Encryption Chip Fights Off Sneak Attacks
Processor obscures characteristics that enable side-channel attacks in cloud computing
Businesses offering cloud-based services face a growing data leakage threat, say Taiwanese hardware designers. They claim to have devised a tactic to fight back: a chip with circuitry to frustrate what are known as side-channel attacks.
Side-channel attacks scrutinize things like computation time, power consumption, and electromagnetic emissions to glean something about the operations of cloud servers or to steal the cryptographic keys they use. Johns Hopkins University cryptography researcher Matthew D. Green writes in the January/February issue of IEEE Security & Privacy magazine that the cloud offers “a bonanza of potential side channels, because different virtual machines share physical resources, such as processor, instruction cache, or disk, on a single computer.” If malware in one virtual machine monitors the behavior of those resources, it could, in theory, figure out the set of cryptographic keys being used by a separate virtual machine, so long as both virtual machines reside on the same physical server. In fact, researchers at RSA Laboratories, the University of North Carolina, and the University of Wisconsin created such an attack [PDF], although it was difficult to execute.
A research team from the National Chiao Tung University (NCTU) in Hsinchu, Taiwan, decided to focus its defenses on cryptography chips that perform elliptic-curve cryptography (ECC). ECC has gained popularity in recent years, especially for mobile devices, because it uses much shorter cryptographic keys than other mainstream public-key cryptography methods do.
Last month, at the 2013 IEEE International Solid-State Circuits Conference (ISSCC), in San Francisco, the NCTU team reported that their new chip is resistant to side-channel attacks. Essentially, it makes side-channel attacks take so long that they become impractical.
“In the chip, we introduced not only a simplified way to do the encryption/decryption but also a sort of random-number generator to prevent side-channel attacks,” says Chen-Yi Lee, professor of electrical and electronics engineering at NCTU. “Hackers would have to spend five or six years to gain the details that they currently can get within a day” using side-channel attacks. (The RSA Laboratories experiment required about 6 hours.)
The key was the adoption of what the engineers call a heterogeneous dual-processing-element architecture, which balances both computation time and power consumption during different types of operations. In addition, the design includes a simple but novel digitally controlled oscillator to enhance the chip’s ability to generate random numbers. Jen-Wei Lee, a Ph.D. student at NCTU and first author of the report delivered at ISSCC, says that the design prevented hackers from detecting characteristic changes in the length of computations that could reveal cryptographic keys, because it made the computation time for different types of work appear equal.
Fabricated in a 90-nanometer CMOS process, the team’s 160-bit chip is about 0.4 square millimeters in size. “It can easily be integrated to an encryption/decryption IC, becoming a module for mobile devices,” Chen-Yi Lee says.
According to Chen-Yi Lee, making a side-channel-attack-resistant ECC chip would only cost about 5 percent more than the cost of a standard encryption chip, and it would consume about 5 percent more power.
Patrick Schaumont, associate professor of electrical and computer engineering at Virginia Tech, says such encryption chips have two primary purposes in cloud security: generating electronic signatures to authenticate data items and exchanging cryptographic key material to support encrypted communication links.
The NCTU “chip design is motivated by the high computation cost of public-key cryptography. Indeed, even the generation of several thousand signatures per second already requires a high-end server,” says Schaumont. When clocked at 200 megahertz, the NCTU chip takes about 0.3 milliseconds per 160-bit signature. “This type of signature is considered low end for today’s standards,” he says, adding that people would preferably go for a 256-bit signature, which has a cryptographic strength that matches that of other contemporary crypto-algorithms, including the well-known AES-128. Nevertheless, the numbers NCTU achieved “give an idea [of] what a dedicated hardware chip can do,” Schaumont says.
Jen-Wei Lee, one of Chen-Yi Lee’s students who worked on the encryption chip, says that they will next optimize the hardware design to work with ID-based encryption—a form of public-key encryption in which the public key is some unique information about the user, such as an e-mail or IP address.
“The progress we’ve made might drive hackers to create more-powerful side-channel attacks. There will always be attacks—and solutions,” Chen-Yi Lee says.
About the Author
Yu-Tzu Chiu is a Taipei correspondent for Bloomberg BNA. She has chronicled Taiwan’s tech policies for IEEE Spectrum since 2000. In February 2013, she reported on a way to use brain activity to predict whether a new online game would be a hit or a flop.