Power-up of a SRAM as a source of Entropy and Identification

Many years ago I was involved in a research project looking to use tiny differences in processing time inside a computer as a way to fingerprint the device. The idea was not unique, I guess that at the same time many were busy looking for similar things.

The reason was that in the framework of Internet security protocols such as SSL, if each party can fingerprint the other party’s computer, that will add another dimension to the development of a strong authentication scheme. Eventually the company supporting the research run out of interest and money and I forgot all about the idea until I recently read the news.

Enter the Fingerprint Extraction and Random Numers in SRAM (FERNS) method developed by Holcomb,  Burleson and Fu of the University of California Berkeley. They analyzed the initial state of the cells of a 512 kb Static Random Access Memory (SRAM) after power up and discovered that the stable states of some cells representing the bits were random, that is they have equal probability to be 1 or 0, while others cells were skewed to start as a 1 or as a 0. This property of the cells is due to imperfections of the fabrication process and are impossible to control.

A paper describing Burleson’s group work is going to appears in the IEEE Transactions on Computers.

From the Abstract
…..  We use experimental data from high performance SRAM, and the WISP UHF RFID tag to validate the principles behind FERNS. We demonstrate that 8 byte fingerprints from an SRAM chip are sufficient for uniquely identifying circuits among a population of 5,120 and extrapolate that 16 to 24 bytes of SRAM would be sufficient for uniquely identifying every instance of the SRAM ever produced. Using a smaller population, we demonstrate similar identifying ability from the embedded SRAM microcontroller memory of the WISP. In addition to identification, we show that SRAM fingerprints capture noise, enabling true random number generation. We demonstrate that the initial states of a 256 byte SRAM can produce 128 bit true random numbers capable of passing the NIST approximate entropy test.

The possibilities for the application of this technology to authentication and key generation schemes are enormous, specially in the field of portable devices. To have an entropy generator “in a chip” is great, if you get that together with a fingerprint of the chip is wonderful news. Certainly we’ll hear more about it.

 

Related reading: Quirks of RFID Memory Make for Cheap Security Scheme

 

del.icio.us Tags: Authetication,Fingerprint,SRAM,Random Numbers,Entropy,RFID,Cryptoblog

Filed under: Authentication, Entropy, Fingerprint, RAM, RFID, Random Numbers, SRAM, Security, Technology , Authentication, Entropy, Fingerprint, Random Numbers, SRAM, Technology

Secure Processors, the ultimate battlefield

Continuing with the main theme my last two posts, hacking, I am going to wrap up with this post about Secure Processors.

A secure processor is meant to protect the information and the communications, validate the communications channel and be tamper-resistant, should it falls into the adversary’s hands.  

Successful hacking of secrets has the duality of being a happy/sad event, depending on which team are you playing for. The design of secure processors makes this duality patent as, in practice, the most important evaluation criterion is that the resulting product should resist the designer’s best attempts at hacking it.

The current research and development efforts are guided by U.S. DoD Anti-Tamper specifications. To prevent reverse engineering, architectures of secure processors are based on a combination of hardware and encrypted software in such a way that if the hardware is captured, its exact functions cannot be guessed without knowing the encryption keys. During WWII, the capture of an ENIGMA machine paved the way for the breaking of the enciphering by the allied forces. These historical lessons are incorporated into today’s design criteria. Some design even incorporate sensors that will detect attempts at using physical means to force the hardware and destroy the critical information upon detection (often called zeroization).

A new dimension to the problem is added by procurement system. Electronic chips are nowadays a commodity and absolute control over the manufacturing of  chips is not possible. Therefore it is essential to ensure that the critical parts, that is the processors, are designed and made in controlled facilities.

The lessons learned in military applications are now being applied to commercial system. This is where the lines blurred because in the interconnected world the enemy can wreak havoc on the infrastructure without firing a shot. Communication and control networks associated with utilities will become more resistant to attacks by using computers fitted with secure processors.

Related:

New Chip Brings Military Security to Commercial Processors

The Hunt for the Kill Switch

Secure Processors – IBM

Acalis White Paper

 

del.icio.us Tags: anti-tamper,secure processor,encryption,hacking,security,technology,kill switch,Cryptoblog

Filed under: Anti-tamper, Cryptography, Encryption, Hacking, Security, Software, Technology , Anti-tamper, secure processors, Security, Technology

That good old hacking.

After the Conficker April fool’s day scare fizzled, they try to scare us saying that utilities can be hacked through the internet …

Wait!, they already were hacked !

 

del.icio.us Tags: insecurity,internet,hacking,conficker,in the news

Filed under: InSecurity, Misc., in the News

ENIGMA encryption cracker Heroes

ENIGMA crackers reunite at Bletchley Park

I had the honour to meet one of them, now an emeritus math professor.

Check this article for pictures of the Turing Bombe the electronic-mechanical code-breaking machine used by the British to crack 3,000 Enigma messages a day during the Second World War.

Cryptool ver 1.4 has a very well done simulator of the ENIGMA machine encryption.

 

 

del.icio.us Tags: ENIGMA,encryption,Cryptoblog,cryptography,Information Theory,cracking,in the news

Filed under: Cryptography, ENIGMA, Encryption, Information Theory, Math & Computers, in the News , codebreakers, Cryptography, Cryptool, Encryption, ENIGMA, in the News, Information Theory

One Password fits all

I recently discussed the problems associated with weak passwords here. Since then, there have been a few cases of hackers publishing stolen passwords form popular sites such as phpbb or the passwords that the conficker worm uses to spread across shares. Some researches report that people often use the same password on many websites making themselves vulnerable to serious attack if the password for a low value website is the same as the one used in a high value target

Password selection tips abound and as long as your password has enough entropy, users data is somewhat out of reach of most hackers.

Despite the advice of security gurus, the manifest limitations of the average human brain for generating and remembering more than a few passwords is a physical barrier to a widespread adoption secure practices. Password managers may help to keep your passwords organized. They have functions to generate strong passwords and can connect directly with browsers or e-mail programs.

Another way around is the OpenID network that allow users to have one identity for multiple on-line services. The OpenID protocol is inclusive enough that can work as an Authenticator using biometrics or smart-tokens.  Open ID is still in the adoption phase, not all online services accept it.

del.icio.us Tags: Cryptoblog,Authentication,passwords,biometrics,security,OpenID

Filed under: Authentication, Security, biometrics, in the News, passwords , Authentication, Cryptography, passwords, Security

Medical Identity Theft

If you are already scared of ID thieves getting your financial information,  prepare to panic about this:

Medical identity theft is a growing issue in North America and growing even larger in a recession where pinching pennies can mean pinching someone else’s identity to get access to health care services, prescription drugs, elective surgery and dental care.

“Stolen patient identities not only create a financial problem for the victim; the corruption of the individual’s medical history could prove lethal in a medical emergency,” says Darin Johnson, vice-president of marketing for HealthCare Insight, based in South Jordan, Utah.

Read the whole article here.

Also: A crime that does pay, Better safeguards in the cards

del.icio.us Tags: ID theft,biometrics,insecurity

.

Filed under: ID Theft, InSecurity, biometrics, in the News , biometrics, ID Theft, in the News, InSecurity

Identity theft report 2008

Highlights from reports on identity theft from the ITRC Breaches 2008 Summary 

Reports of data breaches increased dramatically in 2008. The Identity Theft Resource Center’s 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47% over last year’s total of 446.

and

According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use. Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.

Interesting…

 

 

del.icio.us Tags: security,Insecurity,id theft

Filed under: ID Theft, InSecurity , ID Theft, InSecurity

Collisions, a secure hash function killer (MD5, SHA1, SHA2)

The trouble with the use of MD5 in digital signatures recently uncovered by Sotirov et al. is common to other hash functions.

NIST has been discouraging people to use MD5 and even SHA 1 since many years ago. A good account of this was posted by Dustin Trammell here.

Because the output of a hash function is of a fixed length, usually smaller that the input, there will necessarily be collisions. The collision-free property for hash is thus defined by:

A function that maps an arbitrary length message to a fixed length message digest is a collision-free hash function if:

1. It is a one-way hash function.

2. It is hard to find two distinct messages that hash to the same result .

Cryptographers talk about “relatively collision free” hash functions. A good hash function should be designed with the Avalanche Criterion in mind.

The Avalanche Criterion (AC) is used in the analysis of S-boxes or substitution boxes. S-boxes take a string as input and produce an encoded string as output.

The avalanche criterion requires that if any one bit of the input to an S-box is changed, about half of the bits that are output by the S-box should change their values. Therefore, even if collisions are unavoidable, there is no way to generate two strings with the same hash value other than brute force.

 

del.icio.us Tags: authentication,hash functions,collisions,MD5,SHA1,encryption

Filed under: Authentication, Cryptography, Encryption, Hash Functions , Authentication, Cryptography, Encryption, Hash Functions, MD5, SHA1

Un-Happy Friday the 13th.

Fittingly, the newspaper carry this two items for Friday 13th:

let’s call them Something you should know and something they have.

They are not exactly news for most people with a functional understanding of how the Internet and Governments work. However, it is always good to remind people that, unless you use an anonymity service, your ISP knows “what you did last summer” and that you can trust governments to be sloppy with information that the “the body snatchers” will find useful.

del.icio.us Tags: anonymity,privacy,ISP,Internet

Filed under: ID Theft, InSecurity, in the News , ID Theft, in the News, InSecurity

Authentication – Part IV Password Protocols

To be useful, passwords need to be transmitted or negotiated between the server and the client.

Transmission of the password in the clear is subjected to eavesdropping and therefore very insecure. The password storage on the servers side must also be protected from the possibility that the file falls on the wrong hands, compromising the security of the system.

There are several constraints to the design of password protections protocols, one of the most important being the limited amount of entropy that user memorized passwords necessarily have. Computation time is another big constraint. Even small delays in the response time can make the difference between a system the user is happy to interact with, and a system in which security features will be disabled for the sake of interactivity.

The key features of a password protection protocol are described below:

1. The transmission and storage of passwords should be non plain-text equivalent: This means, the protocol should be such that even if an attacker obtains the database containing the password or eavesdrop the exchange between client and server, this will not compromise the security of the exchange.
2. The protocol must be resistant to replay attack: That is, if an eavesdropper successfully record a login session, the information can not be used to compromise a future (or past) exchange between the Client and the server.
3. The protocol must be resistant to the Denning-Sacco attack: In this attack, by capturing the session key (not the raw password) the eavesdropper has enough information to successfully mount a brute force attack or at least to successfully impersonate the user.
4. The protocol must be resistant to active attacks:In these situations the protocol leaks enough information that allows the attacker to impersonate the server to the client, make a guess of the correct password and then, by faking a failure, obtain confirmation from the client when the guessed password is correct.
5. Protocols that work on the base of zero-knowledge proof of password possession are preferable: Zero-knowledge means that the server does not need to know the password to prove that the client knows the password. Passwords are never stored on the server therefore they cannot be stolen. 

Some protocols encrypt the exchange of information to avoid the plain-text equivalence. Others used a form of asymmetric key exchange (a la Diffie-Helmann) that are generated based on the password but do not leak any information about it.

The following is a list of the some of the commonly used password schemes, classified by its strength:

(adapted from SRP competitive analysis)

Weak (not to be used)

• Clear-text passwords (such as unsecured telnet, rlogin, etc.)
• Encoded passwords (HTTP Basic Authentication)
• Classic challenge-response protocols (HTTP Digest Authentication, Windows NTLM Authentication, APOP, CRAM, CHAP, etc.)
• One-Time Password schemes based on a human memorable (low entropy) secret (S/Key, OPIE)
• Kerberos V4

 

Pseudo-Strong (they have known vulnerabilities in some implementations)

• SSH Public Key Authentication or “Secure Shell”,

• SSH Password Authentication

• Kerberos V5 – To fix the password security weaknesses in Kerberos V4, version 5 added preauthentication, (the client needs to prove knowledge of the password before the server starts authentication).

Strong

• Secure Remote Password (SRP) – Developed in 1997 by Wu, is a strong password authentication protocol now widespread among Open Source and commercial products. SRP does not expose passwords to either passive or active network intruders, and it stores passwords as a “non-plaintext-equivalent” one-way hash on the server. SRP is available as part of standard Telnet and FTP implementations, and is being rapidly incorporated into Internet protocols that require strong password authentication.
• Encrypted Key Exchange(EKE) – Developed by Bellovin & Merritt in 1992 is one of the earliest examples of secure password protocols.
• Strong Password Exponential Key Exchange (SPEKE) developed by David Jablon . It is licensed by Entrust for their TruePass product.
• Diffie-Helmann Encrypted Key Exchange (DH-EKE)
• AMP
• SNAPI
• AuthA
• OKE
• Variations of all of the above.

 

See also: Authentication – Part I, Part II and Part III.

del.icio.us Tags: passwords,security,protocols,encryption

Filed under: Authentication, Security, passwords , Authentication, passwords, Security, SSL