  • Publication
    Security and trust in open source security tokens (2021)
    Schink, M.; Wagner, A.; Unterstein, F.; Heyszl, J.
    Using passwords for authentication has been proven vulnerable in countless security incidents. Hardware security tokens effectively prevent most password-related security issues and improve security indisputably. However, we would like to highlight that there are new threats from attackers with physical access which need to be discussed. Supply chain adversaries may manipulate devices on a large scale and install backdoors before they even reach end users. In evil maid scenarios, specific devices may even be attacked while already in use. Hence, we thoroughly investigate the security and trustworthiness of seven commercially available open source security tokens, including devices from the two market leaders: SoloKeys and Nitrokey. Unfortunately, we identify and practically verify significant vulnerabilities in all seven examined tokens. Some of them are based on severe, previously undiscovered, vulnerabilities of two major microcontrollers which are used at a large scale in various products. Our findings clearly emphasize the significant threat from supply chain and evil maid scenarios since the attacks are practical and only require moderate attacker efforts. Fortunately, we are able to describe software-based countermeasures as effective improvements to retrofit the examined devices. To improve the security and trustworthiness of future security tokens, we also derive important general design recommendations.
  • Publication
    SCA secure and updatable crypto engines for FPGA SoC bitstream decryption: extended version (2021)
    Unterstein, F.; Jacob, N.; Hanley, N.; Gu, C.; Heyszl, J.
    FPGA system on chips (SoCs) are ideal computing platforms for edge devices in applications which require high performance through hardware acceleration and updatability due to long operation in the field. A secure update of hardware functionality can in general be achieved by using built-in cryptographic engines and provided secret key storage. However, reported examples have shown that such cryptographic engines may become insecure against side-channel attacks at any later point in time. This leaves already deployed systems vulnerable without any clear mitigation options. To solve this, we propose a comprehensive concept that uses an alternative, side-channel protected cryptographic engine within the FPGA logic instead of the built-in one for the crucial task of bitstream decryption. Remarkably, this concept even allows the cryptographic engine itself to be updated. As proof of concept, we describe an application to the Xilinx Zynq-7020 FPGA SoC in detail. We provide two options for a leakage resilient decryption engine which are based on the same primitive, a leakage resilient pseudorandom function (LR-PRF). Depending on a side-channel evaluation of this primitive on the target platform, either a version with additional side-channel countermeasures or a more efficient variant is deployed. The lack of accessible secret key storage poses a significant challenge and requires the use of a physical unclonable function (PUF) to generate a device-intrinsic secret within the FPGA logic. At the same time, this means that manufacturer-provided secret key storage or cryptography is no longer required; only a public key for signature verification of the first stage bootloader and initial static bitstream is needed. We provide empirical results proving the side-channel security of the protected cryptographic engine as well as an evaluation of the PUF quality. The full design and source code are made available to encourage further research in this direction.
  • Publication
    Secure and user-friendly over-the-air firmware distribution in a portable faraday cage (2020)
    Striegel, M.; Heyszl, J.; Jakobsmeier, F.; Matveev, Y.; Sigl, G.
    Setting up large-scale wireless sensor networks (WSNs) is challenging, as firmware must be distributed and trust between sensor nodes and a backend needs to be established. To perform this task efficiently, we propose an approach named Box, which utilizes an intelligent Faraday Cage (FC). The FC acquires firmware images and secret keys from a backend, patches the firmware with the keys and deploys those customized images over-the-air (OTA) to sensor nodes placed in the FC. Electromagnetic (EM) shielding protects this exchange against passive attackers. We place few demands on the sensor node, requiring neither additional hardware components nor firmware customized by the manufacturer. We describe this novel workflow, implement the Box and a backend system, and demonstrate the feasibility of our approach by batch-deploying firmware to multiple commercial off-the-shelf (COTS) sensor nodes. We conduct a user study with 31 participants with diverse backgrounds and find that our approach is both faster and more user-friendly than firmware distribution over a wired connection.
  • Publication
    SCA secure and updatable crypto engines for FPGA SoC bitstream decryption (2019)
    Unterstein, F.; Jacob, N.; Hanley, N.; Gu, C.; Heyszl, J.
    FPGA system on chips (SoCs) are ideal computing platforms for edge devices in applications which require high performance through hardware acceleration and updatability due to long operation in the field. A secure update of hardware functionality can in general be achieved by using built-in cryptographic engines and provided secret key storage. However, reported examples have shown that such cryptographic engines may become insecure against side-channel attacks at any later point in time. This leaves already deployed systems vulnerable without any clear mitigation options. To solve this, we propose a comprehensive concept that uses an alternative, side-channel protected cryptographic engine within the FPGA logic instead of the built-in one for the crucial task of bitstream decryption. Remarkably, this concept even allows the cryptographic engine itself to be updated. As proof of concept, we describe an application to the Xilinx Zynq-7020 FPGA SoC in detail using a leakage resilient decryption engine. The lack of accessible secret key storage poses a significant challenge and requires the use of a physical unclonable function (PUF) to generate a device-intrinsic secret within the FPGA logic. At the same time, this means that no manufacturer-provided secret key storage or cryptography is required anymore; only a public key for signature verification of the first stage bootloader and initial static bitstream is needed. We provide empirical results proving the side-channel security of the protected cryptographic engine as well as an evaluation of the PUF quality. The full design and source code are made available to encourage further research in this direction.
  • Publication
    EyeSec: A Retrofittable Augmented Reality Tool for Troubleshooting Wireless Sensor Networks in the Field (2019)
    Striegel, M.; Rolfes, C.; Heyszl, J.; Helfert, F.; Hornung, M.; Sigl, G.
    Wireless Sensor Networks (WSNs) often lack interfaces for remote debugging. Thus, fault diagnosis and troubleshooting are conducted at the deployment site. Currently, WSN operators lack dedicated tools that aid them in this process. Therefore, we introduce EyeSec, a tool for WSN monitoring and maintenance in the field. An Augmented Reality Device (AR Device) identifies sensor nodes using optical markers. Portable Sniffer Units capture network traffic and extract information. Using this data, the AR Device visualizes the network topology and the data flows between sensor nodes. Unlike previous tools, EyeSec is fully portable, independent of any given infrastructure, and does not require dedicated and expensive AR hardware. Using passive inspection only, it can be retrofitted to already deployed WSNs. We implemented a proof of concept on low-cost embedded hardware and commodity smartphones and demonstrate the usage of EyeSec within a WSN test bed using the 6LoWPAN transmission protocol.
  • Publication
    Locked out by Latch-up? An Empirical Study on Laser Fault Injection into Arm Cortex-M Processors (2018)
    Selmke, B.; Zinnecker, K.; Koppermann, P.; Miller, K.; Heyszl, J.; Sigl, G.
    Laser-based fault injection (LFI) is considered one of the most powerful tools for active attacks against integrated circuits. However, only a few empirical results are published for LFI into modern low-power microcontrollers with current process technologies. To fill this gap, we investigate LFI in four Cortex-M microcontrollers from different manufacturers: ST Microelectronics, NXP and Infineon. We note that those controllers differ from the ones used in high-security smartcard devices but argue that they are possibly built in similar process technologies, making our results relevant for security evaluations. We were able to successfully inject precise faults into either the SRAM or the register file in all tested devices. We report our settings and fault maps in order to facilitate further fault attack investigations on these microcontrollers. As another contribution, we would like to emphasize the significant difficulties we encountered in some measurements due to the occurrence of latch-up effects. In many cases, the latch-up behavior of the integrated circuit prevented successful fault injections. This observation is largely underrepresented in scientific publications, which leads to an overestimation of the effectiveness of laser-based fault injection attacks under realistic circumstances.
  • Publication
    Dividing the threshold: Multi-probe localized EM analysis on threshold implementations (2018)
    Specht, R.; Immler, V.; Unterstein, F.; Heyszl, J.; Sigl, G.
    Cryptographic implementations typically need to be secured to retain their secrets in the presence of attacks. As a countermeasure to prevent side-channel attacks, threshold implementations are a commonly encountered concept. They resemble a multi-party computation, where the value is split into independent shares and processed separately. In this work, we challenge the underlying security assumption that observing these individually processed values is difficult. We observe leakage by spatially separating the shares on an FPGA and using multiple electro-magnetic (EM) probes simultaneously for localized EM analysis. We experimentally verify that the security gain is 238 times less with this method when compared to the power side-channel. In total, we only need 4,300 traces to break a second-order secure implementation. Moreover, such a reduction in protection level is only possible when using multiple probes and applying our attack strategy, which is based on state-of-the-art template attacks. This attack can easily be carried out by any attacker at the expense of buying more probes, which emphasizes the danger of such attacks.
  • Publication
    High-resolution EM attacks against leakage-resilient PRFs Explained (2018)
    Unterstein, F.; Heyszl, J.; Santis, F. de; Specht, R.; Sigl, G.
    Achieving side-channel resistance through Leakage Resilience (LR) is highly relevant for embedded devices where requirements of other countermeasures, such as high quality random numbers, are hard to guarantee. The main challenge of LR lies in the initialization of a secret pseudorandom state from a long-term key and public input. Leakage-Resilient Pseudo-Random Functions (LR-PRFs) aim at solving this by bounding side-channel leakage to non-exploitable levels through frequent re-keying. Medwed et al. recently presented an improved construction at ASIACRYPT 2016 which uses "unknown-inputs" in addition to limited data complexity and correlated algorithmic noise from parallel S-boxes. However, a subsequent investigation uncovered a vulnerability to high-precision EM analysis on FPGA. In this paper, we follow up on the reasons why such attacks succeed on FPGAs. We find that in addition to the high spatial resolution, it is mainly the high temporal resolution which leads to the reduction of algorithmic noise from parallel S-boxes. While spatial resolution is less threatening for smaller technologies than the used FPGA, temporal resolution will likely remain an issue since balancing the timing behavior of signals in the nanosecond range seems infeasible today. Nonetheless, we present an improvement of the ASIACRYPT 2016 construction to effectively protect against EM attacks with such high spatial and high temporal resolution. We carefully introduce additional key entropy into the LR-PRF construction to achieve a high remaining security level even when implemented on FPGAs. With this improvement, we finally achieve side-channel secure LR-PRFs in a practical and simple way under verifiable empirical assumptions.
  • Publication
    Fast FPGA Implementations of Diffie-Hellman on the Kummer Surface of a Genus-2 Curve (2018)
    Koppermann, P.; Santis, F. De; Heyszl, J.; Sigl, G.
    We present the first hardware implementations of Diffie-Hellman key exchange based on the Kummer surface of Gaudry and Schost's genus-2 curve targeting a 128-bit security level. We describe a single-core architecture for low-latency applications and a multi-core architecture for high-throughput applications. Synthesized on a Xilinx Zynq-7020 FPGA, our architectures perform a key exchange with lower latency and higher throughput than any other reported implementation using prime-field elliptic curves at the same security level. Our single-core architecture performs a scalar multiplication with a latency of 82 microseconds, while our multi-core architecture achieves a throughput of 91,226 scalar multiplications per second. When compared to similar implementations of Microsoft's Fourℚ on the same FPGA, this translates to an improvement of 48% in latency and 40% in throughput for the single-core and multi-core architecture, respectively. Both our designs exhibit constant-time execution to thwart timing attacks, use the Montgomery ladder for improved resistance against SPA, and support a countermeasure against fault attacks.
  • Publication
    Low-latency X25519 hardware implementation (2017)
    Koppermann, P.; Santis, F. de; Heyszl, J.; Sigl, G.
    In the past few years, there has been a growing interest in Curve25519 due to its elegant design aimed at both high security and high performance, making it one of the most promising candidates to secure IoT applications. Until now, Curve25519 hardware implementations were mainly optimized for high-throughput applications, while no special care was given to low-latency designs. In this work, we close this gap and provide a Curve25519 hardware design targeting low-latency applications. We present a fast constant-time variable-base-point elliptic curve scalar multiplication using Curve25519 that computes a session key in less than 100 µs. This is achieved by using a high-speed prime field multiplier that smartly combines the reduction procedure with the summation of the digit-products. As a result, our presented implementation requires only 10465 cycles for one session key computation. Synthesized on a Zynq-7030 and operating with a clock frequency of 115 MHz, this translates to a latency of 92 µs, which represents an improvement of factor 3.2 compared to other Curve25519 implementations. Our implementation uses the Montgomery ladder as the scalar multiplication algorithm and includes randomized projective coordinates to thwart side-channel attacks.