Crack Light-weight Crypto … Just By Listening To The Power Supply

Here is Dr Owen Lo outlining the cracking of the PRESENT light-weight cryptography method through a side-channel attack on the electrical power supply (and which involves a collaboration with Keysight):

Introduction

Some sources say that we will be moving to over 95% encrypted traffic on the Internet within the next few years. The drive is mainly due to Google marking sites that do not have SSL/TLS as insecure. And so, too, we see the next generation of devices, which can be the size of a speck of dust. For them, our typical block-based encryption methods, such as AES, are just not possible: the memory requirements and the number of transistors required to implement the methods are not feasible on resource-limited devices.

This results in a split in the cryptography methods that we use:

  • Conventional cryptography. Servers and Desktops; Tablets and smart phones.
  • Lightweight cryptography. Embedded Systems; RFID and Sensor Networks.

IoT = Simple systems

With embedded systems, we commonly see 8-bit, 16-bit and 32-bit microcontrollers, which would struggle to cope with the real-time demands of conventional cryptography methods. And in the 40+ years since the first 4-bit processor, there is still a strong market for 4-bit processors. RFID and sensor network devices, especially, have limited numbers of gates available for security and are often highly constrained in the power drain on the device.

So AES is often a non-starter for many embedded devices. In lightweight cryptography, we often see smaller block sizes (typically 64 bits or 80 bits), smaller keys (often less than 90 bits) and less complex rounds (where the S-boxes often operate on just 4 bits). Along with this, lightweight cryptography has been identified as having weaknesses to side-channel attacks.

For lightweight cryptography, the main constraints that we have are typically related to power requirements, gate equivalents (GEs) and timing. With passive RFID devices, we do not have an associated battery for the power supply, and the chip must power itself from energy coupled from the radio wave. An RFID device is thus likely to be severely constrained in the power drain associated with any cryptography functions, along with being constrained in its timing requirements and in the number of gates used. Even if an RFID device has an associated battery (active RFID), it may be difficult to recharge the battery, so the drain on power must often be minimised.

On the other hand, the IoT is unleashing the next wave of innovation through its inherent capability of connecting intelligent ‘things’ in the physical world into cloud-based information technology architectures. Data and privacy protection are fundamental to the success of the IoT, and it presents new security challenges in cryptographic security, credentialing and identity management.

Compromise

There is thus often a compromise between the cryptography method used and the overall security of the method. Lightweight cryptography methods often balance performance (throughput) against power drain and GE count, and do not perform as well as mainstream cryptography standards (such as AES and SHA-256). Along with this, the method must also have a low requirement for RAM (the running memory the method needs to perform its operation) and ROM (where the method is stored on the device). In order to assess the strengths of various methods, we often define the area that the cryptography function will use on the device, which is measured in µm².

In the IoT, many interconnected resource-constrained devices are not designed to carry out expensive conventional cryptographic computation, which makes it difficult to implement sufficient cryptographic functions. Guaranteeing security and privacy protection thus becomes a serious concern when integrating resource-constrained devices into the IoT, since they are incapable of carrying out sufficient cryptographic algorithms.

Recently, lightweight symmetric cryptography has been developed for the IoT, including hash functions and MACs such as Quark and Marvin, and block/stream ciphers such as PRESENT and SPONGENT. Asymmetric cryptography that can be used for the IoT includes number-theoretic cryptography, such as ECC and PBC, and post-quantum cryptography based on lattices and codes. Since most IoT devices work in a multitasking mode, software performance is crucial for lightweight cryptography, and existing lightweight solutions such as Chaskey, FLY, LEA and SPARX show good evaluation results. In the IoT case, the cipher type, block size, key size, relevant attacks, etc. should be taken into consideration.

Cracking PRESENT with a side-channel attack

One of the first methods to show promise as a replacement for AES in lightweight cryptography is PRESENT. It uses smaller block sizes and allows for smaller keys (such as an 80-bit key). PRESENT uses either an 80-bit (10 hex characters) or a 128-bit encryption key (16 hex characters). It operates on 64-bit blocks and uses a substitution–permutation network (SPN).

With an SPN, as with AES (Rijndael), we operate on blocks of plaintext, apply a key, and then run a number of rounds in which we use substitution boxes (S-boxes) and permutation boxes (P-boxes). The operations used are typically achieved through XOR and bitwise rotation, and parts of the key are introduced through the rounds of operation. The decryption process is then the reverse of the encryption rounds, with the S-boxes and P-boxes inverted.
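As an added example (not code from the original post or from Owen Lo's work), here is PRESENT-80 as published by Bogdanov et al. at CHES 2007, showing the per-round key addition, the 4-bit S-box layer and the bit permutation described above, with the key schedule that feeds part of the 80-bit key into each round. The all-zero key and plaintext test vector from the PRESENT paper is used to check it.

```python
# PRESENT-80 (Bogdanov et al., CHES 2007): 64-bit block, 80-bit key, 31 SPN
# rounds of addRoundKey -> sBoxLayer (16 x 4-bit S-box) -> pLayer (bit permutation),
# followed by a final key addition. Bit 0 is the least significant bit of the state.
# Illustrative implementation added for this article; not the paper's reference code.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(x) for x in range(16)]
# pLayer: bit i of the state moves to position 16*i mod 63; bit 63 stays put.
PBOX = [(16 * i) % 63 if i != 63 else 63 for i in range(64)]
PBOX_INV = [PBOX.index(x) for x in range(64)]
ROUNDS = 31

def sbox_layer(state, box=SBOX):
    out = 0
    for i in range(16):                       # apply the 4-bit S-box to each nibble
        out |= box[(state >> (4 * i)) & 0xF] << (4 * i)
    return out

def p_layer(state, box=PBOX):
    out = 0
    for i in range(64):                       # move every bit to its permuted position
        out |= ((state >> i) & 1) << box[i]
    return out

def round_keys_80(key):
    """Key schedule: each round key is the top 64 bits of the 80-bit key register."""
    keys, k = [], key & ((1 << 80) - 1)
    for i in range(1, ROUNDS + 1):
        keys.append(k >> 16)
        k = ((k << 61) | (k >> 19)) & ((1 << 80) - 1)     # rotate register left by 61
        k = (SBOX[k >> 76] << 76) | (k & ((1 << 76) - 1))  # S-box on the top nibble
        k ^= i << 15                                      # XOR round counter into bits 19..15
    keys.append(k >> 16)                                  # K32, used after the last round
    return keys

def encrypt(plaintext, key):
    keys = round_keys_80(key)
    state = plaintext & ((1 << 64) - 1)
    for r in range(ROUNDS):
        state = p_layer(sbox_layer(state ^ keys[r]))
    return state ^ keys[ROUNDS]

def decrypt(ciphertext, key):
    """Encryption run backwards: undo the final key add, then inverse P-box, inverse S-box, key."""
    keys = round_keys_80(key)
    state = ciphertext ^ keys[ROUNDS]
    for r in reversed(range(ROUNDS)):
        state = sbox_layer(p_layer(state, PBOX_INV), SBOX_INV) ^ keys[r]
    return state
```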

Conclusions

The risks to this amazing infrastructure we have created (the Internet) increase by the day, but it could be the next wave of devices that presents the greatest problems for a large-scale compromise. The methods we apply are often patches and sticking-plaster solutions. Here’s hoping that the next generation of the Internet will have trust baked in at the core.

Owen will be presenting his work at the end of August here:

After he has presented his method, we will post the paper.