Methodology for cryptographic rating of memory encryption schemes used in smartcards and similar devices

Author: Leon Terry

Version 1.0, 31.10.2013

Bundesamt für Sicherheit in der Informationstechnik
Postfach 20 03 63
53133 Bonn
Tel.: +49 22899 9582-111
E-Mail: [email protected]
Internet: https://www.bsi.bund.de
© Bundesamt für Sicherheit in der Informationstechnik 2013


Table of Contents

1 Introduction ........ 6
2 Memory encryption ........ 7
2.1 Short introduction to cryptology ........ 7
2.2 Memory encryption as security mechanism for smartcards and similar devices ........ 10
2.3 Cryptanalysis of memory encryption ........ 13
3 Methods for cryptanalysis of memory encryption ........ 14
3.1 Cryptographic assumptions and prerequisites for the cryptanalysis of memory encryption ........ 14
3.1.1 Cryptographic assumptions ........ 14
3.1.2 Prerequisites for the cryptanalysis ........ 15
3.2 Methods of Cryptanalysis ........ 16
3.2.1 Cryptanalysis of block cipher ........ 16
3.2.2 Cryptanalysis of memory address scrambling ........ 26
3.2.3 Modes of operation for memory encryption ........ 28
3.3 Cryptanalytic attacks using side-channel information ........ 29
4 Vulnerability analysis of memory encryption ........ 30
4.1 Preparation for the vulnerability analysis of memory encryption ........ 30
4.1.1 Identification of the security requirements for memory protection ........ 30
4.1.2 Description of memory encryption ........ 31
4.1.3 Security architecture of memory encryption ........ 33
4.1.4 Physical and logical attacks on memory, buses and cryptographic modules ........ 34
4.2 Identification of potential vulnerabilities of memory encryption ........ 38
4.3 Characterization of the attack potential for cryptanalytic attacks on memory encryption ........ 40
Literature ........ 48
Glossary ........ 52

Figures
Figure 1: Cryptanalytic attacks in case of communication ........ 8
Figure 2: Building blocks of memory encryption ........ 11
Figure 3: Effect of data encryption and address encryption ........ 12
Figure 4: Memory attack scenarios ........ 36

Tables
Table 1: Literature overview of cryptanalysis on block ciphers ........ 25
Table 2: Literature overview on memory address scrambling ........ 27
Table 3: Literature overview on modes of operation ........ 28
Table 4: Literature overview on combination attacks with side-channels ........ 29
Table 5: Expertise of the attacker ........ 43
Table 6: Knowledge of the TOE ........ 44
Table 7: Equipment ........ 46

Bundesamt für Sicherheit in der Informationstechnik


1 Introduction

The document on hand “Methodology for cryptographic rating of memory encryption schemes used in smartcards and similar devices” is intended as a guideline for the vulnerability analysis of memory encryption in Common Criteria [CC] [CEM] evaluations performed in the German certification scheme. The technology area of smartcards and similar devices is characterized by (1) the target of evaluation (TOE) being one-chip hardware including dedicated, embedded or application software, storing and operating user data and providing cryptographic services using secrets stored on the TOE, (2) an operational environment in which the attacker might have physical access to the TOE, and (3) the TOE life cycle as described for smartcards in [SDSE].

The TOE security functionality (TSF) shall protect the confidentiality and the integrity of the user data and TSF data. The TSF implements this protection by means of physical and logical countermeasures including cryptographic security mechanisms. The security integrated circuit protects the data stored in the memory against combinations of physical and logical attacks. This memory protection builds the base for the logical protection implemented in the operating system running on the hardware platform. The cryptographic security mechanisms of the security integrated circuit protecting the data stored in TOE memory are summarized as “memory encryption”. They protect these data as long as they are stored and transferred internally as ciphertext. The vulnerability analysis shall assess the resistance of the TSF – for this technology area typically against high attack potential – in the intended operational environment. If the non-cryptographic security countermeasures alone are not sufficient to prevent identified potential attacks with the claimed resistance, the vulnerability analysis shall include the cryptographic security mechanisms.
The guideline focuses on specific aspects of the vulnerability analysis related to the identification of potential vulnerabilities and the assessment of the effectiveness of the cryptographic mechanisms with respect to the protection of the confidentiality of the stored data. This document claims neither to provide a complete list of possible attack methods nor to cover all possible approaches for the cryptanalysis of memory encryption. The evaluator shall always consider that this document is intended to give a general guideline and not a “checklist” fulfilling all requirements which might arise in the course of a vulnerability assessment of a TOE. The guideline will be subject to regular updates. The reader should consult other supporting and scheme documents for other related aspects of the vulnerability analysis of smartcards and similar devices.

The document on hand is organized as follows. Chapter 2 introduces memory encryption as a cryptographic technique for the protection of stored and transferred data on smartcards and similar devices. It starts with a short introduction to the basic terminology and ideas of cryptology necessary for understanding the objective, the design, the analysis and the assessment of memory encryption. Memory encryption is described in terms of its building blocks: data encryption, address encryption and secret sharing for keys. This implies assumptions about the cryptographic mechanisms and the prerequisites of the cryptanalytic methods described in chapter 3. Chapter 3 provides short descriptions of and references to literature for the cryptanalytic methods most relevant for the vulnerability analysis of memory encryption; the references are accompanied by short descriptions of the methods and their relevance for memory encryption. Chapter 4 describes the identification of potential vulnerabilities and the assessment of memory encryption as part of the vulnerability analysis.


2 Memory encryption

2.1 Short introduction to cryptology

Cryptology comprises two closely linked aspects, cryptography and cryptanalysis. Cryptography embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or its unauthorized use, including entity authentication (cf. [ISO7498] [1]). Cryptanalysis is the study of techniques for attempting to defeat cryptographic techniques, i. e. to derive hidden information content, to generate data without authorization, to manipulate data without being detected, or to claim a false identity of an entity.

Encryption is a transformation of intelligible data, the semantic content of which is available (so-called plaintext), into a form (so-called ciphertext) in order to hide its information content and allow only the intended receiver to reconstruct the original form with use of a secret (so-called decryption key) (cf. [ISO7498]). The semantic content of ciphertext is not readily available. Decryption is the reverse process of encryption, reconstructing the original plaintext from the ciphertext by means of the decryption key. A cryptographic key is a variable parameter which is used in a cryptographic algorithm or protocol¹. A cryptographic algorithm may use the same key or trivially related keys (in case of symmetric cryptographic algorithms) or different keys, where it is difficult for the adversary to derive one key from the other key (in case of asymmetric cryptographic algorithms), for complementary operations like encryption / decryption, signature creation / signature verification or authentication proof / authentication verification. Secret sharing is a cryptographic technique that generates for a given secret (e. g. a key) a set of n secrets such that the knowledge of any set of m-1 of these n secrets does not allow for the calculation of the original secret, but the knowledge of m of these secrets is sufficient to calculate the original secret (m is less than or equal to n).

A cryptographic module is a set of hardware and/or software that implements cryptographic algorithms, possibly including key generation, and is contained within the cryptographic boundary. The cryptographic boundary is an explicitly defined continuous perimeter that establishes the physical bounds of a cryptographic module and contains all the hardware and/or software components of a cryptographic module. Key management is the generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy (cf. [ISO7498]). In case of communication protected by cryptographic techniques like encryption-decryption algorithms and data integrity protection, the sender and the receiver shall agree on the cryptographic key to be used. In case of data storage encryption, sender and receiver may be the same device. The key management of memory encryption focuses on secure storage of the key rather than on key distribution (but this might be necessary for key backup). The operational environment may imply different methods of key management and different areas handling the plaintexts and ciphertexts. Cryptanalysis distinguishes attack scenarios by the goal of the attack, the operational environment defining the attack context, and the specific attack method applied to the concrete cryptographic algorithm or protocol.

¹ A cryptographic protocol describes the syntax, semantics, and synchronization of communication using cryptographic algorithms. Memory encryption, and therefore the guideline on hand, deals mainly with cryptographic algorithms.


The attacker tries (1) to get (at least some) information encoded by the plaintext for a given ciphertext, (2) to reconstruct the original plaintexts for given ciphertexts or (3) to find the decryption key for decryption of the given ciphertexts. The cryptanalysis of an encryption-decryption algorithm assumes that the attacker has knowledge of the fixed parts of this algorithm and of the ciphertexts but no knowledge of the decryption key (known as Kerckhoffs’ principle). The prerequisites for cryptanalytic attacks depend on the operational environment. All cryptanalytic attacks assume that the attacker knows the ciphertext transmitted from a sender to a receiver or stored in memory. The attacker has at least passive access to the communication channel, the memory or the external ciphertext interfaces of the cryptographic module, i. e. the attacker intercepts the communication, eavesdrops on the interface or reads the memory. The attacker may also know plaintexts or any information about the plaintext corresponding to intercepted or read ciphertexts, by intercepting the plaintext interfaces of the cryptographic modules or from other sources. Furthermore the attacker may have active access to the communication channel, the memory or the interfaces of the cryptographic modules. If the attacker may provide or manipulate plaintexts for encryption and get the corresponding ciphertext, then chosen plaintext attacks are possible. If the attacker has active access to the input interface of the receiver’s cryptographic module and may provide or manipulate ciphertexts for decryption and get the corresponding plaintexts, then chosen ciphertext attacks may be possible. Figure 1 illustrates these attack scenarios in case of communication from a sender to a receiver. The blue arrows indicate passive and the red arrows indicate active access to the plaintexts and ciphertexts.

Figure 1: Cryptanalytic attacks in case of communication

The cryptanalytic attacks may be further classified as follows.
(1) (Strong ciphertext-only attacks) The ciphertext contains redundancy and thus provides information about the original plaintext, e. g. repetition of ciphertext parts might indicate equal plaintext parts.
(2) (Standard ciphertext-only attacks) The attacker has prior information (i. e. information the attacker has before the attack is performed) about probable plaintexts allowing a decision whether a reconstructed plaintext (e. g. by means of a guessed key) or a guessed key is correct or not.
(3) (Known plaintext attacks) The attacker knows plaintext-ciphertext pairs generated with the cryptographic key under attack, allowing exact calculations to reconstruct the decryption key.
(4) (Chosen plaintext attacks) The attacker is able to provide chosen plaintexts to the logical external interfaces of the cryptographic module in order to get appropriate plaintext-ciphertext pairs for the attack.
(5) (Chosen ciphertext attacks) The attacker may provide chosen ciphertexts as input to a cryptographic module and get the corresponding plaintext in order to find the decryption key or the plaintext for other ciphertexts.
(6) (Adaptive chosen plaintext attacks) In these specific variants of the chosen plaintext attacks the attacker is able to provide interactively chosen plaintexts, depending on previous ciphertexts, to the logical external interfaces of the cryptographic module in order to get appropriate plaintext-ciphertext pairs for the attack.
(7) (Adaptive chosen ciphertext attacks) Chosen ciphertext attacks where the attacker is able to provide interactively chosen ciphertexts, depending on previous ciphertext-plaintext pairs, to the logical external interfaces of the cryptographic module in order to get appropriate plaintext-ciphertext pairs for the analysis finding the decryption key or the plaintext for other ciphertexts.
(8) (Related key attacks) Attacks as in clauses (4) and (5) under the additional condition that ciphertext encrypted with related keys may be observed or generated.

The chosen plaintext attacks and the adaptive chosen plaintext attacks on the one hand and the chosen ciphertext attacks and the adaptive chosen ciphertext attacks on the other hand differ mainly in the practical way of getting the text pairs, i. e. whether the input of the cryptographic module of the sender or of the receiver may be actively used by the adversary, and may use different attack algorithms.
The best measure of security for cryptographic algorithms is the complexity of the most successful logical cryptanalytic attack in the operational environment. The complexity of an attack can be evaluated in three factors when implementing an attack: (1) data complexity denotes the number of input data units required, (2) memory complexity is the number of storage units required, (3) time complexity is the number of operations required. Note that the strength of an encryption-decryption algorithm depends on the decryption algorithm and especially on the difficulty of finding the secret decryption key. The adversary might discover algorithms and parameters different from the decryption algorithm and the decryption key used by the receiver but still attaining the original plaintext. For example, if a cipher stream (i. e. an irregular bit stream xored to the plaintext) is used twice for different sufficiently redundant plaintexts, the adversary may reconstruct the plaintexts independently of how the original cipher system generates this cipher stream – by means of another key or not.

In case of smartcards and similar devices the attacker's physical access to the device is assumed. The physical access enables combinations of physical and logical attacks against the external communication and the internally stored data of the device. The internally stored and operated plaintexts, ciphertexts, the cryptographic keys and the cryptographic module are subject to direct physical attacks (cf. section 4.1.4 for details). The physical attacks may support the logical cryptanalytic attacks by additional information and attack paths, e. g.
(1) the attacker observes and analyses the signals at the external physical interfaces of the cryptographic module in order to get some information about plaintexts or keys (known as side channel analysis),
(2) the attacker affects the operation of the cryptographic module through the physical external interfaces in order to introduce errors in the cryptographic calculations and compares them with correct calculations (known as semi-invasive perturbation attacks),
(3) the attacker manipulates internally stored cryptographic keys or the cryptographic module in order to affect or to disable the implementation of the cryptographic mechanisms (known as invasive attacks).
The physical attacks give rise to specific cryptanalytic attacks like reconstruction of the decryption key if errors occur or some key bits are known from other attacks like side channel analysis. Chapter 3 describes the general cryptanalytic attacks most relevant for memory encryption.

2.2 Memory encryption as security mechanism for smartcards and similar devices

The TOE may use cryptographic techniques for memory protection on several levels, if implemented in the TOE and in scope of the evaluation:
(1) Security integrated circuit level: The security integrated circuit implements cryptographic mechanisms for automatic memory encryption and for the protection of the memory encryption keys. The TOE provides cryptographic services like cryptographic co-processors and supporting functions like arithmetic co-processors for the embedded software.
(2) Operating system level: The operating system implements cryptographic functions and provides cryptographic services for the applications using the cryptographic co-processors of the security integrated circuit. The security of these cryptographic functions depends on the protection of their cryptographic keys provided by the memory encryption.
(3) Application level: The application uses the cryptographic services of the operating system and may implement its own cryptographic mechanisms. It uses and relies on the protection provided by the operating system for its cryptographic keys.

The guideline on hand focuses on memory encryption implemented by security integrated circuits, summarized as “memory encryption” in the following. The cryptographic system of memory encryption comprises three components: (1) the data encryption module, encrypting the data written by the CPU into the memory and decrypting the stored data read from the memory to the CPU, (2) the address encryption module, encrypting the logical address used by the CPU – shifted by the memory management unit (MMU) if implemented as assumed in the following – into the physical address, and (3) the key management, possibly implementing key generation, a secret-sharing algorithm and key destruction. The TOE may implement (1) data encryption and key management for the data encryption key or keys, (2) address encryption and key management for the address encryption key or keys, or (3) data encryption, address encryption and key management for data encryption and address encryption keys. Case (3) is typical for state-of-the-art smartcards and will be assumed in the following text.

Figure 2: Building blocks of memory encryption

Figure 2 shows the building blocks of memory encryption. The CPU executes code and operates on data and addresses in plaintext only. It writes data into data memory and reads data from memory through the data buses by providing the corresponding logical address over the address bus. The data encryption module automatically encrypts plaintext into ciphertext to be written into memory and also decrypts the ciphertext read from the memory into plaintext. Some memory types allow data reading only, e. g. ROM typically storing executable code, and therefore their cryptographic modules will implement decryption only. The data bus is separated by the data encryption module into two segments. The data bus segment between the CPU and the data encryption module transmits plaintext, and we call it the plaintext data bus segment in the following. The data bus segment between the data encryption module and the memory transmits ciphertext, and we call it the ciphertext data bus segment in the following.

The address bus is controlled by the CPU and the memory management unit (MMU). The CPU outputs the logical address to the MMU. The MMU controls the access to the logical memory areas and may shift the logical address by a configurable value. The logical address of the CPU – or, if implemented, the shifted logical address of the MMU – is input into the address encryption module. The address encryption module encrypts the logical (or shifted logical) address as plaintext into the physical address as ciphertext. The address encryption module separates the address bus into two segments as well: the plaintext address bus segment from the CPU via the optional MMU to the address encryption module, and the ciphertext address bus segment between the address encryption module and the memory. The address encryption module implements encryption of the addresses only, because the addresses are sent in one direction only, from the CPU to the memory.

The memory stores arbitrary data under the physical address and therefore does not distinguish between plaintext and ciphertext, because the memory does not interpret these data.


The cryptographic keys of the memory encryption are stored in special memory areas (called “key storage” in the following). The confidentiality and integrity of the memory encryption keys must be ensured over the lifetime of the data stored in the memory. The cryptographic keys must have high cryptographic quality, i. e. be generated with sufficient entropy and be appropriate for the cryptographic algorithm using the key. Secret sharing mechanisms split the memory encryption keys into key components. The key components are stored physically protected in plaintext. Because the encryption and decryption are performed by the same cryptographic module, the algorithm may use the same key for both operations (i. e. a symmetric cryptographic algorithm). The data encryption and the address encryption shall use different cryptographic keys. The data encryption may use the logical address, intermediate data of the address encryption or the physical address of the data to be encrypted or decrypted as an additional input parameter. In these cases the address encryption keys are respectively not used, partly used or completely used for the data encryption as well. The data encryption acts as a cryptographic substitution of plaintext data blocks by ciphertext data blocks, and the address encryption acts as a cryptographic transposition of the ciphertext data blocks in the memory. An attacker reading ciphertext blocks stored under physical addresses must break both the data encryption and the address encryption in order to reconstruct a plaintext consisting of several blocks.
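As an added illustration of the m-of-n secret sharing defined in section 2.1 and of the key components described above (example code written for this page, not part of the BSI guideline or of any vendor's key management), the following Python splits a 16-byte memory encryption key into n shares over GF(2^8) such that any m of them reconstruct it; the key bytes and the parameters m = 3, n = 5 are constructed sample values.

```python
"""Threshold (m-of-n) secret sharing of a memory encryption key.

Shamir's scheme over GF(2^8): each key byte becomes the constant term of a
random polynomial of degree m-1, and share number x holds that polynomial
evaluated at x.  Any m shares interpolate the constant term; m-1 shares are
consistent with every possible key byte and therefore reveal nothing.
"""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (a^255 = 1 for every nonzero a)."""
    result, power = 1, a
    for _ in range(7):              # accumulates a^(2+4+...+128) = a^254
        power = gf_mul(power, power)
        result = gf_mul(result, power)
    return result


def split_key(key: bytes, m: int, n: int) -> list[tuple[int, bytes]]:
    """Split key into n shares (x, y-bytes); any m of them recover the key."""
    if not 1 <= m <= n <= 255:
        raise ValueError("need 1 <= m <= n <= 255")
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for key_byte in key:
        # Random polynomial of degree m-1 with the key byte as constant term.
        coeffs = [key_byte] + [secrets.randbelow(256) for _ in range(m - 1)]
        for x, share in shares:
            y = 0
            for c in reversed(coeffs):      # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            share.append(y)
    return [(x, bytes(share)) for x, share in shares]


def recover_key(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x = 0, byte position by byte position."""
    xs = [x for x, _ in shares]
    key = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num, den = 1, 1
            for j, xj in enumerate(xs):
                if j != i:
                    num = gf_mul(num, xj)           # (0 - xj) = xj in char 2
                    den = gf_mul(den, xi ^ xj)      # (xi - xj)
            acc ^= gf_mul(yi[pos], gf_mul(num, gf_inv(den)))
        key.append(acc)
    return bytes(key)


def demo() -> tuple[bool, bool]:
    """Constructed 3-of-5 split; returns (3 shares suffice, 2 shares do not)."""
    key = secrets.token_bytes(16)       # constructed stand-in for a device key
    shares = split_key(key, m=3, n=5)
    return (recover_key([shares[0], shares[2], shares[4]]) == key,
            recover_key(shares[:2]) != key)


if __name__ == "__main__":
    print(demo())
```

The second value returned by demo() is true except with probability 256^-16, which is the chance that a line through two points of a random quadratic happens to hit the right constant term in all 16 byte positions.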

Figure 3: Effect of data encryption and address encryption

The data encryption and the address encryption hide the information stored in the memory if the stored data are disclosed to the attacker. The address encryption additionally distributes the information within the memory, increasing the effort of physically reading these data, as shown in figure 3. The memory address scrambling maps the logical addresses of the stored data used by the CPU to the physical locations of these data on the hardware. This mapping is the composition of three mappings implemented by (1) the (optional) shift of the logical address output by the CPU, performed by the MMU, (2) the mapping from plaintext to ciphertext performed by the address encryption module, and (3) the mapping of the physical address to the physical location defined by the layout of the hardware.
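To make the composition of these mappings concrete, here is an added Python model of figure 2 (constructed for this page; it is neither the guideline's nor any vendor's design): an MMU shift, a keyed address permutation, and data encryption tweaked with the physical address. The block cipher is a toy Feistel network built on SHA-256 standing in for the device's cipher, and all keys and memory contents are constructed sample values. The model also shows why tweaking the data encryption with the address matters: without it, equal plaintext blocks produce equal ciphertext blocks, which is exactly the redundancy that clause (1) of section 2.1 (strong ciphertext-only attacks) refers to.

```python
"""Model of the memory encryption building blocks: MMU shift, address
encryption, data encryption (optionally tweaked by the physical address) and a
physical memory that stores opaque blocks.  Toy cipher and sample values only."""
import hashlib

ADDR_BITS = 16   # logical/physical address width of the model
DATA_BITS = 32   # width of one memory block in the model


def _round_function(key: bytes, tweak: bytes, rnd: int, half: int, width: int) -> int:
    """Keyed round function: SHA-256 over key, tweak, round index and half block."""
    digest = hashlib.sha256(key + tweak + bytes([rnd]) + half.to_bytes(width, "big")).digest()
    return int.from_bytes(digest[:width], "big")


def feistel_encrypt(key: bytes, block: int, bits: int, tweak: bytes = b"", rounds: int = 8) -> int:
    """Toy balanced Feistel permutation on bits-bit values (stand-in for the device cipher)."""
    if not 0 <= block < (1 << bits):
        raise ValueError("block out of range")
    half_bits = bits // 2
    mask = (1 << half_bits) - 1
    width = (half_bits + 7) // 8
    left, right = block >> half_bits, block & mask
    for rnd in range(rounds):
        left, right = right, left ^ (_round_function(key, tweak, rnd, right, width) & mask)
    return (left << half_bits) | right


def feistel_decrypt(key: bytes, block: int, bits: int, tweak: bytes = b"", rounds: int = 8) -> int:
    """Inverse of feistel_encrypt: the same rounds applied in reverse order."""
    half_bits = bits // 2
    mask = (1 << half_bits) - 1
    width = (half_bits + 7) // 8
    left, right = block >> half_bits, block & mask
    for rnd in reversed(range(rounds)):
        left, right = right ^ (_round_function(key, tweak, rnd, left, width) & mask), left
    return (left << half_bits) | right


class EncryptedMemory:
    """CPU-side view (logical address, plaintext) versus memory-side view
    (physical address, ciphertext) of the building blocks in figure 2."""

    def __init__(self, addr_key: bytes, data_key: bytes, mmu_shift: int = 0,
                 tweak_with_address: bool = True):
        self.addr_key = addr_key            # address encryption key
        self.data_key = data_key            # data encryption key (a different key)
        self.mmu_shift = mmu_shift          # configurable shift applied by the MMU
        self.tweak_with_address = tweak_with_address
        self.cells = {}                     # physical address -> stored block

    def physical_address(self, logical: int) -> int:
        """Composition of MMU shift and address encryption (one direction only)."""
        shifted = (logical + self.mmu_shift) & ((1 << ADDR_BITS) - 1)
        return feistel_encrypt(self.addr_key, shifted, ADDR_BITS)

    def _tweak(self, physical: int) -> bytes:
        return physical.to_bytes(2, "big") if self.tweak_with_address else b""

    def write(self, logical: int, plaintext: int) -> None:
        physical = self.physical_address(logical)
        self.cells[physical] = feistel_encrypt(self.data_key, plaintext, DATA_BITS, self._tweak(physical))

    def read(self, logical: int) -> int:
        physical = self.physical_address(logical)
        return feistel_decrypt(self.data_key, self.cells[physical], DATA_BITS, self._tweak(physical))

    def dump(self) -> list[tuple[int, int]]:
        """What a physical read-out of the memory yields: blocks in physical order."""
        return sorted(self.cells.items())


def repeated_ciphertext_blocks(mem: EncryptedMemory) -> int:
    """Number of stored blocks whose ciphertext duplicates another stored block."""
    values = [block for _, block in mem.dump()]
    return len(values) - len(set(values))


def demo() -> tuple[int, int]:
    """Same constructed plaintext written with and without the address tweak."""
    sample = [0xDEADBEEF, 0x00000000, 0x00000000, 0xDEADBEEF]   # constructed words
    tweaked = EncryptedMemory(b"addr-key-sample", b"data-key-sample", mmu_shift=0x0100)
    untweaked = EncryptedMemory(b"addr-key-sample", b"data-key-sample", mmu_shift=0x0100,
                                tweak_with_address=False)
    for logical, word in enumerate(sample):
        tweaked.write(logical, word)
        untweaked.write(logical, word)
    assert all(tweaked.read(i) == sample[i] for i in range(len(sample)))
    return repeated_ciphertext_blocks(tweaked), repeated_ciphertext_blocks(untweaked)


if __name__ == "__main__":
    print("repeated blocks with / without address tweak:", demo())
```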


The guideline on hand assumes that the TOE will implement block cipher algorithms for data encryption and address encryption. Stream ciphers are out of scope of this guideline. In addition to the memory encryption, the TOE may implement a hardware bus encryption for data transferred between the memory and the CPU or between the memory and other components like co-processors. The bus encryption implements encryption for the sender and decryption for the receiver of the data transferred over the bus. The key of the bus encryption can be changed synchronously for sender and receiver at any time. This bus encryption is out of scope of the guideline on hand.

2.3 Cryptanalysis of memory encryption

The vulnerability analysis is an assessment to determine whether potential vulnerabilities could allow attackers to violate the security functional requirements in the intended operational environment (cf. [CC] part 3, para. 455). We assume that the TSF shall protect the confidentiality of user data and TSF data, especially cryptographic secrets, stored and operated on the TOE. Because the attacker will have physical access to the TOE, the memory protection is implemented by means of physical and logical countermeasures. The physical countermeasures are implemented in hardware only. The logical countermeasures include but are not limited to cryptographic security mechanisms implemented by special hardware and possibly dedicated software. The vulnerability analysis of the memory protection considers all relevant countermeasures. If the TSF, without consideration of memory encryption, provides sufficient resistance against attacks with the assumed attack potential, the analysis and the assessment of the effectiveness of the memory encryption may be skipped. If the vulnerability analysis identifies a potential vulnerability that the attacker could exploit against the TSF without memory encryption, the analysis and the assessment of the effectiveness of the cryptographic security mechanisms might be necessary in order to determine whether this vulnerability is exploitable for the complete TSF in the intended operational environment or not (cf. chapter 4 for further details). The following chapter 3 describes methods for the cryptanalysis of memory encryption to be used in the vulnerability assessment of memory encryption described in chapter 4.


3 Methods for cryptanalysis of memory encryption

3.1 Cryptographic assumptions and prerequisites for the cryptanalysis of memory encryption

The cryptanalysis of the memory encryption shall take into account
• the context of the whole attack path against the data stored in the memory, which includes the cryptanalytic attack as one part, and the binding of the memory encryption with the other security features of the TSF, e. g. physical protection of the memory, access control to the key management of the memory encryption;
• the method of memory use, i. e.
  ➢ the type of data stored in the memory as user data, TSF data or TOE implementation stored in the memory,
  ➢ the amount of data stored in the memory,
  ➢ read-only memory or read-write memory;
• the method of use of the memory encryption over the life cycle of the TOE, e. g. the key management, and
• the operational environment defining the conditions under which the attack might be performed, e. g. the memory may store, besides the unknown data under attack, also data known to the attacker beforehand.
This chapter describes the assumptions and prerequisites for the cryptanalysis of memory encryption.

3.1.1 Cryptographic assumptions

This section describes the assumptions made about cryptographic systems for memory encryption. The memory encryption is implemented by hardware (i. e. in case of smartcards by the security integrated circuit) and may be supported by dedicated software. The embedded software of a TOE may implement additional encryption of stored data on operating system or application level, but this is outside the scope of the current document. The TOE may implement different secret-sharing algorithms, data encryption-decryption algorithms, address encryption algorithms and key sets depending on the type of memory used for the data storage. We consider the following types of data memory:
(1) ROM storing read-only executable code. The ROM data are fixed for the TOE instantiations, i. e.
  - if the TOE is a security IC, then the IC dedicated software will be fixed;
  - if the TOE is a smartcard, the dedicated software and the embedded software will be fixed.
The ROM may store dedicated and embedded software in plaintext or ciphertext. The ROM contains typically between 32K Bytes and 512K Bytes (up to 4 MB and more).
(2) EEPROM or Flash is read-write memory storing executable code, user data and TSF data. This memory stores data permanently even if the TOE is switched off. The stored data may be fixed for a set of the TOE instantiations, fixed individually for each TOE instantiation or changed during operation. The EEPROM stores user data and TSF data as ciphertext only. The EEPROM contains typically between 8K Bytes and 1M Bytes.
(3) RAM storing temporarily user data and TSF data during a power-on session, not available outside the power-on session. The RAM stores all data in plaintext or all data in ciphertext. RAM contains typically between 512 Bytes and 64K Bytes.

The TOE uses symmetric encryption-decryption algorithms for the stored data. The data are automatically encrypted when writing into the memory and automatically decrypted when reading from the memory. The address encryption is a cryptographic permutation of the logical address to the physical address of the data for reading from the memory and – if appropriate for the type of memory – for writing into the memory. The cryptographic system for memory encryption uses different key sets for different types of memory. It may use different key types, e. g. long-term keys, group keys, chip-individual keys, and session-individual keys. The long-term keys, like S-boxes of block ciphers, may have different areas of application, i. e. one or more TOEs or sets of the TOE instantiations for different customers or applications. Group keys are used in more than one device. The keys for data encryption and address encryption may have different areas of application, i. e. all TOE instantiations, sets of the TOE instantiations for different customers or applications, an individual TOE instantiation, memory areas, or sessions. All data keys are secret and stored in special memory areas of the TOE. They are automatically installed during secure start-up (cf. security architecture, secure TSF initialization).

3.1.2 Prerequisites for the cryptanalysis

This section describes the prerequisites for the cryptanalytic attack scenarios. The effort to gain the relevant information or perform the activities for the attack will be discussed later in chapter 4.

The adversary knows all fixed parts of the cryptographic algorithms (Kerckhoffs' principle). The adversary knows all or parts of the encrypted data stored in the different memory types and areas of the memory. The amount of known ciphertext may be limited because of the TOE design or security countermeasures. The cryptanalysis shall consider several attack scenarios with respect to the amount of ciphertext and the information about the plaintext necessary for a decision about the key:

(1) The adversary knows ciphertext shorter than the key (in this case the key cannot be determined completely but may be partly reconstructed).
(2) The adversary knows sufficient ciphertext and has information about probable plaintexts, allowing a probabilistic decision about the right key based on the redundancy contained in the plaintext of the given ciphertext.
(3) The adversary knows sufficient plaintext-ciphertext pairs, allowing a correct decision whether a given key is the right key to be used for decryption. The amount of plaintext-ciphertext pairs necessary to determine the key depends on the attack method, e. g. algebraic attacks may work on shorter corresponding plaintexts and ciphertexts than probabilistic attacks like linear cryptanalysis.

The adversary may know parts of but not all secret keys. The knowledge of keys depends on
(1) the number of TOE instantiations where the key is used and therefore the number of samples and the amount of data available for attacks, e. g. many devices or only one device (cf. [CEM], B.4.2.2, Knowledge of the TOE, [SDAP], chapter 3, Knowledge of the TOE and Access to TOE),
(2) the time the key is used and therefore the window of opportunity to attack the key, e. g. over the life time of the TOE instantiation, life time of an application, fixed life time of the key (regularly changed), during only one session (cf. [CEM], B.4.2.2, Window of opportunity),
(3) the area of application, e. g. memory types and technologies define the effort to get data for the cryptanalysis.

The adversary may passively observe or actively affect start-up and operation of the TOE.

3.2 Methods of Cryptanalysis

3.2.1 Cryptanalysis of block cipher

A block cipher is an invertible function which maps n-bit plaintexts to n-bit ciphertexts. This function, also referred to as an encryption function, is parameterized by a k-bit key which is assumed to be chosen uniformly at random. Ideally, an encryption function corresponding to a fixed key should look like a randomly chosen invertible function to an outside observer who has no knowledge of the key. Also, if the block size n of a block cipher is too small, it may be vulnerable to statistical analysis such as frequency analysis of ciphertext blocks. To avoid this and to be able to encrypt large chunks of data, block ciphers are often used with a mode of operation. For data exceeding the size of n bits, one can partition the data into n-bit parts and encrypt all parts independently. This method is known as the electronic codebook mode (ECB). There are further, more suitable modes of operation which can be used in memory encryption systems, cf. chapter 3.2.3.

Most block ciphers encrypt a given plaintext by iteratively applying a round function a number of times. This round function is often composed of three parts: a nonlinear part for providing confusion, a linear diffusion part, and a key addition part. This key addition can be either XOR or modular addition depending on the designer’s choice. The input length of this round function determines the overall design strategy of the block cipher. For example, block ciphers with Feistel structure have round functions of input/output length at most half of the block length of the cipher. In a two-branched Feistel structure (like DES), half of the block is processed by the round function and the result is XORed to the other half of the block at each round. Since this process is done simultaneously for both halves, the encryption and decryption processes of Feistel ciphers are very similar. On the other hand, the input length of the round function of a substitution permutation network (SPN) is exactly equal to the block length of the cipher. This approach provides faster diffusion but often results in a more expensive implementation in terms of hardware area.

For each round of the encryption process, most block ciphers use individual round keys which are derived from the original encryption key through a key scheduling algorithm. This algorithm should be designed in a way that avoids complementation property attacks as well as weak keys and related key attacks. If a block cipher has the complementation property, an encryption of a plaintext under a complemented key results in the complemented ciphertext of the original encryption. This leads to an improved brute force attack which is twice as efficient as the original one. Similarly, weak keys result in shorter cycles of encryption on average when compared to the rest of the encryption keys. For instance, DES has four weak keys which produce identical round keys. Since DES has a Feistel structure, double encryption with these keys gives the original plaintext. This is not a desired property of DES, as it enables the adversary to reduce the key space when doing a brute force attack. Moreover, related keys can improve an attack’s success probability by a great deal if the encryption system enables the adversary to impose encryption keys with certain relations between them. There are related key variants of almost all attacks in the literature, which are currently the most powerful attacks against modern block ciphers. In modern block ciphers, key scheduling algorithms often constitute a non-linear function to achieve added resistance to related key attacks. Although the related key attack model improves the success probability of almost all cryptanalytic attacks, such attacks can be easily avoided by updating encryption keys in a random (or pseudo random) manner, i.e. either using a physical source of randomness or by using a pseudo random number generator with a true random seed.

The attacks given in this section are evaluated according to both their relevance and practicality when memory encryption systems are considered. An attack is considered as not critical if either it requires a large portion of the codebook by its nature, or has an assumption which is not likely to be satisfied when memory encryption systems are considered. In addition, an attack is considered as partially critical if it requires the cipher to have a specific weakness, which strong ciphers should not have. Finally, an attack is considered as critical if the number of required plaintext ciphertext pairs to mount the attack is significantly small compared to the codebook size.

The amount of data required to mount an attack on a cipher is highly dependent on the design of the cipher. For example, a block cipher which has no non-linear element in its round function will obviously be vulnerable to linear attacks, making linear attacks critical for that block cipher. But this is valid only for that particular block cipher, and linear attacks may be infeasible to mount when another block cipher with good non-linear elements is considered. Therefore, the evaluation field given in the table below is merely a guideline for comparing linear attacks on a generic block cipher in terms of their practicality when memory encryption systems are considered.

Method: Text Dictionary Attacks / Matching Ciphertext Attacks
Reference: A.J. Menezes et al: “Handbook of Applied Cryptography”, ’97 [1].
Applicable to: All block ciphers with small block lengths.
Description: A method to identify ciphertext blocks encrypting the same plaintext blocks without any knowledge of the key.
Evaluation: Partially Critical for Memory Encryption Systems. For an n-bit block cipher, a complete dictionary requires 2^n plaintext-ciphertext pairs to be known. Fewer plaintext-ciphertext pairs suffice if plaintexts contain redundancy and a non-chaining mode of operation (such as electronic codebook mode) is used.

Method: Exhaustive Key Search / Brute Force
Reference: A.J. Menezes et al: “Handbook of Applied Cryptography”, ’97 [1].
Applicable to: All block ciphers with small key lengths.
Description: A known plaintext attack which exhaustively tries all possible keys for decryption of a ciphertext to find a matching plaintext.
Evaluation: Critical for Memory Encryption Systems. For an n-bit block cipher with k-bit key, given a small number (e. g.,) of plaintext-ciphertext pairs encrypted under key K, K can be recovered by exhaustive key search in an expected time in the order of 2^(k-1) operations.

Method: Meet-in-the-Middle Attack
Reference: A.J. Menezes et al: “Handbook of Applied Cryptography”, ’97 [1].
Applicable to: Cascaded encryption (double encryption) with two different k-bit keys.
Description: An attack which defeats double encryption using on the order of 2^k operations and 2^k storage for calculating the table for the first key and expected 2^(k-1) operations with the second key to find matching pairs.
Evaluation: Critical for Memory Encryption Systems. It should be noted that encrypting a message with n different k-bit keys does not provide n x k bit security. The amount of data required to implement this attack is as low as for a brute force attack on one encryption, i. e. only a few (2 or 3) known plaintext ciphertext pairs are sufficient to implement it.

Reference: A. Bogdanov, C. Rechberger: “A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN”, SAC ’10, [26].
Applicable to: Block ciphers with simple key scheduling algorithms.
Description: Known plaintext and ciphertext pairs are partially encrypted and decrypted simultaneously to find a partial matching in a specific intermediate state. Exploiting the weak key schedule of KTANTAN is the key point of this particular attack.
Evaluation: Critical for Memory Encryption Systems. The amount of data required to implement this attack is as low as for a brute force attack (3 plaintext ciphertext pairs are sufficient in this particular work), which makes the attack critical for memory encryption systems.

Method: Differential Cryptanalysis
Reference: E. Biham et al: “Differential Cryptanalysis of DES-like Cryptosystems”, CRYPTO ’90, [2].
Applicable to: Block ciphers which have highly probable differential relations for all or a subset of rounds in the encryption process.
Description: A chosen plaintext attack where the plaintexts should have a specific XOR difference.
Evaluation: Partially Critical for Memory Encryption Systems. A collection of plaintext ciphertext pairs is needed of an amount depending on the attack probability.

Reference: L. R. Knudsen et al: “Truncated and Higher Order Differentials”, FSE ’95, [3].
Applicable to: Block ciphers which have highly probable differential relations for some rounds of the encryption.
Description: An improved version of differential cryptanalysis which uses truncated differentials (on DES) with the capacity to break ciphers resistant to conventional differential cryptanalysis.
Evaluation: Critical for Memory Encryption Systems. Required assumptions on plaintext pairs are more lax than in the original differential attack. This translates into smaller amounts of data required to devise the attack.

Reference: L. R. Knudsen et al: “Truncated and Higher Order Differentials”, FSE ’95, [3].
Applicable to: Block ciphers of any kind.
Description: The attack makes use of quartets of plaintexts and their corresponding ciphertexts. The attack complexity is directly related to the algebraic degree of the round function.
Evaluation: Critical for Memory Encryption Systems. The attack requires 2^(r+1) chosen plaintexts, where r is the algebraic degree of the round function. Therefore, block ciphers which use round functions of low algebraic degree are more vulnerable to this attack.

Reference: E. Biham et al.: “Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials”, EUROCRYPT ’99, [14].
Applicable to: Block ciphers which have improbable differential relations for some rounds of the encryption.
Description: A chosen plaintext attack which uses differential paths with probability exactly equal to zero.
Evaluation: Critical for Memory Encryption Systems. This attack uses a key elimination technique which increases the run time of the overall attack. But the amount of chosen (or even known) plaintexts can be relatively small when compared to other differential attacks, which makes it critical for memory encryption purposes.

Reference: D. Wagner: “Boomerang Attack”, FSE ’99, [11].
Applicable to: Block ciphers which have highly probable differential relations for few rounds of the encryption.
Description: An adaptive chosen ciphertext/plaintext attack, which makes use of two differential paths for two consecutive parts of a cipher.
Evaluation: Partially Critical for Memory Encryption Systems. This attack requires the decryption of ciphertexts with some specific XOR difference in between, where the corresponding plaintexts have some specific XOR difference as well. The lower the required Hamming weight of the XOR differences between the ciphertexts, the more feasible the attack becomes.

Reference: J. Kelsey et al.: “Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent”, FSE ’00, [12].
Applicable to: Block ciphers which have highly probable differential relations for few rounds of the encryption.
Description: A chosen plaintext attack which makes use of two differential paths for two consecutive parts of a cipher.
Evaluation: Partially Critical for Memory Encryption Systems. If there are highly probable (close to 1) differential paths for n/2 rounds of an n-round cipher, the attack becomes feasible.

Reference: E. Biham: “New types of cryptanalytic attacks using related keys”, EUROCRYPT ’93, [13].
Applicable to: Block ciphers which lack proper diffusion in their key scheduling algorithm.
Description: A chosen plaintext attack which also requires a certain relation between different encryption keys.
Evaluation: Partially Critical for Memory Encryption Systems. If the key update of a memory encryption system allows the adversary to have keys with simple XOR relations, this kind of attack becomes feasible.

Method: Linear cryptanalysis
Reference: M. Matsui, “Linear Cryptanalysis Method for DES Cipher”, EUROCRYPT ’93, [7].
Applicable to: Block ciphers which employ an S-Box for providing non-linearity. It is easier to attack block ciphers which have high biases in the Linear Approximations Table (LAT) of their S-Boxes.
Description: A known plaintext attack which statistically constructs linear approximations of the round function of a cipher.
Evaluation: Critical for Memory Encryption Systems. A collection of known plaintext-ciphertext pairs is needed depending on the attack probability. This attack is feasible when a linear approximation path can be constructed, with high probability, for a sufficiently large portion of the cipher.

Reference: J. Y. Cho, “Linear Cryptanalysis of Reduced-Round PRESENT”, CT-RSA ’10, [8].
Applicable to: Block ciphers with SPN structure.
Description: An improvement of linear cryptanalysis which combines multiple linear approximation paths to attack the target block cipher.
Evaluation: Critical for Memory Encryption Systems. This attack makes use of multiple linear approximation paths to construct an attack on the whole cipher, which improves the attack probability and therefore reduces the required number of known plaintext-ciphertext pairs.

Reference: A. Bogdanov and V. Rijmen: “Zero-Correlation Linear Cryptanalysis of Block Ciphers”, ’11, available online [17].
Applicable to: Block ciphers of any kind.
Description: An adaptation of the impossible differential attack to the concept of linear cryptanalysis.
Evaluation: Not Critical for Memory Encryption Systems. The whole code book (or at least half of it) is required to apply the attack. Even then the time complexity is much higher when compared to the other attacks.

Reference: N.T. Courtois and G.V. Bard: “Algebraic cryptanalysis of the Data Encryption Standard”, 11th IMA International Conference ’07, [4].
Applicable to: Block ciphers which have a round function that can be represented by low-degree algebraic relations.
Description: A known plaintext attack which represents the encryption process as a system of equations, and solves them to recover the key.
Evaluation: Critical for Memory Encryption Systems. Minimalistic memory requirements of this attack make it feasible even on smart cards with small memories. Encryption functions of block ciphers can often be represented by low degree algebraic equations. Therefore, block ciphers requiring too few rounds for encryption should be carefully investigated concerning this aspect.

Reference: N.T. Courtois et al: “Algebraic and Slide Attacks on Keeloq”, FSE ’08, [5].
Applicable to: Block ciphers which have a periodic structure (e. g. composition of identical functions) in either encryption or key scheduling algorithms.
Description: The periodic structure of the key schedule of Keeloq is exploited to perform an attack on the full cipher.
Evaluation: Partially Critical for Memory Encryption Systems. Keeloq is broken with 256KB of known plaintexts. Periodic structures in a block cipher should be avoided, especially when the algebraic structure of the enciphering function is of low degree.

Reference: T. Jakobsen and L. R. Knudsen: “The Interpolation Attack on Block Ciphers”, FSE ’97, [27].
Applicable to: Block ciphers of any kind, especially those which use quadratic functions as their S-Boxes.
Description: Lagrange interpolation is used for finding an alternative algorithm which maps a given plaintext to the corresponding ciphertext without any knowledge of the key.
Evaluation: Partially Critical for Memory Encryption Systems. This attack is mounted by finding a polynomial representation of the ciphertext in terms of plaintext and key bits. The number of plaintext ciphertext pairs required is equal to the number of coefficients in the polynomial representation. Therefore, this attack is critical for block ciphers using round functions of low algebraic degree.

Reference: M. Vielhaber: “Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack”, Cryptology ePrint Archive: Report 2007/413, [34]; I. Dinur and A. Shamir: “Cube Attacks on Tweakable Black Box Polynomials”, EUROCRYPT ’09, [28].
Applicable to: Block ciphers which have a round function that can be represented by low-degree algebraic relations.
Description: The attacker tries to obtain linear equations of secret variables by adding polynomial representations of output bits and fixing some public variables (plaintext bits in the block cipher case) to zero. Once the attacker gathers enough linear equations, she can solve the linear system to obtain the key.
Evaluation: Partially Critical for Memory Encryption Systems. This is a chosen plaintext attack which requires the cipher to have low degree algebraic relations between its input, key and output bits. The degree of the polynomial which represents the relation between the input, key and output bits should not exceed the number of public variables available. The attack has an extensive precomputation phase; but on the other hand, it can also be applied to proprietary ciphers in a black box model.

Reference: M. Albrecht and C. Cid: “Algebraic Techniques in Differential Cryptanalysis”, FSE ’09 [21].
Applicable to: Block ciphers which have highly probable differential relations for few rounds of the encryption.
Description: Combines differential attack ideas with algebraic cryptanalysis.
Evaluation: Partially Critical for Memory Encryption Systems. Differential characteristics are used to simplify the algebraic equations which are to be solved to apply a successful algebraic attack. The required number of plaintext-ciphertext pairs is relatively low compared to plain differential attacks.

Method: Slide Attack
Reference: A. Biryukov and D. Wagner: “Slide Attacks”, FSE ’99, [10].
Applicable to: Block ciphers which have a periodic structure in either encryption or key scheduling algorithms.
Description: An adaptive chosen plaintext attack which exploits the periodic structures of modified DES (2K-DES).
Evaluation: Partially Critical for Memory Encryption Systems. An increase in the number of rounds does not always result in stronger security. A 96-round variant of DES is attacked making use of periodic structures in the key scheduling and round functions.

Method: Integral Cryptanalysis
Reference: N. Ferguson et al: “Improved Cryptanalysis of Rijndael”, FSE ’00, [9].
Applicable to: Especially byte/nibble-oriented block ciphers with bijective round functions.
Description: Recovers the key by investigating ciphertexts of a set of chosen plaintexts with a byte/nibble ranging over all possible values.
Evaluation: Partially Critical for Memory Encryption Systems. An adversary can devise this kind of attack with a relatively low number of chosen plaintext ciphertext pairs, but it requires a very specific structure in the collection of plaintexts (a byte/nibble ranging over all possible values).

Table 1: Literature overview of cryptanalysis on block ciphers

3.2.2 Cryptanalysis of memory address scrambling

The memory address scrambling is the mapping of logical addresses of stored data to physical locations on the chip, provided by memory management units, address encryption and memory layout. It is intended as a countermeasure against information leakage about the locations of stored data in the memory caused by sequential access to memory addresses, which is very common in practical applications. Ideally, an address encryption should distribute the logical addresses uniformly over the whole memory address space when transforming them into physical addresses. In fact, data with sequential logical addresses should not be written to sequential physical addresses, and the mapping should be independent of the block length of the underlying block cipher. This can be simply checked by evaluating the correlation between the logical and physical addresses. Moreover, the address encryption key should be smartcard specific.

In the literature, there are different methods to perform memory encryption (also referred to as “memory scrambling”²) such as partial or full encryption of the memory addresses. In the former method, only the addresses within the most recently accessed blocks of the memory are encrypted. In the latter approach, the whole logical address space is encrypted at the cost of additional latency and power consumption. The table below includes the address encryption schemes available in the literature and comments regarding their efficiency. Note that the referenced literature does not imply any recommendation for the use of these methods (cf. instead the technical guidance published by BSI like TR-02102).

² Scrambling means in general (1) channel encoding in order to optimize data transmission, and (2) weak encryption mainly by transposition (e. g. for voice encryption).

Reference: X. Zhuang et al: “HIDE: an infrastructure for efficiently protecting information leakage on the address bus”, ASPLOS-XI ’04 [18].
Focus: Encrypting the addresses within the most recently accessed blocks.
Description: Permutes the addresses within blocks of variable size, using an additional permutation cache.
Evaluation: The method proposed in this paper only covers scrambling the addresses of a portion of the memory. Also, later in [19], some problems regarding excessive memory accesses on permutation, and redundant permutations, are pointed out.

Reference: X. Zhuang et al: “Hardware assisted control flow obfuscation for embedded processors”, CASES ’04 [20].
Focus: Encrypts the contents of the whole memory.
Description: Switches random blocks in the memory by using a “shuffle buffer”.
Evaluation: Memory blocks to be scrambled have to be temporarily kept inside the cache memory, which is referred to as “shuffle buffer”. It also has to be large enough to accommodate all the blocks to be switched.

Reference: L. Gao et al: “A low-cost memory remapping scheme for address bus protection”, PACT ’06 [19].
Focus: Encrypts the contents of the whole memory.
Description: Handles address encryption in chunks of a fixed size (128 blocks). An improvement to previously proposed schemes.
Evaluation: Although this is an improved address encryption method compared to the previously proposed ones, it still needs a cache for permuting blocks, and another one to keep the current order of the blocks in each page/chunk of the memory.

Table 2: Literature overview on memory address scrambling
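The correlation check described at the start of this section can be scripted by an evaluator. The following Python script is an added example, not part of the BSI document or of the cited schemes: it compares a weak scrambler (XOR of the logical address with a fixed mask) against a keyed random permutation standing in for a proper address encryption, over an assumed 12-bit address space with a constructed mask and seed.

```python
"""Evaluator's check for memory address scrambling (constructed example):
how much of the logical address order survives in the physical addresses?
Two metrics are computed over the whole address space:
  - the Pearson correlation between logical and physical addresses, and
  - the fraction of sequential logical addresses (a, a+1) that land on
    sequential physical addresses (p, p+1)."""
import random

ADDRESS_BITS = 12                 # assumed 4 KiB toy address space
SPACE = 1 << ADDRESS_BITS


def xor_scrambler(mask):
    """Weak 'scrambling': XOR every logical address with a fixed mask.
    Within every aligned run the order of addresses is preserved."""
    return lambda addr: addr ^ mask


def keyed_permutation(seed):
    """Stand-in for a proper address encryption: a keyed random permutation
    of the address space (a seeded PRNG replaces the block cipher here)."""
    table = list(range(SPACE))
    random.Random(seed).shuffle(table)
    return lambda addr: table[addr]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / (var_x * var_y) ** 0.5


def sequential_fraction(physical):
    """Share of logical neighbours (a, a+1) mapped to physical neighbours."""
    hits = sum(1 for a in range(SPACE - 1) if physical[a + 1] == physical[a] + 1)
    return hits / (SPACE - 1)


def evaluate(scrambler):
    """Return (correlation, sequential_fraction) for a scrambling function.
    Low values of both indicate that sequential access leaks little about
    where data is stored; the XOR mask scores badly on the second metric."""
    logical = list(range(SPACE))
    physical = [scrambler(a) for a in logical]
    assert sorted(physical) == logical, "scrambler must be a permutation"
    return pearson(logical, physical), sequential_fraction(physical)


if __name__ == "__main__":
    for name, fn in (("xor mask 0xA5A", xor_scrambler(0xA5A)),
                     ("keyed permutation", keyed_permutation(2013))):
        corr, seq = evaluate(fn)
        print(f"{name:18s} correlation={corr:+.3f} sequential={seq:.3f}")
```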

3.2.3 Modes of operation for memory encryption

As block ciphers encrypt data in n-bit blocks, one needs to use a mode of operation to be able to encrypt data which exceeds the size of n bits. When memory encryption systems are considered, mostly address information is used as a part of the mode of operation. The table below includes a collection of modes of operation suitable for memory encryption together with key points of the modes. Note that the security of a mode of operation relies on the assumption that the underlying block cipher is cryptographically secure.

The presented modes of operation make use of the idea of tweakable block ciphers proposed by Liskov et al. [29]. The authors claim that using tweakable block ciphers enables having seemingly different encryption functions without changing the encryption key, which is usually a costly process, by changing the tweak instead. In tweakable block ciphers, a pseudo random tweak value is computed and used as a third input to the encryption function. Here, the idea of including a tweak is to have variability in the ciphertexts corresponding to the same plaintext when different tweaks are used. Although the use of a tweak does not provide additional security to the underlying block cipher, the variability comes in handy in some cryptographic applications such as memory encryption. In the referenced modes below, the tweak is computed by encrypting the page information, which is a unique identifier for a collection of data blocks, using the underlying block cipher with an encryption key. This way, each page has its unique encryption function, which makes it harder to attack the system using chosen plaintexts or chosen ciphertexts located at different pages. Note that the referenced literature does not imply any recommendation for the use of these operational modes (cf. instead the technical guidance published by BSI like TR-02102).

Reference: P. Rogaway, “Efficient Instantiations of Tweakable Block Ciphers and Refinements to Modes OCB and PMAC”, ASIACRYPT ’04 [24].
Description: XEX: Randomizes the input and output of the block cipher by XORing a tweak, which is obtained by encrypting part of the address information.
Evaluation: The XEX mode of operation requires the implementation of both the encryption and the decryption algorithm of the underlying block cipher. It is proven to be secure when less than 2^(n/2) block cipher calls are encrypted under the same key.

Reference: NIST, SP800-38E: “Recommendation for block cipher modes of operation: the XTS-AES mode for confidentiality on block-oriented storage devices”, 2009 [23].
Description: An extension of XEX which uses different keys for encryptions.
Evaluation: This mode also supports the encryption of texts of unusual size, i. e. texts of a size which is not a multiple of the block length of the underlying cipher.

Table 3: Literature overview on modes of operation
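The complementation property and the weak keys discussed in section 3.2.1, and the matching-ciphertext leakage of ECB that an address-tweaked mode such as XEX avoids (this section), can be reproduced on a toy 16-bit Feistel cipher. The script below is an added example, not code from the BSI document or from the cited papers; the cipher, its S-box, the bit-selection key schedule and the 16-bit reduction polynomial are constructed for the demonstration only.

```python
"""Toy 16-bit Feistel cipher used to demonstrate three points from the text:
the complementation property, weak keys from a bit-selection key schedule,
and matching-ciphertext leakage under ECB versus an address-tweaked XEX mode.
Constructed for illustration only; it is not a secure cipher."""

ROUNDS = 8
# Constructed nonlinear 8-bit lookup table (not a cryptographically designed S-box).
SBOX = [((x * 113) ^ (x >> 3) ^ ((x * x) >> 4)) & 0xFF for x in range(256)]


def rotl16(x, n):
    """Rotate a 16-bit value left by n bits."""
    n %= 16
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def round_keys(key):
    """Key schedule: round key i is the low byte of the key rotated by i.
    Every round-key bit is simply a selected key bit (as in DES), so
    complementing the key complements every round key."""
    return [rotl16(key, i) & 0xFF for i in range(ROUNDS)]


def feistel_rounds(block, rks):
    left, right = block >> 8, block & 0xFF
    for rk in rks:
        left, right = right, left ^ SBOX[right ^ rk]
    # Undo the final swap so the same routine with reversed keys decrypts.
    return (right << 8) | left


def feistel_encrypt(key, block):
    return feistel_rounds(block, round_keys(key))


def feistel_decrypt(key, block):
    return feistel_rounds(block, round_keys(key)[::-1])


def weak_keys():
    """Keys whose round keys are all identical. For such a key the round-key
    sequence reads the same backwards, so encryption equals decryption and
    E_K(E_K(P)) = P; a brute-force search can skip or detect these keys."""
    return [k for k in range(1 << 16) if len(set(round_keys(k))) == 1]


def gf16_double(x):
    """Multiply by alpha in GF(2^16). The reduction polynomial x^16+x^12+x^5+1
    (CRC-16-CCITT) is an assumption for the toy; XTS uses x^128+x^7+x^2+x+1."""
    x <<= 1
    if x & 0x10000:
        x ^= 0x11021
    return x & 0xFFFF


def ecb_encrypt(key, words):
    """ECB: equal plaintext words give equal ciphertext words (dictionary leak)."""
    return [feistel_encrypt(key, w) for w in words]


def xex_masks(key, page, count):
    """XEX: tweak T = E_K(page); block i inside the page uses mask T * alpha^i.
    If E_K(page) happens to be 0 the page degrades to ECB; for 128-bit blocks
    that probability is negligible, for a 16-bit toy it is 2^-16."""
    mask = feistel_encrypt(key, page)
    masks = []
    for _ in range(count):
        masks.append(mask)
        mask = gf16_double(mask)
    return masks


def xex_encrypt(key, page, words):
    return [feistel_encrypt(key, w ^ m) ^ m
            for w, m in zip(words, xex_masks(key, page, len(words)))]


def xex_decrypt(key, page, words):
    return [feistel_decrypt(key, c ^ m) ^ m
            for c, m in zip(words, xex_masks(key, page, len(words)))]


if __name__ == "__main__":
    key, pt = 0x1357, 0xABCD                      # constructed key and plaintext
    complemented = feistel_encrypt(key ^ 0xFFFF, pt ^ 0xFFFF)
    print("complementation holds:", complemented == feistel_encrypt(key, pt) ^ 0xFFFF)
    print("weak keys:", [hex(k) for k in weak_keys()])
    page = [0x0000] * 6 + [0xBEEF, 0x0000]        # constructed page: mostly padding words
    print("ECB distinct ciphertexts:", len(set(ecb_encrypt(key, page))))
    print("XEX distinct ciphertexts:", len(set(xex_encrypt(key, 0x0004, page))))
```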

3.3 Cryptanalytic attacks using side-channel information

In addition to the methods given in the cryptanalysis table, there are also attacks which exploit some side-channel knowledge to improve the success probability of an attack. Attacks of this kind require accurate recovery of internal state bits, which is often not achievable in side-channel analysis. The table below includes this type of combined attacks and comments on their applicability.

Reference: M. Renauld and F.-X. Standaert: “Algebraic Side-Channel Attacks”, ’09, available online [25].
Applicable to: Block ciphers with round functions of a low algebraic degree.
Description: Side channel information is used for more easily solving the algebraic system obtained from the encryption function.
Evaluation: Algebraic attacks represent the encryption function as a large series of equations. Any accurate information about the internal states of the encryption can be used to simplify some of the equations.

Reference: L. Yang et al: “Side Channel Cube Attack on PRESENT”, CANS ’09 [22].
Applicable to: Block ciphers with round functions of a low algebraic degree.
Description: An improved algebraic attack using accurate side channel information.
Evaluation: A specific bit of the third round state should be available to the attacker to recover the 80-bit key of full PRESENT with 256KB of chosen plaintext data. This number can be considerably lower for weaker ciphers, which makes this attack critical under the required assumption.

Table 4: Literature overview on combination attacks with side-channels

4 Vulnerability analysis of memory encryption

The memory encryption is only one part of the security features protecting the confidentiality of data stored in the memory. Therefore the evaluator shall include the memory encryption in the vulnerability analysis of the TOE provided that (1) the TSF shall protect the confidentiality of user data, TSF data or other data stored in memory (called assets in the following), (2) the TSF uses data encryption or address encryption to protect the confidentiality of these assets during their storage in memory or during the internal transfer of the stored ciphertext, and (3) the non-cryptographic security countermeasures alone are not sufficient to resist the identified potential attacks with the attack potential claimed in the security target. Taking the implemented cryptographic security mechanisms into account results in a more comprehensive, and therefore more precise, vulnerability assessment of the TOE. This chapter describes specific aspects of the vulnerability analysis of memory encryption as part of the vulnerability assessment of the memory protection. These aspects relate to the identification of the requirements, the examination of the security features, the identification of potential vulnerabilities and the assessment of the resistance against attacks. They follow the work flow of the vulnerability analysis. The chapter concludes with examples illustrating the general evaluation methodology for memory encryption.

4.1

Preparation for the vulnerability analysis of memory encryption

4.1.1

Identification of the security requirements for memory protection

This section describes the first step towards a vulnerability analysis of the memory encryption: the identification of the security requirements for memory protection. The security requirements for memory protection and the claimed resistance against attacks define the criteria for the vulnerability analysis of its security features, including those for memory encryption if implemented. In the following it is assumed that the TOE implements the protection of the assets by means of physical and logical countermeasures including cryptographic security mechanisms, i. e. the conditions (1) and (2) above are fulfilled. The protection of the confidentiality of data stored in the memory may be explicitly required by an SFR in the security target or may implicitly follow from the security architecture of the TOE. The security target may (1) require memory protection directly by security functional requirements (SFRs) (cf. ASE_REQ), or (2) describe memory protection as a security feature against interference in the TOE summary specification (cf. ASE_TSS.2.2C). The ST may define an extended component (or reference the definition of an extended component in a certified protection profile) in order to describe explicitly an SFR for the protection of the confidentiality, or even the encryption, of data stored in the TOE memory. The ST may describe memory encryption using the component FCS_COP.1. The component FPT_PHP.3 describes requirements for resistance against physical tampering such that the SFRs are always enforced. Note that CC part 2 defines similar SFRs only for the protection of the integrity of stored user data (cf. FDP_SDI family) and for internal data transfer protection with an operation for confidentiality protection (cf. FDP_UIT family for user data and FPT_ITT.1 for TSF data).


The security architecture of the TOE may include the protection of the confidentiality of data stored in the memory even if it is not directly required by any SFR in the security target. The memory protection, and the memory encryption as a mechanism implementing this security feature, may (1) contribute to the self-protection of the TSF from tampering, and (2) support the non-bypassability of the SFR-enforcing functionality. If the security architecture includes memory protection as a security feature or memory encryption as a security mechanism, the evaluator will consider these security features when searching for ways in which the protection of the TSF can be undermined (cf. CEM work units AVA_VAN.{2,3,4}-4, AIS34, work unit AVA_VAN.5-4). Note that the criteria of the vulnerability analysis are exploitable vulnerabilities, i. e. weaknesses in the TOE that can be used to violate the SFRs in the operational environment of the TOE. Defeating the memory encryption as a security feature of the security architecture is only one step on the complex attack path violating the SFR. As output of this activity the evaluator learns (1) whether the security target requires TSF protection for data stored in memory by an SFR or as a security feature, (2) whether the security target requires memory encryption by an SFR or as a security feature, (3) the type and amount of data stored as user data, TSF data or TOE implementation in this protected memory, and (4) the claimed resistance against attacks violating the SFR.

4.1.2

Description of memory encryption

The functional specification describes the external TSF interface of the memory protection as the physical boundary of the TOE, i. e. an explicitly defined continuous perimeter that establishes the physical bounds of the TOE and contains all the hardware, software, and/or firmware components of the TOE (cf. [SDIC] about ADV_FSP). The IC surfaces of the areas where the encrypted memory, its buses and the cryptographic modules are located, and the physical entry or exit points of physical signals of the TOE (ports), together with the internal logical interface to the memory, build the attack surface of the memory encryption. In almost all cases the functionality of the memory encryption will not be directly accessible or manageable through the external interfaces of the TSF, because the CPU and the other components using stored data are connected to the memory through the cryptographic modules of the memory encryption. These components receive from and send to the memory plaintext only and have no access to the corresponding ciphertexts or to the memory encryption keys. In cryptographic terms, these components know or choose plaintext without knowing the corresponding ciphertext. The key management of the memory encryption may or may not be under control through external interfaces of the TSF; e. g. the hardware or the dedicated software may control the key generation for the data and address encryption of the core's external RAM during start-up after power-on, whereas the keys for the EEPROM encryption are fixed after the initial start-up of the TSF, and the keys for the ROM encryption are even fixed before TOE production. The TOE design provides a thorough description of the TSF. If memory protection or memory encryption is claimed by an SFR in the security target, the TOE design shall describe the modules and the security mechanisms implementing this SFR or these SFRs (cf. purpose of modules according to ADV_TDS.3 or higher components). The security architecture description (cf. ADV_ARC.1) may also describe memory encryption as an independent security feature and provide, or reference in the TOE design, the description of its function and cryptographic mechanisms.


The memory encryption is implemented by means of cryptographic modules for data encryption, address encryption or both, including the key management. The developer shall describe the memory encryption in terms of (1) the security functions of the memory encryption, i. e. describe what (in terms of actions) the memory encryption does in order to provide the intended protection. This description shall cover data encryption and address encryption as implemented and the management of the memory encryption keys (cf. chapter 2.2), and (2) the security mechanisms of the memory encryption, i. e. describe how a security function (or a part of it) is implemented in order to meet an SFR or to enforce architectural soundness. The level of detail is defined by the purpose of the modules (cf. component ADV_TDS.3 or higher). The description shall include (3) all cryptographic algorithms implemented in the cryptographic modules, i. e. for data encryption, address encryption and secret sharing mechanisms as implemented, and (4) the key management for these cryptographic algorithms, i. e. how the keys are generated, the amount of data, the number of TOE instantiations and the time for which the keys are used. Note that the TSF may use different cryptographic algorithms and keys for different memory areas under cryptographic protection. The TOE implementation representation made available for ADV_IMP shall include the implementation of the memory encryption. The evaluator will use the implementation representation to examine whether the TOE conforms to its design. Note that, because of the lack of interfaces available for tests (e. g. known answer tests with plaintext and ciphertext), the examination of the implementation representation may be the only way to determine the correctness of the memory encryption implementation (cf. CEM, sec. 14.2.2).
As output of this activity the evaluator gains a thorough description of the TSF and TSFI of the memory encryption: (1) the external interfaces of the memory protection, (2) the internal interfaces of the memory encryption, (3) the functionality and properties of the cryptographic mechanisms of the memory encryption for data encryption, address encryption and key management, and (4) the implementation of the cryptographic mechanisms of the memory encryption. For the vulnerability analysis of the memory protection the evaluator should use the developer evidence provided for the memory areas under protection, the buses and the cryptographic modules, which includes but is not limited to the following:

• the method of memory use, e. g. the type and amount of data stored in the memory as user data, TSF data or TOE implementation,

• the physical locations of the memory areas, the buses and the cryptographic modules in the device, e. g. metal layer, location viewed from the chip surface,

• the physical protection of the memory, the buses and the cryptographic modules against reading, temporary manipulation and permanent modification,

• the logical protection of the memory against reading and writing, e. g. provided by the MMU,

• the stability against perturbation of the TSF components that may affect the memory, the buses and the cryptographic modules.


4.1.3

Security architecture of memory encryption

The security architecture of the TOE may describe the security feature of memory protection as provided by a combination of (1) security properties of the memory, especially of the technology used, (2) non-cryptographic countermeasures (e. g. active shielding protecting RAM), and (3) security mechanisms including the memory encryption. The developer shall demonstrate the security properties of the memory encryption, including evidence for the claimed cryptographic resistance of the implemented cryptographic algorithms. The security architecture of the TSF (cf. CC part 3, assurance family ADV_ARC) shall describe how the TSF initialization process is secure (cf. element ADV_ARC.1.3C), how the TSF protects itself from tampering (cf. element ADV_ARC.1.4C) and how the TSF prevents bypass of the SFR-enforcing functionality (cf. element ADV_ARC.1.5C). The following paragraphs describe specific security architectural aspects of memory encryption that

• the developer should consider in the design and implementation of the TOE and the TSF,

• the developer shall describe in the security architecture documentation,

• the evaluator shall analyse in the vulnerability analysis.

Domain separation is a property whereby the TSF creates separate security domains for itself and for each untrusted active entity to operate on its resources, and keeps those domains separated from one another so that no entity can run in the domain of any other. If the TSF maintains security domains it may (but is not required to) support domain separation by memory encryption with different keys for the different memory areas assigned to these security domains.

The security architecture description shall describe how the TSF initialization process is secure. With respect to memory encryption the initialization process distinguishes the transition between at least two states: (1) power-off state: the TOE stores key components in the key storage and only ciphertexts in the other protected memory areas. The TSF is non-operational in the sense that only the physical protection is active for all data stored in these memory areas, and the memory encryption is active for the encrypted memory. (2) operational state: the CPU and other functional components like co-processors read, operate on and write plaintext data. The encryption and decryption functionality for data and addresses is operational and transparent for these components. In the power-off state, ciphertext-only attacks and known-plaintext attacks can be performed against the memory encryption. The key storage can be physically attacked in order to read all key components and to reconstruct the cryptographic keys. Manipulation of the stored data may prepare chosen-plaintext attacks and chosen-ciphertext attacks in the power-on state. In the transition phase from the power-off state to the operational state the attacker may monitor initialization processes, start-up self-tests and intermediate states in order to reconstruct the cryptographic keys from the key components and side-channel information. In the operational state the attacker may observe the encryption and decryption process in order to get plaintext-ciphertext pairs of the data encryption and of the address encryption for the same attacks as in the power-off state. Additionally, chosen-plaintext attacks and adaptive chosen-plaintext attacks may be performed if the executed code allows such operations or the operation of the CPU is manipulated. The security architecture description shall demonstrate the non-bypassability of the SFR-enforcing functionality. With respect to the memory encryption the security architecture description shall demonstrate that


(1) the memory encryption is effective for all assets during storage and during transfer between the data encryption module and the memory (i. e. the plaintext data are available only in absolutely necessary areas of the TOE, e. g. in the CPU and on short plaintext buses), (2) the TSF ensures that cryptographic keys are stored only in the form of key components in potentially readable memory areas, so that the attack effort necessary to compromise the key is sufficiently high, (3) plaintext-ciphertext pairs cannot easily be found in the device, e. g. the plaintexts of ciphertexts in unused memory areas are not obviously known, and the same data are not stored both encrypted and unencrypted, even in different memory areas, (4) the memory encryption is resistant against side-channel attacks. The TOE may run in power save modes in which some components are switched off. The security architecture description shall demonstrate that the enabling and disabling of parts of the TSF does not violate the security during power save modes. The security architecture description shall demonstrate the self-protection of the TSF. The self-protection of the TSF against compromise of data in the memory is achieved by binding physical and logical security mechanisms. The self-protection of the memory encryption itself shall ensure that an adversary reading physically stored data from the memory must (1) break both data encryption and address encryption, or (2) find all keys used by the TOE instance, or (3) combine both attack paths, i. e. find parts of the keys and break the remaining encryption, in order to get the plaintext data. The memory encryption shall resist tampering, e. g. perturbation attacks revealing keys or plaintext. As output of this activity the evaluator gains an understanding of (1) the role of memory protection and especially of memory encryption in the security architecture of the TOE, and (2) the security architectural properties of the memory encryption itself as input for the vulnerability analysis.

4.1.4

Physical and logical attacks on memory, buses and cryptographic modules

The vulnerability analysis will analyse potential vulnerabilities of the memory protection identified as described in section 4.1.1 and assess whether they are exploitable with the relevant attack potential in the intended operational environment. The description and the assessment of the physical attacks themselves are outside the scope of the guideline on hand; the reader is referred instead to the relevant supporting documents like [SDAP]. If the vulnerability analysis identifies potential vulnerabilities which could be exploited if only the non-cryptographic security countermeasures are taken into account, i. e. condition (3) above is fulfilled, the evaluator shall consider the implemented memory encryption. In the context of the guideline on hand, physical attacks include but are not limited to (1) measurement of signals at the contact-based and contactless interfaces of the device as implemented, including power supply, external clock and output interfaces; (2) measurement of signals at the physical boundary of the device, e. g. electromagnetic emanation, electric signals at the chip surface by means of needles;


(3) measurement of internal signals of the device, e. g. on data lines after opening the device or removing metal layers of the security integrated circuit; (4) reading the internal memory, e. g. ROM by means of optical inspection, EEPROM by means of an atomic force microscope; (5) manipulation through the contact-based and contactless interfaces of the power supply, the external clock and the input interfaces as appropriate; (6) manipulation of signals through the physical boundary of the device, e. g. by means of electromagnetic radiation, particle exposure, electric signals by means of needles, cutting or connecting lines; (7) manipulation of internal signals of the device, e. g. by means of needles; (8) manipulation of the memory content, e. g. of selected memory cells or registers; (9) perturbation of the program execution or of the processes in TOE components like CPU, MMU, cryptographic coprocessors and cryptographic modules. All cryptanalytic attacks on memory encryption presuppose attacks that provide ciphertexts or plaintext-ciphertext pairs, or that allow, by means of manipulation, chosen-plaintext attacks, chosen-ciphertext attacks or related-key attacks. In the following we analyse such attacks as prerequisites for the cryptanalysis of the memory encryption and the reconstruction of the assets in plaintext. Attacks against memory encryption are typically performed as combinations of logical cryptanalytic attacks and physical attacks on the cryptographic module and on the components handling the relevant data, like the memory, the buses, the CPU or the MMU. At first, non-cryptographic physical and logical attacks read ciphertext data with their physical (encrypted) addresses from the memory or the buses. But the semantic content of these encrypted data and addresses is not readily available. The cryptanalytic attacks try to reconstruct the plaintext data, the plaintext addresses and, at best, the cryptographic keys. If successful, the gained plaintexts and keys (together with other information, cf. memory address scrambling) enable or support further attacks: calculation of the physical location of other ciphertexts in memory, understanding of data read from the memory or the data bus, reconstruction of their logical addresses, re-engineering of the executed program and so forth. These physical attacks may be conducted at different points of the TOE implementation as shown in figure 4. Figure 4 illustrates these attack scenarios: the yellow ochre arrows indicate physical attacks, the blue arrows indicate passive and the red arrows indicate active access to the plaintexts and ciphertexts.


Figure 4: Memory attack scenarios

Passive physical attacks may bypass the encryption; these include but are not limited to the following: (1) Reading the plaintext addresses from the address bus segments between the CPU and the MMU or between the MMU and the address encryption module while the data under attack are read or written bypasses the address encryption. (2) Reading the plaintext data from the plaintext data bus segment while the data under attack are read or written bypasses the data encryption. Note that this bypass of the data encryption reads the plaintext blocks in the sequence in which they are used by the CPU. This information may be sufficient for the reconstruction of the logical addresses and therefore bypasses the address encryption as well. (3) Reading the plaintext data from the plaintext data bus segment and the plaintext addresses from the address bus segments while the data under attack are read or written bypasses the memory encryption. (4) Reading the data decryption key components from the key storage, reading the addresses from the plaintext address bus segments, and reading the ciphertexts with their physical addresses bypasses the memory encryption. (5) Reading the data decryption key components and the address encryption key components from the key storage, and reading the ciphertexts with their physical addresses bypasses the memory encryption.


Passive physical attacks may provide prerequisites for cryptanalytic attacks; these include but are not limited to the following: (1) Reading data on the ciphertext data bus segment provides encrypted data for ciphertext-only attacks on the data encryption using redundancy within data blocks, without consideration of the relationship between plaintext data blocks. (2) Reading addresses on the ciphertext address bus segment provides encrypted physical addresses for ciphertext-only attacks on the address encryption using redundancy within the address sequences of the executed program. Note that in some cases (e. g. RAM) the attacker may determine the location of the memory cells actually read or written by direct optical inspection through the light emission of hardware activity. (3) Reading stored data with their physical addresses directly from the memory provides encrypted data and encrypted addresses for ciphertext-only attacks on the memory encryption (even when the TOE is switched off). This attack on the memory encryption implies attacks on data encryption and address encryption. (4) Reading data on the ciphertext data bus segment and reading addresses on the ciphertext address bus segment while the TOE is running provides encrypted data and encrypted addresses for ciphertext-only attacks on the memory encryption. (5) Reading data from the plaintext data bus segment and from the ciphertext data bus segment while the TOE is running provides plaintext-ciphertext pairs for known-plaintext attacks on the data encryption, without consideration of the relationship between plaintext data blocks. (6) Reading addresses from the address bus segments between the CPU and the MMU or between the MMU and the address encryption module, and reading addresses from the ciphertext address bus segment while the TOE is running provides plaintext-ciphertext pairs for known-plaintext attacks on the address encryption. (7) Reading plaintext data, ciphertext data, plaintext addresses and ciphertext addresses from the respective bus segments while the TOE is running provides plaintext-ciphertext pairs for known-plaintext attacks on the memory encryption with consideration of the relationship between data blocks. This attack on the memory encryption aims at the reconstruction of the keys used for data encryption and address encryption. If performed successfully, it allows the reconstruction of plaintexts from ciphertexts and physical addresses read from the encrypted memory. Note that the attacker may gain information about plaintext data and plaintext addresses from other sources as well, e. g. if the code executed while the data or addresses are read is known or may be guessed. These attack scenarios depend on the operational environment of the security integrated circuit or the embedded software of the smartcard or other device as TOE. Active physical attacks may manipulate stored data in the memory, data transferred on the data bus, addresses on the address bus or data within the cryptographic modules. They may provide prerequisites for additional cryptanalytic attacks, which include but are not limited to the following: (1) Modification of data on the plaintext data bus segment and reading of data on the ciphertext data bus segment provide plaintext-ciphertext pairs for chosen-plaintext attacks on the data encryption.

37

Vulnerability analysis of memory encryption

(2) Modification of data on the ciphertext data bus segment and reading of data on the plaintext data bus segment provide plaintext-ciphertext pairs for chosen-ciphertext attacks on the data encryption. (3) Modification of addresses on the address bus segments between the CPU and the MMU or between the MMU and the address encryption module, and reading of the encrypted addresses on the ciphertext address bus segment, provide plaintext-ciphertext pairs for chosen-plaintext attacks on the address encryption. (4) Modification of the memory content and reading of the corresponding data on the plaintext data bus segment when the manipulated memory part is read provide plaintext-ciphertext pairs for chosen-ciphertext attacks on the data encryption. (5) Manipulation of the key storage in order to cause errors or to generate related keys. Note that chosen-ciphertext attacks are not possible for the address encryption because no decryption algorithm is implemented. Chosen-ciphertext attacks on read-only memory require physical manipulation of the memory content. The attacker may use specific behaviour of the TOE in cases of manipulation or perturbation, which includes but is not limited to the following examples: (1) A reset of a smartcard forces the CPU to start program execution at logical address 0. (2) If the CPU reads the program code 0x00, it executes “no operation” (i. e. assembler code NOP) and reads the code byte from the next logical address. In summary, the vulnerability analysis of the non-cryptographic memory protection provides

• the basis for the decision whether the vulnerability analysis of the memory encryption will be performed or not,

• the goal of the cryptanalysis of the memory encryption, namely to determine whether the cryptographic mechanisms fill the gap to the claimed resistance, and

• the conditions and the criteria of success for the cryptanalytic attacks.

As a general rule one may observe that the effort of the physical attacks providing the necessary conditions for the cryptanalytic attacks and the effort of the cryptanalytic attacks themselves are antagonistic:

• easy physical attacks enable only more difficult cryptanalytic attacks based on limited information, e. g. reading the ROM provides ciphertext data and ciphertext addresses only, for simultaneous attacks on the data and address encryption schemes,

• comfortable cryptanalytic attacks require complex and therefore expensive (in terms of attack potential) physical attacks, e. g. chosen-plaintext attacks require active and passive attacks at two different places in the device.

4.2

Identification of potential vulnerabilities of memory encryption

The vulnerability analysis of the memory protection will be performed by the evaluator in one or two steps. In the first step the evaluator analyses the potential vulnerabilities and the resistance of the memory against attacks if only the protection provided by the non-cryptographic security mechanisms is taken into account. Note that in the first step of the vulnerability analysis the evaluator bears in mind the existence of the memory encryption but does not assess its contribution to resisting attacks. If the evaluator finds potential vulnerabilities where the non-cryptographic security countermeasures alone are not sufficient to resist attacks with the attack potential claimed in the security target, the evaluator will extend the vulnerability analysis in a second step, analysing potential vulnerabilities and assessing the effectiveness of the cryptographic security countermeasures. The results of the assessment of the cryptographic security countermeasures will be taken into account in the assessment of the complex attacks on the data stored in the memory. Because of the limited resources for memory encryption and the potential vulnerability to direct physical attacks on the keys and on the cryptographic module itself, the memory encryption cannot ensure a security strength comparable to that of communication security, but it may raise the necessary attack potential to the claimed level of resistance. The evaluator shall perform an independent focused or methodical vulnerability analysis of the TOE according to the AVA component claimed in the security target. This analysis shall identify potential vulnerabilities of the TOE. Typical potential vulnerabilities of memory encryption are the following. (1) Keys allow for brute-force attacks. The brute-force attack tries all possible cryptographic keys for the decryption of given ciphertexts in order to find a key providing the corresponding plaintext. Note that for brute-force attacks the attacker needs reliable criteria for checking the correct key, such as redundant plaintexts or ideally plaintext-ciphertext pairs. The attacker will succeed if the set of possible keys is small enough (e. g. because of short keys) or if insufficient entropy in the key generation enables an effective key guessing strategy (cf. [KS2011]). Key generation by means of an appropriately strong true random number generator ensures the maximum guessing effort for the given key length (cf. [RNG]). The number of keys the attacker may guess depends on the time and equipment available for the attack (cf. chapter 4.3). (2) Low complexity of the cryptographic algorithm allows for algebraic attacks. The cryptographic modules implement simple cryptographic algorithms because of the limited resources provided for the implementation of the cryptographic modules and the limited time for the cryptographic operations. The low complexity of the cryptographic algorithm may allow the attacker to calculate the key directly from known plaintext-ciphertext pairs by solving the equations between plaintext, ciphertext and key, to approximate these equations by linear equations, to split the key into parts which can be calculated separately, and so forth. Note that simplified cryptographic algorithms derived from strong cryptographic algorithms may be weaker than expected at a quick glance. (3) Incorrect implementation results in cryptographic weaknesses. Only a correct implementation can reach the theoretically expected cryptographic strength of the algorithm. The security of a cryptographic module is very sensitive to implementation errors. Similar but incorrect implementations of the algorithm may have a cryptographic impact unforeseen by the developer, which is unlikely to increase the security and normally results in weak or unknown security. (4) Insecure implementation bypasses the cryptographic strength. Even a correct algorithmic implementation may be insecure because of side channels, proneness to failure and information leakage in case of perturbation, and so forth. In addition to potential vulnerabilities the evaluator may determine missing assurance of the memory encryption.


(5) Proprietary algorithms are not sufficiently analysed. The developer may implement proprietary algorithms for memory encryption because their internal use creates no need for interoperability. The vulnerability analysis may find obvious vulnerabilities, but the evaluation framework cannot afford a comprehensive cryptographic analysis of a proprietary algorithm to demonstrate sufficient strength. The developer is in charge of the cryptanalysis of its proprietary algorithms, which may be very specific and therefore expensive. The lack of evidence of cryptographic strength may result in an inconclusive verdict of the vulnerability analysis of the memory encryption.

The focused or methodical vulnerability analysis for AVA_VAN.3 to AVA_VAN.5 includes the search for publicly available information about potential vulnerabilities. The method of identification encountered depends on the evaluator's experience and knowledge, which is monitored and controlled by the evaluation authority. The evaluator is assumed to have knowledge of the TOE-type technology and of known security flaws as documented in the public domain (cf. CEM para. 1925, 1927). The vulnerability analysis shall use the CC evaluation scheme documents. The search is expected to include

• proceedings of cryptologic conferences and workshops, e. g. organized by or in cooperation with the International Association of Cryptologic Research (IACR), cf. the home page www.iacr.org,

• cryptologic publications like the Cryptology ePrint Archive, cf. http://eprint.iacr.org.

Note that the publicly available sources will rather describe cryptanalytic methods than directly applicable cryptanalytic attacks on the memory encryption under evaluation, especially in case of proprietary cryptographic algorithms. The application of the cryptanalytic methods to the concrete cryptographic algorithms depends on the expertise of the attacker, and its assessment requires cryptologic knowledge and expertise of the evaluator. The search for vulnerabilities of the memory encryption may start from different points of view: from potential physical vulnerabilities or from potential cryptographic vulnerabilities, from data encryption or from address encryption. The evaluator should analyse the physical attack part first in order to determine the conditions for the cryptanalytic attack on data encryption or address encryption or both together, by means of probabilistic guesses of plaintext-ciphertext pairs, known plaintext-ciphertext pairs, chosen plaintexts or chosen ciphertexts. When these conditions are clearly understood the evaluator may analyse whether the cryptographic algorithm is vulnerable under these conditions. The evaluator may also know potential cryptanalytic attacks against data encryption or address encryption and analyse whether they can be practically mounted under the specific conditions. The attacker may use the redundancy within the plaintext data blocks and then use dependencies between the plaintext data blocks. In many cases the evaluator will combine these approaches.

4.3 Characterization of the attack potential for cryptanalytic attacks on memory encryption

The work unit AVA_VAN.x.11 (cf. CEM and AIS34) requires the evaluator to examine the results of all penetration testing to determine that the TOE, in its operational environment, is resistant to an attacker possessing the attack potential claimed in the security target. The vulnerability analysis of memory encryption performed by the evaluators assesses the cryptanalytic attack effort as part of the effort of a complex attack on the memory which provides all necessary conditions for the cryptanalytic attack and violates a security functional requirement. But this vulnerability analysis neither requires nor claims to be a comprehensive cryptanalysis of the memory encryption. The certification body shall review the vulnerability assessment of the memory protection, including the vulnerability analysis of the memory encryption as its part. The confirmation of resistance against attacks on memory protection cannot be seen as a general confirmation of the cryptographic strength of the memory encryption scheme.

The attack potential calculation for smartcards and similar devices distinguishes between the identification phase and the exploitation phase of an attack (cf. [SDAP]). The identification phase of a cryptanalytic attack may include

• the determination of the fixed parts of the cryptographic algorithms implemented in the cryptographic modules of the memory encryption, e. g. from publicly available information or by reconstruction by means of cryptanalytic methods,

• the reconstruction of the variable parts of the cryptographic algorithms implemented in the cryptographic modules which are valid for the TOE under attack in the exploitation phase but are also implemented in TOE instantiations available in the identification phase, e. g. long-term keys or group keys,

• the adaption of publicly known cryptanalytic attacks or the development of specific cryptanalytic attacks on the memory encryption algorithms,

• the development of tools for the cryptanalytic attacks applicable to the memory encryption algorithms.

Note that the identification phase may provide keys valid for TOE samples available in the identification phase but not the device-individual keys used by the concrete TOE under attack in the exploitation phase. E. g. the developer chooses the substitution boxes of a block cipher for each customer-specific instantiation of the TOE from a well-defined set of permutations. The attacker may reconstruct a subset of substitution boxes as long-term keys in the identification phase but must identify the concrete substitution boxes used by the TOE sample under attack. The attack effort clearly depends on the number of TOE samples implementing the same key and the availability of these samples for attacks.

In the exploitation phase the attacker applies the cryptanalytic attacks developed in the identification phase to attack concrete TOE samples. The attacker may use the information gained and tools developed by himself or provided by another attacker. The cryptanalytic attack aims at assets stored in the memory of the TOE samples under attack:

• the reconstruction of information encoded in the plaintext for a given ciphertext, enabling or supporting other attacks on the TOE,

• the reconstruction of prior unknown plaintexts for given ciphertexts of the TOE sample without reconstruction of the used cryptographic key,

• the reconstruction of prior unknown keys enabling the reconstruction of the plaintext from given ciphertext of the TOE sample.

E. g. if the ROM encryption uses ROM keys which are different for each customer photo mask but the same for all products produced with the same photo mask, the attacker will reconstruct the specific ROM key in order to decrypt the ciphertext read from the ROM of the TOE sample under attack. If the dedicated software stored in this ROM is partly known from other sources (e. g. other chips), this information may be used to reconstruct the specific ROM key and to decrypt ciphertext parts read from the ROM that contain prior unknown plaintext of the embedded software.

The calculation of the attack potential required to exploit a vulnerability is generally defined in CEM Annex B chapter 4.2:

a) Time taken to identify and exploit (Elapsed Time);
b) Specialist technical expertise required (Specialist Expertise);
c) Knowledge of the TOE design and operation (Knowledge of the TOE);
d) Window of opportunity;
e) IT hardware/software or other equipment required for exploitation.

These factors are described in more detail and extended with the factor “Open samples” for the technical domain smartcards in CCDB-2009-03-001 [SDIC]. The document on hand describes further details for the factors “Specialist Expertise”, “Knowledge of the TOE” and “IT hardware/software or other equipment” applicable to the cryptanalysis of memory encryption in the context of the vulnerability analysis of the memory protection. It additionally gives clarification about the use of open samples. For the factors “Elapsed Time” and “Access to TOE” (see footnote 3) no further details are provided. The points assigned to the defined categories of the factors in [SDIC] are not changed.

Note that cryptanalysis normally assesses the attack effort as a tradeoff between time and memory for the calculation, under the condition that all fixed parts of the cryptographic scheme are known. The evaluator is searching for the best attack minimizing the attack effort as a tradeoff between

• IT hardware/software or other equipment, which includes aspects of memory and time of calculation,

• Elapsed Time, including the time for the cryptanalytic calculation but also the time for identification of the attack,

• Specialist Expertise on different levels, but always assumed as Expert in cryptanalysis,

• under different conditions given by Knowledge of the TOE.

The factor “Specialist Expertise” refers to the level of generic knowledge of the underlying principles, product type or attack methods (cf. CEM para. 1973). For the vulnerability analysis of memory encryption this factor applies to the specific cryptanalytic knowledge of the attacker necessary to perform the cryptanalytic attack. The expertise level “Laymen” is applicable to attackers without particular cryptanalytic knowledge but able to apply publicly available tools (cf. factor Standard equipment). The “Proficient” level of expertise assumes the knowledge and understanding of publicly known cryptanalytic attacks, so as to be able to adapt them to the specific algorithms of the TOE memory encryption. As an example one may think of the application of differential cryptanalysis to a block cipher with a customer-specific substitution box. It is expected that the expert level will be required as a minimum for the development of Specialized equipment as defined below. The “Expert” level attacker is familiar with and able to develop specific cryptanalytic attacks for proprietary algorithms. The development of specific cryptanalytic attacks on the memory encryption of the TOE may require deep knowledge and experience of cryptanalytic techniques. The Expert is required if a prior unknown complex cryptographic algorithm must be reconstructed by cryptanalytic attacks instead of re-engineering the cryptographic module from the TOE itself (cf. factor Knowledge of the TOE). It is expected that the Expert level will be required for effective usage of Bespoke equipment as defined below. The factor “Specialist Expertise” shall be applied for memory encryption as summarized in table 5.

3 [SDIC] uses the term “Access to TOE” instead of “Window of opportunity” in [CEM].


Column headings of table 5: (a) Definition according to CEM chapter B.4.2; (b) Detailed definition to be used in smartcard evaluations (cf. CCDB-2009-03-001 [SDIC]); (c) Detailed definition to be used in memory encryption analysis.

Laymen
(a) No particular expertise
(b) No particular expertise
(c) No particular expertise. Application of publicly available tools to perform publicly known attacks only.

Proficient
(a) Familiar with security behaviour of the TOE
(b) Familiar with security behaviour of the TOE and classical attacks
(c) Familiar with and able to adapt publicly known cryptanalytic attacks to specific algorithms.

Expert
(a) Familiar with developers' knowledge, namely algorithms, protocols, hardware structures, principles and concepts of security; and techniques and tools for the definition of new attacks
(b) Familiar with implemented algorithms, protocols and hardware structures of the TOE; and principles and concepts of security
(c) Familiar with and able to develop specific cryptanalytic attacks for proprietary algorithms

Table 5: Expertise of the attacker

The factor “Knowledge of the TOE” is concerned with the information required for an attacker to be able to attack a TOE (cf. CEM para. 1983). This factor relates here to the details and the protection of information about the cryptographic modules, the variable parts of the cryptographic algorithms and the data necessary for the cryptographic attack. The knowledge can be gained from the development side, from the documentation provided to the users (e. g. the application developer of a composite product), from public sources or by re-engineering of TOE samples. The evaluator should consult the developer's security policy and the protection of the relevant TOE knowledge in order to confirm the assumed level (cf. ALC_DVS evaluator activities). The evaluator shall consider the other results of the vulnerability analysis in order to assess the attack effort for reconstruction of the necessary information by re-engineering of the TOE samples and the memory protection. The level “Public” relates to information available in the public domain. Note that public information may include information in general or even for the TOE, e. g. cryptographic algorithms of the memory encryption, cryptanalytic attacks, compromised long-term or group keys, plaintext of stored data. The levels “Restricted”, “Sensitive” and “Critical” address the protection of the information in the development environment. Table 6 provides typical examples of information expected under this protection. The evaluator is reminded that this information may also be gained from the TOE sample under attack by non-cryptographic and cryptanalytic attacks. Cryptanalytic attacks without prior knowledge of the used cryptographic algorithm are possible only in rare cases of weak encryption schemes or by Experts reconstructing the encryption scheme. Note that the level “Very critical hardware design” will not be used for the Knowledge of the TOE related to cryptanalytic attacks because this knowledge relates to the logical functionality of the TOE only. The factor “Knowledge of the TOE” shall be applied for memory encryption as shown in table 6.

Column headings of table 6: (a) Definition according to CEM chapter B.4.2; (b) Detailed definition to be used in smartcard evaluations (cf. CCDB-2009-03-001 [SDIC]); (c) Detailed definition to be used in memory encryption analysis.

Public
(a) Public information concerning the TOE (e. g. as gained from the Internet)
(b) This is information in the public domain.
(c) Cryptographic algorithms of memory encryption if publicly available.

Restricted
(a) Restricted information concerning the TOE (e. g. knowledge that is controlled within the developer organization and shared with other organizations under a non-disclosure agreement)
(b) This corresponds to assets which are passed about during the various phases of smartcard development.
(c) Proprietary algorithm if described in documentation like functional specification, guidance documentation

Sensitive
(a) Sensitive information about the TOE (e. g. knowledge that is shared between discrete teams within the developer organization, access to which is constrained only to members of the specified teams)
(b) TOE design on level of subsystems and modules (HLD and LLD information)
(c) Proprietary algorithm if not described in customer documentation

Critical
(a) Critical information about the TOE (e. g. knowledge that is known by only a few individuals, access to which is very tightly controlled on a strict need to know basis and individual undertaking).
(b) Implementation representation (Design and Source Code).
(c) Long term keys like substitution boxes, group keys

Very critical hardware design
(a) (not defined)
(b) Information contained in databases and bespoke development tools. The access to useful data requires an enormous and time consuming effort which would make detection likely even with the support from an insider.
(c) (not applicable)

Table 6: Knowledge of the TOE


The factor “IT hardware/software or other equipment” refers to the equipment required to identify or exploit a vulnerability (cf. CEM para. 1982) and takes the equipment category, price and availability into account (cf. [SDIC] para. 35). The rating “None” is applicable only if the calculation may be performed by hand (e. g. if xoring ciphertext and plaintext provides the key). The definition of “Standard equipment” includes a personal computer or workstation with publicly available software implementing standard cryptanalytic attacks, including support for calculation on GPUs and clusters. It takes into account that there are publicly available tools that implement standard cryptanalytic techniques for standard cryptographic algorithms and do not require cryptanalytic knowledge of the attacker himself. The rating “Specialized” equipment includes tools developed for proprietary cryptographic algorithms, adapted for cryptanalytic attacks due to specific prerequisites of the TOE, or running on publicly available non-standard computers. Specialized tools may be developed in the identification phase and be readily available to the attacker in the exploitation phase. “Bespoke” tools are not readily available to the public as they may need to be specially produced or their distribution is controlled, possibly even restricted. Examples of Bespoke equipment for cryptanalytic attacks are special hardware devices with special software for cryptanalytic calculations, e. g. a non-standard key cruncher. The factor “IT hardware/software or other equipment” shall be applied for memory encryption as summarized in table 7.

Column headings of table 7: (a) Definition according to CEM chapter B.4.2; (b) Detailed definition to be used in smartcard evaluations (cf. CCDB-2009-03-001 [SDIC]); (c) Detailed definition to be used in memory encryption analysis.

None
(a) No equipment needed, e. g. for calculation performed by hand.
(b) (no entry)
(c) (no entry)

Standard
(a) Standard equipment is readily available to the attacker, either for the identification of a vulnerability or for an attack.
(b) cf. CEM for definition and [SDIC] for examples.
(c) Publicly available software for PC implementing standard cryptanalytic attacks, including support for calculation on GPU and cluster.

Specialized
(a) Specialised equipment is not readily available to the attacker, but could be acquired without undue effort.
(b) This type of equipment shall be considered as the type of expensive equipment which universities have in their possession, cf. [SDIC] for examples.
(c) Non-publicly available tools developed for a proprietary algorithm but acquired without undue effort.

Bespoke
(a) Bespoke equipment is not readily available to the public as it may need to be specially produced (e. g. very sophisticated software), or because the equipment is so specialised that its distribution is controlled, possibly even restricted. Alternatively, the equipment may be very expensive.
(b) cf. [SDIC]
(c) Special hardware devices with special software for cryptanalytic calculations.

Table 7: Equipment

[SDIC] introduces the factors “Open samples” and “Samples with known secrets” for the technical domain smartcards in the context of composite evaluations [SDCE]. Open samples allow the composite evaluator to put software on the hardware platform at his own discretion that bypasses countermeasures prescribed in the IC guidance. Samples with known secrets refers to a TOE for which the evaluator knows or can define one or more pieces of secret data, such as a PIN or key, for performing either passive (monitoring) or fault attacks. Open samples or Samples with known secrets available to an attacker enable specific attack paths and support the re-engineering of security features of the TOE. Open samples and Samples with known secrets will be of relevance for the vulnerability analysis of memory encryption in very special cases only. E. g. if the memory encryption may be enabled and disabled, Open samples allow malicious software running on the TOE to get direct access to ciphertext stored in the memory, yielding known plaintext-ciphertext pairs, chosen-plaintext-ciphertext pairs or plaintext-chosen-ciphertext pairs used by cryptanalytic attacks. Samples with known secrets may be used to generate templates for side channel analysis of memory encryption. The evaluator shall calculate the attack potential necessary for all identified successful attack paths.
The easiest case of a cryptanalytic attack is the exhaustive key search, which provides an upper bound of the time and memory complexity of the attacks in terms of the factors “Elapsed time”, “IT hardware/software or other equipment” and “Specialist Expertise” (necessary to handle the equipment), assuming the necessary plaintext-ciphertext pairs are given but without consideration of cryptanalytic vulnerabilities of the cryptographic algorithms allowing for more effective attacks. The evaluator may use a coarse estimation of the number of keys an attacker may try per second based on brute force attacks on 128-bit AES as follows:

• 1 personal computer: about 10^8 keys per second,
• 1 graphical processor unit (GPU): 4*10^8 keys per second,
• 1 FPGA running at 200 MHz: 2*10^8 keys per second, and
• 1 special device with about 2500 FPGAs: 1.2*10^11 keys per second.

A special personal computer may run with 4 GPUs. The number of tried keys per second depends on the effectiveness of the implementation of the cryptographic algorithm. Some algorithms are designed for high-speed software implementations, like AES; other algorithms are more time consuming, e. g. if they require bit permutations. Note that the brute force attack can be organized in parallel on several devices. The vulnerability analysis should consider that the range of equipment at the disposal of a potential attacker is constantly improving.
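As an added example (not part of the BSI document), the following Python script turns the throughput figures above into the coarse elapsed-time estimate for an exhaustive key search, shows how many known plaintext-ciphertext pairs make the key check reliable (potential vulnerability (1) above), and shows how insufficient key entropy (cf. [KS2011]) shrinks the search. The equipment labels, the entropy model and the scenarios in main are assumptions of this example.

```python
"""Coarse rating of exhaustive key search for the attack potential calculation.

Added example, not part of the BSI document.  The keys-per-second figures are
the ones quoted in chapter 4.3 for brute force on 128-bit AES; the equipment
labels, the entropy model and the scenarios below are assumptions.
"""
import math

# Throughput figures quoted in the text (keys per second, AES-128 brute force).
KEYS_PER_SECOND = {
    "pc": 1e8,                # 1 personal computer
    "gpu": 4e8,               # 1 graphical processor unit
    "fpga_200mhz": 2e8,       # 1 FPGA running at 200 MHz
    "fpga_box_2500": 1.2e11,  # special device with about 2500 FPGAs
}

SECONDS_PER_DAY = 86400.0
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keys_to_try(key_bits, entropy_bits=None, expected=True):
    """Number of candidate keys the attacker has to test.

    The nominal key space has 2**key_bits elements.  If the key generator
    supplied only entropy_bits of entropy, a guessing strategy ordered by key
    probability (cf. [KS2011]) covers roughly 2**entropy_bits candidates
    (modelled here as a plain truncation of the search space).  expected=True
    gives the average case (half the space), expected=False the worst case.
    """
    bits = key_bits if entropy_bits is None else min(key_bits, entropy_bits)
    space = 2.0 ** bits
    return space / 2 if expected else space


def expected_false_keys(key_bits, block_bits, pairs):
    """Expected number of wrong keys that still map all `pairs` known plaintext
    blocks to their ciphertext blocks: 2**key_bits candidates, each passing one
    block check with probability 2**-block_bits."""
    return 2.0 ** (key_bits - pairs * block_bits)


def min_known_pairs(key_bits, block_bits, max_false_keys=2.0 ** -20):
    """Smallest number of known plaintext-ciphertext pairs that makes the key
    check reliable, i.e. leaves at most max_false_keys spurious keys."""
    pairs = 1
    while expected_false_keys(key_bits, block_bits, pairs) > max_false_keys:
        pairs += 1
    return pairs


def search_time_seconds(keys, equipment, units=1, speed_factor=1.0):
    """Seconds for `units` devices of class `equipment` running in parallel.

    speed_factor scales the AES-128 figure for algorithms that are slower
    (e.g. bit permutations in software, factor < 1) or faster (factor > 1).
    """
    rate = KEYS_PER_SECOND[equipment] * units * speed_factor
    return keys / rate


def format_duration(seconds):
    """Human-readable duration for the rating report."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


def estimate(key_bits, block_bits, entropy_bits=None, equipment="pc",
             units=1, speed_factor=1.0):
    """Bundle the figures an evaluator would put next to the Elapsed Time and
    Equipment factors for a brute-force attack path."""
    keys = keys_to_try(key_bits, entropy_bits)
    seconds = search_time_seconds(keys, equipment, units, speed_factor)
    return {
        "equipment": f"{units} x {equipment}",
        "known_pairs_needed": min_known_pairs(key_bits, block_bits),
        "keys_tried_expected": keys,
        "seconds": seconds,
        "duration": format_duration(seconds),
    }


if __name__ == "__main__":
    # Constructed scenarios: key length, block length, entropy, equipment, units.
    scenarios = [
        ("AES-128, one PC", 128, 128, None, "pc", 1),
        ("128-bit key with only 40 bits of entropy, one PC", 128, 128, 40, "pc", 1),
        ("64-bit key, 64-bit block, one 2500-FPGA device", 64, 64, None, "fpga_box_2500", 1),
        ("64-bit key, four 2500-FPGA devices in parallel", 64, 64, None, "fpga_box_2500", 4),
    ]
    for name, k, n, h, gear, units in scenarios:
        r = estimate(k, n, entropy_bits=h, equipment=gear, units=units)
        print(f"{name}: {r['duration']} on {r['equipment']}, "
              f"{r['known_pairs_needed']} known pair(s) for a reliable check")
```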


Literature

General literature

[CC] Common Criteria, Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July 2009, Part 1: Introduction and General Model, CCMB-2009-07-001, Part 2: Security Functional Requirements, CCMB-2009-07-002, Part 3: Security Assurance Requirements, CCMB-2009-07-003

[CEM] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 3, July 2009, CCMB-2009-07-004

[SDCE] Supporting Document, Mandatory Technical Document: Composite product evaluation for Smart Cards and similar devices, September 2007, Version 1.0, Revision 1, CCDB-2007-09-001

[SDAP] Supporting Document, Mandatory Technical Document: Application of Attack Potential to Smartcards, March 2009, Version 2.7, Revision 1, CCDB-2009-03-001

[SDIC] Supporting Document, Mandatory Technical Document: Application of CC to Integrated Circuits, Version 3.0, March 2009, CCDB-2009-03-002

[SDSE] Supporting Document, Guidance: Smartcard Evaluation, February 2010, Version 2.0, CCDB-2010-03-001

[AIS34] AIS34: Evaluation Methodology for CC Assurance Classes for EAL5+ (CC v2.3 & v3.1) and EAL6 (CC v3.1), Version 3, BSI, 03.09.2009

[RNG] Evaluation of random number generators, Version 0.8, BSI, 2011

[KS2011] W. Killmann, W. Schindler: “A proposal for: Functionality classes for random number generators”, Version 2.0, September 18, 2011

[ISO7498] ISO 7498-2:1989 Information processing systems – Open Systems Interconnection – Basic Reference Model – Part 2: Security Architecture

Cryptologic literature

[1] A. J. Menezes, P. van Oorschot, and S. Vanstone: “Handbook of Applied Cryptography”, CRC Press, 1997

[2] E. Biham, A. Shamir: Differential Cryptanalysis of DES-like Cryptosystems, Advances in Cryptology, Proceedings of CRYPTO ’90, Lecture Notes in Computer Science 537, pp. 2–21, Springer-Verlag, 1991

[3] L. R. Knudsen: Truncated and Higher Order Differentials, Proceedings of Fast Software Encryption 2, Lecture Notes in Computer Science 1008, pp. 196–211, Springer-Verlag, 1995

[4] N. Courtois and G. V. Bard: Algebraic Cryptanalysis of the Data Encryption Standard, in: Cryptography and Coding, 11th IMA Conference, Cirencester, UK, 2007

[5] N. Courtois, G. V. Bard, and D. Wagner: Algebraic and slide attacks on KeeLoq, Fast Software Encryption – FSE 2008, Lecture Notes in Computer Science, pp. 97–115, Springer-Verlag, Berlin, Germany, 2008

[6] D. Khovratovich and I. Nikolic: Rotational cryptanalysis of ARX, Proceedings of the 17th International Conference on Fast Software Encryption (FSE ’10), Seokhie Hong and Tetsu Iwata (Eds.), Springer-Verlag, Berlin, 2010

[7] M. Matsui: Linear Cryptanalysis Method for DES Cipher, Abstracts EUROCRYPT ’93, pp. W112–W123, May 1993

[8] J. Y. Soto: Linear Cryptanalysis of Reduced-Round PRESENT, The Cryptographers’ Track at the RSA Conference – CT-RSA, pp. 302–317, 2010

[9] N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting: Improved Cryptanalysis of Rijndael, Proceedings of the 7th International Workshop on Fast Software Encryption (FSE ’00), Bruce Schneier (Ed.), Springer-Verlag, London, UK, pp. 213–230, 2000

[10] A. Biryukov and D. Wagner: Slide Attacks, Proceedings of the 6th International Workshop on Fast Software Encryption (FSE ’99), Lars R. Knudsen (Ed.), Springer-Verlag, London, UK, pp. 245–259, 1999

[11] D. Wagner: The Boomerang Attack, Proceedings of the 6th International Workshop on Fast Software Encryption (FSE ’99), Lars R. Knudsen (Ed.), Springer-Verlag, London, UK, pp. 156–170, 1999

[12] J. Kelsey, T. Kohno, and B. Schneier: Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent, Proceedings of the 7th International Workshop on Fast Software Encryption (FSE ’00), Bruce Schneier (Ed.), Springer-Verlag, London, UK, pp. 75–93, 2000

[13] E. Biham: New types of cryptanalytic attacks using related keys, Workshop on the theory and application of cryptographic techniques on Advances in cryptology (EUROCRYPT ’93), Tor Helleseth (Ed.), Springer-Verlag New York, Inc., Secaucus, NJ, USA, pp. 398–409, 1994

[14] E. Biham, A. Biryukov, and A. Shamir: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, Proceedings of the 17th international conference on Theory and application of cryptographic techniques (EUROCRYPT ’99), Jacques Stern (Ed.), Springer-Verlag, Berlin, Heidelberg, pp. 12–23, 1999

[15] B. Collard and F.-X. Standaert: A Statistical Saturation Attack against the Block Cipher PRESENT, Proceedings of the Cryptographers’ Track at the RSA Conference 2009 on Topics in Cryptology (CT-RSA ’09), Marc Fischlin (Ed.), Springer-Verlag, Berlin, Heidelberg, pp. 195–210, 2009

[16] T. Jakobsen and L. R. Knudsen: The Interpolation Attack on Block Ciphers, Proceedings of the 4th International Workshop on Fast Software Encryption (FSE ’97), Eli Biham (Ed.), Springer-Verlag, London, UK, pp. 28–40, 1997

[17] A. Bogdanov and V. Rijmen: Zero-Correlation Linear Cryptanalysis of Block Ciphers, Cryptology ePrint Archive, Report 2011/123, http://eprint.iacr.org/2011/123, 2011

[18] X. Zhuang, T. Zhang, and S. Pande: HIDE: an infrastructure for efficiently protecting information leakage on the address bus, Proceedings of the 11th international conference on Architectural support for programming languages and operating systems (ASPLOS-XI), ACM, New York, NY, USA, pp. 72–84, DOI=10.1145/1024393.1024403, http://doi.acm.org/10.1145/1024393.1024403, 2004

[19] L. Gao, J. Yang, M. Chrobak, Y. Zhang, S. Nguyen, and H.-H. S. Lee: A low-cost memory remapping scheme for address bus protection, Proceedings of the 15th international conference on Parallel architectures and compilation techniques (PACT ’06), ACM, New York, NY, USA, pp. 74–83, DOI=10.1145/1152154.1152169, 2006

[20] X. Zhuang, T. Zhang, H.-H. S. Lee, and S. Pande: Hardware assisted control flow obfuscation for embedded processors, Proceedings of the 2004 international conference on Compilers, architecture, and synthesis for embedded systems (CASES ’04), ACM, New York, NY, USA, pp. 292–302, DOI=10.1145/1023833.1023873, http://doi.acm.org/10.1145/1023833.1023873, 2004

[21] M. Albrecht and C. Cid: Algebraic Techniques in Differential Cryptanalysis, Fast Software Encryption, Orr Dunkelman (Ed.), Lecture Notes in Computer Science, Vol. 5665, Springer-Verlag, Berlin, Heidelberg, pp. 193–208, 2009

[22] L. Yang, M. Wang, and S. Qiao: Side Channel Cube Attack on PRESENT, Proceedings of the 8th International Conference on Cryptology and Network Security (CANS ’09), Juan A. Garay, Atsuko Miyaji, and Akira Otsuka (Eds.), Springer-Verlag, Berlin, Heidelberg, pp. 379–391, 2009

[23] M. Dworkin, National Institute of Standards and Technology (U.S.): Special Publication 800-38, Recommendation for block cipher modes of operation: the XTS-AES mode for confidentiality on block-oriented storage devices, 2009

[24] P. Rogaway: Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC, Asiacrypt 2004, LNCS Vol. 3329, Springer, 2004

[25] M. Renauld, F.-X. Standaert: Algebraic Side-Channel Attacks, Cryptology ePrint Archive, Report 2009/279, http://eprint.iacr.org/2009/279, 2009

[26] A. Bogdanov, C. Rechberger: A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN, Selected Areas in Cryptography, 17th Annual International Workshop, SAC 2010, Lecture Notes in Computer Science (LNCS), Vol. 6544, A. Biryukov, G. Gong, and D. R. Stinson (Eds.), pp. 229–240, Springer-Verlag, 2011

[27] T. Jakobsen and L. R. Knudsen: The Interpolation Attack on Block Ciphers, Proceedings of the 4th International Workshop on Fast Software Encryption (FSE ’97), Eli Biham (Ed.), Springer-Verlag, London, UK, pp. 28–40, 1997

[28] I. Dinur and A. Shamir: Cube Attacks on Tweakable Black Box Polynomials, Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques (EUROCRYPT ’09), Antoine Joux (Ed.), Springer-Verlag, Berlin, Heidelberg, pp. 278–299, 2009

[29] M. Liskov, R. L. Rivest, and D. Wagner: Tweakable Block Ciphers, Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology (CRYPTO ’02), Moti Yung (Ed.), Springer-Verlag, London, UK, pp. 31–46, 2002

[30] L. R. Knudsen, M. J. B. Robshaw: The Block Cipher Companion, Springer-Verlag, 2011

[31] A. Joux: Algorithmic Cryptanalysis, CRC Press, 2009

[32] G. V. Bard: Algebraic Cryptanalysis, Springer-Verlag, 2009

[33] A. Bogdanov, G. Leander, L. Knudsen, C. Paar, A. Poschmann, M. Robshaw, Y. Seurin, and C. Vikkelsoe: PRESENT – An Ultra-Lightweight Block Cipher, Cryptographic Hardware and Embedded Systems (CHES 2007), Lecture Notes in Computer Science, Vol. 4727, pp. 450–466, Springer-Verlag, 2007

[34] M. Vielhaber: Breaking ONE.FIVIUM by AIDA, an Algebraic IV Differential Attack, Cryptology ePrint Archive, Report 2007/413

Bundesamt für Sicherheit in der Informationstechnik

51

Glossary

The following definitions are closely related to the ones given in [1] and [ISO7498].

Basic Definitions

Asymmetric cryptographic algorithm

A cryptographic algorithm which uses a key pair for complementary operations where it is difficult for the adversary to derive one key from the other key of the same pair.

Avalanche effect

A desirable property of block ciphers. When an input is changed slightly, then the output changes significantly.

Block cipher

A cipher which encrypts data in blocks of a fixed size.

Cipher

An encryption-decryption algorithm.

Ciphertext

Encrypted data, the semantic content of which is not readily available (cf. [ISO7498]).

Confusion

Confusion in an encryption process is provided by the substitution layer in a round of a cryptographic algorithm. Each ciphertext bit has highly nonlinear dependencies on the plaintext bits and the key bits.

Cryptography

The discipline which embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or its unauthorized use [ISO7498] including entity authentication [1].

Cryptology

The study of cryptography and cryptanalysis [1].

Cryptosystem

A system of cryptographic primitives that are used for providing security services.

Cryptographic module

Cryptographic modules, which contain cryptographic algorithms, are used in systems for providing cryptographic services.

Decryption

Reverse process of encryption, reconstructing the original data.

Diffusion

Diffusion in an encryption process is provided by the transposition layer in a round of a cryptographic algorithm. It is the rearrangement or dissipation of bits in a message so that any change in the plaintext is dissipated over the ciphertext.

Encryption

Transforming data into a form in order to hide its information content and allow only the intended receiver to reconstruct the original form with use of a cryptographic key.

Feistel network

A symmetric structure used in the construction of block ciphers which makes the encryption and decryption algorithms nearly identical; decryption only requires the round keys in reverse order.

Key

Variable parameter which is used in a cryptographic algorithm. Cryptographic algorithms may use the same key or different keys for complementary operation like encryption / decryption or signature-creation / signature-verification.

Mode of operation

Methods for encryption and decryption of a collection of data blocks using a block cipher.

Permutation

Mathematically, a bijective mapping from a finite set of elements to itself, i.e. an invertible function from the finite set to itself. The term is often used in cryptography for the permutation of the positions of characters within a string.

Plaintext

Intelligible data, the semantic content of which is available [ISO7498]. Plaintext has not yet been encrypted or is the result of decryption.

Secret sharing

Secret sharing is a method for distributing a secret amongst a group of participants. This secret can be reconstructed only when a sufficient number of shares are combined together.

Strict avalanche criterion

A criterion which is satisfied if, whenever a single input bit is complemented, each output bit changes with probability 1/2.

Substitution

Replacement of groups of bits (symbols) by other groups of bits.

Substitution-permutation network (SP-network)

A series of separate mathematical operations (substitution and permutation layers) providing confusion and diffusion in block cipher algorithms.

Symmetric-Key Cipher

A cryptographic algorithm which uses the same or trivially related keys for encryption and decryption.

Transposition

Permutation of characters or strings in a ciphertext, e. g. permutation of the bits in a bit-block, or permutation of encrypted bit-blocks in a ciphertext.

Tweakable block cipher

A construction which uses a publicly known parameter (the tweak) in addition to the key, so that each tweak value selects a different permutation of the data blocks [29].

Cryptanalysis Related Definitions

Active adversary

An adversary who is not only able to read but can also transmit, alter or delete information on an unsecured channel.

Advanced active adversary

An active adversary which may additionally use external interfaces of a cryptographic module (e. g. for a chosen plaintext attack) but does not know the secret or private key of the cryptographic module.

Adaptive chosen ciphertext attack

A variant of the chosen ciphertext attack where the attacker can choose the collection of ciphertexts depending on the results of previous trials.

Adaptive chosen plaintext attack

A variant of the chosen plaintext attack where the attacker can choose the plaintext samples depending on the results of previous trials.

Algebraic attack

An attack which represents the encryption process as a set of equations and recovers the key by solving these equations.

Attack

Successful or unsuccessful attempt for breaking a part or all of a cryptosystem.

Boomerang attack

An attack method for the cryptanalysis of block ciphers based on differential cryptanalysis. Instead of one differential spanning all rounds, it combines two short differentials covering the first and the second part of the cipher, using adaptively chosen plaintexts and ciphertexts.

Chosen ciphertext attack

An attack where the attacker can choose the collection of ciphertexts to be decrypted.

Chosen plaintext attack

An attack where the attacker can choose the collection of plaintexts to be encrypted.

Ciphertext only attack

An attack where the attacker has only a collection of ciphertexts, without the corresponding plaintexts.

Cryptanalysis

Use of mathematical techniques to break a cryptosystem.

Data complexity

Number of plaintext-ciphertext pairs needed to execute an attack.

54

Bundesamt für Sicherheit in der Informationstechnik

Glossary

Dictionary attack

A brute-force attack that tries passwords and/or keys from a pre-compiled list of values.

Differential attack (differential cryptanalysis)

A chosen plaintext attack which relies on the analysis of the evolution of differences between pairs of plaintexts through the rounds of the cipher.

Difference distribution table (DDT, a.k.a. XOR table)

A table which, for each input difference of an S-Box, gives the number of input values producing each output difference.

Differential-linear attack

A mix of both linear cryptanalysis and differential cryptanalysis.

Distinguisher

A statistical test which detects a non-random property (an imperfect distribution) in, for example, the output of a conventional block cipher.

Distinguishing attack

An attack based on the extraction of information from encrypted data sufficient to distinguish it from random data.

Exhaustive search (brute-force attack)

An attack where the attacker tries all possible keys (or all reasonable candidates) to recover the key of a cryptosystem.

Integral attack

An attack which is particularly applicable to byte/nibble oriented block ciphers based on SP networks. Instead of differences of pairs, it follows the sum (XOR) over a structured set of plaintexts through the rounds of the cipher.

Key recovery

An attacker's attempt for recovering the cryptographic key of a cipher.

Known plaintext attack

An attack where the attacker knows some plaintext, possibly a very large amount, together with the corresponding ciphertext and uses it to analyse the function which the cryptographer wants to hide.

Linear approximation table (LAT)

A table which, for each pair of an input mask and an output mask of an S-Box, records how often the corresponding linear relation between input bits and output bits holds.

Linear attack (linear cryptanalysis)

A known plaintext attack which uses linear approximations to describe the behaviour of the block cipher.

Meet-in-the-middle attack

A cryptanalytic attack in which the attacker partially encrypts known plaintexts under candidate keys for the first part of the cipher and partially decrypts the corresponding ciphertexts under candidate keys for the second part, looking for identical intermediate values. Matching pairs indicate, with high probability, the correct key or key pair.


Passive adversary

An adversary who is only capable of reading data from an unsecured channel and obtaining information about the data flow.

Passive attack

An attack in which the data is observed but not modified.

Rectangle attack

An improved version of boomerang attack with reduced data complexity.

Related key attack (chosen key attack)

An attack in which the attacker can specify a relationship between keys (e. g. a change in a particular key bit) and observes the cipher under these related keys, without knowing the keys themselves.

Rotational cryptanalysis

An attack method against algorithms that rely on the three operations modular addition, rotation and XOR (also known as ARX).

Saturation attack

A type of integral attack which exploits that a set of inputs to a bijective function which takes every possible value (is saturated) yields a set of outputs which is also saturated.

Slide attack

An attack which exploits self-similarity of a cipher (e. g. identical round functions with identical round keys) by sliding one encryption against another shifted by one round. Its complexity does not depend on the number of rounds, so it refutes the idea that even a weak cipher becomes very strong simply by increasing the number of rounds.

Splitting

Dividing a cryptographic key into two separate keys so an attacker cannot reconstruct the actual key even if one of them is intercepted.

Time complexity

Amount of time required to execute an attack.
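Worked example for the Meet-in-the-middle attack entry above, which also makes the Time complexity and Data complexity entries concrete by counting cipher evaluations and known pairs. This is an added example and not part of the BSI document. The toy cipher (16-bit block, 16-bit key, two SP rounds built from the PRESENT S-box [33] and a bit rotation), the double encryption, the secret keys and the known plaintexts are all constructed for this example; the toy cipher has no cryptographic strength of its own and only keeps the 2^32 key space of the double encryption small enough to run.

```python
# Added example (not from the BSI document): meet-in-the-middle attack on
# the double encryption C = E_k2(E_k1(P)) of a constructed toy cipher.
# Everything below (cipher, keys, plaintexts) is an assumption of this
# example, not a construction from the document.

S = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
     0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
S_INV = [S.index(v) for v in range(16)]
ROUNDS = 2
MASK = 0xFFFF


def sub_nibbles(x, box):
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return (box[x & 0xF] | box[(x >> 4) & 0xF] << 4
            | box[(x >> 8) & 0xF] << 8 | box[(x >> 12) & 0xF] << 12)


def rotl16(x, n):
    return ((x << n) | (x >> (16 - n))) & MASK


def toy_encrypt(p, k):
    """Two rounds of key XOR, S-box layer, rotation; final key XOR."""
    x = p
    for _ in range(ROUNDS):
        x = rotl16(sub_nibbles(x ^ k, S), 5)
    return x ^ k


def toy_decrypt(c, k):
    x = c ^ k
    for _ in range(ROUNDS):
        x = sub_nibbles(rotl16(x, 11), S_INV) ^ k
    return x


def double_encrypt(p, k1, k2):
    return toy_encrypt(toy_encrypt(p, k1), k2)


def mitm_attack(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.

    Instead of 2^32 trial double encryptions, tabulate the 2^16 intermediate
    values E_k1(p0) and look up D_k2(c0) for each k2: a match in the middle
    yields a candidate (k1, k2), which is then confirmed on the remaining
    pairs.  Returns (candidates, number_of_cipher_evaluations)."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}
    for k1 in range(1 << 16):
        forward.setdefault(toy_encrypt(p0, k1), []).append(k1)
    evaluations = 1 << 16
    candidates = []
    for k2 in range(1 << 16):
        middle = toy_decrypt(c0, k2)
        evaluations += 1
        for k1 in forward.get(middle, ()):
            ok = True
            for p, c in rest:          # filter false matches on the other pairs
                evaluations += 2
                if double_encrypt(p, k1, k2) != c:
                    ok = False
                    break
            if ok:
                candidates.append((k1, k2))
    return candidates, evaluations


# Constructed sample: secret keys and three known plaintext blocks
# (data complexity: 3 known pairs).
SECRET_K1, SECRET_K2 = 0x3A7F, 0xC104
KNOWN_PLAINTEXTS = [0x0000, 0x1234, 0xBEEF]
KNOWN_PAIRS = [(p, double_encrypt(p, SECRET_K1, SECRET_K2))
               for p in KNOWN_PLAINTEXTS]

if __name__ == "__main__":
    found, work = mitm_attack(KNOWN_PAIRS)
    print("candidate keys:", [(hex(a), hex(b)) for a, b in found])
    print(f"cipher evaluations: {work} (exhaustive search: about {2 ** 33})")
```

The time complexity drops from about 2^33 single-cipher evaluations for exhaustive search of the 32-bit key pair to roughly 2^18, at the price of a table with 2^16 entries (memory complexity); one known pair is needed to fill and probe the table and the further pairs only remove false matches.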
