IEEE P1735 Encryption is broken
Researchers have uncovered several major weaknesses in the implementation of the Institute of Electrical and Electronics Engineers (IEEE) P1735 cryptography standard that can be exploited to unlock, modify or steal encrypted system-on-chip blueprints.
The IEEE P1735 scheme was designed to encrypt electronic-design intellectual property (IP) in the hardware and software so that chip designers can protect their IPs from hackers and other prying eyes.
The majority of mobile and embedded devices include a System-on-Chip (SoC), a single integrated circuit that can consist of multiple IPs (reusable design blocks, often from different vendors), such as a radio-frequency receiver, an analogue-to-digital converter, a digital signal processing unit, a graphics processing unit, or a cryptographic engine.
These licensed IPs are therefore quite valuable to their vendors, so to protect them from being reverse engineered after being sold, the IEEE developed the P1735 standard to encrypt electronic-design IP.
However, an alert published Friday by the Department of Homeland Security's US-CERT warned that the IEEE P1735 standard is flawed.
"In the most egregious cases, [these mistakes] enable attack vectors [like padding-oracle attacks] that allow recovery of the entire underlying plaintext IP," US-CERT warned.
"Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts."
The US-CERT warning follows a recent academic paper [PDF], titled "Standardizing Bad Cryptographic Practice," by a team of researchers from the University of Florida, who discovered and reported a total of seven vulnerabilities in the IEEE P1735 standard.
Here's the list of all vulnerabilities in the P1735 standard with their assigned CVE IDs:
- CVE-2017-13091: Improperly specified padding in the standard's use of AES-CBC mode allows the use of an Electronic Design Automation (EDA) tool as a decryption oracle.
- CVE-2017-13092: Improperly specified HDL (hardware description language) syntax allows the use of an EDA tool as a decryption oracle.
- CVE-2017-13093: Modification of encrypted intellectual property (IP) ciphertexts to include hardware Trojans.
- CVE-2017-13094: Modification of the encryption key and insertion of hardware trojans in any IP without knowledge of the key.
- CVE-2017-13095: Modification of a license-deny response to a license grant or vice versa.
- CVE-2017-13096: Modification of Rights Block, which contains the RSA-encryption of an AES key, to get rid of or relax access control.
- CVE-2017-13097: Modification of Rights Block to get rid of or relax license requirement.
The main vulnerability (CVE-2017-13091) resides in the IEEE P1735 standard's use of AES-CBC mode.
Since the standard makes no recommendation for any specific padding scheme, developers often choose the wrong one, making it possible for attackers to use the well-known classic padding-oracle attack (POA) technique, with the EDA tool's accept/reject behaviour serving as the oracle, to decrypt the system-on-chip blueprints without knowledge of the key.
"While the confidentiality attacks can reveal the entire plaintext IP, the integrity attack enables an attacker to insert hardware trojans into the encrypted IP," the researchers concluded.
"This not only destroys any protection that the standard was supposed to provide but also increases the risk premium of the IP."
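To make the two classes of flaw concrete, here is an added Go example (not code from the paper, the IEEE standard, or any EDA vendor) that models the generic pattern behind CVE-2017-13091 and CVE-2017-13093: AES-CBC with PKCS#7 padding and no integrity protection. The weak decryptor reports a padding failure differently from success, which is exactly what turns a tool into a decryption oracle, and it accepts a modified ciphertext without complaint, which is the integrity problem. The hardened variant applies encrypt-then-MAC with HMAC-SHA256, rejects any altered file before the cipher or the padding is consulted, and answers every failure with one uniform error (AES-GCM would serve equally well). The key, IV, plaintext and file layout (iv || ciphertext [|| tag]) are constructed for this example; P1735's actual envelope format is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The weak decryptor reports ErrBadPadding distinctly (that distinction is the
// oracle); the hardened one answers every tampered input with ErrTampered.
var (
	ErrBadPadding = errors.New("invalid padding")
	ErrTampered   = errors.New("ciphertext rejected")
)

// Constructed sample values; a real tool would draw a fresh random IV per file.
var (
	sampleKey    = []byte("0123456789abcdef") // 16 bytes: AES-128
	sampleMACKey = []byte("fedcba9876543210")
	sampleIV     = []byte("constructed-iv!!") // 16 bytes
	sampleIP     = []byte("module top; // constructed sample IP")
)

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, ErrBadPadding
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrBadPadding
		}
	}
	return b[:len(b)-n], nil
}

func mustAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// cbcEncrypt returns iv || AES-CBC(key, pkcs7(plaintext)): confidentiality only.
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(mustAES(key), iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}

// decryptWeak mirrors the flawed pattern: no integrity check, and a padding
// failure surfaces as a response that differs from success.
func decryptWeak(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, ErrBadPadding
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(mustAES(key), iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, aes.BlockSize)
}

// encryptAuth is encrypt-then-MAC: tag = HMAC-SHA256(macKey, iv || ciphertext).
func encryptAuth(encKey, macKey, iv, plaintext []byte) []byte {
	data := cbcEncrypt(encKey, iv, plaintext)
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(data)
}

// decryptAuth verifies the tag in constant time before touching the cipher, so
// a modified file is refused before any padding is examined, and every failure
// produces the same error.
func decryptAuth(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < sha256.Size {
		return nil, ErrTampered
	}
	body, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, ErrTampered
	}
	pt, err := decryptWeak(encKey, body)
	if err != nil {
		return nil, ErrTampered // collapse residual errors into the same response
	}
	return pt, nil
}

// flipByte returns a copy of data with one byte XORed by mask.
func flipByte(data []byte, i int, mask byte) []byte {
	c := append([]byte{}, data...)
	c[i] ^= mask
	return c
}

func main() {
	weak := cbcEncrypt(sampleKey, sampleIV, sampleIP)
	auth := encryptAuth(sampleKey, sampleMACKey, sampleIV, sampleIP)
	// Byte 47 ends the block before the last one; changing it disturbs the
	// final padding byte, and the weak decryptor reveals that through its error.
	_, err := decryptWeak(sampleKey, flipByte(weak, 47, 0x01))
	fmt.Println("weak, padding byte disturbed:", err)
	// Byte 15 lies in the IV; changing it silently edits plaintext byte 15.
	pt, err := decryptWeak(sampleKey, flipByte(weak, 15, 0x01))
	fmt.Printf("weak, IV bit flipped: %q (err=%v)\n", pt, err)
	for _, i := range []int{47, 15} {
		_, err = decryptAuth(sampleKey, sampleMACKey, flipByte(auth, i, 0x01))
		fmt.Printf("hardened, byte %d flipped: %v\n", i, err)
	}
}
```

Running it shows the weak decryptor leaking a distinguishable padding error for one modification and quietly returning an altered design for the other, while the hardened decryptor returns the same rejection for both. The defender's takeaway is the one the researchers' quick fixes point at: add authentication over the ciphertext, check it before decrypting, and never let padding validity reach the caller as a separate signal.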
The researchers also proposed various optimisations of the basic confidentiality attacks that can reduce the complexity.
Vendors using the IEEE P1735 scheme in an insecure manner have already been alerted by US-CERT. The vendors contacted by US-CERT include AMD, Intel, Qualcomm, Cisco, IBM, Samsung, Synopsys, Mentor Graphics, Marvell, NXP, Cadence Design Systems, Xilinx and Zuken.
All of the above vendors are believed to be at potential risk from these vulnerabilities, but so far this has not been confirmed.
The researchers have suggested quick fixes which EDA software developers can apply to address the issues. Users are advised to wait for an update from their EDA software vendor and apply it as soon as it becomes available.