Workshop on Applied Crypto & Hardware Security    August 12-16, 2013

Abstracts

Monday (8/12): Cryptographic Foundations

Secret-Key Cryptographic Algorithms and Modes of Operation (Tolga Acar)

Introduction to secret-key ciphers, including DES and AES. The fundamental modes of operation: ECB, CBC, CTR, CCM, GCM, and XTS. Random oracles, pseudorandom functions, and key-derivation functions. Implementation details of block ciphers. Security definitions, such as CPA, CCA, CCA2, and IND. Cryptographic agility in the symmetric setting.

Public-Key Cryptography Primitives and Finite Fields (Çetin Kaya Koç)

A summary of the underlying mathematics and the algorithmic aspects of finite fields, rings and groups used in public-key cryptography, including RSA encryption and digital signatures, Diffie-Hellman key exchange, and elliptic curve cryptographic techniques. These algorithms include the basic finite field operations (addition, multiplication, and inversion) and group operations (exponentiation, point multiplication), and their implementation issues on various platforms.

Public-Key Cryptographic Algorithms and Protocols (Çetin Kaya Koç)

After the public-key cryptographic primitives and their domains of operation are established, we cover the basic algorithms (RSA, Diffie-Hellman, DSA) and the elliptic curve techniques (EC-DH, EC-DSA, EC-IES), and the underlying security assumptions, such as the difficulty of factoring integers and the discrete logarithm problem in mod p and elliptic curve groups. We also cover Edwards curves.

Quantum Cryptography, Quantum Computation, and Post-Quantum Cryptography (Wim van Dam)

This lecture gives an introduction to quantum computers, their working principles, and their applications to breaking several commonly used public-key cryptographic methods. Furthermore, basic methods of quantum cryptography such as quantum key distribution are covered. The third topic that will be addressed is which, if any, current-day public-key systems will be safe from future quantum attacks.

Tuesday (8/13): Side-Channel Attacks

Hardware and Software Realizations of Public-Key Cryptography (Çetin Kaya Koç)

Due to the large operand sizes in the groups, rings, and fields in which they operate, public-key cryptographic algorithms require special attention when implemented in hardware and on embedded and general-purpose processors. In this lecture we focus on algorithms and architectures that will help us to obtain high-speed and small (code and circuit) size implementations of the RSA, Diffie-Hellman, DSA, and elliptic curve cryptographic protocols. We cover all relevant methods, such as optimal normal bases and the Montgomery method, for both binary and GF(p) fields, for general and special moduli.

Timing and Micro-architectural Attacks (Timothy Sherwood)

A summary of cryptographic implementation vulnerabilities based on observed differences in system timing introduced through a variety of algorithmic and micro-architectural effects. The lecture begins with a brief background on modern computer architecture as it applies to these and other attacks, followed by a description of exploitable variations including key-dependent loop iterations, memory access behaviors, and control flow speculations.

Simple and Differential Power Analysis (Pankaj Rohatgi)

Modern cryptographic algorithms are designed to resist all known mathematical attacks on their structure. An attacker who can observe outputs or control inputs to a well-designed cryptographic algorithm is unlikely to gain useful information about the secret key. However, physical implementations of cryptographic algorithms leak additional information beyond inputs and outputs in several subtle ways, and attackers can often use such side-channel information to mount practical key recovery attacks. This lecture introduces Simple and Differential Power Analysis, a set of extremely powerful, non-invasive side-channel attack techniques that can extract secret keys from software and hardware implementations of cryptography on a variety of device form factors, by measuring their power consumption during cryptographic calculations.

Electromagnetic and Template Attacks (Pankaj Rohatgi)

This lecture introduces techniques that can be used to collect EM side-channel signals from large devices and compares information leakage from EM and power side-channels. We will also describe advanced analysis techniques, including template attacks, that can be used to extract the maximum amount of information from one or very few side-channel traces. These techniques can be used to break stream ciphers and ephemeral keys, and to assess information leakage of devices.

Wednesday (8/14): Design for Hardware Security

Side-Channel Algorithmic Countermeasures (Pankaj Rohatgi)

Even though side-channel attacks are extremely powerful, defending against these attacks is quite practical and feasible. In fact, billions of smart cards and other devices used for financial, transportation and identity applications are designed to resist these attacks, and most products in these industries are certified under the Common Criteria to be resistant to side-channel attacks. In this lecture, we will describe techniques that can be used to defend against side-channel attacks.

Hardware Design for Information-Flow Security (Ryan Kastner)

An introduction to hardware design using security constraints including the principle of non-interference, hardware information flow analysis, information flow control for enforcing confidentiality and integrity, and defining and detecting timing information flows. Focus on provable security properties in communication protocols (I2C, USB, and Wishbone) and a simple system-on-chip multiprocessor design.

Hardware Virtualization and Secure Boot (Timothy Sherwood)

Introduction to processor security modes, the secure boot process, the threat models addressed by these technologies, and potential security applications. Discussion of hardware support for virtualization, recent advances in dynamic root of trust, and hardware design techniques for resource sharing with provable security properties.

FPGA Security (Ryan Kastner)

Reconfigurable systems are seeing wide deployment, and because the logic of the hardware can be changed, it opens a host of problems that have no easy analogs in the software domain. Unless care is taken, secret data may need to share the same chip as untrusted hardware which has the potential to improperly impede or probe the device, configurations may be loaded that cause short circuits, or intellectual property may be stolen off of devices at boot time. This talk will introduce the modern FPGA, describe its architecture features, and provide an overview of the most important issues in the space of reconfigurable hardware security today.

Thursday (8/15): Physical Foundations

Memory Integrity (G. Edward Suh)

While many threat models assume that an attacker is unwilling or unable to depackage a chip, there are still many opportunities for hardware-level attacks on the exposed buses of the system between the processor and memory. This class of attacks has already been carried out in the wild in a variety of systems and is difficult to overcome in practice. This talk will concentrate on the problems of maintaining memory integrity and secrecy when the physical memory system or even the operating system is controlled by an adversary, and describe the theoretical and practical methods by which this class of attacks can be thwarted.

Low-cost Randomness and Physical Fingerprinting (G. Edward Suh)

As chips continue to scale to smaller technologies, the randomness inherent in their fabrication and operation is a continuing problem for computer engineers. However, this randomness can be exploited to provide some new properties useful for secure and/or cryptographic operations. In this talk, we will introduce two of these potential areas of advancement, random number generation and physical fingerprinting, with an eye towards a quantitative evaluation of the effectiveness and scalability of known techniques.

Integration of Physically Unclonable Functions (Patrick Schaumont)

We address the architecture integration problem of Physically Unclonable Functions, including their integration in Field Programmable Gate Arrays, in microprocessors and in microcontrollers. We discuss techniques for intrinsic and non-intrinsic PUF implementation by constraining and controlling FPGA design automation tools, and by exploiting various elements of microprocessor datapaths. We also address quality evaluation of PUFs, including quality metrics and the analysis of aging effects.

Trojan Hardware (Simha Sethumadhavan)

As relatively few entities have retained control of their fabrication facilities, an important question that arises is exactly what effect an adversarial manufacturer might achieve by adding or modifying the chip functionality to their advantage. The power of the different attacks possible under this threat model will be discussed, and the known mitigation strategies will be summarized.

Friday (8/16): Security Ecosystem

Authentication in Embedded Systems (Patrick Schaumont)

This talk reviews protocols and protocol implementations for authenticating hardware and software in embedded systems. We cover shared-secret protocols as well as public-key protocols. We cover the use of Physically Unclonable Functions and various other means of storing secrets in embedded systems. We show how to support authentication protocols in embedded systems of varying capability, from simple micro-controllers to dedicated challenge/response chips.

Fault-Based Attacks and Probing Attacks (Timothy Sherwood)

While passive (read-only) attacks on hardware systems are very powerful, a new set of vulnerabilities presents itself when we consider active system interference or even destructive attacks. Depending on the operation being performed, even a single event upset can be enough to cause the leakage of significant amounts of secret information. We will discuss the different classes of tampering, the ways in which faults might be injected into a system with varying levels of precision and cost, attacks possible when the hardware can be physically probed or even modified, and a variety of known countermeasures.

Tools, Integration, and Lifecycle Threats (Simha Sethumadhavan)

While there is a great deal of work existing on attacks which concentrate on a physical artifact, any security or cryptographic scheme lives in a complex and nuanced environment. This talk will discuss some less traditional threats, and will provide some insights into the new space of software tools that attempt to characterize, formalize, and/or quantify critical aspects of security.

Discussion and Panel

The lecturers and the participants will gather in an informal session of questions and answers on applied cryptography and hardware security.