  • Publication
    Spatial Context Tree Weighting for Physical Unclonable Functions
    (2020)
    Pehl, M.; Tretschok, T.; Becker, D.; Immler, V.
    Physical Unclonable Functions (PUFs) are hardware primitives for, e.g., secure storage of cryptographic keys. Unpredictability of their output is essential for their security and, thus, it is important to evaluate this property, which is often done by assessing the PUF's entropy. However, existing entropy estimation methods do not consider spatial information and provide no corresponding information to the designer. Therefore, we study how spatial effects in PUF structures can be considered when estimating entropy by means of an improved Context Tree Weighting (CTW) algorithm. Our Spatial CTW is practically implemented and tested on various real-world data sets, including binary and higher order alphabet PUFs. The obtained experimental results clearly support the necessity of taking spatial effects into account to not overestimate a PUF's entropy.
  • Publication
    Secure Physical Enclosures from Covers with Tamper-Resistance
    (2019)
    Immler, V.; Obermaier, J.; Ng, K.K.; Ke, F.X.; Lee, J.; Lim, Y.P.; Oh, W.K.; Wee, K.H.; Sigl, G.
    Ensuring physical security of multiple-chip embedded systems on a PCB is challenging, since the attacker can control the device in a hostile environment. To detect physical intruders as part of a layered approach to security, it is common to create a physical security boundary that is difficult to penetrate or remove, e.g., enclosures created from tamper-respondent envelopes or covers. Their physical integrity is usually checked by active sensing, i.e., a battery-backed circuit continuously monitors the enclosure. However, adoption is often hampered by the disadvantages of a battery and due to specialized equipment which is required to create the enclosure. In contrast, we present a batteryless tamper-resistant cover made from standard flexPCB technology, i.e., a commercially widespread, scalable, and proven technology. The cover comprises a fine mesh of electrodes and an evaluation unit underneath the cover checks their integrity by detecting short and open circuits. Additionally, it measures the capacitances between the electrodes of the mesh. Once its preliminary integrity is confirmed, a cryptographic key is derived from the capacitive measurements representing a PUF, to decrypt and authenticate sensitive data of the enclosed system. We demonstrate the feasibility of our concept, provide details on the layout, electrical properties of the cover, and explain the underlying security architecture. Practical results including statistics over a set of 115 flexPCB covers, physical attacks, and environmental testing support our design rationale. Hence, our work opens up a new direction of counteracting physical tampering without the need of batteries, while aiming at a physical security level comparable to FIPS 140-2 level 3.
  • Publication
    New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions
    (2019)
    Immler, V.; Uppund, K.
    Several publications presented tamper-evident Physical Unclonable Functions (PUFs) for secure storage of cryptographic keys and tamper-detection. Unfortunately, previously published PUF-based key derivation schemes do not sufficiently take into account the specifics of the underlying application, i.e., an attacker that tampers with the physical parameters of the PUF outside of an idealized noise error model. This is a notable extension of existing schemes for PUF key derivation, as they are typically concerned about helper data leakage, i.e., by how much the PUF's entropy is diminished when gaining access to its helper data. To address the specifics of tamper-evident PUFs, we formalize the aspect of tamper-sensitivity, thereby providing a new tool to rate by how much an attacker is allowed to tamper with the PUF. This complements existing criteria such as effective number of secret bits for entropy and failure rate for reliability. As a result, it provides a fair comparison among different schemes and independent of the PUF implementation, as its unit is based on the noise standard deviation of the underlying PUF measurement. To overcome the limitations of previous schemes, we then propose an Error-Correcting Code (ECC) based on the Lee metric, i.e., a distance metric well-suited to describe the distance between q-ary symbols as output from an equidistant quantization, i.e., a higher-order alphabet PUF. This novel approach is required, as the underlying symbols' bits are not i.i.d. which hinders applying previous state-of-the-art approaches. We present the concept for our scheme and demonstrate its feasibility based on an empirical PUF distribution. The benefits of our approach are an increase by over 21% in effective secret bit compared to previous approaches based on equidistant quantization. At the same time, we improve tamper-sensitivity compared to an equiprobable quantization while ensuring similar reliability and entropy. Hence, this work opens up a new direction of how to interpret the PUF output and details a practically relevant scheme outperforming all previous constructions.
  • Publication
    Variable-Length Bit Mapping and Error-Correcting Codes for Higher-Order Alphabet PUFs
    (2019)
    Immler, V.; Hiller, M.; Liu, Q.; Lenz, A.; Wachter-Zeh, A.
    Device-specific physical characteristics provide the foundation for physical unclonable functions (PUFs), a hardware primitive for secure storage of cryptographic keys. Thus far, they have been implemented by either directly evaluating a binary output or by mapping symbols from a higher-order alphabet to a fixed-length bit sequence. However, when combined with equidistant quantization, this causes significant bias in the derived secret which is a security issue. To overcome this limitation, we propose a variable-length bit mapping that reflects the properties of a Gray code in a different metric, namely the Levenshtein metric instead of the classical Hamming metric. Subsequent error correction is therefore based on a custom insertion/deletion error-correcting code (ECC). This new approach effectively counteracts the bias in the derived key already at the input side of the ECC. We present the concept for our scheme and demonstrate its feasibility based on an empirical PUF distribution. As a result, we increase the effective output bit length of the secret by over 40% compared to state-of-the-art approaches. In addition to that, we investigate different segmentation approaches which is important due to the variable length of the considered values. Practical implementation results demonstrate that the proposed scheme requires only a fraction of the execution time compared to Bose-Chaudhuri-Hocquenghem (BCH) codes. This opens up a new direction of ECCs for PUFs that output responses with symbols of a higher-order alphabet.
  • Publication
    Side-Channel Analysis of the TERO PUF
    (2019)
    Tebelmann, L.; Pehl, M.; Immler, V.
    Physical Unclonable Functions (PUFs) have the potential to provide a higher level of security for key storage than traditional Non-Volatile Memory (NVM). However, the susceptibility of the PUF primitives to non-invasive Side-Channel Analysis (SCA) is largely unexplored. While resistance to SCA was indicated for the Transient Effect Ring Oscillator (TERO) PUF, it was not backed by an actual assessment. To investigate the physical security of the TERO PUF, we first discuss and study the conceptual behavior of the PUF primitive to identify possible weaknesses. We support our claims by conducting an EM-analysis of a TERO design on an FPGA. When measuring TERO cells with an oscilloscope in the time domain, a Short Time Fourier Transform (STFT) based approach allows to extract the relevant information in the frequency domain. By applying this method we significantly reduce the entropy of the PUF. Our analysis shows the vulnerability of not only the originally suggested TERO PUF implementation but also the impact on TERO designs in general. We discuss enhancements of the design that potentially prevent the TERO PUF from exposing the secret and point out that regarding security the TERO PUF is similar to the more area-efficient Ring Oscillator PUF.
  • Publication
    The Past, Present, and Future of Physical Security Enclosures: From Battery-Backed Monitoring to PUF-Based Inherent Security and Beyond
    (2018)
    Obermaier, J.; Immler, V.
    Withstanding physical attacks in a hostile environment is of utmost importance for nowadays electronics. However, due to the long and costly development of integrated circuits (ICs), IC-level countermeasures are typically only included in varying degree and not in every chip of a device. Therefore, multiple-chip modules requiring higher levels of security are additionally protected against tampering by a physical security enclosure, e.g., by an envelope that completely encloses the device. For decades, these physical boundaries on a device-level were monitored using battery-backed mechanisms to enable detection of an attempted physical intrusion even if the underlying system is powered off. However, the battery affects the system's robustness, weight, prevents extended storage, and also leads to difficulties with the security mechanism while shipping the device. In this position paper, we present our assessment of various battery-backed tamper-respondent solutions and argue that while offering the intriguing benefit of instantaneous detection and response, the low-power nature of battery-backup contradicts a tamper-sensitive measurement, among other problems. We are therefore of the opinion that more effort should be spent towards enclosures that are based on tamper-evident physical unclonable functions (PUFs), as they are designated to provide a high level of security on the one hand and do not require a battery on the other hand. To further substantiate our argument, we summarize the work in this domain to also facilitate future research.
  • Publication
    Dividing the threshold: Multi-probe localized EM analysis on threshold implementations
    (2018)
    Specht, R.; Immler, V.; Unterstein, F.; Heyszl, J.; Sigl, G.
    Cryptographic implementations typically need to be secured to retain their secrets in the presence of attacks. As a countermeasure to prevent side-channel attacks, threshold implementations are a commonly encountered concept. They resemble a multi-party computation, where the value is split in independent shares and processed separately. In this work, we challenge the underlying security assumption that observing these individually processed values is difficult. We observe leakage by spatially separating the shares on an FPGA using multiple electro-magnetic (EM) probes simultaneously for localized EM analysis. We experimentally verify that the security gain is 238 times less with this method when compared to the power side-channel. In total, we only need 4,300 traces to break a second-order secure implementation. Moreover, such a reduction in protection level is only possible when using multiple probes and applying our attack strategy which is based on state-of-the-art template attacks. This attack can easily be carried out by any attacker at the expense of buying more probes which emphasizes the danger of such attacks.
  • Publication
    A measurement system for capacitive PUF-based security enclosures
    (2018)
    Obermaier, J.; Immler, V.; Hiller, M.; Sigl, G.
    Battery-backed security enclosures that are permanently monitored for penetration and tampering are common solutions for providing physical integrity to multi-chip embedded systems. This paper presents a well-tailored measurement system for a batteryless PUF-based capacitive enclosure. The key is derived from the PUF and encrypts the underlying system. We present a system concept for combined enclosure integrity verification and PUF evaluation. The system performs differential capacitive measurements inside the enclosure by applying stimulus signals with a 180° phase shift that isolate the local variation in the femtofarad range. The analog circuitry and corresponding digital signal processing chain perform precise PUF digitization, using a microcontroller-based digital lock-in amplifier. The system's measurement range is approximately ±73 fF, the conversion time per PUF node is less than 0.6 ms, and the raw data shows a measurement noise of 0.3 fF. This is the base for a high-entropy key generation while enabling a short system startup time. The system is scalable to the enclosure size and has been experimentally verified to extract information from 128 PUF nodes, using a system prototype. The results show that our concept forms a cornerstone of a novel batteryless PUF-based security enclosure.
  • Publication
    B-TREPID: Batteryless tamper-resistant envelope with a PUF and integrity detection
    (2018)
    Immler, V.; Obermaier, J.; König, M.; Hiller, M.; Sigl, G.
    Protecting embedded devices against physical attacks is a challenging task since the attacker has control of the device in a hostile environment. To address this issue, current countermeasures typically use a battery-backed tamper-respondent envelope that encloses the entire device to create a trusted compartment. However, the battery affects the system's robustness and weight, and also leads to difficulties with the security mechanism while shipping the device. In contrast, we present a batteryless tamper-resistant envelope, which contains a fine mesh of electrodes, and its complementary security concept. An evaluation unit checks the integrity of the sensor mesh by detecting short and open circuits. Additionally, it measures the capacitances of the mesh. Once its preliminary integrity is confirmed, a cryptographic key is derived from the capacitive measurements that represent a PUF, to decrypt and authenticate the firmware of the enclosed host system. We demonstrate the feasibility of our concept, provide details on the layout and electrical properties of the batteryless envelope, and explain the underlying security architecture. Practical results from a set of manufactured envelopes facilitate future research.
  • Publication
    Your rails cannot hide from localized EM
    (2018)
    Immler, V.; Specht, R.; Unterstein, F.
    Protecting cryptographic implementations against side-channel attacks is a must to prevent leakage of processed secrets. As a cell-level countermeasure, so-called DPA-resistant logic styles have been proposed to prevent a data-dependent power consumption. As most of the DPA-resistant logic is based on dual rails, properly implementing them is a challenging task on FPGAs which is due to their fixed architecture and missing freedom in the design tools. While previous works show a significant security gain when using such logic on FPGAs, we demonstrate this only holds for power analysis. In contrast, our attack using high-resolution electromagnetic analysis is able to exploit local characteristics of the placement and routing such that only a marginal security gain remains, therefore creating a severe threat. To further analyze the properties of both attack and implementation, we develop a custom placer to improve the default placement of the analyzed AES S-box. Different cost functions for the placement are tested and evaluated w.r.t. the resulting side-channel resistance on a Spartan-6 FPGA. As a result, we are able to more than double the resistance of the design compared to cases not benefiting from the custom placement.