Cryptanalysis on FPGA Based Hardware

Malcolm Alda Sumantri
Bachelors of Engineering (Software) & Bachelors of Commerce (Finance)
Supervisors:
Matt Barrie
Craig Jin
The University of Sydney
Introduction
• Welcome to the Digital Age where everything can be replicated!
• Cryptography is used…
– To protect our privacy
• For example: our real identity, our e-mails to family and friends,
our digital photos, our work.
– To protect corporate secrets
• For example: future corporate strategies, intellectual property,
pricing information, human resources information.
– By governments
• For example: sending messages to spies, task forces, between
agencies to protect civilians and against terrorism.
• How secure are our currently deployed cryptosystems?
Motivation
• Information security is a resource game.
– More funds means more access to information.
• The US National Security Agency’s annual budget is
classified but is said to be over US $13 billion.
• Assessing the strength of our cryptosystems therefore
involves determining the cost to break them.
• Rapid development in Field Programmable Gate Array
(FPGA) technology makes it cheaper to
develop high-performance custom hardware systems.
FPGA technology has proven to be effective for
cryptographic use.
• A recent optimization in cryptanalysis.
– Rainbow Tables
Background
• Symmetric Cipher
[Figure: symmetric cipher. Plaintext (P) and Key (K) enter the Encryption Algorithm (E), giving Ciphertext C = E_K(P); the Ciphertext and Key (K) enter the Decryption Algorithm (D), giving Plaintext P = D_K(C).]
• Cryptanalysis: Code breaking, reveal the plaintext without the key.
– Exhaustive Key Search: Try every key possible, requires large computational
power.
– Table Lookup: Store keys and ciphertexts in a massive table to perform a
lookup when trying to attack, requires a large amount of memory (infeasible).
– Time-memory trade-off: Give up memory to achieve a faster attack time.
• FPGAs
– Reconfigurable logic (upload the bitstream to the hardware).
– Cheaper than Application Specific Integrated Circuits (ASICs) for small
volumes.
Time-Memory Trade-Off: Rainbow Tables
• How does it work?
– Assume a chosen-plaintext attack scenario.
• The attacker can choose which plaintext to access.
• The attacker will use this to attack the cryptosystem.
• This is practical in the real world (UNIX password hashing, “#include <stdio.h>”,
“\n”)
– Two Phases
1. Precomputation Phase
2. Online Attack Phase (Cryptanalytic Attack)
[Figure: Rainbow Table, a two-column table with columns Start-point and End-point.]
• Precomputation Phase: Generate a rainbow table.
– A rainbow table is a two-column table (start-point, end-point).
– These points are possible keys.
– This table is generated by a specific algorithm.
• Online Attack Phase: Use the rainbow table.
– We are given a ciphertext to break.
– Now we perform a search on the rainbow table by using another algorithm.
• This method is probabilistic, but faster than exhaustive key search.
• Unlike exhaustive key search, which only requires computational resources
(processor), this method uses memory as well as computational resources.
• As a result, the attack time is faster but we have given up memory. This is the
trade-off.
Methodology
• Design and implement an FPGA based
cryptanalytic system that uses the rainbow
tables method of cryptanalysis.
• Use the Data Encryption Standard (DES) as
the test symmetric cipher.
– DES uses a 56-bit key.
– DES is the most widely studied cipher.
– DES is still used today (UNIX password
hashing).
• Determine the cost to break DES.
• Extrapolate the cost to break other ciphers.
Design I – Data Encryption Standard
• In designing a cryptanalytic system,
the performance of the cipher
module will determine the
performance of the whole system.
• Security of DES derives from 16
rounds of permutations,
substitutions and xoring.
• Each round is implemented as a 3-stage
pipeline. A total of 48 stages
for the 16 rounds of DES.
– Pipelining improves
performance:
• Attain higher clock
frequencies.
• Achieve parallelization:
48 encryptions per clock cycle.
[Figure: one DES round as a 3-stage pipeline. Data Round Entity: Left (32-bit) and Right (32-bit) inputs; stage "e-box" with registers for left and right, giving E(right) (48-bit); stage "xor and s-box" with registers for left and right, giving S-Boxes[E(right) xor RoundKey] (32-bit); stage "p-box and xor", giving L’=R, R’=L xor f(R’,K). Key Round Entity: Key Input (56-bit); Key Shift and PC-2, giving Round Key (48-bit); two registers for the 56-bit shifted key, giving Next Key (56-bit).]
Design II – The Rainbow Table Precomputation System
1. High Level System Design
[Figure: high level system design. Blocks: Precomputation Software (Precomputation Engine, Hardware Controller, Rainbow Table Manager (Database Communication Module)), Precomputation Hardware, Open-Source SQL Database. Signals: Clock, Plaintext, First Start Point, Last Start Point, Start Mask, End Mask, Start-Point / End-Point Pair.]
2. Hardware Design
[Figure: Precomputer Entity (precomputer_nty). Blocks: Starting Point Generator Unit, Resume Key Generator, Initial Permutation, Permuted Plaintext Register, Multiplexer, 16 Rounds of DES (48-stage Pipeline), DES Inverse Initial Permutation and Reduction Function Unit. Signals: Reset (Active-Low), Enable, Pause, Select, Plaintext (64-bit), Permuted Plaintext (64-bit), First Start Point (56-bit), Last Start Point (56-bit), Start Point (56-bit), Intermediate Point (56-bit), Key (56-bit), Ciphertext (64-bit), End Point (56-bit).]
3. Hardware output behavior (Timing Diagram)
[Figure: timing diagram of the hardware output.]
Design III – The Rainbow Table Online Attack System
1. High Level System Design
[Figure: high level system design. Blocks: Online Attack Software Controller, Hardware Controller for Rainbow End-Point Generator, Rainbow Table Manager (Database Communication Module), End-Point Generator Hardware, Intermediate Key Generator Hardware, Open-Source SQL Database. Signals: Plaintext, Ciphertext, Start Mask, End Mask, Last Mask, Prospective End-Point, Prospective Column for Key, Start Point, Start-Point, End-Point, Prospective Key.]
2. Hardware Design
[Figure: End Point Generator (oa_endpointgenerator_nty). Blocks: Controller, Permuted Plaintext Register, 16 Rounds of DES (48-stage Pipeline). Signals: Clock, Enable, Reset (Active-Low), Pause, Step, Start Mask (56-bit), End Mask (56-bit), Plaintext (64-bit), Ciphertext (64-bit), Key (56-bit), Preoutput (64-bit), Prospective End-Point (56-bit), Column Number (56-bit).]
3. Mechanism
• Step 1. Goal: Generate end-points from the chosen plaintext/ciphertext pair.
– Tool: End-Point Generator (Hardware)
– Input to Tool: Chosen plaintext, chosen ciphertext, start-mask, end-mask
– Output of Tool: Prospective End-Point, Prospective Column Number
• Step 2. Goal: Perform table lookup on all end-points generated from Step 1.
– Tool: Online Attack Software Application
– Input to Tool: End-Points generated from Step 1.
– Output of Tool: Start Points that correspond with matching end-points from Step 1.
• Step 3. Goal: Generate Key from Starting Points found in Step 2.
– Tool: Intermediate Key Generator (Hardware)
– Input to Tool: Start-Point and matching column number (from Steps 1 and 2), start-mask, end-mask.
– Output of Tool: Candidate Key(s)
• Step 4. Goal: Test validity of Key.
– Tool: Online Attack Software Application
– Input to Tool: Candidate key(s) from Step 3, chosen plaintext, chosen ciphertext.
– Output of Tool: Key
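The two phases described under Time-Memory Trade-Off and the four-step mechanism of the online attack system, as an added Python example (not code from the thesis, which implements this in FPGA hardware with DES). Assumptions: a 16-bit toy key space, a truncated SHA-256 stand-in for the cipher, a simple column-offset reduction function, and all function names are illustrative.

```python
import hashlib

KEY_BITS = 16             # toy key space (assumption; the thesis attacks 40-bit DES)
CHAIN_LEN = 64            # number of columns in each chain
PLAINTEXT = b"#include"   # chosen plaintext: one 8-byte block, constructed sample

def encrypt(key: int, plaintext: bytes = PLAINTEXT) -> int:
    """Stand-in for C = E_K(P). NOT DES: truncated SHA-256 of key || plaintext."""
    digest = hashlib.sha256(key.to_bytes(2, "big") + plaintext).digest()
    return int.from_bytes(digest[:8], "big")          # 64-bit "ciphertext"

def step(key: int, column: int) -> int:
    """One chain link: encrypt, then reduce the ciphertext to the next key.
    The reduction depends on the column, which is what makes the table 'rainbow'."""
    return (encrypt(key) + column) % (1 << KEY_BITS)

def walk(key: int, first_col: int, last_col: int) -> int:
    """Apply chain links for columns first_col .. last_col - 1."""
    for column in range(first_col, last_col):
        key = step(key, column)
    return key

def precompute(num_chains: int) -> dict:
    """Precomputation phase: keep only (end-point -> start-points)."""
    table = {}
    for start in range(num_chains):
        table.setdefault(walk(start, 0, CHAIN_LEN), []).append(start)
    return table

def online_attack(table: dict, ciphertext: int):
    """Online phase: return the key for `ciphertext`, or None if not covered."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Step 1: prospective end-point if the key sat in this column
        reduced = (ciphertext + column) % (1 << KEY_BITS)
        end_point = walk(reduced, column + 1, CHAIN_LEN)
        # Step 2: table lookup on the prospective end-point
        for start in table.get(end_point, []):
            # Step 3: rebuild the chain from its start-point up to this column
            candidate = walk(start, 0, column)
            # Step 4: test the candidate; merged chains cause false alarms
            if encrypt(candidate) == ciphertext:
                return candidate
    return None

def success_rate(table: dict, keys) -> float:
    """Fraction of `keys` the table recovers (the method is probabilistic)."""
    keys = list(keys)
    return sum(online_attack(table, encrypt(k)) == k for k in keys) / len(keys)
```

With `precompute(1024)` the table stores at most 1,024 start/end pairs for a 65,536-key space, and `success_rate` shows that only part of the key space is recoverable, which is the probabilistic trade-off the slides describe.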
Experiment and Results
• Experiment:
– Cryptanalytic attack on 40-bit DES since the
resources to break DES are out of reach for the
budget in this thesis.
– Use Sensory Networks™ NodalCore™ C-1000
PCI Card.
• Xilinx® Virtex-II Pro VP-40 FPGA
• Flexible chipset architecture to embed our
hardware engines.
• PCI interface allows for high-speed
communications.
• Results
– 40-bit DES Rainbow Table can be
generated in less than 4 hours. Table
parameters allow for 85% cryptanalytic
success probability.
• Fastest known implementation in the
literature based on results.
– Online attack of 40-bit DES in 30.8
seconds.
[Figure: Comparison of Precomputation Throughput for 40-bit DES. Vertical axis: Throughput (Mbits/second). Bars: Rainbow Table Precomputer (Sumantri), Distinguished Points Precomputer (Quisquater et al).]
Data Analysis
• Performance-Cost Analysis
– Determine the FPGA chip that
provides the highest
performance for the lowest
cost.
– Synthesized the hardware
designs for various Xilinx
FPGAs.
– Spartan 3 S-1500 provides the
highest performance-cost
relative to other Xilinx® FPGA
chips.
• Extrapolate the design of a
machine to break DES (56-bit key
length)
– Result: DES can be broken
with 85% success probability in
72 minutes for an
approximate cost of US
$1,210.
[Figure: Performance-Cost of Precomputation Hardware System. Vertical axis: Performance (end-points generated per second). Horizontal axis: Cost (dollar per FPGA chip). Series: Spartan 3, Virtex-II, Virtex-II Pro, Virtex 4.]
Conclusion
• FPGAs provide a low cost and
effective solution to cryptanalysis.
• Rainbow table attacks provide a
faster attack time compared to
brute-force, but brute-force uses
fewer resources, that is, memory
resources.
– For large key sizes, the
rainbow table attack becomes
infeasible as the memory cost is
prohibitive.
Potential Attacker, Key Length (bits), Cost (US $):
• Clever Outsider
– 56 bits: 353
– 58 bits: 1,413
– 60 bits: 5,650
– 62 bits: 22,600
– 64 bits: 90,400
• Funded Organization (Large Corporation, Mafia)
– 66 bits: 361,601
– 68 bits: 1.4 million
• Funded Organization (Small Government, Terrorist Networks)
– 72 bits: 24 million
– 76 bits: 370 million
– 78 bits: 1.5 billion
• Funded Organization (Large Government Bodies: US National Security Agency)
– 80 bits: 6 billion
– 82 bits: 24.7 billion
– 84 bits: 94.8 billion
– 86 bits: 380 billion
– 88 bits: 1.5 trillion
– 92 bits: 242 trillion
• Knowledgeable Insiders
– Not feasible