Abstract

The security of Internet of Things (IoT) devices relies on fundamental concepts such as cryptographically protected firmware updates. In this context attackers usually have physical access to a device and therefore side-channel attacks have to be considered. This makes the protection of required cryptographic keys and implementations challenging, especially for commercial off-the-shelf (COTS) microcontrollers that typically have no hardware countermeasures. In this work, we demonstrate how unprotected hardware AES engines of COTS microcontrollers can be efficiently protected against side-channel attacks by constructing a leakage resilient pseudo random function (LR-PRF). Using this side-channel protected building block, we implement a leakage resilient authenticated encryption with associated data (AEAD) scheme that enables secured firmware updates. We use concepts from leakage resilience to retrofit side-channel protection on unprotected hardware AES engines by means of software-only modifications. The LR-PRF construction leverages frequent key changes and low data complexity together with key dependent noise from parallel hardware to protect against side-channel attacks. Contrary to most other protection mechanisms such as time-based hiding, no additional true randomness is required. Our concept relies on parallel S-boxes in the AES hardware implementation, a feature that is fortunately present in many microcontrollers as a measure to increase performance. In a case study, we implement the protected AEAD scheme for two popular ARM Cortex-M microcontrollers with differing parallelism. We evaluate the protection capabilities in realistic IoT attack scenarios, where non-invasive EM probes or power consumption measurements are employed by the attacker. We show that the concept provides the side-channel hardening that is required for the long-term security of IoT devices.

Highlights

  • The information security of inexpensive Internet of Things (IoT) devices is especially important due to their high quantity, prevalence, and high threat potential

  • In the improved leakage resilient pseudo random function (LR-pseudorandom function (PRF)) with unknown inputs [MSNF16], the plaintexts are unknown to an attacker because they are generated in an additional preprocessing step using a leakage resilient pseudo random generator (LR-PRG) proposed by Standaert et al [SPY13]

  • In this work we use concepts from leakage resilient cryptography to tackle the difficult problem of securing commercial off-the-shelf (COTS) microcontrollers against side-channel attacks

Read more

Summary

Introduction

The information security of inexpensive IoT devices is especially important due to their high quantity, prevalence, and high threat potential. The root of trust, i.e., cryptographic keys and operations used for secured updates, requires hardening against hardware attacks. A team from the French ANSSI published an open-source implementation of a side-channel protected AES targeted for COTS microcontrollers [BKPT7f] As it is state of the art, they combine masking and shuffling countermeasures to protect against side-channel attacks and provide leakage tests that do not show significant leakage after 100,000 traces. The fact that the only hardware requirement is an AES accelerator with parallel S-boxes makes this solution applicable to a wide range of microcontrollers It is highly relevant when retrofitting side-channel protection to existing devices, especially when no true random noise sources are available. In such cases, masking or hiding is even impossible and this concept is without alternatives.

Background on leakage resilience
Leakage resilient authenticated encryption
Attacker model and evaluation methodology
Attacker model
Assessing the side-channel security
Profiled side-channel attacks with limited data complexity
Leakage resilient AEAD on COTS microcontrollers
Devices under test
Side-channel evaluation
Measurement setups
Template attacks on key transfer
Template attack on unprotected AES
Template attacks on LR-PRFs with different data complexities
64 Data complexity
Performance analysis
Findings
Conclusion
Full Text
Published version (Free)

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call