 
Processor Extensions for Security

Arnaud Tisserand
CNRS, IRISA laboratory, CAIRN research team
École ARCHI
Lille, Nord
June 8–12th 2015

Summary

Part I: Introduction
• Security: Applications & Aspects
• Cryptographic Features
• Software vs Hardware Support
• Hardware Acceleration Solutions

Part II: Security Background
• Basic Cyphering
• Symmetric vs Asymmetric Cryptography
• Theoretical Attacks
• Cryptographic Hash Functions
• Physical Attacks
• Random Number Generators (RNG)

Part III: Processors and Co-Processors
• Cryptographic Processors
• Cryptographic Co-Processors & Accelerators
• Trusted Platform Module (TPM)

Part IV: Instruction Set Extensions
• Instruction Set
• Instruction Set Extensions
• Addition of Long Operands
• Extension for Finite Fields Arithmetic
• Extensions for AES

Conclusion, future prospects, references

A. Tisserand, CNRS–IRISA–CAIRN. Processor Extensions for Security 2/81

Part I: Introduction
• Security: Applications & Aspects
• Cryptographic Features
• Software vs Hardware Support
• Hardware Acceleration Solutions

Applications with Security Needs

We need protections against:
Security Aspects

[Diagram: security covers system security (data, networks, operating systems, programs, devices) and cryptology (steganography, cryptography, cryptanalysis: physical, theoretical)]

Steganography

Cryptography: art of secret
Steganography: art of dissimulation

Principle: hide a secret message into another message (support)

[Figure: secret message "landings in Normandy on June 6th, 1944." hidden by a program in a support image; panels: support image, result, difference]

Cryptographic Features

Objectives:
• Confidentiality
• Integrity
• Authenticity
• Non-repudiation
• ...

Cryptographic primitives:
• Encryption
• Digital signature
• Hash function
• Random numbers generation
• ...

Implementation issues:
• Performances: speed, delay, throughput, latency
• Cost: device (memory, size, weight), low power/energy consumption, design
• Security: protection against attacks

Applications: smart cards, computers, Internet, telecommunications, set-top boxes, data storage, RFID tags, WSN, smart grids...

Software vs Hardware Support

[Figure: SW block diagram (instructions management + control, memory hierarchy, register file, FU 1, FU 2, FU 3, LSU; "SECURITY?") and HW block diagram (CTRL, registers, operators, memory)]

      FLEXIBILITY   SPEED   AREA    ENERGY   DEVEL. COST
SW    EXCELLENT     slow    large   large    small
HW    limited       fast    small   small    HUGE
Hardware Acceleration Solutions

At cluster/network/system level: (autonomous) dedicated processors
• Digital signal processors (DSPs)
• Network processors
• Multimedia processors
• Cryptographic processors

At computer level: co-processors and accelerators
• Dedicated cards for specific applications: video (GPU), audio, ...
• Cryptographic co-processors

At processor/core level: instruction set extensions
• Vector/matrix computations, SIMD, FMA, small floats, data shuffling, bit manipulation, cache interaction, prefetching
• Multimedia & signal processing applications
• Cryptographic extensions (AES, $GF(2^m)$ multiplication)

Part II: Security Background
• Basic Cyphering
• Symmetric vs Asymmetric Cryptography
• Theoretical Attacks
• Cryptographic Hash Functions
• Physical Attacks
• Random Number Generators (RNG)

Basic Cyphering

Alice wants to secretly send a message to Bob in such a way Eve (eavesdropper/spy) should have no information

[Figure: A sends plain text M to B over a communication channel; A and B each sit in a secured zone; E listens on the channel]

Symmetric / Private-Key Cryptography

[Figure: A applies E with secret k and sends $E_k(M)$; B applies D with k and obtains $D_k(E_k(M)) = M$; E observes the channel]

• A: Alice, B: Bob
• M: plain text/message
• E: encryption/ciphering algorithm, D: decryption/deciphering algorithm
• k: secret key to be shared by A and B
• $E_k(M)$: encrypted text
• $D_k(E_k(M))$: decrypted text
• E: eavesdropper/spy
Symmetric Cryptography Limitation

people                 required keys
n    list              number             list
2    A, B              1                  k
3    A, B, C           3                  k1, k2, k3
4    A, B, C, D        6                  k1, ..., k6
n    A, ...            n × (n − 1) / 2

Asymmetric / Public-Key Cryptography

[Figure: A applies E with k and sends $E_k(M)$; B applies D with k′ and obtains $D_{k'}(E_k(M)) = M$; E observes the channel]

• k: B's public key (known to everyone including E)
• $E_k(M)$: ciphered text
• k′: B's private key (must be kept secret)
• $D_{k'}(E_k(M))$: deciphered text

Symmetric or Asymmetric Cryptography?

Private-key or symmetric cryptography:
• simple algorithms
• fast computation
• limited cost (silicon area, energy)
• requires a key exchange
• key distribution problem for n persons

Public-key or asymmetric cryptography:
• no key exchange
• only 2 keys per person (1 private, 1 public)
• allows digital signature
• more complex algorithms
• slower computation
• higher cost

Theoretical Attacks

[Figure: A sends $E_k(M)$ to B, who computes $D_k(E_k(M)) = M$; both hold k inside their secured zones; E attacks the channel: k, M ???]

Notations:
• M: plain text
• E: encryption algorithm
• $C = E_k(M)$: ciphered text
• D: decryption algorithm
• k: secret key
RSA 768 Attack in December 2009

6 months on 80 parallel computers (≡ 1 500 years for a single computer!)

RSA-768 =
  33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
  × 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917

Source: article http://eprint.iacr.org/2010/006.pdf
"Factorization of a 768-bit RSA modulus". Thorsten Kleinjung, Kazumaro Aoki, Jens Franke, Arjen K. Lenstra, Emmanuel Thomé, Joppe W. Bos, Pierrick Gaudry, Alexander Kruppa, Peter L. Montgomery, Dag Arne Osvik, Herman te Riele, Andrey Timofeev, and Paul Zimmermann

RSA Ciphering (Rivest, Shamir, Adleman 1977)

[Figure: A holds the public key $(n, e)$, takes $m \in [0, n-1]$ and sends $c = m^e \bmod n$; B holds the private key $d$ and recovers $m = c^d \bmod n$]

RSA key pair generation:
1. generate primes $p$ and $q$ (length $l/2$)
2. compute $n = pq$ and $\varphi = (p-1)(q-1)$
3. select $e$ such that $1 < e < \varphi$ and $\gcd(e, \varphi) = 1$
4. compute $d$ satisfying $1 < d < \varphi$ and $ed \equiv 1 \bmod \varphi$

Security:
• integer factorization problem: compute $(p, q)$ knowing just $n$ is hard
• minimal key size recommendation: 1024 bits
RSA Signature

Signature generation (A, private key $d$):
• $h = H(m)$
• $s = h^d \bmod n$
• send $(m, s)$

Signature verification (B, public key $(n, e)$):
• $h' = s^e \bmod n$
• $h = H(m)$
• comparison: $h = h'$: ACCEPT signature; $h \neq h'$: REJECT signature

$H$: a cryptographic hash function

Cryptographic Hash Functions (1/2)

• message $m$ (arbitrary block of data)
• variable size $l$ ($l$ bits)
• hash or digest $h$
• fixed size $k$ ($k$ bits; in practice $k \ll l$)

Security properties of cryptographic hash functions:
• preimage resistance (one way function): $h \not\rightarrow m \mid h = H(m)$
• second preimage resistance: $m_1 \not\rightarrow m_2 \neq m_1 \mid H(m_1) = H(m_2)$
• collision resistance: finding $(m_1, m_2)$ such that $m_1 \neq m_2$ and $H(m_1) = H(m_2)$ is very hard

Examples: MD5, WHIRLPOOL, SHA-1, SHA-2, SHA-3 (selection 2010)
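The RSA key pair generation, ciphering and signature steps from the slides above, as an added Python example (not code from the lecture). It is textbook RSA without padding, as on the slides, whereas deployed systems add padding such as OAEP or PSS. The Miller-Rabin helper, the fixed e = 65537, SHA-256 as H and all function names are assumptions of this example.

```python
import hashlib
import math
import secrets

def is_probable_prime(n, rounds=40):  # Miller-Rabin (assumed helper)
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(l, e=65537):  # slide steps 1-4, modulus length l bits
    def prime(bits):  # top bit set: full length; low bit set: odd
        while True:
            cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(cand):
                return cand
    while True:  # e is fixed; p, q are redrawn until gcd(e, phi) = 1
        p, q = prime(l // 2), prime(l // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)  # public (n, e), private d

def encrypt(m, n, e):  # c = m^e mod n
    if not 0 <= m < n:
        raise ValueError("m must lie in [0, n-1]")
    return pow(m, e, n)

def decrypt(c, n, d):  # m = c^d mod n
    return pow(c, d, n)

def H(msg, n):  # h = H(m); SHA-256 is an assumed choice of H
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):  # s = h^d mod n
    return pow(H(msg, n), d, n)

def verify(msg, s, n, e):  # ACCEPT iff s^e mod n == H(m)
    return pow(s, e, n) == H(msg, n)
```

`pow(e, -1, phi)` needs Python 3.8 or later.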