1 key into n key components
(e.g. by xoring n key components) Cryptanalytic methods
all n key components must be known
Physical protection remains crucial!→ separate keys and cipher text→ store key components in EEPROM
keyPicture: Wikipedia, PeterJohnBishop
Evaluation of memory encryptionSecurity objective, SFR, security architecture
Informative part of PP/ST and security objectives primary goal: protection of user data and providing security services secondary goal: protection of TSF data, stored and executed software
Security functional requirements (SFR) no SFR requiring directly confidentiality protection of stored data FPT_PHP requires physical protection of the other SFR
Security architecture non-bypassability: defence against physical reading of memory self-protection: protecting TSF and data against tampering of memory secure initialization: transition from power-off state (encrypted memory) into
power-on state (transparent encryption)
Vulnerability assessment Memory encryption as part of memory protection
Memory encryption is part of the more complex memory protection vulnerability analysis shall cover the full attack path cryptanalysis must consider the concrete preconditions of the attack
amount of known ciphertexts information about plaintexts, keys or key components or their parts conditions for active attacks (e.g. chosen plaintext attack)
Cryptanalytic assessment of memory encryption necessary if the other security measure are not sufficient to counter the attacks defines conditions for cryptanalytic attacks aiming at
plaintexts or memory encryption keys (intermediate step of the complex attack!)
Vulnerability analysis Cryptanalysis with standard methods
Standard cryptanalytic methods information gathering without key recovery brute force key guessing solving key equations (algebraic attacks)
Adaption of standard cryptanalytic attacks more effective, limited amount of data, … proprietary cryptographic algorithms
meet-in-the-middle for iterated cipher rounds Linear cryptanalysis Differential cryptanalysis
classical, trunked, impossible, …
key1
key2
key3
key n
Example substitution-permutation network
Vulnerability analysis Assessment of cryptographic attacks (Factors I)
Factors for attack potential calculation more detailed definition for the factors “knowledge of the TOE”, “expertise”,
“equipment” and open sample for “elapsed time” and “access to TOE” cf. CCDB-2009-03-001 no changes for the points (they address the whole attack!)
Knowledge of the TOE public: algorithm if made public by developer or attacker (cf. DEGATE project) restricted or sensitive: proprietary algorithm as protected by developer critical: long term keys like substitution boxes, group keys
Expertise layman: application of public known attacks with public available tools proficient: adaption of public known attacks to specific algorithms expert: development of specific attacks
Vulnerability analysis Assessment of cryptographic attacks (Factors II)
Equipment none: applicable only if calculation can be performed by hand (e.g. xor) standard: public available software for PC (including GPU and cluster support) specialised: non-public available tools e.g. for proprietary algorithm bespoke: special devices with special software (non-standard key cruncher)
Open samples Open samples should not provide access to memory encryption If open samples provide access to memory encryption
the developer shall describe functions related to memory encryption available at external interfaces,
e.g. key management, export of plaintext-ciphertext pairs, ... operational memory encryption keys they contain, e.g. long term keys
Vulnerability assessmentConclusion
Vulnerability assessment of memory protection may include analysis and assessment of memory encryption if the other security measure alone are not sufficient to counter the attack.
Vulnerability analysis of memory encryption by evaluators assesses the cryptanalytic attack effort as part of a complex attack but neither requires nor claims being an comprehensive cryptanalysis
The certification body shall review the vulnerability assessment of memory protection including vulnerability analysis of memory encryption as its part confirmation of the resistance against attacks on memory protection cannot be
seen as general confirmation of cryptographic strength of their memory encryption
Summary of the talk
Developer should pay more attention to memory encryption. They may use proprietary algorithms if sufficiently analysed.
Evaluators shall analyse and access the effectiveness of memory protection. This should include cryptanalytic assessment of memory encryption if physical protection is not strong enough to counter the attack.
Certifier shall support realistic vulnerability assessment by agreed guidance.
System designer should reduce the value of successful attack on memory.
Thank you for your attention!Any question?
Wolfgang KillmannT-Systems GEI GmbH
Vorgebirgsstr. 49D-53119 Bonn