Methodology for cryptographic rating of memory encryption schemes

Methodology for cryptographic rating of
memory encryption schemes used in
smartcards and similar devices
Version 1.0, 31.10.2013
Bundesamt für Sicherheit in der Informationstechnik
Postfach 20 03 63
53133 Bonn
Tel.: +49 22899 9582-111
E-Mail: [email protected]
Internet: https://www.bsi.bund.de
© Bundesamt für Sicherheit in der Informationstechnik 2013
Table of Contents
1 Introduction ............ 6
2 Memory encryption ............ 7
2.1 Short introduction to cryptology ............ 7
2.2 Memory encryption as security mechanism for smartcards and similar devices ............ 10
2.3 Cryptanalysis of memory encryption ............ 13
3 Methods for cryptanalysis of memory encryption ............ 14
3.1 Cryptographic assumptions and prerequisites for the cryptanalysis of memory encryption ............ 14
3.1.1 Cryptographic assumptions ............ 14
3.1.2 Prerequisites for the cryptanalysis ............ 15
3.2 Methods of Cryptanalysis ............ 16
3.2.1 Cryptanalysis of block cipher ............ 16
3.2.2 Cryptanalysis of memory address scrambling ............ 26
3.2.3 Modes of operation for memory encryption ............ 28
3.3 Cryptanalytic attacks using side-channel information ............ 29
4 Vulnerability analysis of memory encryption ............ 30
4.1 Preparation for the vulnerability analysis of memory encryption ............ 30
4.1.1 Identification of the security requirements for memory protection ............ 30
4.1.2 Description of memory encryption ............ 31
4.1.3 Security architecture of memory encryption ............ 33
4.1.4 Physical and logical attacks on memory, buses and cryptographic modules ............ 34
4.2 Identification of potential vulnerabilities of memory encryption ............ 38
4.3 Characterization of the attack potential for cryptanalytic attacks on memory encryption ............ 40
Literature ............ 48
Glossary ............ 52
Figures
Figure 1: Cryptanalytic attacks in case of communication...................................................................8
Figure 2: Building blocks of memory encryption.............................................................................11
Figure 3: Effect of data encryption and address encryption...............................................................12
Figure 4: Memory attack scenarios ...................................................................................................36
Tables
Table 1: Literature overview of cryptanalysis on block ciphers........................................................25
Table 2: Literature overview on memory address scrambling...........................................................27
Table 3: Literature overview on modes of operation.........................................................................28
Table 4: Literature overview on combination attacks with side-channels.........................................29
Table 5: Expertise of the attacker.......................................................................................................43
Table 6: Knowledge of the TOE........................................................................................................44
Table 7: Equipment............................................................................................................................46
1 Introduction
The document on hand, “Methodology for cryptographic rating of memory encryption schemes used
in smartcards and similar devices”, is intended as a guideline for the vulnerability analysis of memory
encryption in Common Criteria [CC] [CEM] evaluations performed in the German certification
scheme.
The technology area of smartcards and similar devices is characterized by
(1) target of evaluation (TOE) as one-chip hardware including dedicated, embedded or application software, storing and operating user data and providing cryptographic services
using secrets stored on the TOE,
(2) operational environment where the attacker might have physical access to the TOE,
(3) TOE life cycle as described for smartcards in [SDSE].
The TOE security functionality (TSF) shall protect the confidentiality and the integrity of the user
data and TSF data. The TSF implements this protection by means of physical and logical countermeasures including cryptographic security mechanisms. The security integrated circuits protect the
data stored in the memory against combinations of physical and logical attacks. This memory protection builds the basis for the logical protection implemented in the operating system running on the
hardware platform. The cryptographic security mechanisms of the security integrated circuit protecting the data stored in TOE memory are summarized as “memory encryption”. They protect
these data as long as they are stored and transferred internally as ciphertext. The vulnerability analysis shall assess the resistance of the TSF – for this technology area typically with high attack potential – in the intended operational environment. If the non-cryptographic security countermeasures
alone are not sufficient to prevent identified potential attacks with the claimed resistance, the vulnerability analysis shall include the cryptographic security mechanisms.
The guideline focuses on specific aspects of the vulnerability analysis related to the identification of
potential vulnerabilities and the assessment of the effectiveness of the cryptographic mechanisms
with respect to the protection of the confidentiality of the stored data. This document claims neither
to provide a complete list of possible attack methods nor to cover all possible approaches for the
cryptanalysis of memory encryption. The evaluator shall always consider that this document is
intended to give a general guideline and not a “checklist” to fulfil all requirements which might
arise in the course of a vulnerability assessment of a TOE. The guideline will be subject to regular
updates. The reader should consult other supporting and scheme documents for other related aspects
of the vulnerability analysis of smartcards and similar devices.
The document on hand is organized as follows. Chapter 2 introduces memory encryption as a
cryptographic technique for the protection of stored and transferred data on smartcards and similar devices. It starts with a short introduction to the basic terminology and ideas of cryptology necessary for
understanding the objective, the design, the analysis and the assessment of memory encryption.
The memory encryption is described in terms of its building blocks: data encryption, address encryption and secret sharing for keys. This implies assumptions about the cryptographic mechanisms and
the prerequisites of the cryptanalytic methods described in chapter 3. Chapter 3 provides short descriptions of and references to the literature for the cryptanalytic methods most relevant for the vulnerability
analysis of memory encryption. The references are accompanied by short descriptions of the methods
and their relevance for memory encryption. Chapter 4 describes the identification of potential
vulnerabilities and the assessment of memory encryption as part of the vulnerability analysis.
2 Memory encryption
2.1 Short introduction to cryptology
Cryptology comprises two closely linked aspects, cryptography and cryptanalysis. Cryptography
embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or prevent its unauthorized use, including entity authentication (cf. [ISO7498] [1]). Cryptanalysis is the study of techniques for attempting to defeat
cryptographic techniques, i. e. to derive hidden information content, to generate data without authorisation,
to manipulate data without being detected, or to claim a false identity of an entity.
Encryption is a transformation of intelligible data, the semantic content of which is available (so
called plaintext), into a form (so called ciphertext) in order to hide its information content and allow
only the intended receiver to reconstruct the original form with use of a secret (so called decryption
key) (cf. [ISO7498]). The semantic content of ciphertext is not readily available. Decryption is the
reverse process of encryption reconstructing the original plaintext from the ciphertext by means of
the decryption key. A cryptographic key is a variable parameter which is used in a cryptographic algorithm or protocol¹. A cryptographic algorithm may use the same key or trivially related keys (in the
case of symmetric cryptographic algorithms) or different keys, where it is difficult for the adversary
to derive one key from the other (in the case of asymmetric cryptographic algorithms), for complementary operations like encryption / decryption, signature-creation / signature-verification or authentication proof / authentication verification.
Secret sharing is a cryptographic technique that generates for a given secret (e. g. a key) a set of n
secrets such that the knowledge of any m-1 of these n secrets does not allow the calculation of the
original secret, but the knowledge of any m of these secrets is sufficient to calculate the
original secret (m is less than or equal to n).
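To make the m-of-n property concrete, the following is an added example (not part of the BSI guideline, which does not prescribe a particular secret-sharing algorithm) implementing one standard instance of the definition above in Python: Shamir's polynomial-based threshold scheme over a prime field. The field prime, the sample key value and the 3-of-5 parameters are constructed for the demonstration. `implied_secrets` shows the second half of the definition directly: with only m-1 shares, every value in the field is an equally consistent candidate for the secret, so those shares carry no information about it.

```python
import secrets

# Constructed parameter for the demonstration: a prime large enough to hold a
# 61-bit memory encryption key as a single field element.
DEFAULT_PRIME = (1 << 61) - 1


def _eval_poly(coeffs, x, prime):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[m-1]*x^(m-1) mod prime."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % prime
    return acc


def split_secret(secret, m, n, prime=DEFAULT_PRIME):
    """Split `secret` into n shares (x, y); any m of them reconstruct it.

    The secret is the constant term of a random polynomial of degree m-1;
    share i is that polynomial evaluated at x = i (never at x = 0).
    """
    if not 1 <= m <= n < prime:
        raise ValueError("need 1 <= m <= n < prime")
    if not 0 <= secret < prime:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x, prime)) for x in range(1, n + 1)]


def _interpolate_at_zero(points, prime):
    """Lagrange interpolation: value at x = 0 of the unique polynomial of
    degree < len(points) passing through all `points` (distinct x required)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, prime - 2, prime)) % prime
    return total


def recover_secret(shares, prime=DEFAULT_PRIME):
    """Recover the secret from any m (or more) of the n issued shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("shares must have distinct x coordinates")
    return _interpolate_at_zero(shares, prime)


def implied_secrets(partial_shares, missing_x, prime):
    """Given only m-1 shares, try every possible value of one more share and
    collect the secret each guess would imply. The interpolated value at 0 is
    a bijective affine function of the guessed y, so the result is the whole
    field: the m-1 shares reveal nothing about the secret. (Exhaustive loop
    over the field, so only for small demonstration primes.)"""
    return {
        _interpolate_at_zero(list(partial_shares) + [(missing_x, y)], prime)
        for y in range(prime)
    }


if __name__ == "__main__":
    key = 0x0123456789ABCDEF  # constructed sample key, below DEFAULT_PRIME
    shares = split_secret(key, m=3, n=5)
    print(recover_secret([shares[0], shares[2], shares[4]]) == key)  # True
    # Small field so the exhaustive argument can actually be run: 3-of-5 over GF(251).
    small = split_secret(42, m=3, n=5, prime=251)
    print(len(implied_secrets(small[:2], missing_x=3, prime=251)))  # 251
```

In the memory-encryption setting of this guideline the shares would be the physically protected key components mentioned in section 2.2; the scheme guarantees only that fewer than m components are useless to an attacker, so the protection of each component and of the recombination logic remains part of the vulnerability analysis.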
A cryptographic module is a set of hardware and/or software that implements cryptographic algorithms possibly including key generation and is contained within the cryptographic boundary. The
cryptographic boundary is an explicitly defined continuous perimeter that establishes the physical
bounds of a cryptographic module and contains all the hardware and/or software components of a
cryptographic module.
Key management is the generation, storage, distribution, deletion, archiving and application of keys
in accordance with a security policy (cf. [ISO7498]). In case of communication protected by cryptographic techniques like encryption-decryption algorithms and data integrity protection the sender
and the receiver shall agree about the cryptographic key to be used. In case of data storage encryption sender and receiver may be the same device. The key management of memory encryption focuses on secure storage of the key rather than the key distribution (but this might be necessary for
key backup). The operational environment may imply different methods of key management and areas handling the plaintexts and ciphertexts.
The cryptanalysis distinguishes attack scenarios by the goal of the attack, the operational environment defining the attack context, and the specific attack method applied to the concrete cryptographic algorithm or protocol.
¹ A cryptographic protocol describes the syntax, semantics, and synchronization of communication using cryptographic algorithms. Memory encryption, and therefore the guideline on hand, deals mainly with cryptographic algorithms.
The attacker tries
(1) to get (at least some) information encoded by the plaintext for a given ciphertext,
(2) to reconstruct the original plaintexts for given ciphertexts or
(3) to find the decryption key for decryption of the given ciphertexts.
The cryptanalysis of an encryption-decryption algorithm assumes that the attacker has knowledge of
the fixed parts of this algorithm and of the ciphertexts but no knowledge of the decryption key (known as
Kerckhoffs’ principle). The prerequisites for cryptanalytic attacks depend on the operational environment. All cryptanalytic attacks assume that the attacker knows the ciphertext transmitted from a
sender to a receiver or stored in memory. The attacker has at least passive access to the communication channel, the memory or the external ciphertext interfaces of the cryptographic module, i. e. the
attacker intercepts the communication, eavesdrops on the interface or reads the memory. The attacker may also know plaintexts or any information about plaintexts corresponding to intercepted or
read ciphertexts, by intercepting the plaintext interfaces of the cryptographic modules or from other
sources. Furthermore the attacker may have active access to the communication channel, the memory or the interfaces of the cryptographic modules. If the attacker can provide or manipulate plaintexts for encryption and obtain the corresponding ciphertexts, then chosen plaintext attacks are possible.
If the attacker has active access to the input interface of the receiver’s cryptographic module and
can provide or manipulate ciphertexts for decryption and obtain the corresponding plaintexts, then chosen ciphertext attacks may be possible.
Figure 1 illustrates these attack scenarios in case of communication from a sender to a receiver. The
blue arrows indicate passive and the red arrows indicate active access to the plaintexts and ciphertexts.
Figure 1: Cryptanalytic attacks in case of communication
The cryptanalytic attacks may be further classified as follows.
(1) (Strong ciphertext only attacks) The ciphertext contains redundancy and thus provides information about the original plaintext, e. g. repetition of ciphertext parts might indicate equal
plaintext parts.
(2) (Standard ciphertext only attacks) The attacker has prior information (i. e. information the
attacker has before the attack is performed) about probable plaintexts, allowing a decision
whether a reconstructed plaintext (e. g. obtained by means of a guessed key) or a guessed key is correct or not.
(3) (Known plaintext attacks) The attacker knows plaintext-ciphertext-pairs generated with the
cryptographic key under attack allowing exact calculations to reconstruct the decryption
key.
(4) (Chosen plaintext attacks) The attacker is able to provide chosen plaintexts to the logical external interfaces of the cryptographic module in order to get appropriate plaintext-ciphertext pairs for the attack.
(5) (Chosen ciphertext attacks) The attacker may provide chosen ciphertexts as input to a cryptographic module and gets the corresponding plaintexts in order to find the decryption key
or the plaintext for other ciphertexts.
(6) (Adaptive chosen plaintext attacks) In these specific variants of the chosen plaintext attacks
the attacker is able to provide interactively chosen plaintexts depending on previous ciphertexts to the logical external interfaces of the cryptographic module in order to get appropriate plaintext-ciphertext pairs for the attack.
(7) (Adaptive chosen ciphertext attacks) Chosen ciphertext attacks where the attacker is able to
provide interactively chosen ciphertexts depending on previous ciphertext-plaintext pairs to
the logical external interfaces of the cryptographic module in order to get appropriate plaintext-ciphertext pairs for the analysis finding the decryption key or plaintext for other ciphertexts.
(8) (Related key attacks) Attacks as in clauses (4) and (5) under the additional condition that ciphertext encrypted with related keys may be observed or generated.
The chosen plaintext attacks and the adaptive chosen plaintext attacks on the one hand and the chosen
ciphertext attacks and the adaptive chosen ciphertext attacks on the other hand differ mainly in
the practical way of obtaining the text pairs, i.e. whether the input of the cryptographic module of the
sender or of the receiver may be actively used by the adversary, and may use different attack algorithms.
The best measure of security for cryptographic algorithms is the complexity of the most successful
logical cryptanalytic attack in the operational environment. The complexity of an attack can be
evaluated in three factors when implementing an attack:
(1) Data complexity denotes the number of input data units required,
(2) Memory complexity is the number of storage units required,
(3) Time complexity is the number of operations required.
Note that the strength of an encryption-decryption algorithm depends on the decryption algorithm
and especially on the difficulty of finding the secret decryption key. The adversary might discover algorithms and parameters different from the decryption algorithm and the decryption key used by the
receiver that nevertheless yield the original plaintext. For example, if a cipher stream (i. e. an irregular bit
stream xored to the plaintext) is used twice for different sufficiently redundant plaintexts, the adversary may reconstruct the plaintexts independently of how the original cipher system generates this cipher stream – by means of another key or not.
In case of smartcards and similar devices attackers' physical access to the device is assumed. The
physical access enables combinations of physical and logical attacks against the external communication and the internal stored data of the device. The internally stored and operated plaintexts, ciphertexts, the cryptographic keys and the cryptographic module are under direct physical attacks
(cf. section 4.1.4 for details). The physical attacks may support the logical cryptanalytic attacks by
additional information and attack paths, e. g.
(1) the attacker observes and analyses the signals at the external physical interfaces of the cryptographic module in order to get some information about plaintexts or keys (known as side
channel analysis),
(2) the attacker affects the operation of the cryptographic module through the physical external
interfaces in order to introduce errors in the cryptographic calculations and compare them
with correct calculations (known as semi-invasive perturbation attacks),
(3) the attacker manipulates internally stored cryptographic keys or the cryptographic module in
order to affect or to disable the implementation of the cryptographic mechanisms (known as
invasive attacks).
The physical attacks give rise to specific cryptanalytic attacks like reconstruction of the decryption
key if errors occur or some key bits are known by other attacks like side channel analysis.
Chapter 3 describes the general cryptanalytic attacks most relevant for memory encryption.
2.2 Memory encryption as security mechanism for smartcards and similar devices
The TOE may use cryptographic techniques for memory protection on several levels if implemented in the TOE and in scope of the evaluation:
(1) Security integrated circuit level
The security integrated circuit implements cryptographic mechanisms for automatic memory
encryption and protection of the memory encryption keys. The TOE provides cryptographic
services like cryptographic co-processors and supporting functions like arithmetic co-processors for the embedded software.
(2) Operating system level
The operating system implements cryptographic functions and provides cryptographic services for the applications using the cryptographic co-processors of the security integrated
circuit. The security of these cryptographic functions depends on the protection of their
cryptographic keys provided by the memory encryption.
(3) Application level
The application uses the cryptographic services of the operating system and may implement
its own cryptographic mechanisms. It uses and relies on the protection provided by the operating system for its cryptographic keys.
The guideline on hand focuses on memory encryption implemented by security integrated circuits
and summarized as “memory encryption” in the following. The cryptographic system of memory
encryption comprises three components:
(1) the data encryption module encrypting the data written by the CPU into the memory and decrypting the stored data read from the memory to the CPU,
(2) the address encryption module encrypting the logical address used by the CPU and – if implemented as assumed in the following – shifted by the memory management unit (MMU),
into the physical address and
(3) the key management possibly implementing key generation, secret-sharing algorithm and
key destruction.
The TOE may implement
(1) data encryption and key management for data encryption key or keys,
(2) address encryption and key management for address encryption key or keys, or
(3) data encryption, address encryption and key management for data encryption and address
encryption keys.
Case (3) is typical for state-of-the-art smartcards and will be assumed in the following text.
Figure 2: Building blocks of memory encryption
Figure 2 shows the building blocks of memory encryption. The CPU executes code and operates on
data and addresses in plaintext only. It writes data into data memory and reads data from memory
through data buses by providing the corresponding logical address over the address bus. The data
encryption encrypts plaintext into ciphertext to be written in memory and also decrypts the ciphertext to the plaintext to be read from the memory automatically. Some memory types allow for data
reading only, e. g. ROM typically storing executable code, and therefore their cryptographic modules will implement decryption only. The data bus is separated by the data encryption module into
two segments. The data bus segment between the CPU and the data encryption module transmits
plaintext, and we call it plaintext data bus segment in the following. The data bus segment between
the data encryption module and the memory transmits ciphertext, and we call it ciphertext data bus
segment in the following.
The address bus is controlled by the CPU and the memory management unit (MMU). The CPU outputs
the logical address to the MMU. The MMU controls the access to the logical memory areas and
may shift the logical address by a configurable value. The logical address of the CPU – or, if implemented, the shifted logical address of the MMU – is input into the address encryption module. The
address encryption module encrypts the logical (respectively shifted logical) address as plaintext into the
physical address as ciphertext. The address encryption module separates the address bus into two
segments as well: the plaintext address bus segment from the CPU via the optional MMU to the address
encryption module, and the ciphertext address bus segment between the address encryption module
and the memory. The address encryption module implements encryption of the addresses only, because addresses are sent in one direction only, from the CPU to the memory.
The memory stores arbitrary data under the physical address, and therefore does not distinguish between plaintext or ciphertext because the memory does not interpret these data.
The cryptographic keys of the memory encryption are stored in special memory areas (called “key
storage” in the following). The confidentiality and integrity of the memory encryption keys must be
ensured over the life time of the data stored in the memory. The cryptographic keys must have high
cryptographic quality, i. e. generated with sufficient entropy and appropriate for the cryptographic
algorithm using the key. Secret sharing mechanisms split the memory encryption keys into key
components. The key components are stored physically protected in plaintext. Because the encryption and decryption are performed by the same cryptographic module the algorithm may use the
same key for both operations (i. e. symmetric cryptographic algorithm).
The data encryption and the address encryption shall use different cryptographic keys. The data encryption may use the logical address, intermediate data of the address encryption or the physical address of the data to be encrypted or decrypted as an additional input parameter. Depending on which of these inputs is used, the
address encryption keys are not used, partly used or completely used for the data encryption as well.
The data encryption acts as cryptographic substitution of plaintext data blocks to the ciphertext data
blocks and the address encryption acts as cryptographic transposition of the ciphertext data blocks
in the memory. The attacker reading ciphertext blocks stored under physical addresses must break
both data encryption and address encryption in order to reconstruct the plaintext consisting of several blocks.
Figure 3: Effect of data encryption and address encryption
The data encryption and the address encryption hide the information stored in the memory if the
stored data are disclosed to the attacker. The address encryption additionally distributes the information within the memory, increasing the effort of physically reading these data, as shown in figure 3.
The memory address scrambling maps the logical addresses of the stored data used by the CPU to
the physical locations of these data on the hardware. This mapping is the composition of the three
mappings implemented by
(1) the (optional) shift of the logical address output of the CPU performed by the MMU,
(2) the mapping from plaintext to ciphertext performed by the address encryption module,
(3) the mapping of the physical address to the physical location defined by the layout of the
hardware.
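The following Python model, added here and not code from the guideline or from any security IC vendor, puts the building blocks of figure 2 and the three mappings above into runnable form. The address path applies (1) the MMU shift and (2) a keyed permutation as address encryption, with the physical-layout mapping (3) taken to be the identity; the data path applies a keyed block permutation that can optionally take the physical address as an additional input, as section 2.2 allows. The ciphers are toy HMAC-SHA256 Feistel permutations standing in for the block ciphers of a real security IC, and all keys, addresses and data words are constructed sample values. The two analysis helpers show, from the attacker's view of the memory array, the two effects of figure 3 and section 2.1: consecutive logical cells are transposed across the physical array, and without the address tweak equal plaintext words yield equal ciphertext words, which is exactly the redundancy a strong ciphertext-only attack looks for.

```python
import hashlib
import hmac
from collections import Counter


def feistel_permutation(key: bytes, bits: int, rounds: int = 4):
    """Return (encrypt, decrypt) for a keyed bijection on `bits`-bit integers.

    Toy construction used as a stand-in for the block cipher of the security
    IC: a balanced Feistel network whose round function is HMAC-SHA256 of the
    round index and the right half, truncated to the half-block width.
    Any Feistel network is a bijection, whatever the round function.
    `bits` must be even and at most 64.
    """
    half = bits // 2
    mask = (1 << half) - 1

    def round_fn(rnd, x):
        mac = hmac.new(key, bytes([rnd]) + x.to_bytes(4, "big"), hashlib.sha256)
        return int.from_bytes(mac.digest()[:4], "big") & mask

    def encrypt(value):
        left, right = value >> half, value & mask
        for rnd in range(rounds):
            left, right = right, left ^ round_fn(rnd, right)
        return (left << half) | right

    def decrypt(value):
        left, right = value >> half, value & mask
        for rnd in reversed(range(rounds)):
            left, right = right ^ round_fn(rnd, left), left
        return (left << half) | right

    return encrypt, decrypt


class MemoryEncryptionModel:
    """CPU side: (logical address, plaintext word). Attacker side: the memory
    array, i.e. (physical address, ciphertext word). Keys, bus widths and the
    MMU shift are constructed parameters of the model."""

    def __init__(self, data_key, addr_key, addr_bits=12, word_bits=32,
                 mmu_shift=0, tweak_with_address=True):
        self.addr_enc, self.addr_dec = feistel_permutation(addr_key, addr_bits)
        self.data_key = data_key
        self.word_bits = word_bits
        self.addr_mask = (1 << addr_bits) - 1
        self.mmu_shift = mmu_shift
        self.tweak_with_address = tweak_with_address
        self.memory = {}  # physical address -> ciphertext word

    def physical_address(self, logical_addr):
        """Composition of the three mappings: (1) MMU shift, (2) address
        encryption, (3) physical layout, which is the identity in this model."""
        shifted = (logical_addr + self.mmu_shift) & self.addr_mask
        return self.addr_enc(shifted)

    def _data_cipher(self, phys_addr):
        # Optional address tweak: the physical address becomes an additional
        # input of the data encryption, so equal words stored at different
        # addresses no longer produce equal ciphertext words.
        tweak = phys_addr.to_bytes(4, "big") if self.tweak_with_address else b""
        return feistel_permutation(self.data_key + tweak, self.word_bits)

    def cpu_write(self, logical_addr, word):
        phys = self.physical_address(logical_addr)
        encrypt, _ = self._data_cipher(phys)
        self.memory[phys] = encrypt(word)

    def cpu_read(self, logical_addr):
        phys = self.physical_address(logical_addr)
        _, decrypt = self._data_cipher(phys)
        return decrypt(self.memory[phys])


def repeated_ciphertext_words(model):
    """Number of memory cells whose ciphertext word also occurs in another
    cell: the redundancy a strong ciphertext-only attack (section 2.1) uses."""
    counts = Counter(model.memory.values())
    return sum(c for c in counts.values() if c > 1)


def address_scrambled(model, logical_addrs):
    """True if a run of logical addresses does not occupy a run of physical
    cells in the same order (the transposition effect of figure 3)."""
    phys = [model.physical_address(a) for a in logical_addrs]
    return phys != list(range(phys[0], phys[0] + len(phys)))


if __name__ == "__main__":
    for tweak in (False, True):
        model = MemoryEncryptionModel(b"data-key", b"addr-key", tweak_with_address=tweak)
        for addr in range(8):           # eight copies of the same constructed word
            model.cpu_write(addr, 0xDEADBEEF)
        print(tweak, repeated_ciphertext_words(model), address_scrambled(model, range(8)))
```

The untweaked variant models the case where the data encryption depends on the key alone; the tweaked variant models the case, described above, where the address (here the physical address) is an extra input, so that the attacker reading the array cannot recognise equal plaintext blocks from equal ciphertext blocks.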
The guideline on hand assumes that the TOE will implement block cipher algorithms for data encryption and address encryption. Stream ciphers are out of scope of this guideline.
The TOE may implement additionally to the memory encryption a hardware bus encryption for data
transferred between the memory and the CPU or memory and other components like co-processors.
The bus encryption implements encryption for the sender and decryption for the receiver of the
transferred data over the bus. The key of the bus encryption can be synchronously changed for
sender and receiver at any time. This bus encryption is out of scope of the guideline on hand.
2.3 Cryptanalysis of memory encryption
The vulnerability analysis is an assessment to determine whether potential vulnerabilities could allow attackers to violate the security functional requirements in the intended operational environment (cf. [CC] part 3, para. 455). We assume that the TSF shall protect the confidentiality of user
data and TSF data, especially cryptographic secrets, stored and operated on the TOE. Because the
attacker will have physical access to the TOE the memory protection is implemented by means of
physical and logical countermeasures. The physical countermeasures are implemented in hardware
only. The logical countermeasures include but are not limited to cryptographic security mechanisms
implemented by special hardware and maybe dedicated software.
The vulnerability analysis of the memory protection considers all relevant countermeasures. If the
TSF without consideration of memory encryption provides sufficient resistance against attacks with
assumed attack potential the analysis and the assessment of the effectiveness of the memory encryption may be skipped. If the vulnerability analysis identifies a potential vulnerability that the attacker
could exploit against the TSF without memory encryption, the analysis and the assessment of the effectiveness of the cryptographic security mechanisms might be necessary in order to determine
whether this vulnerability is or is not exploitable for the complete TSF in the intended operational
environment (cf. chapter 4 for further details).
The following chapter 3 describes methods for cryptanalysis of memory encryption to be used in
the vulnerability assessment of memory encryption described in chapter 4.
3 Methods for cryptanalysis of memory encryption
3.1 Cryptographic assumptions and prerequisites for the cryptanalysis of memory encryption
The cryptanalysis of the memory encryption shall take into account
• the context of the whole attack path against the data stored in the memory, which includes
the cryptanalytic attack as part, and the binding of memory encryption with the other security features of the TSF, e. g. physical protection of the memory, access control to key management of the memory encryption;
• the method of memory use, i. e.
➢ the type of data stored in the memory as user data, TSF data or TOE implementation
stored in the memory,
➢ the amount of data stored in the memory,
➢ read-only memory or read-write memory;
• the method of use of the memory encryption over the life cycle of the TOE, e. g. the key
management, and
• the operational environment defining the conditions under which the attack might be performed, e. g. the memory may store besides the unknown data under attack also data prior
known to the attacker.
This chapter describes the assumptions and prerequisites for the cryptanalysis of memory encryption.
3.1.1 Cryptographic assumptions
This section describes the assumptions made about cryptographic systems for memory encryption.
The memory encryption is implemented by hardware (i. e. in case of smartcards by the security integrated circuit) and may be supported by dedicated software. The embedded software of a TOE
may implement additional encryption of stored data on operating system or application level but
this is outside the scope of the current document.
The TOE may implement different secret-sharing algorithms, data encryption-decryption algorithms, address encryption algorithms and key sets depending on the type of memory used for the
data storage. We consider the following types of data memory:
(1) ROM storing read-only executable code. The ROM data are fixed for the TOE instantiations,
i. e.
- if the TOE is a security IC then the IC dedicated software will be fixed;
- if the TOE is a smartcard the dedicated software and the embedded software will be fixed.
The ROM may store dedicated and embedded software in plaintext or ciphertext. The ROM
contains typically between 32K Byte and 512K Bytes (up to 4 MB and more).
(2) EEPROM or Flash is read-write memory storing executable code, user data and TSF data.
This memory stores data permanently even if the TOE is switched off. The stored data may
be fixed for a set of the TOE instantiations, fixed individually for each TOE instantiation or
changed during operation. The EEPROM stores user data and TSF data as ciphertext only.
The EEPROM contains typically between 8K Byte and 1M Bytes.
(3) RAM storing temporarily user data and TSF data during a power-on session and not available outside the power-on session. The RAM stores all data in plaintext or all data in ciphertext. RAM contains typically between 512 Bytes and 64K Bytes.
The TOE uses symmetric encryption-decryption algorithms for the stored data. The data are automatically encrypted when writing onto the memory and automatically decrypted when reading from
the memory. The address encryption is a cryptographic permutation of the logical address to the
physical address of the data for reading from the memory and – if appropriate for the type of memory – for writing into the memory.
The cryptographic system for memory encryption uses different key sets for different types of memory. It may use different key types, e. g. long-term keys, group keys, chip-individual keys, and session-individual keys. Long-term keys, like the S-boxes of block ciphers, may have different areas of application, i. e. one or more TOEs or sets of TOE instantiations for different customers or applications. Group keys are used in more than one device.
The keys for data encryption and address encryption may have different areas of application, i. e. all TOE instantiations, sets of TOE instantiations for different customers or applications, an individual TOE instantiation, memory areas, or sessions.
All data keys are secret and stored in special memory areas of the TOE. They are automatically installed during secure start-up (cf. security architecture, secure TSF initialization).
3.1.2 Prerequisites for the cryptanalysis
This section describes the prerequisites for the cryptanalytic attack scenarios. The effort to gain the
relevant information or perform the activities for the attack will be discussed later in chapter 4.
The adversary knows all fixed parts of the cryptographic algorithms (Kerckhoffs' principle).
The adversary knows all or parts of encrypted data stored in the different memory types and areas
of the memory. The amount of known ciphertexts may be limited because of TOE design or security countermeasures. The cryptanalysis shall consider several attack scenarios with respect to the
amount of necessary ciphertext and information about the plaintext for a decision about the key:
(1) The adversary knows ciphertext shorter than the key (in this case the key cannot be determined completely but may be partly reconstructed).
(2) The adversary knows sufficient ciphertext and has information about probable plaintexts allowing probabilistic decision about the right key based on the redundancy contained in the
plaintext of the given ciphertext.
(3) The adversary knows sufficient plaintext-ciphertext pairs allowing correct decision whether
a given key is the right key to be used for decryption.
The amount of plaintext-ciphertext pairs necessary to determine the key depends on the attack method, e. g. algebraic attacks may work on shorter corresponding plaintexts and ciphertexts than probabilistic attacks like linear cryptanalysis.
The adversary may know parts of but not all secret keys. The knowledge of keys depends on
(1) the number of TOE instantiations where the key is used and therefore the number of samples and the amount of data available for attacks, e. g. many devices or only one device (cf. [CEM], B.4.2.2, Knowledge of the TOE, [SDAP], chapter 3, Knowledge of the TOE and Access to TOE),
(2) the time the key is used and therefore the window of opportunity to attack the key, e. g. over the life time of the TOE instantiation, the life time of an application, a fixed life time of the key (regularly changed), or during only one session (cf. [CEM], B.4.2.2, Window of opportunity).
(3) area of application, e. g. memory types and technologies define the effort to get data for the
cryptanalysis.
The adversary may passively observe or actively affect the start-up and operation of the TOE.
3.2 Methods of Cryptanalysis
3.2.1 Cryptanalysis of block cipher
A block cipher is an invertible function which maps n-bit plaintexts to n-bit ciphertexts. This function, also referred to as the encryption function, is parameterized by a k-bit key which is assumed to be chosen uniformly at random. Ideally, the encryption function corresponding to a fixed key should look like a randomly chosen invertible function to an outside observer who has no knowledge of the key. Also, if the block size n of a block cipher is too small, it may be vulnerable to statistical analysis such as frequency analysis of ciphertext blocks. To avoid this and to be able to encrypt large chunks of data, block ciphers are often used with a mode of operation. For data exceeding the size of n bits, one can partition the data into n-bit parts and encrypt all parts independently. This method is known as the electronic codebook mode (ECB). Further, more suitable modes of operation exist which can be used in memory encryption systems, cf. chapter 3.2.3.
Most block ciphers encrypt a given plaintext by iteratively applying a round function a number of times. This round function is often composed of three parts: a nonlinear part providing confusion, a linear diffusion part, and a key addition part. The key addition can be either XOR or modular addition, depending on the designer's choice. The input length of this round function determines the overall design strategy of the block cipher. For example, block ciphers with Feistel structure have round functions whose input/output length is at most half of the block length of the cipher. In a two-branched Feistel structure (like DES), half of the block is processed by the round function and the result is XORed into the other half of the block at each round. Since this process is repeated with the roles of the two halves swapped, the encryption and decryption processes of Feistel ciphers are very similar. On the other hand, the input length of the round function of a substitution permutation network (SPN) is exactly equal to the block length of the cipher. This approach provides faster diffusion but often results in a more expensive implementation in terms of hardware area.
For each round of the encryption process, most block ciphers use individual round keys which are derived from the original encryption key through a key scheduling algorithm. This algorithm should be designed in a way that avoids complementation property attacks as well as weak keys and related key attacks. If a block cipher has the complementation property, an encryption of a plaintext under a complemented key results in the complemented ciphertext of the original encryption. This leads to an improved brute force attack which is twice as efficient as the original one. Similarly, weak keys result in shorter cycles of encryption on average when compared to the rest of the encryption keys. For instance, DES has four weak keys which produce identical round keys. Since DES has a Feistel structure, double encryption with these keys gives the original plaintext. This undesired property of DES enables the adversary to reduce the key space when doing a brute force attack. Moreover, related keys can improve an attack's success probability by a great deal if the encryption system enables the adversary to impose encryption keys with certain relations between them. There are related key variants of almost all attacks in the literature, and these are currently the most powerful attacks against modern block ciphers. In modern block ciphers, key scheduling algorithms often constitute a non-linear function to achieve added resistance to related key attacks. Although the related key attack model improves the success probability of almost all cryptanalytic attacks, such attacks can be easily avoided by updating encryption keys in a random (or pseudo random) manner, i.e. either using a physical source of randomness or a pseudo random number generator with a true random seed.
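The two key-schedule properties named above for DES can be verified on a cipher implementation instead of being taken from the literature. The following Go program is an added example (not code from the BSI document): using Go's standard-library crypto/des, it checks that the complementation property E(~K, ~P) = ~E(K, P) holds for an arbitrary key and that each of the four DES weak keys turns double encryption into the identity; the key and the 8-byte block used are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// complement returns the bitwise complement of b.
func complement(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[i] = ^v
	}
	return out
}

// desEncrypt encrypts one 8-byte block with single DES.
func desEncrypt(key, plain []byte) []byte {
	c, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, plain)
	return out
}

// HasComplementationProperty reports whether E(~K, ~P) == ~E(K, P) for the
// given key and block. A cipher with this property halves the cost of an
// exhaustive key search, as explained in the text.
func HasComplementationProperty(key, plain []byte) bool {
	lhs := desEncrypt(complement(key), complement(plain))
	rhs := complement(desEncrypt(key, plain))
	return bytes.Equal(lhs, rhs)
}

// IsInvolutionKey reports whether encrypting twice under key returns the
// plaintext: the signature of a DES weak key, where all 16 round keys are
// identical and the Feistel decryption schedule equals the encryption one.
func IsInvolutionKey(key, plain []byte) bool {
	return bytes.Equal(desEncrypt(key, desEncrypt(key, plain)), plain)
}

// DESWeakKeys lists the four DES weak keys (with odd parity bits set).
var DESWeakKeys = [][]byte{
	{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01},
	{0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE},
	{0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1},
	{0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E},
}

func main() {
	key := []byte("k3y-0123")   // constructed sample key (not a weak key)
	plain := []byte("memblock") // constructed sample 8-byte memory block
	fmt.Println("complementation property:", HasComplementationProperty(key, plain))
	fmt.Println("sample key is an involution:", IsInvolutionKey(key, plain))
	for _, wk := range DESWeakKeys {
		fmt.Printf("weak key %x is an involution: %v\n", wk, IsInvolutionKey(wk, plain))
	}
}
```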
The attacks given in this section are evaluated according to both their relevance and practicality
when memory encryption systems are considered. An attack is considered as not critical if either it
requires a large portion of the codebook by its nature, or has an assumption which is not likely to be
satisfied when memory encryption systems are considered. In addition, an attack is considered as
partially critical if it requires the cipher to have a specific weakness, which strong ciphers should
not have. Finally, an attack is considered as critical if the number of required plaintext ciphertext
pairs to mount the attack is significantly small compared to the codebook size.
The amount of data required to mount an attack on a cipher is highly dependent on the design of the cipher. For example, a block cipher which has no non-linear element in its round function will obviously be vulnerable to linear attacks, which makes linear attacks critical for that block cipher. But this is valid only for that particular block cipher, and linear attacks may be infeasible to mount when another block cipher with good non-linear elements is considered. Therefore, the evaluation field given in the table below is merely a guideline for comparing attacks on a generic block cipher in terms of their practicality when memory encryption systems are considered.
Method: Text Dictionary Attacks / Matching Ciphertext Attacks
Reference: A.J. Menezes et al: “Handbook of Applied Cryptography”, ’97 [1].
Applicable to: All block ciphers with small block lengths.
Description: A method to identify ciphertext blocks encrypting the same plaintext blocks without any knowledge of the key.
Evaluation: Partially Critical for Memory Encryption Systems. For an n-bit block cipher, a complete dictionary requires 2^n plaintext-ciphertext pairs to be known. Fewer plaintext-ciphertext pairs suffice if plaintexts contain redundancy and a non-chaining mode of operation (such as electronic codebook mode) is used.

Method: Exhaustive Key Search / Brute Force
Reference: A.J. Menezes et al: “Handbook of Applied Cryptography”, ’97 [1].
Applicable to: All block ciphers with small key lengths.
Description: A known plaintext attack which exhaustively tries all possible keys for decryption of a ciphertext to find a matching plaintext.
Evaluation: Critical for Memory Encryption Systems. For an n-bit block cipher with k-bit key, given a small number (e. g.,) of plaintext-ciphertext pairs encrypted under key K, K can be recovered by exhaustive key search in an expected time in the order of 2^(k-1) operations.

Method: Meet-in-the-Middle Attack
Reference: A.J. Menezes et al: “Handbook of Applied Cryptography”, ’97 [1].
Applicable to: Cascaded encryption (double encryption) with two different k-bit keys.
Description: An attack which defeats double encryption using on the order of 2^k operations and 2^k storage for calculating the table for the first key and expected 2^(k-1) operations with the second key to find matching pairs.
Evaluation: Critical for Memory Encryption Systems. It should be noted that encrypting a message with n different k-bit keys does not provide n x k bit security. The amount of data required to implement this attack is as low as for a brute force attack on one encryption, i. e. only few (2 or 3) known plaintext ciphertext pairs are sufficient to implement it.

Reference: A. Bogdanov, C. Rechberger: “A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN”, SAC ’10, [26].
Applicable to: Block ciphers with simple key scheduling algorithms.
Description: Known plaintext and ciphertext pairs are partially encrypted and decrypted simultaneously to find a partial matching in a specific intermediate state. Exploiting the weak key schedule of KTANTAN is the key point of this particular attack.
Evaluation: Critical for Memory Encryption Systems. The amount of data required to implement this attack is as low as for a brute force attack (3 plaintext ciphertext pairs are sufficient in this particular work), which makes the attack critical for memory encryption systems.

Method: Differential Cryptanalysis
Reference: E. Biham et al: “Differential Cryptanalysis of DES-like Cryptosystems”, CRYPTO ’90, [2].
Applicable to: Block ciphers which have highly probable differential relations for all or a subset of rounds in the encryption process.
Description: A chosen plaintext attack where the plaintexts should have a specific XOR difference.
Evaluation: Partially Critical for Memory Encryption Systems. A collection of plaintext ciphertext pairs is needed of an amount depending on the attack probability.

Reference: L. R. Knudsen et al: “Truncated and Higher Order Differentials”, FSE ’95, [3].
Applicable to: Block ciphers which have highly probable differential relations for some rounds of the encryption.
Description: An improved version of differential cryptanalysis which uses truncated differentials (on DES) with the capacity to break ciphers resistant to conventional differential cryptanalysis.
Evaluation: Critical for Memory Encryption Systems. Required assumptions on plaintext pairs are more lax than in the original differential attack. This translates into fewer amounts of data required to devise the attack.

Reference: L. R. Knudsen et al: “Truncated and Higher Order Differentials”, FSE ’95, [3].
Applicable to: Block ciphers of any kind.
Description: The attack makes use of quartets of plaintexts and their corresponding ciphertexts. The attack complexity is directly related to the algebraic degree of the round function.
Evaluation: Critical for Memory Encryption Systems. The attack requires 2^(r+1) chosen plaintexts, where r is the algebraic degree of the round function. Therefore, block ciphers which use round functions of low algebraic degree are more vulnerable to this attack.

Reference: E. Biham et al.: “Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials”, EUROCRYPT ’99, [14].
Applicable to: Block ciphers which have improbable differential relations for some rounds of the encryption.
Description: A chosen plaintext attack which uses differential paths with probability exactly equal to zero.
Evaluation: Critical for Memory Encryption Systems. This attack uses a key elimination technique which increases the run time of the overall attack. But the amount of chosen (or even known) plaintexts can be relatively small when compared to other differential attacks, which makes it critical for memory encryption purposes.

Reference: D. Wagner: “Boomerang Attack”, FSE ’99, [11].
Applicable to: Block ciphers which have highly probable differential relations for few rounds of the encryption.
Description: An adaptive chosen ciphertext/plaintext attack, which makes use of two differential paths for two consecutive parts of a cipher.
Evaluation: Partially Critical for Memory Encryption Systems. This attack requires the decryption of ciphertexts with some specific XOR difference in between, where the corresponding plaintexts have some specific XOR difference as well. The lower the required Hamming weight of the XOR differences between the ciphertexts, the more feasible the attack becomes.

Reference: J. Kelsey et al.: “Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent”, FSE ’00, [12].
Applicable to: Block ciphers which have highly probable differential relations for few rounds of the encryption.
Description: A chosen plaintext attack which makes use of two differential paths for two consecutive parts of a cipher.
Evaluation: Partially Critical for Memory Encryption Systems. If there are highly probable (close to 1) differential paths for n/2 rounds of an n-round cipher, the attack becomes feasible.

Reference: E. Biham: “New types of cryptanalytic attacks using related keys”, EUROCRYPT ’93, [13].
Applicable to: Block ciphers which lack proper diffusion in their key scheduling algorithm.
Description: A chosen plaintext attack which also requires a certain relation between different encryption keys.
Evaluation: Partially Critical for Memory Encryption Systems. If the key update of a memory encryption system allows the adversary to have keys with simple XOR relations, this kind of attack becomes feasible.

Method: Linear cryptanalysis
Reference: M. Matsui: “Linear Cryptanalysis Method for DES Cipher”, EUROCRYPT ’93, [7].
Applicable to: Block ciphers which employ an S-Box for providing non-linearity. It is easier to attack block ciphers which have high biases in the Linear Approximations Table (LAT) of their S-Boxes.
Description: A known plaintext attack which statistically constructs linear approximations of the round function of a cipher.
Evaluation: Critical for Memory Encryption Systems. A collection of known plaintext-ciphertext pairs is needed depending on the attack probability. This attack is feasible when a linear approximation path can be constructed, with high probability, for a sufficiently large portion of the cipher.

Reference: J. Y. Cho: “Linear Cryptanalysis of Reduced-Round PRESENT”, CT-RSA ’10, [8].
Applicable to: Block ciphers with SPN structure.
Description: An improvement of linear cryptanalysis which combines multiple linear approximation paths to attack the target block cipher.
Evaluation: Critical for Memory Encryption Systems. This attack makes use of multiple linear approximation paths to construct an attack on the whole cipher, which improves the attack probability and therefore reduces the required number of known plaintext-ciphertext pairs.

Reference: A. Bogdanov and V. Rijmen: “Zero-Correlation Linear Cryptanalysis of Block Ciphers”, ’11, available online [17].
Applicable to: Block ciphers of any kind.
Description: An adaptation of the impossible differential attack to the concept of linear cryptanalysis.
Evaluation: Not Critical for Memory Encryption Systems. The whole code book (or at least half of it) is required to apply the attack. Even then the time complexity is much higher when it is compared to the other attacks.

Reference: N.T. Courtois and G.V. Bard: “Algebraic cryptanalysis of the Data Encryption Standard”, 11th IMA International Conference ’07, [4].
Applicable to: Block ciphers which have a round function that can be represented by low-degree algebraic relations.
Description: A known plaintext attack which represents the encryption process as a system of equations, and solves them to recover the key.
Evaluation: Critical for Memory Encryption Systems. Minimalistic memory requirements of this attack make it feasible even on smart cards with small memories. Encryption functions of block ciphers often can be represented by low degree algebraic equations. Therefore, block ciphers requiring too few rounds for encryption should be carefully investigated concerning this aspect.

Reference: N.T. Courtois et al: “Algebraic and Slide Attacks on Keeloq”, FSE ’08, [5].
Applicable to: Block ciphers which have a periodic structure (e. g. composition of identical functions) in either encryption or key scheduling algorithms.
Description: The periodic structure of the key schedule of Keeloq is exploited to perform an attack on the full cipher.
Evaluation: Partially Critical for Memory Encryption Systems. Keeloq is broken with 256KB of known plaintexts. Periodic structures in a block cipher should be avoided especially when the algebraic structure of the enciphering function is of low degree.

Reference: T. Jakobsen and L. R. Knudsen: “The Interpolation Attack on Block Ciphers”, FSE ’97, [27].
Applicable to: Block ciphers of any kind, especially the ones which use quadratic functions as their S-Boxes.
Description: Lagrange interpolation is used for finding an alternative algorithm which maps a given plaintext to the corresponding ciphertext without any knowledge of the key.
Evaluation: Partially Critical for Memory Encryption Systems. This attack is mounted by finding a polynomial representation of the ciphertext in terms of plaintext and key bits. The number of plaintext ciphertext pairs required is equal to the number of coefficients in the polynomial representation. Therefore, this attack is critical for block ciphers using round functions of low algebraic degree.

Reference: M. Vielhaber: “Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack”, Cryptology ePrint Archive: Report 2007/413, [34]; I. Dinur and A. Shamir: “Cube Attacks on Tweakable Black Box Polynomials”, EUROCRYPT ’09, [28].
Applicable to: Block ciphers which have a round function that can be represented by low-degree algebraic relations.
Description: The attacker tries to obtain linear equations of secret variables by adding polynomial representations of output bits and fixing some public variables (plaintext bits in the block cipher case) to zero. Once the attacker gathers enough linear equations, she can solve the linear system to obtain the key.
Evaluation: Partially Critical for Memory Encryption Systems. This is a chosen plaintext attack which requires the cipher to have low degree algebraic relations between its input, key and output bits. The degree of the polynomial which represents the relation between the input, key and output bits should not exceed the number of public variables available. The attack has an extensive precomputation phase; but on the other hand, it can also be applied to proprietary ciphers in the black box model.

Reference: M. Albrecht and C. Cid: “Algebraic Techniques in Differential Cryptanalysis”, FSE ’09 [21].
Applicable to: Block ciphers which have highly probable differential relations for few rounds of the encryption.
Description: Combines differential attack ideas with algebraic cryptanalysis.
Evaluation: Partially Critical for Memory Encryption Systems. Differential characteristics are used to simplify the algebraic equations which are to be solved to apply a successful algebraic attack. The required number of plaintext-ciphertext pairs is relatively low compared to plain differential attacks.

Method: Slide Attack
Reference: A. Biryukov and D. Wagner: “Slide Attacks”, FSE ’99, [10].
Applicable to: Block ciphers which have a periodic structure in either encryption or key scheduling algorithms.
Description: An adaptive chosen plaintext attack which exploits the periodic structures of modified DES (2K-DES).
Evaluation: Partially Critical for Memory Encryption Systems. An increase in the number of rounds does not always result in stronger security. A 96-round variant of DES is attacked making use of periodic structures in the key scheduling and round functions.

Method: Integral Cryptanalysis
Reference: N. Ferguson et al: “Improved Cryptanalysis of Rijndael”, FSE ’00, [9].
Applicable to: Especially byte/nibble-oriented block ciphers with bijective round functions.
Description: Recovers the key by investigating ciphertexts of a set of chosen plaintexts with a byte/nibble ranging over all possible values.
Evaluation: Partially Critical for Memory Encryption Systems. An adversary can devise this kind of attack with a relatively low number of chosen plaintext ciphertext pairs, but it requires a very specific structure in the collection of plaintexts (a byte/nibble ranging over all possible values).

Table 1: Literature overview of cryptanalysis on block ciphers
3.2.2 Cryptanalysis of memory address scrambling
The memory address scrambling is the mapping of logical addresses of stored data to physical locations on the chip, provided by memory management units, address encryption and memory layout. It is intended as a countermeasure to information leakage about the locations of stored data in the memory caused by sequential access to memory addresses, which is very common in practical applications. Ideally, an address encryption should distribute the logical addresses uniformly over the whole memory address space when transforming them into physical addresses. In fact, data with sequential logical addresses should not be written to sequential physical addresses, and this should be independent of the block length of the underlying block cipher. This can be simply checked by evaluating the correlation between the logical and physical addresses. Moreover, the address encryption key should be smartcard specific.
In the literature, there are different methods to perform memory encryption (also referred to as “memory scrambling”²) such as partially or fully encrypting the memory addresses. In the former method, only the addresses within the most recently accessed blocks of the memory are encrypted. In the latter approach, the whole logical address space is encrypted at the cost of additional latency and power consumption. The table below lists the address encryption schemes available in the literature and comments regarding their efficiency. Note that the referenced literature does not imply any recommendation for the use of these methods (cf. instead the technical guidance published by BSI, e. g. TR-02102).
2 Scrambling means in general (1) channel encoding in order to optimize data transmission, and (2) weak encryption mainly by transposition (e. g. for voice encryption).
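The correlation check mentioned above can be automated by an evaluator. The following Go program is an added example (not code from the BSI document or from any of the referenced papers): it compares a constructed weak scrambler that only flips fixed address lines with a keyed 4-round Feistel permutation of a 16-bit address space (round function: one AES call under a constructed sample key), verifying that each mapping is a bijection and measuring the Pearson correlation between logical and physical addresses together with the share of consecutive logical addresses that remain consecutive physically.

```go
package main

import (
	"crypto/aes"
	"fmt"
	"math"
)

// The evaluated address space: 16-bit logical and physical addresses (64K Bytes).
const addrSpace = 1 << 16

// Scrambler maps a logical address to a physical address.
type Scrambler func(logical uint16) uint16

// xorScrambler is a constructed example of a weak scheme: it only flips a fixed
// set of address lines, so the order of the address space largely survives.
func xorScrambler(mask uint16) Scrambler {
	return func(logical uint16) uint16 { return logical ^ mask }
}

// feistelScrambler is a keyed permutation of the 16-bit address space: a 4-round
// balanced Feistel network whose round function is one AES call on (round counter
// || right half). Any round function yields a bijection of the address space.
func feistelScrambler(key []byte) Scrambler {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return func(logical uint16) uint16 {
		left, right := uint8(logical>>8), uint8(logical)
		var in, out [16]byte
		for round := 0; round < 4; round++ {
			in[0], in[1] = byte(round), right
			block.Encrypt(out[:], in[:])
			left, right = right, left^out[0]
		}
		return uint16(left)<<8 | uint16(right)
	}
}

// pearson returns the linear correlation coefficient of two equally long samples.
func pearson(xs, ys []float64) float64 {
	n := float64(len(xs))
	var sx, sy float64
	for i := range xs {
		sx += xs[i]
		sy += ys[i]
	}
	mx, my := sx/n, sy/n
	var cov, vx, vy float64
	for i := range xs {
		dx, dy := xs[i]-mx, ys[i]-my
		cov += dx * dy
		vx += dx * dx
		vy += dy * dy
	}
	return cov / math.Sqrt(vx*vy)
}

// Report collects the evaluator's measurements for one scrambler.
type Report struct {
	Bijective   bool    // every physical address hit exactly once
	Correlation float64 // Pearson correlation of logical vs. physical address
	Locality    float64 // share of consecutive logical addresses that stay consecutive
}

// evaluate pushes the whole logical address space through the scrambler.
func evaluate(s Scrambler) Report {
	seen := make([]bool, addrSpace)
	logical := make([]float64, addrSpace)
	physical := make([]float64, addrSpace)
	bijective, adjacent, prev := true, 0, 0
	for a := 0; a < addrSpace; a++ {
		p := int(s(uint16(a)))
		if seen[p] {
			bijective = false
		}
		seen[p] = true
		logical[a], physical[a] = float64(a), float64(p)
		if a > 0 && (p-prev == 1 || prev-p == 1) {
			adjacent++
		}
		prev = p
	}
	return Report{
		Bijective:   bijective,
		Correlation: pearson(logical, physical),
		Locality:    float64(adjacent) / float64(addrSpace-1),
	}
}

func main() {
	key := []byte("constructed-key!") // 16-byte sample key, not a real chip key
	fmt.Printf("xor 0x00ff:    %+v\n", evaluate(xorScrambler(0x00ff)))
	fmt.Printf("keyed Feistel: %+v\n", evaluate(feistelScrambler(key)))
}
```

For the line-flipping scrambler the correlation stays close to 1 and almost every consecutive address pair remains adjacent, whereas the keyed permutation yields a correlation near 0 with practically no surviving adjacency.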
Reference: X. Zhuang et al: “HIDE: an infrastructure for efficiently protecting information leakage on the address bus”, ASPLOS-XI ’04 [18].
Focus: Encrypting the addresses within the most recently accessed blocks.
Description: Permutes the addresses within blocks of variable size, using an additional permutation cache.
Evaluation: The method proposed in this paper only covers scrambling the addresses of a portion of the memory. Also, later in [19], some problems regarding excessive memory accesses on permutation, and redundant permutations are pointed out.

Reference: X. Zhuang et al: “Hardware assisted control flow obfuscation for embedded processors”, CASES ’04 [20].
Focus: Encrypts the contents of the whole memory.
Description: Switches random blocks in the memory by using a “shuffle buffer”.
Evaluation: Memory blocks to be scrambled have to be temporarily kept inside the cache memory, which is referred to as “shuffle buffer”. It also has to be large enough to accommodate all the blocks to be switched.

Reference: L. Gao et al: “A low-cost memory remapping scheme for address bus protection”, PACT ’06 [19].
Focus: Encrypts the contents of the whole memory.
Description: Handles address encryption in chunks of a fixed size (128 blocks). An improvement to previously proposed schemes.
Evaluation: Although this is an improved address encryption method compared to the previously proposed ones, it still needs a cache for permuting blocks, and another one to keep the current order of the blocks in each page/chunk of the memory.

Table 2: Literature overview on memory address scrambling
3.2.3 Modes of operation for memory encryption
As block ciphers encrypt data in n-bit blocks, one needs to use a mode of operation to be able to encrypt data which exceeds the size of n bits. When memory encryption systems are considered, mostly address information is used as part of the mode of operation. The table below lists a collection of modes of operation suitable for memory encryption together with key points of the modes. Note that the security of a mode of operation relies on the assumption that the underlying block cipher is cryptographically secure.
The presented modes of operation make use of the idea of tweakable block ciphers proposed by Liskov et al. [29]. The authors claim that using tweakable block ciphers enables having seemingly different encryption functions without changing the encryption key, which is usually a costly process, but changing the tweak instead. In tweakable block ciphers, a pseudo random tweak value is computed and used as a third input to the encryption function. Here, the idea of including a tweak is to have variability in the ciphertexts corresponding to the same plaintext when different tweaks are used. Although the use of a tweak does not provide additional security to the underlying block cipher, the variability comes in handy in some cryptographic applications such as memory encryption. In the referenced modes below, the tweak is computed by encrypting the page information, which is a unique identifier for a collection of data blocks, using the underlying block cipher with an encryption key. This way, each page has its own unique encryption function, which makes it harder to attack the system using chosen plaintexts or chosen ciphertexts located at different pages.
Note that the referenced literature does not imply any recommendation for the use of these modes of operation (cf. instead the technical guidance published by BSI, e. g. TR-02102).
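To show how an address-derived tweak removes the matching-ciphertext problem of ECB (Table 1) and how the XEX/XTS construction referenced below computes that tweak, the following Go program is an added example (not code from the BSI document, from Rogaway's paper or from SP 800-38E): the page number is AES-encrypted under a second key, the result is multiplied by alpha^j in GF(2^128) for block j of the page (the XTS convention), and the product is XORed into both input and output of the data cipher; keys and the plaintext block are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// MemoryCipher encrypts 16-byte memory blocks under an address-derived tweak
// (the XEX construction as instantiated by XTS): data key K1, tweak key K2.
type MemoryCipher struct {
	data  cipher.Block
	tweak cipher.Block
}

// NewMemoryCipher builds the two AES instances from two 16-byte keys.
func NewMemoryCipher(k1, k2 []byte) (*MemoryCipher, error) {
	data, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	tweak, err := aes.NewCipher(k2)
	if err != nil {
		return nil, err
	}
	return &MemoryCipher{data: data, tweak: tweak}, nil
}

// mulAlpha multiplies a 128-bit value by alpha = x in GF(2^128) modulo
// x^128 + x^7 + x^2 + x + 1, in the little-endian bit order used by XTS.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := 0; i < 16; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// tweakFor derives the tweak of block blk inside page page as
// T = E_K2(page) * alpha^blk; the page id is the encrypted part of the address.
func (m *MemoryCipher) tweakFor(page uint64, blk uint) [16]byte {
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], page) // page id zero-padded to a block
	m.tweak.Encrypt(t[:], t[:])
	for j := uint(0); j < blk; j++ {
		mulAlpha(&t)
	}
	return t
}

// xorInto stores a XOR t in dst.
func xorInto(dst, a []byte, t [16]byte) {
	for i := range t {
		dst[i] = a[i] ^ t[i]
	}
}

// EncryptBlock computes C = E_K1(P xor T) xor T for one 16-byte block.
func (m *MemoryCipher) EncryptBlock(page uint64, blk uint, plain []byte) []byte {
	t := m.tweakFor(page, blk)
	out := make([]byte, 16)
	xorInto(out, plain, t)
	m.data.Encrypt(out, out)
	xorInto(out, out, t)
	return out
}

// DecryptBlock computes P = D_K1(C xor T) xor T; the same (page, blk) is
// needed, so a block only decrypts correctly at the address it was written to.
func (m *MemoryCipher) DecryptBlock(page uint64, blk uint, ct []byte) []byte {
	t := m.tweakFor(page, blk)
	out := make([]byte, 16)
	xorInto(out, ct, t)
	m.data.Decrypt(out, out)
	xorInto(out, out, t)
	return out
}

func main() {
	// Constructed sample keys and a block value that recurs in memory.
	m, err := NewMemoryCipher([]byte("data key 1234567"), []byte("tweak key 123456"))
	if err != nil {
		panic(err)
	}
	p := []byte("0000000000000000")
	ecb := make([]byte, 16)
	m.data.Encrypt(ecb, p) // plain ECB: identical ciphertext at every address
	fmt.Printf("ECB, any address:  %x\n", ecb)
	fmt.Printf("XEX, page 7 blk 0: %x\n", m.EncryptBlock(7, 0, p))
	fmt.Printf("XEX, page 7 blk 1: %x\n", m.EncryptBlock(7, 1, p))
	fmt.Printf("XEX, page 8 blk 0: %x\n", m.EncryptBlock(8, 0, p))
}
```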
Reference: P. Rogaway: “Efficient Instantiations of Tweakable Block ciphers and Refinements to Modes OCB and PMAC”, ASIACRYPT ’04 [24].
Description: XEX: Randomizes the input and output of the block cipher by XORing a tweak, which is obtained by encrypting part of the address information.
Evaluation: The XEX mode of operation requires the implementation of both the encryption and the decryption algorithm of the underlying block cipher. It is proven to be secure when fewer than 2^(n/2) block cipher calls are encrypted under the same key.

Reference: NIST, SP800-38E: “Recommendation for block cipher modes of operation: the XTS-AES mode for confidentiality on block-oriented storage devices”, 2009 [23].
Description: An extension of XEX which uses different keys for encryptions.
Evaluation: This mode also supports the encryption of texts of unusual size, i. e. texts of a size which is not a multiple of the block length of the underlying cipher.

Table 3: Literature overview on modes of operation
3.3 Cryptanalytic attacks using side-channel information
In addition to the methods given in the cryptanalysis table, there are also attacks which exploit some
side-channel knowledge to improve the success probability of an attack. The attacks of this kind require accurate recovery of internal state bits which is often not the case in side-channel analysis.
The table below includes this type of combined attacks and comments on their applicability.
Reference: M. Renauld and F.-X. Standaert: “Algebraic Side-Channel Attacks”, ’09, available online [25].
Applicable to: Block ciphers with round functions of a low algebraic degree.
Description: Side channel information is used for more easily solving the algebraic system obtained from the encryption function.
Evaluation: Algebraic attacks represent the encryption function as a large series of equations. Any accurate information about the internal states of the encryption can be used to simplify some of the equations.

Reference: L. Yang et al: “Side Channel Cube Attack on PRESENT”, CANS ’09 [22].
Applicable to: Block ciphers with round functions of a low algebraic degree.
Description: An improved algebraic attack using accurate side channel information.
Evaluation: A specific bit of the third round state should be available to the attacker to recover the 80-bit key of full PRESENT with 256KB of chosen plaintext data. This number can be considerably lower for weaker ciphers, which makes this attack critical under the required assumption.

Table 4: Literature overview on combination attacks with side-channels
4 Vulnerability analysis of memory encryption
The memory encryption is only a part of the security features protecting the confid  of data stored in the memory. Therefore the evaluator shall include the memory encryption in the vulnerability analysis of the TOE provided that
(1) the TSF shall protect the confidentiality of user data, TSF data or other data stored in memory (called assets in the following),
(2) the TSF uses data encryption or address encryption to protect the confidentiality of these assets during the storage in memory or the internal transfer of the stored ciphertext, and
(3) the non-cryptographic security countermeasures alone are not sufficient to resist identified potential attacks with the attack potential claimed in the security target.
The consideration of the implemented cryptographic security mechanisms will result in a more
comprehensive and therefore more precise vulnerability assessment of the TOE.
This chapter describes specific aspects of the vulnerability analysis of memory encryption as part of
the vulnerability assessment of the memory protection. These aspects relate to the identification of
the requirements, the examination of the security features, the identification of potential vulnerabilities and the assessment of the resistance against attacks. They follow the work flow of the vulnerability analysis. The chapter concludes with examples illustrating the general evaluation methodology for the memory encryption.
4.1 Preparation for the vulnerability analysis of memory encryption
4.1.1 Identification of the security requirements for memory protection
This chapter describes the first step on the way to a vulnerability analysis of the memory encryption
- the identification of the security requirements for memory protection. The security requirements
for memory protection and the claimed resistance against attacks define the criteria for the vulnerability analysis of its security features including those for memory encryption if implemented. In the
following it is assumed that the TOE implements the protection of the assets by means of physical
and logical countermeasures including cryptographic security mechanisms, i. e. the conditions (1)
and (2) above are fulfilled.
The protection of the confidentiality of data stored in the memory may be explicitly required by an
SFR in the security target or may implicitly follow from the security architecture of the TOE.
The security target may
(1) require memory protection directly by security functional requirements (SFR) (cf.
ASE_REQ), or
(2) describe memory protection as security feature against interference in the TOE summary
specification (cf. ASE_TSS.2.2C).
The ST may define an extended component (or reference a definition of an extended component
in a certified protection profile) in order to explicitly describe an SFR for protection of the confidentiality or even the encryption of stored data in the TOE memory. The ST may describe memory encryption using the component FCS_COP.1. The component FPT_PHP.3 describes requirements for
resistance against physical tampering such that the SFRs are always enforced. Note that CC part 2 defines similar SFRs only for protection of the integrity of stored user data (cf. FDP_SDI family) and
internal data transfer protection with an operation for confidentiality protection (cf. FDP_UIT family
for user data and FPT_ITT.1 for TSF data).
The security architecture of the TOE may include the protection of the confidentiality of data stored
in the memory even if it is not directly required by any SFR in the security target. The memory protection and the memory encryption as a mechanism implementing this security feature may
(1) contribute to self-protection of the TSF from tampering, and
(2) support the non-bypassability of the SFR-enforcing functionality.
If the security architecture includes memory protection as a security feature or memory encryption as a
security mechanism, the evaluator will consider these security features to search for any ways the
protection of the TSF can be undermined (cf. CEM work units AVA_VAN.{2,3,4}-4, AIS34, work unit
AVA_VAN.5-4). Note that the criteria of the vulnerability analysis are exploitable vulnerabilities, i. e.
weaknesses in the TOE that can be used to violate the SFRs in the operational environment for the
TOE. Defeating the memory encryption as a security feature of the security architecture is only a step
on the complex attack path violating the SFR.
As output of this activity the evaluator gains information on
(1) whether the security target requires TSF protection for data stored in memory by SFR or as
security feature,
(2) whether the security target requires memory encryption by SFR or as security feature,
(3) the type and amount of data stored as user data, TSF data or TOE implementation in
this protected memory, and
(4) the claimed resistance against attacks violating the SFR.
4.1.2 Description of memory encryption
The functional specification describes the external TSF interface of the memory protection as the
physical boundary of the TOE, i. e. an explicitly defined continuous perimeter that establishes the
physical bounds of the TOE and contains all the hardware, software, and/or firmware components
of the TOE (cf. [SDIC] about ADV_FSP). The IC surfaces of the areas, where the encrypted memory, their buses and the cryptographic modules are located, and the physical entry or exit points of
physical signals of the TOE (ports) together with the internal logical interface to the memory build
the attack surface of the memory encryption.
In almost all cases the functionality of the memory encryption will not be directly accessible or
manageable through the external interfaces of the TSF because the CPU and other components using stored data are connected with the memory through the memory encryption cryptographic modules. These components will receive from and send to the memory plaintext only, without access
to the corresponding ciphertexts or to the memory encryption keys. In cryptographic terms, these components know or choose plaintext without knowing the corresponding ciphertext. The key
management of memory encryption may or may not be under control through external interfaces of the TSF, e. g. the hardware or the dedicated software may control the key generation for
the data and address encryption of the core external RAM during start-up after power-on, but the
keys are fixed after initial start-up of the TSF for the EEPROM encryption or even fixed before
TOE production for ROM encryption.
The TOE design provides a thorough description of the TSF. If memory protection or memory encryption is claimed by SFR in the security target, the TOE design shall describe the modules and the
security mechanisms implementing this or these SFR (cf. purpose of modules according to
ADV_TDS.3 or higher components). The security architecture description (cf. ADV_ARC.1) may
also describe memory encryption as an independent security feature and provide, or reference the TOE
design for, the description of its function and cryptographic mechanisms.
The memory encryption is implemented by means of cryptographic modules for data encryption or
address encryption or both including the key management. The developer shall describe the memory encryption in terms of
(1) the security functions of the memory encryption, i. e. describe what (in terms of action) the
memory encryption does in order to provide the intended protection. This description shall
cover data encryption and address encryption as implemented and the management of the
memory encryption keys (cf. chapter 2.2), and
(2) the security mechanisms of the memory encryption, i. e. describe how a security function (or
its part) is implemented in order to meet an SFR or to enforce architectural soundness. The
level of detail is defined by the purpose of the modules (cf. component ADV_TDS.3 or higher).
The description shall include
(3) all cryptographic algorithms implemented in the cryptographic modules, i. e. for data encryption, address encryption and secret sharing mechanisms as implemented,
(4) the key management for these cryptographic algorithms, i. e. how these keys are generated,
the amount of data, the number of TOE instantiations and the time the keys are used.
Note the TSF may use different cryptographic algorithms and keys for different memory areas under cryptographic protection.
The TOE implementation representation made available for ADV_IMP shall include the implementation of the memory encryption. The evaluator will use the implementation representation to examine whether the TOE conforms to its design. Note that because of the lack of interfaces available for tests (e. g.
known answer tests with plaintext and ciphertext) the examination of the implementation representation may be the only way to determine the correctness of the memory encryption implementation
(cf. CEM, sec. 14.2.2).
As output of this activity the evaluator gains a thorough description of the TSF and TSFI of the memory encryption:
(1) the external interfaces of the memory protection,
(2) the internal interfaces of the memory encryption,
(3) the functionality and properties of the cryptographic mechanisms of the memory encryption
for data encryption, address encryption and key management,
(4) the implementation of the cryptographic mechanisms of the memory encryption.
The evaluator should use the developer evidence provided for the memory areas under protection,
the buses and the cryptographic modules for the vulnerability analysis of the memory protection. This evidence includes but is not limited to the following:
• the method of memory use, e. g. the type and amount of data stored in the memory as user
data, TSF data or TOE implementation,
• the physical locations of the memory areas, the buses and the cryptographic modules in the
device, e. g. metal layer, location viewed from the chip surface,
• the physical protection of the memory, the buses and the cryptographic modules against
reading, temporary manipulation and permanent modification,
• the logical protection of the memory against reading and writing, e. g. provided by the MMU,
• stability against perturbation of the TSF components that may affect the memory, the buses
and the cryptographic modules.
4.1.3 Security architecture of memory encryption
The security architecture of the TOE may describe the security feature of memory protection as provided
by a combination of
(1) security properties of the memory especially of the used technology,
(2) non-cryptographic countermeasures (e. g. active shielding protecting RAM), and
(3) security mechanisms including the memory encryption.
The developer shall demonstrate the security properties of the memory encryption including evidence for the claimed cryptographic resistance of the implemented cryptographic algorithms. The
security architecture of the TSF (cf. CC part 3, Assurance family ADV_ARC) shall describe how
the TSF initialization process is secure (cf. element ADV_ARC.1.3C), the TSF protects itself from
tampering (cf. element ADV_ARC.1.4C) and the TSF prevents bypass of the SFR-enforcing functionality (cf. element ADV_ARC.1.5C). The following paragraphs describe specific security architectural aspects for memory encryption that
• the developer should consider in design and implementation of the TOE and the TSF,
• the developer shall describe in the security architecture documentation,
• the evaluator shall analyse in the vulnerability analysis.
Domain separation is a property whereby the TSF creates separate security domains on its own and
for each untrusted active entity to operate on its resources, and keeps those domains separated from
one another so that no entity can run in the domain of any other. If the TSF maintains security domains it may (but is not required to) support domain separation by memory encryption with different keys used for different memory areas assigned to these security domains.
The security architecture description shall describe how the TSF initialization process is secure. With
respect to memory encryption, the initialization process distinguishes the transition between at least
two states:
(1) power-off state: The TOE stores key components in the key storage and only ciphertexts in
the other protected memory areas. The TSF is non-operational in the sense that only physical
protection is active for all data stored in these memory areas and the memory encryption is
active for the encrypted memory.
(2) operational state: The CPU and other functional components like co-processors read, operate
and write plaintext data. The encryption-decryption functionality for data and addresses is
operational and transparent for these components.
In the power-off state ciphertext only attacks and known plaintext attacks can be performed against the
memory encryption. The key storage can be physically attacked in order to read all key components
and to reconstruct the cryptographic keys. Manipulation of the stored data may prepare chosen
plaintext attacks and chosen ciphertext attacks in the power-on state. In the transition phase from the
power-off state to the operational state the attacker may monitor initialization processes, start-up
self-tests and intermediate states in order to reconstruct the cryptographic keys from the key components and side channel information. In the operational state the attacker may observe the encryption
and decryption process in order to get plaintext-ciphertext pairs of the data encryption and of the address encryption for attacks as in the power-off state. Additionally, chosen plaintext attacks and
adaptive chosen plaintext attacks may be performed if the executed code allows such operation or
the operation of the CPU is manipulated.
The security architecture description shall demonstrate the non-bypassability of the SFR-enforcing
functionality. The security architecture description shall demonstrate with respect to the memory
encryption that
(1) the memory encryption is effective for all assets during storage and transfer between data encryption module and memory (i. e. the plaintext data are available only in absolutely necessary areas of the TOE, e. g. in CPU, on short plaintext buses),
(2) the TSF ensures cryptographic keys are stored only in the form of key components in potentially
readable memory areas, and therefore the necessary attack effort for compromising the key is
sufficiently high,
(3) plaintext-ciphertext pairs could not be easily found in the device, e. g. plaintexts are not obviously known for ciphertexts in unused memory areas, the same data are not stored encrypted and unencrypted even in different memory areas,
(4) the memory encryption is resistant against side-channel attacks.
The TOE may run in power save modes when some components are switched off. The security architecture description shall demonstrate that enabling and disabling of TSF parts do not violate the
security during power save modes.
The security architecture description shall demonstrate self-protection of the TSF. The TSF self-protection against compromise of data in the memory will be achieved by binding of physical and
logical security mechanisms. The self-protection of memory encryption itself shall ensure that the
adversary reading physically stored data from the memory must
(1) break both data encryption and address encryption or
(2) find all used keys implemented by the TOE example or
(3) combine both attack paths, i. e. find key parts and break the remaining encryption
in order to get the plaintext data. The memory encryption shall resist tampering, e. g. perturbation
attacks revealing keys or plaintext.
As output of this activity the evaluator gains understanding of
(1) the role of memory protection and especially memory encryption in the security architecture
of the TOE, and
(2) the security architectural properties of the memory encryption itself
as input for the vulnerability analysis.
4.1.4 Physical and logical attacks on memory, buses and cryptographic modules
The vulnerability analysis will analyse potential vulnerabilities of the memory protection identified
as described in section 4.1.1 and assess whether they are exploitable with the relevant attack potential in the intended operational environment. The description and the assessment of the physical attacks themselves are outside the scope of the guideline at hand. The reader is referred instead to the relevant supporting documents like [SDAP]. If the vulnerability analysis identifies potential vulnerabilities which could be exploited if only the non-cryptographic security countermeasures are taken into
account, i. e. condition (3) above is fulfilled, the evaluator shall consider the implemented memory encryption.
In the context of the guideline at hand physical attacks include but are not limited to
(1) measurement of signals at the contact-based and contactless interfaces of the device as
implemented, including power supply, external clock, output interfaces;
(2) measurement of signals at the physical boundary of the device, e. g. electromagnetic
emanation, electric signals at the chip surface by means of needles;
(3) measurement of internal signals of the device, e. g. on data lines after opening the device or
removing metal layers of the security integrated circuit;
(4) reading the internal memory, e. g. of ROM by means of optical inspection, EEPROM by means
of an atomic force microscope;
(5) manipulation through the contact-based and contactless interfaces of power supply, external
clock, input interfaces as appropriate;
(6) manipulation of signals through the physical boundary of the device, e. g. by means of
electromagnetic radiation, particle exposure, electric signals by means of needles, cutting or
connecting lines;
(7) manipulation of internal signals of the device, e. g. by means of needles;
(8) manipulation of the memory content, e. g. selected memory cells or registers;
(9) perturbation of the program execution or the processes in TOE components like CPU,
MMU, cryptographic coprocessors, cryptographic modules.
All cryptanalytic attacks on memory encryption presuppose attacks that provide ciphertexts or plaintext-ciphertext pairs, or that allow, by means of manipulation, chosen plaintext attacks, chosen ciphertext attacks or related key attacks. In the following we analyse such attacks as prerequisites for the cryptanalysis of the memory encryption and the reconstruction of assets in plaintext.
The attacks against memory encryption are typically performed as combinations of logical cryptanalytic attacks and physical attacks on the cryptographic module and the components handling the
relevant data like the memory, the buses, the CPU or the MMU. At first, non-cryptographic physical
and logical attacks read ciphertext data with their physical (encrypted) addresses from memory or
buses. But the semantic content of these encrypted data and addresses is not readily available. The
cryptanalytic attacks try to reconstruct the plaintext data, the plaintext addresses and at best the
cryptographic keys. If successful, the gained plaintexts and keys (together with other information, cf.
memory address scrambling) enable or support further attacks: calculating the physical location of other ciphertexts in memory, understanding data read from the memory or the data bus, reconstructing their logical addresses, re-engineering the executed program and so forth.
These physical attacks may be conducted at different points of the TOE implementation as illustrated in
figure 4. The yellow ochre arrows indicate physical attacks, the blue arrows indicate passive and the red arrows indicate active access to the plaintexts
and ciphertexts.
Figure 4: Memory attack scenarios
Passive physical attacks may bypass the encryption; they include but are not limited to the following:
(1) Reading the plaintext addresses from the address bus segments between the CPU and the
MMU or between the MMU and the address encryption module during reading or writing
the data under attack bypasses the address encryption.
(2) Reading the plaintext data from the plaintext data bus segment during reading or writing the
data under attack bypasses the data encryption. Note this bypass of data encryption reads
plaintext blocks in the sequence they are used by the CPU. This information may be sufficient for reconstruction of the logical addresses and therefore bypass the address encryption
as well.
(3) Reading the plaintext data from the plaintext data bus segment and the plaintext addresses
on the bus segments during reading or writing the data under attack bypasses the memory
encryption.
(4) Reading of the data decryption key components from the key storage, reading the addresses
from the plaintext address bus segments, and reading the ciphertext with their physical addresses bypass the memory encryption.
(5) Reading of the data decryption key components and the address encryption key components
from the key storage, and reading the ciphertext with their physical addresses bypass the
memory encryption.
Passive physical attacks may provide prerequisites for cryptanalytic attacks which include but are
not limited to the following:
(1) Reading data on the ciphertext data bus segment provides encrypted data for ciphertext only
attacks on data encryption using redundancy within data blocks without consideration of relationship between plaintext data blocks.
(2) Reading addresses on the ciphertext address bus segment provides encrypted physical addresses for ciphertext only attacks on address encryption using redundancy within address
sequences in the executed program. Note that in some cases (e. g. RAM) the attacker may determine the location of the memory cells actually read or written by direct optical inspection through the
light emission of hardware activities.
(3) Reading of stored data with their physical addresses directly from the memory provides encrypted data and encrypted addresses for ciphertext only attacks on memory encryption
(even when the TOE is switched off). This attack on memory encryption implies attacks on
data encryption and address encryption.
(4) Reading data on the ciphertext data bus segment and reading addresses on the ciphertext address bus segment when the TOE is running provide encrypted data and encrypted addresses
for ciphertext only attacks on memory encryption.
(5) Reading data from the plaintext data bus segment and reading data from the ciphertext data
bus segment when the TOE is running provide plaintext-ciphertext pairs for known plaintext
attacks on the data encryption without consideration of relationship between plaintext data
blocks.
(6) Reading of addresses from the address bus segments between the CPU and the MMU or between the MMU and the address encryption module, and reading of addresses from the ciphertext address bus segment when the TOE is running provide plaintext-ciphertext pairs for
known plaintext attacks on address encryption.
(7) Reading of plaintext data, ciphertext data, plaintext addresses and ciphertext addresses from
the respective bus segments when the TOE is running provides plaintext-ciphertext pairs for
known plaintext attacks on memory encryption with consideration of the relationship between
data blocks. This attack on memory encryption aims at the reconstruction of the keys used for
data encryption and address encryption. If successfully performed, it allows reconstruction of plaintexts from ciphertexts and physical addresses read from encrypted memory.
Note that the attacker may gain information about plaintext data and plaintext addresses from other
sources as well, e. g. if the code executed during reading the data or addresses is known or may be
guessed. These attack scenarios depend on the operational environment of the security integrated
circuit or the embedded software of the smartcard or other devices as TOE.
Active physical attacks may manipulate stored data in the memory, data transferred on the data bus,
the address on address bus or within the cryptomodules. They may provide prerequisites for additional cryptanalytic attacks which include but are not limited to the following:
(1) Modification of data on the plaintext data bus segment and reading of data on the ciphertext
data bus segment provide plaintext-ciphertext pairs for chosen plaintext attacks on data encryption.
(2) Modification of data on the ciphertext data bus segment and reading of data on the plaintext
data bus segment provide plaintext-ciphertext pairs for chosen ciphertext attacks on data encryption.
(3) Modification of addresses on the address bus segments between the CPU and the MMU or
between the MMU and the address encryption module, and reading of the encrypted addresses on the
ciphertext address bus segment provide plaintext-ciphertext pairs for chosen
plaintext attacks on address encryption.
(4) Modification of memory content and reading of corresponding data on the plaintext data bus
segment when the manipulated memory part is read, provide plaintext-ciphertext pairs for
chosen ciphertext attacks on data encryption.
(5) Manipulation of the key storage in order to cause errors or generate related keys.
Note chosen ciphertext attacks are not possible for address encryption because decryption algorithms are not implemented. Chosen ciphertext attacks for read-only memory require physical manipulation of the memory content.
The attacker may use specific behaviour of the TOE in cases of manipulation or perturbation, which
includes but is not limited to the following examples:
(1) Reset of a smartcard forces the CPU to start program execution at logical address 0.
(2) If the CPU reads program code 0x00 the CPU will execute “no operation” (i. e. assembler
code NOP) and reads the code byte from the next logical address.
In summary it can be said that the vulnerability analysis of the non-cryptographic memory protection provides
• the base of the decision whether the vulnerability analysis of the memory encryption will be
performed or not,
• the goal of the cryptanalysis of memory encryption to determine whether the cryptographic
mechanisms fill the gap to the claimed resistance, and
• the conditions and the criteria of success for the cryptanalytic attacks.
As a general rule one may observe that the effort of the physical attacks providing the necessary conditions for the cryptanalytic attacks and the effort of the cryptanalytic attacks themselves are antagonistic:
• easy physical attacks enable only more difficult cryptanalytic attacks based on limited information, e. g. reading ROM provides ciphertext data and ciphertext addresses only, which requires attacking the data and address encryption schemes simultaneously,
• comfortable cryptanalytic attacks require complex and therefore expensive (in terms of attack potential) physical attacks, e. g. chosen plaintext attacks require active and passive attacks at two different places in the device.
4.2 Identification of potential vulnerabilities of memory encryption
The vulnerability analysis of the memory protection will be performed by the evaluator in one step
or two steps. In the first step the evaluator analyses the potential vulnerabilities and the resistance of
the memory against attacks if only the protection provided by the non-cryptographic security mechanisms is taken into account. Note in the first step of the vulnerability analysis the evaluator bears in
mind the existence of the memory encryption but does not assess the contribution to resist attacks.
If the evaluator finds potential vulnerabilities where the non-cryptographic security countermeasures
alone are not sufficient to resist attacks with the attack potential claimed in the security target, then the
evaluator will extend the vulnerability analysis in the second step, analysing potential vulnerabilities
and assessing the effectiveness of the cryptographic security countermeasures. The results of the assessment of the cryptographic security countermeasures will be taken into account for the assessment of the complex attacks on the data stored in the memory.
Because of the limited resources available for memory encryption and the potential vulnerability of the keys and the cryptographic module itself to direct
physical attacks, the memory encryption cannot ensure the security strength expected for communication encryption, but it may increase the necessary attack potential to the
claimed level of resistance.
The evaluator shall perform an independent focused or methodical vulnerability analysis of the
TOE according to the AVA component claimed in the security target. This analysis shall identify
potential vulnerabilities of the TOE.
Typical potential vulnerabilities of memory encryption are the following.
(1) Keys allow for brute-force attacks.
The brute force attack tries all possible cryptographic keys for decryption of given ciphertexts in order to find a key providing the corresponding plaintext. Note that for brute force attacks
the attacker needs reliable criteria for checking the correct key, such as redundant plaintexts or ideally plaintext-ciphertext pairs. The attacker will succeed if the set of possible keys is small
enough (e. g. because of short keys) or the insufficient entropy used for key generation enables an effective key guessing strategy (cf. [KS2011]). Key generation by means of an appropriately strong true random number generator ensures the maximum guessing effort depending
on the key length (cf. [RNG]). The amount of keys the attacker may guess depends on the time
and equipment available for the attack (cf. chapter 4.3).
(2) Low complexity of the cryptographic algorithm allows for algebraic attacks.
The cryptographic modules implement simple cryptographic algorithms due to the limited
resources provided for the implementation of the cryptographic modules and the limited time available for the
cryptographic operations. The low complexity of the cryptographic algorithm may allow the
attacker to calculate the key directly from known plaintext-ciphertext pairs by solving
the equations between plaintext, ciphertext and keys, to approximate these equations by linear equations, to split the key into parts which can be calculated separately, and so forth.
Note that simplified cryptographic algorithms derived from strong cryptographic algorithms may
be weaker than a quick glance suggests.
(3) Incorrect implementation results in cryptographic weaknesses.
Only a correct implementation can reach the theoretically expected cryptographic strength
of the algorithm. The security of a cryptographic module is very sensitive to implementation
errors. Similar but incorrect implementations of the algorithm may have a cryptographic impact
unforeseen by the developer, which is unlikely to increase the security and normally results
in weak or unknown security.
(4) Insecure implementation bypasses cryptographic strength.
Even a correct algorithmic implementation may be insecure because of side channels, proneness to
failure and information leakage in case of perturbation, and so forth.
In addition to potential vulnerabilities the evaluator may determine missing assurance of the memory encryption.
(5) Proprietary algorithms are not sufficiently analysed.
The developer may implement proprietary algorithms for memory encryption because their
internal use does not require interoperability. The vulnerability analysis may find obvious
vulnerabilities, but the evaluation framework cannot afford a comprehensive cryptographic
analysis of a proprietary algorithm to demonstrate sufficient strength. The developer is in
charge of the cryptanalysis of its proprietary algorithms, which may be very specific and
therefore expensive. The lack of evidence of cryptographic strength may result in an inconclusive verdict of the vulnerability analysis of the memory encryption.
The focused or methodical vulnerability analysis for AVA_VAN.3 to AVA_VAN.5 includes the search for publicly available information about potential vulnerabilities. The method of identification applied depends on the evaluator's experience and knowledge, which is monitored and controlled by the evaluation authority. The evaluator is assumed to have knowledge of the TOE-type technology and of known security flaws as documented in the public domain (cf. CEM para. 1925, 1927). The vulnerability analysis shall use the CC evaluation scheme documents.
The search is expected to include
• proceedings of cryptologic conferences and workshops, e. g. organized by or in cooperation with the International Association for Cryptologic Research (IACR), cf. the home page www.iacr.org,
• cryptologic publications like the Cryptology ePrint Archive, cf. http://eprint.iacr.org.
Note that the publicly available sources will usually describe cryptanalytic methods rather than directly applicable cryptanalytic attacks on the memory encryption under evaluation, especially in the case of proprietary cryptographic algorithms. The application of the cryptanalytic methods to the concrete cryptographic algorithms depends on the expertise of the attacker, and its assessment requires cryptologic knowledge and expertise of the evaluator.
The search for vulnerabilities of the memory encryption may start from different points of view: from potential physical vulnerabilities or from potential cryptographic vulnerabilities, from data encryption or from address encryption. The evaluator should analyse the physical attack part first in order to determine the conditions for the cryptanalytic attack on data encryption, address encryption or both together: probabilistic guesses of plaintext-ciphertext pairs, known plaintext-ciphertext pairs, chosen plaintext or chosen ciphertext. When these conditions are clearly understood, the evaluator may analyse whether the cryptographic algorithm is vulnerable under these conditions. The evaluator may also know potential cryptanalytic attacks against data encryption or address encryption and analyse whether they can be practically mounted under the specific conditions. The attacker may use the redundancy within the plaintext data blocks and then use dependencies between the plaintext data blocks. In many cases the evaluator will combine these approaches.
4.3 Characterization of the attack potential for cryptanalytic attacks on memory encryption
The work unit AVA_VAN.x.11 (cf. CEM and AIS34) requires the evaluator to examine the results of all penetration testing to determine that the TOE, in its operational environment, is resistant to an attacker possessing the attack potential claimed in the security target. The vulnerability analysis of memory encryption performed by the evaluators assesses the cryptanalytic attack effort as part of the effort of a complex attack on the memory that provides all necessary conditions for the cryptanalytic attack and violates a security functional requirement. But this vulnerability analysis neither requires nor claims to be a comprehensive cryptanalysis of the memory encryption. The certification body shall review the vulnerability assessment of the memory protection, including the vulnerability analysis of memory encryption as its part. The confirmation of the resistance against attacks on the memory protection cannot be seen as a general confirmation of the cryptographic strength of the memory encryption scheme.
The attack potential calculation for smartcards and similar devices distinguishes between the identification phase and the exploitation phase of an attack (cf. [SDAP]).
The identification phase of a cryptanalytic attack may include
• the determination of the fixed parts of the cryptographic algorithms implemented in the cryptographic modules of the memory encryption, e. g. from publicly available information or by reconstruction by means of cryptanalytic methods,
• the reconstruction of the variable parts of the cryptographic algorithms implemented in the cryptographic modules which are valid for the TOE under attack in the exploitation phase but also implemented in TOE instantiations available in the identification phase, e. g. long-term keys or group keys,
• the adaption of publicly known cryptanalytic attacks or the development of specific cryptanalytic attacks on the memory encryption algorithms,
• the development of tools for the cryptanalytic attacks applicable to the memory encryption algorithms.
Note that the identification phase may provide keys valid for the TOE samples available in the identification phase but not the device-individual keys used for the concrete TOE under attack in the exploitation phase. E. g. the developer chooses the substitution boxes of a block cipher for each customer-specific instantiation of the TOE from a well-defined set of permutations. The attacker may reconstruct a subset of substitution boxes as long-term keys in the identification phase but must identify the concrete substitution boxes used for the TOE sample under attack. The attack effort clearly depends on the number of TOE samples implementing the same key and the availability of these samples for attacks.
In the exploitation phase the attacker applies the cryptanalytic attacks developed in the identification phase to attack concrete TOE samples. The attacker may use the information gained and the tools developed by himself or provided by another attacker. The cryptanalytic attack aims at assets stored in the memory of the TOE samples under attack:
• the reconstruction of information encoded in the plaintext for a given ciphertext, enabling or supporting other attacks on the TOE,
• the reconstruction of prior unknown plaintexts for given ciphertexts of the TOE sample without reconstruction of the used cryptographic key,
• the reconstruction of prior unknown keys, enabling the reconstruction of the plaintext from given ciphertext of the TOE sample.
E. g. if the ROM encryption uses ROM keys which are different for each customer photo mask but the same for all products produced with the same photo mask, the attacker will reconstruct the specific ROM key in order to decrypt the ciphertext read from the ROM of the TOE sample under attack. If the dedicated software stored in this ROM is partly known from other sources (e. g. other chips), this information may be used to reconstruct the specific ROM key and to decrypt ciphertext parts read from the ROM that contain prior unknown plaintext of the embedded software.
The calculation of the attack potential required to exploit a vulnerability is generally defined in CEM Annex B chapter 4.2 by the following factors:
a) Time taken to identify and exploit (Elapsed Time);
b) Specialist technical expertise required (Specialist Expertise);
c) Knowledge of the TOE design and operation (Knowledge of the TOE);
d) Window of opportunity;
e) IT hardware/software or other equipment required for exploitation.
These factors are described in more detail and extended with the factor “Open samples” for the technical domain smartcards in CCDB-2009-03-001 [SDIC]. The document on hand describes further details for the factors “Specialist Expertise”, “Knowledge of the TOE” and “IT hardware/software or other equipment” applicable to the cryptanalysis of memory encryption in the context of the vulnerability analysis of the memory protection. It additionally gives clarification about the use of open samples. For the factors “Elapsed Time” and “Access to TOE”³ no further details are provided. The points assigned to the defined categories of the factors in [SDIC] are not changed.
Note that cryptanalysis normally assesses the attack effort as a trade-off between time and memory for the calculation under the condition that all fixed parts of the cryptographic scheme are known. The evaluator is searching for the best attack minimizing the attack effort as a trade-off between
• IT hardware/software or other equipment, which includes aspects of memory and time of calculation,
• Elapsed Time, including the time for the cryptanalytic calculation but also the time for identification of the attack,
• Specialist Expertise on different levels, but always assumed as Expert in the cryptanalysis,
• under different conditions given by Knowledge of the TOE.
The factor “Specialist Expertise” refers to the level of generic knowledge of the underlying principles, product type or attack methods (cf. CEM para. 1973). For the vulnerability analysis of memory encryption this factor applies to the specific cryptanalytic knowledge of the attacker necessary to perform the cryptanalytic attack.
The expertise level “Laymen” is applicable to attackers without particular cryptanalytic knowledge but able to apply publicly available tools (cf. factor Standard equipment). The “Proficient” level of expertise assumes the knowledge and understanding of publicly known cryptanalytic attacks needed to adapt them to the specific algorithms of the TOE memory encryption. As an example one may think of the application of differential cryptanalysis to a block cipher with a customer-specific substitution box. It is expected that the expert level will be required as a minimum for the development of Specialized equipment as defined below. The “Expert” level attacker is familiar with and able to develop specific cryptanalytic attacks for proprietary algorithms. The development of specific cryptanalytic attacks on the memory encryption of the TOE may require deep knowledge and experience of cryptanalytic techniques. The Expert is required if a prior unknown complex cryptographic algorithm must be reconstructed by cryptanalytic attacks instead of re-engineering the cryptographic module from the TOE itself (cf. factor Knowledge of the TOE). It is expected that the Expert level will be required for effective usage of Bespoke equipment as defined below.
The factor “Specialist Expertise“ shall be applied for memory encryption as summarized in table 5.
³ [SDIC] uses the term “Access to TOE” instead of “Window of opportunity” in [CEM].
Level | Definition according to CEM chapter B.4.2 | Detailed definition to be used in smartcard evaluations (cf. CCDB-2009-03-001 [SDIC]) | Detailed definition to be used in memory encryption analysis
Laymen | No particular expertise | No particular expertise | No particular expertise. Application of publicly available tools to perform publicly known attacks only.
Proficient | Familiar with security behaviour of the TOE | Familiar with security behaviour of the TOE and classical attacks | Familiar with and able to adapt publicly known cryptanalytic attacks to specific algorithms.
Expert | Familiar with implemented algorithms, protocols and hardware structures of the TOE; and principles and concepts of security | Familiar with developers' knowledge, namely algorithms, protocols, hardware structures, principles and concepts of security; and techniques and tools for the definition of new attacks | Familiar with and able to develop specific cryptanalytic attacks for proprietary algorithms
Table 5: Expertise of the attacker
The factor “Knowledge of the TOE” is concerned with the information required for an attacker to be able to attack a TOE (cf. CEM para. 1983). Here this factor relates to the details and the protection of information about the cryptographic modules, the variable parts of the cryptographic algorithms and the data necessary for the cryptographic attack. The knowledge can be gained from the development side, from the documentation provided to the users (e. g. the application developer of a composite product), from public sources or by re-engineering of TOE samples. The evaluator should consult the developer's security policy and the protection of the relevant TOE knowledge in order to confirm the assumed level (cf. ALC_DVS evaluator activities). The evaluator shall consider the other results of the vulnerability analysis in order to assess the attack effort for reconstruction of the necessary information by re-engineering of the TOE samples and memory protection.
The level “Public” relates to information available in the public domain. Note that public information may include information in general or even for the TOE, e. g. cryptographic algorithms of the memory encryption, cryptanalytic attacks, compromised long-term or group keys, plaintext of stored data. The levels “Restricted”, “Sensitive” and “Critical” address the protection of the information in the development environment. Table 6 provides typical examples of information expected under this protection. The evaluator is reminded that this information may also be gained from the TOE sample under attack by non-cryptographic and cryptanalytic attacks. Cryptanalytic attacks without prior knowledge of the used cryptographic algorithm are possible only in rare cases of weak encryption schemes or by Experts reconstructing the encryption scheme. Note that the level “Very critical hardware design” will not be used for the knowledge of the TOE related to cryptanalytic attacks because this knowledge relates to the logical functionality of the TOE only.
The factor “Knowledge of the TOE” shall be applied for memory encryption as shown in table 6.
Level | Definition according to CEM chapter B.4.2 | Detailed definition to be used in smartcard evaluations (cf. CCDB-2009-03-001 [SDIC]) | Detailed definition to be used in memory encryption analysis
Public | Public information concerning the TOE (e. g. as gained from the Internet) | This is information in the public domain. | Cryptographic algorithms of the memory encryption if they are publicly available.
Restricted | Restricted information concerning the TOE (e. g. knowledge that is controlled within the developer organization and shared with other organizations under a non-disclosure agreement) | This corresponds to assets which are passed about during the various phases of smartcard development. | Proprietary algorithm if described in documentation like functional specification or guidance documentation
Sensitive | Sensitive information about the TOE (e. g. knowledge that is shared between discrete teams within the developer organization, access to which is constrained only to members of the specified teams) | TOE design on the level of subsystems and modules (HLD and LLD information) | Proprietary algorithm if not described in customer documentation
Critical | Critical information about the TOE (e. g. knowledge that is known by only a few individuals, access to which is very tightly controlled on a strict need-to-know basis and individual undertaking) | Implementation representation (design and source code) | Long-term keys like substitution boxes, group keys
Very critical hardware design | (not defined) | Information contained in databases and bespoke development tools. The access to useful data requires an enormous and time-consuming effort which would make detection likely even with the support from an insider. | (not applicable)
Table 6: Knowledge of the TOE
The factor “IT hardware/software or other equipment” refers to the equipment required to identify or exploit a vulnerability (cf. CEM para. 1982) and takes the equipment category, price and availability into account (cf. [SDIC] para. 35). The rating “None” is applicable only if the calculation may be performed by hand (e. g. if xoring ciphertext and plaintext provides the key). The definition of “Standard equipment” includes a personal computer or workstation with publicly available software implementing standard cryptanalytic attacks, including support for calculation on GPUs and clusters. It takes into account that there are publicly available tools that implement standard cryptanalytic techniques for standard cryptographic algorithms and do not require cryptanalytic knowledge of the attacker. The rating “Specialized” equipment includes tools developed for proprietary cryptographic algorithms, adapted for cryptanalytic attacks to specific prerequisites of the TOE, or running on publicly available non-standard computers. Specialized tools may be developed in the identification phase and be readily available to the attacker in the exploitation phase. “Bespoke” tools are not readily available to the public as they may need to be specially produced or their distribution is controlled, possibly even restricted. Examples of Bespoke equipment for cryptanalytic attacks are special hardware devices with special software for cryptanalytic calculations, e. g. a non-standard key cruncher.
The factor “IT hardware/software or other equipment” shall be applied for memory encryption as summarized in table 7.
Level | Definition according to CEM chapter B.4.2 | Detailed definition to be used in smartcard evaluations (cf. CCDB-2009-03-001 [SDIC]) | Detailed definition to be used in memory encryption analysis
None | | | No equipment needed, e. g. for calculation performed by hand.
Standard | Standard equipment is readily available to the attacker, either for the identification of a vulnerability or for an attack. | cf. CEM for definition and [SDIC] for examples. | Publicly available software for PC implementing standard cryptanalytic attacks, including support for calculation on GPU and cluster.
Specialized | Specialised equipment is not readily available to the attacker, but could be acquired without undue effort. | This type of equipment shall be considered as the type of expensive equipment which universities have in their possession, cf. [SDIC] for examples. | Non-publicly available tools developed for a proprietary algorithm but acquired without undue effort.
Bespoke | Bespoke equipment is not readily available to the public as it may need to be specially produced (e. g. very sophisticated software), or because the equipment is so specialised that its distribution is controlled, possibly even restricted. Alternatively, the equipment may be very expensive. | cf. [SDIC] | Special hardware devices with special software for cryptanalytic calculations.
Table 7: Equipment
[SDIC] introduces the factors “Open samples” and “Samples with known secrets” for the technical domain smartcards in the context of composite evaluations [SDCE]. Open samples allow the composite evaluator to put software on the hardware platform at his own discretion that bypasses countermeasures prescribed in the IC guidance. Samples with known secrets refers to a TOE for which the evaluator knows or can define one or more pieces of secret data, such as a PIN or key, for performing either passive (monitoring) or fault attacks. Open samples or Samples with known secrets available to an attacker enable specific attack paths and support the re-engineering of security features of the TOE. Open samples and Samples with known secrets will be of relevance for the vulnerability analysis of memory encryption in very special cases only. E. g. if the memory encryption may be enabled and disabled, Open samples allow malicious software running on the TOE to get direct access to the ciphertext stored in the memory, yielding the known-plaintext-ciphertext pairs, chosen-plaintext-ciphertext pairs or plaintext-chosen-ciphertext pairs used by cryptanalytic attacks. Samples with known secrets may be used to generate templates for side channel analysis of the memory encryption.
The evaluator shall calculate the attack potential necessary for all identified successful attack paths.
The easiest case of a cryptanalytic attack is the exhaustive key search, which provides an upper bound of the time and memory complexity of the attacks in terms of the factors “Elapsed time”, “IT hardware/software or other equipment” and “Specialist Expertise” (necessary to handle the equipment), assuming the necessary plaintext-ciphertext pairs are given but without consideration of cryptanalytic vulnerabilities of the cryptographic algorithms allowing for more effective attacks. The evaluator may use a coarse estimation of the number of keys an attacker may try per second based on brute force attacks on 128-bit AES as follows:
• 1 personal computer: about 10^8 keys per second,
• 1 graphical processor unit (GPU): 4*10^8 keys per second,
• 1 FPGA running at 200 MHz: 2*10^8 keys per second, and
• 1 special device with about 2500 FPGAs: 1.2*10^11 keys per second.
A special personal computer may run with 4 GPUs. The number of keys tried per second depends on the efficiency of the implementation of the cryptographic algorithm. Some algorithms are designed for high-speed software implementations like AES; other algorithms are more time consuming, e. g. if they require bit permutations. Note that the brute force attack can be organized in parallel on several devices. The vulnerability analysis should consider that the range of equipment at the disposal of a potential attacker is constantly improving.
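As an added worked example (not part of the BSI document), the following Python script turns the key-trial rates quoted above into the expected elapsed time of an exhaustive key search for a given key length and amount of parallel equipment, and inverts the estimate to answer which key length an attacker can expect to search within a given elapsed time. The equipment labels in `KEY_RATES` and the `speed_factor` scaling for ciphers slower than AES are assumptions of this example, not figures from the document.

```python
"""Exhaustive key search as an upper bound on cryptanalytic attack effort.

Added example, not from the BSI document. The per-device rates are the
document's rough figures for brute force on 128-bit AES; the equipment
labels and the speed_factor parameter are assumptions of this example.
"""
import math

# keys per second per device, as quoted in the document (assumed labels)
KEY_RATES = {
    "pc": 1e8,                  # 1 personal computer
    "gpu": 4e8,                 # 1 graphical processor unit
    "fpga_200mhz": 2e8,         # 1 FPGA at 200 MHz
    "fpga_cluster_2500": 1.2e11,  # special device with about 2500 FPGAs
}

SECONDS_PER_DAY = 86400.0
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def effective_rate(equipment: str, units: int = 1, speed_factor: float = 1.0) -> float:
    """Aggregate trial rate of `units` devices of one class running in parallel.

    speed_factor < 1 models a cipher that is slower to evaluate than AES
    (e.g. one built on bit permutations); it is an assumed scaling.
    """
    if units < 1 or speed_factor <= 0:
        raise ValueError("units must be >= 1 and speed_factor > 0")
    return KEY_RATES[equipment] * units * speed_factor


def expected_search_seconds(key_bits: int, rate: float) -> float:
    """Expected time until the key is found: on average half the key space is tried."""
    if key_bits < 1:
        raise ValueError("key_bits must be positive")
    return (2 ** (key_bits - 1)) / rate


def worst_case_search_seconds(key_bits: int, rate: float) -> float:
    """Time to exhaust the whole key space (the hard upper bound)."""
    if key_bits < 1:
        raise ValueError("key_bits must be positive")
    return (2 ** key_bits) / rate


def max_key_bits_within(seconds: float, rate: float) -> int:
    """Largest key length whose expected search finishes within `seconds`.

    Expected success needs 2^(k-1) trials, so k <= log2(2 * trials).
    """
    keys_tried = seconds * rate
    if keys_tried < 1:
        return 0
    return math.floor(math.log2(2 * keys_tried))


def describe(key_bits: int, equipment: str, units: int = 1, speed_factor: float = 1.0) -> str:
    """Human-readable expected search time for one configuration."""
    seconds = expected_search_seconds(key_bits, effective_rate(equipment, units, speed_factor))
    prefix = f"{key_bits}-bit key, {units} x {equipment}: about "
    if seconds < SECONDS_PER_DAY:
        return prefix + f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return prefix + f"{seconds / SECONDS_PER_DAY:.1f} days"
    return prefix + f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    for bits in (48, 56, 64, 80, 128):
        for eq, n in (("pc", 1), ("gpu", 4), ("fpga_cluster_2500", 1)):
            print(describe(bits, eq, n))
    print("key bits searchable in one year on one PC:",
          max_key_bits_within(SECONDS_PER_YEAR, effective_rate("pc")))
```

The script deliberately reports the expected (half key space) time rather than only the worst case, because that is the figure that enters the Elapsed Time factor; the `max_key_bits_within` inverse is handy when the question is whether a given key length of a proprietary scheme is already within reach of Standard equipment over the assumed attack window.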
Literature
General literature
[CC] Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July 2009; Part 1: Introduction and General Model, CCMB-2009-07-001; Part 2: Security Functional Requirements, CCMB-2009-07-002; Part 3: Security Assurance Requirements, CCMB-2009-07-003
[CEM] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 3, July 2009, CCMB-2009-07-004
[SDCE] Supporting Document, Mandatory Technical Document: Composite product evaluation for Smart Cards and similar devices, Version 1.0, Revision 1, September 2007, CCDB-2007-09-001
[SDAP] Supporting Document, Mandatory Technical Document: Application of Attack Potential to Smartcards, Version 2.7, Revision 1, March 2009, CCDB-2009-03-001
[SDIC] Supporting Document, Mandatory Technical Document: Application of CC to Integrated Circuits, Version 3.0, March 2009, CCDB-2009-03-002
[SDSE] Supporting Document, Guidance: Smartcard Evaluation, Version 2.0, February 2010, CCDB-2010-03-001
[AIS34] AIS34: Evaluation Methodology for CC Assurance Classes for EAL5+ (CC v2.3 & v3.1) and EAL6 (CC v3.1), Version 3, BSI, 03.09.2009
[RNG] Evaluation of random number generators, Version 0.8, BSI, 2011
[KS2011] W. Killmann, W. Schindler: „A proposal for: Functionality classes for random number generators“, Version 2.0, September 18, 2011
[ISO7498] ISO 7498-2:1989 Information processing systems – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture
Cryptologic literature
[1] A. J. Menezes, P. van Oorschot, and S. Vanstone: Handbook of Applied Cryptography, CRC Press, 1997
[2] E. Biham, A. Shamir: Differential Cryptanalysis of DES-like Cryptosystems, Advances in Cryptology, Proceedings of CRYPTO ’90, Lecture Notes in Computer Science 537, pp. 2–21, Springer-Verlag, 1991
[3] L. R. Knudsen: Truncated and Higher Order Differentials, Proceedings of Fast Software Encryption 2, Lecture Notes in Computer Science 1008, pp. 196–211, Springer-Verlag, 1995
[4] N. Courtois and G. V. Bard: Algebraic Cryptanalysis of the Data Encryption Standard, in Cryptography and Coding, 11th IMA Conference, Cirencester, UK, 2007
[5] N. Courtois, G. V. Bard, and D. Wagner: Algebraic and slide attacks on KeeLoq, Fast Software Encryption – FSE 2008, Lecture Notes in Computer Science, pp. 97–115, Springer-Verlag, Berlin, Germany, 2008
[6] D. Khovratovich and I. Nikolić: Rotational cryptanalysis of ARX, Proceedings of the 17th International Conference on Fast Software Encryption (FSE ’10), Seokhie Hong and Tetsu Iwata (Eds.), Springer-Verlag, Berlin, 2010
[7] M. Matsui: Linear Cryptanalysis Method for DES Cipher, Abstracts EUROCRYPT ’93, pp. W112–W123, May 1993
[8] J. Y. Cho: Linear Cryptanalysis of Reduced-Round PRESENT, The Cryptographers’ Track at the RSA Conference (CT-RSA 2010), pp. 302–317, 2010
[9] N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting: Improved Cryptanalysis of Rijndael, Proceedings of the 7th International Workshop on Fast Software Encryption (FSE ’00), Bruce Schneier (Ed.), Springer-Verlag, London, UK, pp. 213–230, 2000
[10] A. Biryukov and D. Wagner: Slide Attacks, Proceedings of the 6th International Workshop on Fast Software Encryption (FSE ’99), Lars R. Knudsen (Ed.), Springer-Verlag, London, UK, pp. 245–259, 1999
[11] D. Wagner: The Boomerang Attack, Proceedings of the 6th International Workshop on Fast Software Encryption (FSE ’99), Lars R. Knudsen (Ed.), Springer-Verlag, London, UK, pp. 156–170, 1999
[12] J. Kelsey, T. Kohno, and B. Schneier: Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent, Proceedings of the 7th International Workshop on Fast Software Encryption (FSE ’00), Bruce Schneier (Ed.), Springer-Verlag, London, UK, pp. 75–93, 2000
[13] E. Biham: New types of cryptanalytic attacks using related keys, Workshop on the Theory and Application of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT ’93), Tor Helleseth (Ed.), Springer-Verlag New York, Secaucus, NJ, USA, pp. 398–409, 1994
[14] E. Biham, A. Biryukov, and A. Shamir: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, Proceedings of the 17th International Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT ’99), Jacques Stern (Ed.), Springer-Verlag, Berlin, Heidelberg, pp. 12–23, 1999
[15] B. Collard and F.-X. Standaert: A Statistical Saturation Attack against the Block Cipher PRESENT, Proceedings of the Cryptographers’ Track at the RSA Conference 2009, Topics in Cryptology (CT-RSA ’09), Marc Fischlin (Ed.), Springer-Verlag, Berlin, Heidelberg, pp. 195–210, 2009
[16] T. Jakobsen and L. R. Knudsen: The Interpolation Attack on Block Ciphers, Proceedings of the 4th International Workshop on Fast Software Encryption (FSE ’97), Eli Biham (Ed.), Springer-Verlag, London, UK, pp. 28–40, 1997
[17] A. Bogdanov and V. Rijmen: Zero-Correlation Linear Cryptanalysis of Block Ciphers, Cryptology ePrint Archive, Report 2011/123, http://eprint.iacr.org/2011/123, 2011
[18] X. Zhuang, T. Zhang, and S. Pande: HIDE: an infrastructure for efficiently protecting information leakage on the address bus, Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-XI), ACM, New York, NY, USA, pp. 72–84, DOI=10.1145/1024393.1024403, http://doi.acm.org/10.1145/1024393.1024403, 2004
[19] L. Gao, J. Yang, M. Chrobak, Y. Zhang, S. Nguyen, and H.-H. S. Lee: A low-cost memory remapping scheme for address bus protection, Proceedings of the 15th International Conference on Parallel Architectures and Compilation Techniques (PACT ’06), ACM, New York, NY, USA, pp. 74–83, DOI=10.1145/1152154.1152169, 2006
[20] X. Zhuang, T. Zhang, H.-H. S. Lee, and S. Pande: Hardware assisted control flow obfuscation for embedded processors, Proceedings of the 2004 International Conference on Compilers, Architecture, and Synthesis for Embedded Systems (CASES ’04), ACM, New York, NY, USA, pp. 292–302, DOI=10.1145/1023833.1023873, http://doi.acm.org/10.1145/1023833.1023873, 2004
[21] M. Albrecht and C. Cid: Algebraic Techniques in Differential Cryptanalysis, Fast Software Encryption (FSE 2009), Orr Dunkelman (Ed.), Lecture Notes in Computer Science, Vol. 5665, Springer-Verlag, Berlin, Heidelberg, pp. 193–208, 2009
[22] L. Yang, M. Wang, and S. Qiao: Side Channel Cube Attack on PRESENT, Proceedings of the 8th International Conference on Cryptology and Network Security (CANS ’09), Juan A. Garay, Atsuko Miyaji, and Akira Otsuka (Eds.), Springer-Verlag, Berlin, Heidelberg, pp. 379–391, 2009
[23] M. Dworkin, National Institute of Standards and Technology (U.S.): Special Publication 800-38, Recommendation for block cipher modes of operation: the XTS-AES mode for confidentiality on block-oriented storage devices, 2009
[24] P. Rogaway: Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC, Asiacrypt 2004, LNCS vol. 3329, Springer, 2004
[25] M. Renauld, F.-X. Standaert: Algebraic Side-Channel Attacks, Cryptology ePrint Archive, Report 2009/279, http://eprint.iacr.org/2009/279, 2009
[26] A. Bogdanov, C. Rechberger: A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN, Selected Areas in Cryptography, 17th Annual International Workshop (SAC 2010), Lecture Notes in Computer Science (LNCS) vol. 6544, A. Biryukov, G. Gong, and D. R. Stinson (Eds.), pp. 229–240, Springer-Verlag, 2011
[27] T. Jakobsen and L. R. Knudsen: The Interpolation Attack on Block Ciphers, Proceedings of the 4th International Workshop on Fast Software Encryption (FSE ’97), Eli Biham (Ed.), Springer-Verlag, London, UK, pp. 28–40, 1997
[28] I. Dinur and A. Shamir: Cube Attacks on Tweakable Black Box Polynomials, Proceedings of the 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT ’09), Antoine Joux (Ed.), Springer-Verlag, Berlin, Heidelberg, pp. 278–299, 2009
[29] M. Liskov, R. L. Rivest, and D. Wagner: Tweakable Block Ciphers, Proceedings of the 22nd Annual International Cryptology Conference, Advances in Cryptology (CRYPTO ’02), Moti Yung (Ed.), Springer-Verlag, London, UK, pp. 31–46, 2002
[30] L. R. Knudsen, M. J. B. Robshaw: The Block Cipher Companion, Springer-Verlag, 2011
[31] A. Joux: Algorithmic Cryptanalysis, CRC Press, 2009
[32] G. V. Bard: Algebraic Cryptanalysis, Springer-Verlag, 2009
[33] A. Bogdanov, G. Leander, L. Knudsen, C. Paar, A. Poschmann, M. Robshaw, Y. Seurin, and C. Vikkelsoe: PRESENT: An Ultra-Lightweight Block Cipher, Cryptographic Hardware and Embedded Systems (CHES 2007), Lecture Notes in Computer Science 4727, pp. 450–466, Springer-Verlag, 2007
[34] M. Vielhaber: Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack, Cryptology ePrint Archive, Report 2007/413
Glossary
The following definitions are closely related to the ones given in [1] and [ISO7498].
Basic Definitions
Asymmetric
cryptographic algorithm
A cryptographic algorithm which uses a key pair for complementary
operations where it is difficult for the adversary to derive one key from
the other key of the same pair.
Avalanche effect
A desirable property of block ciphers. When an input is changed
slightly, then the output changes significantly.
Block cipher
A cipher which encrypts data in blocks of a fixed size.
Cipher
An encryption-decryption algorithm.
Ciphertext
Encrypted data, the semantic content of which is not readily available
(cf. [ISO7498]).
Confusion
Confusion in an encryption process is provided by the substitution
layer in a round of a cryptographic algorithm. Each ciphertext bit has
highly nonlinear dependencies on the plaintext bits and the key bits.
Cryptography
The discipline which embodies principles, means and methods for the
transformation of data in order to hide its information content, prevent
its undetected modification and/or its unauthorized use [ISO7498]
including entity authentication [1].
Cryptology
The study of cryptography and cryptanalysis [1].
Cryptosystem
A system of cryptographic primitives which are used for providing
security services.
Cryptographic module
Cryptographic modules, which contain cryptographic algorithms, are
used in systems for providing cryptographic services.
Decryption
Reverse process of encryption, reconstructing the original data.
Diffusion
Diffusion in an encryption process is provided by the transposition in a
round of a cryptographic algorithm. It is the rearrangement or
dissipation of bits in a message so that any change in the plaintext is
dissipated over the ciphertext.
Encryption
Transforming data into a form in order to hide its information content
and allow only the intended receiver to reconstruct the original form
with use of a cryptographic key.
Feistel network
A symmetric structure used in construction of block ciphers which
enables encryption and decryption algorithms to be highly similar, just
requiring a reverse key schedule for decryption.
Key
Variable parameter which is used in a cryptographic algorithm.
Cryptographic algorithms may use the same key or different keys for
complementary operation like encryption / decryption or
signature-creation / signature-verification.
Mode of operation
Methods for encryption and decryption of a collection of data blocks
using a block cipher.
Permutation
Mathematically, a mapping from a finite set of elements to itself where
each element has one and only one image, i.e. an invertible function
from the finite set to itself. The term is often used in cryptography for
permutation of the position of characters within a string.
Plaintext
Intelligible data, the semantic content of which is available [ISO7498].
Plaintext has not yet been encrypted or is the result of decryption.
Secret sharing
Secret sharing is a method for distributing a secret amongst a group of
participants. This secret can be reconstructed only when a sufficient
number of shares are combined together.
Strict avalanche criterion
A criterion which is satisfied if, whenever a single input bit is
complemented, each of the output bits changes with a probability of 50%.
Substitution
Replacement of groups of bits (symbols) by other groups of bits.
Substitution-permutation network (SP-network)
A series of separate mathematical operations for diffusion and
confusion in block cipher algorithms.
Symmetric-Key Cipher
A cryptographic algorithm which uses same or trivially related keys for
encryption and decryption.
Transposition
Permutation of characters or strings in a ciphertext, e. g. permutation of
the bits in a bit-block, permutation of encrypted bit-blocks in a
ciphertext.
Tweakable block cipher
A construction which uses a publicly known parameter (the tweak) to
randomize the permutations over the data blocks defined by the key of
a block cipher.
Cryptanalysis Related Definitions
Active adversary
A person who can also transmit, alter or delete information on an
unsecured channel.
Advanced active adversary
An active adversary which may additionally use external interfaces of
a cryptographic module (e. g. for a chosen plaintext attack) but does not
know the secret or private key used by the cryptographic module.
Adaptive chosen ciphertext attack
A variant of the chosen ciphertext attack where the attacker can choose
the collection of ciphertexts depending on previous trials.
Adaptive chosen plaintext attack
A variant of the chosen plaintext attack where the attacker can choose
plaintext samples based on previous trials.
Algebraic attack
An attack which represents the encryption process as a set of equations
and recovers the key by solving these equations.
Attack
Successful or unsuccessful attempt for breaking a part or all of a
cryptosystem.
Boomerang attack
An attack method for cryptanalysis of block ciphers based on
differential cryptanalysis.
Chosen ciphertext attack
An attack where the attacker can choose the collection of ciphertexts to
be decrypted.
Chosen plaintext attack
An attack where the attacker can choose the collection of plaintexts to
be encrypted.
Ciphertext only attack
An attack where the attacker has a collection of ciphertexts and their
semantic content.
Cryptanalysis
Use of mathematical techniques to break a cryptosystem.
Data complexity
Number of plaintext-ciphertext pairs needed to execute an attack.
Dictionary attack
A brute-force attack that tries passwords and/or keys from a
pre-compiled list of values.
Differential attack (differential cryptanalysis)
A chosen plaintext attack which relies on analysis of evolution of
differences between two plaintexts.
Difference distribution table (DDT, a.k.a. XOR Table)
A table which represents the number of occurrences of an output
difference of an S-Box for a given input difference.
Differential-linear attack
A mix of both linear cryptanalysis and differential cryptanalysis.
Distinguisher
Some sort of statistical test that shows an imperfect distribution in (for
example) a conventional block cipher.
Distinguishing attack
An attack based on the extraction of information from encrypted data
sufficient to distinguish it from random data.
Exhaustive search (brute-force attack)
An attack where the attacker tries all reasonable possibilities to recover
the key of a cryptosystem.
Integral attack
An attack which is particularly applicable to byte/nibble oriented block
ciphers based on SP networks.
Key recovery
An attacker's attempt for recovering the cryptographic key of a cipher.
Known plaintext attack
An attack where the attacker examines the function that the
cryptographer wants to hide with some or even an extremely large
amount of plaintext and the associated ciphertext.
Linear approximation table (LAT)
A table which identifies input and output relations of an S-Box through
linear approximations.
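As an added illustration of the difference distribution table, the linear approximation table and the strict avalanche criterion defined in this glossary (example code written for this glossary, not part of the BSI document nor of any cipher's reference implementation), the following Python computes all three for the 4-bit S-box of PRESENT [33]. The function names ddt, lat, sac_counts, differential_uniformity and max_linear_bias are this example's own.

```python
# Added example (not from the BSI document): DDT, LAT and strict avalanche
# criterion counts for a 4-bit S-box, evaluated on the PRESENT S-box from [33].
# Function names are this example's own choice.

# PRESENT S-box, S(0)=0xC, S(1)=0x5, ..., as specified in [33]
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def is_bijective(sbox):
    """An invertible S-box maps every input to a distinct output."""
    return sorted(sbox) == list(range(len(sbox)))


def ddt(sbox):
    """Difference distribution table: ddt[dx][dy] counts the inputs x with
    S(x) ^ S(x ^ dx) == dy.  Every row sums to 2^n; row 0 is the trivial
    entry ddt[0][0] == 2^n, and all entries are even because x and x^dx
    contribute the same output difference."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for dx in range(n):
        for x in range(n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def parity(v):
    """XOR of all bits of v (0 or 1)."""
    return bin(v).count("1") & 1


def lat(sbox):
    """Linear approximation table in the bias convention:
    lat[a][b] = #{x : a.x == b.S(x)} - 2^(n-1), where '.' is the bitwise
    inner product.  An entry of 0 means the approximation a.x = b.S(x)
    holds for exactly half of the inputs and carries no information."""
    n = len(sbox)
    half = n // 2
    table = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(n):
            count = sum(1 for x in range(n)
                        if parity(a & x) == parity(b & sbox[x]))
            table[a][b] = count - half
    return table


def differential_uniformity(sbox):
    """Largest DDT entry outside the trivial row dx = 0.  The best
    one-S-box differential then holds with probability value / 2^n."""
    n = len(sbox)
    table = ddt(sbox)
    return max(table[dx][dy] for dx in range(1, n) for dy in range(n))


def max_linear_bias(sbox):
    """Largest |LAT| entry with a non-zero output mask b.  The best linear
    approximation of the S-box then has bias value / 2^n."""
    n = len(sbox)
    table = lat(sbox)
    return max(abs(table[a][b]) for a in range(n) for b in range(1, n))


def sac_counts(sbox, width=4):
    """sac_counts[i][j] counts the inputs x for which flipping input bit i
    flips output bit j.  The strict avalanche criterion is met exactly when
    every entry equals 2^n / 2, i.e. each output bit flips with
    probability 1/2."""
    n = len(sbox)
    table = [[0] * width for _ in range(width)]
    for i in range(width):
        for x in range(n):
            dy = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(width):
                table[i][j] += (dy >> j) & 1
    return table


def satisfies_sac(sbox, width=4):
    half = len(sbox) // 2
    return all(c == half for row in sac_counts(sbox, width) for c in row)


if __name__ == "__main__":
    print("bijective:", is_bijective(PRESENT_SBOX))
    print("differential uniformity:", differential_uniformity(PRESENT_SBOX))
    print("max linear bias:", max_linear_bias(PRESENT_SBOX))
    print("SAC counts (rows: input bit, cols: output bit):")
    for row in sac_counts(PRESENT_SBOX):
        print(" ", row)
    print("strict avalanche criterion met:", satisfies_sac(PRESENT_SBOX))
```

For the PRESENT S-box the largest non-trivial DDT entry is 4 (the best one-S-box differential holds with probability 4/16) and the largest LAT bias is 4 (bias 4/16); both values are the best achievable for an invertible 4-bit S-box. The SAC counts show the difference between the avalanche effect and the strict criterion: flipping input bit 0 flips output bit 0 for all 16 inputs, so output bits do change, but not each with probability exactly 1/2.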
Linear attack (linear cryptanalysis)
A known plaintext attack which uses linear approximations to describe
the behaviour of a block cipher.
Meet-in-the-middle attack
An explicit kind of cryptanalytic attack in which the attacker applies
various keys on known plaintext-ciphertext pairs in an effort to seek
intermediate ciphertext-plaintext values identical to the known ones.
Matching pairs indicate a high probability of correct keys or key pairs.
Passive adversary
A person who is only capable of reading data from an unsecured
channel and getting information about the data flow.
Passive attack
An attack in which the data is observed but not modified.
Rectangle attack
An improved version of the boomerang attack with reduced data
complexity.
Related key attack (Chosen key attack)
An attack in which a change in any particular key bit or some other
relationship between key bits can be specified.
Rotational cryptanalysis
An attack method against algorithms that rely on three operations:
modular addition, rotation and XOR (also known as ARX).
Saturation attack
A type of integral attack which exploits the saturation of the input of a
permutation function upon the saturation of its output.
Slide attack
An attack which is designed to deal with the idea that even weak
ciphers can become very strong by increasing the number of rounds.
Splitting
Dividing a cryptographic key into two separate keys so an attacker
cannot reconstruct the actual key even if one of them is intercepted.
Time complexity
Amount of time required to execute an attack.