Horst Görtz Institute for IT-Security

Transcription

1 Horst Görtz Institute for IT-Security On the Vulnerability of FPGA Bitstream Encryption against Power Analysis Attacks Extracting Keys from Xilinx Virtex-II FPGAs Amir Moradi, Alessandro Barenghi, Timo Kasper, Christof Paar Chicago, USA, 18 October 2011

2 Outline Background FPGA architecture and deployment settings Anti-counterfeiting bitstream encryption Side-channel attacks Opening the black box Bitstream structure analysis Power line analysis Decryption phase identification and sampling Relevant signal insulation (filtering) Differential power analysis 2

3 FPGAs : Reconfigurable Hardware Widely used in routers consumer products pay-tv But: Copying the configuration files makes counterfeiting easy! 3

4 Solution: Bitstream Encryption FPGA Design Secret Keys Proprietary Algorithms IP Cores Oscar:? = PCB board FPGA SRAM DEC Power-up Bitstream ENC Bitstream E2PROM Internet Satellite Firmware Update 4

5 How Secure is it?... back in the Virtex II Pro days, we issued a challenge, and more than 7 universities and research groups accepted the challenge. We provided a 2vp7 [Ed.: Virtex2 Pro VP7] pcb with usb port, and pins for access to power, that had the key battery installed (300 ma lithium coin cell), and the part was programmed with a 3DES encrypted bitstream. All 7 challengers gave up. Their basic conclusion was all the things they thought would work, differential power attack, spoofing by power glitches, attack with freeze spray, etc. FAILED. Principal engineer, Xilinx, on comp.arch.fpga, 3/5/2008 5

6 Bitstream Structural Analysis There are several documents by Xilinx on bistream structure but still some parts related to encryption stay unclear Analysis and comparison of plain and encrypted bitstream revealed that : The selection of the decryption key from the storage is readable Initialization Value of the CBC mode embedded in bitstream The decryption engine is enabled by a bitstream command Plain Encrypted 6

7 Side-Channel Attacks Existence of side-channels for crypto devices known for several decades, (e.g., Tempest ) Few concrete results / poor understanding prior to 1996 (at least outside intelligence community) 2 nd half of 1990s: golden years of SCA RSA CRT attack, 1996 Timing attacks, 1996 SPA, DPA, 1998 Since 1999: 100 s of SCA research papers, e.g. in CHES But: so far very few documented real-world attacks # of the broken commercial devices are increasing KeeLoq, DESFire, and now bitstream encryption of Xilinx FPGAs 7

8 Side-Channel Attacks Side-channel attacks aim at finding out an intermediate value of a computation (e.g. a cipher key) observing environmental parameters Differential power analysis target the power consumption of a circuit as the observed parameter A typical DPA workflow proceeds to: Collect traces for known inputs and/or output Select a small portion of the computation related to the key Guessing a key part use a model to estimate the power consumption Correlate all the estimations with the collected traces The correct key guess will report non-negligible correlation The attack is repeated until the whole key is recovered 8

9 Measurement Setup PCB board VCC-IO VCC-AUX VCC-INT Differential Probe x10 Amp Digital Oscilloscope Trigger signal 3DES Bitstream JTAG Clock JTAG Programmer Desktop PC 9

10 Our Measurement Setup 10

11 Our Measurement Setup 11

12 Our Measurement Setup 12

13 Decryption Timing Find the when the decryption takes place Must occur after at least a whole ciphertext block (64 bit) is in Should take place in less than 64 bits being sent in to match on-the-fly decryption Compare the power consumptions of encrypted and unencrypted bitstreams to reveal the time position The JTAG clock is driven by us We can freeze the programming process 13

14 Power Traces? Ciphertext i-1 Ciphertext i Decryption (Ciphertext i-1 ) 14

15 Decryption Phase Two clock cycles after a ciphertext block is in, the decryption is performed Unencrypted bitstream Encrypted bitstream 15

16 Insulating the encryption engine Encryption engine far smaller than the whole FPGA circuit The device embeds a CPU (PowerPC403) in the fabric As the PPC is not used to perform the decryption, its power consumption is irrelevant for the analysis Since the PPC is clocked at 300MHz by an internal clock source, bandblock filtering the power traces removes its contribution 16

17 Zoomed Traces/Filtering Raw Filtered Raw Timewise variance of 10k encryptions Filtered 17

18 Power consumption/architecture hypotheses To successfully perform the attack, hypotheses on the decryption engine architecture must be made Switching activity of buffers storing intermediate values are good candidates for a power model DES cipher state buffer switching activity was modeled during a cipher round Switching activity conditioned by 6 bits of the key at a time was predicted (64 key hypotheses) Consumption model: switching activity of the round buffer 18

19 Assumed Internal Architecture Round based implementation of DES Separate stage for initial and final permutation One round per crypto-engine clock cycle Internal 64 bit buffer stores cipher state 19

20 Architecture Hypothesis Validation Need to validate the architecture hypothesis before the attack Correlating to HW of Ciphertexts and output of each DES Correlating to HD of consecutive round outputs 20

21 Final Attack Results Attack on 6 bits of the 1 st DES the key (round 1) The key is recoverable with ~ decryption power measures (less than a single bitstream decryption for almost all V2Pro devices) The attack is still possible with lowpass filtered and decimated traces up to 100MSa/s A single attack to recover 6 bits of a DES key takes a couple of seconds on a common desktop Complete 3DES key recovered in 2-3 minutes of computation 21

22 Final Attack Results Successful Side Channel attack estimating a very small part of the active digital logic Correlation power analysis is scale invariant, as long as there are correlated variations No explicit SCA countermeasures present, sheer size of the platform thought to be enough Proper filtering of the obtained signal removes non-relevant consumption Mainly security through obscurity Methodic reverse engineering leads to figuring out the structure 22

23 Questions?