
Methodology for cryptographic rating of memory encryption schemes used in smartcards and similar devices

Version 1.0, 31.10.2013


Bundesamt für Sicherheit in der Informationstechnik
Postfach 20 03 63
53133 Bonn
Tel.: +49 22899 9582-111
E-Mail: [email protected]
https://www.bsi.bund.de
© Bundesamt für Sicherheit in der Informationstechnik 2013

Table of Contents

1 Introduction
2 Memory encryption
2.1 Short introduction to cryptology
2.2 Memory encryption as security mechanism for smartcards and similar devices
2.3 Cryptanalysis of memory encryption
3 Methods for cryptanalysis of memory encryption
3.1 Cryptographic assumptions and prerequisites for the cryptanalysis of memory encryption
3.1.1 Cryptographic assumptions
3.1.2 Prerequisites for the cryptanalysis
3.2 Methods of Cryptanalysis
3.2.1 Cryptanalysis of block cipher
3.2.2 Cryptanalysis of memory address scrambling
3.2.3 Modes of operation for memory encryption
3.3 Cryptanalytic attacks using side-channel information
4 Vulnerability analysis of memory encryption
4.1 Preparation for the vulnerability analysis of memory encryption
4.1.1 Identification of the security requirements for memory protection
4.1.2 Description of memory encryption
4.1.3 Security architecture of memory encryption
4.1.4 Physical and logical attacks on memory, buses and cryptographic modules
4.2 Identification of potential vulnerabilities of memory encryption
4.3 Characterization of the attack potential for cryptanalytic attacks on memory encryption
Literature
Glossary

Figures

Figure 1: Cryptanalytic attacks in case of communication
Figure 2: Building blocks of memory encryption
Figure 3: Effect of data encryption and address encryption
Figure 4: Memory attack scenarios

Tables

Table 1: Literature overview of cryptanalysis on block ciphers
Table 2: Literature overview on memory address scrambling
Table 3: Literature overview on modes of operation
Table 4: Literature overview on combination attacks with side-channels
Table 5: Expertise of the attacker
Table 6: Knowledge of the TOE
Table 7: Equipment


1 Introduction

The document on hand “Methodology for cryptographic rating of memory encryption schemes used in smartcards and similar devices” is intended as guideline for the vulnerability analysis of memory encryption in Common Criteria [CC] [CEM] evaluations performed in the German certification scheme.

The technology area of smartcards and similar devices is characterized by

(1) the target of evaluation (TOE) as one-chip hardware including dedicated, embedded or application software, storing and operating user data and providing cryptographic services using secrets stored on the TOE,

(2) an operational environment where the attacker might have physical access to the TOE,

(3) the TOE life cycle as described for smartcards in [SDSE].

The TOE security functionality (TSF) shall protect the confidentiality and the integrity of the user data and TSF data. The TSF implements this protection by means of physical and logical countermeasures including cryptographic security mechanisms. The security integrated circuit protects the data stored in the memory against combinations of physical and logical attacks. This memory protection builds the basis for the logical protection implemented in the operating system running on the hardware platform. The cryptographic security mechanisms of the security integrated circuit protecting the data stored in TOE memory are summarized as “memory encryption”. They protect these data as long as they are stored and transferred internally as ciphertext. The vulnerability analysis shall assess the resistance of the TSF, for this technology area typically against high attack potential, in the intended operational environment. If the non-cryptographic security countermeasures alone are not sufficient to prevent identified potential attacks with the claimed resistance, the vulnerability analysis shall include the cryptographic security mechanisms.

The guideline focuses on specific aspects of the vulnerability analysis related to the identification of potential vulnerabilities and the assessment of the effectiveness of the cryptographic mechanisms with respect to protection of the confidentiality of the stored data. This document claims neither to provide a complete list of possible attack methods nor to cover all possible approaches for the cryptanalysis of the memory encryption. The evaluator shall always consider that this document is intended to give a general guideline and not a “checklist” to fulfill all requirements which might arise in the course of a vulnerability assessment of a TOE. The guideline will be subject to regular updates. The reader should consult other supporting and scheme documents for other related aspects of the vulnerability analysis of smartcards and similar devices.

The document on hand is organized as follows. Chapter 2 introduces memory encryption as a cryptographic technique for protection of stored and transferred data on smartcards and similar devices. It starts with a short introduction to the basic terminology and ideas of cryptology necessary for understanding the objective, the design, the analysis and the assessment of memory encryption. The memory encryption is described in terms of its building blocks: data encryption, address encryption and secret sharing for keys. This implies assumptions about the cryptographic mechanisms and the prerequisites of the cryptanalytic methods described in chapter 3. Chapter 3 provides short descriptions of and references to literature for the cryptanalytic methods most relevant for the vulnerability analysis of memory encryption. The references are accompanied by short descriptions of the methods and their relevance for memory encryption. Chapter 4 describes the identification of potential vulnerabilities and the assessment of memory encryption as part of the vulnerability analysis.


2 Memory encryption

2.1 Short introduction to cryptology

Cryptology comprises two closely linked aspects, cryptography and cryptanalysis. Cryptography embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or its unauthorized use including entity authentication (cf. [ISO7498] [1]). Cryptanalysis is the study of techniques for attempting to defeat cryptographic techniques, i. e. to derive hidden information content, to generate data without authorization, to manipulate data without being detected, or to claim a false identity of an entity.

Encryption is a transformation of intelligible data, the semantic content of which is available (so-called plaintext), into a form (so-called ciphertext) in order to hide its information content and allow only the intended receiver to reconstruct the original form with use of a secret (so-called decryption key) (cf. [ISO7498]). The semantic content of ciphertext is not readily available. Decryption is the reverse process of encryption, reconstructing the original plaintext from the ciphertext by means of the decryption key. A cryptographic key is a variable parameter which is used in a cryptographic algorithm or protocol¹. A cryptographic algorithm may use the same key or trivially related keys (in case of symmetric cryptographic algorithms) or different keys, where it is difficult for the adversary to derive one key from the other key (in case of asymmetric cryptographic algorithms), for complementary operations like encryption / decryption, signature-creation / signature-verification or authentication proof / authentication verification.

Secret sharing is a cryptographic technique that generates for a given secret (e. g. a key) a set of n secrets such that the knowledge of any m-1 of these n secrets does not allow for calculation of the original secret, but the knowledge of m of these secrets is sufficient to calculate the original secret (m is less than or equal to n).
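The m-of-n property just defined, as an added example that is not part of this guideline: Shamir's threshold scheme over a prime field, a constructed choice, since the guideline does not prescribe any particular secret-sharing algorithm. The function names and the field prime are assumptions of this example. Besides splitting and recovering a key, `consistent_share` shows why m-1 components carry no information about the secret: for any candidate value, an m-th component can be found that makes the m components reconstruct exactly that candidate.

```python
# Added example, not from the BSI guideline: Shamir's m-of-n threshold secret
# sharing over the prime field GF(P). Function names and P are constructed.
import secrets

# Constructed field size: the Mersenne prime 2**521 - 1, large enough to hold
# a key of up to 512 bits as a single field element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[d]*x^d modulo P (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def _interpolate_at(points, x):
    """Lagrange interpolation: the unique polynomial of degree < len(points)
    through the given (x_j, y_j) points, evaluated at x, modulo P."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (x - xk) % P
                den = den * (xj - xk) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def split_secret(secret, m, n, rng=secrets.randbelow):
    """Split `secret` into n components so that any m of them recover it (1 <= m <= n).

    The secret is the constant term of a random polynomial of degree m-1;
    component i is the point (i, f(i)). The point x = 0 is never handed out."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element below P")
    coeffs = [secret] + [rng(P) for _ in range(m - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(components):
    """Reconstruct the secret f(0) from at least m distinct components."""
    xs = [x for x, _ in components]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate component indices")
    return _interpolate_at(components, 0)


def consistent_share(partial, candidate_secret, x_new):
    """Given only m-1 components, build an m-th component (x_new, y) such that
    partial + [(x_new, y)] reconstructs `candidate_secret`. Because this works
    for every candidate, m-1 components reveal nothing about the real secret."""
    if x_new == 0 or any(x == x_new for x, _ in partial):
        raise ValueError("x_new must be a fresh non-zero index")
    points = [(0, candidate_secret)] + list(partial)
    return (x_new, _interpolate_at(points, x_new))


def demo():
    """Split a constructed 128-bit key 3-of-5 and check the threshold properties."""
    key = int.from_bytes(bytes(range(16)), "big")    # constructed sample key
    comps = split_secret(key, m=3, n=5)
    ok_three = recover_secret(comps[:3]) == key
    ok_other = recover_secret([comps[0], comps[2], comps[4]]) == key
    # Two components interpolate a line whose value at 0 is a random field element.
    two_fail = recover_secret(comps[:2]) != key
    # Any value is consistent with two components once a matching third is supplied.
    fake = consistent_share(comps[:2], candidate_secret=0xDEADBEEF, x_new=9)
    ambiguous = recover_secret(comps[:2] + [fake]) == 0xDEADBEEF
    return ok_three and ok_other and two_fail and ambiguous


if __name__ == "__main__":
    print("all threshold properties hold:", demo())
```

The field prime only has to exceed the largest secret to be shared; a key storage that splits several keys would share each one separately with the same routines.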

A cryptographic module is a set of hardware and/or software that implements cryptographic algorithms, possibly including key generation, and is contained within the cryptographic boundary. The cryptographic boundary is an explicitly defined continuous perimeter that establishes the physical bounds of a cryptographic module and contains all the hardware and/or software components of a cryptographic module.

Key management is the generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy (cf. [ISO7498]). In case of communication protected by cryptographic techniques like encryption-decryption algorithms and data integrity protection, the sender and the receiver shall agree on the cryptographic key to be used. In case of data storage encryption, sender and receiver may be the same device. The key management of memory encryption focuses on secure storage of the key rather than on key distribution (but this might be necessary for key backup). The operational environment may imply different methods of key management and areas handling the plaintexts and ciphertexts.

The cryptanalysis distinguishes attack scenarios by the goal of the attack, the operational environment defining the attack context, and the specific attack method applied to the concrete cryptographic algorithm or protocol.

¹ A cryptographic protocol describes the syntax, semantics, and synchronization of communication using cryptographic algorithms. The memory encryption, and therefore the guideline on hand, deals mainly with cryptographic algorithms.


The attacker tries

(1) to get (at least some) information encoded by the plaintext for a given ciphertext,

(2) to reconstruct the original plaintexts for given ciphertexts or

(3) to find the decryption key for decryption of the given ciphertexts.

The cryptanalysis of an encryption-decryption algorithm supposes the attacker having knowledge of the fixed parts of this algorithm and the ciphertexts but no knowledge of the decryption key (known as Kerckhoffs’ principle). The prerequisites for cryptanalytic attacks depend on the operational environment. All cryptanalytic attacks assume the attacker knows the ciphertext transmitted from a sender to a receiver or stored in memory. The attacker has at least passive access to the communication channel, the memory or the external ciphertext interfaces of the cryptographic module, i. e. the attacker intercepts the communication or eavesdrops on the interface or reads the memory. The attacker may also know plaintexts or any information about plaintext corresponding to intercepted or read ciphertexts by intercepting the plaintext interfaces of the cryptographic modules or from other sources. Furthermore the attacker may have active access to the communication channel, the memory or the interfaces of the cryptographic modules. If the attacker may provide or manipulate plaintexts for encryption and get the corresponding ciphertext, then chosen plaintext attacks are possible. If the attacker has active access to the input interface of the receiver’s cryptographic module and may provide or manipulate ciphertexts for decryption and get the corresponding plaintexts, then chosen ciphertext attacks may be possible.

Figure 1 illustrates these attack scenarios in case of communication from a sender to a receiver. The blue arrows indicate passive and the red arrows indicate active access to the plaintexts and ciphertexts.

The cryptanalytic attacks may be further classified as follows.

(1) (Strong ciphertext only attacks) The ciphertext contains redundancy and thus provides information about the original plaintext, e. g. repetition of ciphertext parts might indicate equal plaintext parts.

(2) (Standard ciphertext only attacks) The attacker has prior information (i. e. information the attacker has before the attack is performed) about probable plaintexts allowing a decision whether a reconstructed plaintext (e. g. by means of a guessed key) or a guessed key is correct or not.


Figure 1: Cryptanalytic attacks in case of communication


(3) (Known plaintext attacks) The attacker knows plaintext-ciphertext-pairs generated with the cryptographic key under attack allowing exact calculations to reconstruct the decryption key.

(4) (Chosen plaintext attacks) The attacker is able to provide chosen plaintexts to the logical external interfaces of the cryptographic module in order to get appropriate plaintext-ciphertext pairs for the attack.

(5) (Chosen ciphertext attacks) The attacker may provide chosen ciphertexts as input to a cryptographic module and get the corresponding plaintext in order to find the decryption key or the plaintext for other ciphertexts.

(6) (Adaptive chosen plaintext attacks) In these specific variants of the chosen plaintext attacks the attacker is able to provide interactively chosen plaintexts depending on previous ciphertexts to the logical external interfaces of the cryptographic module in order to get appropriate plaintext-ciphertext pairs for the attack.

(7) (Adaptive chosen ciphertext attacks) Chosen ciphertext attacks where the attacker is able to provide interactively chosen ciphertexts depending on previous ciphertext-plaintext pairs to the logical external interfaces of the cryptographic module in order to get appropriate plaintext-ciphertext pairs for the analysis finding the decryption key or plaintext for other ciphertexts.

(8) (Related key attacks) Attacks as in clauses (4) and (5) under the additional condition that ciphertext encrypted with related keys may be observed or generated.

The chosen plaintext attacks and the adaptive chosen plaintext attacks on the one hand and the chosen ciphertext attacks and the adaptive chosen ciphertext attacks on the other hand differ mainly in the practical way how to get the text pairs, i. e. whether the input of the cryptographic module of the sender or of the receiver may be actively used by the adversary, and may use different attack algorithms.

The best measure of security for cryptographic algorithms is the complexity of the most successful logical cryptanalytic attack in the operational environment. The complexity of an attack can be evaluated in three factors when implementing an attack:

(1) Data complexity denotes the number of input data units required,

(2) Memory complexity is the number of storage units required,

(3) Time complexity is the number of operations required.

Note that the strength of an encryption-decryption algorithm depends on the decryption algorithm and especially on the difficulty of finding the secret decryption key. The adversary might discover algorithms and parameters different from the decryption algorithm and the decryption key used by the receiver but still attaining the original plaintext. For example, if a cipher stream (i. e. an irregular bit stream xored to the plaintext) is used twice for different sufficiently redundant plaintexts, the adversary may reconstruct the plaintext independently of how the original cipher system generates this cipher stream, by means of another key or not.

In case of smartcards and similar devices the attacker's physical access to the device is assumed. The physical access enables combinations of physical and logical attacks against the external communication and the internally stored data of the device. The internally stored and operated plaintexts, ciphertexts, the cryptographic keys and the cryptographic module are under direct physical attack (cf. section 4.1.4 for details). The physical attacks may support the logical cryptanalytic attacks by additional information and attack paths, e. g.


(1) the attacker observes and analyses the signals at the external physical interfaces of the cryptographic module in order to get some information about plaintexts or keys (known as side channel analysis),

(2) the attacker affects the operation of the cryptographic module through the physical external interfaces in order to introduce errors in the cryptographic calculations and compare them with correct calculations (known as semi-invasive perturbation attacks),

(3) the attacker manipulates internally stored cryptographic keys or the cryptographic module in order to affect or to disable the implementation of the cryptographic mechanisms (known as invasive attacks).

The physical attacks give rise to specific cryptanalytic attacks like reconstruction of the decryption key if errors occur or some key bits are known from other attacks like side channel analysis.

Chapter 3 describes the general cryptanalytic attacks most relevant for memory encryption.

2.2 Memory encryption as security mechanism for smartcards and similar devices

The TOE may use cryptographic techniques for memory protection on several levels if implemented in the TOE and in scope of the evaluation:

(1) Security integrated circuit level
The security integrated circuit implements cryptographic mechanisms for automatic memory encryption and protection of the memory encryption keys. The TOE provides cryptographic services like cryptographic co-processors and supporting functions like arithmetic co-processors for the embedded software.

(2) Operating system level
The operating system implements cryptographic functions and provides cryptographic services for the applications using the cryptographic co-processors of the security integrated circuit. The security of these cryptographic functions depends on the protection of their cryptographic keys provided by the memory encryption.

(3) Application level
The application uses the cryptographic services of the operating system and may implement its own cryptographic mechanisms. It uses and relies on the protection provided by the operating system for its cryptographic keys.

The guideline on hand focuses on memory encryption implemented by security integrated circuits, summarized as “memory encryption” in the following. The cryptographic system of memory encryption comprises three components:

(1) the data encryption module encrypting the data written by the CPU into the memory and decrypting the stored data read from the memory by the CPU,

(2) the address encryption module encrypting the logical address used by the CPU, and (if implemented, as assumed in the following) shifted by the memory management unit (MMU), into the physical address, and

(3) the key management, possibly implementing key generation, a secret-sharing algorithm and key destruction.

The TOE may implement


(1) data encryption and key management for data encryption key or keys,

(2) address encryption and key management for address encryption key or keys, or

(3) data encryption, address encryption and key management for data encryption and address encryption keys.

Case (3) is typical for state-of-the-art smartcards and will be assumed in the following text.

Figure 2 shows the building blocks of memory encryption. The CPU executes code and operates on data and addresses in plaintext only. It writes data into data memory and reads data from memory through data buses by providing the corresponding logical address over the address bus. The data encryption encrypts plaintext into ciphertext to be written into memory and also automatically decrypts the ciphertext into the plaintext read from the memory. Some memory types allow for data reading only, e. g. ROM typically storing executable code, and therefore their cryptographic modules will implement decryption only. The data bus is separated by the data encryption module into two segments. The data bus segment between the CPU and the data encryption module transmits plaintext, and we call it the plaintext data bus segment in the following. The data bus segment between the data encryption module and the memory transmits ciphertext, and we call it the ciphertext data bus segment in the following.

The address bus is controlled by the CPU and the memory management unit (MMU). The CPU outputs the logical address to the MMU. The MMU controls the access to the logical memory areas and may shift the logical address by a configurable value. The logical address of the CPU, or if implemented the shifted logical address of the MMU, is input into the address encryption module. The address encryption module encrypts the logical (respectively shifted logical) address as plaintext into the physical address as ciphertext. The address encryption module separates the address bus into two segments as well: the plaintext address bus segment from the CPU via the optional MMU to the address encryption module, and the ciphertext address bus segment between the address encryption module and the memory. The address encryption module implements encryption of the addresses only, because the addresses are sent in one direction only, from the CPU to the memory.

The memory stores arbitrary data under the physical address, and therefore does not distinguish between plaintext and ciphertext because the memory does not interpret these data.


Figure 2: Building blocks of memory encryption


The cryptographic keys of the memory encryption are stored in special memory areas (called “key storage” in the following). The confidentiality and integrity of the memory encryption keys must be ensured over the lifetime of the data stored in the memory. The cryptographic keys must have high cryptographic quality, i. e. be generated with sufficient entropy and be appropriate for the cryptographic algorithm using the key. Secret sharing mechanisms split the memory encryption keys into key components. The key components are stored physically protected in plaintext. Because the encryption and decryption are performed by the same cryptographic module, the algorithm may use the same key for both operations (i. e. a symmetric cryptographic algorithm).

The data encryption and the address encryption shall use different cryptographic keys. The data encryption may use the logical address, intermediate data of the address encryption or the physical address of the data to be encrypted or decrypted as an additional input parameter. In these cases the address encryption keys are respectively not used, partly used or completely used for the data encryption as well.

The data encryption acts as a cryptographic substitution of plaintext data blocks by ciphertext data blocks, and the address encryption acts as a cryptographic transposition of the ciphertext data blocks in the memory. The attacker reading ciphertext blocks stored under physical addresses must break both data encryption and address encryption in order to reconstruct a plaintext consisting of several blocks.

The data encryption and the address encryption hide the information stored in the memory if the data are compromised to the attacker. The address encryption additionally distributes the information within the memory, increasing the effort of physically reading these data, as shown in figure 3.

The memory address scrambling maps the logical addresses of the stored data used by the CPU to the physical locations of these data on the hardware. This mapping is the composition of the three mappings implemented by

(1) the (optional) shift of the logical address output of the CPU performed by the MMU,

(2) the mapping from plaintext to ciphertext performed by the address encryption module,

(3) the mapping of the physical address to the physical location defined by the layout of the hardware.
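The building blocks described in this section (plaintext and ciphertext bus segments, the MMU shift, the address encryption, the data encryption with the address as an optional additional input, and the composition of mappings (1) and (2) of the address scrambling) as an added software model that is not part of this guideline. It uses a constructed Feistel network over HMAC-SHA256 as a stand-in for the block ciphers a security IC would implement, so the class and function names, key values, address width and word size are all assumptions of this example. The model also illustrates the redundancy exploited by strong ciphertext-only attacks: without the address as additional input, equal plaintext words stored at different addresses produce equal ciphertext words in memory.

```python
# Added example, not from the BSI guideline: a software model of the memory
# encryption building blocks (CPU -> MMU shift -> address encryption -> memory,
# with separately keyed data encryption tweaked by the address). The keyed
# permutations are a constructed Feistel network over HMAC-SHA256 standing in
# for the block ciphers of a real security IC; names and sizes are assumptions.
import hashlib
import hmac


def _round_function(key, label, rnd, half_value, nbytes):
    """Round function F: a PRF over the round number and one Feistel half."""
    msg = label + bytes([rnd]) + half_value.to_bytes(nbytes, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def feistel_encrypt(key, label, block, bits, rounds=6):
    """Keyed permutation on `bits`-bit integers (bits even): balanced Feistel network."""
    half = bits // 2
    mask = (1 << half) - 1
    nbytes = half // 8 + 1
    left, right = block >> half, block & mask
    for rnd in range(rounds):
        f = int.from_bytes(_round_function(key, label, rnd, right, nbytes), "big") & mask
        left, right = right, left ^ f
    return (left << half) | right


def feistel_decrypt(key, label, block, bits, rounds=6):
    """Inverse of feistel_encrypt: the same rounds applied in reverse order."""
    half = bits // 2
    mask = (1 << half) - 1
    nbytes = half // 8 + 1
    left, right = block >> half, block & mask
    for rnd in reversed(range(rounds)):
        f = int.from_bytes(_round_function(key, label, rnd, left, nbytes), "big") & mask
        left, right = right ^ f, left
    return (left << half) | right


class MemoryEncryptionUnit:
    """Models mappings (1) MMU shift and (2) address encryption, plus data encryption.
    Mapping (3), physical address to die location, is a layout property and omitted."""
    ADDR_BITS = 16   # constructed: 64 KiB logical address space
    DATA_BITS = 64   # constructed: 8-byte memory words

    def __init__(self, addr_key, data_key, mmu_shift=0, tweak_with_address=True):
        assert addr_key != data_key, "data and address encryption shall use different keys"
        self.addr_key, self.data_key = addr_key, data_key
        self.mmu_shift = mmu_shift
        self.tweak_with_address = tweak_with_address
        self.memory = {}  # physical address -> stored word; the memory does not interpret it

    def physical_address(self, logical):
        shifted = (logical + self.mmu_shift) % (1 << self.ADDR_BITS)           # (1) MMU shift
        return feistel_encrypt(self.addr_key, b"addr", shifted, self.ADDR_BITS)  # (2) address encryption

    def logical_address(self, physical):
        """Inverse of physical_address; only needed by the model, not by the hardware."""
        shifted = feistel_decrypt(self.addr_key, b"addr", physical, self.ADDR_BITS)
        return (shifted - self.mmu_shift) % (1 << self.ADDR_BITS)

    def _data_label(self, physical):
        # Optional additional input: the physical address tweaks the data encryption.
        if self.tweak_with_address:
            return b"data" + physical.to_bytes(2, "big")
        return b"data"

    def write(self, logical, word):
        """CPU write: plaintext bus segment -> data encryption -> ciphertext bus segment."""
        phys = self.physical_address(logical)
        self.memory[phys] = feistel_encrypt(self.data_key, self._data_label(phys), word, self.DATA_BITS)

    def read(self, logical):
        """CPU read: ciphertext from memory -> data decryption -> plaintext bus segment."""
        phys = self.physical_address(logical)
        return feistel_decrypt(self.data_key, self._data_label(phys), self.memory[phys], self.DATA_BITS)


def demo():
    """Store the same word at two logical addresses, with and without the address tweak."""
    word = 0x4142434445464748                          # constructed sample data
    tweaked = MemoryEncryptionUnit(b"addr-key", b"data-key", mmu_shift=0x100)
    untweaked = MemoryEncryptionUnit(b"addr-key", b"data-key", mmu_shift=0x100,
                                     tweak_with_address=False)
    for unit in (tweaked, untweaked):
        unit.write(0x1000, word)
        unit.write(0x1008, word)
    return {
        "round_trip": tweaked.read(0x1000) == word and tweaked.read(0x1008) == word,
        "address_scrambled": tweaked.physical_address(0x1000) != 0x1100,
        "equal_words_differ_when_tweaked": len(set(tweaked.memory.values())) == 2,
        "equal_words_repeat_without_tweak": len(set(untweaked.memory.values())) == 1,
    }


if __name__ == "__main__":
    for name, holds in demo().items():
        print(f"{name}: {holds}")
```

The dictionary returned by `demo` records the observations an evaluator would make on such a design: reads return what was written, consecutive logical addresses do not land at consecutive physical addresses, and only the address-tweaked variant hides the repetition of equal plaintext words.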


Figure 3: Effect of data encryption and address encryption


The guideline on hand assumes that the TOE will implement block cipher algorithms for data encryption and address encryption. Stream ciphers are out of scope of this guideline.

The TOE may implement, in addition to the memory encryption, a hardware bus encryption for data transferred between the memory and the CPU or between the memory and other components like co-processors. The bus encryption implements encryption for the sender and decryption for the receiver of the data transferred over the bus. The key of the bus encryption can be synchronously changed for sender and receiver at any time. This bus encryption is out of scope of the guideline on hand.

2.3 Cryptanalysis of memory encryption

The vulnerability analysis is an assessment to determine whether potential vulnerabilities could allow attackers to violate the security functional requirements in the intended operational environment (cf. [CC] part 3, para. 455). We assume that the TSF shall protect the confidentiality of user data and TSF data, especially cryptographic secrets, stored and operated on the TOE. Because the attacker will have physical access to the TOE, the memory protection is implemented by means of physical and logical countermeasures. The physical countermeasures are implemented in hardware only. The logical countermeasures include but are not limited to cryptographic security mechanisms implemented by special hardware and maybe dedicated software.

The vulnerability analysis of the memory protection considers all relevant countermeasures. If the TSF without consideration of memory encryption provides sufficient resistance against attacks with the assumed attack potential, the analysis and the assessment of the effectiveness of the memory encryption may be skipped. If the vulnerability analysis identifies a potential vulnerability that the attacker could exploit against the TSF without memory encryption, the analysis and the assessment of the effectiveness of the cryptographic security mechanisms might be necessary in order to determine whether this vulnerability is or is not exploitable for the complete TSF in the intended operational environment (cf. chapter 4 for further details).

The following chapter 3 describes methods for cryptanalysis of memory encryption to be used in the vulnerability assessment of memory encryption described in chapter 4.


3 Methods for cryptanalysis of memory encryption

3.1 Cryptographic assumptions and prerequisites for the cryptanalysis of memory encryption

The cryptanalysis of the memory encryption shall take into account

• the context of the whole attack path against the data stored in the memory, which includes the cryptanalytic attack as a part, and the binding of memory encryption with the other security features of the TSF, e. g. physical protection of the memory, access control to key management of the memory encryption;

• the method of memory use, i. e.
➢ the type of data stored in the memory as user data, TSF data or TOE implementation stored in the memory,
➢ the amount of data stored in the memory,
➢ read-only memory or read-write memory;

• the method of use of the memory encryption over the life cycle of the TOE, e. g. the key management, and

• the operational environment defining the conditions under which the attack might be performed, e. g. the memory may store, besides the unknown data under attack, also data prior known to the attacker.

This chapter describes the assumptions and prerequisites for the cryptanalysis of memory encryption.

3.1.1 Cryptographic assumptions

This section describes the assumptions made about cryptographic systems for memory encryption.

The memory encryption is implemented by hardware (i. e. in case of smartcards by the security integrated circuit) and may be supported by dedicated software. The embedded software of a TOE may implement additional encryption of stored data on operating system or application level, but this is outside the scope of the current document.

The TOE may implement different secret-sharing algorithms, data encryption-decryption algorithms, address encryption algorithms and key sets depending on the type of memory used for the data storage. We consider the following types of data memory:

(1) ROM storing read-only executable code. The ROM data are fixed for the TOE instantiations, i. e.

- if the TOE is a security IC then the IC dedicated software will be fixed;

- if the TOE is a smartcard then the dedicated software and the embedded software will be fixed.

The ROM may store dedicated and embedded software in plaintext or ciphertext. The ROM contains typically between 32K Byte and 512K Bytes (up to 4 MB and more).

(2) EEPROM or Flash is read-write memory storing executable code, user data and TSF data. This memory stores data permanently even if the TOE is switched off. The stored data may be fixed for a set of the TOE instantiations, fixed individually for each TOE instantiation or changed during operation. The EEPROM stores user data and TSF data as ciphertext only. The EEPROM contains typically between 8K Byte and 1M Bytes.


(3) RAM storing temporarily user data and TSF data during a power-on session and not available outside the power-on session. The RAM stores all data in plaintext or all data in ciphertext. RAM contains typically between 512 Bytes and 64K Bytes.

The TOE uses symmetric encryption-decryption algorithms for the stored data. The data are automatically encrypted when writing onto the memory and automatically decrypted when reading from the memory. The address encryption is a cryptographic permutation of the logical address to the physical address of the data for reading from the memory and – if appropriate for the type of memory – for writing into the memory.

The cryptographic system for memory encryption uses different key sets for different types of memory. It may use different key types, e. g. long-term keys, group keys, chip-individual keys, and session-individual keys. Long-term keys like the S-boxes of block ciphers may have different areas of application, i. e. for one or more TOEs or sets of TOE instantiations for different customers or applications. Group keys are used in more than one device.

The keys for data encryption and address encryption may have different areas of application, i. e. all TOE instantiations, sets of TOE instantiations for different customers or applications, an individual TOE instantiation, memory areas, or sessions.

All data keys are secret and stored in special memory areas of the TOE. They are automatically installed during secure start-up (cf. security architecture, secure TSF initialization).

3.1.2 Prerequisites for the cryptanalysis

This section describes the prerequisites for the cryptanalytic attack scenarios. The effort to gain the relevant information or perform the activities for the attack will be discussed later in chapter 4.

The adversary knows all fixed parts of the cryptographic algorithms (Kerckhoffs' principle).

The adversary knows all or parts of the encrypted data stored in the different memory types and areas of the memory. The amount of known ciphertext may be limited because of the TOE design or security countermeasures. The cryptanalysis shall consider several attack scenarios with respect to the amount of ciphertext and the information about the plaintext necessary for a decision about the key:

(1) The adversary knows ciphertext shorter than the key (in this case the key cannot be determined completely but may be partly reconstructed).

(2) The adversary knows sufficient ciphertext and has information about probable plaintexts, allowing a probabilistic decision about the right key based on the redundancy contained in the plaintext of the given ciphertext.

(3) The adversary knows sufficient plaintext-ciphertext pairs, allowing a correct decision whether a given key is the right key to be used for decryption.

The amount of plaintext-ciphertext pairs necessary to determine the key depends on the attack method, e. g. algebraic attacks may work on shorter corresponding plaintexts and ciphertexts than probabilistic attacks like linear cryptanalysis.
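The three scenarios above, worked through on a toy cipher. This is an added example and not part of the BSI document: the 8-bit block cipher with a 12-bit key, its S-box and the demo key are constructed for illustration only. Enumerating all keys shows how many candidate keys remain consistent with one known block (ciphertext shorter than the key, scenario 1), with several known plaintext-ciphertext pairs (scenario 3), and with ciphertext only plus a plaintext redundancy test (scenario 2):

```python
import random

# Toy 8-bit block cipher with a 12-bit key (constructed for illustration only,
# not a cipher from the BSI document). Three rounds of key XOR, S-box, rotate.
BLOCK_BITS = 8
KEY_BITS = 12

_rng = random.Random(2013)           # fixed seed: the S-box is a fixed random permutation
SBOX = list(range(1 << BLOCK_BITS))
_rng.shuffle(SBOX)
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def _rotl(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _rotr(x, n):
    return ((x >> n) | (x << (8 - n))) & 0xFF


def round_keys(key):
    """Key schedule: three 8-bit round keys selected from the 12-bit key."""
    return (key & 0xFF, (key >> 4) & 0xFF, ((key >> 8) | (key << 4)) & 0xFF)


def encrypt(key, x):
    for rk in round_keys(key):
        x = _rotl(SBOX[x ^ rk], 3)
    return x


def decrypt(key, y):
    for rk in reversed(round_keys(key)):
        y = INV_SBOX[_rotr(y, 3)] ^ rk
    return y


def surviving_keys(pairs):
    """Scenario (3): all keys consistent with the given known plaintext-ciphertext pairs."""
    return [k for k in range(1 << KEY_BITS)
            if all(encrypt(k, p) == c for p, c in pairs)]


def surviving_keys_probable_plaintext(ciphertext_blocks, accept):
    """Scenario (2): ciphertext only; keep keys whose decryption passes a redundancy test."""
    return [k for k in range(1 << KEY_BITS)
            if all(accept(decrypt(k, c)) for c in ciphertext_blocks)]


def is_lowercase_letter(b):
    """Redundancy assumed about the plaintext: it consists of the letters a-z only."""
    return 0x61 <= b <= 0x7A


# Constructed demo data: a secret key and a short plaintext.
SECRET_KEY = 0xA5C
PLAINTEXT = [ord(ch) for ch in "memory"]
CIPHERTEXT = [encrypt(SECRET_KEY, p) for p in PLAINTEXT]


def candidates_for(num_pairs):
    """Candidate keys after the first num_pairs known plaintext-ciphertext pairs."""
    return surviving_keys(list(zip(PLAINTEXT, CIPHERTEXT))[:num_pairs])


if __name__ == "__main__":
    for m in (1, 2, 3, 4):
        print(f"{m} known pair(s): {len(candidates_for(m))} candidate key(s)")
    print("ciphertext only, a-z redundancy:",
          len(surviving_keys_probable_plaintext(CIPHERTEXT, is_lowercase_letter)))
```

With one 8-bit block known, on the order of 2^(12-8) = 16 keys remain, so the key can only be narrowed down; each further pair divides the candidate set by roughly 2^n, and two pairs already carry more than 12 bits of condition. The ciphertext-only variant shows the role of plaintext redundancy: six blocks that must all decrypt to letters leave only the right key and, on average, a fraction of a false candidate.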

The adversary may know parts of but not all secret keys. The knowledge of keys depends on

(1) the number of TOE instantiations where the key is used and therefore the number of samples and the amount of data available for attacks, e. g. many devices or only one device (cf. [CEM], B.4.2.2, Knowledge of the TOE, [SDAP], chapter 3, Knowledge of the TOE and Access to TOE),

(2) the time the key is used and therefore the window of opportunity to attack the key, e. g. over the life time of the TOE instantiation, the life time of an application, a fixed life time of the key (regularly changed), or during only one session (cf. [CEM], B.4.2.2, Window of opportunity).


(3) area of application, e. g. memory types and technologies define the effort to get data for the cryptanalysis.

The adversary may passively observe or actively affect start-up and operation of the TOE.

3.2 Methods of Cryptanalysis

3.2.1 Cryptanalysis of block cipher

A block cipher is an invertible function which maps n-bit plaintexts to n-bit ciphertexts. This function, also referred to as an encryption function, is parameterized by a k-bit key which is assumed to be chosen uniformly at random. Ideally, an encryption function corresponding to a fixed key should look like a randomly chosen invertible function to an outside observer who has no knowledge of the key. Also, if the block size n of a block cipher is too small, it may be vulnerable to statistical analysis such as frequency analysis of ciphertext blocks. To avoid this and to be able to encrypt large chunks of data, block ciphers are often used with a mode of operation. For data exceeding the size of n bits, one can partition the data into n-bit parts and encrypt all parts independently. This method is known as the electronic codebook mode (ECB). There are further, more suitable modes of operation which can be used in memory encryption systems, cf. chapter 3.2.3.

Most block ciphers encrypt a given plaintext by iteratively applying a round function a number of times. This round function is often composed of three parts: a nonlinear part for providing confusion, a linear diffusion part, and a key addition part. This key addition can be either XOR or modular addition depending on the designer’s choice. The input length of this round function determines the overall design strategy of the block cipher. For example, block ciphers with Feistel structure have round functions of input/output length at most half of the block length of the cipher. In a two-branch Feistel structure (like DES), half of the block is processed by the round function and the result is xored to the other half of the block at each round. Since this process is done simultaneously for both halves, the encryption and decryption processes of Feistel ciphers are very similar. On the other hand, the input length of the round function of a substitution permutation network (SPN) is exactly equal to the block length of the cipher. This approach provides faster diffusion but often results in a more expensive implementation in terms of hardware area.

For each round of the encryption process, most block ciphers use individual keys which are derived from the original encryption key through a key scheduling algorithm. This algorithm should be designed in a way that avoids complementation property attacks, as well as weak keys and related key attacks. If a block cipher has the complementation property, an encryption of a plaintext under a complemented key results in the complemented ciphertext of the original encryption. This leads to an improved brute force attack which is twice as efficient as the original one. Similarly, weak keys result in shorter cycles of encryption on average when compared to the rest of the encryption keys. For instance, DES has four weak keys which produce identical round keys. Since DES has a Feistel structure, double encryption with these keys gives the original plaintext. This is not a desired property of DES, since it enables the adversary to reduce the key space when doing a brute force attack. Moreover, related keys can improve an attack’s success probability by a great deal if the encryption system enables the adversary to impose encryption keys with certain relations in between. There are related key variants of almost all attacks in the literature, which are currently the most powerful attacks against modern block ciphers. In modern block ciphers, key scheduling algorithms often constitute a non-linear function to achieve added resistance to related key attacks. Although the related key attack model improves the success probability of almost all cryptanalytic attacks, such attacks can be easily avoided by updating encryption keys in a random (or pseudo random) manner, i. e. either using a physical source of randomness or by using a pseudo random number generator with a true random seed.
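A design check for the complementation property discussed above, as an added example that is not taken from the document: a toy 16-bit Feistel cipher with a constructed random S-box, once with DES-style round keys selected bit-wise from the key and once with round keys passed through the S-box. The check evaluates E(~K, ~P) against ~E(K, P) for random keys and plaintexts; a cipher for which these always agree halves the work of exhaustive key search, which is why the key schedule, not the round function, decides the outcome here.

```python
import random

# Toy 16-bit Feistel cipher (constructed for illustration, not from the BSI document).
# Halves are 8 bits; the round function is f(R, rk) = SBOX[R ^ rk].
ROUNDS = 4
_rng = random.Random(1)               # fixed seed: a fixed random S-box
SBOX = list(range(256))
_rng.shuffle(SBOX)


def _rotl16(x, n):
    n %= 16
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def linear_schedule(key):
    """Round keys are plain bit selections of the key (as in DES): complementing
    the key complements every round key."""
    return [_rotl16(key, 4 * i) & 0xFF for i in range(ROUNDS)]


def nonlinear_schedule(key):
    """Round keys pass through the S-box, so complementing the key does not
    complement the round keys."""
    return [SBOX[_rotl16(key, 4 * i) & 0xFF] for i in range(ROUNDS)]


def feistel_encrypt(key, block, schedule):
    """Feistel network: (L, R) -> (R, L xor f(R, rk)) per round, no final swap."""
    left, right = block >> 8, block & 0xFF
    for rk in schedule(key):
        left, right = right, left ^ SBOX[right ^ rk]
    return (left << 8) | right


def complementation_property_holds(schedule, trials=64, seed=7):
    """Design check: does E(~K, ~P) == ~E(K, P) hold for random keys and plaintexts?
    Returns True only if every trial agrees. A cipher with this property loses one
    bit of brute-force security."""
    rng = random.Random(seed)
    for _ in range(trials):
        key, block = rng.getrandbits(16), rng.getrandbits(16)
        lhs = feistel_encrypt(key ^ 0xFFFF, block ^ 0xFFFF, schedule)
        rhs = feistel_encrypt(key, block, schedule) ^ 0xFFFF
        if lhs != rhs:
            return False
    return True


if __name__ == "__main__":
    print("bit-selection key schedule:", complementation_property_holds(linear_schedule))
    print("S-box key schedule:        ", complementation_property_holds(nonlinear_schedule))
```

With the bit-selection schedule the property holds by construction: complementing R and rk leaves R xor rk, and therefore the round function output, unchanged, so only L is complemented in every round. Passing the round keys through the S-box breaks this relation in the very first round.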

The attacks given in this section are evaluated according to both their relevance and practicality when memory encryption systems are considered. An attack is considered as not critical if either it requires a large portion of the codebook by its nature, or it has an assumption which is not likely to be satisfied when memory encryption systems are considered. In addition, an attack is considered as partially critical if it requires the cipher to have a specific weakness, which strong ciphers should not have. Finally, an attack is considered as critical if the number of plaintext-ciphertext pairs required to mount the attack is significantly small compared to the codebook size.

The amount of data required to mount an attack on a cipher is highly dependent on the design of the cipher. For example, given a block cipher which has no non-linear element in its round function, it will obviously be vulnerable to linear attacks, which makes linear attacks critical for that block cipher. But this is valid only for that particular block cipher, and linear attacks may be infeasible to mount when another block cipher with good non-linearity elements is considered. Therefore, the evaluation field given in the table below is merely a guideline for comparing the attacks on a generic block cipher in terms of their practicality when memory encryption systems are considered.


Method | Reference | Applicable to | Description | Evaluation

Method: Text Dictionary Attacks / Matching Ciphertext Attacks
Reference: A.J. Menezes et al: “Handbook of Applied Cryptography”, ’97 [1].
Applicable to: All block ciphers with small block lengths.
Description: A method to identify ciphertext blocks encrypting the same plaintext blocks without any knowledge of the key.
Evaluation: Partially Critical for Memory Encryption Systems. For an n-bit block cipher, a complete dictionary requires 2^n plaintext-ciphertext pairs to be known. Fewer plaintext-ciphertext pairs suffice if plaintexts contain redundancy and a non-chaining mode of operation (such as electronic codebook mode) is used.

Method: Exhaustive Key Search / Brute Force
Reference: A.J. Menezes et al: “Handbook of Applied Cryptography”, ’97 [1].
Applicable to: All block ciphers with small key lengths.
Description: A known plaintext attack which exhaustively tries all possible keys for decryption of a ciphertext to find a matching plaintext.
Evaluation: Critical for Memory Encryption Systems. For an n-bit block cipher with k-bit key, given a small number (e. g.,) of plaintext-ciphertext pairs encrypted under key K, K can be recovered by exhaustive key search in an expected time in the order of 2^(k-1) operations.

Method: Meet-in-the-Middle Attack
Reference: A.J. Menezes et al: “Handbook of Applied Cryptography”, ’97 [1].
Applicable to: Cascaded encryption (double encryption) with two different k-bit keys.
Description: An attack which defeats double encryption using on the order of 2^k operations and 2^k storage for calculating the table for the first key and an expected 2^(k-1) operations with the second key to find matching pairs.
Evaluation: Critical for Memory Encryption Systems. It should be noted that encrypting a message with n different k-bit keys does not provide n x k bit security. The amount of data required to implement this attack is as low as for a brute force attack on one encryption, i. e. only few (2 or 3) known plaintext-ciphertext pairs are sufficient to implement it.

Reference: A. Bogdanov, C. Rechberger: “A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN”, SAC ’10, [26].
Applicable to: Block ciphers with simple key scheduling algorithms.
Description: Known plaintext and ciphertext pairs are partially encrypted and decrypted simultaneously to find a partial matching in a specific intermediate state. Exploiting the weak key schedule of KTANTAN is the key point of this particular attack.
Evaluation: Critical for Memory Encryption Systems. The amount of data required to implement this attack is as low as for a brute force attack (3 plaintext-ciphertext pairs are sufficient in this particular work), which makes the attack critical for memory encryption systems.

Method: Differential Cryptanalysis
Reference: E. Biham et al: “Differential Cryptanalysis of DES-like Cryptosystems”, CRYPTO ’90, [2].
Applicable to: Block ciphers which have highly probable differential relations for all or a subset of rounds in the encryption process.
Description: A chosen plaintext attack where the plaintexts should have a specific XOR difference.
Evaluation: Partially Critical for Memory Encryption Systems. A collection of plaintext-ciphertext pairs is needed, of an amount depending on the attack probability.

Reference: L. R. Knudsen et al: “Truncated and Higher Order Differentials”, FSE ’95, [3].
Applicable to: Block ciphers which have highly probable differential relations for some rounds of the encryption.
Description: An improved version of differential cryptanalysis which uses truncated differentials (on DES) with the capacity to break ciphers resistant to conventional differential cryptanalysis.
Evaluation: Critical for Memory Encryption Systems. Required assumptions on plaintext pairs are more lax than in the original differential attack. This translates into a smaller amount of data required to devise the attack.

Reference: L. R. Knudsen et al: “Truncated and Higher Order Differentials”, FSE ’95, [3].
Applicable to: Block ciphers of any kind.
Description: The attack makes use of quartets of plaintexts and their corresponding ciphertexts. The attack complexity is directly related to the algebraic degree of the round function.
Evaluation: Critical for Memory Encryption Systems. The attack requires 2^(r+1) chosen plaintexts, where r is the algebraic degree of the round function. Therefore, block ciphers which use round functions of low algebraic degree are more vulnerable to this attack.

Reference: E. Biham et al.: “Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials”, EUROCRYPT ’99, [14].
Applicable to: Block ciphers which have improbable differential relations for some rounds of the encryption.
Description: A chosen plaintext attack which uses differential paths with probability exactly equal to zero.
Evaluation: Critical for Memory Encryption Systems. This attack uses a key elimination technique which increases the run time of the overall attack. But the amount of chosen (or even known) plaintexts can be relatively small when compared to other differential attacks, which makes it critical for memory encryption purposes.

Reference: D. Wagner: “Boomerang Attack”, FSE ’99, [11].
Applicable to: Block ciphers which have highly probable differential relations for few rounds of the encryption.
Description: An adaptive chosen ciphertext/plaintext attack, which makes use of two differential paths for two consecutive parts of a cipher.
Evaluation: Partially Critical for Memory Encryption Systems. This attack requires the decryption of ciphertexts with some specific XOR difference in between, where the corresponding plaintexts have some specific XOR difference as well. The lower the required Hamming weight of the XOR differences between the ciphertexts, the more feasible the attack becomes.

Reference: J. Kelsey et al.: “Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent”, FSE ’00, [12].
Applicable to: Block ciphers which have highly probable differential relations for few rounds of the encryption.
Description: A chosen plaintext attack which makes use of two differential paths for two consecutive parts of a cipher.
Evaluation: Partially Critical for Memory Encryption Systems. If there are highly probable (close to 1) differential paths for n/2 rounds of an n-round cipher, the attack becomes feasible.

Method: Linear cryptanalysis
Reference: E. Biham: “New types of cryptanalytic attacks using related keys”, EUROCRYPT ’93, [13].
Applicable to: Block ciphers which lack proper diffusion in their key scheduling algorithm.
Description: A chosen plaintext attack which also requires a certain relation between different encryption keys.
Evaluation: Partially Critical for Memory Encryption Systems. If the key update of a memory encryption system allows the adversary to have keys with simple XOR relations, this kind of attack becomes feasible.

Reference: M. Matsui: “Linear Cryptanalysis Method for DES Cipher”, EUROCRYPT ’93, [7].
Applicable to: Block ciphers which employ an S-Box for providing non-linearity. It is easier to attack block ciphers which have high biases in the Linear Approximations Table (LAT) of their S-Boxes.
Description: A known plaintext attack which statistically constructs linear approximations of the round function of a cipher.
Evaluation: Critical for Memory Encryption Systems. A collection of known plaintext-ciphertext pairs is needed, depending on the attack probability. This attack is feasible when a linear approximation path can be constructed, with high probability, for a sufficiently large portion of the cipher.

Reference: J. Y. Cho: “Linear Cryptanalysis of Reduced-Round PRESENT”, CT-RSA ’10, [8].
Applicable to: Block ciphers with SPN structure.
Description: An improvement of linear cryptanalysis which combines multiple linear approximation paths to attack the target block cipher.
Evaluation: Critical for Memory Encryption Systems. This attack makes use of multiple linear approximation paths to construct an attack on the whole cipher, which improves the attack probability and therefore reduces the required number of known plaintext-ciphertext pairs.

Reference: A. Bogdanov and V. Rijmen: “Zero-Correlation Linear Cryptanalysis of Block Ciphers”, ’11, available online [17].
Applicable to: Block ciphers of any kind.
Description: An adaptation of the impossible differential attack to the concept of linear cryptanalysis.
Evaluation: Not Critical for Memory Encryption Systems. The whole codebook (or at least half of it) is required to apply the attack. Even then the time complexity is much higher when compared to the other attacks.

Reference: N.T. Courtois and G.V. Bard: “Algebraic cryptanalysis of the Data Encryption Standard”, 11th IMA International Conference ’07, [4].
Applicable to: Block ciphers which have a round function that can be represented by low-degree algebraic relations.
Description: A known plaintext attack which represents the encryption process as a system of equations, and solves them to recover the key.
Evaluation: Critical for Memory Encryption Systems. Minimalistic memory requirements of this attack make it feasible even on smart cards with small memories. Encryption functions of block ciphers often can be represented by low degree algebraic equations. Therefore, block ciphers requiring too few rounds for encryption should be carefully investigated concerning this aspect.

Reference: N.T. Courtois et al: “Algebraic and Slide Attacks on Keeloq”, FSE ’08, [5].
Applicable to: Block ciphers which have a periodic structure (e. g. composition of identical functions) in either encryption or key scheduling algorithms.
Description: The periodic structure of the key schedule of Keeloq is exploited to perform an attack on the full cipher.
Evaluation: Partially Critical for Memory Encryption Systems. Keeloq is broken with 256KB of known plaintexts. Periodic structures in a block cipher should be avoided, especially when the algebraic structure of the enciphering function is of low degree.

Reference: T. Jakobsen and L. R. Knudsen: “The Interpolation Attack on Block Ciphers”, FSE ’97, [27].
Applicable to: Block ciphers of any kind. Especially to the ones which use quadratic functions as their S-Boxes.
Description: Lagrange interpolation is used for finding an alternative algorithm which maps a given plaintext to the corresponding ciphertext without any knowledge of the key.
Evaluation: Partially Critical for Memory Encryption Systems. This attack is mounted by finding a polynomial representation of the ciphertext in terms of plaintext and key bits. The number of plaintext-ciphertext pairs required is equal to the number of coefficients in the polynomial representation. Therefore, this attack is critical for block ciphers using round functions of low algebraic degree.

Reference: M. Vielhaber: “Breaking ONE.FIVIUM by AIDA an Algebraic IV Differential Attack”, Cryptographic ePrint Archive: Report 2007/413, [34]; I. Dinur and A. Shamir: “Cube Attacks on Tweakable Black Box Polynomials”, EUROCRYPT ’09, [28].
Applicable to: Block ciphers which have a round function that can be represented by low-degree algebraic relations.
Description: The attacker tries to obtain linear equations of secret variables by adding polynomial representations of output bits and fixing some public variables (plaintext bits in the block cipher case) to zero. Once the attacker gathers enough linear equations, she can solve the linear system to obtain the key.
Evaluation: Partially Critical for Memory Encryption Systems. This is a chosen plaintext attack which requires the cipher to have low degree algebraic relations between its input, key and output bits. The degree of the polynomial which represents the relation between the input, key and output bits should not exceed the number of public variables available. The attack has an extensive precomputation phase; but on the other hand, it can also be applied to proprietary ciphers in a black box model.

Reference: M. Albrecht and C. Cid: “Algebraic Techniques in Differential Cryptanalysis”, FSE ’09 [21].
Applicable to: Block ciphers which have highly probable differential relations for few rounds of the encryption.
Description: Combines differential attack ideas with algebraic cryptanalysis.
Evaluation: Partially Critical for Memory Encryption Systems. Differential characteristics are used to simplify the algebraic equations which are to be solved to apply a successful algebraic attack. The required number of plaintext-ciphertext pairs is relatively low compared to plain differential attacks.

Method: Slide Attack
Reference: A. Biryukov and D. Wagner: “Slide Attacks”, FSE ’99, [10].
Applicable to: Block ciphers which have a periodic structure in either encryption or key scheduling algorithms.
Description: An adaptive chosen plaintext attack which exploits the periodic structures of modified DES (2K-DES).
Evaluation: Partially Critical for Memory Encryption Systems. An increase in the number of rounds does not always result in stronger security. A 96-round variant of DES is attacked making use of periodic structures in the key scheduling and round functions.

Method: Integral Cryptanalysis
Reference: N. Ferguson et al: “Improved Cryptanalysis of Rijndael”, FSE ’00, [9].
Applicable to: Applicable especially to byte/nibble-oriented block ciphers with bijective round functions.
Description: Recovers the key by investigating ciphertexts of a set of chosen plaintexts with a byte/nibble ranging over all possible values.
Evaluation: Partially Critical for Memory Encryption Systems. An adversary can devise this kind of attack with a relatively low number of chosen plaintext-ciphertext pairs. But it requires a very specific structure in the collection of plaintexts (a byte/nibble ranging over all possible values).

Table 1: Literature overview of cryptanalysis on block ciphers
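The higher-order differential row of Table 1 ties the data requirement of 2^(r+1) chosen plaintexts to the algebraic degree r of the round function. As an added example that is not taken from the document, the following code computes the exact algebraic degree of an 8-bit S-box from the algebraic normal form of its output bits and evaluates the higher-order derivative over an affine subspace, which uses exactly 2^(r+1) inputs and vanishes identically once the subspace dimension exceeds the degree. The S-box candidates (x^3, x^-1 and the identity over GF(2^8) with the AES reduction polynomial) are constructed for illustration; the degree check is the property a designer evaluates before the attack count matters.

```python
AES_POLY = 0x11B   # assumed: GF(2^8) reduction polynomial x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


# Three constructed 8-bit S-box candidates with different algebraic degrees.
def sbox_cube(x):      # x^3: exponent 0b11, algebraic degree 2
    return gf_pow(x, 3)


def sbox_inverse(x):   # x^254 = x^-1: exponent 0b11111110, algebraic degree 7
    return gf_pow(x, 254)


def sbox_identity(x):  # linear, algebraic degree 1
    return x


def algebraic_degree(f, n=8):
    """Exact algebraic degree over all output bits, via the Moebius transform
    (truth table -> algebraic normal form) of each coordinate function."""
    degree = 0
    for bit in range(n):
        anf = [(f(x) >> bit) & 1 for x in range(1 << n)]
        for i in range(n):
            for x in range(1 << n):
                if x & (1 << i):
                    anf[x] ^= anf[x ^ (1 << i)]
        degree = max([degree] + [bin(m).count("1") for m in range(1 << n) if anf[m]])
    return degree


def higher_order_derivative(f, base, directions):
    """XOR-sum of f over the affine subspace base + span(directions), i.e. the
    derivative of order len(directions). It needs 2^len(directions) chosen inputs
    and is identically zero whenever deg f < len(directions)."""
    total = 0
    for mask in range(1 << len(directions)):
        x = base
        for i, d in enumerate(directions):
            if mask & (1 << i):
                x ^= d
        total ^= f(x)
    return total


if __name__ == "__main__":
    for name, f in (("x^3", sbox_cube), ("x^-1", sbox_inverse), ("x", sbox_identity)):
        r = algebraic_degree(f)
        zero = all(higher_order_derivative(f, a, [1 << i for i in range(r + 1)]) == 0
                   for a in range(256))
        print(f"{name}: degree {r}, order-{r + 1} derivative vanishes: {zero}")
```

For x^3 the second-order derivative in directions 1 and x is the constant u·v·(u+v) = x + x^2 = 0x06, independent of the base point, and every third-order derivative is zero; for x^-1 only the eighth-order derivative (the whole space, 2^8 inputs) vanishes. This is the quantitative content of the table row: a round function of degree r is pinned down by 2^(r+1) chosen inputs.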


3.2.2 Cryptanalysis of memory address scrambling

The memory address scrambling is the mapping of logical addresses of stored data to physical locations on the chip provided by memory management units, address encryption and memory layout. It is intended as a countermeasure to information leakage of the locations of stored data in the memory caused by sequential access to memory addresses, which is very common in practical applications. Ideally, an address encryption should distribute the logical addresses uniformly over the whole memory address space when transforming them into physical addresses. In particular, data with sequential logical addresses should not be written to sequential physical addresses, and this should hold independently of the block length of the underlying block cipher. This can be simply checked by evaluating the correlation between the logical and physical addresses. Moreover, the address encryption key should be smartcard specific.
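The correlation check mentioned above, as an added example that is not part of the document: four constructed logical-to-physical address mappings over a 4 KiB address space (identity, XOR with a fixed mask, a permutation of the offsets inside each 16-byte block, and a seeded random permutation standing in for a keyed address encryption) are compared by the Pearson correlation between logical and physical addresses and by the fraction of sequential logical addresses that land on sequential physical addresses. The address space size, the block length and the mappings are assumptions for illustration.

```python
import math
import random

MEMORY_SIZE = 4096          # constructed: a 4 KiB logical address space
BLOCK_SIZE = 16             # constructed: block length of the assumed data cipher, in bytes


def identity_map(addr):
    """No scrambling at all."""
    return addr


def xor_map(addr, mask=0x5A5):
    """Weak scrambling: XOR with a fixed mask (bijective, but structure-preserving)."""
    return addr ^ mask


_inblock_perm = list(range(BLOCK_SIZE))
random.Random(3).shuffle(_inblock_perm)


def in_block_map(addr):
    """Scrambles only the offset inside each cipher block: the block order is preserved,
    so the mapping is not independent of the block length."""
    return (addr // BLOCK_SIZE) * BLOCK_SIZE + _inblock_perm[addr % BLOCK_SIZE]


_full_perm = list(range(MEMORY_SIZE))
random.Random(0xC0FFEE).shuffle(_full_perm)   # stands in for a keyed address encryption


def keyed_permutation_map(addr):
    """Uniform permutation of the whole address space (assumed keyed, fixed seed here)."""
    return _full_perm[addr]


def pearson(xs, ys):
    """Pearson correlation coefficient of two equally long sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def address_correlation(mapping, size=MEMORY_SIZE):
    """Correlation between logical addresses and their physical images; close to 1
    means the scrambling leaks the logical order."""
    logical = list(range(size))
    physical = [mapping(a) for a in logical]
    return pearson(logical, physical)


def sequential_fraction(mapping, size=MEMORY_SIZE):
    """Fraction of consecutive logical addresses mapped to consecutive physical addresses."""
    physical = [mapping(a) for a in range(size)]
    hits = sum(1 for a in range(size - 1) if physical[a + 1] == physical[a] + 1)
    return hits / (size - 1)


def is_bijective(mapping, size=MEMORY_SIZE):
    """Sanity check: every physical address is used exactly once."""
    return len({mapping(a) for a in range(size)}) == size


if __name__ == "__main__":
    for name, m in (("identity", identity_map), ("xor", xor_map),
                    ("in-block", in_block_map), ("keyed permutation", keyed_permutation_map)):
        print(f"{name:18s} bijective={is_bijective(m)} "
              f"corr={address_correlation(m):+.4f} sequential={sequential_fraction(m):.4f}")
```

The in-block permutation illustrates the block-length remark in the text: although no two neighbouring addresses inside a block stay adjacent, the correlation remains close to 1 because the block order itself is preserved, whereas a permutation over the whole address space drives both measures to the noise level.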

In the literature, there are different methods to perform memory encryption (also referred to as “memory scrambling²”) such as partially or fully encrypting the memory addresses. In the former method, only the addresses within the most recently accessed blocks of the memory are encrypted. In the latter approach, the whole logical address space is encrypted at the cost of additional latency and power consumption. The table below includes the address encryption schemes available in the literature and comments regarding their efficiency. Note that the referenced literature does not imply any recommendation for the use of these methods (cf. instead the technical guidance published by BSI like TR-02102).

² Scrambling means in general (1) channel encoding in order to optimize data transmission, and (2) weak encryption mainly by transposition (e. g. for voice encryption).


Reference | Focus | Description | Evaluation

Reference: X. Zhuang et al: “HIDE: an infrastructure for efficiently protecting information leakage on the address bus”, ASPLOS-XI ’04 [18].
Focus: Encrypting the addresses within the most recently accessed blocks.
Description: Permutes the addresses within blocks of variable size, using an additional permutation cache.
Evaluation: The method proposed in this paper only covers scrambling the addresses of a portion of the memory. Also, later in [19], some problems regarding excessive memory accesses on permutation and redundant permutations are pointed out.

Reference: X. Zhuang et al: “Hardware assisted control flow obfuscation for embedded processors”, CASES ’04 [20].
Focus: Encrypts the contents of the whole memory.
Description: Switches random blocks in the memory by using a “shuffle buffer”.
Evaluation: Memory blocks to be scrambled have to be temporarily kept inside the cache memory, which is referred to as “shuffle buffer”. It also has to be large enough to accommodate all the blocks to be switched.

Reference: L. Gao et al: “A low-cost memory remapping scheme for address bus protection”, PACT ’06 [19].
Focus: Encrypts the contents of the whole memory.
Description: Handles address encryption in chunks of a fixed size (128 blocks). An improvement to previously proposed schemes.
Evaluation: Although this is an improved address encryption method compared to the previously proposed ones, it still needs a cache for permuting blocks, and another one to keep the current order of the blocks in each page/chunk of the memory.

Table 2: Literature overview on memory address scrambling


3.2.3 Modes of operation for memory encryption

As block ciphers encrypt data in n-bit blocks, one needs to use a mode of operation to be able to encrypt data which exceeds the size of n bits. When memory encryption systems are considered, mostly address information is used as a part of the mode of operation. The table below includes a collection of modes of operation suitable for memory encryption together with the key points of the modes. Note that the security of a mode of operation relies on the assumption that the underlying block cipher is cryptographically secure.

The presented modes of operation make use of the idea of tweakable block ciphers proposed by Liskov et al. [29]. The authors claim that using tweakable block ciphers enables having seemingly different encryption functions without changing the encryption key, which is usually a costly process, but changing the tweak instead. In tweakable block ciphers, a pseudo random tweak value is computed and used as a third input to the encryption function. Here, the idea of including a tweak is to have variability on ciphertexts corresponding to the same plaintext when different tweaks are used. Although the use of a tweak does not provide additional security to the underlying block cipher, the variability comes in handy in some cryptographic applications such as memory encryption.

In the referenced modes below, the tweak is computed by encrypting the page information, which is a unique identifier for a collection of data blocks, using the underlying block cipher with an encryption key. This way, each page has its own encryption function, which makes it harder to attack the system using chosen plaintexts or chosen ciphertexts located at different pages. Note that the referenced literature does not imply any recommendation for the use of these operational modes (cf. instead the technical guidance published by BSI like TR-02102).

Reference: P. Rogaway, “Efficient Instantiations of Tweakable Block Ciphers and Refinements to Modes OCB and PMAC”, ASIACRYPT ’04 [24].
Description: XEX: Randomizes the input and output of the block cipher by XORing a tweak, which is obtained by encrypting part of the address information.
Evaluation: The XEX mode of operation requires the implementation of both the encryption and the decryption algorithm of the underlying block cipher. It is proven to be secure when fewer than 2^(n/2) block cipher calls are made under the same key.

Reference: NIST, SP 800-38E: “Recommendation for block cipher modes of operation: the XTS-AES mode for confidentiality on block-oriented storage devices”, 2009 [23].
Description: An extension of XEX which uses different keys for the encryptions.
Evaluation: This mode also supports the encryption of texts of unusual size, i. e. texts of a size which is not a multiple of the block length of the underlying cipher.

Table 3: Literature overview on modes of operation
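The address-tweaked construction of the table, as an added example in Go that is not code from this document or from [23]/[24]: it assumes a 64-bit page identifier that is encrypted to the page tweak, derives the tweak of block j within the page by multiplication by alpha^j in GF(2^128) (the XTS convention), and uses AES from the Go standard library as the underlying block cipher; with a single key it is XEX, with a separate tweak key it follows the XTS-AES tweak derivation for full blocks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Added example, not code from the BSI document or from [23]/[24]: XEX-style
// encryption of 16-byte memory blocks with an address-derived tweak. The page
// identifier (assumed here: a 64-bit number) is encrypted to the page tweak T,
// and block j within the page uses T * alpha^j in GF(2^128), as in XEX/XTS.
const blockSize = 16

// With tweakKey == dataKey this is XEX [24]; with a separate tweak key it
// follows the XTS-AES tweak derivation of SP 800-38E [23] for full blocks.
type MemoryCipher struct {
	data  cipher.Block // encrypts and decrypts the data blocks
	tweak cipher.Block // encrypts the page identifier to obtain the tweak
}

func NewMemoryCipher(dataKey, tweakKey []byte) (*MemoryCipher, error) {
	d, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	t, err := aes.NewCipher(tweakKey)
	if err != nil {
		return nil, err
	}
	return &MemoryCipher{data: d, tweak: t}, nil
}

// gfDouble multiplies a 128-bit value by alpha in GF(2^128) modulo
// x^128 + x^7 + x^2 + x + 1; byte 0 holds the least significant bits (XTS convention).
func gfDouble(v []byte) []byte {
	out := make([]byte, blockSize)
	var carry byte
	for i, b := range v {
		out[i], carry = b<<1|carry, b>>7
	}
	if carry != 0 {
		out[0] ^= 0x87
	}
	return out
}

// tweakFor returns T_j = E_Ktweak(page) * alpha^j.
func (m *MemoryCipher) tweakFor(page, j uint64) []byte {
	in := make([]byte, blockSize)
	binary.LittleEndian.PutUint64(in, page)
	t := make([]byte, blockSize)
	m.tweak.Encrypt(t, in)
	for ; j > 0; j-- {
		t = gfDouble(t)
	}
	return t
}

func xorBlock(a, b []byte) []byte {
	out := make([]byte, blockSize)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// EncryptBlock stores plaintext block p at (page, j): C = E_K(P xor T_j) xor T_j.
func (m *MemoryCipher) EncryptBlock(page, j uint64, p []byte) []byte {
	t := m.tweakFor(page, j)
	c := make([]byte, blockSize)
	m.data.Encrypt(c, xorBlock(p, t))
	return xorBlock(c, t)
}

// DecryptBlock needs the cipher's decryption direction too (the cost noted in
// Table 3): P = D_K(C xor T_j) xor T_j.
func (m *MemoryCipher) DecryptBlock(page, j uint64, c []byte) []byte {
	t := m.tweakFor(page, j)
	p := make([]byte, blockSize)
	m.data.Decrypt(p, xorBlock(c, t))
	return xorBlock(p, t)
}

func main() {
	// Constructed keys and plaintext for the demonstration only.
	mc, err := NewMemoryCipher(bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16))
	if err != nil {
		panic(err)
	}
	p := []byte("0123456789abcdef")
	// The same plaintext at three addresses: ECB would give identical ciphertexts,
	// the tweak makes them differ; rewriting one address stays deterministic, though.
	for _, a := range [][2]uint64{{1, 0}, {1, 1}, {2, 0}} {
		fmt.Printf("page %d block %d: %x\n", a[0], a[1], mc.EncryptBlock(a[0], a[1], p))
	}
}
```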

3.3 Cryptanalytic attacks using side-channel information

In addition to the methods given in the cryptanalysis table, there are also attacks which exploit some side-channel knowledge to improve the success probability of an attack. Attacks of this kind require accurate recovery of internal state bits, which is often not achievable in side-channel analysis. The table below includes this type of combined attacks and comments on their applicability.

Reference: M. Renauld and F.-X. Standaert: “Algebraic Side-Channel Attacks”, ’09, available online [25].
Applicable to: Block ciphers with round functions of a low algebraic degree.
Description: Side-channel information is used for solving the algebraic system obtained from the encryption function more easily.
Evaluation: Algebraic attacks represent the encryption function as a large system of equations. Any accurate information about the internal states of the encryption can be used to simplify some of the equations.

Reference: L. Yang et al.: “Side Channel Cube Attack on PRESENT”, CANS ’09 [22].
Applicable to: Block ciphers with round functions of a low algebraic degree.
Description: An improved algebraic attack using accurate side-channel information.
Evaluation: A specific bit of the third round state must be available to the attacker to recover the 80-bit key of full PRESENT with 256 KB of chosen plaintext data. This number can be considerably lower for weaker ciphers, which makes this attack critical under the required assumption.

Table 4: Literature overview on combination attacks with side-channels

4 Vulnerability analysis of memory encryption

The memory encryption is only a part of the security features protecting the confidentiality of data stored in the memory. Therefore the evaluator shall include the memory encryption in the vulnerability analysis of the TOE provided that

(1) the TSF shall protect the confidentiality of user data, TSF data or other data stored in memory (called assets in the following),

(2) the TSF uses data encryption or address encryption to protect the confidentiality of these assets during the storage in memory or the internal transfer of the stored ciphertext, and

(3) the non-cryptographic security countermeasures alone are not sufficient to resist identified potential attacks with the attack potential claimed in the security target.

The consideration of the implemented cryptographic security mechanisms will result in a more comprehensive and consequently more precise vulnerability assessment of the TOE.

This chapter describes specific aspects of the vulnerability analysis of memory encryption as part of the vulnerability assessment of the memory protection. These aspects relate to the identification of the requirements, the examination of the security features, the identification of potential vulnerabilities and the assessment of the resistance against attacks. They follow the work flow of the vulnerability analysis. The chapter concludes with examples illustrating the general evaluation methodology for the memory encryption.

4.1 Preparation for the vulnerability analysis of memory encryption

4.1.1 Identification of the security requirements for memory protection

This chapter describes the first step on the way to a vulnerability analysis of the memory encryption: the identification of the security requirements for memory protection. The security requirements for memory protection and the claimed resistance against attacks define the criteria for the vulnerability analysis of its security features, including those for memory encryption if implemented. In the following it is assumed that the TOE implements the protection of the assets by means of physical and logical countermeasures including cryptographic security mechanisms, i. e. the conditions (1) and (2) above are fulfilled.

The protection of the confidentiality of data stored in the memory may be explicitly required by an SFR in the security target or may implicitly follow from the security architecture of the TOE.

The security target may

(1) require memory protection directly by security functional requirements (SFR) (cf. ASE_REQ), or

(2) describe memory protection as a security feature against interference in the TOE summary specification (cf. ASE_TSS.2.2C).

The ST may define an extended component (or reference the definition of an extended component in a certified protection profile) in order to explicitly describe an SFR for the protection of the confidentiality or even the encryption of data stored in the TOE memory. The ST may describe memory encryption using the component FCS_COP.1. The component FPT_PHP.3 describes requirements for resistance against physical tampering such that the SFRs are always enforced. Note that CC part 2 defines similar SFRs only for the protection of the integrity of stored user data (cf. FDP_SDI family) and for internal data transfer protection with an operation for confidentiality protection (cf. FDP_UIT family for user data and FPT_ITT.1 family for TSF data).

The security architecture of the TOE may include the protection of the confidentiality of data stored in the memory even if it is not directly required by any SFR in the security target. The memory protection, and the memory encryption as a mechanism implementing this security feature, may

(1) contribute to the self-protection of the TSF from tampering, and

(2) support the non-bypassability of the SFR-enforcing functionality.

If the security architecture includes memory protection as a security feature or memory encryption as a security mechanism, the evaluator will consider these security features when searching for any ways in which the protection of the TSF can be undermined (cf. CEM work units AVA_VAN.{2,3,4}-4, AIS34, work unit AVA_VAN.5-4). Note that the criteria of the vulnerability analysis are exploitable vulnerabilities, i. e. weaknesses in the TOE that can be used to violate the SFRs in the operational environment of the TOE. Defeating the memory encryption as a security feature of the security architecture is only one step on the complex attack path violating the SFR.

As output of this activity the evaluator gains information

(1) whether the security target requires TSF protection for data stored in memory by SFR or as a security feature,

(2) whether the security target requires memory encryption by SFR or as a security feature,

(3) the type and amount of data stored as user data, TSF data or TOE implementation in this protected memory, and

(4) the claimed resistance against attacks violating the SFR.

4.1.2 Description of memory encryption

The functional specification describes the external TSF interface of the memory protection as the physical boundary of the TOE, i. e. an explicitly defined continuous perimeter that establishes the physical bounds of the TOE and contains all the hardware, software, and/or firmware components of the TOE (cf. [SDIC] about ADV_FSP). The IC surfaces of the areas where the encrypted memory, its buses and the cryptographic modules are located, and the physical entry or exit points of physical signals of the TOE (ports), together with the internal logical interface to the memory, form the attack surface of the memory encryption.

In almost all cases the functionality of the memory encryption will not be directly accessible or manageable through the external interfaces of the TSF, because the CPU and other components using stored data are connected with the memory through the memory encryption cryptographic modules. These components receive plaintext only from the memory and send plaintext only to the memory, without having access to the corresponding ciphertexts or to the memory encryption keys. In cryptographic terms, these components know or choose plaintext without knowing the corresponding ciphertext. The key management of memory encryption may or may not be controllable through the external interfaces of the TSF; e. g. the hardware or the dedicated software may control the key generation for the data and address encryption of the core external RAM during start-up after power-on, whereas the keys for the EEPROM encryption are fixed after the initial start-up of the TSF, or even fixed before TOE production for the ROM encryption.

The TOE design provides a thorough description of the TSF. If memory protection or memory encryption is claimed by an SFR in the security target, the TOE design shall describe the modules and the security mechanisms implementing this SFR or these SFRs (cf. purpose of modules according to ADV_TDS.3 or higher components). The security architecture description (cf. ADV_ARC.1) may also describe memory encryption as an independent security feature and provide the description of its function and cryptographic mechanisms or reference the TOE design for it.

The memory encryption is implemented by means of cryptographic modules for data encryption or address encryption or both, including the key management. The developer shall describe the memory encryption in terms of

(1) the security functions of the memory encryption, i. e. describe what (in terms of action) the memory encryption does in order to provide the intended protection. This description shall cover data encryption and address encryption as implemented and the management of the memory encryption keys (cf. chapter 2.2), and

(2) the security mechanisms of the memory encryption, i. e. describe how a security function (or a part of it) is implemented in order to meet an SFR or to enforce architectural soundness. The level of detail is defined by the purpose of modules (cf. component ADV_TDS.3 or higher).

The description shall include

(3) all cryptographic algorithms implemented in the cryptographic modules, i. e. for data encryption, address encryption and secret sharing mechanisms as implemented,

(4) the key management for these cryptographic algorithms, i. e. how these keys are generated, the amount of data, the number of TOE instantiations and the time the keys are used.

Note that the TSF may use different cryptographic algorithms and keys for different memory areas under cryptographic protection.

The TOE implementation representation made available for ADV_IMP shall include the implementation of the memory encryption. The evaluator will use the implementation representation to examine whether the TOE conforms to its design. Note that, because of the lack of interfaces available for tests (e. g. known answer tests with plaintext and ciphertext), the examination of the implementation representation may be the only way to determine the correctness of the memory encryption implementation (cf. CEM, sec. 14.2.2).

As output of this activity the evaluator gains a thorough description of the TSF and TSFI of the memory encryption:

(1) the external interfaces of the memory protection,

(2) the internal interfaces of the memory encryption,

(3) the functionality and properties of the cryptographic mechanisms of the memory encryption for data encryption, address encryption and key management,

(4) the implementation of the cryptographic mechanisms of the memory encryption.

The evaluator should use the developer evidence provided for the memory areas under protection, the buses and the cryptographic modules, which includes but is not limited to the following:

• the method of memory use, e. g. the type and amount of data stored in the memory as user data, TSF data or TOE implementation,

• the physical locations of the memory areas, the buses and the cryptographic modules in the device, e. g. metal layer, location viewed from the chip surface,

• the physical protection of the memory, the buses and the cryptographic modules against reading, temporary manipulation and permanent modification,

• the logical protection of the memory against reading and writing, e. g. provided by the MMU,

• the stability against perturbation of the TSF components that may affect the memory, the buses and the cryptographic modules,

for the vulnerability analysis of the memory protection.

4.1.3 Security architecture of memory encryption

The security architecture of the TOE may describe the security feature of memory protection as provided by a combination of

(1) security properties of the memory, especially of the used technology,

(2) non-cryptographic countermeasures (e. g. active shielding protecting RAM), and

(3) security mechanisms including the memory encryption.

The developer shall demonstrate the security properties of the memory encryption, including evidence for the claimed cryptographic resistance of the implemented cryptographic algorithms. The security architecture of the TSF (cf. CC part 3, assurance family ADV_ARC) shall describe how the TSF initialization process is secure (cf. element ADV_ARC.1.3C), how the TSF protects itself from tampering (cf. element ADV_ARC.1.4C) and how the TSF prevents bypass of the SFR-enforcing functionality (cf. element ADV_ARC.1.5C). The following paragraphs describe specific security architectural aspects for memory encryption that

• the developer should consider in the design and implementation of the TOE and the TSF,

• the developer shall describe in the security architecture documentation,

• the evaluator shall analyse in the vulnerability analysis.

Domain separation is a property whereby the TSF creates separate security domains on its own and for each untrusted active entity to operate on its resources, and keeps those domains separated from one another so that no entity can run in the domain of any other. If the TSF maintains security domains, it may (but is not required to) support domain separation by memory encryption with different keys used for different memory areas assigned to these security domains.

The security architecture description shall describe how the TSF initialization process is secure. With respect to memory encryption, the initialization process is the transition between at least two states:

(1) power-off state: The TOE stores key components in the key storage and only ciphertexts in the other protected memory areas. The TSF is non-operational in the sense that only the physical protection is active for all data stored in these memory areas and the memory encryption is active for the encrypted memory.

(2) operational state: The CPU and other functional components like co-processors read, operate on and write plaintext data. The encryption-decryption functionality for data and addresses is operational and transparent for these components.

In the power-off state, ciphertext only attacks and known plaintext attacks can be performed against the memory encryption. The key storage can be physically attacked in order to read all key components and to reconstruct the cryptographic keys. Manipulation of the stored data may prepare chosen plaintext attacks and chosen ciphertext attacks in the power-on state. In the transition phase from the power-off state to the operational state, the attacker may monitor initialization processes, start-up self-tests and intermediate states in order to reconstruct the cryptographic keys from the key components and side channel information. In the operational state, the attacker may observe the encryption and decryption process in order to get plaintext-ciphertext pairs of the data encryption and of the address encryption for attacks as in the power-off state. Additionally, chosen plaintext attacks and adaptive chosen plaintext attacks may be performed if the executed code allows such operations or the operation of the CPU is manipulated.

The security architecture description shall demonstrate the non-bypassability of the SFR-enforcing functionality. The security architecture description shall demonstrate with respect to the memory encryption that

(1) the memory encryption is effective for all assets during storage and transfer between the data encryption module and the memory (i. e. the plaintext data are available only in absolutely necessary areas of the TOE, e. g. in the CPU, on short plaintext buses),

(2) the TSF ensures that cryptographic keys are stored only in the form of key components in potentially readable memory areas, and therefore the attack effort necessary to compromise the key is sufficiently high,

(3) plaintext-ciphertext pairs cannot be easily found in the device, e. g. plaintexts are not obviously known for ciphertexts in unused memory areas, and the same data are not stored encrypted and unencrypted, even in different memory areas,

(4) the memory encryption is resistant against side-channel attacks.

The TOE may run in power save modes in which some components are switched off. The security architecture description shall demonstrate that enabling and disabling of TSF parts does not violate the security during power save modes.

The security architecture description shall demonstrate the self-protection of the TSF. The TSF self-protection against compromise of data in the memory will be achieved by the combination of physical and logical security mechanisms. The self-protection of the memory encryption itself shall ensure that an adversary reading physically stored data from the memory must

(1) break both the data encryption and the address encryption, or

(2) find all keys used by the TOE example, or

(3) combine both attack paths, i. e. find key parts and break the remaining encryption,

in order to get the plaintext data. The memory encryption shall resist tampering, e. g. perturbation attacks revealing keys or plaintext.

As output of this activity the evaluator gains an understanding of

(1) the role of memory protection and especially memory encryption in the security architecture of the TOE, and

(2) the security architectural properties of the memory encryption itself

as input for the vulnerability analysis.

4.1.4 Physical and logical attacks on memory, buses and cryptographic modules

The vulnerability analysis will analyse potential vulnerabilities of the memory protection identified as described in section 4.1.1 and assess whether they are exploitable with the relevant attack potential in the intended operational environment. The description and the assessment of the physical attacks themselves are outside the scope of this guideline. The reader is referred instead to the relevant supporting documents like [SDAP]. If the vulnerability analysis identifies potential vulnerabilities which could be exploited if only the non-cryptographic security countermeasures are taken into account, i. e. condition (3) above is fulfilled, the evaluator shall take the implemented memory encryption into consideration.

In the context of this guideline, physical attacks include but are not limited to

(1) measurement of signals at the contact-based and contactless interfaces of the device as implemented, including power supply, external clock, output interfaces;

(2) measurement of signals at the physical boundary of the device, e. g. electromagnetic emanation, electric signals at the chip surface by means of needles;

(3) measurement of internal signals of the device, e. g. on data lines after opening the device or removing metal layers of the security integrated circuit;

(4) reading the internal memory, e. g. of ROM by means of optical inspection, of EEPROM by means of an atomic force microscope;

(5) manipulation through the contact-based and contactless interfaces of power supply, external clock, input interfaces as appropriate;

(6) manipulation of signals through the physical boundary of the device, e. g. by means of electromagnetic radiation, particle exposure, electric signals by means of needles, cutting or connecting lines;

(7) manipulation of internal signals of the device, e. g. by means of needles;

(8) manipulation of the memory content, e. g. selected memory cells or registers;

(9) perturbation of the program execution or the processes in TOE components like CPU, MMU, cryptographic coprocessors, cryptographic modules.

All cryptanalytic attacks on memory encryption presuppose attacks that provide ciphertexts or plaintext-ciphertext pairs, or that allow, by means of manipulation, chosen plaintext attacks, chosen ciphertext attacks or related key attacks. In the following we analyse such attacks as prerequisites for the cryptanalysis of the memory encryption and the reconstruction of assets in plaintext.

The attacks against memory encryption are typically performed as combinations of logical cryptanalytic attacks and physical attacks on the cryptographic module and the components handling the relevant data like the memory, the buses, the CPU or the MMU. At first, non-cryptographic physical and logical attacks read ciphertext data with their physical (encrypted) addresses from memory or buses. But the semantic content of these encrypted data and addresses is not readily available. The cryptanalytic attacks try to reconstruct the plaintext data, the plaintext addresses and at best the cryptographic keys. If successful, the gained plaintexts and keys (together with other information, cf. memory address scrambling) enable or support further attacks: calculating the physical location of other ciphertexts in memory, understanding data read from the memory or the data bus, reconstructing their logical addresses, reverse-engineering the executed program and so forth.

These physical attacks may be conducted at different points of the TOE implementation; figure 4 illustrates these attack scenarios. The yellow ochre arrows indicate physical attacks, the blue arrows indicate passive and the red arrows indicate active access to the plaintexts and ciphertexts.

Passive physical attacks may bypass the encryption; these include but are not limited to the following:

(1) Reading the plaintext addresses from the address bus segments between the CPU and the MMU or between the MMU and the address encryption module during reading or writing of the data under attack bypasses the address encryption.

(2) Reading the plaintext data from the plaintext data bus segment during reading or writing of the data under attack bypasses the data encryption. Note that this bypass of the data encryption reads plaintext blocks in the sequence they are used by the CPU. This information may be sufficient for reconstruction of the logical addresses and therefore bypass the address encryption as well.

(3) Reading the plaintext data from the plaintext data bus segment and the plaintext addresses on the address bus segments during reading or writing of the data under attack bypasses the memory encryption.

(4) Reading of the data decryption key components from the key storage, reading the addresses from the plaintext address bus segments, and reading the ciphertexts with their physical addresses bypass the memory encryption.

(5) Reading of the data decryption key components and the address encryption key components from the key storage, and reading the ciphertexts with their physical addresses bypass the memory encryption.

Figure 4: Memory attack scenarios

Passive physical attacks may provide prerequisites for cryptanalytic attacks which include but are not limited to the following:

(1) Reading data on the ciphertext data bus segment provides encrypted data for ciphertext only attacks on the data encryption using redundancy within data blocks, without consideration of the relationship between plaintext data blocks.

(2) Reading addresses on the ciphertext address bus segment provides encrypted physical addresses for ciphertext only attacks on the address encryption using redundancy within address sequences in the executed program. Note that in some cases (e. g. RAM) the attacker may determine the location of the memory cells actually read or written by direct optical inspection through the light emission of hardware activity.

(3) Reading of stored data with their physical addresses directly from the memory provides encrypted data and encrypted addresses for ciphertext only attacks on the memory encryption (even when the TOE is switched off). This attack on the memory encryption implies attacks on the data encryption and the address encryption.

(4) Reading data on the ciphertext data bus segment and reading addresses on the ciphertext address bus segment when the TOE is running provide encrypted data and encrypted addresses for ciphertext only attacks on the memory encryption.

(5) Reading data from the plaintext data bus segment and reading data from the ciphertext data bus segment when the TOE is running provide plaintext-ciphertext pairs for known plaintext attacks on the data encryption, without consideration of the relationship between plaintext data blocks.

(6) Reading of addresses from the address bus segments between the CPU and the MMU or between the MMU and the address encryption module, and reading of addresses from the ciphertext address bus segment when the TOE is running provide plaintext-ciphertext pairs for known plaintext attacks on the address encryption.

(7) Reading of plaintext data, ciphertext data, plaintext addresses and ciphertext addresses from the respective bus segments when the TOE is running provides plaintext-ciphertext pairs for known plaintext attacks on the memory encryption with consideration of the relationship between data blocks. This attack on the memory encryption aims at the reconstruction of the keys used for data encryption and address encryption. If performed successfully, it allows the reconstruction of plaintexts from ciphertexts and physical addresses read from the encrypted memory.

Note that the attacker may gain information about plaintext data and plaintext addresses from other sources as well, e. g. if the code executed while reading the data or addresses is known or may be guessed. These attack scenarios depend on the operational environment of the security integrated circuit or the embedded software of the smartcard or other device as TOE.

Active physical attacks may manipulate stored data in the memory, data transferred on the data bus, the addresses on the address bus or data within the cryptographic modules. They may provide prerequisites for additional cryptanalytic attacks which include but are not limited to the following:

(1) Modification of data on the plaintext data bus segment and reading of data on the ciphertext data bus segment provide plaintext-ciphertext pairs for chosen plaintext attacks on the data encryption.

(2) Modification of data on the ciphertext data bus segment and reading of data on the plaintext data bus segment provide plaintext-ciphertext pairs for chosen ciphertext attacks on the data encryption.

(3) Modification of addresses on the address bus segments between the CPU and the MMU or between the MMU and the address encryption module and reading of the ciphertext addresses on the ciphertext address bus segment provide plaintext-ciphertext pairs for chosen plaintext attacks on the address encryption.

(4) Modification of memory content and reading of the corresponding data on the plaintext data bus segment when the manipulated memory part is read provide plaintext-ciphertext pairs for chosen ciphertext attacks on the data encryption.

(5) Manipulation of the key storage in order to cause errors or generate related keys.

Note that chosen ciphertext attacks are not possible for the address encryption because no decryption algorithm is implemented for it. Chosen ciphertext attacks on read-only memory require physical manipulation of the memory content.

The attacker may use specific behavior of the TOE in cases of manipulation or perturbation, which includes but is not limited to the following examples:

(1) Reset of a smartcard forces the CPU to start program execution at logical address 0.

(2) If the CPU reads the program code 0x00, the CPU will execute “no operation” (i. e. assembler code NOP) and read the code byte from the next logical address.

In summary it can be said that the vulnerability analysis of the non-cryptographic memory protection provides

• the basis for the decision whether the vulnerability analysis of the memory encryption will be performed or not,

• the goal of the cryptanalysis of memory encryption, namely to determine whether the cryptographic mechanisms fill the gap to the claimed resistance, and

• the conditions and the criteria of success for the cryptanalytic attacks.

As a general rule one may observe that the effort of the physical attacks providing the necessary conditions for the cryptanalytic attacks and the effort of the cryptanalytic attacks themselves are antagonistic:

• easy physical attacks enable only more difficult cryptanalytic attacks based on limited information, e. g. reading ROM provides only ciphertext data and ciphertext addresses, for simultaneous attacks on the data and address encryption schemes,

• comfortable cryptanalytic attacks require complex and therefore expensive (in terms of attack potential) physical attacks, e. g. chosen plaintext attacks require active and passive attacks at two different places in the device.

4.2 Identification of potential vulnerabilities of memory encryption

The vulnerability analysis of the memory protection will be performed by the evaluator in one step or two steps. In the first step the evaluator analyses the potential vulnerabilities and the resistance of the memory against attacks if only the protection provided by the non-cryptographic security mechanisms is taken into account. Note that in the first step of the vulnerability analysis the evaluator bears in mind the existence of the memory encryption but does not assess its contribution to resisting attacks. If the evaluator finds potential vulnerabilities where the non-cryptographic security countermeasures alone are not sufficient to resist attacks with the attack potential claimed in the security target, then the evaluator will extend the vulnerability analysis in the second step, analysing potential vulnerabilities and assessing the effectiveness of the cryptographic security countermeasures. The results of the assessment of the cryptographic security countermeasures will be taken into account for the assessment of the complex attacks on the data stored in the memory.

Because of the limited resources for memory encryption and the potential vulnerability of direct physical attacks on the keys and the cryptographic module itself, the memory encryption cannot ensure security strength as for communication, but it may increase the necessary attack potential to the claimed level of resistance.

The evaluator shall perform an independent focused or methodical vulnerability analysis of the TOE according to the AVA component claimed in the security target. This analysis shall identify potential vulnerabilities of the TOE.

Typical potential vulnerabilities of memory encryption are the following.

(1) Keys allow for brute-force attacks. The brute force attack tries all possible cryptographic keys for decryption of given ciphertexts in order to find a key providing the corresponding plaintext. Note that for brute force attacks the attacker needs reliable criteria for checking the correct key, such as redundant plaintexts or ideally plaintext-ciphertext pairs. The attacker will succeed if the set of possible keys is small enough (e. g. because of short keys) or if insufficient entropy used for key generation enables an effective key guessing strategy (cf. [KS2011]). Key generation by means of an appropriately strong true random number generator ensures the maximum guessing effort depending on the key length (cf. [RNG]). The number of keys the attacker may guess depends on the time and equipment available for the attack (cf. chapter 4.3).

(2) Low complexity of the cryptographic algorithm allows for algebraic attacks. The cryptographic modules implement simple cryptographic algorithms due to the limited resources provided for the implementation of the cryptographic modules and for the time of the cryptographic operations. The low complexity of the cryptographic algorithm may allow the attacker to calculate the key directly from known plaintext-ciphertext pairs by solving the equations between plaintext, ciphertext and keys, to approximate these equations by linear equations, to split the key into parts which can be calculated separately, and so forth. Note that simplified cryptographic algorithms derived from strong cryptographic algorithms may be weaker than expected after a quick glance.

(3) Incorrect implementation results in cryptographic weaknesses. Only a correct implementation can reach the theoretically expected cryptographic strength of the algorithm. The security of a cryptographic module is very sensitive to implementation errors. Similar but incorrect implementations of the algorithm may have a cryptographic impact unforeseen by the developer, which is unlikely to increase the security and normally results in weak or unknown security.

(4) Insecure implementation bypasses cryptographic strength. Even a correct algorithmic implementation may be insecure because of side channels, proneness to failure and information leakage in case of perturbation, and so forth.

In addition to potential vulnerabilities the evaluator may determine missing assurance of the memory encryption.


(5) Proprietary algorithms are not sufficiently analysed. The developer may implement proprietary algorithms for memory encryption because their internal use has no need for interoperability. The vulnerability analysis may find obvious vulnerabilities, but the evaluation framework cannot afford a comprehensive cryptographic analysis of a proprietary algorithm to demonstrate sufficient strength. The developer is in charge of the cryptanalysis of its proprietary algorithms, which may be very specific and therefore expensive. The lack of evidence of cryptographic strength may result in an inconclusive verdict of the vulnerability analysis of the memory encryption.

The focused or methodical vulnerability analysis for AVA_VAN.3 to AVA_VAN.5 includes the search for publicly available information about potential vulnerabilities. The method of identification employed depends on the evaluator's experience and knowledge, which is monitored and controlled by the evaluation authority. The evaluator is assumed to have knowledge of the TOE-type technology and known security flaws as documented in the public domain (cf. CEM para. 1925, 1927). The vulnerability analysis shall use the CC evaluation scheme documents.

The search is expected to include

• proceedings of cryptologic conferences and workshops, e. g. organized by or in cooperation with the International Association for Cryptologic Research (IACR), cf. the home page www.iacr.org,

• cryptologic publications like the Cryptology ePrint Archive, cf. http://eprint.iacr.org.

Note that the publicly available sources will rather describe cryptanalytic methods than directly applicable cryptanalytic attacks on the memory encryption under evaluation, especially in the case of proprietary cryptographic algorithms. The application of the cryptanalytic methods to the concrete cryptographic algorithms depends on the expertise of the attacker, and its assessment requires cryptologic knowledge and expertise of the evaluator.

The search for vulnerabilities of the memory encryption may start from different points of view: from potential physical vulnerabilities or potential cryptographic vulnerabilities, from data encryption or address encryption. The evaluator should analyse the physical attack part first in order to determine the conditions for the cryptanalytic attack on data encryption or address encryption or both together, i. e. whether the attacker obtains probabilistic guesses of plaintext-ciphertext pairs, known plaintext-ciphertext pairs, chosen plaintext or chosen ciphertext. When these conditions are clearly understood the evaluator may analyse whether the cryptographic algorithm is vulnerable under these conditions. The evaluator may also know potential cryptanalytic attacks against data encryption or address encryption and analyse whether they can be practically mounted under the specific conditions. The attacker may use the redundancy within the plaintext data blocks and then use dependencies between the plaintext data blocks. In many cases the evaluator will combine these approaches.

4.3 Characterization of the attack potential for cryptanalytic attacks on memory encryption

The work units AVA_VAN.x.11 (cf. CEM and AIS34) require the evaluator to examine the results of all penetration testing to determine that the TOE, in its operational environment, is resistant to an attacker possessing the attack potential claimed in the security target. The vulnerability analysis of memory encryption performed by the evaluators assesses the cryptanalytic attack effort as part of the effort of a complex attack on the memory that provides all necessary conditions for the cryptanalytic attack and violates a security functional requirement. But this vulnerability analysis neither requires nor claims to be a comprehensive cryptanalysis of the memory encryption. The certification body shall review the vulnerability assessment of the memory protection, including the vulnerability analysis of memory encryption as its part. The confirmation of the resistance against attacks on memory protection cannot be seen as a general confirmation of the cryptographic strength of the memory encryption scheme.

The attack potential calculation for smartcards and similar devices distinguishes between the identification phase and the exploitation phase of an attack (cf. [SDAP]).

The identification phase of a cryptanalytic attack may include

• the determination of the fixed parts of the cryptographic algorithms implemented in the cryptographic modules of the memory encryption, e. g. from publicly available information or reconstruction means of cryptanalytic methods,

• the reconstruction of the variable parts of the cryptographic algorithms implemented in the cryptographic modules valid for the TOE under attack in the exploitation phase but also implemented in TOE instantiations available in the identification phase, e. g. long-term keys or group keys,

• the adaption of publicly known cryptanalytic attacks or the development of specific cryptanalytic attacks on the memory encryption algorithms,

• the development of tools for the cryptanalytic attacks applicable to the memory encryption algorithms.

Note that the identification phase may provide keys valid for the TOE samples available in the identification phase but not the device-individual keys used for the concrete TOE under attack in the exploitation phase. E. g. the developer chooses the substitution boxes of a block cipher for each customer-specific instantiation of the TOE from a well-defined set of permutations. The attacker may reconstruct a subset of substitution boxes as long-term keys in the identification phase but must identify the concrete substitution boxes used for the TOE sample under attack. The attack effort clearly depends on the number of TOE samples implementing the same key and the availability of these samples for attacks.

In the exploitation phase the attacker applies the cryptanalytic attacks developed in the identification phase to attack concrete TOE samples. The attacker may use the information gained and the tools developed by himself or provided by another attacker. The cryptanalytic attack aims at assets stored in the memory of the TOE samples under attack, namely

• the reconstruction of information encoded in the plaintext for a given ciphertext enabling or supporting other attacks on the TOE,

• the reconstruction of prior unknown plaintexts for given ciphertexts of the TOE sample without reconstruction of the used cryptographic key,

• the reconstruction of prior unknown keys enabling the reconstruction of the plaintext from given ciphertext of the TOE sample.

E. g. if the ROM encryption uses ROM keys which are different for each customer photo mask but the same for all products produced with the same photo mask, the attacker will reconstruct the specific ROM key in order to decrypt the ciphertext read from the ROM of the TOE sample under attack. If the dedicated software stored in this ROM is partly known from other sources (e. g. other chips), this information may be used to reconstruct the specific ROM key and to decrypt ciphertext parts read from the ROM and containing prior unknown plaintext of the embedded software.

The calculation of the attack potential required to exploit a vulnerability is generally defined in CEM Annex B chapter 4.2:


a) Time taken to identify and exploit (Elapsed Time);

b) Specialist technical expertise required (Specialist Expertise);

c) Knowledge of the TOE design and operation (Knowledge of the TOE);

d) Window of opportunity;

e) IT hardware/software or other equipment required for exploitation.

These factors are described in more detail and extended with the factor “Open samples” for the technical domain smartcards in CCDB-2009-03-001 [SDIC]. The document on hand describes further details for the factors “Specialist Expertise”, “Knowledge of the TOE” and “IT hardware/software or other equipment” applicable to the cryptanalysis of memory encryption in the context of the vulnerability analysis of the memory protection. It additionally gives clarification about the use of open samples. For the factors “Elapsed Time” and “Access to TOE”³ no further details are provided. The points assigned for the defined categories of the factors in [SDIC] are not changed.

Note that cryptanalysis normally assesses the attack effort as a tradeoff between time and memory for calculation under the condition that all fixed parts of the cryptographic scheme are known. The evaluator is searching for the best attack minimizing the attack effort as a tradeoff between

• IT hardware/software or other equipment, which includes aspects of memory and time of calculation,

• Elapsed Time, including the time for cryptanalytic calculation but also the time for identification of the attack,

• Specialist Expertise on different levels but always assumed as Expert in the cryptanalysis,

• under different conditions given by Knowledge of the TOE.

The factor “Specialist Expertise” refers to the level of generic knowledge of the underlying principles, product type or attack methods (cf. CEM para. 1973). For the vulnerability analysis of memory encryption this factor applies to the specific cryptanalytic knowledge of the attacker necessary to perform the cryptanalytic attack.

The expert level “Laymen” is applicable to attackers without particular cryptanalytic knowledge but able to apply publicly available tools (cf. factor Standard equipment). The “Proficient” level of expertise assumes the knowledge and understanding of publicly known cryptanalytic attacks, so as to be able to adapt them to the specific algorithms of the TOE memory encryption. As an example one may think of the application of differential cryptanalysis to a block cipher with a customer-specific substitution box. It is expected that the Proficient level will be required as a minimum for the development of Specialized equipment as defined below. The “Expert” level attacker is familiar with and able to develop specific cryptanalytic attacks for proprietary algorithms. The development of specific cryptanalytic attacks on the memory encryption of the TOE may require deep knowledge and experience of cryptanalytic techniques. The Expert is required if a prior unknown complex cryptographic algorithm must be reconstructed by cryptanalytic attacks instead of re-engineering the cryptographic module from the TOE itself (cf. factor Knowledge of the TOE). It is expected that the Expert level will be required for effective usage of Bespoke equipment as defined below.

The factor “Specialist Expertise“ shall be applied for memory encryption as summarized in table 5.

³ [SDIC] uses the term “Access to TOE” instead of “Window of opportunity” in [CEM].

| Level | Definition according to CEM chapter B.4.2 | Detailed definition to be used in smartcard evaluations (cf. CCDB-2009-03-001 [SDIC]) | Detailed definition to be used in memory encryption analysis |
|---|---|---|---|
| Laymen | No particular expertise | No particular expertise | No particular expertise. Application of publicly available tools to perform publicly known attacks only. |
| Proficient | Familiar with security behaviour of the TOE | Familiar with security behaviour of the TOE and classical attacks | Familiar with and able to adapt publicly known cryptanalytic attacks to specific algorithms. |
| Expert | Familiar with implemented algorithms, protocols and hardware structures of the TOE; and principles and concepts of security | Familiar with developers' knowledge, namely algorithms, protocols, hardware structures, principles and concepts of security; and techniques and tools for the definition of new attacks | Familiar with and able to develop specific cryptanalytic attacks for proprietary algorithms |

Table 5: Expertise of the attacker

The factor “Knowledge of the TOE” is concerned with the information required for an attacker to be able to attack a TOE (cf. CEM para. 1983). Here this factor relates to the details and the protection of information about the cryptographic modules, the variable parts of the cryptographic algorithms and the data necessary for the cryptographic attack. The knowledge can be gained from the development side, the documentation provided to the users (e. g. the application developer of a composite product), public sources or by re-engineering of the TOE samples. The evaluator should consult the developer's security policy and the protection of the relevant TOE knowledge in order to confirm the assumed level (cf. ALC_DVS evaluator activities). The evaluator shall consider the other results of the vulnerability analysis in order to assess the attack effort for reconstruction of the necessary information by re-engineering of the TOE samples and memory protection.

The level “Public” relates to information available in the public domain. Note that public information may include general information or even TOE-specific information, e. g. cryptographic algorithms of the memory encryption, cryptanalytic attacks, compromised long-term or group keys, plaintext of stored data.

The levels “Restricted”, “Sensitive” and “Critical” address the protection of the information in the development environment. Table 6 provides typical examples of information expected under this protection. The evaluator is reminded that this information may also be gained from the TOE sample under attack by non-cryptographic and cryptanalytic attacks. Cryptanalytic attacks without prior knowledge of the used cryptographic algorithm are possible only in rare cases of weak encryption schemes or by Experts reconstructing the encryption scheme. Note that the level “Very critical hardware design” will not be used for the knowledge of the TOE related to cryptanalytic attacks, because this knowledge relates to the logical functionality of the TOE only.

The factor “Knowledge of the TOE” shall be applied for memory encryption as shown in table 6.

| Level | Definition according to CEM chapter B.4.2 | Detailed definition to be used in smartcard evaluations (cf. CCDB-2009-03-001 [SDIC]) | Detailed definition to be used in memory encryption analysis |
|---|---|---|---|
| Public | Public information concerning the TOE (e. g. as gained from the Internet) | This is information in the public domain. | Cryptographic algorithms of memory encryption if publicly available. |
| Restricted | Restricted information concerning the TOE (e. g. knowledge that is controlled within the developer organization and shared with other organizations under a non-disclosure agreement) | This corresponds to assets which are passed about during the various phases of smartcard development. | Proprietary algorithm if described in documentation like functional specification, guidance documentation |
| Sensitive | Sensitive information about the TOE (e. g. knowledge that is shared between discreet teams within the developer organization, access to which is constrained only to members of the specified teams) | TOE design on level of subsystems and modules (HLD and LLD information) | Proprietary algorithm if not described in customer documentation |
| Critical | Critical information about the TOE (e. g. knowledge that is known by only a few individuals, access to which is very tightly controlled on a strict need to know basis and individual undertaking). | Implementation representation (Design and Source Code). | Long-term keys like substitution boxes, group keys |
| Very critical hardware design | (not defined) | Information contained in data bases and bespoke development tools. The access to useful data requires an enormous and time consuming effort which would make detection likely even with the support from an insider. | (not applicable) |

Table 6: Knowledge of the TOE


The factor “IT hardware/software or other equipment” refers to the equipment required to identify or exploit a vulnerability (cf. CEM para. 1982) and takes the equipment category, price and availability into account (cf. [SDIC] para. 35). The rating “None” is applicable only if the calculation may be performed by hand (e. g. if xoring ciphertext and plaintext provides the key). The definition of “Standard equipment” includes a personal computer or workstation with publicly available software implementing standard cryptanalytic attacks, including support for calculation on GPUs and clusters. It takes into account that there are publicly available tools that implement standard cryptanalytic techniques for standard cryptographic algorithms and do not require cryptanalytic knowledge of the attacker itself. The rating “Specialized” equipment includes tools developed for proprietary cryptographic algorithms, adapted for cryptanalytic attacks due to specific prerequisites of the TOE, or running on publicly available non-standard computers. Specialized tools may be developed in the identification phase and be readily available to the attacker in the exploitation phase. “Bespoke” tools are not readily available to the public as they may need to be specially produced or their distribution is controlled, possibly even restricted. Examples of Bespoke equipment for cryptanalytic attacks are special hardware devices with special software for cryptanalytic calculations, e. g. a non-standard key cruncher.

The factor “IT hardware/software or other equipment” shall be applied for memory encryption as summarized in table 7.

| Level | Definition according to CEM chapter B.4.2 | Detailed definition to be used in smartcard evaluations (cf. CCDB-2009-03-001 [SDIC]) | Detailed definition to be used in memory encryption analysis |
|---|---|---|---|
| None | | | No equipment needed, e. g. for calculation performed by hand. |
| Standard | Standard equipment is readily available to the attacker, either for the identification of a vulnerability or for an attack. | cf. CEM for definition and [SDIC] for examples. | Publicly available software for PC implementing standard cryptanalytic attacks, including support for calculation on GPU and cluster. |
| Specialized | Specialised equipment is not readily available to the attacker, but could be acquired without undue effort. | This type of equipment shall be considered as the type of expensive equipment which universities have in their possession, cf. [SDIC] for examples. | Non-publicly available tools developed for proprietary algorithms but acquired without undue effort. |
| Bespoke | Bespoke equipment is not readily available to the public as it may need to be specially produced (e. g. very sophisticated software), or because the equipment is so specialised that its distribution is controlled, possibly even restricted. Alternatively, the equipment may be very expensive. | cf. [SDIC] | Special hardware devices with special software for cryptanalytic calculations. |

Table 7: Equipment

The [SDIC] introduces the factors “Open sample” and “Samples with known secrets” for the technical domain smartcards in the context of composite evaluations [SDCE]. Open samples allow the composite evaluator to put software on the hardware platform at his own discretion that bypasses countermeasures prescribed in the IC guidance. Samples with known secrets refers to a TOE for which the evaluator knows or can define one or more pieces of secret data, such as a PIN or key, for performing either passive (monitoring) or fault attacks. Open samples or Samples with known secrets available to an attacker enable specific attack paths and support the re-engineering of security features of the TOE. Open samples and Samples with known secrets will be of relevance for the vulnerability analysis of memory encryption in very special cases only. E. g. if the memory encryption may be enabled and disabled, Open samples allow malicious software running on the TOE to get direct access to ciphertext stored in the memory, yielding known-plaintext-ciphertext pairs, chosen-plaintext-ciphertext pairs or plaintext-chosen-ciphertext pairs used by cryptanalytic attacks. Samples with known secrets may be used to generate templates for side channel analysis of memory encryption.

The evaluator shall calculate the attack potential necessary for all identified successful attack paths. The easiest case of cryptanalytic attacks is the exhaustive key search, which provides an upper bound of the time and memory complexity of the attacks in terms of the factors “Elapsed time”, “IT hardware/software or other equipment” and “Specialist Expertise” (necessary to handle the equipment), assuming the necessary plaintext-ciphertext pairs are given but without consideration of cryptanalytic vulnerabilities of the cryptographic algorithms allowing for more effective attacks. The evaluator may use a coarse estimation of the number of keys an attacker may try per second based on brute force attacks on 128-bit AES as follows

• 1 personal computer: about 10^8 keys per second,

• 1 graphical processor unit (GPU): 4*10^8 keys per second,

• 1 FPGA running with 200 MHz: 2*10^8 keys per second, and

• 1 special device with about 2500 FPGA: 1.2*10^11 keys per second.

A special personal computer may run with 4 GPUs. The number of keys tried per second depends on the efficiency of the implementation of the cryptographic algorithm. Some algorithms are designed for high-speed software implementations, like AES; other algorithms are more time consuming, e. g. if they require bit permutations. Note that the brute force attack can be organized in parallel on several devices. The vulnerability analysis should consider that the range of equipment at the disposal of a potential attacker is constantly improving.
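The following worked example is added here and is not part of the BSI document; it turns the coarse per-device key-trial rates quoted above into the “Elapsed time” upper bound for an exhaustive key search of a given key length and equipment mix, and also shows the effect of a key generated with less entropy than its nominal length. The equipment class names, the function names and the scenarios are assumptions of this example.

```python
"""Exhaustive key search effort estimate for memory encryption keys.

Added example (not from the BSI document): uses the document's coarse
key-trial rates (brute force on 128-bit AES) to bound the elapsed time of
an exhaustive search for a chosen key length and equipment mix.
"""
from __future__ import annotations

# Coarse key-trial rates per device in keys per second, as quoted in the
# document. Ciphers needing bit permutations will run slower than these
# AES-based figures, so the estimate is an upper bound on attacker speed.
KEY_RATE: dict[str, float] = {
    "pc": 1e8,                    # 1 personal computer
    "gpu": 4e8,                   # 1 graphics processing unit
    "fpga_200mhz": 2e8,           # 1 FPGA running at 200 MHz
    "special_2500_fpga": 1.2e11,  # 1 special device with about 2500 FPGAs
}

SECONDS_PER_DAY = 86400.0
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def aggregate_key_rate(equipment: dict[str, int]) -> float:
    """Total trial rate of devices searching disjoint key ranges in parallel."""
    total = 0.0
    for name, count in equipment.items():
        if name not in KEY_RATE:
            raise KeyError(f"unknown equipment class: {name}")
        if count < 0:
            raise ValueError("device count must be non-negative")
        total += KEY_RATE[name] * count
    if total == 0.0:
        raise ValueError("at least one device is required")
    return total


def effective_key_bits(key_bits: int, entropy_bits: int | None = None) -> int:
    """Size (in bits) of the key space the attacker actually has to search.

    A key generated with insufficient entropy (cf. [KS2011]) leaves the
    attacker a smaller space than the nominal key length suggests.
    """
    if key_bits <= 0:
        raise ValueError("key length must be positive")
    if entropy_bits is None:
        return key_bits
    if entropy_bits <= 0:
        raise ValueError("entropy must be positive")
    return min(key_bits, entropy_bits)


def expected_search_seconds(key_bits: int, equipment: dict[str, int],
                            entropy_bits: int | None = None) -> float:
    """Expected elapsed time: on average half of the key space is tried."""
    bits = effective_key_bits(key_bits, entropy_bits)
    return (2 ** bits / 2) / aggregate_key_rate(equipment)


def worst_case_search_seconds(key_bits: int, equipment: dict[str, int],
                              entropy_bits: int | None = None) -> float:
    """Worst-case elapsed time: the whole key space is tried."""
    bits = effective_key_bits(key_bits, entropy_bits)
    return (2 ** bits) / aggregate_key_rate(equipment)


def min_key_bits_exceeding(days: float, equipment: dict[str, int]) -> int:
    """Smallest key length whose expected search takes longer than `days`."""
    if days <= 0:
        raise ValueError("days must be positive")
    bits = 1
    while expected_search_seconds(bits, equipment) <= days * SECONDS_PER_DAY:
        bits += 1
    return bits


def describe(seconds: float) -> str:
    """Human-readable duration in seconds, days or years."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds:.1f} s"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.2f} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    # Constructed scenarios: one PC, one PC with 4 GPUs (mentioned in the
    # text) and one 2500-FPGA special device.
    scenarios = {
        "1 PC": {"pc": 1},
        "1 PC + 4 GPU": {"pc": 1, "gpu": 4},
        "special device": {"special_2500_fpga": 1},
    }
    for key_bits in (32, 48, 56, 64, 80, 128):
        row = ", ".join(f"{n}: {describe(expected_search_seconds(key_bits, eq))}"
                        for n, eq in scenarios.items())
        print(f"{key_bits:3d}-bit key -> {row}")
    # A nominal 128-bit key derived from only 40 bits of entropy.
    print("128-bit key, 40-bit entropy, 1 PC + 4 GPU ->",
          describe(expected_search_seconds(128, scenarios["1 PC + 4 GPU"], 40)))
```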


Literature

General literature

[CC] Common Criteria, Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July 2009, Part 1: Introduction and General Model, CCMB-2009-07-001, Part 2: Security Functional Requirements, CCMB-2009-07-002, Part 3: Security Assurance Requirements, CCMB-2009-07-003

[CEM] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 3, July 2009, CCMB-2009-07-004

[SDCE] Supporting Document Mandatory Technical Document Composite product evaluation for Smart Cards and similar devices, September 2007, Version 1.0, Revision 1, CCDB-2007-09-001

[SDAP] Supporting Document Mandatory Technical Document Application of Attack Potential to Smartcards, March 2009, Version 2.7, Revision 1, CCDB-2009-03-001

[SDIC] Supporting Document Mandatory Technical Document Application of CC to Integrated Circuits, Version 3.0, March 2009, CCDB-2009-03-002

[SDSE] Supporting Document Guidance Smartcard Evaluation, February 2010, Version 2.0, CCDB-2010-03-001

[AIS34] AIS34: Evaluation Methodology for CC Assurance Classes for EAL5+ (CC v2.3 & v3.1) and EAL6 (CC v3.1), Version 3, BSI, 03.09.2009

[RNG] Evaluation of random number generators, Version 0.8, BSI, 2011

[KS2011] W. Killmann, W. Schindler: “A proposal for: Functionality classes for random number generators”, Version 2.0, September 18, 2011

[ISO7498] ISO 7498-2:189 Information processing systems – Open Systems Interconnection – Basic Reference Model-Part 2: Security Architecture

Cryptologic literature

[1] A. J. Menezes, P. van Oorschot, and S. Vanstone: “Handbook of Applied Cryptography”. CRC Press, 1997

[2] E. Biham, A. Shamir: Differential Cryptanalysis of DES-like Cryptosystems, Advances in Cryptology, proceedings of CRYPTO ’90, Lecture Notes in Computer Science 537, pp. 2–21, Springer-Verlag, 1991

[3] L. R. Knudsen: Truncated and Higher Order Differentials, proceedings of Fast Software Encryption 2, Lecture Notes in Computer Science 1008, pp. 196–211, Springer-Verlag, 1995

[4] N. Courtois and G. V. Bard: Algebraic Cryptanalysis of the Data Encryption Standard, In Cryptography and Coding, 11-th IMA Conference, Cirencester, UK, 2007

[5] N. Courtois, G. V. Bard, and D. Wagner: Algebraic and slide attacks on KeeLoq, Fast Software Encryption – FSE 2008, Lecture Notes in Computer Science, pages 97–115. Springer-Verlag, Berlin, Germany, 2008


[6] D. Khovratovich and I. Nikolic: Rotational cryptanalysis of ARX, Proceedings of the 17th International Conference on Fast Software Encryption (FSE’10), Seokhie Hong and Tetsu Iwata (Eds.). Springer-Verlag, Berlin, 2010

[7] M. Matsui: Linear Cryptanalysis Method for DES Cipher, Abstracts of EUROCRYPT’93, pp. W112–W123, May 1993

[8] J. Y. Soto: Linear Cryptanalysis of Reduced-Round PRESENT, The Cryptographer’s Track at RSA Conference – CT-RSA, pp. 302-317, 2010

[9] N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting: Improved Cryptanalysis of Rijndael, Proceedings of the 7th International Workshop on Fast Software Encryption (FSE ’00), Bruce Schneier (Ed.). Springer-Verlag, London, UK, 213-230, 2000

[10] A. Biryukov and D. Wagner: Slide Attacks, Proceedings of the 6th International Workshop on Fast Software Encryption (FSE ’99), Lars R. Knudsen (Ed.). Springer-Verlag, London, UK, 245-259, 1999

[11] D. Wagner: The Boomerang Attack, Proceedings of the 6th International Workshop on Fast Software Encryption (FSE ‘99), Lars R. Knudsen (Ed.). Springer-Verlag, London, UK, 156-170, 1999

[12] J. Kelsey, T. Kohno, and B.Schneier: Amplified Boomerang Attacks Against Reduced-Round MARS and Serpent, Proceedings of the 7th International Workshop on Fast Software Encryption (FSE ‘00), Bruce Schneier (Ed.). Springer-Verlag, London, UK, 75-93, 2000

[13] E. Biham: New types of cryptanalytic attacks using related keys, Workshop on the theory and application of cryptographic techniques on Advances in cryptology (EUROCRYPT ’93), Tor Helleseth (Ed.). Springer-Verlag New York, Inc., Secaucus, NJ, USA, 398-409, 1994

[14] E. Biham, A. Biryukov, and A. Shamir: Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials, Proceedings of the 17th international conference on Theory and application of cryptographic techniques (EUROCRYPT’99), Jacques Stern (Ed.). Springer-Verlag, Berlin, Heidelberg, 12-23, 1999

[15] B. Collard and F.-X. Standaert: A Statistical Saturation Attack against the Block Cipher PRESENT, Proceedings of the Cryptographers’ Track at the RSA Conference 2009 on Topics in Cryptology (CT-RSA ’09), Marc Fischlin (Ed.). Springer-Verlag, Berlin, Heidelberg, 195-210, 2009

[16] Thomas Jakobsen and Lars R. Knudsen: The Interpolation Attack on Block Ciphers, Proceedings of the 4th International Workshop on Fast Software Encryption (FSE ‘97), Eli Biham (Ed.). Springer-Verlag, London, UK, 28-40, 1997

[17] A. Bogdanov and V. Rijmen: Zero-Correlation Linear Cryptanalysis of Block Ciphers, Cryptology ePrint Archive, Report 2011/123, http://eprint.iacr.org/2011/123, 2011

[18] X. Zhuang, T. Zhang, and S. Pande: HIDE: an infrastructure for efficiently protecting information leakage on the address bus, Proceedings of the 11th international conference on Architectural support for programming languages and operating systems (ASPLOS-XI). ACM, New York, NY, USA, 72-84. DOI=10.1145/1024393.1024403 http://doi.acm.org/10.1145/1024393.1024403, 2004

[19] L. Gao, J. Yang, M. Chrobak, Y. Zhang, S. Nguyen, and H.-H. S. Lee: A low-cost memory remapping scheme for address bus protection, Proceedings of the 15th international conference on Parallel architectures and compilation techniques (PACT '06). ACM, New York, NY, USA, 74-83. DOI=10.1145/1152154.1152169, 2006

[20] X. Zhuang, T. Zhang, H.-H. S. Lee, and S. Pande: Hardware assisted control flow obfuscation for embedded processors, Proceedings of the 2004 international conference on Compilers, architecture, and synthesis for embedded systems (CASES '04). ACM, New York, NY, USA, 292-302. DOI=10.1145/1023833.1023873 http://doi.acm.org/10.1145/1023833.1023873, 2004

[21] M. Albrecht and C. Cid: Algebraic Techniques in Differential Cryptanalysis, Fast Software Encryption (FSE 2009), Orr Dunkelman (Ed.). Lecture Notes in Computer Science, Vol. 5665. Springer-Verlag, Berlin, Heidelberg, 193-208, 2009

[22] L. Yang, M. Wang, and S. Qiao: Side Channel Cube Attack on PRESENT, Proceedings of the 8th International Conference on Cryptology and Network Security (CANS '09), Juan A. Garay, Atsuko Miyaji, and Akira Otsuka (Eds.). Springer-Verlag, Berlin, Heidelberg, 379-391, 2009

[23] M. Dworkin and National Institute of Standards and Technology (U.S.): Special Publication 800-38E, Recommendation for block cipher modes of operation: the XTS-AES mode for confidentiality on storage devices, 2010

[24] P. Rogaway: Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC, Asiacrypt 2004. LNCS vol. 3329. Springer, 2004

[25] M. Renauld and F.-X. Standaert: Algebraic Side-Channel Attacks, Cryptology ePrint Archive, Report 2009/279, http://eprint.iacr.org/2009/279, 2009

[26] A. Bogdanov and C. Rechberger: A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN, Selected Areas in Cryptography, 17th Annual International Workshop, SAC 2010, Lecture Notes in Computer Science (LNCS), vol. 6544, A. Biryukov, G. Gong, and D. R. Stinson (Eds.), pp. 229-240, Springer-Verlag, 2011

[27] T. Jakobsen and L. R. Knudsen: The Interpolation Attack on Block Ciphers, Proceedings of the 4th International Workshop on Fast Software Encryption (FSE '97), Eli Biham (Ed.). Springer-Verlag, London, UK, 28-40, 1997

[28] I. Dinur and A. Shamir: Cube Attacks on Tweakable Black Box Polynomials, Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques (EUROCRYPT '09), Antoine Joux (Ed.). Springer-Verlag, Berlin, Heidelberg, 278-299, 2009

[29] M. Liskov, R. L. Rivest, and D. Wagner: Tweakable Block Ciphers, Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology (CRYPTO '02), Moti Yung (Ed.). Springer-Verlag, London, UK, 31-46, 2002

[30] L. R. Knudsen, M. J. B. Robshaw: The Block Cipher Companion, Springer-Verlag, 2011

[31] A. Joux: Algorithmic Cryptanalysis, CRC Press, 2009

[32] G. V. Bard: Algebraic Cryptanalysis, Springer-Verlag, 2009

[33] A. Bogdanov, G. Leander, L. Knudsen, C. Paar, A. Poschmann, M. Robshaw, Y. Seurin, and C. Vikkelsoe: PRESENT - An Ultra-Lightweight Block Cipher, Cryptographic Hardware and Embedded Systems (CHES 2007); number 4727 in Lecture Notes in Computer Science, pages 450-466, Springer-Verlag, 2007

[34] M. Vielhaber: Breaking ONE.FIVIUM by AIDA, an Algebraic IV Differential Attack, Cryptology ePrint Archive, Report 2007/413, 2007

Glossary

The following definitions are closely related to the ones given in [1] and [ISO7498].

Basic Definitions

Asymmetric cryptographic algorithm A cryptographic algorithm which uses a key pair for complementary operations, where it is difficult for the adversary to derive one key of the pair from the other.

Avalanche effect A desirable property of block ciphers. When an input is changed slightly, then the output changes significantly.

Block cipher A cipher which encrypts data in blocks of a fixed size.

Cipher An encryption-decryption algorithm.

Ciphertext Encrypted data, the semantic content of which is not readily available (cf. [ISO7498]).

Confusion Confusion in an encryption process is provided by the substitution layer in a round of a cryptographic algorithm. Each ciphertext bit has highly nonlinear dependencies on the plaintext bits and the key bits.

Cryptography The discipline which embodies principles, means and methods for the transformation of data in order to hide its information content, prevent its undetected modification and/or its unauthorized use [ISO7498] including entity authentication [1].

Cryptology The study of cryptography and cryptanalysis [1].

Cryptosystem A system of cryptographic primitives that are used for providing security services.

Cryptographic module Cryptographic modules, which contain cryptographic algorithms, are used in systems for providing cryptographic services.

Decryption Reverse process of encryption, reconstructing the original data.

Diffusion Diffusion in an encryption process is provided by the transposition in a round of a cryptographic algorithm. It is the rearrangement or dissipation of bits in a message so that any change in the plaintext is dissipated over the ciphertext.

Encryption Transforming data into a form in order to hide its information content and allow only the intended receiver to reconstruct the original form with use of a cryptographic key.

Feistel network A symmetric structure used in construction of block ciphers which enables encryption and decryption algorithms to be highly similar, just requiring a reverse key schedule for decryption.

Key Variable parameter which is used in a cryptographic algorithm. Cryptographic algorithms may use the same key or different keys for complementary operation like encryption / decryption or signature-creation / signature-verification.

Mode of operation Methods for encryption and decryption of a collection of data blocks using a block cipher.

Permutation Mathematically, a mapping from a finite set of elements to itself where each element has one and only one image, i.e. an invertible function from the finite set to itself. The term is often used in cryptography for permutation of the position of characters within a string.

Plaintext Intelligible data, the semantic content of which is available [ISO7498]. Plaintext has not yet been encrypted or is the result of decryption.

Secret sharing Secret sharing is a method for distributing a secret amongst a group of participants. This secret can be reconstructed only when a sufficient number of shares are combined together.

Strict avalanche criterion A criterion which is satisfied if, whenever a single input bit is complemented, each of the output bits changes with probability 1/2.

Substitution Replacement of groups of bits (symbols) by other groups of bits.

Substitution-permutation network (SP-network) A series of separate mathematical operations for diffusion and confusion in block cipher algorithms.

Symmetric-Key Cipher A cryptographic algorithm which uses same or trivially related keys for encryption and decryption.

Transposition Permutation of characters or strings in a ciphertext, e. g. permutation of the bits in a bit-block, permutation of encrypted bit-blocks in a ciphertext.

Tweakable block cipher A construction which uses a (publicly known) parameter, the tweak, to select among a family of permutations over the data blocks, so that one key defines a different permutation for each tweak value [29].

Cryptanalysis Related Definitions

Active adversary A person who can also transmit, alter or delete information on an unsecured channel.

Advanced active adversary An active adversary which may additionally use external interfaces of a cryptographic module (e. g. for a chosen plaintext attack) but does not know the secret or private key used by the cryptographic module.

Adaptive chosen ciphertext attack A variant of the chosen ciphertext attack where the attacker can choose the collection of ciphertexts depending on previous trials.

Adaptive chosen plaintext attack A variant of the chosen plaintext attack where the attacker can choose plaintext samples based on previous trials.

Algebraic attack An attack which represents the encryption process as a set of equations and recovers the key by solving these equations.

Attack Successful or unsuccessful attempt for breaking a part or all of a cryptosystem.

Boomerang attack An attack method for cryptanalysis of block ciphers based on differential cryptanalysis; instead of one differential covering the whole cipher, it combines two short differentials, each covering about half of the cipher, in an adaptive chosen plaintext and ciphertext setting [11].

Chosen ciphertext attack An attack where the attacker can choose the collection of ciphertexts to be decrypted.

Chosen plaintext attack An attack where the attacker can choose the collection of plaintexts to be encrypted.

Ciphertext only attack An attack where the attacker has only a collection of ciphertexts and no knowledge of the corresponding plaintexts (apart from, possibly, general statistical properties of the plaintext source).

Cryptanalysis Use of mathematical techniques to break a cryptosystem.

Data complexity Number of plaintext-ciphertext pairs needed to execute an attack.

Dictionary attack A brute-force attack that tries passwords and/or keys from a pre-compiled list of values.

Differential attack (differential cryptanalysis) A chosen plaintext attack which relies on the analysis of how the difference between two plaintexts evolves through the rounds of the cipher.

Difference distribution table (DDT, a.k.a. XOR table) A table whose entry for a given input difference Δin and output difference Δout is the number of inputs x of an S-Box S for which S(x) ⊕ S(x ⊕ Δin) = Δout.

Differential-linear attack A mix of both linear cryptanalysis and differential cryptanalysis.

Distinguisher A statistical test which detects a deviation from the uniform distribution in the output of (for example) a block cipher, i.e. which tells the cipher apart from a random permutation.

Distinguishing attack An attack based on the extraction of information from encrypted data sufficient to distinguish it from random data.

Exhaustive search (brute-force attack) An attack where the attacker tries all reasonable possibilities to recover the key of a cryptosystem.

Integral attack A chosen plaintext attack which follows a property of a structured set of plaintexts (e. g. the XOR sum of all values, or the property of taking every value in some positions) through the cipher; it is particularly applicable to byte/nibble oriented block ciphers based on SP networks.

Key recovery An attacker's attempt for recovering the cryptographic key of a cipher.

Known plaintext attack An attack where the attacker has some, possibly a very large, amount of plaintext together with the associated ciphertext, but has no influence on which plaintexts are encrypted.

Linear approximation table (LAT) A table whose entry for an input mask a and an output mask b records how often the linear relation a·x = b·S(x) holds over all inputs x of an S-Box S, relative to half of the inputs; the entries give the biases of the linear approximations of the S-Box.

Linear attack (linear cryptanalysis) A known plaintext attack which uses linear approximations of the round functions to describe the behaviour of a block cipher [7].

Meet-in-the-middle attack An attack against multiply-encrypted or multi-round constructions in which the attacker computes the intermediate values forward from known plaintexts under all candidate keys of the first part and backward from the corresponding ciphertexts under all candidate keys of the second part. Matching intermediate values indicate candidate key combinations, which are then confirmed on further plaintext-ciphertext pairs; the key space is searched at the cost of the sum, rather than the product, of the sizes of the two partial key spaces.
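As an added example that is not part of the original document, the following Python code carries out a meet-in-the-middle attack on double encryption with a small toy SP-network (16-bit block, 16-bit key, three rounds of PRESENT-style S-box and bit permutation). The toy cipher, its key size and the plaintext/ciphertext pairs are constructed for this illustration only and are not a cipher or data from the document; only the S-box is taken from PRESENT [33].

```python
# Added example: meet-in-the-middle attack on double encryption of a toy 16-bit SP-network.
# The toy cipher (16-bit block, 16-bit key, 3 rounds) is constructed for this illustration only.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]  # PRESENT S-box [33]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Bit permutation modelled on PRESENT's pLayer, shrunk to 16 bits: bit i moves to 4*i mod 15, bit 15 is fixed.
PERM = [(4 * i) % 15 if i < 15 else 15 for i in range(16)]
INV_PERM = [PERM.index(i) for i in range(16)]
ROUNDS = 3
KEY_BITS = 16


def permute(x, perm):
    """Move bit i of the 16-bit word x to position perm[i]."""
    y = 0
    for i in range(16):
        if (x >> i) & 1:
            y |= 1 << perm[i]
    return y


# Per-nibble tables so that one round costs four lookups:
# ENC_T[n][v] = pLayer(S(v) placed in nibble n), DEC_P[n][v] = inverse pLayer of value v in nibble n.
ENC_T = [[permute(SBOX[v] << (4 * n), PERM) for v in range(16)] for n in range(4)]
DEC_P = [[permute(v << (4 * n), INV_PERM) for v in range(16)] for n in range(4)]


def toy_encrypt(p, k):
    """Key-alternating toy cipher: (add key, S-box layer, pLayer) x ROUNDS, then a final key addition."""
    x = p
    for _ in range(ROUNDS):
        x ^= k
        x = ENC_T[0][x & 0xF] | ENC_T[1][(x >> 4) & 0xF] | ENC_T[2][(x >> 8) & 0xF] | ENC_T[3][x >> 12]
    return x ^ k


def toy_decrypt(c, k):
    """Inverse of toy_encrypt: undo the final key addition, then each round in reverse order."""
    x = c ^ k
    for _ in range(ROUNDS):
        x = DEC_P[0][x & 0xF] | DEC_P[1][(x >> 4) & 0xF] | DEC_P[2][(x >> 8) & 0xF] | DEC_P[3][x >> 12]
        x = (INV_SBOX[x & 0xF] | INV_SBOX[(x >> 4) & 0xF] << 4
             | INV_SBOX[(x >> 8) & 0xF] << 8 | INV_SBOX[x >> 12] << 12)
        x ^= k
    return x


def double_encrypt(p, k1, k2):
    """Double encryption E_k2(E_k1(p)); a naive search of the 32-bit key pair costs 2^32 trials."""
    return toy_encrypt(toy_encrypt(p, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs of double_encrypt.

    Forward: tabulate E_k1(p0) for every k1.  Backward: compute D_k2(c0) for every k2 and look it up.
    Cost is 2 * 2^16 toy encryptions plus a table of 2^16 entries instead of 2^32 trials.
    The first pair leaves about 2^16 false matches; the remaining pairs weed them out."""
    p0, c0 = pairs[0]
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(p0, k1), []).append(k1)
    candidates = [(k1, k2) for k2 in range(1 << KEY_BITS)
                  for k1 in forward.get(toy_decrypt(c0, k2), ())]
    return [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:])]


def demo():
    """Constructed scenario: secret keys known only to this demo, three known plaintexts."""
    k1, k2 = 0x1234, 0xABCD
    plaintexts = [0x0000, 0x5A5A, 0xF00F]
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in demo()])
```

The data complexity of the attack is the number of pairs needed to make the surviving candidate set small: each additional pair with a 16-bit block removes a factor of about 2^16 of the false matches, so three pairs are enough here. The same trade of memory for time applies to any cascade of two independently keyed ciphers, which is why double encryption with a memory encryption primitive does not double the effective key length.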

Passive adversary A person who is only capable of reading data from an unsecured channel and getting information about the data flow.

Passive attack An attack in which the data is observed but not modified.

Rectangle attack An improved version of the boomerang attack with reduced data complexity, which works with chosen plaintexts only [12].

Related key attack (Chosen key attack) An attack in which the attacker can obtain encryptions under several unknown keys with a known relation, e. g. a change in a particular key bit or some other specified relationship between the key bits [13].

Rotational cryptanalysis An attack method against algorithms that rely on three operations: modular addition, rotation and XOR (also known as ARX).

Saturation attack A type of integral attack which chooses a set of inputs that takes every possible value in some positions (a saturated set) and exploits the fact that the corresponding outputs of a bijective permutation function are again saturated.

Slide attack An attack which exploits the self-similarity of a cipher whose rounds are identical (e. g. because of a periodic key schedule); as it is independent of the number of rounds, it refutes the idea that even a weak cipher becomes strong by increasing the number of rounds [10].

Splitting Dividing a cryptographic key into two separate keys so an attacker cannot reconstruct the actual key even if one of them is intercepted.

Time complexity Amount of time required to execute an attack.
