Journal Home > Volume 28 , Issue 2

With the large scale adoption of Internet of Things (IoT) applications in people’s lives and industrial manufacturing processes, IoT security has become an important problem today. IoT security significantly relies on the security of the underlying hardware chip, which often contains critical information, such as encryption key. To understand existing IoT chip security, this study analyzes the security of an IoT security chip that has obtained an Arm Platform Security Architecture (PSA) Level 2 certification. Our analysis shows that the chip leaks part of the encryption key and presents a considerable security risk. Specifically, we use commodity equipment to collect electromagnetic traces of the chip. Using a statistical T-test, we find that the target chip has physical leakage during the AES encryption process. We further use correlation analysis to locate the detailed encryption interval in the collected electromagnetic trace for the Advanced Encryption Standard (AES) encryption operation. On the basis of the intermediate value correlation analysis, we recover half of the 16-byte AES encryption key. We repeat the process for three different tests; in all the tests, we obtain the same result, and we recover around 8 bytes of the 16-byte AES encryption key. Therefore, experimental results indicate that despite the Arm PSA Level 2 certification, the target security chip still suffers from physical leakage. Upper layer application developers should impose strong security mechanisms in addition to those of the chip itself to ensure IoT application security.


menu
Abstract
Full text
Outline
About this article

Arm PSA-Certified IoT Chip Security: A Case Study

Show Author's information Fei Chen1Duming Luo1Jianqiang Li1( )Victor C. M. Leung1,2( )Shiqi Li3Junfeng Fan3
College of Computer Science and Software Engineering, Shenzhen University, Shenzhen 518060, China
Department of Electrical and Computer Engineering, the University of British Columbia, Vancouver, BC V6T 1Z4, Canada
Open Security Research, Inc., Shenzhen 518000, China

Abstract

With the large scale adoption of Internet of Things (IoT) applications in people’s lives and industrial manufacturing processes, IoT security has become an important problem today. IoT security significantly relies on the security of the underlying hardware chip, which often contains critical information, such as encryption key. To understand existing IoT chip security, this study analyzes the security of an IoT security chip that has obtained an Arm Platform Security Architecture (PSA) Level 2 certification. Our analysis shows that the chip leaks part of the encryption key and presents a considerable security risk. Specifically, we use commodity equipment to collect electromagnetic traces of the chip. Using a statistical T-test, we find that the target chip has physical leakage during the AES encryption process. We further use correlation analysis to locate the detailed encryption interval in the collected electromagnetic trace for the Advanced Encryption Standard (AES) encryption operation. On the basis of the intermediate value correlation analysis, we recover half of the 16-byte AES encryption key. We repeat the process for three different tests; in all the tests, we obtain the same result, and we recover around 8 bytes of the 16-byte AES encryption key. Therefore, experimental results indicate that despite the Arm PSA Level 2 certification, the target security chip still suffers from physical leakage. Upper layer application developers should impose strong security mechanisms in addition to those of the chip itself to ensure IoT application security.

Keywords:

Internet of Things (IoT) security chip, Arm Platform Security Architecture (PSA) certification, electromagnetic side-channel attack, Advanced Encryption Standard (AES) encryption, key leakage
Received: 28 July 2021 Revised: 12 December 2021 Accepted: 13 December 2021 Published: 29 September 2022 Issue date: April 2023
References(49)
[1]
Z. Ling, J. Z. Luo, Y. L. Xu, C. Gao, K. Wu, and X. W. Fu, Security vulnerabilities of internet of things: A case study of the smart plug system, IEEE Internet Things J., vol. 4, no. 6, pp. 1899–1909, 2017.
[2]
Z. N. Mohammad, F. Farha, A. O. M. Abuassba, S. K. Yang, and F. Zhou, Access control and authorization in smart homes: A survey, Tsinghua Science and Technology, vol. 26, no. 6, pp. 906–917, 2021.
[3]
D. W. Wei, H. S. Ning, F. F. Shi, Y. L. Wan, J. B. Xu, S. K. Yang, and L. Zhu, Dataflow management in the internet of things: Sensing, control, and security, Tsinghua Science and Technology, vol. 26, no. 6, pp. 918–930, 2021.
[4]
Z. Ling, C. Gao, C. Sano, C. Toe, Z. P. Li, and X. W. Fu, STIR: A smart and trustworthy IoT system interconnecting legacy IR devices, IEEE Internet Things J., vol. 7, no. 5, pp. 3958–3967, 2020.
[5]
W. P. Wang, Z. R. Wang, Z. F. Zhou, H. X. Deng, W. L. Zhao, C. Y. Wang, and Y. Z. Guo, Anomaly detection of industrial control systems based on transfer learning, Tsinghua Science and Technology, vol. 26, no. 6, pp. 821–832, 2021.
[6]
Arm, Arm platform security architecture: Overview, , 2021.
[7]
PSA, PSA Certified Products, , 2021.
[8]
J. L. Zhang, A practical logic obfuscation technique for hardware security, IEEE Trans. Very Large Scale Integr. Syst., vol. 24, no. 3, pp. 1193–1197, 2016.
[9]
Y. Bi, X. S. Hu, Y. Jin, M. Niemier, K. Shamsi, and X. Z. Yin, Enhancing hardware security with emerging transistor technologies, in Proc. 26th Edition on Great Lakes Symp. on VLSI, Boston, MA, USA, 2016, pp. 305–310.
[10]
G. Qu, C. Dunbar, X. Chen, and A. J. Cui, Digital fingerprint: A practical hardware security primitive, in Digital Fingerprinting, C. Wang, R. Gerdes, Y. Guan, S. Kasera, eds. New York, NY, USA: Springer, 2016, pp. 89–114.
DOI
[11]
Q. Alasad, J. Yuan, and D. L. Fan, Leveraging all-spin logic to improve hardware security, in Proc. of the on Great Lakes Symp. on VLSI 2017, Banff, Canada, 2017, pp. 491–494.
[12]
M. Chen, E. Moghaddam, N. Mukherjee, J. Rajski, J. Tyszer, and J. Zawada, Hardware protection via logic locking test points, IEEE Trans. Comput. Aided Des. Integr. Circuits Syst., vol. 37, no. 12, pp. 3020–3030, 2018.
[13]
S. Patnaik, M. Ashraf, O. Sinanoglu, and J. Knechtel, A modern approach to IP protection and Trojan prevention: Split manufacturing for 3D ICs and obfuscation of vertical interconnects, IEEE Trans. Emerg. Top. Comput., vol. 9, no. 4, pp. 1815–1834, 2021.
[14]
P. C. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems, in Proc. 16th Annu. Int. Cryptology Conf., Santa Barbara, CA, USA, 1996, pp. 104–113.
[15]
D. Boneh, R. A. DeMillo, and R. J. Lipton, On the importance of checking cryptographic protocols for faults, in Proc. Int. Conf. on the Theory and Applications of Cryptographic Techniques, Konstanz, Germany, 1997, pp. 37–51.
[16]
P. Kocher, J. Jaffe, and B. Jun, Differential power analysis, in Proc. 19th Annu. Int. Cryptology Conf., Santa Barbara, CA, USA, 1999, pp. 388–397.
[17]
J. J. Quisquater, and D. Samyde, A new tool for non-intrusive analysis of smart cards based on electromagnetic emissions: The SEMA and DEMA methods, presented at the EUROCRYPT 2000 Rump Session, , 2000.
[18]
D. Genkin, A. Shamir, and E. Tromer, Acoustic cryptanalysis, J. Cryptol., vol. 30, no. 2, pp. 392–443, 2017.
[19]
P. Kocher, J. Jaffe, B. Jun, and P. Rohatgi, Introduction to differential power analysis, J. Cryptogr. Eng., vol. 1, no. 1, pp. 5–27, 2011.
[20]
E. Brier, C. Clavier, and F. Olivier, Correlation power analysis with a leakage model, in Proc. 6th Int. Workshop on Cryptographic Hardware and Embedded Systems, Cambridge, MA, USA, 2004, pp. 16–29.
[21]
S. Mangard, A simple power-analysis (SPA) attack on implementations of the AES key expansion, in Proc. 5th Int. Conf. on Information Security and Cryptology, Seoul, Republic of Korea, 2002, pp. 343–358.
[22]
S. Chari, J. R. Rao, and P. Rohatgi, Template attacks, in Proc. 4th Int. Workshop on Cryptographic Hardware and Embedded Systems, Redwood Shores, CA, USA, 2002, pp. 13–28.
[23]
M. Renauld and F. X. Standaert, Algebraic side-channel attacks, in Proc. 5th Int. Conf. on Information Security and Cryptology, Beijing, China, 2009, pp. 393–410.
[24]
I. Dinur and A. Shamir, Side channel cube attacks on block ciphers, , 2021.
[25]
B. Gierlichs, L. Batina, P. Tuyls, and B. Preneel, Mutual information analysis, in Proc. 10th Int. Workshop on Cryptographic Hardware and Embedded Systems, Washington, DC, USA, 2008, pp. 426–442.
[26]
L. Batina, B. Gierlichs, E. Prouff, M. Rivain, F. X. Standaert, and N. Veyrat-Charvillon, Mutual information analysis: A comprehensive study, J. Cryptol., vol. 24, no. 2, pp. 269–291, 2011.
[27]
S. Bhasin, J. L. Danger, S. Guilley, and Z. Najm, NICV: Normalized inter-class variance for detection of side-channel leakage, in Proc. 2014 Int. Symp. on Electromagnetic Compatibility, Tokyo, Japan, 2014, pp. 310–313.
[28]
S. M. Del Pozo, F. X. Standaert, D. Kamel, and A. Moradi, Side-channel attacks from static power: When should we care? in Proc. 2015 Design, Automation & Test in EuropeConf. & Exhibition, Grenoble, France, 2015, pp. 145–150.
DOI
[29]
Y. S. Fei, A. A. Ding, J. Lao, and L. W. Zhang, A statistics-based fundamental model for side-channel attack analysis, , 2014.
[30]
J. W. Chou, M. H. Chu, Y. L. Tsai, Y. Jin, C. M. Cheng, and S. D. Lin, An unsupervised learning model to perform side channel attack, in Proc. 17th Pacific-Asia Conf. on Knowledge Discovery and Data Mining, Gold Coast, Australia, 2013, pp. 414–425.
[31]
S. Picek, A. Heuser, A. Jovic, S. A. Ludwig, S. Guilley, D. Jakobovic, and N. Mentens, Side-channel analysis and machine learning: A practical perspective, in Proc. 2017 Int. Joint Conf. on Neural Networks, Anchorage, AK, USA, 2017, pp. 4095–4102.
[32]
L. X. Wei, B. Luo, Y. Li, Y. N. Liu, and Q. Xu, I know what you see: Power side-channel attack on convolutional neural network accelerators, in Proc. 34th Annu. Comput. Security Applications Conf., San Juan, UT, USA, 2018, pp. 393–406.
[33]
W. Yu and J. Chen, Deep learning-assisted and combined attack: A novel side-channel attack, Electron. Lett., vol. 54, no. 19, pp. 1114–1116, 2018.
[34]
O. Lo, W. J. Buchanan, and D. Carson, Power analysis attacks on the AES-128 S-box using differential power analysis (DPA) and correlation power analysis (CPA), J. Cyber Secur. Technol., vol. 1, no. 2, pp. 88–107, 2017.
[35]
S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards. Boston, MA, USA: Springer, 2007.
[36]
J. Li, W. W. Shan, and C. X. Tian, Hamming distance model based power analysis for cryptographic algorithms, Appl. Mech. Mater., vols. 121–126, pp. 867–871, 2011.
[37]
E. de Chérisey, S. Guilley, O. Rioul, and P. Piantanida, Best Information is most successful: Mutual information and success rate in side-channel analysis, IACR Transactions on Cryptographic Hardware and Embedded Systems, .
[38]
J. Doget, E. Prouff, M. Rivain, and F. X. Standaert, Univariate side channel attacks and leakage modeling, J. Cryptogr. Eng., vol. 1, no. 2, pp. 123–144, 2011.
[39]
V. Kepuska and G. Bohouta, Next-generation of virtual personal assistants (Microsoft Cortana, Apple Siri, Amazon Alexa and Google Home), in Proc. 2018 IEEE 8th Annu. Computing and Communication Workshop and Conf. (CCWC), Las Vegas, NV, USA, 2018, pp. 99–103.
[40]
W. R. Diao, X. Y. Liu, Z. Zhou, and K. H. Zhang, Your voice assistant is mine: How to abuse speakers to steal information and control your phone, in Proc. 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, Scottsdale, AZ, USA, 2014, pp. 63–74.
DOI
[41]
J. Mabrouki, M. Azrour, D. Dhiba, Y. Farhaoui, and S. El Hajjaji, IoT-based data logger for weather monitoring using Arduino-based wireless sensor networks with remote graphical application and alerts, Big Data Mining and Analytics, vol. 4, no. 1, pp. 25–32, 2021.
[42]
M. Azrour, J. Mabrouki, A. Guezzaz, and Y. Farhaoui, New enhanced authentication protocol for internet of things, Big Data Mining and Analytics, vol. 4, no. 1, pp. 1–9, 2021.
[43]
T. Alladi, V. Chamola, B. Sikdar, and K. K. R. Choo, Consumer IoT: Security vulnerability case studies and solutions, IEEE Consum. Electron. Mag., vol. 9, no. 2, pp. 17–25, 2020.
[44]
F. Chen, D. M. Luo, T. Xiang, P. Chen, J. F. Fan, and H. L. Truong, IoT cloud security review: A case study approach using emerging consumer-oriented applications, ACM Comput. Surv., vol. 54, no. 4, pp. 75, 2022.
[45]
ARM, ARMv8-A architecture overview, , 2015.
[46]
Arm trustzone technology for the armv8-m architecture, , 2021.
[47]
PicoScope 3000 series oscilloscope software, Pico Technology, , 2021.
[48]
Daxia, SSCOM, , 2021.
[49]
eShard, Scared, , 2021.
Publication history
Copyright
Acknowledgements
Rights and permissions

Publication history

Received: 28 July 2021
Revised: 12 December 2021
Accepted: 13 December 2021
Published: 29 September 2022
Issue date: April 2023

Copyright

© The author(s) 2023.

Acknowledgements

This work was partially supported by the National Natural Science Foundation of China (Nos. 61872243 and U1713212), Guangdong Basic and Applied Basic Research Foundation (No. 2020A1515011489), the Natural Science Foundation of Guangdong Province-Outstanding Youth Program (No. 2019B151502018), and Shenzhen Science and Technology Innovation Commission (No. R2020A045).

Rights and permissions

The articles published in this open access journal are distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/).

Return