The underlying differences between hardware and software when implementing critical cryptosystems.
By Kimmo Järvinen, Co-founder and CTO, Xiphera
The majority of today’s cryptographic implementations rely on software running on general-purpose processors. While this method is a practical and justified approach for many applications, software-based cryptography has inherent weaknesses when it comes to safeguarding of critical systems and applications.
Cryptography designed directly into hardware, especially on field programmable gate arrays (FPGAs) or application specific integrated circuits (ASICs), solves many weaknesses of software-based cryptography, offering superior security and efficiency compared to software-based security approach. This article scrutinizes the weaknesses of software-based cryptography and explores the advantages of the hardware-based alternatives in protecting essential systems, such as industrial control and automation systems, as well as critical communication infrastructure.
Weaknesses of software-based cryptography
One of the most crucial weaknesses of software-based cryptography is the need for implicit trust in a very deep stack of software layers. Software-based cryptography relies on a complex stack of technologies, including cryptographic library, operating system, drivers, compilers, CPU, etc. If security at any layer fails, it could compromise the entire cryptosystem. Sharing physical resources with potentially malicious programs exposes software-based implementations to multiple security risks – despite modern security protection, a successful attack to any of the physical resources can jeopardize other functions in the system.
It is also common for many computer systems to have their most sensitive data (for example, encryption keys) located in the same memory with non-sensitive data, which can be exposed by even fairly trivial bugs in a program. One of the most infamous examples is the Heartbleed buffer over-read bug in OpenSSL published in 2014, which allowed a remote attacker to read large portions of the victim’s memory that could include passwords, encryption keys, and other sensitive data.
Software-based cryptographic implementations are also harder to protect against side-channel attacks. These cryptanalytic attacks target the implementation rather than the mathematical foundations of a cryptosystem. Side-channel attacks can be based on, for example, execution time or power consumption of the computing device. Software-level implementations often lack the low-level control required to protect against such attacks due to the microarchitectural optimizations of modern processors.
Hardware-level bugs in processors may also compromise software-based security, posing challenges to fixing vulnerabilities in deployed systems. Examples of such security attacks include the Meltdown and Spectre attacks, which well demonstrated the challenges and costs of fixing processor vulnerabilities for already-deployed systems.
Benefits of hardware-based solutions
When implementing cryptography directly as hardware logic design (FPGA or ASIC), the critical computations and data can be isolated into a dedicated IP core (Intellectual Property core) segregated from the main system. Cryptographic keys are the most vital components of the entire cryptosystem. Storing these in a separate cryptographic IP core provides a significant security enhancement compared to the software-based security approach. Many software-based systems rely on hardware to secure cryptographic keys, by storing them to a Hardware Security Module.
Hardware-based cryptography offers superior resilience compared to the software-based approach when it comes to side-channel attacks. Hardware designers have granular control over implementation details, enabling fully constant-time IP cores that nullify timing attacks. This level of control is challenging to achieve in software-based implementations due to microarchitectural optimizations beyond the programmer’s reach.
In addition to enhanced security, using hardware-based cryptography offers superior performance and energy efficiency compared to software-based cryptography. High-performance cryptographic IP cores can achieve throughput levels of up to hundreds of Gigabits per second with significantly lower energy consumption per cryptographic operation.
Conclusion
A higher security level, better performance, and lower energy consumption build trust and preference in hardware-based cryptography over software-based approach in implementation of security-critical operations, such as key management or cryptographic operations. FPGAs and ASICs are already used in various industrial control and automation systems. FPGA platforms combine the best of both worlds, as they can be re-programmed and updated for already existing applications without additional hardware, or other prohibitively costly investments, while also offering full isolation of security-critical data and operations from the rest of the system. ASIC-based implementations offer further performance and lower power consumption, as well as potential cost benefits for high-volume deployments.
About the Author
Kimmo Järvinen is the co-founder and CTO of Xiphera. He received the Master of Science (Tech.) and Doctor of Science (Tech.) degrees from Helsinki University of Technology in 2003 and 2008, respectively.
Kimmo Järvinen has a strong academic background in cryptography and cryptographic hardware engineering after having various post-doctoral, research fellow, and senior researcher positions in Aalto University (Espoo, Finland), KU Leuven (Leuven, Belgium), and University of Helsinki (Helsinki, Finland). He has published more than 60 scientific articles about cryptography and security engineering.