Patent Grant
10897344
The present disclosure is generally related to computer systems, and is more specifically related to cryptographic data processing systems and methods.
Systems and methods for safeguarding cryptographic keys and/or other sensitive data are constantly evolving, as are systems and methods for gaining unauthorized access to the protected data. These systems and methods range from brute force password cracking to complex external monitoring attacks.
The present disclosure is illustrated by way of examples, and not by way of limitation, and may be more fully understood with references to the following detailed description when considered in connection with the figures, in which:
Described herein are methods for performing cryptographic data processing operations in a manner resistant to external monitoring attacks.
“Cryptographic data processing operation” herein shall refer to a data processing operation involving secret parameters (e.g., encryption/decryption operations using secret keys). “Cryptographic data processing system” herein shall refer to a data processing system (e.g., a general purpose or specialized processor, a system-on-chip, or the like) configured or employed for performing cryptographic data processing operations.
“External monitoring attack” herein refers to a method of gaining unauthorized access to protected information by deriving one or more protected information items from certain aspects of the physical implementation of the target cryptographic data processing system. Side channel attacks are external monitoring attacks that are based on measuring values of one or more physical parameters associated with a target cryptographic data processing system, such as the elapsed time of certain data processing operations, the power consumption by certain circuits, the current flowing through certain circuits, heat or electromagnetic radiation emitted by certain circuits of the target cryptographic data processing system, etc.
Various side channel attacks may be designed to obtain unauthorized access to certain protected information (e.g., encryption keys that are utilized to transform the input plain text into a cipher text) being stored within and/or processed by a target cryptographic system. In an illustrative example, an attacker may exploit interactions of sequential data manipulation operations which are based on certain internal states of the target data processing system. The attacker may apply differential power analysis (DPA) methods to measure the power consumption by certain circuits of a target cryptographic data processing system responsive to varying one or more data inputs of sequential data manipulation operations, and thus determine one or more protected data items (e.g., encryption keys) which act as operands of the data manipulation operations.
The present disclosure provides methods of performing cryptographic data processing operations in a manner resistant to external monitoring attacks (e.g., side channel attacks). The methods involve breaking certain interactions of sequential data manipulation operations, as described in more details herein below. The systems and methods described herein may be implemented by hardware (e.g., general purpose and/or specialized processing devices, and/or other devices and associated circuitry), software (e.g., instructions executable by a processing device), or a combination thereof. Various aspects of the methods and systems are described herein by way of examples, rather than by way of limitation.
In various illustrative examples described herein below, cryptographic data processing systems may be configured or employed for implementing encryption and/or decryption methods based on the Advanced Encryption Standard (AES). However, the systems and methods described herein for performing cryptographic data processing operations in a manner resistant to external monitoring attacks may be applicable to various other cryptographic data processing systems and methods.
An example AES implementation may start by initializing the state with a 128-bit plain text. The data processing device may then perform the initial AES round by adding, using the exclusive OR (XOR) operation, the first round key to the state in order to determine the round 1 input state which can subsequently be operated upon by the first AES round 110A.
In an encryption operation, each of subsequent AES rounds 110N comprises four main operations to update the state: Substitute Bytes (independently operates on each of the 16 bytes of the state), shift rows (reorders the 16 bytes of the state), Mix Columns (independently operates on each of four 32-bit words of the state), and Add Round Key (adds, using XOR operation, the round key to the state). The last AES round 110Z comprises three of the above described operations, by omitting the Mix Columns operation. In a decryption operation (not shown in
Various AES implementations may differ by the cipher key size: 128 bits, 192 bits, or 256 bits. The number of AES rounds may be defined by the key size: for the key size of 128 bits, ten AES rounds may be performed; for the key size of 192 bits, twelve AES rounds may be performed; and for the key size of 256 bits, fourteen AES rounds may be performed.
In certain implementations, data processing devices may support an enhanced instruction set for AES cryptographic operations. Instructions of such an enhanced instruction set may be based on hardware and/or microcode implementation of some of the computationally intensive operations of the AES algorithm, thus significantly improving overall performance as compared to purely software AES implementations.
AESDEC instruction performs a single round of decryption, by performing the four inverse operations: Inverse Shift Rows, Inverse Substitute Bytes, Inverse Mix Columns, and Add Round Key.
AESDECLAST instruction performs the last round of decryption, by performing Inverse Shift Rows, Inverse Substitute Bytes, and Add Round Key operations.
AESENC instruction performs a single round of encryption, by performing the four basic operations of the AES algorithm: Shift Rows, Substitute Bytes, Mix Columns, and Add Round Key.
AESENCLAST instruction performs the last round of encryption, by performing Shift Rows, Substitute Bytes, and Add Round Key operations.
AESIMC instruction converts the encryption round keys to a form usable for decryption.
AESKEYGENASSIST instruction generates the round keys used for encryption.
PCLMULQDQ instruction performs carry-less multiplication of two values.
While
Implementing an enhanced instruction set for performing cryptographic data processing operations (e.g., AES-NI enhanced instruction set schematically illustrated by FIG. 2) may significantly improve the processing system performance with respect to cryptographic data processing operations, and may further improve security with respect to certain types of external monitoring attacks, e.g., timing-based side channel attacks, as each instruction of the enhanced instruction set is performed within a pre-determined number of processing cycles which is not dependent on the input or intermediate states. However, certain processing systems, including processing systems implementing an enhanced cryptographic instruction set, may be vulnerable to the differential power analysis (DPA) based side channel attacks.
In various illustrative examples, the current flowing through certain components of a target data processing system may vary in response to varying inputs of certain instructions being executed by the data processing system. In a simplistic example, executing an instruction that requires a bit transition from 0 to 1 or vice versa in an internal state of a data processing system may require more power than executing the same instruction on different operands and/or internal states such that the current value of the internal state does not need to be modified (i.e., no bit transition is required). In various implementations, an internal state of a data processing system may comprise one or more internal registers or other form of architecturally invisible memory, and may further comprise other factors contributing to current flows within the processing device, e.g., charges on internal buses and wiring or states of individual transistors.
The target data processing system may employ various internal states for storing some intermediate results in executing certain instructions. Hence, the attacker may employ DPA methods to observe the system response (e.g., the power consumption by certain components or circuits) to known varying inputs to certain instructions to derive protected operands of such instructions.
DPA herein refers to external monitoring methods involving measuring the data dependent power consumption by a target data processing system. A DPA test may comprise measuring the power consumption by certain circuits of the target data processing system responsive to varying data inputs, in order to exploit interactions of sequential data manipulation operations which are based on certain internal states of the target data processing system.
The above described and other DPA tests may be utilized to detect vulnerabilities, or “data leaks,” in various processing systems performing various sequences of cryptographic data processing operations.
Described herein below are example vulnerabilities and the corresponding methods for performing cryptographic data processing operations in a manner resistant to external monitoring attacks exploiting these and other vulnerabilities, in accordance with one or more aspects of the present disclosure. In addition to the specific example vulnerabilities described below, the systems and methods described herein may be employed for performing cryptographic data processing operations in a manner resistant to various other external monitoring attacks exploiting various vulnerabilities of target data processing systems.
In certain implementations, a data processing system may exhibit a data leak involving sequential cryptographic data manipulation instructions of an enhanced cryptographic instruction set, as schematically illustrated by
In accordance with one or more aspects of the present disclosure, cryptographic data processing operations may be performed in a manner resistant to external monitoring attacks exploiting the above described vulnerability of the data processing system, by breaking the interaction of the sequential cryptographic data processing instructions which are likely to exhibit the above described data leakage. In certain implementations, the data processing system may break the interaction of the sequential cryptographic data processing instructions by executing another data manipulation instruction, serially or concurrently with respect to the sequential data manipulation instructions, as schematically illustrated by
Referring to
In order to perform the cryptographic data processing instructions in a manner resistant to external monitoring attacks, the data processing system may break the interaction of the sequential cryptographic data processing instructions 610A-610B by executing a data manipulation instruction 630, serially or concurrently with respect to the sequential data manipulation instructions 610A-610B. In various illustrative examples, the data manipulation instruction 630 may utilize one or more input data items, and may result in an internal state 620X. In order to break the interaction of the sequential cryptographic data processing instructions 610 and 620, the data manipulation instruction 630 may be executed with the inputs represented by unpredictable (e.g., random) data, so that the resulting internal state 620X would be unpredictable by a potential attacker. Thus, the potential attacker may be effectively prevented from exploiting any data leakage associated with the internal state transitions: as external monitoring attacks exploiting vulnerabilities associated with internal system states involve measuring the system response to the varying input data, such an attack could not be implemented when the input data is unpredictable.
Thus, executing the data manipulation instruction 630, serially or concurrently with respect to the sequential data manipulation instructions 610A and 610B, may effectively break the undesirable interaction of the sequential cryptographic data processing instructions 610A and 610B and hence perform the instructions in a manner resistant to external monitoring attacks.
Referring to
At block 720, the processing device may execute a second data manipulation instruction of the enhanced cryptographic instruction set. The second data manipulation instruction may utilize one or more input data items, e.g., an AES round state modified by the first data manipulation instruction and an AES round key. The second data manipulation instruction may further interact with or utilize the internal state that was modified by the preceding data manipulation instruction, thus potentially creating a DPA-detectable data leakage, as described in more details herein above.
To break the DPA-detectable interaction of the first data manipulation instruction and the second data manipulation instruction, the processing device may, at block 730, execute a third data manipulation instruction utilizing an unpredictable input data item. As noted herein above, the third data manipulation instruction may be executed serially or concurrently with respect to the first and the second data manipulation instructions. Breaking the undesirable interaction of the sequential cryptographic data processing instructions allows the processing device to perform the instructions in a manner resistant to external monitoring attacks, as described in more details herein above.
In certain implementations, a data processing system may exhibit a data leak involving sequential data loads from a memory (e.g., from a processor cache), as schematically illustrated by
In certain implementations, executing each of the data load instructions 810A, 810C, and 810E, may result in the corresponding internal states 850A, 850C, and 850E. The data processing system may exhibit a DPA-detectable data leakage involving the state 850C corresponding to the data load instruction 810C loading the secret data and each of the states 850A and 850B corresponding to the data load instruction 810A-810B that may be employed to load known varying data: the observed power consumed by certain circuits of the data processing system when executing the data load instructions resulting in overwriting a state bit may exceed the observed power consumed by the data processing system when executing the same data load instructions resulting in preserving the existing value of the state bit. Thus, the data processing system may exhibit a DPA-detectable interaction between the data load instruction 810C and data load instructions 810A, 810E which are executed prior to or subsequent to the data load instruction 810C. If the data load instructions 810A and/or 810E load varying data that is known to a potential attacker, the attacker may exploit the interaction of the secret data being loaded by the data load instruction 810C and the variable input data being loaded by the data load instructions 810A and/or 810E.
In accordance with one or more aspects of the present disclosure, the sequence of data load instructions may be performed in a manner resistant to external monitoring attacks exploiting the above described vulnerability of the data processing system, by breaking the interaction of the sequential data load instructions which are likely to exhibit the above described data leakage. In an illustrative example, the data processing system may break the interaction of the sequential cryptographic data processing instructions by executing two data load instructions before and after the data load instruction that loads secret data, as schematically illustrated by
In order to perform the cryptographic data processing instructions in a manner resistant to external monitoring attacks, the data processing system may break the interaction of the sequential cryptographic data processing instructions by adding, to the sequence of instructions 800, two data load instruction 910A-910B. The data load instruction 910A may be executed one data load instruction before the data load instruction 810C that loads the secret data. The data load instruction 910B may be executed one data load instruction after the data load instruction 810C that loads the secret data, as schematically illustrated by
In order to break the interaction of the sequential cryptographic data processing instructions, the data load instructions 910A-910B may be executed with the inputs represented by constant and/or secret data, in order to prevent a potential attacker from exploiting any data leakage associated with the internal state transitions: as external monitoring attacks exploiting vulnerabilities associated with internal system states involve measuring the system response to the varying input data, such an attack could not be implemented when the input data is constant and/or secret.
Thus, executing data load instructions 910A-910B before and after the data load instruction 810C that loads the secret data, may effectively break the undesirable interaction of the sequential cryptographic data processing instructions and hence perform the instructions in a manner resistant to external monitoring attacks. In certain implementations, further efficiency may be possible by obtaining the data load instructions 910A-910B by rearranging, moving, or replacing instructions in the existing instruction sequence instead of introducing extra instructions.
Referring to
At block 1020 the processing device may execute, within the sequence of data load instructions, a first additional data load instruction to load a first secret or constant data item. “Additional instruction” herein may refer to an instruction inserted into the sequence of data load instructions by rearranging the application flow of instructions or by inserting a new instruction into the sequence of data load instructions. In an illustrative example, the first additional data load instruction may be executed one data load instruction before the data load instruction that loads the secret data, as described in more details herein above.
At block 1030 the processing device may execute, within the sequence of data load instructions, a second additional data load instruction to load a second secret or constant data item. In an illustrative example, the second additional data load instruction may be executed one data load instruction after the data load instruction that loads the secret data, as described in more details herein above.
By executing the two data load instructions that “bracket” the data load instruction that loads the secret data, the data processing system may effectively break the undesirable interaction of the sequential data load instructions, and hence perform the instructions in a manner resistant to external monitoring attacks.
The example computing system 1000 may include a processing device 1002, which in various illustrative examples may be a general purpose or specialized processor comprising one or more processing cores. The example computing system 1000 may further comprise a main memory 1004 (e.g., synchronous dynamic random access memory (DRAM), read-only memory (ROM)), a static memory 1006 (e.g., flash memory and a data storage device 1018), which may communicate with each other via a bus 1030.
The processing device 1002 may be configured to execute methods 700 and/or 1000 for performing cryptographic data processing operations in a manner resistant to external monitoring attacks, in accordance with one or more aspects of the present disclosure for performing the operations and steps described herein.
The example computing system 1000 may further include a network interface device 1008 which may communicate with a network 1020. The example computing system 1000 also may include a video display unit 1010 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1012 (e.g., a keyboard), a cursor control device 1014 (e.g., a mouse) and an acoustic signal generation device 1016 (e.g., a speaker). In one embodiment, the video display unit 1010, the alphanumeric input device 1012, and the cursor control device 1014 may be combined into a single component or device (e.g., an LCD touch screen).
The data storage device 1018 may include a computer-readable storage medium 1028 on which may be stored one or more sets of instructions (e.g., instructions of methods 700 and/or 1000 for performing cryptographic data processing operations in a manner resistant to external monitoring attacks, in accordance with one or more aspects of the present disclosure) implementing any one or more of the methods or functions described herein. Instructions implementing methods 700 and/or 1000 may also reside, completely or at least partially, within the main memory 1004 and/or within the processing device 1002 during execution thereof by the example computing system 1000, hence the main memory 1004 and the processing device 1002 may also constitute or comprise computer-readable media. The instructions may further be transmitted or received over the network 1020 via the network interface device 1008.
While the computer-readable storage medium 1028 is shown in an illustrative example to be a single medium, the term “computer-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database and/or associated caches and servers) that store the one or more sets of instructions. The term “computer-readable storage medium” shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by the machine and that cause the machine to perform the methods described herein. The term “computer-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.
Unless specifically stated otherwise, terms such as “updating”, “identifying”, “determining”, “sending”, “assigning”, or the like, refer to actions and processes performed or implemented by computing devices that manipulates and transforms data represented as physical (electronic) quantities within the computing device's registers and memories into other data similarly represented as physical quantities within the computing device memories or registers or other such information storage, transmission or display devices. Also, the terms “first,” “second,” “third,” “fourth,” etc. as used herein are meant as labels to distinguish among different elements and may not necessarily have an ordinal meaning according to their numerical designation.
Examples described herein also relate to an apparatus for performing the methods described herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general purpose computing device selectively programmed by a computer program stored in the computing device. Such a computer program may be stored in a computer-readable non-transitory storage medium.
The methods and illustrative examples described herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used in accordance with the teachings described herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear as set forth in the description above.
The above description is intended to be illustrative, and not restrictive. Although the present disclosure has been described with references to specific illustrative examples, it will be recognized that the present disclosure is not limited to the examples described. The scope of the disclosure should be determined with reference to the following claims, along with the full scope of equivalents to which the claims are entitled.
This application is a continuation of U.S. patent application Ser. No. 15/311,741 filed on Nov. 16, 2016, which is the U.S. national stage under 35 U.S.C. § 371 of International Application Number PCT/US2015/031203, filed May 15, 2015, which claims the benefit of U.S. Provisional Application No. 62/011,245, filed Jun. 12, 2014. The entire contents of the above-referenced applications are incorporated by reference herein.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4558176 | Arnold et al. | Dec 1985 | A |
| 5991708 | Levine et al. | Nov 1999 | A |
| 6419159 | Odinak | Jul 2002 | B1 |
| 7124170 | Sibert | Oct 2006 | B1 |
| 7168065 | Naccache et al. | Jan 2007 | B1 |
| 7191433 | Narad et al. | Mar 2007 | B2 |
| 9425959 | Pedersent | Aug 2016 | B1 |
| 9559844 | Nakano | Jan 2017 | B2 |
| 20010018736 | Hashimoto et al. | Aug 2001 | A1 |
| 20040025032 | Chow | Feb 2004 | A1 |
| 20040252831 | Uehara | Dec 2004 | A1 |
| 20040252842 | Henry et al. | Dec 2004 | A1 |
| 20060075312 | Fischer et al. | Apr 2006 | A1 |
| 20060236405 | Terauchi et al. | Oct 2006 | A1 |
| 20070180285 | Dembo | Aug 2007 | A1 |
| 20070180541 | Shu et al. | Aug 2007 | A1 |
| 20070204137 | Tran | Aug 2007 | A1 |
| 20070230694 | Rose et al. | Oct 2007 | A1 |
| 20080052499 | Koc | Feb 2008 | A1 |
| 20080063192 | Goubin | Mar 2008 | A1 |
| 20080126766 | Chheda | May 2008 | A1 |
| 20090100524 | Honda | Apr 2009 | A1 |
| 20090327572 | Cho et al. | Dec 2009 | A1 |
| 20110286596 | Gressel et al. | Nov 2011 | A1 |
| 20120159194 | Anderson | Jun 2012 | A1 |
| 20120246641 | Gehrmann | Sep 2012 | A1 |
| 20120250854 | Danger et al. | Oct 2012 | A1 |
| 20120307997 | Endo et al. | Dec 2012 | A1 |
| 20130073873 | Morioka | Mar 2013 | A1 |
| 20130322462 | Poulsen | Dec 2013 | A1 |
| 20130332744 | Zhuang | Dec 2013 | A1 |
| 20140143883 | Shen-Orr | May 2014 | A1 |
| 20150304102 | Nakano et al. | Oct 2015 | A1 |
| Number | Date | Country |
|---|---|---|
| 1819515 | Aug 2006 | CN |
| 101197660 | Jun 2008 | CN |
| 101213513 | Jul 2008 | CN |
| 101243450 | Aug 2008 | CN |
| 101739889 | Jun 2010 | CN |
| 101866401 | Oct 2010 | CN |
| 103067164 | Apr 2013 | CN |
| 103166752 | Jun 2013 | CN |
| 103324467 | Sep 2013 | CN |
| 103812642 | May 2014 | CN |
| 10 2011 088 502 | May 2013 | DE |
| 1 115 094 | Jul 2001 | EP |
| 1 772 811 | Apr 2007 | EP |
| 1 873 671 | Jan 2008 | EP |
| Entry |
|---|
| CN Office Action with dated Apr. 2, 2020 re: CN Appln. No. 201580024635.8. 8 Pages. (W/Translation). |
| TW Office Action with dated Apr. 16, 2020 re: TW Appln. No. 104112261. 5 pages. (With Translation). |
| Bayrak, Ali Galip et al., “A First Step Towards Automatic Application of Power Analysis Countermeasures”, DAC 2011, Jun. 5-10, 2011, pp. 230-235. 6 pages. |
| CN Office Action dated Dec. 5, 2018 re: CN Appln. No. 201580024635.8. 13 Pages. (With Translation). |
| CN Office Action dated Jul. 23, 2019 re: CN Appln. No. 201580024635.8. 11 Pages. (W/Translation). |
| ISR—Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority dated Aug. 21, 2015 re Intl. Appln. No. PCT/US2015/031203. 10 Pages. |
| Notification Concerning Transmittal of International Preliminary Report on Patentability dated Dec. 22, 2016 re: Int'l Appln. No. PCT/US15/031203. 8 Pages. |
| Tillich, Stefan et al., “Power Analysis Resistant AES Implementation with Instruction Set Extensions”, CHES 2007, vol. 4727, pp. 303-319, Sep. 10-13, 2007. 17 pages. |
| Tillich, Stefan et al., “Protecting AES Software Implementations on 32-bit Processors against Power Analysis”, ACNS 2007, vol. 4521, pp. 141-157, Jun. 5-8, 2007. 17 pages. |
| TW Office Action dated Oct. 4, 2019 re: TW Appln. No. 104112261. 4 Pages (With Translation). |
| TW Office Action dated Dec. 26, 2018 re: TW Appln. No. 104112261. 16 Pages. (With Translation). |
| Number | Date | Country | |
|---|---|---|---|
| 20200021426 A1 | Jan 2020 | US |
| Number | Date | Country | |
|---|---|---|---|
| 62011245 | Jun 2014 | US |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 15311741 | US | |
| Child | 16519330 | US |
