Exploiting the Physical Disparity: Side-Channel Attacks on Memory Encryption

Memory and disk encryption is a common measure to protect sensitive information in memory from adversaries with physical access. However, physical access also comes with the risk of physical attacks. As these may pose a threat to memory confidentiality, this paper investigates contemporary memory and disk encryption schemes and their implementations with respect to Differential Power Analysis (DPA) and Differential Fault Analysis (DFA). It shows that DPA and DFA recover the keys of all the investigated schemes, including the tweakable block ciphers XEX and XTS. This paper also verifies the feasibility of such attacks in practice. Using the EM side channel, a DPA on the disk encryption employed within the ext4 file system is shown to reveal the used master key on a Zynq Z-7010 system on chip. The results suggest that memory and disk encryption secure against physical attackers is at least four times more expensive.
