Page 128 - Cyber Defense eMagazine February 2024
Weaknesses of software-based cryptography
One of the most crucial weaknesses of software-based cryptography is the need for implicit trust in a
very deep stack of software layers. Software-based cryptography relies on a complex stack of
technologies, including the cryptographic library, operating system, drivers, compilers, CPU, etc. If security
at any layer fails, it could compromise the entire cryptosystem. Sharing physical resources with potentially
malicious programs exposes software-based implementations to multiple security risks – despite modern
security protection, a successful attack on any of the physical resources can jeopardize other functions in
the system.
It is also common for many computer systems to have their most sensitive data (for example, encryption
keys) located in the same memory as non-sensitive data, which can be exposed by even fairly trivial
bugs in a program. One of the most infamous examples is the Heartbleed buffer over-read bug in
OpenSSL published in 2014, which allowed a remote attacker to read large portions of the victim’s
memory that could include passwords, encryption keys, and other sensitive data.
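The co-location problem described above, as an added example that is not from the article and is not OpenSSL code: a simplified model in which a request payload and a key share one buffer, with an echo handler that trusts the requester's length field beside one that checks it. The arena layout, function names and key string are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE  64
#define PAYLOAD_OFF 0
#define KEY_OFF     16
#define DEMO_KEY    "CONSTRUCTED-KEY!"   /* constructed sample value, 16 bytes */

/* Constructed stand-in for process memory: request data and a key share it. */
static unsigned char arena[ARENA_SIZE];

static void arena_setup(const char *payload, size_t payload_len) {
    memset(arena, 0, sizeof arena);
    memcpy(arena + PAYLOAD_OFF, payload, payload_len); /* non-sensitive request data */
    memcpy(arena + KEY_OFF, DEMO_KEY, 16);             /* sensitive data right behind it */
}

/* Before: echoes as many bytes as the request claims to contain. */
static long echo_unchecked(size_t claimed_len, unsigned char *out, size_t out_cap) {
    if (claimed_len > out_cap || claimed_len > ARENA_SIZE)
        return -1;                      /* only keeps this demo inside the arena */
    memcpy(out, arena + PAYLOAD_OFF, claimed_len);
    return (long)claimed_len;
}

/* After: the claimed length may not exceed the bytes actually received. */
static long echo_checked(size_t claimed_len, size_t received_len,
                         unsigned char *out, size_t out_cap) {
    if (claimed_len > received_len || claimed_len > out_cap)
        return -1;                      /* malformed request: discard */
    memcpy(out, arena + PAYLOAD_OFF, claimed_len);
    return (long)claimed_len;
}

/* Returns 1 if the byte string needle occurs anywhere in buf[0..len). */
static int contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    arena_setup("ping", 4);             /* 4 bytes received */
    long n = echo_unchecked(32, out, sizeof out);
    printf("unchecked: %ld bytes echoed, key in reply: %d\n",
           n, contains(out, (size_t)n, DEMO_KEY));
    printf("checked:   %ld\n", echo_checked(32, 4, out, sizeof out));
    return 0;
}
```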
Software-based cryptographic implementations are also harder to protect against side-channel attacks.
These cryptanalytic attacks target the implementation rather than the mathematical foundations of a
cryptosystem. Side-channel attacks can be based on, for example, execution time or power consumption
of the computing device. Software-level implementations often lack the low-level control required to
protect against such attacks due to the microarchitectural optimizations of modern processors.
Hardware-level bugs in processors may also compromise software-based security, posing challenges to
fixing vulnerabilities in deployed systems. Examples include the Meltdown and
Spectre attacks, which clearly demonstrated the challenges and costs of fixing processor vulnerabilities in
already-deployed systems.
Benefits of hardware-based solutions
When implementing cryptography directly as hardware logic design (FPGA or ASIC), the critical
computations and data can be isolated into a dedicated IP core (Intellectual Property core) segregated
from the main system. Cryptographic keys are the most vital components of the entire cryptosystem.
Storing these in a separate cryptographic IP core provides a significant security enhancement compared
to the software-based security approach. Many software-based systems rely on hardware to secure
cryptographic keys, by storing them in a Hardware Security Module.
Hardware-based cryptography offers superior resilience compared to the software-based approach when
it comes to side-channel attacks. Hardware designers have granular control over implementation details,
enabling fully constant-time IP cores that nullify timing attacks. This level of control is challenging to
achieve in software-based implementations due to microarchitectural optimizations beyond the
programmer's reach.
In addition to enhanced security, using hardware-based cryptography offers superior performance and
energy efficiency compared to software-based cryptography. High-performance cryptographic IP cores