DOCSLIB.ORG

Attacks & Analysis of Openssl AES Crypto Material From

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Attacks & Analysis of Openssl AES Crypto Material From MASARYK UNIVERSITY FACULTY OF INFORMATICS Attacks & Analysis of OpenSSL AES crypto material from memory dumps MASTER'S THESIS Surya Prakash Mishra Delhi, Spring 2017 Replace this page with a copy of the official signed thesis assignment and a copy of the Statement of an Author. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references, and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Surya Prakash Mishra Advisor: Chester Reibero,Petr. Svenda i Acknowledgement I would like to express my sincere thanks and gratitude to my thesis supervisor Prof. Chester Reibero for his valuable guidance, support and feedback. I owe my sincere thanks to RNDr. Petr Svenda, Ph. D for his motivation and insight because of which only I could explore the details. My thanks and gratitude to prof. RNDr. Vaclav Matyas, MSc, Ph.D who has remained source of inspiration for carrying out this work. ii Abstract In recent years, side-channel attacks[l] have seen significant progress. Among the different types of side-channel attacks, cold boot attack[2] has been considered as a very powerful attack and has created con• siderable interest among researchers. The attack was discovered by a group of researchers from Princeton University[2] in 2008 and ex• ploits memory remanence property of random access memory. This attack can be used to beat hard disk encryption system, protecting sensitive information of IT products. Success of the attack depends upon detection and correction of sensitive information in the distorted data obtained during execution of the attack. In this thesis, an at• tempt has been made to improvise key recovery methods so that the attack can be made feasible, even when more errors have been intro• duced during the execution of attack. Experiments have also been carried out to study and improve the efficacy of these techniques for mounting the attack on realistic hard disk encryption systems like Truecrypt/VeraCrypt[3]. iii Keywords clock glitching, cold boot attack, DIMM, EM attack, fault attack, light weight OS, memory remanance, power attack, side channel attack, SIMM, timing attack, voltage glitching. iv Contents 1 Introduction 1 2 Side Channel Attacks 3 3 Different types of memories and data remanence 4 4 Usage of different types of RAMs 8 5 OpenSSL[15] and AES[16] 9 5.1 OpenSSL[15] 9 5.2 AES[16] 9 5.2.1 Substitute Byte 13 5.2.2 Shift Row Transformation 15 5.2.3 Mix Column Transformation 16 5.2.4 Add Round Key Transformation 16 5.2.5 Round Key Generation 16 6 Truecrypt/Veracrypt[3] and its detailed description 19 6.1 Using Veracryptl3] for creation ofvolume or container ... 19 6.2 Technical details of creation of encrypted volume 21 6.3 XTS Mode of Operation 22 6.4 Veracrypt[3] Volume Format 22 6.5 Header Key Derivation 25 6.5.1 Random Number Generator 26 7 Steps required to mount cold boot attack 28 8 Experiments carried out and results obtained 29 8.1 Imaging Tool 29 8.1.1 Experiments of memory remanence 30 8.1.2 Study of Statistical patterns 31 8.1.3 AES Key Detection^] 34 8.1.4 AES key detection results 35 8.1.5 Reconstruction of Correct Keys 37 8.1.6 Experiments with Veracrypt/Truecrypt[3] ... 44 v 9 Conclusion Bibliography List of Tables 5.1 AES Round Transformation 10 5.2 AES S-Box[16] 14 5.3 AES Inverse S-Box[16] 15 6.1 Veracrypt[3] Volume Format 24 8.1 Statistics of distortion pattern after 2 seconds 33 8.2 Statistics of distortion pattern after 5 seconds 33 8.3 Statistics of distortion with respect to time 33 8.4 Byte wise hamming distances of distorted key from original round keys : 38 8.5 Round Key byte determination during Key Correction for 128-bit key 41 8.6 Success Rate for 128-bit AES 44 8.7 Round Key byte determination during Key Correction for 256-bit key 46 8.8 Success Rate for 256-bit AES 47 vii List of Figures 3.1 SRAM and DRAM Cell[14] 7 5.1 AES Block Diagram[16] 11 5.2 AES Round Transformation[16] 12 5.3 AES Column Transformation and Round Key Generation[16]. 17 1 Introduction Remanence effect of different types of memory has been known since long. In the case of non-volatile memory like a magnetic disk, it used to be considered as a security threat and adequate countermeasures like the use of secure erasure was already in practice. In the case of volatile memory, like SRAM and DRAM memory remanence was not taken seriously. In 2008, researchers from Prince• ton University[2], demonstrated memory remanence of RAM, as a potential security threat and named it as cold boot attack. Their re• search has established, that volatility of computer memory, should not be taken as granted because it can also be exploited to get sensi• tive information of the system. They observed that content of RAM remains intact up to few minutes at normal temperature (after power has been removed) and its duration can be increased by cooling it. In the attack, an attacker with physical access to memory tries to retrieve secret parameters like key, password and other sensitive information related to the system. To mount the attack system needs to be cold booted. In cold boot• ing, the system is reset or powered off in a way, that operating system does not get the opportunity to shutdown cleanly. The system is re• booted immediately using a lightweight operating system, which will also be used to dump the content of RAM in the disk. Other way of mounting the attack is removing memory module and putting it into a compatible system or cooling of memory modules and using it at some other point of time to retrieve sensitive information. Among these possible three approaches, the first approach seems to be more practical and less cumbersome. Although attack itself is simpler to carry out, the acquisition of memory is a volatile process and results in corrupted memory acquisition. In this approach issues related to cor• rection of distorted data and its impact on the feasibility of mounting attack is an interesting problem. In this thesis, an attempt has been made to study the distortion pattern of data with respect to time. Analysis of distortion pattern and its use for correction of keys from dumped content of RAM is also attempted. To carry out this study OpenSSL implementation of AES, as well as other implementations available over the internet has been 1 i. INTRODUCTION taken. Extensive experimentation has been carried out to see the ap• plicability of improved key correction technique for recovering the two 256-bit key used in hard disk encryption system Truecrypt/Veracrypt. 2 2 Side Channel Attacks Side channel attacks are attacks in which focus of analyst is not on the theoretical aspects of the crypto algorithm, instead it tries to exploit information gained from physical implementation of it. Some of the side channel attacks which have been effectively utilized for analysis of different cryptosystems are timing attack[4], power attack[5], elec• tromagnetic attack[6], acoustic attack[7], fault attack[8] and memory remanence attack[2]. Timing attack exploits timing variations during the execution of a cryptographic algorithm. These variations may be due to branching operations, cache memory or other micro-architectural features of the processor. Such attacks have been proved effective for the public as well as private key cryptosystems. In the case of power attack, correlation between power consumed by the device and data being manipulated is used for extraction of se• cret parameters (like the key). Simple power attack, differential power attack[5],correlation power attack[9] and template attack[10] are the different variations of this type of attacks. These attacks are more effective for embedded systems. Attack philosophy for electromagnetic attack is same as that of power attack except that the side channel exploited is electromagnetic emanations of the device. Being non-invasive in nature, this type of at• tack is easier to mount but quite often it requires extra post processing of signals before mounting the attack. In fault attack, an attempt is made to introduce the fault during execution of the algorithm and by using correct ciphertext and faulty ciphertext an attempt is made to find the key. Initially this attack was published for RSA[8] but later on, it was extended for block ciphers like DES[11] and AES[12] also. To introduce the fault during execution of algorithm clock glitching[13], voltage glitching and focused ion beam can be used. In memory remanence attack memory remanence effect of volatile and nonvolatile memory is used. Cold boot attack is memory rema• nence attack and it can be used for extraction of the key for public as well as private key cryptosystems. 3 3 Different types of memories and data rema• nence Data Remanence is a property of a storage media by which it retains the residue of data even after it has been erased in some way. This property of magnetic storage was known as early as the 1960s. In theory, there is always some possibility of recovering data using the techniques like magnetic force microscopy, if data has been sparsely written. Data encryption, overwriting, degaussing and destruction of original media were commonly used methods to safeguard against accidental disclosure of data from such devices.
Load more

Recommended publications
  • Block Ciphers
    Block Ciphers Chester Rebeiro IIT Madras CR STINSON : chapters 3 Block Cipher KE KD untrusted communication link Alice E D Bob #%AR3Xf34^$ “Attack at Dawn!!” message encryption (ciphertext) decryption “Attack at Dawn!!” Encryption key is the same as the decryption key (KE = K D) CR 2 Block Cipher : Encryption Key Length Secret Key Plaintext Ciphertext Block Cipher (Encryption) Block Length • A block cipher encryption algorithm encrypts n bits of plaintext at a time • May need to pad the plaintext if necessary • y = ek(x) CR 3 Block Cipher : Decryption Key Length Secret Key Ciphertext Plaintext Block Cipher (Decryption) Block Length • A block cipher decryption algorithm recovers the plaintext from the ciphertext. • x = dk(y) CR 4 Inside the Block Cipher PlaintextBlock (an iterative cipher) Key Whitening Round 1 key1 Round 2 key2 Round 3 key3 Round n keyn Ciphertext Block • Each round has the same endomorphic cryptosystem, which takes a key and produces an intermediate ouput • Size of the key is huge… much larger than the block size. CR 5 Inside the Block Cipher (the key schedule) PlaintextBlock Secret Key Key Whitening Round 1 Round Key 1 Round 2 Round Key 2 Round 3 Round Key 3 Key Expansion Expansion Key Key Round n Round Key n Ciphertext Block • A single secret key of fixed size used to generate ‘round keys’ for each round CR 6 Inside the Round Function Round Input • Add Round key : Add Round Key Mixing operation between the round input and the round key. typically, an ex-or operation Confusion Layer • Confusion layer : Makes the relationship between round Diffusion Layer input and output complex.
    [Show full text]
  • Revention of Coldboot Attack on Linux Systems Measures to Prevent Coldboot Attack
    Special Issue - 2017 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 ICIATE - 2017 Conference Proceedings Prevention of Coldboot Attack on Linux Systems Measures to Prevent Coldboot Attack Siddhesh Patil Ekta Patel Nutan Dhange Information Technology, Atharva Information Technology, Atharva Assistant Professor College of Engineering College of Engineering Information Technology, Atharva Mumbai University Mumbai University College of Engineering Mumbai, India Mumbai, India Mumbai University Mumbai, India Abstract— Contrary to the popular belief, DDR type RAM boot attack techniques. We implement measures to ensure that data modules retain stored memory even after power is cut off. stays secure on system shutdown. Data security is critical for most Provided physical access to the cryptosystem, a hacker or a of the business and even home computer users. RAM is used to store forensic specialist can retrieve information stored in the RAM non-persistent information into it. When an application is in use, by installing it on another system and booting from a USB drive user-specific or application-specific data may be stored in RAM. to take a RAM dump. With adequate disassembly and analytic This data can be sensitive information like client information, tools, this information stored in the RAM dump can be payment details, personal files, bank account details, etc. All this deciphered. Hackers thrive on such special-case attack information, if fallen into wrong hands, can be potentially techniques to gain access to systems with sensitive information. dangerous. The goal of most unethical hackers / attackers is to An unencrypted RAM module will contain the decryption key disrupt the services and to steal information.
    [Show full text]
  • CIS 4360 Secure Computer Systems Attacks Against Boot And
    CIS 4360 Secure Computer Systems Attacks against Boot and RAM Professor Qiang Zeng Spring 2017 Previous Class • BIOS-MBR: Generation I system boot – What BIOS and MBR are? – How does it boot the system? // Jumping to MBR – How does multi-boot work? // Chain-loading • The limitations of BIOS and MBR – Disk, memory, file system, multi-booting, security, … • UEFI-GPT: Generation II system boot – What UEFI and GPT are? – How does it boot the system? // UEFI boot manager – How does multi-boot work? // separate dirs in ESP CIS 4360 – Secure Computer Systems 2 Limitations of BIOS-MBR • MBR is very limited – Support ~2TB disk only – 4 primary partitions at most (so four OSes at most) – A MBR can store only one boot loader • BIOS is very restrictive – 16-bit processor mode; 1MB memory space (little spare space to accommodate a file system driver) – Blindly executes whatever code on MBR CIS 4360 – Secure Computer Systems 3 UEFI vs. BIOS • Disk partitioning schemes – GPT (GUID Partition Table): part of UEFI spec.; to replace MBR – MBR supports disk size 232 x 512B = 2TB, while UEFI supports much larger disks (264 x 512B = 8,000,000,000 TB) – MBR supports 4 partitions, while GPT supports 128 • Memory space – BIOS: 20-bit addressing; UEFI: 32-bit or 64-bit • Pre-OS environment – BIOS only provides raw disk access, while UEFI supports the FAT file system (so you can use file names to read files) • Booting – BIOS supports boot through boot sectors (MBR and VBR) – UEFI provides a boot partition of hundreds of megabytes (and boot manager and secure boot) CIS 4360 – Secure Computer Systems 4 Previous Class How does dual-boo-ng of Linux and Windows work in UEFI-GPT? Each vendor has a separate directory storing its own boot loader code and configuraon files in the ESP (EFI System Par--on).
    [Show full text]
  • Low-Cost Mitigation Against Cold Boot Attacks for an Authentication Token
    Low-cost Mitigation against Cold Boot Attacks for an Authentication Token Ian Goldberg?1, Graeme Jenkinson2, and Frank Stajano2 1 University of Waterloo (Canada) 2 University of Cambridge (United Kingdom) Abstract. Hardware tokens for user authentication need a secure and usable mechanism to lock them when not in use. The Pico academic project proposes an authentication token unlocked by the proximity of simpler wearable devices that provide shares of the token’s master key. This method, however, is vulnera- ble to a cold boot attack: an adversary who captures a running Pico could extract the master key from its RAM and steal all of the user’s credentials. We present a cryptographic countermeasure—bivariate secret sharing—that protects all the credentials except the one in use at that time, even if the token is captured while it is on. Remarkably, our key storage costs for the wearables that supply the cryp- tographic shares are very modest (256 bits) and remain constant even if the token holds thousands of credentials. Although bivariate secret sharing has been used before in slightly different ways, our scheme is leaner and more efficient and achieves a new property—cold boot protection. We validated the efficacy of our design by implementing it on a commercial Bluetooth Low Energy development board and measuring its latency and energy consumption. For reasonable choices of latency and security parameters, a standard CR2032 button-cell battery can power our prototype for 5–7 months, and we demonstrate a simple enhancement that could make the same battery last for over 9 months.
    [Show full text]
  • Performance Evaluation of Newly Proposed Lightweight Cipher, BRIGHT
    Received: January 22, 2019 71 Performance Evaluation of Newly Proposed Lightweight Cipher, BRIGHT Deepti Sehrawat1* Nasib Singh Gill1 1Department of Computer Science & Applications, Maharshi Dayanand University, Rohtak, Haryana, India * Corresponding author’s Email: dips.scorpio@gmail.com Abstract: Lightweight security algorithms are tailored for resource-constrained environment. To improve the efficiency of an algorithm, usually, a tradeoff is involved in lightweight cryptography in terms of its memory requirements and speed. By adopting several performance enhancement techniques, a security framework for IoT enabled applications is presented in this paper. Proposed BRIGHT family of ciphers is comparably better than existing lightweight ciphers and support a range of block and key sizes for constraint environment. It enables users to match their security needs with application requirements by supporting a range of cryptographic solutions. The BRIGHT family of ciphers is a software-oriented design. The performance of BRIGHT family of lightweight ciphers is evaluated on different parameters. All versions of BRIGHT family ciphers fulfill Strict Avalanche Criteria, key sensitivity test, and randomness test. BRIGHT family ciphers show better performance in terms of memory requirements, cost and speed as compared to existing lightweight ciphers. Keywords: Performance evaluation, BRIGHT, Cryptographic solutions, Lightweight block cipher, ARX, GFN, Feistel block ciphers. devices information security is evidently necessary 1. Introduction [3]. To provide high security and privacy, cryptographic solutions must be used. However, due In IoT field, various resource constraints devices to very low available energy, the limited size of ROM communicate in the network using RFID (Radio and RAM consumption and high-security demand in Frequency Identification Devices) which is a fast- a resource-constrained environment, lightweight growing technology that allows automated cryptographic security solutions are required [4].
    [Show full text]
  • Network Security H B ACHARYA
    Network Security H B ACHARYA NETWORK SECURITY Day 2 NETWORK SECURITY Encryption Schemes NETWORK SECURITY Basic Problem ----- ----- ? Given: both parties already know the same secret How is this achieved in practice? Goal: send a message confidentially Any communication system that aims to guarantee confidentiality must solve this problem NETWORK SECURITY slide 4 One-Time Pad (Vernam Cipher) ----- 10111101… ----- = 10111101… 10001111… = 00110010… 00110010… = Key is a random bit sequence as long as the plaintext Decrypt by bitwise XOR of ciphertext and key: ciphertext key = (plaintext key) key = Encrypt by bitwise XOR of plaintext (key key) = plaintext and key: plaintext ciphertext = plaintext key Cipher achieves perfect secrecy if and only if there are as many possible keys as possible plaintexts, and every key is equally likely (Claude Shannon, 1949) NETWORK SECURITY slide 5 Advantages of One-Time Pad Easy to compute ◦ Encryption and decryption are the same operation ◦ Bitwise XOR is very cheap to compute As secure as theoretically possible ◦ Given a ciphertext, all plaintexts are equally likely, regardless of attacker’s computational resources ◦ …if and only if the key sequence is truly random ◦ True randomness is expensive to obtain in large quantities ◦ …if and only if each key is as long as the plaintext ◦ But how do the sender and the receiver communicate the key to each other? Where do they store the key? NETWORK SECURITY slide 6 Problems with One-Time Pad Key must be as long as the plaintext ◦ Impractical in most realistic
    [Show full text]
  • Applied Cryptography and Data Security
    Lecture Notes APPLIED CRYPTOGRAPHY AND DATA SECURITY (version 2.5 | January 2005) Prof. Christof Paar Chair for Communication Security Department of Electrical Engineering and Information Sciences Ruhr-Universit¨at Bochum Germany www.crypto.rub.de Table of Contents 1 Introduction to Cryptography and Data Security 2 1.1 Literature Recommendations . 3 1.2 Overview on the Field of Cryptology . 4 1.3 Symmetric Cryptosystems . 5 1.3.1 Basics . 5 1.3.2 A Motivating Example: The Substitution Cipher . 7 1.3.3 How Many Key Bits Are Enough? . 9 1.4 Cryptanalysis . 10 1.4.1 Rules of the Game . 10 1.4.2 Attacks against Crypto Algorithms . 11 1.5 Some Number Theory . 12 1.6 Simple Blockciphers . 17 1.6.1 Shift Cipher . 18 1.6.2 Affine Cipher . 20 1.7 Lessons Learned | Introduction . 21 2 Stream Ciphers 22 2.1 Introduction . 22 2.2 Some Remarks on Random Number Generators . 26 2.3 General Thoughts on Security, One-Time Pad and Practical Stream Ciphers 27 2.4 Synchronous Stream Ciphers . 31 i 2.4.1 Linear Feedback Shift Registers (LFSR) . 31 2.4.2 Clock Controlled Shift Registers . 34 2.5 Known Plaintext Attack Against Single LFSRs . 35 2.6 Lessons Learned | Stream Ciphers . 37 3 Data Encryption Standard (DES) 38 3.1 Confusion and Diffusion . 38 3.2 Introduction to DES . 40 3.2.1 Overview . 41 3.2.2 Permutations . 42 3.2.3 Core Iteration / f-Function . 43 3.2.4 Key Schedule . 45 3.3 Decryption . 47 3.4 Implementation . 50 3.4.1 Hardware .
    [Show full text]
  • Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1
    International Journal of Grid and Distributed Computing Vol. 10, No. 11 (2017), pp.79-98 http://dx.doi.org/10.14257/ijgdc.2017.10.11.08 Identifying Open Research Problems in Cryptography by Surveying Cryptographic Functions and Operations 1 Rahul Saha1, G. Geetha2, Gulshan Kumar3 and Hye-Jim Kim4 1,3School of Computer Science and Engineering, Lovely Professional University, Punjab, India 2Division of Research and Development, Lovely Professional University, Punjab, India 4Business Administration Research Institute, Sungshin W. University, 2 Bomun-ro 34da gil, Seongbuk-gu, Seoul, Republic of Korea Abstract Cryptography has always been a core component of security domain. Different security services such as confidentiality, integrity, availability, authentication, non-repudiation and access control, are provided by a number of cryptographic algorithms including block ciphers, stream ciphers and hash functions. Though the algorithms are public and cryptographic strength depends on the usage of the keys, the ciphertext analysis using different functions and operations used in the algorithms can lead to the path of revealing a key completely or partially. It is hard to find any survey till date which identifies different operations and functions used in cryptography. In this paper, we have categorized our survey of cryptographic functions and operations in the algorithms in three categories: block ciphers, stream ciphers and cryptanalysis attacks which are executable in different parts of the algorithms. This survey will help the budding researchers in the society of crypto for identifying different operations and functions in cryptographic algorithms. Keywords: cryptography; block; stream; cipher; plaintext; ciphertext; functions; research problems 1. Introduction Cryptography [1] in the previous time was analogous to encryption where the main task was to convert the readable message to an unreadable format.
    [Show full text]
  • Journal Paper Format
    International Journal of Advanced Science and Technology Vol. 28, No. 8, (2019), pp. 282-288 Cryptographic protocols for Mobile Cloud Computing Suresh.P1, Venkatagiri J2,Lochan B3, Dr. Pritam Gajkumar Shah4 Abstract Cloud computing will be the buzzword of an Information Technology to access the different resources placed all across the globe with the help of the Internet. With the advancement in mobile technology the number of users accessing the resources placed across the data centres will also get increased, through their mobile devices. With many technologies are evolved to provide security to the user while on transit, still not much security is given while the user is on the transit, which will be the main concern for people who are going to use the cloud resources through mobile devices across the world. Providing the security from the data which is a main concern for the data centers. Keywords: Cloud computing, protocols, Security 1. Introduction Since in todays world every human being is making use of mobile devices for their daily day to day activities. People want to access the resources while on a go. With the invention of the cloud computing the data can be accessed through the computer as well as the mobile device. Mobile cloud computing has been introduced to make use of the cloud resources through mobile servers. Mobile cloud computing is a combination of cloud computing and mobile services working together. With the accessing of the cloud resources on move, severe drawbacks has to be faced related to the performance, security(Reliability and privacy) and environment( Low bandwidth, Service and heterogeneity) along with scalability and availability.
    [Show full text]
  • Vulnerability Analysis of PRINCE and RECTANGLE Using DPA
    Side Channel Attacks: Vulnerability Analysis of PRINCE and RECTANGLE using DPA Ravikumar Selvam, Dillibabu Shanmugam, and Suganya Annadurai Hardware Security Research Group, Society for Electronic Transactions and Security, India. {ravikumar,dillibabu,asuganya}@setsindia.net http://www.setsindia.org/hardware.html Abstract. Over a decade, cryptographers are more attentive on design- ing lightweight ciphers in focus to compact cryptographic devices. More often, the security of these algorithms are defined in terms of its resis- tance to mathematical cryptanalysis methods. Nevertheless, designers are well aware of implementation attacks and concentrating on new de- sign strategies to improve the defence quality against implementation attack. PRINCE [3] and RECTANGLE [17] lightweight block ciphers are de- signed using new design strategies for efficiency and security. In this paper we analyse the security of PRINCE and RECTANGLE against a type of implementation attack called Differential Power Analysis (DPA) at- tack. Our attack reduces key search space from 2128 to 33008 for PRINCE and 280 to 288 for RECTANGLE. Keywords: Lightweight block cipher, power characteristic, FPGA imple- mentation, differential power analysis 1 Introduction Differential Power Analysis (DPA) attack, a type of implementation at- tack, exploits the power consumed by the device when it performs cryp- tography operations. In 1999, Kocher et al. [11] showed that power anal- ysis attacks can efficiently reveal the secret key. After the DPA became public, designers of cryptographic algorithm had started concentrating on the new design strategies to improve the defense quality against the attack. However, few algorithms are still vulnerable to DPA attack. This motivated us to evaluate algorithms that are vulnerable to DPA attack.
    [Show full text]
  • A Survey of ARX-Based Symmetric-Key Primitives
    397 International Journal of Communication Networks and Information Security (IJCNIS) Vol. 11, No. 3, December 2019 A Survey of ARX-based Symmetric-key Primitives Nur Fasihah Mohd Esa1, Shekh Faisal Abdul-Latip1 and Mohd Rizuan Baharon1 1INSFORNET Centre for Advanced Computing Technology, Fakulti Teknologi Maklumat dan Komunikasi, Universiti Teknikal Malaysia Melaka Abstract: Addition Rotation XOR is suitable for fast and fast software-oriented implementation. Nevertheless, the implementation symmetric –key primitives, such as stream and security properties are still not well studied in literature as block ciphers. This paper presents a review of several block and compared to SPN and Feistel ciphers. stream ciphers based on ARX construction followed by the Observation of addition from [4]: First, addition modulo discussion on the security analysis of symmetric key primitives n where the best attack for every cipher was carried out. We 2 on the window can be approximated by addition modulo benchmark the implementation on software and hardware platforms according to the evaluation metrics. Therefore, this paper aims at . Second, this addition gives a perfect approximation if providing a reference for a better selection of ARX design strategy. the carry into the window is estimated correctly. The probability distribution of the carry is generated, depending Keywords: ARX, cryptography, cryptanalysis, design, stream on the probability of approximation correctness. The ciphers, block ciphers. probability of the carry is independent of w; in fact, for 1. Introduction uniformly distributed addends it is , where The rapid development of today’s computing technology has is the position of the least significant bit in the window. made computer devices became smaller which in turn poses Thirdly, the probability of correctness for a random guess of a challenge to their security aspects.
    [Show full text]
  • A Small and Fast Lightweight Block Cipher for 32-Bit Processor
    International Journal of Engineering and Advanced Technology (IJEAT) ISSN: 2249-8958, Volume-8 Issue-5, June 2019 BRIGHT: A Small and Fast Lightweight Block Cipher for 32-bit Processor Deepti Sehrawat, Nasib Singh Gill maintenance as compared to hardware implementations. Even Abstract: Recently a number of lightweight ciphers are providing strong resistance against mathematical attacks designed for improved hardware or software performance. could not protect hardware-oriented block ciphers from side Designing block ciphers for a resource-constrained 32-bit channel attacks thereby losing its keys. So a good software processor is even more challenging. Usually, for 32-bit CPU the lightweight ciphers are designed with low-security margins. This design is required to provide enough security guard against paper presents, an efficient family of LBC, named BRIGHT. The attacks. proposed design is a software-oriented security framework for Our Contribution resource-constrained IoT-enabled applications. It has lowest code First, the analysis of various existing benchmarked designs size and fastest execution speed on 32-bit processor because of its is carried out to identify the strong points and flaws of each 32-bit ARX operations. It enables users to match their security needs with application requirements by supporting a range of one which is culminated in the publication in [3, 4]. Then the cryptographic solutions. The proposed design has 6 variants and design goals are formulated to ensure a fair comparison of the all variants of BRIGHT family ciphers fulfills Strict Avalanche proposed design with other benchmarked designs. The Criteria and key sensitivity test. BRIGHT family ciphers show framework of the proposed design is then described and the better performance in terms of memory requirements, cost and performance is evaluated on different platforms.
    [Show full text]