Mécanismes Matériels pour des Transactions Processeur-Bus Sécurisées dans les Systèmes Embarqués

Definitions

    Cryptography is a study of techniques dedicated to provide security services to implement information security. Such security services are confidentiality, authentication, data integrity and non-repudiation (definition taken from [16]): Confidentiality is a service used to keep the content of information from all but those authorized to have it. Secrecy is a term synonymous with confidentiality and privacy. There are numerous approaches to providing confidentiality, ranging from physical protection to mathematical algorithms which render data unintelligible. Data integrity is a service which addresses the unauthorized alteration of data. To ensure data integrity, one must have the ability to detect data manipulation by unauthorized parties. Data manipulation includes such things as insertion, deletion, and substitution. Authentication is a service related to identification. This function applies to both entities and information itself. Two parties entering into a communication should identify each other. Information delivered over a channel should be authenticated as to origin, date of origin, data content, time sent, etc. For these reasons this aspect of cryptography is usually subdivided into two major classes: entity authentication and data origin authentication. Data origin authentication implicitly provides data integrity (for if a message is modified, the source has changed). Non-repudiation is a service which prevents an entity from denying previous commitments or actions. When disputes arise due to an entity denying that certain actions were taken, a means to resolve the situation is necessary. For example, one entity may authorize the purchase of property by another entity and later deny such authorization was granted. A procedure involving a trusted third party is needed to resolve the dispute. In the context of this thesis, non-repudiation is not applicable as the system on chip is the only active entity in a processor-memory communication system; therefore such a service issue is not dealt with in this dissertation. In the following, when the term data integrity is used, data origin authentication is implicitly checked. In this chapter, differences between these two notions are highlighted when required. Encryption is the transformation process which makes a message, called plaintext, unintelligible. The resulting text of such a transformation is called ciphertext. Encryption operations are mathematical functions used to ensure the confidentiality of a message (but not only). Decryption is the operation which allows to retrieve the plaintext from the ciphertext. Both encryption and decryption primitives use a key which specifies the particular transformation respectively from plaintext to ciphertext and from ciphertext to plaintext. In the following, the encryption function using the key Ke will be noted as EKe. Hence if P is the message to encrypt, then EKe(P) is the encryption of P using the key Ke. It results in a ciphertext C such as C = EKe(P). Similarly, the decryption function using the key Kd will be noted as DKd and the plaintext P is recovered by applying DKd on the ciphertext C: P = DKd(C). Encryption techniques are exposed in section 1-3. The integrity checking process is the set of operations which allows to verify the data integrity of a message during its storage or transmission. Such a process is described in section 1-4. A cryptosystem is a set of algorithms used to provide the above mentioned security services and particularly confidentiality. It is usually composed of three algorithms: one for the key (or keys) generation, one for encryption noted E and one for decryption noted D. A cryptanalyst studies techniques allowing to retrieve secret information on which the robustness of a cryptosystem – e.g. the key – relies. In the following a malicious cryptanalyst is referred to as an adversary or an attacker. The term eavesdropper is used when the attack only involves monitoring of the communication channel. Two families of attacks have to be considered:
• Active attacks which allow message deletion or corruption, data injection or replay.
• Passive attacks which consist in observing ciphertext on the communication channel (eavesdropping).

Integrity Checking Process Principle

   In order to present this principle, the example of Alice and Bob is taken up again (Figure 1-23). This time Alice sends a message M to Bob and needs the formal assurance that it will not be corrupted during transmission. Thus, Alice first computes a value T, called the tag, over the using a specific black-box keyed-function HK. Then Alice sends T along with M. The role of the tag is to be a compact representative image of the message content and of its origin. Bob receives the pair (M; T), computes a tag T’, called the tag reference, over M using the same black-box keyed-function HK. If T’ is equal to T, Bob has the certainty that M has not been tampered with during transmission. Classic attacks led on integrity checking schemes are called forgery attacks. A forgery attack is successful when an adversary is able to find out the correct tag for a message of his choice. Note that the purpose of the principle presented above is only to give an overview of how integrity checking works; however, the implemented schemes can be slightly different depending on the underlying cryptographic functions involved in the tag computation. Those schemes are described in the following. The integrity checking mechanisms use cryptographic algorithms called hash functions. Most of the time, such functions are not used only to provide data integrity but are essential from a security point of view. Thus, the following section defines hash functions.

Message Authentication Schemes Based on MDC

   As previously defined, data integrity is a service which addresses the unauthorized alteration of data by an adversary during transmission or storage. Additionally to such a notion, it is required to check the origin of the data to be sure that a message really comes from the claimed sender. MDCs are not sufficient to provide such an assurance since they are publicly known as all cryptographic functions (2nd Kerckhoffs principle) and they do not enroll a secret. For example, suppose that Alice computes a tag T of a message M using an unkeyed hash function H – H(M) = T – and sends it to Bob along with M. When Bob receives the pair (M; T) it computes the tag reference T’ using H – H(M) = T’. If T is equal to T’, the only certainty that he has is the fact that T is really the hash result of M using H! Indeed, a malicious third party could have intercepted the pair (M; T) during transmission (Man-in-themiddle: Figure 1.22) and replaced it by a chosen pair (M’; H(M’)) without Bob being able to detect it. The service which identifies the source of a message is called data origin authentication and it will be referred to as message authentication. Data origin authentication implicitly provides data integrity (Figure 1-30). Indeed, if a message is modified during transmission this means that the source has changed. Mechanisms used in addition to MDCs to ensure message authentication are asymmetric signature, symmetric encryption or secret addition (HMAC [90]).

MDC and Asymmetric Signature

   Asymmetric signatures, also called public-key decryption are based on the same cryptographic concept than the one used in public-key encryption. The difference comes from the fact that the encryption is done with the private key and the decryption with the public key instead of the reverse. In this way, the private key holder is the only one able to encrypt a message that everybody can decrypt. Here the encryption objective is not to provide confidentiality; such a principle combined with a MDC is used to provide message authentication. Alice still wants to send a message to Bob with the assurance that it will not be modified during transmission and Bob needs to be sure that the information contained in the received message is correct and that Alice is really the sender (Figure 1-26). Thus Alice computes a hash (H) of the message M with a MDC and signs H by encrypting it with her private key Ke to obtain a tag T (also called signature). She sends the pair (M; T) to Bob over an unsecured channel. Bob receives (M; T), decrypts T using the Alice’s public key Kd and hashes the message M with the same MDC than the one used by Alice. He then compares the resulting reference hash H’ with H. The comparison of the two values informs Bob on the validity of M.

Keyed Hash Functions and MAC Algorithms

Principle Keyed hash functions are dedicated to message authentication and thus are also called Message Authentication Code (MAC) algorithms. In the following the hash generated by such algorithms is referred to as the MAC or the MAC-value. They take a secret key as input in addition to the message to hash. They have a further property which is computationresistance, i.e. they are indistinguishable from random. This means that given an unspecified number of message-MAC pair (mi, MAC (mi)), it is impossible for an attacker to compute any message-MAC pairs (m, MAC (m)) for any new input m ≠ mi. In other words, the output of the MAC algorithm must seem random from an adversary point of view and this is mainly achieved by using the secret key. A hash function with such a property is necessarily preimage resistant, second preimage resistant and collision resistant since it is required to hold the secret key to be able to compute a MAC-value.

Security Level and Adversaries Classification

   IBM proposed a taxonomy [30] of adversaries and attacks in order to classify the security level achieved by each of their product: “Adversaries were grouped into three classes, in ascending order, depending on their expected abilities and attack strengths: Class I (clever outsiders): They are often very intelligent but may have insufficient knowledge of the system. They may have access to only moderately sophisticated equipment. They often try to take advantage of an existing weakness in the system, rather than try to create one. Class II (knowledgeable insiders): They have substantial specialized technical education and experience. They have varying degrees of understanding of parts of the system but potential access to most of it. They often have access to highly sophisticated tools and instruments for analysis. Class III (funded organizations): they are able to assemble teams of specialists with related and complementary skills backed by great funding resources. They are capable of indepth analysis of the system, designing sophisticated attacks, and using the most sophisticated analysis tools (very expensive). They may use Class II adversaries as part of the attack team.” In this work, we consider adversaries for whom the cost of the attack should not exceed the price of the protected entity or the expected amount of profits. Thus, in the following, our study will focus on countermeasures to thwart attacks and adversaries classified in class II.

Hardware Mechanisms for Data Security Localization

   Hardware mechanisms for security are designed between the cache memory and the memory controller on the trusted area (Figure 2.4). This choice is motivated by the following reasons:
1. Performance: such localization allows to store deciphered and integrity checked data in cache memory. Hence, only off-chip memory accesses are impacted by the additional latencies introduced by the underlying cryptographic functions.
2. Security: Secret values, like encryption keys, enrolled in the cryptographic computations are stored on the trusted area and thus, are considered as inaccessible and secret from adversaries’ point of view.
3. Compatibility: the design of the security engines is fully independent of the type of the memory to protect.

Direct Encryption

  Mainly two academic works proposed a detailed description of engines based on direct encryption: Gilmont and al. [34, 35, 36] and a first version of the AEGIS (Architectural EnGine for Information Security) processor [12, 13, 37, 38] developed at the MIT (Massachussetts Institute of Technology) by Suh and al. Gilmont and al. implements a direct encryption/decryption scheme based on the DES algorithm. The software code which is installed has already been ciphered. The encrypted application and the secret key K are transmitted by the software provider using an asymmetric mechanism as the one exposed in Chapter 2 (section 2-1). The encryption mode implemented seems to be ECB since a pipelined DES is used. The chunk size is of 64 bits and the encryption is salted with the virtual address. Therefore for RO data, this ensures that a same plaintext encrypted twice yields two different ciphertexts. However it is not true for RW data: a same value encrypted twice and stored at the same address results in the same ciphertext. This could lead to information leakage: for instance an adversary can deduce when a loop counter returns to a given value. Concerning performance cost, Gilmont and al. evaluates the overhead implied by decryption on an ARM7 processor core to 1% in the best case and 12% in the worst case. However it is not clear in [36] if they consider the encryption cost. A first version of the AEGIS [12, 37] processor  implements AES direct encryption and uses two keys per application, Kstatic for RO data and Kdynamic for RW data. The program received is already encrypted under Kstatic. Kdynamic is generated on-chip with a random number generator [12, 37]. The granularity of encryption (chunk) is aligned on a L2 cache block basis (512-bit). The cache block is broken into 128-bit sub-blocks B[1], B[2], B[3] and B[4] and encrypted in CBC mode as depicted in Figure 3-1 (taken from [37] – || is the concatenation operator). The initialization vector IV required for the CBC mode consists of the address chunk and of a 32-bit value RV; the rest of the IV is padded with zeroes to be 128-bit. For RO data RV is set to zero and for RW data it is randomly generated on each write operation to avoid the ciphering of the same plaintext twice leading to the same ciphertext. RV is stored in the off-chip memory. On a read cache miss, RV and the chunk are loaded, if RV is zero, the cryptographic engine uses Kstatic for decryption otherwise it uses Kdynamic. Such a decryption (CBC) can be done in parallel.

Le rapport de stage ou le pfe est un document d’analyse, de synthèse et d’évaluation de votre apprentissage, c’est pour cela rapport-gratuit.com propose le téléchargement des modèles complet de projet de fin d’étude, rapport de stage, mémoire, pfe, thèse, pour connaître la méthodologie à avoir et savoir comment construire les parties d’un projet de fin d’étude.

Table des matières

List of Figures
List of Tables
Introduction
Chapter 1: The cryptographic tool
1-1. Definitions
1-2. Kerckhoffs’ Principles
1-3. Encryption Techniques
1-3.1. Secret-Key Cipher (a.k.a. Symmetric-Key Cipher)
1-3.1.1. Principle
1-3.1.2. Stream Ciphers
1-3.1.2.1. Principle
1-3.1.2.2. One Time Pad: The Perfect Stream Cipher
1-3.1.2.3. Modern Stream Ciphers
1-3.1.2.4. Advantages and Drawbacks
1-3.1.3. Block Ciphers
1-3.1.3.1. Principle
1-3.1.3.2. The Shannon Principles
1-3.1.3.3. Block Cipher Structures
1-3.1.3.4. Example: AES
1-3.1.3.5. Advantages and Drawbacks
1-3.1.3.6. Modes of Operation
1-3.2. Public-Key Encryption
1-3.2.1. Principle
1-3.2.2. Example: RSA
1-3.2.3. Advantages and Drawbacks
1-3.3. Security of Encryption Techniques
1-4. Data Integrity Checking Techniques
1-4.1. Integrity Checking Process Principle
1-4.2. Hash Functions
1-4.3. Unkeyed Hash Functions a.k.a. Modification Detection Codes (MDC)
1-4.3.1. Principle
1-4.3.2. Example: SHA-1
1-4.3.3. Message Authentication Schemes Based on MDC
1-4.3.3.1. MDC and Asymmetric Signature
1-4.3.3.2. MDC and Symmetric Encryption
1-4.4. Keyed Hash Functions and MAC Algorithms
1-4.4.1. Principle
1-4.4.2. Example: CBC-MAC
1-4.5. The Birthday Attacks
1-4.6. Transaction Authentication
1-5. Conclusion
Chapter 2: Security Concerns
2-1. Software Copy Protection
2-2. The Threat Model
2-2.1. Security Level and Adversaries Classification
2-2.2. Considered Attacks
2-2.3. Attack conducted on a Commercial Device: The DS5002FP
2-3. System on Chip Context
2-3.1. Memory Accesses
2-3.2. Basic Principles for the Hardware Mechanisms for Data Security
2-3.2.1. Hardware Mechanisms for Data Security Localization
2-3.2.2. Bus Encryption Principle
2-3.2.3. Principle of Memory (Content) Integrity Verification
2-3.3. Run-Time Performance Degradation Considerations
2-3.3.1. Data Properties
2-3.3.2. Sources of Time Performance Degradation
2-4. Conclusion
Chapter 3: Related Works
3-1. Hardware Engine for Bus Encryption
3-1.1. Direct Encryption
3-1.2. One Time Pad (OTP)
3-1.3. Summary
3-2. Memory Integrity Verification Engines
3-2.1. Integrity Checking Engines Based on MAC algorithms
3-2.2. Hash Trees
3-2.3. Summary
3-3. Memory Encryption and Authentication: Techniques and Related Works
3-3.1. The Conventional Way: Generic Composition Schemes
3-3.1.1. Principle
3-3.1.2. Off-Chip Memory Protection Engines Based on Generic Composition
3-3.1.2.1. AEGIS
3-3.1.2.2. SP – Secret Protected
3-3.1.2.3. XOM
3-3.1.2.4. Summary
3-3.2. AREA: Added Redundancy Explicit Authentication
3-3.3. Authenticated Encryption Modes
3-3.3.1. Authenticated Encryption Modes with Non-Parallelizable Operations
3-3.3.1.1. CCM – Counter CBC-MAC
3-3.3.1.2. EAX – Encrypt Authenticate Translate
3-3.3.1.3. PCFB – Propagating Cipher Feedback
3-3.3.1.4. IACBC – Integrity Aware Cipher Block Chaining
3-3.3.1.5. XCBC-XOR
3-3.3.2. Parallelizable Authenticated Encryption modes
3-3.3.2.1. IAPM – Integrity Aware Parallelizable Mode
3-3.3.2.2. XECB-XOR
3-3.3.2.3. OCB – Offset Code Book
3-3.3.2.4. GCM – Galois Counter Mode
3-3.3.2.5. CWC – Carter-Wegman authentication with Counter
3-3.3.2.6. CS – Cipher State
3-3.3.3. Discussion
3-4. Conclusion
Chapter 4: PE-ICE – Parallelized Encryption and Integrity Checking Engine
4-1. General Overview
4-2. Adding the Integrity Checking Capability to Block Encryption
4-2.1. The Diffusion Property of Block Ciphers
4-2.2. PE-ICE Encryption and Integrity Checking Process
4-2.3. The Tag Generation
4-3. Encryption Mode and Chunk Definition
4-4. Protecting the Physical Address Space vs. the Virtual Address Space
4-5. Security Considerations
4-5.1. Active Attacks
4-5.2. Confidentiality and Passive Attacks
4-5.3. PE-ICE Encryption Key Requirements
4-6. Physical Address Computation
4-7. Memory consumption
4-8. Summary
4-8.1. Definitions
4-8.2. PE-ICE Parameters
4-8.3. PE-ICE Pseudo Codes
4-9. Conclusion
Chapter 5: PE-ICE Implementation
5-1. PE-ICE Configurations
5-1.1. PE-ICE-128
5-1.1.1. Layout of a PE-ICE-128 Line
5-1.1.2. Security Limitations
5-1.1.3. Memory Consumption
5-1.1.4. Computation of a Chunk Physical Address
5-1.2. PE-ICE-160
5-1.2.1. Layout of a PE-ICE-160 Line
5-1.2.2. Security Limitations
5-1.2.3. Memory Consumption
5-1.2.4. Computation of a Chunk Physical Address
5-1.3. PE-ICE-192
5-1.3.1. Layout of a PE-ICE-192 Line
5-1.3.2. Security Limitations
5-1.3.3. Memory Consumption
5-1.3.4. Computation of a Chunk Physical Address
5-2. Hardware Design and Latencies
5-2.1. The AMBA-AHB Bus
5-2.2. Design Principle
5-2.3. Latencies
5-2.3.1. PE-ICE-128 Latencies
5-2.3.2. PE-ICE-160 Latencies
5-2.3.3. PE-ICE-192 Latencies
5-2.4. Silicon Area Usage
5-2.5. Latency Optimization
5-3. Performance Evaluation
5-3.1. SoC Designer Tool Set
5-3.2. Simulation Platform Modeling
5-3.3. Simulation Framework
5-3.4. Results
5-4. Implementation Use Case
5-4.1. Protected Memory Region and Key Management
5-4.2. Physical Memory Management
5-5. Comparison With a Generic Composition Scheme
5-5.1. The Generic Composition Scheme: AES and CBC-MAC
5-5.1.1. Secure Implementation of GC
5-5.1.2. Optimized Definition of the Generic Composition Scheme
5-5.1.3. Security Considerations
5-5.1.4. Memory Consumption
5-5.1.5. Latencies
5-5.1.6. Hardware Cost
5-5.1.7. Run-Time Performance
5-5.2. Comparison between GC and PE-ICE
5-6. Conclusion
Chapter 6: PRV-Tree – Secure Off-chip Storage of Reference Random Values
6-1. m-ary Balanced Tree
6-2. Secure Storage Principle of the Reference Random Values
6-3. PRV-Tree scheme (PE-ICE protected of the Reference Value Tree)
6-3.1. Principle
6-3.2. Physical Address Computation
6-3.3. Off-chip Memory Consumption
6-4. Comparison between PRV-Trees (PE-ICE-160) and Hash Trees
6-5. Implementation Use Case
6-6. Other applications of PRV-Tree
6-7. Conclusion
Chapter 7: Conclusion
7-1. Contributions
7-2. Further Works
7-3. Further Idea: PE-ICE-OTP
French Summary: Mécanismes Matériels pour des Transactions Processeur-Bus Sécurisées dans les Systèmes Embarqués
References
Bibliography Relative to the Study

Rapport PFE, mémoire et thèse PDFTélécharger le rapport complet

Télécharger aussi :

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *