RuhrSec 2017: "Keynote: How to Build Hardware Trojans", Prof. Dr. Christof Paar

Captions
to be like a little between moe. Any of you are more like in the network computer area or general computer security, but I think it's a super dangerous thing happening, in part motivated by Edward Snowden, you know, one of the big motivators for our work as of 2013, and so maybe that's of interest to you. And you know, when German professors do great work, it's typically not the German professors, it's all people, right, it's not usually students in post or beer travel and not with most of the work I'm going to present now.

So what I want to talk is give you a little bit of introduction and motivation, and maybe also, you know, sensitize you, what I'll say, what could happen. Then the main part of my talk are these chapters two and three: sub-transistor ASIC Trojans, whatever that is, is like let's build and let's manipulate an actual hardware IC, and then I want to talk about FPGA Trojans, and then there will be some advertising slides too at the end.

Okay, so what are hardware Trojans? Most people in the room, even though you probably haven't dealt with it in detail, the name is pretty descriptive, right? I like that. So we take an integrated circuit with, you know, a few hundred million transistors, we make some alterations to that, and that is a Trojan, so similar to maybe a software Trojan. So one thing we may ask ourselves: why would we do that? What are the applications, right, applications in quotation marks, for Trojans, who would go through that pain and build in hardware Trojans? Well, the big motivating factor for this whole field was the U.S.
military. So military people are really scared of that, that they use military chips and, like, the standard example is, you know, my favorite cruise missile stops working if its GPS coordinates are over China, which is bad if you're in the business of sending cruise missiles to China, right? So people are really scared about it, and I'm going to talk more about it.

Maybe closer to home is critical infrastructures. So what happens if you are in the business of assuring the power supply for Germany and suddenly all your transformers, which are all over Germany, stop working if there's a crisis situation with some other country, right, because the other country took control of your integrated circuits? But also there's, you know, privacy type of reasons. I'm sure there would be people interested in manipulating the chipset that is running on, let's say, all iPhones, and then those people might be able to do certain things with our iPhones, monitoring and stuff, or switching our iPhones off, that would also be pretty bad. So I think the threat scenario is kind of broad.

But now let's look more closely how exactly would that work: who would introduce it, at which stage would we introduce it? So the original threat was the manufacturing. Probably most of you are vaguely aware of that even if you're not in hardware: most ICs are not produced in Germany anymore, they're not produced in the EU, they're not produced in the U.S. anymore. Almost all chips are manufactured in East Asia, Taiwan and China, like 90 percent or something, right? And that was a big push for that in the U.S.
in particular. So, let's say, the military chips are being manufactured offshore, that's how they call it. Again the cruise missile chip: they send them the netlist with the, you know, exact details, 100 million transistors, to get the chips back, and then the big question is: the integrated circuit, the IC that you get back, does this really have exactly the functionality that you want it to have, or is that the chip where the GPS coordinates don't work over China or over Germany?

Okay, the other threat, that's maybe not as well known to everybody: the main chip on my iPhone, there's more than 180 cores, IP cores. You can think of hardware blocks that are built by third parties, so it's like with software, and here you build hardware blocks. You know, like the MP3 decoder, for instance, is coming from a different company. So that means you don't have total control over your hardware design, and if there are 100-odd designs from third parties, who assures me that design number 38 is really working correctly? Or maybe it's leaking AES keys or so; that's another bad thing, right?

And another threat is during shipment: so if stuff is being shipped, the package is being opened and integrated circuits are being replaced, kind of maybe a more crude form of hardware Trojans. Or another one is that hardware Trojans are built in by the manufacturer, right?

So what's interesting historically about the field, I'm going to talk more about it on the next slide, is these two things, that either the manufacturer puts in a Trojan or, let's say, a malicious IP core by third parties, was a big threat. And what you see here is a title page of the Defense Science Board, that's a research branch of the Department of Defense in the U.S. They were very worried about it, I think in 2005, and they started a big research program based on that, right, and said, so this is really, really dangerous, right, our cruise missiles are not working anymore, blah blah blah. So it's like the
crisis in the supply chain, something like that, the microchip supply chain. While it's not clear how real the threat is, because there's some very knowledgeable people who say this attack scenario is pretty difficult: if, you know, the manufacturer, the chip foundry in Taiwan, gets this design, this military chip, there's not a clearly red-marked circle, "this is where the GPS circuit is", right? It's a garbled circuit, a hundred million transistors, you know, probably obfuscated, and there's also only a limited window of time where people possibly could introduce a Trojan, right? It's not clear that this would ever work.

The other two scenarios are kind of anti-government, right? So this is during shipment or built-in backdoors, and nobody talked about it. And then, you know, eight years later Edward Snowden came along and he confirmed that these attack vectors in fact exist, right? There was this one confirmed case where, I think, an activist ordered a keyboard from Amazon and then they discovered that the Amazon keyboard was rerouted through an NSA address in Virginia, right? And don't ask me what they do with the keyboard, right, if it goes to an activist. The same goes with building in backdoors. This is similar, you know, as we know that the NSA pressured software manufacturers to build in software Trojans in their products, and, you know, there's no confirmed case, but it's completely plausible that they may want to do that with hardware manufacturers too. Okay, so I think it's kind of interesting that the government is worried about other people putting in hardware backdoors while at the same time it doesn't seem very unlikely they do the same thing, right? So it's yin and yang.

Okay, but I'm not government, right, I'm not even an activist; I may be sympathetic to these causes, right? So what about the scientific community, how do they deal with that? Well, this is this High Performance Microchip Supply report, right, February 2015, not 2005, I'm sorry. Okay, so what you
see here, we plotted the publications that deal with hardware Trojans, malicious hardware: this is hardware Trojans in the title, and this is if the paper mentions that, right, from Google Scholar, very scientifically. So prior to 2006 essentially that topic didn't exist. I've been doing crypto hardware since 1995; I barely heard about it in my life, right? So what I'm saying is this DoD report triggered almost a new subfield of research within the hardware security community, right? It really exploded, so there's been many, many papers dealing with it. Okay, which I think is interesting.

But where are we with hardware Trojans? One problem, and that's the total opposite to software Trojans, right, and software malware, which most people in this room know much better than I do: they've never been observed in the wild. So we don't have a single confirmed case of a hardware Trojan, right, which makes it very hard to deal with this whole topic, right? I think it's real, I think you can make a really good case this is a real threat, and it's just very hard to detect these things, right? There are examples, but the examples are by people like me, right? So we take our own FPGA design and we add a Trojan, and then, you know, the big question is... Oh yeah, and so what have people done? Their focus is on detection, which I find kind of strange. So they try to detect Trojans while, you know, you see the first bullet point, we don't even know how they look, I mean real Trojans, right? You know how my FPGA Trojans look like, right, but is this really what a serious government agency would do? Probably not. This is a hypothesis, right: they would probably design flaws in a very different way, in particular in a way that is really, really hard to detect, right, really hard to find. So I'm going to talk about that a little bit more.

So what Georg and I thought a few years ago is: why don't we design hardware Trojans? And you saw the hundreds of publications, and out of the hundreds of
publications, and I'm not exaggerating, there were maybe sighs dealing with hardware Trojans, and even those arguably maybe not very sophisticated. And what we were interested in particularly is sneaky Trojans, such Trojans that are very, very hard to detect.

Okay, so we start with, you know, everybody loves, everybody who studied IT security here, they hated the electrical engineering courses, right, the circuit course or so. Back to that, right: the inverter, a very complicated function, right? So this is a very complicated truth table: this is input, output, we invert that. And by the way, a Pentium chip on your laptop or your ARM chip in your Android phone has, making up a number, one hundred million inverters on board, right? It's the most common circuit element. What we wanted to do, well, we wanted to change it, right, but in a very sneaky way; the focus is on very sneaky, so do the smallest possible changes, right? We focus on this transistor here. What we want to do: rather than an inverter we want to have a circuit where the output is always one, right, this is a straight connection. And an easy way of doing that: you just do the rerouting of the metal layer, right? The problem is, if you open that up with 200 sandpaper, you can see that with a regular light microscope. So the question is, can we do that in a very, very sneaky way, so that even military experts that would open up their own chip and look, is there a Trojan, would say, oh, that looks really good.

So that's kind of what we did. So this is this transistor here, right, this is this transistor here from the side, and this is not to scale, right, this is blown up; real transistors are not 1 meter 50 long, right? When you hear about 22 nanometers, right, Intel is going 22 nanometers, this is this distance here, this is the gate width, right, so it's smaller than what you see here, right? And essentially, what the green is, is the substrate. When you hear about silicon, as in Silicon Valley, this is the silicon, and then
you do some doping, that means you add some Center Toma, right, other atoms, so you change the polarity and the conductivity. Then what we did: rather than do a P doping, which is normally what you have to do with this transistor up there, you do an N doping. Is this difficult? No, because 50 percent of the 100 million transistors are N-doped anyway, right? So we just did that. If you go back here, normally this transistor is N-doped, this is P-doped, or what we do, rather than P-doping this, we also N-dope this, right? What happens is this transistor is not a transistor anymore, it just acts like a wire, but we're not using a wire. What do we do? Well, we use atom C as a spot, right, we change different atoms, so meaning this is really hard to see unless you're a superhero, right, and you can see atoms, but most of us are not, right? And also you just add a few atoms here. Okay, so it's not really that easy to detect. And also we do the same here: you can also manipulate the transistor at the bottom so that it becomes an open connection here, with a similar trick, you just change the doping. So what happens on a logical level: this is permanently closed and the NMOS transistor is permanently open, so if you do that you get this logical function, right, you have a permanent one. So it's not very sophisticated so far.

Okay, so now two questions arise. The first question: can this be detected? And second: can we build useful Trojans from that? So let's look at the first question, can it be detected. So now we're going to look at two of these inverters, one of them has a Trojan in and one not. So can anybody see? Probably not. This is the same for all, right, it's ready nobody can fit a tiara, you couldn't see that. I mean, this is looking on the top, this is roughly what you would see, minus the colors, if you start delayering the chip, again 200 slides for Pia, right, 200 sandpaper, - under granularity; in a good microscope you would see something like that, except you wouldn't see the color
see, alright? So it looks completely identical, because the doping happens kind of on the backside, in the substrate, right, this is impossible to see. Okay, so that means all these layers, another layer of polysilicon, active areas and the wells, they all look the same from the top. Okay, and, you know, our hypothesis is that this is very hard to detect, and I'm going to talk about this a little bit more at the end of my presentation.

Okay, so the small remaining question, and small is in quotation marks, is: if you do that, I mean, again, what we did, there's an inverter and we fixed the inverter output to one, that means it's not functioning. Which maybe some of you are aware of: if we build chips, you know, if you have one of these one-billion-dollar factories in Taiwan who build the chips, at the end of the manufacturing process is a very thorough testing process. Every chip is being tested, which takes a few minutes, which is to some extent a bottleneck in chip manufacturing, because you want to test as many of the hundred million transistors as possible, whether they work correctly. If you do what we propose, normally that would be detected in manufacturing as a malfunction, as a non-correctly functioning chip, and it goes in the trash can, right? It will not be shipped, it will not end up in your cruise missile, right, which is bad if you want to build Trojans, right?

So the question is: what we just did, in a very sneaky way we introduced a fault to a circuit, but the circuit is not working correctly. So what do we do from here? So the question is, can you build meaningful Trojans with that, that still pass what's called the functional testing? Functional testing: if you take a class in VLSI design, this is week number six, your professor will talk about testing of VLSI chips, right? I took a VLSI class in 1999 t---cell it's amusing and they talked about testing, right, so this is a very established topic, right? Okay, so let's look at a really good example that
Georg found, namely we look at Intel's true random number generator, which is very well documented, right? So somewhere there's a random number generator on the new Intel chip, and here we propose, we didn't do that of course, because Intel refused to cooperate with us, right, we didn't really ask, we didn't either, I'm kidding. Yeah, right, so we proposed to introduce a dopant Trojan.

So why a random number generator? They're in particular for generating cryptographic keys, right? new speech both SSL connection, right, at some point we need some kind of entropy source, for things such as secure web browsing, email encryption, digital signatures, blah blah blah. So all of that typically relies on freshness for generating some original session key or signature key or private key.

Okay, so how does that work? And this is well documented, you know, there are publications by Intel how they do that. There's actually two parts of a design of a modern true random number generator. There's the actual entropy source, this is what people normally assume is a true random number generator, but this is essentially an electronic circuit that does, whoever was in my lectures and getting my looking for one euro piece of twenty cents is, you do coin flipping, right? So this is the true random number generator, this is this little entropy source thing, right, every TRNG has this on board here. What you also need, because people typically fully trust this here, for instance these things, they tend to age and they tend to be temperature sensitive, so if the chip gets hot, suddenly the coin flipping doesn't work. And it's not really coin flipping, that's not like a little dwarf who is flipping a coin, this is an electronic circuit, right, this is two inverter chains, a ring oscillator, see, alright? So what you do, a fancy term for that is digital post-processing, this is essentially, for, you know, most people in this room here, something like a hash function. So you get this entropy source
which is pretty good but maybe not fully reliable, so you hash the output of the entropy source. So what they do here, they have AES in a counter mode running, and every time you query that, every time you want to get a crypto key out or some other true random number here, at this point two things are happening: you're uploading two random numbers coming from the entropy source, again, this is coin, so they come from coin flipping here, right, and then also you increment the counter here. So in case these values are not totally fresh, right, maybe in the worst case not fresh at all, you just get the same numbers again, you still do an increment here, and as you know, if you were in, what is it, week number eight in my intro lecture, you know, if you flip one bit in the AES input you get a totally different output at this point, right? And of course the attacker doesn't know the key here. So the entropy source feeds the key register of AES and the input register, you know, with fresh coin flips, and then you do that.

Okay, so how many random bits do we have? 256 random bits. That means how many possible outputs do we get? We get 2 to the 256 fresh possible crypto keys. There are about 2 to the 300 atoms in the known universe; that means this is a pretty large number, in particular that's way, way larger than anybody could brute force; 2 to the 256 is huge, right? So this whole design is pretty sound, people did a good job, except if you take hardware Trojans into account.

So what did we do? So it's again the same setup. What we do here now: instead of using 256 bits from coin flipping, the attacker fixes 224 of these bits. How? With this inverter trick, right, you change a few selected transistors, you fix the setting of these register bits to either zero or one, and by the way, the zero and one can be totally freely chosen by the attacker, which will be important in a minute. And of course as an attacker you could fix all 256
bits; that would have the charming disadvantage that you would always get the same crypto key out, right? If you do that 20 times and every time you get the same 128 bits, you see there's something wrong. So what we propose, and this number can be freely chosen, we say: why don't we keep 32 bits truly random? That means the coin flipping, the coin flipper, this electronic circuit, the dwarf who flips the coins, actually uploads 32 random bits here. That means instead of 256 random bits before, now it's 32 random bits, and then, you know, rather than waiting for the lifetime of the universe to brute force that, we only have about one billion crypto keys to test, because the attacker knows these red bits, so the attacker only has to test the 32 bits. This is, you know, 10 to the 9, which takes about a second on your laptop, alright, this is great. Yet for the user you still get about 1 billion possible SSL session keys out, right, so you're probably not cycling through them. You have to be a little bit careful with the birthday paradox, but nevertheless this is kind of a cool idea.

Okay, we still have a problem here, because what we do now, these registers are being fixed, and Intel of course tests every part of the chip, including this part here, right? So they would test these registers and would detect them of account really overrides and the fix, right, the problem. But the way they test that is in a very specific way, which we exploited in our attack.

So this is how it works. So this is the great metro, this is the AES circuit I just showed you. How do they test it? Exactly how you and I would design such a test: there's a known input, you know, I think 512 bits input, and you get a known output out of here, right? And so you run AES a few times, and you know how AES works, so if there's any kind of stuck-at fault, that would show up here, that's rather than, but then what you have to do, you have to check these 512 bits, are they all correct? What they do, and this is a standard
method in fault detection: rather than checking 512 bits, they compress that using a CRC checksum. So they compress the 512 bits to 32 bits, and if this is a known input, of course the 32 bits must be known, and then they check these 32 bits against the reference checksum, and that's it. I didn't come up with this, this is absolutely totally standard, how VLSI testing works, right? You generate a whole large number of test cases, but you're not checking the output of every test case but a compressed version of that. Okay, and this is a great flaw, you know, if you're an attacker.

So what did we do? This is now the Trojan-ized one, right, here we did this doping stuff, right, even if you couldn't follow. This is Trojan-infested, meaning for the known input you get the incorrect outputs, that means these 512 bits are the incorrect 512 bits. That would be detected, right, but they are not being checked, right? Actually many of these bits are wrong, but what we can do now, we can construct the checksum such that these 32 bits are still the same. And we can do that, why? Because we have much control, so we can choose these 224 bits so that this input after CRC checksumming is still correct here. We can do that, right? It means here, even though it has a Trojan in, these 32 bits are identical for this known input, for the test input, and everything works nicely, right? Okay, so that was a really smart idea, I think.

What are the conclusions of it? So we wrote a paper at CHES three or four years ago and it made a big splash, right? And actually in the beginning nothing happened in the CHES community: this is cute work, right, next paper. But then I think two weeks after the conference it got picked up by Slashdot, and then speaker goddess you got snared, right, in the Schneier blog, and so forth, and this whole thing exploded. What did we learn from that? Well, one big lesson for the Trojan community is we can build meaningful hardware Trojans without extra logic, we didn't add a
single gate to that. This is kind of interesting, so most of the detection methods will probably not work here, alright? This built-in self-test, this was the last slide I just described, which was rather detailed, that can be dangerous here, because you're not fully testing every single part of the circuit. More details: the paper is online, it's by Georg, Francesco, Wayne Burleson and myself.

And then some people actually got really upset about this kind of work and say, why is Christof and his group doing this work, destroying our new chip and publishing recipes for the bad people who would manipulate our chips, right? This is not a question for us, right? Why do we do that? Well, we try to find flaws, you know, and, you know, give keynote speeches, this is nice, but the real reason is we know about the flaws and then we fix them, right? This is how the scientific community works, and it did work, right?

So what happened one year later? So this is CHES 2013 we published; at CHES 2014 really good people from Japan said, well, this whole assumption that Christof and his guys had, that you cannot see these doping changes, is incorrect. So they took, you know, they went to the town and bought a scanning electron microscope, they didn't do that, alright, but they're pretty common, so a used scanning electron microscope you can buy at eBay for a few 10,000 bucks, right, or you rent that in your favorite university lab for even less money. And they showed that with a standard scanning electron microscope you can actually see these doping changes, right? They're not easy to see and it takes some time, but this also bought the first paper, and you know how the scientific community works: if this is a real threat and people really want to check the doping concentration, the public could do that.

Okay, so in part based on this very positive feedback that we got, together with the Snowden revelations, we thought, oh, this is really interesting, why don't we look at other ways of building Trojans,
and now let's look at FPGA Trojans. And the motivation for that is one problem with this Intel Trojan: we will never be able to build that, right? That means Intel would need to collaborate with us. Intel hates us for that paper, obviously, alright, so they will never, you know, with us, let's build a test chip so that you can really see, you know, whether such a hardware Trojan is possible. "You're crazy, right, we'll never do that", and I understand, it would be really bad PR. So we were wondering, are there other hardware devices around where we actually can build them, the same way people actually build SSL attacks, right? They're not hypothetical, right, you have to program them and you want to show that you can actually attack an Amazon server or whatever.

Alright, so let's look at FPGAs, reconfigurable hardware devices. If you don't know what an FPGA is, I'm going to explain that to you in the next few slides. Compared to the overall semiconductor market this is a niche market, but that means the relative size is small, the absolute size is huge, right? So the last, currently they're selling about five billion FPGA per year, going in a lot of, like, specialized applications, you know, like space exploration, medical technology, but also network routers, and so a long time necklace Cisco was the largest customer for the FPGA companies, right?

So how does this work? And this is kind of an obvious thing. So what FPGAs basically are: you still have, similar to an Intel chip or your smartphone chip or whatever, something in the order of a few million transistors on a chip, but without a fixed functionality. That means the functionality of these transistors can be programmed in, right, so a mix of hardware and software. And now come to be, and probably most of you know that, but the devil is in the details. So the two market leaders are Altera and Xilinx, and they have about ninety percent market share. They have the following functionality, namely if they're in, say, a Cisco router, if the power is off,
there is no functionality in, that means they are not programmed, virgin-like, right? So in order to program this, there's what's called the bitstream, size of a few 10 megabits; this resides in an external chip, in the flash, and the functionality, you know, let's say work as a network router here, is only being assigned, uploaded, at power-up, right? That means they, let's say, they don't have a non-volatile memory on chip, for technological reasons, right, there's a separate flash which actually holds the configuration information.

Meaning now, and this will be my example, we'll be going to look at AES: so if there's a bitstream which does a lot of, which maybe implements an MP3 decoder, but it might also implement an AES core, right? You know, if you want to have a fast AES core on your Altera or Xilinx chip, you have to program that into your bitstream here, and there are software tools that do that for you. But meaning if an AES is in this bitstream and you program your chip, of course AES shows up here, and you can do, let's say, very fast SSL session encryption here. This is a typical application for FPGAs, they're really fast.

Okay, and now the idea that Pavel and I had maybe three years ago: can we build hardware Trojans not by fiddling around with these FMC, right, this is not going to work, but can we alter the bitstream here? That was the underlying idea. The advantage to the Intel case: we can probably flip bits in the flash, right, this is not that hard, right, you know, reading out the flash, flipping bits and storing the altered bitstream in there, right?

The principle is shown here. So this is a bitstream, and if you see for instance the set of zeros and ones here, bits, you know, 64 bits or something like that, what they often do, they just program a lookup table, as you distance a lookup table, and these lookup tables are being used for implementing logical functions. That means FPGAs, they don't have dedicated gates in order to implement glue logic, right, Boolean functions; they use lookup tables, right?
They're either, in practice mostly, four- or five- or six-input lookup tables with one output. That means some of the bits in this bitstream, you know, again a few 10 million bits long, each of these bits represents some logical function in there. And now the idea is we manipulate some of these bits, see, right, so that the two bits are being flipped, and then you configure this altered bitstream here, right? The principle is clear: that means if you have AES in here, if you use the original bits, AES will show up here, but what we do, in this way, if you alter that, we don't have the original AES, we call that AES-T, for the Trojan version of AES, right? We come to that later, what exactly we did, but the basic idea is let's fiddle around with the bits and you don't get the original AES out, right, you get for instance an AES which, I give it away now, weak S-boxes Lorenson side, by flipping a few bits.

So let's try to do that. You know, this is kind of the talks I'm doing, right: it looks really easy and then it takes the PhD student a year to do that, and they're very, very smart, right? The devil is in the detail; you don't find a handbook on how to do that, the opposite, right, it's really hard to do that stuff.

So again, this is the original, this is the target, right, this is a bitstream, and somewhere in the bitstream is AES. But again, this is this huge bitstream with millions and millions of bits, and typically only a small portion of that is of interest to you, right? You know, AES is actually a fairly small circuit which maybe occupies two percent of your FPGA. How do we find AES in that? And things are pretty bad, because the number of logic cells, you know, there are a few 10,000 up to 1 million logic cells at the high-end FPGAs, and to make it worse, there's no handbook on the bitstream, again the opposite, this is very strictly proprietary. So that means we don't have any idea which bits correspond to which circuit element, right, which bits are responsible for AES S-boxes, right? So the
challenge is: if there is an unknown design, a large bitstream that looks completely random, find the AES in this unknown design, is the first one. And once you found it, what type of manipulation can we do?

Okay, so it turns out, luckily, you know, AES has a lot of components, and let's say finding the key schedule is probably very difficult. Lucky for us, who has heard about S-boxes in this room? Almost everybody. Okay, if not, look at my YouTube video, right? So what people who took the lecture idea of Liana, what they know: the mathematics behind the S-boxes is pretty complicated. In order to make the S-box strong, it's a very specific Boolean function with high non-linearity, right, meaning the Boolean functions you have in the S-box are very specific to crypto; nobody else would ever use this type of function, right? If you, let's say, build an MP3 decoder or a softcore processor on an FPGA, you would never have these types of Boolean functions, they're kind of pathological, right, you only meet them in crypto. Which is good for us, because what we did, we looked for the lookup tables, and the lookup tables are not that hard to find, right, so we fairly easily found the lookup tables, and now we checked for the contents, what type of content they have. And it turns out that this S-box content is super, super specific, so the chances are close to zero that any other design would realize the same Boolean function that AES needs for the S-boxes. Why? This comes out of the cryptographic requirements, right? The last line: S-box content is very specific, luckily for us, right?

So again, that took Pavel what's essentially Travis master's thesis to figure that out, right: find the lookup tables in this unknown design, in this unknown format, and then cross-check how would the lookup tables look if you implement AES S-boxes in that. Okay, so that works. So what we did, we actually looked at eight implementations we took from the internet, it was kind of a real-world study,
and the author, these are all kind of details. They are all kind of different AES types of architectures, and there are many, many ways to implement AES on an FPGA in hardware, but the important thing for you is: we could detect AES in every single design. Again, they were not our designs; these were designs coming from the internet. Okay, so that's good, so this works. And if you could follow my talk, this is not really that surprising: if you go after the S-boxes, you can find S-boxes in FPGA designs. But this was what the Trojan community calls (now, that's not quite right) the trigger, so to say. Now we talk about the payload, that means actually implementing the Trojan. Okay.

So the idea is: this is the FPGA board, right. So what we try to do with the S-boxes: we try to replace the original S-boxes, which are cryptographically strong, with weak S-boxes. An easy way of doing that is replacing the S-box, which is this complicated function with the special mathematical requirements, with the all-ones S-box, right: input equals output. You can do that; it's linear and it's trivial to break. Actually would be nice, we will set a right for week 8. Okay. So what we do: we inject the weak S-boxes, and then, if you power up the board, AES is loaded in, but not the original AES but, you know, the T version, the Trojan version of AES, or even weak AES. If you now run the board, what you can do: you feed plaintext into that Trojan AES implementation, AES would do what it's supposed to do, namely encrypt, and you get the ciphertext back, right, with the Trojan version.

So what most people in this room would say: well, this is kind of cute, what Christof does, but it's totally stupid, right, because you get the incorrect ciphertext back, right. It's cute work, but this is not interoperable with original AES; you get an incorrect output back, right. So what we did here: we implemented a weak version of AES. What do we do from here, right? And we had the same thoughts, right. You know, we thought, let's
let's start with that and let's see what we can do from that. It turns out that at least two attack scenarios we came up with, right, useful attacks, useful attacks from the perspective of you being a bad guy, are possible.

One thing which is very nice: some of you have heard about cloud storage, right. So if you do cloud storage encryption, and there's a good argument to make that a lot of data in the cloud should be encrypted, right, so if you do cloud storage encryption with this type of AES, it's really great, because, you know, this is the plaintext coming from the user, and the ciphertext is what's being stored in the cloud. If now people get access to the ciphertext and try to break that, normally it's not possible, because we don't have a good way of breaking AES, right. We would all be world-famous if we knew how to break AES. Well, our, you know, Trojan version of AES is trivial to break. So that would be one version of attacking, right: rather than using the original AES, you put a weakened version of AES in. What happens now: all data in the cloud is stored with a weakened version of AES, and if you read it out, depending on the attack scenario, hopefully the same AES implementation would be used for reading it out, and then of course you could not only encrypt this way, but you could also go back and decrypt using this weakened version of AES, and everything would be fine. You know what I'm saying: if I use the same AES for encryption and decryption, everything would work, and it would be great for the attacker, because you would have ciphertext which is trivial to break. Okay.

So one thing is storage encryption, and the same goes actually for a USB stick, and we did that: we bought one expensive USB stick which in fact had AES on it, on an FPGA, and we implemented that on the USB stick. That means if you get hold of this USB stick, as, you know, a spy or whatever, normally the assumption is this also tears
board you can't read any files from the USB stick, even if you can read the article decrypted. With this attack it works, right. So we replaced the AES by a weak version, and in a storage encryption scenario it works, because encryption and decryption are done by the same engine.

The other thing, which again doesn't work in every case, but we believe there will be scenarios where it works: namely, there's a scenario where you have temporary access to an encryption device such as a network router. And so you have a network router with, let's say, a burnt-in key, or maybe the key comes from a TPM, a trusted platform module, and you want to learn the key. One thing you can do now, well, one thing is try to break the TPM. Enjoy, right; it is probably going to be very hard to extract the key that's buried in the TPM. Or, with our attack, it is pretty easy. So what we do: we take this device, and somewhere there's a key hidden. What we do is we replace the S-boxes, we power the device up, the device reads the key in, and then you feed a plaintext to get a ciphertext back with this weak version of AES, and what we are interested in is this key here. Okay. And now, because this is the weak ciphertext, we use that ciphertext with the weak AES version to compute the key. Okay. Is it next? No, I don't have a slide on that. No. So from this ciphertext you recover the key with the weak AES version, and once you have the key, you're happy, right. What you do afterwards, so that it doesn't get detected: you go back and you configure the original AES box, so you can just use it as kind of a temporary replacement of AES in order to recover the key, rather than doing a side-channel attack or hardware reverse engineering, whatever your favorite method is for recovering the key. So it can be a very elegant and quick way of recovering a key that's somewhere hidden in your design here. Oh, this may be PUF-generated, right, that the SDGs path. So this is a very easy way of getting a key out of an AES implementation. Okay, so what are the
conclusions? In cryptographic terms, the bitstream is malleable, right. So we can change the bitstream, and then something happens to your crypto primitive, and you can exploit that. One example I just showed you; there are probably more ways you can manipulate that. In general, this is a new attack vector against FPGAs, which again is interesting. I got my first NSF grant in 1998 on crypto on FPGAs, and there have been, not only by my group, you know, mainly by other groups, maybe a thousand papers in the last 20 years dealing with FPGAs and crypto. Already looked at that, right. So it's an area which is arguably over-researched, right; everybody does FPGAs and crypto. Why didn't other people look before at this issue of, you know, basically manipulation? Suddenly you can do really bad stuff, right. And I'm not saying this is the only thing you can do, and maybe that's the best thing: we hope that this gets research running in this direction. In contrast to this inter Trojan I introduced before, you can actually do that in the lab here, which is fun, right. You can really show this is possible; it's not only hypothetical, right.

And the standard counter-argument is: of course that works, as long as you can actually alter the bitstream, right. And then the question is: bitstream encryption has been around, absolutely, for the last 15 years, both providing that era of a bitstream encryption. Unfortunately, in a different line of work, mainly done by Amir and his people in my group, we broke all these bitstream encryption mechanisms. So you can encrypt, but we can break them with standard side-channel attacks, right. Allegedly the new devices are much stronger, and I believe that this could very well be the case, but almost all devices out in the field right now, the vast majority, don't have bitstream encryption switched on, because it's a pain in the neck to do with respect to key management. Even if they did bitstream
encryption, we showed in the last two years we can break the bitstream encryption and then again alter the bitstream. Again, the details are in an IEEE Transactions on Computer-Aided Design paper that we published a couple of years ago, and again the main people behind that are Pawel and Marc.

Okay, so I'm almost done. Here come the advertising slides. So if you like that stuff, go to CHES, you know, the conference that we've been involved in for many, many years. The next CHES will be by the end of the summer in beautiful city in Tehran. We talk a little bit about hardware Trojans, but a lot about, you know, hardware security in general. If you're interested in more specific talks on one application area, we've also been running two escar conferences: escar in Europe, which has been running for 15 years, which will be in November in Berlin, and in about one month escar USA will take place. Both conferences used to be really small, actually at the first one in Bochum about 30 people; now we get about 300 people in both conferences. So if you're interested in car security, go there; I think these are really awesome conferences. Okay. If you are interested in learning crypto, don't buy my book but watch my YouTube videos. For the people that studied in Bochum: these are my lectures, usually given in Bochum. They are totally free. And then, okay, thank you very much. [Applause]
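Why a swapped S-box is both detectable and fatal, as an added example that is not code from the talk or from the speaker's group: AES-128 with a pluggable S-box table, a power-on known-answer test against the FIPS-197 Appendix C.1 vector, and a check that the "input equals output" S-box makes the whole cipher affine. Function names are hypothetical.

```python
# Added example (not from the talk); function names are hypothetical.
def gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    r = 0
    for _ in range(8):
        r ^= a if b & 1 else 0
        a = ((a << 1) ^ 0x11B) if a & 0x80 else a << 1
        b >>= 1
    return r

def aes_sbox():  # field inverse, then the AES affine map
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        rot = [((inv << i) | (inv >> (8 - i))) & 0xFF for i in range(5)]
        box.append(rot[0] ^ rot[1] ^ rot[2] ^ rot[3] ^ rot[4] ^ 0x63)
    return box

def round_keys(key, sbox):
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord, SubWord, round constant
            t = [sbox[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt(block, key, sbox):
    rk = round_keys(key, sbox)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):  # SubBytes+ShiftRows, MixColumns, AddRoundKey
        s = [sbox[s[4 * ((c + r) % 4) + r]] for c in range(4) for r in range(4)]
        if rnd < 10:  # MixColumns is skipped in the last round
            s = [gmul(s[4*c + r], 2) ^ gmul(s[4*c + (r+1) % 4], 3) ^ s[4*c + (r+2) % 4]
                 ^ s[4*c + (r+3) % 4] for c in range(4) for r in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

KEY = bytes(range(16))  # FIPS-197 Appendix C.1 test vector
PT = bytes.fromhex("00112233445566778899aabbccddeeff")
CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
def known_answer_ok(sbox):  # power-on self-test
    return encrypt(PT, KEY, sbox) == CT

def is_affine(sbox):  # affine cipher: E(a)^E(b)^E(c) == E(a^b^c) for a fixed key
    xor3 = lambda p, q, r: bytes(i ^ j ^ k for i, j, k in zip(p, q, r))
    a, b, c = PT, bytes(16), bytes([0xA5] * 16)  # constructed inputs
    ea, eb, ec = (encrypt(v, KEY, sbox) for v in (a, b, c))
    return xor3(ea, eb, ec) == encrypt(xor3(a, b, c), KEY, sbox)
```

With `list(range(256))` as the S-box the known-answer test fails and the affine relation holds; with `aes_sbox()` it is the other way round, which is why a self-test on a published vector catches this particular manipulation.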
Info
Channel: Hackmanit GmbH
Views: 2,961
Rating: 5 out of 5
Keywords: ruhrsec
Id: 46D_5F3_J4A
Length: 44min 44sec (2684 seconds)
Published: Tue May 16 2017