Date post: | 16-Dec-2015 |
Category: |
Documents |
Upload: | yvette-weyman |
View: | 231 times |
Download: | 2 times |
Cryptanalysis on FPGA Based Hardware
Malcolm Alda SumantriBachelors of Engineering (Software) & Bachelors of Commerce (Finance)
The University of Sydney
Supervisors:Matt Barrie
Craig Jin
Introduction• Welcome to the Digital Age where everything can be
replicated!• Cryptography is used…
– To protect our privacy• For example: our real identity, our e-mails to family and
friends, our digital photos, our work.
– To protect corporate secrets• For example: future corporate strategies, intellectual
property, pricing information, human resources information.
– By governments• For example: sending messages to spies, task forces,
between agencies to protect civilians and against terrorism.
• How secure are our currently deployed cryptosystems?
Motivation• Information security is a resource game.
– More funds means more access to information.• The US National Security Agency’s annual budget
is classified but is said to be over US $13 billion. • Assessing the strength of our cryptosystems
therefore involves determining the cost to break them.
• Rapid development in Field Programmable Gate Array Technology (FPGA) technology that makes it cheaper to develop high-performance custom hardware systems. FPGA technology has proven to be effective for cryptographic use.
• A recent optimization in cryptanalysis.– Rainbow Tables
Background• Symmetric Cipher
• Cryptanalysis: Code breaking, reveal the plaintext without the key.– Exhaustive Key Search: Try every key possible, requires large
computational power.– Table Lookup: Store keys and ciphertexts in a massive tables to
perform a lookup when trying to attack, requires a large amount of memory (infeasible).
– Time-memory trade-off: Give up memory to achieve a faster attack time.
• FPGAs– Reconfigurable logic (upload the bitstream to the hardware).– Cheaper than Application Specific Integrated Circuits (ASICs) for small
volumes.
Encryption Algorithm (E)
CiphertextC = EK(P)
Key (K)
Plaintext(P)
Decryption Algorithm (D)
Key (K)
PlaintextP = DK(C)
Time-Memory Trade-Off:Rainbow Tables• How does it work?
– Assume a chosen-plaintext attack scenario.• The attacker can choose which plaintext to access.• This attacker will use this to attack the cryptosystem.• This is practical in the real-world (UNIX password hashing, “#include <stdio.h>”,
“\n”)– Two Phases
1. Precomputation Phase2. Online Attack Phase (Cryptanalytic Attack)
• Precomputation Phase: Generate a rainbow table.– A rainbow table is a two-column table (start-point, end-point)– These points are possible keys.– This table is generated by a specific algorithm.
• Online Attack Phase: Use the rainbow table.– We are given a ciphertext to break.– Now we perform a search on the rainbow table by using another
algorithm
• This method is probabilistic, but faster than exhaustive key search.• Unlike exhaustive key search that only requires computational resources
(processor). This method uses memory as well as computational resources. • As a result, the attack time is faster but we have given up memory. This is
the trade-off.
End-point Start-point
... ...
... ...
... ...
Rainbow Table
Methodology• Design and implement an FPGA based
cryptanalytic system that uses the rainbow tables method of cryptanalysis.
• Use the Data Encryption Standard (DES) as the test symmetric cipher.– DES uses a 56-bit key.– DES is the most widely studied cipher.– DES is still used today (UNIX password
hashing).• Determine the cost to break DES.• Extrapolate the cost to break other
ciphers.
• In designing a cryptanalytic system, the performance of the cipher module will determine the performance.
• Security of DES derives from 16 rounds of permutations, substitutions and xoring.
• Each round is implemented as a 3-stage pipeline. A total of 48-stages for the 16 rounds of DES.– Pipelining improves
performance:• Attain higher clock
frequencies.• Achieve parallelization:
48 encryptions per clock cycle.
e-box
Right(32-bit)
xor and s-box
E(right)(48-bit)
p-box and xor
S-Boxes[E(right) xor RoundKey](32-bit)
Register for left and right
Register for left and right
Delayed Left (32-bit)Delayed Right (32-bit)
Delayed Left
Key Shift andPC-2
Register for 56-bit Shifted Key
Left(32-bit)
Register for 56-bit Shifted Key
DelayedNext Key(56-bit)
Round Key(48-bit)
Delayed Next Key(56-bit)
Key Input(56-bit)
R’=L xor f(R’,K) Next Key(56-bit)
L’=R
Data RoundEntity
Key RoundEntity
Delayed Right
Design I – Data Encryption Standard
Design II – The Rainbow Table Precomputation System
Starting Point Generator Unit
Enable Pause
First Start PointLast Start Point
(56-bit)
Multiplexer
Select
Key(56-bit)
16 Rounds of DES(48-stage Pipeline)
Start Point(56-bit)
DES Inverse Initial Permutation and
Reduction Function Unit
Ciphertext(64-bit)
Intermediate Point(56-bit)
Resume Key Generator
Permuted Plaintext Register
Plaintext(64-bit)
PermutedPlaintext(64-bit)
End Point(56-bit)
Start Point(56-bit)
First Start PointFirst Start Point
(56-bit)
Initial Permutation
Permuted Plaintext(64-bit)
Reset(Active-Low)
Clock
Precomputer Entity(precomputer_nty)Precomputation Engine
Hardware ControllerRainbow Table Manager
(Database Communication Module)
Precomputation Hardware
End-Point
Precomputation Software
PlaintextStartMask
End Mask
FirstStart Point
LastStart Point
Open-Source SQL Database
Start-Point / End-Point Pair
1. High Level System Design
2. Hardware Design
3. Hardware output behavior (Timing Diagram)
Design III – The Rainbow Table Online Attack System
Hardware Controller for Rainbow End-Point Generator Hardware Controller for Rainbow End-Point GeneratorRainbow Table Manager
(Database Communication Module)
End-Point GeneratorHardware
ProspectiveEnd-Point
ProspectiveColumn for Key
Intermediate Key GeneratorHardware
Online Attack Software Controller
Plaintext CiphertextStart Mask
End Mask
ProspectiveKey
PlaintextStart Mask
LastMask
StartPoint
Open-Source SQL Database
End-Point Start-Point
Enable
Pause
16 Rounds of DES
(48-stage Pipeline)
Preoutput(64-bit)
Reset(Active-Low)
Clock
End Point Generator(oa_endpointgenerator_nty)
Controller
Plaintext(64-bit)
Key(56-bit)
ProspectiveEnd-Point
(56-bit)
Column Number(56-bit)
Plaintext(64-bit)
PermutedPlaintext Register
Plaintext(64-bit)
Ciphertext(64-bit)
Start Mask(56-bit)
End Mask(56-bit)
Step Goal Tool Input to Tool Output of Tool
1 Generate end-points from the chosen plaintext/ciphertext pair.
End-Point Generator (Hardware)
Chosen plaintext, chosen ciphertext, start mark, end-mask
Prospective End-Point, Prospective Column Number
2 Perform table lookup on all end-points generated from Step 1.
Online Attack Software Application
End-Points generated from Step 1.
Start Points that corresponds with matching end-points from Step 1.
3 Generate Key from Starting Points found in Step 2.
Intermediate Key Generator (Hardware)
Start-Point and matching column number (from Steps 1 and 2), start-mask, end-mask.
Candidate Key(s)
4 Test validity of Key
Online Attack Software Application
Candidate key(s) from Step 3, chosen plaintext, chosen ciphertext.
Key
1. High Level System Design
2. Hardware Design 3. Mechanism
Experiment and Results• Experiment:
– Cryptanalytic attack on 40-bit DES since the resources to break DES is out-of-reach for the budget in this thesis.
– Use Sensory NetworksTM NodalCoreTM C-1000 PCI Card.
• Xilinx® Virtex-II Pro VP-40 FPGA• Flexible chipset architecture to embed
our hardware engines.• PCI interface allows for high-speed
communications.
• Results– 40-bit DES Rainbow Table can be
generated in less than 4 hours. Table parameters allows for 85% cryptanalytic success probability.
• Fastest known implementation in the literature based on results.
– Online attack of 40-bit DES in 30.8 seconds.
0
0.5
1
1.5
2
2.5
Th
rou
gh
pu
t (M
bits
/se
con
d)
Rainbow TablePrecomputer
(Sumantri)
Distinguished PointsPrecomputer
(Quisquater et al)
Comparison of Precomputation Throughput for 40-bit DES
Data Analysis• Performance-Cost
Analysis– Determine the FPGA chip
that provides the highest performance for the lowest cost.
– Synthesized the hardware designs for various Xilinx FPGAs.
– Spartan 3 S-1500 provides the highest performance-cost relative to other Xilinx® FPGA chips.
• Extrapolate the design of a machine to break DES (56-bit key length)– Result: DES can be
broken with 85% success probability in 72 minutes for an approximate cost of US $1,210.
0
500
1,000
1,500
2,000
2,500
3,000
3,500
0 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 9,000Cost (dollar per FPGA chip)
Perfo
rman
ce (e
nd-p
oint
s ge
nera
ted
per s
econ
d)
Spartan 3
Virtex-II
Virtex-II Pro
Virtex 4
Performance-Cost of Precomputation Hardware System
Conclusion• FPGAs provides a low cost
and effective solution to cryptanalysis.
• Rainbow table attacks provide a faster attack time compared to brute-force, but brute-force uses less resources, that is, memory resources.– For large key sizes, the
rainbow table attack becomes infeasible as memory costs is prohibitive.
Potential Attacker Key Length (bits) Cost (US $)
Clever Outsider 56 353
58 1,413
60 5,650
Knowledgeable Insiders 62 22,600
64 90,400
Funded Organization(Large Corporation,
Mafia)
66 361,601
68 1.4 million
Funded Organization(Small Government,
Terrorist Networks)
72 24 million
76 370 million
78 1.5 billion
Funded Organization(Large Government
Bodies: US National Security
Agency)
80 6 billion
82 24.7 billion
84 94.8 billion
86 380 billion
88 1.5 trillion
Not feasible 92 242 trillion