Lecture6 –Crypto Implementation on Embedded Platforms

Lecture10 – More on Physically Unclonable Functions (PUFs)
Rice ELEC 528/ COMP 538
Farinaz Koushanfar
Spring 2009
Outline
• Implementations on silicon
• Applications
– Cryptographic keys
– Authentication
– Details of RFID applications
• Issues with instability
Existing Approaches
Tamper-Proof Package: IBM 4758
– Sensors to detect attacks
– Expensive
– Continually battery-powered
Trusted Platform Module (TPM)
– A separate chip (TPM) for security functions
– Decrypted “secondary” keys can be read out from the bus
Problem
Storing digital information in a device in a way
that is resistant to physical attacks is difficult and
expensive.
[Figure labels: EEPROM/ROM, Probe, Processor]
• Adversaries can physically extract secret keys
from EEPROM while processor is off
• Trusted party must embed and test secret keys
in a secure location
• EEPROM adds additional complexity to
manufacturing
Our Solution:
Physical Random Functions (PUFs)
• Generate keys from a complex physical system
[Figure: the Challenge (c bits) configures the Physical System, which is hard to fully characterize or predict; characterizing it yields the Response (n bits). Use the response as a secret; many secrets can be generated by changing the challenge. Also labelled: Processor.]
• Security Advantage
– Keys are generated on demand → no non-volatile secrets
– No need to program the secret
– Can generate multiple master keys
• What can be hard to predict, but easy to measure?
PUF Experiments
• Fabricated 200 “identical” chips with PUFs in TSMC 0.18 µm on 5 different wafer runs
Security
– What is the probability
that a challenge
produces different
responses on two
different PUFs?
Reliability
– What is the probability
that a PUF output for a
challenge changes with
temperature?
– With voltage variation?
Inter-Chip Variation
• Apply random challenges and observe 100
response bits
Measurement noise for Chip X = 0.9 bits
Distance between Chip X and Y responses = 24.8 bits
Can identify individual ICs
[Figure: probability density functions of measurement noise and inter-chip variation; x-axis: Hamming distance (# of different bits, out of 100); y-axis: probability density function]
Environmental Variations
• What happens if we change voltage and
temperature?
Measurement noise at 125C (baseline at 20C) = 3.5 bits
Measurement noise with 10% voltage variation = 4 bits
Even with environmental variation, we can still distinguish two different PUFs
[Figure: probability density functions of measurement noise, inter-chip variation, voltage variation noise and temperature variation noise; x-axis: Hamming distance (# of different bits, out of 100); y-axis: probability density function]
Reliable PUFs
PUFs can be made more secure and reliable by
adding extra control logic
[Block diagram labels: Challenge (c), PUF, Response (n), BCH Encoding, Syndrome (n-k), For calibration, BCH Decoding, For re-generation, One-Way Hash Function, New Response (k)]
• Hash function (SHA-1, MD5) precludes PUF “model-building” attacks
since, to obtain PUF output, adversary has to invert a one-way
function
• Error Correcting Code (ECC) can eliminate the measurement noise
without compromising security
Ring-Oscillator (RO) PUF
• The structure relies on delay loops and counters
instead of MUX and arbiters
• Better results on FPGA – more stable
RO PUFs (cont’d)
• Easy to duplicate a ring oscillator and
make sure the oscillators are identical
– Much easier than ensuring the racing paths
with equal path segments
• How many bits can we generate from the
scheme in the previous page?
– There are N(N-1)/2 distinct pairs, but the
entropy is significantly smaller: log2(N!)
– E.g., 35 ROs can produce 133 bits, 128 can
produce 716, and 1024 can produce 8769
Reliability enhancement
• Environmental changes have a large impact on
the freq. (and even relative ones)
RO PUFs
• ROs whose frequencies are far are more stable than the
ones with closer f’s
• Possible advantage: do not use all pairs, but only the
stable ones
• It is easy to watch the distance in the counter and pick
the very different ones
• The new question is how many ring oscillators do we
need to accomplish having B stable bits?
• What are the other comparative advantages/
disadvantages compared to delay-based PUFs?
• Can we use this structure to generate many challenge-response pairs?
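The bit budget and the stable-pair idea from the RO PUF slides, as an added example that is not part of the original lecture. The counter values, the bounded read-out noise and the choice of neighbouring pairs (2i, 2i+1) are assumptions made for illustration.

```python
import math
import random

def ro_entropy_bits(n_ros):
    """log2(N!): the entropy available from the ordering of N ring oscillators."""
    return math.lgamma(n_ros + 1) / math.log(2)

def measure(true_counts, noise, rng):
    """One counter read-out per RO; error is bounded by +/- noise (constructed model)."""
    return [c + rng.uniform(-noise, noise) for c in true_counts]

def response(counts, pairs):
    """One bit per pair: which of the two oscillators counted higher."""
    return [int(counts[a] > counts[b]) for a, b in pairs]

def enroll(counts, threshold):
    """Keep disjoint pairs (2i, 2i+1) whose counter distance exceeds the threshold.
    The kept-pair list is public helper data; only the comparison bits are secret."""
    pairs = [(i, i + 1) for i in range(0, len(counts) - 1, 2)
             if abs(counts[i] - counts[i + 1]) > threshold]
    return pairs, response(counts, pairs)

def flipped_bits(true_counts, pairs, reference, noise, reads, rng):
    """Total bit flips against the enrolled reference over repeated noisy reads."""
    return sum(a != b
               for _ in range(reads)
               for a, b in zip(response(measure(true_counts, noise, rng), pairs),
                               reference))

def demo(n_ros=128, noise=2.0, threshold=10.0, reads=200, seed=1):
    # With threshold > 4 * noise, a pair kept at enrollment can never flip.
    rng = random.Random(seed)
    true_counts = [rng.gauss(1000.0, 20.0) for _ in range(n_ros)]  # constructed chip
    first_read = measure(true_counts, noise, rng)
    stable_pairs, stable_bits = enroll(first_read, threshold)
    all_pairs, all_bits = enroll(first_read, -1.0)   # threshold < 0 keeps every pair
    return {
        "stable_bits": len(stable_bits),
        "stable_flips": flipped_bits(true_counts, stable_pairs, stable_bits,
                                     noise, reads, rng),
        "all_bits": len(all_bits),
        "all_flips": flipped_bits(true_counts, all_pairs, all_bits,
                                  noise, reads, rng),
    }

if __name__ == "__main__":
    print([round(ro_entropy_bits(n)) for n in (35, 128, 1024)], demo())
```

The price of stability is visible in `stable_bits`: fewer usable bits per oscillator, which is the "how many ROs for B stable bits" question on the slide.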
Applications -- Authentication
• Challenges should never be reused, to prevent
man-in-the-middle attacks
• Is this practical?
Application – Cryptographic Key
Generation
• Instability is a problem
• Some crypto protocols (e.g., RSA) require specific
mathematical properties that random numbers generated
by PUFs do not have
• How can we use PUFs to generate crypto keys?
– Error correction process: initialization and regeneration
– There should be a one-way function that can generate the key
from the PUF output
Crypto Key Generation
• Initialization: a PUF output is generated and error
correcting code (e.g., BCH) computes the syndrome
(public info)
• Regeneration: PUF uses the syndrome from the initial
phase to correct changes in the output
• Clearly, the syndrome reveals information about the
circuit output and introduces vulnerabilities
Vulnerabilities Caused by ECC
• Given a b-bit syndrome, the attackers can
learn at most b-bits about the PUF output
• Thus, to have k secret bits after error
correction, we generate n=k+b bits at PUF
• How much area / power overhead do we
get for the RO implementation?
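The initialization and regeneration phases described above, with the leakage accounting n = k + b made concrete, as an added example that is not from the lecture. It swaps in a Hamming(7,4) code for BCH (so it corrects one flipped bit per 7-bit block) and SHA-256 for the one-way function; the 28-bit response is constructed.

```python
import hashlib
from itertools import product

BLOCK = 7  # Hamming(7,4) per block: n = 7 PUF bits, b = 3 public, k = 4 secret

def syndrome(block):
    """3-bit syndrome: XOR of the 1-based positions of the set bits."""
    s = 0
    for pos, bit in enumerate(block, start=1):
        if bit:
            s ^= pos
    return s

def blocks(bits):
    return [bits[i:i + BLOCK] for i in range(0, len(bits), BLOCK)]

def derive_key(bits):
    """One-way function from the corrected PUF output to the key."""
    return hashlib.sha256(bytes(bits)).hexdigest()

def initialize(response):
    """Initialization: publish one syndrome per block and derive the key."""
    return [syndrome(b) for b in blocks(response)], derive_key(response)

def regenerate(noisy, helper):
    """Regeneration: correct up to one flipped bit per block, re-derive the key."""
    fixed = []
    for blk, stored in zip(blocks(noisy), helper):
        blk = list(blk)
        diff = syndrome(blk) ^ stored   # syndrome of the error pattern alone
        if diff:
            blk[diff - 1] ^= 1          # a single error sits at position diff
        fixed.extend(blk)
    return derive_key(fixed)

def consistent_outputs(stored):
    """Number of 7-bit PUF outputs an attacker cannot rule out given the syndrome."""
    return sum(syndrome(b) == stored for b in product((0, 1), repeat=BLOCK))

def flip(bits, *positions):
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]

# Constructed 28-bit PUF response (4 blocks), not measured data.
RESPONSE = [1,0,1,1,0,0,1, 0,1,1,0,1,0,0, 1,1,0,0,1,0,1, 0,0,0,1,1,1,0]
HELPER, KEY = initialize(RESPONSE)
```

Each published 3-bit syndrome narrows a block from 128 candidates to 16, so 4 of the 7 bits stay secret; two errors in one block exceed the code's strength and regenerate a different key.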
Experiments with RO PUFs
• Experiments done on 15 Xilinx Virtex4 LX25
FPGAs (90nm)
• They placed 1024 ROs in each FPGA as a 16-by-64 array
• Each RO consisted of 5 INVs and 1 AND,
implemented using look-up tables
• The goal is to know if the PUF outputs are
unique (for security) and reproducible (for
reliability and security)
Reliability and Security Metrics
The Probability Distribution for
Inter-chip Variations
• 128 bits are produced from each PUF
• x-axis: number of PUF o/p bits different b/w two FPGAs;
y-axis: probability
• Purple bars show the results from 105 pair-wise
comparisons
• Blue lines show a binomial distribution with fitted
parameters (n=128, p =0.4615)
• Average intra-chip variations 0.4615 ~ 0.5
The Probability Distribution for
Intra-chip Variations
• PUF o/p are generated at two different conditions and
compared
• Changing the temperature from 20C to 120C and the
core voltage from 1.2 to 1.08 altered the PUF o/p by ~0.6
bits (0.48%)
• Intra-chip variation is much lower than inter-chip – the
PUF o/p did not change for small to moderate
environmental changes
False Positive (FP) and Negative
(FN) Experiments
• If we allow up to 10 bits out of 128 to be different, FP
rate ~2.1×10^-21, and FN rate is less than 5×10^-11
• Assumption: inter-chip and intra-chip follow binomial
distributions
• The same experiments could be used to compute the
reliability of PUF-based crypto keys
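The FP and FN figures above follow from the binomial assumption and the parameters on the preceding slides (n = 128, p = 0.4615 inter-chip, 0.48% intra-chip). The following added example, not part of the lecture, recomputes them and sweeps the acceptance threshold; `balanced_threshold` is a hypothetical helper name.

```python
from math import comb

def pmf(n, k, p):
    """P[exactly k of n response bits differ] for per-bit flip probability p."""
    return comb(n, k) * p**k * (1 - p)**(n - k)

def false_positive(n, t, p_inter):
    """A different chip is accepted: it differs from the reference in <= t bits."""
    return sum(pmf(n, k, p_inter) for k in range(t + 1))

def false_negative(n, t, p_intra):
    """The genuine chip is rejected: its re-measured output differs in > t bits.
    The tail is summed directly; 1 - CDF loses precision once the tail
    falls below about 1e-16."""
    return sum(pmf(n, k, p_intra) for k in range(t + 1, n + 1))

def sweep(n, p_inter, p_intra):
    """(threshold, FP, FN) for every possible threshold."""
    return [(t, false_positive(n, t, p_inter), false_negative(n, t, p_intra))
            for t in range(n)]

def balanced_threshold(n, p_inter, p_intra):
    """Threshold whose worse error rate (FP or FN) is smallest."""
    return min(sweep(n, p_inter, p_intra), key=lambda row: max(row[1], row[2]))[0]

N_BITS = 128
P_INTER = 0.4615   # fitted inter-chip parameter from the slides
P_INTRA = 0.0048   # 0.48% intra-chip variation from the slides

if __name__ == "__main__":
    print(false_positive(N_BITS, 10, P_INTER), false_negative(N_BITS, 10, P_INTRA))
    print(balanced_threshold(N_BITS, P_INTER, P_INTRA))
```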
Physically Unclonable Function–
Based Security and Privacy
in RFID Systems
Leonid Bolotnyy and Gabriel Robins
Dept. of Computer Science
University of Virginia
www.cs.virginia.edu/robins
Contribution and Motivation
Contribution
• Privacy-preserving tag identification algorithm
• Secure MAC algorithms
• Comparison of PUF with digital hash functions
Motivation
• Digital crypto implementations require 1000’s of gates
• Low-cost alternatives
– Pseudonyms / one-time pads
– Low complexity / power hash function designs
– Hardware-based solutions
PUF-Based Security
• Physical Unclonable Function (PUF) [Gassend et al 2002]
• PUF Security is based on
– wire delays
– gate delays
– quantum mechanical fluctuations
• PUF characteristics
– uniqueness
– reliability
– unpredictability
• PUF Assumptions
– Infeasible to accurately model PUF
– Pair-wise PUF output-collision probability is constant
– Physical tampering will modify PUF
Privacy in RFID
• Privacy
[Figure labels: A, B, C; “Alice was here: A, B, C”; privacy]
Private Identification Algorithm
[Figure labels: Database, Request, ID, p(ID)]
Database contents:
ID_1, p(ID_1), p^2(ID_1), …, p^k(ID_1)
...
ID_n, p_n(ID_n), p_n^2(ID_n), …, p_n^k(ID_n)
• It is important to have
– a reliable PUF
– no loops in PUF chains
– no identical PUF outputs
• Assumptions
– no denial of service attacks (e.g., passive adversaries, DoS
detection/prevention mechanisms)
– physical compromise of tags not possible
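A sketch of the identification round described above, as an added example that is not the authors' code. The PUF p() is modelled by a keyed hash, which is an assumption standing in for the physical function under the random-oracle model; tag names, IDs and secrets are constructed.

```python
import hashlib
import hmac

ID_BYTES = 8

class Tag:
    """RFID tag whose PUF p() is modelled by a keyed hash (random-oracle stand-in)."""
    def __init__(self, initial_id, physical_secret):
        self.id = initial_id
        self._phys = physical_secret   # stands for the chip's uncopyable delays

    def puf(self, x):
        return hmac.new(self._phys, x, hashlib.sha256).digest()[:ID_BYTES]

    def respond(self):
        """Answer a reader request with the current ID, then step ID <- p(ID)."""
        current, self.id = self.id, self.puf(self.id)
        return current

def enroll(db, name, tag, k):
    """Before deployment, store ID, p(ID), ..., p^k(ID) in the back-end database."""
    chain, x = [], tag.id
    for _ in range(k + 1):
        if x in db or x in chain:
            raise ValueError("loop in PUF chain or identical PUF output")
        chain.append(x)
        x = tag.puf(x)
    db.update({value: (name, pos) for pos, value in enumerate(chain)})

def identify(db, observed_id):
    """Reader side: (tag name, chain position), or None if the ID is unknown."""
    return db.get(observed_id)

def demo(k=5):
    db = {}
    alice = Tag(b"tagA-id0", b"constructed-chip-A")   # constructed values
    bob = Tag(b"tagB-id0", b"constructed-chip-B")
    enroll(db, "alice", alice, k)
    enroll(db, "bob", bob, k)
    # k + 1 identifiable responses, then one past the end of the stored chain.
    seen = [alice.respond() for _ in range(k + 2)]
    return [identify(db, s) for s in seen], identify(db, bob.respond()), len(set(seen))

if __name__ == "__main__":
    print(demo())
```

Because the lookup is by value, a tag that was queried by another reader in between is still identified as long as its position is within the stored chain; once the chain is used up the tag can no longer be identified, which is why the slide assumes no denial-of-service attacks.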
Improving Reliability of Responses
• Run PUF multiple times for same ID & pick majority
$$R(\mu, N, k) \ge \left(1 - \sum_{m=\frac{N+1}{2}}^{N} \binom{N}{m} \mu^{m} (1-\mu)^{N-m}\right)^{k}$$
(N: number of runs; μ: unreliability probability; k: chain length; R: overall reliability)
R(0.02, 5, 100) ≥ 0.992
• Create tuples of multi-PUF computed IDs &
identify a tag based on at least one valid position value
(ID1, ID2, ID3)
$$S(\mu, q) = \sum_{i=1}^{\infty} i \left[ \left(1 - (1-\mu)^{i+1}\right)^{q} - \left(1 - (1-\mu)^{i}\right)^{q} \right]$$
(q: tuple size; S: expected number of identifications)
S(0.02, 1) = 49, S(0.02, 2) = 73, S(0.02, 3) = 90
Privacy Model
Experiment:
1. A passive adversary observes polynomially-many rounds of reader-tag communications with multiple tags
2. An adversary selects 2 tags
3. The reader randomly and privately selects one of the 2 tags and runs one identification round with the selected tag
4. An adversary determines the tag that the reader selected
Definition: The algorithm is privacy-preserving if an adversary cannot
determine the reader-selected tag with probability substantially greater than ½
Theorem: Given random oracle assumption for PUFs,
an adversary has no advantage in the above experiment.
PUF-Based MAC Algorithms
• MAC = (K, τ, υ)
• valid signature σ : υ_K(M, σ) = 1
• forged signature σ’ : υ_K(M’, σ’) = 1, M ≠ M’
• MAC based on PUF
– Motivation: “yoking-proofs”, signing sensor data
– large keys (PUF is the key)
– cannot support arbitrary messages
• Assumptions
– adversary can adaptively learn poly-many (m, σ) pairs
– signature verifiers are off-line
– tag can store a counter (to protect against replay attacks)
Large Message Space
Assumption: tag can generate good random numbers
(can be PUF-based)
Key: PUF
σ(m) = c, r_1, ..., r_n, p_c(r_1, m), ..., p_c(r_n, m)
Signature verification
• requires tag’s presence
• password-based or in radio-protected environment (Faraday Cage)
• learn p_c(r_i, m), 1 ≤ i ≤ n
• verify that the desired fraction of PUF computations is correct
To protect against hardware tampering
• authenticate tag before MAC verification
• store verification password underneath PUF
Choosing # of PUF Computations
[Plot: probv(n, 0.1n, 0.02) and probf(n, 0.1n, 0.4)]
$$prob_v(n, t, \mu) = 1 - \sum_{i=t+1}^{n} \binom{n}{i} \mu^{i} (1-\mu)^{n-i}$$
$$prob_f(n, t, \tau) = 1 - \sum_{j=t+1}^{n} \binom{n}{j} \tau^{j} (1-\tau)^{n-j}$$
α < probv ≤ 1 and probf ≤ β ≤ 1
0 ≤ t ≤ n-1
Theorem
Given random oracle assumption for a PUF,
the probability that an adversary could forge a
signature for a message is bounded from above
by the tag impersonation probability.
Small Message Space
Assumption: small and known a priori message space
Key[p, m_i, c] = c, p_c^(1)(m_i), ..., p_c^(n)(m_i)
(p: PUF; m_i: message; c: counter)
PUF reliability is again crucial
σ(m) = c, p_c^(1)(m), ..., p_c^(n)(m),
...,
c+q-1, p_{c+q-1}^(1)(m), p_{c+q-1}^(n)(m)
[Label on one group of the signature: sub-signature]
Verify that the desired number of sub-signatures are valid
Theorem
Given random oracle assumption for a PUF, the
probability that an adversary could forge a signature
for a message is bounded by the tag impersonation
probability times the number of sub-signatures.
Attacks on MAC Protocols
• Impersonation attacks
– manufacture an identical tag
– obtain (steal) existing PUFs
• Modeling attacks
– build a PUF model to predict PUF’s outputs
• Side-channel attacks
– algorithm timing
– power consumption
• Hardware-tampering attacks
– physically probe wires to learn the PUF
– physically read-off/alter keys/passwords
[Figure labels: original, clone]
Comparison of PUF With Digital
Hash Functions
algorithm    # of gates
MD4          7350
MD5          8400
SHA-256      10868
AES          3400
Yuksel       1701
PUF          545
• Reference PUF: 545 gates for 64-bit input
– 6 to 8 gates for each input bit
– 33 gates to measure the delay
• Low gate count of PUF has a cost
– probabilistic outputs
– difficult to characterize analytically
– non-unique computation
– extra back-end storage
• Different attack target for adversaries
– model building rather than key discovery
• Physical security
– hard to break tag and remain undetected
PUF Design
• Attacks on PUF
– impersonation
– modeling
– hardware tampering
– side-channel
• Weaknesses of existing PUF
reliability
• New PUF design
– no oscillating circuit
– sub-threshold voltage
• Compare different non-linear delay approaches
Conclusions and Future Work
• PUF: hardware primitive for RFID security
• Identification and MAC algorithms based on PUF
• PUFs protect tags from physical attacks
• PUF is the key
• Develop theoretical framework for PUF
• Design new sub-threshold voltage based PUF
• Manufacture and test PUFs
– varying environmental conditions
– motion, acceleration, vibration, temperature, noise
• Design new PUF-based security protocols
– ownership transfer
– recovery from privacy compromise
– PUFs on RFID readers
[Slide annotation bracketing items above: in progress]
Thank You
Questions ?
Leonid Bolotnyy
Dept. of Computer Science
University of Virginia
PUF-Based Ownership Transfer
• Ownership Transfer
• To maintain privacy we need
– ownership privacy
– forward privacy
• Physical security is especially important
• Solutions
– public key cryptography (expensive)
– knowledge of owners sequence
– trusted authority
– short period of privacy
Using PUF to Detect and Restore
Privacy of Compromised System
[Figure: secrets s_{i,j} arranged in three levels: s1,0 to s1,2; s2,0 to s2,5; s3,0 to s3,10]
1. Detect potential tag compromise
2. Update secrets of affected tags