Security Tradeoffs In A Shifting Global Supply Chain

How many simulation cycles are needed to crack an AES key? Plus, the impact of trade wars on semiconductor security and reliability.


Experts at the Table: Semiconductor Engineering sat down to discuss a wide range of hardware security issues and possible solutions with Norman Chang, chief technologist for the Semiconductor Business Unit at ANSYS; Helena Handschuh, fellow at Rambus, and Mike Borza, principal security technologist at Synopsys. What follows are excerpts of that conversation. The first part of this discussion can be found here. Part two is here.

SE: How do you protect data as it is being encrypted and decrypted?

Handschuh: The only thing that provably works is when you randomize master data and different orders, meaning that you split every portion of your computation into a number of shares. So then the order of protection is essentially one degree lower than the number of shares.

Chang: That makes it very hard to do correlations.

Handschuh: Yes, because mathematically you don’t have enough information to reconstruct the data. That’s the only way to provably do it. But then there are tons of other techniques to try to hide the signals and make a lot of noise. But for those cases, it’s only a matter of collecting enough traces.

Chang: Do you need different levels of security for different customers?

Borza: Yes, and it depends on what the area, performance and power constraints are.

SE: So what happens when you add in different use cases? One user may do a lot of streaming video, for example, while another does not.

Borza: People often make the countermeasures configurable so that you can ratchet up the countermeasures on computations that you care a lot about, and reduce the overhead and countermeasures on computations you care less about. A rule of thumb is that the more real-time the data is, the less sensitive it is because you have volumes of it. That’s not always true, of course. For some things that you try to use very seldom, like the root cryptographic keys on a device, you don’t ever want those to leak out. So you will put the maximum amount of effort into countermeasures on computations with those things to eliminate or reduce the possibility that they leak out.

SE: Some of this can be tracked through power profiles, right?

Chang: Yes, and it depends on the context of what customers are using. We can do an attack simulation for that. This is a simpler way to see differential power analysis. So it’s not depending on users’ favorite data input stream. You have to think about the right applications of the incoming data and provide a secure solution.

SE: How much does architecture play into this? For example, you may have multiple chips in a module, so now you can offload some of these functions to other channels. And so you’ve got things moving back and forth that you didn’t have before, and everything is unique because there are custom designs or configurations.

Handschuh: That’s a tough problem. You should have sensitive operations being separate from the rest, kept in a place where you can control what’s going on, and have the more high-performance things where maybe you don’t care as much about the data run somewhere else. If you want to secure the entire system, you can, but it’s going to cost you more in delays, area, and all sorts of different things, and you may not have the budget for that. So you have to make some tradeoffs.

Borza: We’re starting to see things like encryption and decryption moving to and from external memory. Five years ago, that was reserved for military systems. Today, we’re starting to see this in some consumer-electronics-class devices. That’s a very big shift, but it’s only the most security-aware, security-sensitive organizations that are doing this.

Handschuh: And it will cause delays.

Borza: Yes, and it will cost power and area, too.

Handschuh: If you’re trying to scramble things around, that’s fine. But in theory, you should put encryption on it. The problem is that’s way too slow. You can’t make an encryption algorithm that will execute in one cycle and just be completely transparent.

Fig. 1: Differential power analysis trace during a cryptographic operation. Source: Rambus Security Division

Chang: And there is no industry standard for system-level security.

Borza: No, because it has to focus on particular areas and particular parts of the threat model. The closest we’ve come is where people are starting to have common elements or common kinds of operations and functions in their secure enclaves. And so the people who have secure enclaves, they’re all very similar to each other.

SE: Is there a different profile for different processors and elements in an SoC?

Chang: Yes, but that’s very hard to map out. Providing comprehensive coverage is very difficult. You want to cover all of the possible scenarios that a customer is using, but it can involve multiple cores and memories and multiple chips, AI, and 3D-IC designs. There are so many variations of a design. How do you provide comprehensive coverage so your power supply will be on spec and electromigration won’t be a problem? There is also ESD, thermal simulation and substrate noise variation. There is so much variation of the design and that makes it harder to have comprehensive coverage. And if you come back to the security, it’s the same. Now we need to see, through regular functions, how many cycles it takes you to detect a key. That’s one of the major questions we are trying to answer. Given an AES design with very accurate power supply noise, how many cycles do you need to crack the key?

Borza: It’s a number that’s going down all the time.

Chang: And it’s a very sensitive number that customers care about.

SE: The goal here for hackers is to go undetected by trying to blend in with other traffic, right?

Handschuh: Yes, and the longer you go undetected, the more harm you can do. But I’m not sure that people are always after the goal of not getting detected. They want to extract information keys, which are the most valuable asset. As soon as they have those keys, then it’s okay for them to say, ‘Okay, I got it.’ But it does give you an advantage if nobody sees you.

Borza: And they do need to stay stealthy for as long as it takes to get there. Once that’s done, if they’re found out retrospectively, that’s usually okay. Only organizations that are interested in some kind of espionage have a long-term desire to protect the fact that they were ever there.

SE: We are starting to see the beginnings of two different supply chains. As a result of the U.S.-China trade war, China wants its own IP. What sort of issues does that open up?

Borza: The Chinese are developing a distrust for the U.S. supply chain because they don’t know which companies are reliable suppliers anymore. It can change at a moment’s notice, and that’s forcing the Chinese industry to become more creative and to advance their homegrown technologies faster. So we can expect they will develop some things that are unique to China. There are national ciphers that are approved by the government. Similar things are going on with processor technology. And so we’ll start to see more and more development. In some cases, China will continue to be a participant in standards organizations and in the development of some of the open source IP ecosystems. In other cases, they’re developing their own homegrown technology that’s informed by what they read in the open literature of the West, but which also benefits from a closed environment there. So Chinese technology will advance in different directions, including some we can’t predict, and it will make it less compatible and less similar to what we’re doing here. It’s a precipice moment where the rules of the game are changing.

Handschuh: Each country has a tendency to try to protect their supply chains. So we may start seeing different supply chains. The U.S. is trying to bring some of the foundry work that was lost back into the country.

Borza: There’s a desire to do that, but it’s not going to succeed in the current environment because nobody’s willing to pay for a leading-edge fab that stays current for three years.

Handschuh: And if you look at the constellation of how that works, things are so intertwined in today’s world that it will be very difficult to rip things apart and bring each part back into a specific country. NIST published a report that tries to analyze all of the different steps in the design of a chip and all the different places that are involved in everything. It’s all over the place. So taking that apart is going to be very hard.

Chang: One of the big issues there is counterfeit parts. It doesn’t mean there is a security breach or there is malicious code inside. And a counterfeit part is just a similar part. However, the reliability of the part may be a problem. If you want to use these for mission-critical applications, they may not be reliable for 10 or 15 years. How you’re going to detect these counterfeit parts from small companies in other countries is a major issue going forward.

SE: In the case of Russia, they’ve become very good at developing IP because in the past their engineers never had access to the most advanced computers, so they had to work much harder at understanding how these devices operate. If that IP has a different power profile, does that change how you identify aberrations?

Chang: You could have a different aging profile. You may perform the same function, but the power dissipation is different. But if you look at the aging profile, and you have an accelerated thermal cycling agent, you’ll probably see a very different profile. And you can detect that.
