On Selected Issues of Full Disk Encryption

Total Page:16

File Type:pdf, Size:1020Kb

On Selected Issues of Full Disk Encryption MASARYK UNIVERSITY FACULTY OF INFORMATICS On selected issues of full disk encryption DISSERTATION THESIS PROPOSAL Milan Brož Supervisor: prof. RNDr. Václav Matyáš, M.Sc, Ph.D. Brno, January 2015 Supervisor's signature: Table of contents 1 Introduction 2 1.1 Full disk encryption 2 1.2 FDE in different layers 3 1.3 FDE problem domains 4 1.4 Storage system 4 1.5 Cryptography and limiting factors 5 2 State-of-the-art research 7 2.1 Threat models 7 2.2 Storage architecture 8 2.3 Secure wipe on storage 8 2.4 Sector encryption algorithms 9 2.4.1 Block ciphers and modes 9 2.4.2 Narrow encryption modes 10 2.4.3 Initial vectors in CBC 11 2.4.4 Wide encryption modes 12 2.4.5 Integrity protection and authenticated modes 12 2.5 Key storage and management 13 2.5.1 How to store volume key 14 2.5.2 Password-based key derivation functions 15 2.5.3 Password hashing competition 16 3 Planned future research 18 3.1 Considered issues in FDE 18 3.2 Research proposal 20 4 Summary of own results 21 A Appendix 22 A.l Storage architecture 22 A. 1.1 Rotational disks 22 A. 1.2 Flash memory based storage 22 A. 1.3 Network attached storage, block storage in cloud services 23 Bibliography 23 1 1 Introduction As the requirements for security and privacy grow, encryption becomes an essential part of most systems involved in processing of sensitive data. With the availability of processors that are able to perform data encryption with throughput even higher than the throughput of high-end storage devices, the possibility to encrypt the whole storage device on-the-fiy becomes reality even for mobile and embedded devices. Full disk encryption (FDE) as transparent on-the-fly encryption of storage devices operates directly on the disk sector level. This means that it can be implemented inside an operating system (or even inside a storage device itself) without the need to adapt higher layers like filesystem or applications. FDE does not rule out encryption on higher layers. Independent encryption on various layers can still complement one another perfectly. This layer separation is an important factor in designing secure and reliable storage systems but also requires very responsible design of all involved components. In theory, the layer separation is ideal and FDE could be completely transparent for the layers below and above. In reality, security and performance of an FDE system is directly influenced by the underlying storage architecture and design should take into account relevant physical and operational limits. This leads to many inevitable trade-off decisions (and often to design mistakes deflating security). 1.1 Full disk encryption From a high level perspective, FDE just provides transparent access to a storage device using another virtual device layered on top of the encrypted one. The top level device contains clear data (plaintext) and applications can access this virtual device as normal storage. The encryption layer then encrypts and decrypts sectors on-the-fly, so that the underlying device contains only encrypted data (ciphertext). The whole underlying storage device is encrypted and if the device is properly wiped before initial use, the whole underlying disk should contain only encrypted data statistically not distinguishable from a random noise. Handling of (secure) wipe in combination with unused disk space management in modern storage systems uncovers the first problem for FDE discussed in next sections. Once a user activates the plaintext device (usually by providing a password or using some security token-based unlocking mechanism) the encryption 2 1. INTRODUCTION layer is activated and plaintext device is made accessible to the system. Management of encryption keys, in particular the techniques for generating keys and storing them securely, is a critical part of the system. 1.2 FDE in different layers FDE can be implemented in various layers, beginning with the hardware itself and ending with full software implementation running solely on the host processor. The problems to solve in various layers are usually quite similar, but implementations differ in utilizing various kinds of hardware. The hardware level FDE is processed directly inside the drive. There is a lot of products using this kind of hardware level FDE with various marketing names (meaning the same in reality). Examples are Hitachi (bulk data encryption), Seagate (full disk encryption) or Toshiba (self-encrypting drives). There is also the Opal storage specification [1] that tries to create a common standard for manufacturers of these drives. A recent security analysis of hardware FDEs is provided in [2]. Another hardware-based FDE is the Chipset FDE. This is a common stock drive without encryption capabilities, combined with a special hard• ware interface (bridge) placed between the drive and disk interface that provides encryption. The only difference from self-encrypting drives is that the encryption bridge is clearly (both logically and physically) separated from the drive. Example of such systems are almost all external USB drives with hardware-based encryption (because the USB Bridge is an additional interface, combining with encryption functionality seems to be a cost effective solution for manufacturers). The layer we are mainly interested in is a software-based FDE. The encryption runs directly on the host system processor (either directly as a generic sub-procedure or utilizing special instructions like Intel AES-NI). There can be also a special crypto processing units integrated (examples are VIA PadLock, AMD Geode AES engine or from the mainframe world IBM System z9 - CP Assist for Cryptographic functions - CPACF). The special borderline case are embedded systems using software based FDE encryption but solely designed to present storage over the network. These devices (usually running some Linux derivative inside) are very common for low-cost network attached storage (NAS) products. 3 1. INTRODUCTION Symmetric Encryption RNG Key Derivation Algorithms Modes (randomness) Algorithms 1 1 1 1 Encryption User Data Key Storage |- (plaintext) Engine Steganography Key Passphrase User Data Storage Multi-Factor (ciphertext) Authentication Storage Hardware Security Performance Secure Wipe Architectures Keystore Policy Figure 1.1: A schematic concept of FDE architectural design domains. 1.3 FDE problem domains The issues (simplified) related to FDE are illustrated in Figure 1.1. In the following description, we will focus on the cryptographic part, but under• standing other domains is crucial to designing secure and practically usable FDE systems. 1.4 Storage system A storage system here means a device intended for persistent data store. In real systems it is disk, either rotational or flash memory based, connected to operating system as a block device. The atomic accessible unit of this device is indeed block (consisting of one or more low-level disk sectors), but to avoid confusion we will use sector as the description for an atomic unit of a block device. Storage system can be locally or remotely attached. The internal architecture of storage systems is important not only for performance reasons, but also for secure design of FDE. 4 1. INTRODUCTION A good example of a performance-related attribute is the alignment of filesystem blocks to sectors (in flash memory storage even to internal memory blocks). There can be multiple virtual storage layers so the alignment of all layers becomes a critical part of the storage performance (misalignment usually means increasing of input/output operations for the drive because it must split the writing area between one or more underlying sectors). If we add a transparent encryption layer between any of these layers, we should respect all restrictions to avoid a significant performance decrease. The storage architecture can also directly influence security of the system. For example, modern solid state drives (SSDs) contain processors capable of highly sophisticated operations. The need of a complex flash sector storage management also often implies that various garbage collector and optimiza• tion processes are running inside these drives. These processes are running invisible in the background to provide optimal performance and life-time optimizations (called wear-leveling). The drive shuffles the sectors to keep the drive performance optimal. Unfortunately, it also means that with these drives it is impossible to ensure that erasing a sector really destroys the information stored there. There can be even more copies of the same sector internally as a side effect of drive optimization algorithms. The sector reallocation problem is not new. For rotational media, sector reallocation exists as well (if a drive detects a physically defective area it reallocates sectors to special reserved area). Yet what is an exceptional procedure (usually caused by a media error) for rotational drives, it becomes normal operating mode for SSDs. We will discuss relevant storage architecture issues in detail in section 2.2 and in appendix A.l. 1.5 Cryptography and limiting factors The following section introduces type of cryptographic primitives and algo• rithms used in the FDE area while the more rigorous description follows in section 2.4. High performance is an important factor for real-world usability of FDE. The storage encryption layer uses symmetric block ciphers for data encryption that can provide the needed performance. While the block size of block ciphers is usually smaller than the sector size, block ciphers must be operated in a cipher mode. Price for using a cipher mode is increased computational and time requirements. An authenticated cipher mode can also provide integrity protection. The encryption layer preserves sectors as independently accessible units. 5 1. INTRODUCTION We can define it as a format-preserving encryption where independent N-bytes sectors of plaintext encrypts into another N-bytes ciphertext sectors. Therefore there is no space available for any additional context information inside encrypted sectors (sector size is not increased).
Recommended publications
  • Computationally Data-Independent Memory Hard Functions
    Computationally Data-Independent Memory Hard Functions Mohammad Hassan Ameri∗ Jeremiah Blocki† Samson Zhou‡ November 18, 2019 Abstract Memory hard functions (MHFs) are an important cryptographic primitive that are used to design egalitarian proofs of work and in the construction of moderately expensive key-derivation functions resistant to brute-force attacks. Broadly speaking, MHFs can be divided into two categories: data-dependent memory hard functions (dMHFs) and data-independent memory hard functions (iMHFs). iMHFs are resistant to certain side-channel attacks as the memory access pattern induced by the honest evaluation algorithm is independent of the potentially sensitive input e.g., password. While dMHFs are potentially vulnerable to side-channel attacks (the induced memory access pattern might leak useful information to a brute-force attacker), they can achieve higher cumulative memory complexity (CMC) in comparison than an iMHF. In particular, any iMHF that can be evaluated in N steps on a sequential machine has CMC at 2 most N log log N . By contrast, the dMHF scrypt achieves maximal CMC Ω(N 2) — though O log N the CMC of scrypt would be reduced to just (N) after a side-channel attack. In this paper, we introduce the notion ofO computationally data-independent memory hard functions (ciMHFs). Intuitively, we require that memory access pattern induced by the (ran- domized) ciMHF evaluation algorithm appears to be independent from the standpoint of a computationally bounded eavesdropping attacker — even if the attacker selects the initial in- put. We then ask whether it is possible to circumvent known upper bound for iMHFs and build a ciMHF with CMC Ω(N 2).
    [Show full text]
  • PHC: Status Quo
    PHC: status quo JP Aumasson @veorq / http://aumasson.jp academic background principal cryptographer at Kudelski Security, .ch applied crypto research and outreach BLAKE, BLAKE2, SipHash, NORX Crypto Coding Standard Password Hashing Competition Open Crypto Audit Project board member do you use passwords? this talk might interest you! Oct 2013 "hash" = 3DES-ECB( static key, password ) users' hint made the guess game easy... (credit Jeremi Gosney / Stricture Group) May 2014; "encrypted passwords" (?) last week that's only the reported/published cases Lesson if Adobe, eBay, and Avast fail to protect their users' passwords, what about others? users using "weak passwords"? ITsec people using "weak defenses"? developers using "weak hashes"? cryptographers, who never bothered? agenda 1. how (not) to protect passwords 2. the Password Hashing Competition (PHC) 3. the 24-2 PHC candidates 4. next steps, and how to contribute WARNING this is NOT about bikeshed topics as: password policies password managers password-strength meters will-technology-X-replace-passwords? 1. how (not) to protect passwords solution of the 60's store "password" or the modern alternative: obviously a bad idea (assuming the server and its DB are compromised) solution of the early 70's store hash("password") "one-way": can't be efficiently inverted vulnerable to: ● efficient dictionary attacks and bruteforce ● time-memory tradeoffs (rainbow tables, etc.) solution of the late 70's store hash("password", salt) "one-way": can't be efficiently inverted immune to time-memory tradeoffs vulnerable to: ● dictionary attacks and bruteforce (but has to be repeated for different hashes) solution of the 2000's store hash("password", salt, cost) "one-way": can't be efficiently inverted immune to time-memory tradeoffs inefficient dictionary attacks and bruteforce main ideas: ● be "slow" ● especially on attackers' hardware (GPU, FPGA) => exploit fast CPU memory access/writes PBKDF2 (Kaliski, 2000) NIST and PKCS standard in Truecrypt, iOS, etc.
    [Show full text]
  • Permutation-Based Encryption, Authentication and Authenticated Encryption
    Permutation-based encryption, authentication and authenticated encryption Permutation-based encryption, authentication and authenticated encryption Joan Daemen1 Joint work with Guido Bertoni1, Michaël Peeters2 and Gilles Van Assche1 1STMicroelectronics 2NXP Semiconductors DIAC 2012, Stockholm, July 6 . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Modern-day cryptography is block-cipher centric (Standard) hash functions make use of block ciphers SHA-1, SHA-256, SHA-512, Whirlpool, RIPEMD-160, … So HMAC, MGF1, etc. are in practice also block-cipher based Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric Structure of a block cipher (inverse operation) . Permutation-based encryption, authentication and authenticated encryption Modern-day cryptography is block-cipher centric When is the inverse block cipher needed? Indicated in red: Hashing and its modes HMAC, MGF1, … Block encryption: ECB, CBC, … Stream encryption: synchronous: counter mode, OFB, … self-synchronizing: CFB MAC computation: CBC-MAC, C-MAC, … Authenticated encryption: OCB, GCM, CCM … So a block cipher
    [Show full text]
  • Cryptographic Sponge Functions
    Cryptographic sponge functions Guido B1 Joan D1 Michaël P2 Gilles V A1 http://sponge.noekeon.org/ Version 0.1 1STMicroelectronics January 14, 2011 2NXP Semiconductors Cryptographic sponge functions 2 / 93 Contents 1 Introduction 7 1.1 Roots .......................................... 7 1.2 The sponge construction ............................... 8 1.3 Sponge as a reference of security claims ...................... 8 1.4 Sponge as a design tool ................................ 9 1.5 Sponge as a versatile cryptographic primitive ................... 9 1.6 Structure of this document .............................. 10 2 Definitions 11 2.1 Conventions and notation .............................. 11 2.1.1 Bitstrings .................................... 11 2.1.2 Padding rules ................................. 11 2.1.3 Random oracles, transformations and permutations ........... 12 2.2 The sponge construction ............................... 12 2.3 The duplex construction ............................... 13 2.4 Auxiliary functions .................................. 15 2.4.1 The absorbing function and path ...................... 15 2.4.2 The squeezing function ........................... 16 2.5 Primary aacks on a sponge function ........................ 16 3 Sponge applications 19 3.1 Basic techniques .................................... 19 3.1.1 Domain separation .............................. 19 3.1.2 Keying ..................................... 20 3.1.3 State precomputation ............................ 20 3.2 Modes of use of sponge functions .........................
    [Show full text]
  • Optimizing a Password Hashing Function with Hardware-Accelerated Symmetric Encryption
    S S symmetry Article Optimizing a Password Hashing Function with Hardware-Accelerated Symmetric Encryption Rafael Álvarez 1,* , Alicia Andrade 2 and Antonio Zamora 3 1 Departamento de Ciencia de la Computación e Inteligencia Artificial (DCCIA), Universidad de Alicante, 03690 Alicante, Spain 2 Fac. Ingeniería, Ciencias Físicas y Matemática, Universidad Central, Quito 170129, Ecuador; [email protected] 3 Departamento de Ciencia de la Computación e Inteligencia Artificial (DCCIA), Universidad de Alicante, 03690 Alicante, Spain; [email protected] * Correspondence: [email protected] Received: 2 November 2018; Accepted: 22 November 2018; Published: 3 December 2018 Abstract: Password-based key derivation functions (PBKDFs) are commonly used to transform user passwords into keys for symmetric encryption, as well as for user authentication, password hashing, and preventing attacks based on custom hardware. We propose two optimized alternatives that enhance the performance of a previously published PBKDF. This design is based on (1) employing a symmetric cipher, the Advanced Encryption Standard (AES), as a pseudo-random generator and (2) taking advantage of the support for the hardware acceleration for AES that is available on many common platforms in order to mitigate common attacks to password-based user authentication systems. We also analyze their security characteristics, establishing that they are equivalent to the security of the core primitive (AES), and we compare their performance with well-known PBKDF algorithms, such as Scrypt and Argon2, with favorable results. Keywords: symmetric; encryption; password; hash; cryptography; PBKDF 1. Introduction Key derivation functions are employed to obtain one or more keys from a master secret. This is especially useful in the case of user passwords, which can be of arbitrary length and are unsuitable to be used directly as fixed-size cipher keys, so, there must be a process for converting passwords into secret keys.
    [Show full text]
  • Lyra2 Password Hashing Scheme with Improved Security Against Time-Memory Trade-Offs (TMTO)
    Lyra2 Password Hashing Scheme with improved security against time-memory trade-offs (TMTO) Ewerton Rodrigues Andrade [email protected] Escola Polit´ecnicada Universidade de S~aoPaulo { EP/USP Ag^enciasde fomento: CAPES, FDTE e Erasmus Mundus Defesa de Tese de Doutorado 07 de junho de 2016 Banca Examinadora: Prof Dr Marcos Antonio Simplicio Junior { EP/USP (presidente) Prof Dr Wilson Vicente Ruggiero { EP/USP Profª Drª Denise Hideko Goya { CMCC/UFABC Prof Dr Diego de Freitas Aranha { IC/UNICAMP Dr Rafael Misoczki { Intel Labs Introdu¸c~ao Lyra2 Compara¸c~oes BlaMka Consider. Finais Refer^encias Sum´ario 1 Introdu¸c~ao Motiva¸c~ao Objetivos Metodologia 2 Lyra2 The Bootstrapping phase The Setup phase The Wandering phase The Wrap-up phase 3 Lyra2 x scrypt x finalistas do PHC Seguran¸ca Desempenho 4 BlaMka Resultados Parciais 5 Considera¸c~oesFinais Principais Resultados Trabalhos Futuros 2 / 51 Ewerton Rodrigues Andrade Lyra2 - Defesa de Doutorado Introdu¸c~ao Lyra2 Compara¸c~oes BlaMka Consider. Finais Motiva¸c~aoRefer^encias Objetivos Metodologia Sum´ario 1 Introdu¸c~ao Motiva¸c~ao Objetivos Metodologia 2 Lyra2 The Bootstrapping phase The Setup phase The Wandering phase The Wrap-up phase 3 Lyra2 x scrypt x finalistas do PHC Seguran¸ca Desempenho 4 BlaMka Resultados Parciais 5 Considera¸c~oesFinais Principais Resultados Trabalhos Futuros 3 / 51 Ewerton Rodrigues Andrade Lyra2 - Defesa de Doutorado Introdu¸c~ao Lyra2 Compara¸c~oes BlaMka Consider. Finais Motiva¸c~aoRefer^encias Objetivos Metodologia Motiva¸c~ao A autentica¸c~ao´evital para a seguran¸cados sistemas computacionais modernos 4 / 51 Ewerton Rodrigues Andrade Lyra2 - Defesa de Doutorado Introdu¸c~ao Lyra2 Compara¸c~oes BlaMka Consider.
    [Show full text]
  • Broad View of Cryptographic Hash Functions
    IJCSI International Journal of Computer Science Issues, Vol. 10, Issue 4, No 1, July 2013 ISSN (Print): 1694-0814 | ISSN (Online): 1694-0784 www.IJCSI.org 239 Broad View of Cryptographic Hash Functions 1 2 Mohammad A. AlAhmad , Imad Fakhri Alshaikhli 1 Department of Computer Science, International Islamic University of Malaysia, 53100 Jalan Gombak Kuala Lumpur, Malaysia, 2 Department of Computer Science, International Islamic University of Malaysia, 53100 Jalan Gombak Kuala Lumpur, Malaysia Abstract Cryptographic hash function is a function that takes an arbitrary length as an input and produces a fixed size of an output. The viability of using cryptographic hash function is to verify data integrity and sender identity or source of information. This paper provides a detailed overview of cryptographic hash functions. It includes the properties, classification, constructions, attacks, applications and an overview of a selected dedicated cryptographic hash functions. Keywords-cryptographic hash function, construction, attack, classification, SHA-1, SHA-2, SHA-3. Figure 1. Classification of cryptographic hash function 1. INTRODUCTION CRHF usually deals with longer length hash values. An A cryptographic hash function H is an algorithm that takes an unkeyed hash function is a function for a fixed positive integer n * arbitrary length of message as an input {0, 1} and produce a which has, as a minimum, the following two properties: n fixed length of an output called message digest {0, 1} 1) Compression: h maps an input x of arbitrary finite bit (sometimes called an imprint, digital fingerprint, hash code, hash length, to an output h(x) of fixed bit length n.
    [Show full text]
  • The Password Hashing Competition Prehistory of Password Protection
    The Password Hashing Competition Peter Gutmann University of Auckland Prehistory of Password Protection Before timesharing • Whoever submitted the card deck owned it Prehistory of Password Protection (ctd) Compatible Time-Sharing System (CTSS), 1963 • Introduced the use of a “private code” to protect access to users’ data Prehistory of Password Protection (ctd) Famously failed in 1966 • CTSS editor used a fixed temporary filename • Admin edited the password file and login message file at the same time… Problem occurred at 5pm on a Friday • User noticed it and deliberately executed an HCF instruction in the debugger • When machine was rebooted, users were told to change their passwords – (And given free credit monitoring) History of Password Protection Cambridge Uni Titan timesharing system, 1967, used a one-way cipher to protect the password Spread to CTSS’ successor Multics in the 1970s • And from there to a Multics successor, Unics^H^Hx History of Password Protection (ctd) Unix originally stored passwords in the clear • More problems with editor temp files Encrypt the passwords like Multics had done • Protect against brute-force by iterating the encryption • Protect against comparing encrypted passwords by adding a random quantity (salt) to the password Originally based on a software analogue of the M-209 cipher machine • Encrypt the password using itself as the key • Found to be too fast, vulnerable to brute-forcing History of Password Protection (ctd) Later Unix crypt used 25 iterations of DES encryption • Salt+password used as a
    [Show full text]
  • Expert Password Management
    Expert Password Management Elizabeth Stobert1 and Robert Biddle2 1 ETH Z¨urich Z¨urich, Switzerland [email protected] 2 Carleton University Ottawa, Canada [email protected] Abstract. Experts are often asked for advice about password manage- ment, but how do they manage their own passwords? We conducted interviews with researchers and practitioners in computer security, ask- ing them about their password management behaviour. We conducted a thematic analysis of our data, and found that experts described a di- chotomy of behaviour where they employed more secure behaviour on important accounts, but had similar practices to non-expert users on re- maining accounts. Experts’ greater situation awareness allowed them to more easily make informed decisions about security, and expert practices can suggest ways for non-experts to better manage passwords. 1 Introduction Security experts are often turned to for advice about password management, but what do experts themselves do to manage their passwords? How are the practices of those who are knowledgeable about computer security different from or similar to those of non-experts? Little work exists on the password habits of experts, who must be affected by the same problems that affect all users: difficulties choosing random passwords, difficulties remembering passwords, and multitudinous accounts. If remembering large numbers of random passwords is difficult or near-impossible for non-expert users, it should be similarly difficult for experts. We conducted a series of interviews with researchers and practitioners in com- puter security, asking them about their password management behaviour. We found that these knowledgeable users described a dichotomy of behaviour where they employed more secure behaviour on important accounts that they deemed more worthy, but employed similar practices to non-expert users on their remain- ing accounts.
    [Show full text]
  • High Throughput Implementation of the Keccak Hash Function Using the Nios-II Processor †
    technologies Article High Throughput Implementation of the Keccak Hash Function Using the Nios-II Processor † Argyrios Sideris * , Theodora Sanida and Minas Dasygenis Department of Electrical and Computer Engineering, University of Western Macedonia, 50131 Kozani, Greece; [email protected] (T.S.); [email protected] (M.D.) * Correspondence: [email protected]; Tel.: +30-24610-33101 † This paper is an extended version of our paper published in 8th International Conference on Modern Circuit and System Technologies on Electronics and Communications (MOCAST 2019), Thessaloniki, Greece, 13–15 May 2019. Received: 21 December 2019; Accepted: 6 February 2020; Published: 10 February 2020 Abstract: Presently, cryptographic hash functions play a critical role in many applications, such as digital signature systems, security communications, protocols, and network security infrastructures. The new standard cryptographic hash function is Secure Hash Algorithm 3 (SHA-3), which is not vulnerable to attacks. The Keccak algorithm is the winner of the NIST competition for the adoption of the new standard SHA-3 hash algorithm. In this work, we present hardware throughput optimization techniques for the SHA-3 algorithm using the Very High Speed Integrated Circuit Hardware Description Language (VHDL) programming language for all output lengths in the Keccak hash function (224, 256, 384 and 512). Our experiments were performed with the Nios II processor on the FPGA Arria 10 GX (10AX115N2P45E1SG). We applied two architectures, one without custom instruction and one with floating point hardware 2. Finally, we compare the results with other existing similar designs and found that the proposed design with floating point 2 optimizes throughput (Gbps) compared to existing FPGA implementations.
    [Show full text]
  • A Lightweight Implementation of Keccak Hash Function for Radio-Frequency Identification Applications
    A Lightweight Implementation of Keccak Hash Function for Radio-Frequency Identification Applications Elif Bilge Kavun and Tolga Yalcin Department of Cryptography Institute of Applied Mathematics, METU Ankara, Turkey {e168522,tyalcin}@metu.edu.tr Abstract. In this paper, we present a lightweight implementation of the permutation Keccak-f[200] and Keccak-f[400] of the SHA-3 candidate hash function Keccak. Our design is well suited for radio-frequency identification (RFID) applications that have limited resources and demand lightweight cryptographic hardware. Besides its low-area and low-power, our design gives a decent throughput. To the best of our knowledge, it is also the first lightweight implementation of a sponge function, which differentiates it from the previous works. By implementing the new hash algorithm Keccak, we have utilized unique advantages of the sponge construction. Although the implementation is targeted for Application Specific Integrated Circuit (ASIC) platforms, it is also suitable for Field Programmable Gate Arrays (FPGA). To obtain a compact design, serialized data processing principles are exploited together with algorithm-specific optimizations. The design requires only 2.52K gates with a throughput of 8 Kbps at 100 KHz system clock based on 0.13-µm CMOS standard cell library. Keywords: RFID, Keccak, SHA-3, sponge function, serialized processing, low- area, low-power, high throughput. 1 Introduction In recent years, the developments on digital wireless technology have improved many areas such as the mobile systems. Mobile and embedded devices will be everywhere in times to come, making it possible to use communication services and other applications anytime and anywhere. Among these mobile devices, radio-frequency identification (RFID) tags offer low-cost, long battery life and unprecedented mobility [1-2].
    [Show full text]
  • SHA-3 Family of Cryptographic Hash Functions and Extendable-Output Functions
    The SHA-3 Family of Cryptographic Hash Functions and Extendable-Output Functions José Luis Gómez Pardo Departamento de Álxebra, Universidade de Santiago 15782 Santiago de Compostela, Spain e-mail: [email protected] Carlos Gómez-Rodríguez Departamento de Computación, Universidade da Coruña 15071 A Coruña, Spain e-mail: [email protected] Introduction This worksheet contains a Maple implementation of the Secure Hash Algorithm-3 (SHA-3) family of functions wich have been standardized by the US National Institute of Standards and Technology (NIST) in August 2015, as specified in [FIPS PUB 202] (SHA-3 Standard). The SHA-3 family consists of four cryptographic hash functions, called SHA3-224, SHA3-256, SHA3-384, and SHA3 -512, and two extendable-output functions (XOFs), called SHAKE128 and SHAKE256. The XOFs are different from hash functions but, as stated in SHA-3 Standard, "it is possible to use them in similar ways, with the flexibility to be adapted directly to the requirements of individual applications, subject to additional security considerations". The SHA-3 functions are based on the Keccak sponge function, designed by G. Bertoni, J. Daemen, M. Peeters, G. Van Assche. Keccak was selected for this purpose because it was declared, on October 2, 2012, the winner of the NIST Hash Function Competition held by NIST. The worksheet is an updated version of a previous one which had been published in 2013 with the title "The SHA-3 family of hash functions and their use for message authentication". The new version includes the XOFs following the NIST specification and, at the programming level, the most important change is in the padding procedure.
    [Show full text]