1. Field of the Invention
The present disclosure relates in general to the field of data encryption and data storage systems, and particularly to an encryption and/or decryption method and device in which confidentiality and integrity of data are protected.
It applies particularly, but not exclusively, to embedded systems such as PDAs (Personal Digital Assistants), mobile phones, MP3 players, set-top boxes, video equipment, etc., comprising a processing integrated circuit linked to at least one memory or storage device through a wired or wireless communication link.
The range of services provided by such embedded systems is widening rapidly, and applications like on-line banking transactions, web browsing, email, and application and game downloading have become common on mobile devices. As a consequence, the amount of sensitive information contained in or transiting through those devices also increases, whether private data (bank information, passwords, email, photos . . . ) or data protected by intellectual property rights (software, digital multimedia content . . . ). The issue is that today's embedded systems are considered untrustworthy hosts, since the owner, or anyone else who succeeds in getting physical access, is a potential adversary. Thus one of the challenges for the high-technology industry in the development of pervasive computing is the ability to ensure secure computation and storage.
Attacks conducted on embedded systems challenge several security services, namely data confidentiality, data integrity and system availability. Data confidentiality limits the reading of data stored in or transiting through the embedded system to authorized parties, while data integrity prevents those data from being tampered with, deleted or altered by malicious entities. Availability refers to keeping the device usable by its user, without unexpected delays or obstruction.
The objectives of attacks directed against an embedded system include retrieving information, possibly private, or taking control of it. One of the weakest points of such a system is the memory bus between the System on Chip (SoC) and the off-chip memory, which contains sensitive data (end users' private data, software code, etc.). Those data are usually exchanged in the clear over the memory bus during software loading and execution. Therefore an adversary may probe the memory bus to read and retrieve private data or software code (data confidentiality concern). Another possible attack relies on code injection and data tampering (data integrity concern).
An attacker can thus monitor the processor-memory communications and intercept the data transmitted (passive attacks). Another possibility is to read data directly from the memory device. Both raise the issue of data confidentiality. The adversary may also insert chosen texts (called "fakes" in the following) into the processor-memory communication channel and thus challenge data integrity. The objective of the attacker could be to take control of the system by injecting malicious code, or to constrain the search space of a message or secret key recovery attack. The following three kinds of active attacks remain conceivable even when the data are encrypted.
Spoofing attacks: this kind of attack consists of replacing a memory block transmitted in the communication channel with a random fake one. The attacker mainly alters program behavior, but cannot foresee the result of the attack if the data are encrypted.
Splicing or relocation attacks: this kind of attack consists of swapping a memory block transmitted in the communication channel with another one previously recorded from a different address of the external memory. Such an attack may be viewed as a spatial permutation of memory blocks. When data are encrypted, the benefit for the attacker of using a copy of a genuine memory block as the fake is that the resulting system behavior is known, if it has been observed before.
Replay attacks: this kind of attack is closely related to the splicing attack. However, the fake memory block is recorded at a specific address location and inserted later at the same address, so that the current data value is replaced by an older one. Such an attack may be viewed as a temporal permutation of memory blocks at a specific address location.
In order to perform these active attacks, the adversary may interfere with the communication protocol between the system and the memory by driving the data, address and control lines. In this way an attacker may write data directly into RAM, or switch between the attacker's RAM and the device's RAM at run-time.
2. Description of the Related Art
The known countermeasures consist of checking the integrity of, or authenticating, the data read from the external memory to counter spoofing attacks, and of authenticating the memory transactions themselves to counter splicing and replay attacks.
Protecting the confidentiality of the external memory content consists of preventing any useful information leakage from the external memory. Hence the basic goal is that data observed by an eavesdropper on the processor-memory communication channel, or retrieved directly from the memory, be unintelligible. This is achieved by bus encryption: data are encrypted on write operations and decrypted on read operations, so that data transiting over the communication channel and stored in the external memory are always encrypted and incomprehensible from the adversary's point of view. However, the targeted memories are generally Random Access Memories (RAM), meaning that memory accesses may be of any length and start from any address. Hence a granularity of encryption, i.e., the size of the atomic block processed by the encryption engine on each external memory access, must be defined. This size is one of the parameters that fix the trade-off between performance and security: data blocks that are too short lead to weak encryption, while blocks that are too long may decrease performance, e.g., by wasting memory bandwidth on small memory accesses.
The integrity of the memory content is protected by checking that read data have not been tampered with during external storage or transmission over the communication channel. As for encryption, a granularity of integrity checking on read operations is defined. To fulfill the integrity checking objective, a value is concatenated with each data block stored in the external memory. This value, called a "tag", is usually computed on-chip on write operations with a MAC (Message Authentication Code) algorithm. Such an algorithm, based on a hash function or on a symmetric block cipher, accepts as inputs the data block and a secret key. In principle the generated tag is a compact representative image of the data block and of its source, i.e., the processor. Moreover, only the system on chip is capable of computing this tag, as the secret key is stored on-chip. On read operations, the integrity of the loaded data block is checked by verifying the tag.
The composition of encryption and MAC underlying such a system is analyzed in "Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm", M. Bellare, C. Namprempre, ASIACRYPT '00, September 2000. According to this document, the MAC can be computed after the data block is encrypted (encrypt-then-MAC scheme), in parallel with the encryption (encrypt-and-MAC scheme) or before it (MAC-then-encrypt scheme). A system in which the data block is encrypted before the MAC is computed (encrypt-then-MAC scheme) is represented in block form in FIG. 1. In FIG. 1, the system SoC 100 is connected to an external memory EMEM 102 through a memory bus MB 104. The system SoC 100 comprises a processing unit CPU 106, a memory controller MCTL 108, and a protection device ETC1 110 between them. The device ETC1 110 comprises an encryption module ENCM 112, a decryption module DECM 114, a MAC computation module MCM 116 and a tag comparator COMP1 118. The module ENCM 112 is connected to a write data bus WDB 120 between the unit CPU 106 and the controller MCTL 108, and encrypts the data blocks to be transmitted from the unit CPU 106 to the memory EMEM 102 via the memory controller 108. The module DECM 114 is connected to a read data bus RDB 122 between the controller MCTL 108 and the unit CPU 106, and decrypts the data blocks received from the memory EMEM 102 via the memory controller 108. The module MCM 116 receives encrypted data blocks both from the module ENCM 112 and from the controller MCTL 108. On write operations it provides a tag T 124 for each encrypted data block CMB 126 to be written in the memory EMEM 102; on read operations it provides a reference tag to one input of the comparator COMP1 118. The tag extracted from each data block read from the memory EMEM 102 is provided to the other input of the comparator COMP1 118. The output of the comparator is connected to an input of the unit CPU 106.
The encryption algorithms used by the modules ENCM 112 and DECM 114 are, for example, of the symmetric type.
During a write operation, the data block CMB 126 to be written in the memory EMEM 102 is first encrypted by the module ENCM 112. A tag T 124 is then computed by the module MCM 116 from the encrypted data block, using, for example, the address of the data block CMB 126 in the memory EMEM 102 as an additional input. The data block CMB 126 together with its tag T 124 is then transmitted on the bus MB 104 to be written in the memory EMEM 102.
During a read operation, the tag associated with the loaded data block is checked. To this end, a reference tag is computed by the module MCM 116 from the encrypted data block read from the memory, using the read address, and compared by the comparator COMP1 118 with the tag retrieved from the memory EMEM 102 alongside the data block. If the tag matching fails, an integrity checking flag informs the unit CPU 106, which in turn takes appropriate action (for instance executing a HALT instruction to stop processor execution).
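To make the three active attacks of the background (spoofing, splicing, replay) and the encrypt-then-MAC check of FIG. 1 concrete, the following Python model is an added example; it is not the patent's circuit nor any product code. The "chip" side holds the two keys and treats `ext` as the untrusted external memory; the attacker functions manipulate `ext` directly, as an adversary driving the memory bus would. The block size, tag size, addresses, the use of HMAC-SHA256 as a stand-in PRF for the symmetric cipher, and the names `ProtectedMemory`, `spoof`, `splice`, `replay` and `run_attacks` are all assumptions of the example. It shows the point a practitioner should take from FIG. 1: a tag computed over the address and the ciphertext catches spoofing and splicing, but a recorded (ciphertext, tag) pair replayed at the same address still verifies, because nothing in the tag input ties the block to a point in time; defeating replay requires a freshness value such as a per-block counter in the MAC input, which FIG. 1 does not carry.

```python
import hashlib
import hmac
import os

BLOCK = 16    # assumed encryption / integrity granularity, in bytes
TAG_LEN = 8   # assumed tag size, in bytes


class IntegrityError(Exception):
    """Reference tag and stored tag differ: the CPU would HALT here."""


class ProtectedMemory:
    """On-chip side of an encrypt-then-MAC memory protection (model of FIG. 1)."""

    def __init__(self) -> None:
        self.k_enc = os.urandom(32)   # encryption key, never leaves the chip
        self.k_mac = os.urandom(32)   # MAC key, never leaves the chip
        self.ext = {}                 # address -> (ciphertext, tag): untrusted external RAM

    def _keystream(self, addr: int) -> bytes:
        # Stand-in for the symmetric block cipher: HMAC used as a PRF keyed by the
        # block address (an assumption of this example, not a recommended cipher).
        return hmac.new(self.k_enc, addr.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]

    def _tag(self, addr: int, ct: bytes) -> bytes:
        # Tag over (address || ciphertext): computed after encryption, bound to the location.
        return hmac.new(self.k_mac, addr.to_bytes(8, "big") + ct, hashlib.sha256).digest()[:TAG_LEN]

    def write(self, addr: int, data: bytes) -> None:
        assert len(data) == BLOCK and addr % BLOCK == 0
        ct = bytes(p ^ k for p, k in zip(data, self._keystream(addr)))
        self.ext[addr] = (ct, self._tag(addr, ct))   # CMB || T goes out on the bus

    def read(self, addr: int) -> bytes:
        ct, tag = self.ext[addr]
        if not hmac.compare_digest(tag, self._tag(addr, ct)):
            raise IntegrityError(f"tag mismatch at {addr:#x}")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(addr)))


# Attacker side: full read/write access to the external memory, no keys.
def spoof(mem: ProtectedMemory, addr: int) -> None:
    mem.ext[addr] = (os.urandom(BLOCK), os.urandom(TAG_LEN))       # random fake


def splice(mem: ProtectedMemory, src: int, dst: int) -> None:
    mem.ext[dst] = mem.ext[src]                                    # spatial permutation


def replay(mem: ProtectedMemory, addr: int, recorded: tuple) -> None:
    mem.ext[addr] = recorded                                       # temporal permutation


def _detected(mem: ProtectedMemory, addr: int) -> bool:
    try:
        mem.read(addr)
        return False
    except IntegrityError:
        return True


def run_attacks() -> dict:
    """Constructed scenario: two blocks, one legitimate update, then the three attacks."""
    mem = ProtectedMemory()
    mem.write(0x1000, b"A" * BLOCK)
    mem.write(0x2000, b"B" * BLOCK)
    recorded = mem.ext[0x1000]          # attacker snapshots (CMB, T) at 0x1000
    mem.write(0x1000, b"C" * BLOCK)     # legitimate update of block 0x1000

    out = {}
    spoof(mem, 0x2000)
    out["spoof_detected"] = _detected(mem, 0x2000)

    mem.write(0x2000, b"B" * BLOCK)     # restore before the next attack
    splice(mem, 0x1000, 0x2000)         # genuine block moved to another address
    out["splice_detected"] = _detected(mem, 0x2000)

    replay(mem, 0x1000, recorded)       # older value back at the same address
    out["replay_detected"] = _detected(mem, 0x1000)
    out["value_after_replay"] = mem.read(0x1000)   # stale plaintext, accepted
    return out


if __name__ == "__main__":
    for name, value in run_attacks().items():
        print(f"{name}: {value!r}")
```

The spoofing check relies on a random 64-bit tag not matching, so a false negative has probability 2^-64 per attempt; in hardware the tag length is exactly the parameter that sets this bound, which is why the page treats granularity and tag size as security/performance trade-offs.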
In an encrypt-then-MAC system as shown in FIG. 1, encryption and tag computation are necessarily performed sequentially on write operations, since the tag is computed over the ciphertext; the latencies of the two computations therefore add up. On read operations, decryption and reference tag computation can only proceed in parallel if the cryptographic hardware is duplicated. Thus this system presents the drawbacks of increased latency and duplicated hardware.