CryptoGraphics: Exploiting Graphics Cards for Security

Advances in Information Security

Sushil Jajodia, Consulting Editor
Center for Secure Information Systems
George Mason University
Fairfax, VA 22030-4444
email: jajodia@gmu.edu

The goals of the Springer International Series on ADVANCES IN INFORMATION SECURITY are, one, to establish the state of the art of, and set the course for future research in, information security and, two, to serve as a central reference source for advanced and timely topics in information security research and development. The scope of this series includes all aspects of computer and network security and related areas such as fault tolerance and software assurance.

ADVANCES IN INFORMATION SECURITY aims to publish thorough and cohesive overviews of specific topics in information security, as well as works that are larger in scope or that contain more detailed background information than can be accommodated in shorter survey articles. The series also serves as a forum for topics that may not have reached a level of maturity to warrant a comprehensive textbook treatment.

Researchers, as well as developers, are encouraged to contact Professor Sushil Jajodia with ideas for books under this series.

Additional titles in the series:

UNDERSTANDING INTRUSION DETECTION THROUGH VISUALIZATION by Stefan Axelsson; ISBN-10: 0-387-27634-3
HOP INTEGRITY IN THE INTERNET by Chin-Tser Huang and Mohamed G. Gouda; ISBN-10: 0-387-22426-3
PRIVACY PRESERVING DATA MINING by Jaideep Vaidya, Chris Clifton and Michael Zhu; ISBN-10: 0-387-25886-8
BIOMETRIC USER AUTHENTICATION FOR IT SECURITY: From Fundamentals to Handwriting by Claus Vielhauer; ISBN-10: 0-387-26194-X
IMPACTS AND RISK ASSESSMENT OF TECHNOLOGY FOR INTERNET SECURITY: Enabled Information Small-Medium Enterprises (TEISMES) by Charles A. Shoniregun; ISBN-10: 0-387-24343-7
SECURITY IN E-LEARNING by Edgar R. Weippl; ISBN: 0-387-24341-0
IMAGE AND VIDEO ENCRYPTION: From Digital Rights Management to Secured Personal Communication by Andreas Uhl and Andreas Pommer; ISBN: 0-387-23402-0
INTRUSION DETECTION AND CORRELATION: Challenges and Solutions by Christopher Kruegel, Fredrik Valeur and Giovanni Vigna; ISBN: 0-387-23398-9
THE AUSTIN PROTOCOL COMPILER by Tommy M. McGuire and Mohamed G. Gouda; ISBN: 0-387-23227-3

Additional information about this series can be obtained from http://www.springeronline.com

CryptoGraphics: Exploiting Graphics Cards for Security

by
Debra L. Cook
Angelos D. Keromytis
Columbia University, New York, USA

Springer

Debra L. Cook
Department of Computer Science
450 Computer Science Building
Columbia University
1214 Amsterdam Avenue, M.C. 0401
New York, NY 10027-7003

Angelos D. Keromytis
Department of Computer Science
450 Computer Science Building
Columbia University
1214 Amsterdam Avenue, M.C. 0401
New York, NY 10027-7003

Library of Congress Control Number: 2006925092

CRYPTOGRAPHICS: Exploiting Graphics Cards for Security
by Debra L. Cook and Angelos D. Keromytis

ISBN-13: 978-0-387-29015-7
ISBN-10: 0-387-29015-X
e-ISBN-13: 978-0-387-34189-7
e-ISBN-10: 0-387-34189-7

Printed on acid-free paper.

© 2006 Springer Science+Business Media, LLC

All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.

The use in this publication of trade names, trademarks, service marks and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed in the United States of America.

springer.com

Contents

List of Figures
List of Tables
Preface
Acknowledgments
1 INTRODUCTION
  1.1 Overview
  1.2 GPUs
  1.3 Motivation
  1.4 Encryption in GPUs
  1.5 Remotely Keyed CryptoGraphics
  1.6 Related Issues
  1.7 Extensions
  1.8 Conclusions

2 GRAPHICAL PROCESSING UNITS
  2.1 Overview
  2.2 GPU Architecture
  2.3 GPUs and General Purpose Programming
  2.4 APIs
  2.5 OpenGL and Pixel Processing
  2.6 Representing Data with Vertices
  2.7 Non-Graphic Uses of GPUs

3 MOTIVATION
  3.1 Overview
  3.2 Accelerating Cryptographic Processing
    3.2.1 Issue
    3.2.2 Previous Approaches
    3.2.3 Summary of the GPU-Based Approach
  3.3 Malware and Spyware
    3.3.1 Issue
    3.3.2 Motivating Applications
    3.3.3 Other Related Work
    3.3.4 Summary of the GPU-Based Approach
  3.4 Side Channel and Differential Fault Analysis

4 ENCRYPTION IN GPUS
  4.1 Overview
  4.2 Feasibility of Asymmetric Key Ciphers
  4.3 Feasibility of Symmetric Key Ciphers
  4.4 Modes of Encryption
  4.5 Example: AES
    4.5.1 AES Background
    4.5.2 AES in OpenGL
    4.5.3 AES Experiments
    4.5.4 Use of Parallel Processing in Attacks
  4.6 GPUs and Stream Ciphers
    4.6.1 Overview
    4.6.2 Experiments
  4.7 Conclusions

5 REMOTELY KEYED CRYPTOGRAPHICS
  5.1 Overview
  5.2 Keying of GPUs
  5.3 Prototype
    5.3.1 Purpose
    5.3.2 Architecture
    5.3.3 Implementation
  5.4 Design Decisions
    5.4.1 Remote Keying
    5.4.2 Decryption of Data in the GPU
  5.5 Experiments
  5.6 Conclusions

6 RELATED ISSUES
  6.1 Overview
  6.2 Protecting User Input
  6.3 Keying the GPU
  6.4 Attacks
  6.5 Trusted Platform Module
  6.6 Data Compression

7 EXTENSIONS
  7.1 Overview
  7.2 Graphics-based Cipher
  7.3 Encryption within DSPs

8 CONCLUSIONS
  8.1 Summary
  8.2 Suggested Projects

Appendices
A AES OpenGL Code for Encryption
  A.1 Overview
  A.2 Version Using the Red Pixel Component and the Back Buffer
  A.3 Version Using the RGB Pixel Components and the Front Buffer

References
Index

List of Figures

2.1 High Level View of GPU Hardware
2.2 GPU's Main Processing Steps
2.3 OpenGL Version 2.0 General Pipeline
2.4 OpenGL Pipeline for Pixel Processing
3.1 Various Attack Points for Phishing
4.1 ECB Encryption Mode
4.2 CBC Encryption Mode
4.3 CTR Encryption Mode
4.4 OFB Encryption Mode
4.5 CFB Encryption Mode
4.6 Layout of Data in Pixel Coordinates used in the OpenGL Version of AES
4.7 Encryption of 300 Identical Blocks in RGB Components
5.1 Malware on Untrusted Client with OS-based Decryption
5.2 Malware on Untrusted Client with GPU-based Decryption
5.3 Architecture for Remotely Keyed Decryption in the GPU
5.4 Remotely Keyed Decryption in GPU Protocol
5.5 Encrypted Image Received by GPU
5.6 Decrypted Image Displayed in GPU
5.7 Decryption Rates: All Entities on a Single System
5.8 Decryption Rates: Dedicated LAN and Client
5.9 Decryption Rates: Shared LAN and Client
6.1 Graphical Keypad for Digits
6.2 Graphical Keypad for Hex Values

List of Tables

4.1 AES S-Box for Encryption
4.2 AES S-Box for Decryption
4.3 Encryption Rates for AES
4.4 XOR Rate Using System Resources (CPU)
4.5 XOR Rate Using GPUs - RGB Pixel Components
4.6 XOR Rate Using GPUs - RGBA Pixel Components

Preface

CryptoGraphics: Exploiting Graphics Cards for Security explores the potential for implementing ciphers within graphics processing units (GPUs), and describes the relevance of GPU-based encryption and decryption to the security of applications involving remote displays. As the processing power of GPUs increases, researchers have started to study the use of GPUs for general purpose computing. While GPUs do not support the range of operations found in CPUs, their processing power has grown to exceed that of CPUs and their designs are evolving to increase their programmability. GPUs are especially attractive for applications requiring a large quantity of parallel processing. This work extends such research by considering the use of GPUs
as a parallel processor for encrypting (and decrypting) data. The authors examine the operations found in symmetric and asymmetric key ciphers to determine if encryption can be programmed in existing GPUs. While certain operations make it impossible to implement some ciphers in a GPU, the operations used in most block ciphers, including the Advanced Encryption Standard (AES), can be performed in GPUs. A detailed description and code for a GPU-based implementation of AES is provided.

The feasibility of GPU-based encryption allows the authors to explore the use of a GPU as a trusted system component, motivated by the use of thin-client and remote conferencing applications on untrusted or untrustworthy systems. By enabling encryption and decryption in GPUs, unencrypted display data can be confined to the GPU to avoid exposing it to any malware running on the operating system. The authors describe a prototype implementation of GPU-based decryption for protecting displays exported to untrusted clients. Issues and solutions related to fully securing data on untrusted clients, including the protection of user input, are also discussed.

Additional capabilities are constantly being added to GPUs: when the first experiments described in this book were performed, programmable pixel processors were a new feature. Improved programmability of GPUs will likely

Appendix A: AES OpenGL Code for Encryption

A.3 Version Using the RGB Pixel Components and the Front Buffer (continued)

    /* maketestekey(), continued: last row of the 5th round key */
    ekey[92] = (GLubyte) 0xf8;
    ekey[93] = (GLubyte) 0x87;
    ekey[94] = (GLubyte) 0xbc;
    ekey[95] = (GLubyte) 0xbc;

    /* 6th round key */
    ekey[96]  = (GLubyte) 0x6d;
    ekey[97]  = (GLubyte) 0x11;
    ekey[98]  = (GLubyte) 0xdb;
    ekey[99]  = (GLubyte) 0xca;
    ekey[100] = (GLubyte) 0x88;
    ekey[101] = (GLubyte) 0x0b;
    ekey[102] = (GLubyte) 0xf9;
    ekey[103] = (GLubyte) 0x00;
    ekey[104] = (GLubyte) 0xa3;
    ekey[105] = (GLubyte) 0x3e;
    ekey[106] = (GLubyte) 0x86;
    ekey[107] = (GLubyte) 0x93;
    ekey[108] = (GLubyte) 0x7a;
    ekey[109] = (GLubyte) 0xfd;
    ekey[110] = (GLubyte) 0x41;
    ekey[111] = (GLubyte) 0xfd;

    /* 7th round key */
    ekey[112] = (GLubyte) 0x4e;
    ekey[113] = (GLubyte) 0x5f;
    ekey[114] = (GLubyte) 0x84;
    ekey[115] = (GLubyte) 0x4e;
    ekey[116] = (GLubyte) 0x54;
    ekey[117] = (GLubyte) 0x5f;
    ekey[118] = (GLubyte) 0xa6;
    ekey[119] = (GLubyte) 0xa6;
    ekey[120] = (GLubyte) 0xf7;
    ekey[121] = (GLubyte) 0xc9;
    ekey[122] = (GLubyte) 0x4f;
    ekey[123] = (GLubyte) 0xdc;
    ekey[124] = (GLubyte) 0x0e;
    ekey[125] = (GLubyte) 0xf3;
    ekey[126] = (GLubyte) 0xb2;
    ekey[127] = (GLubyte) 0x4f;

    /* 8th round key */
    ekey[128] = (GLubyte) 0xea;
    ekey[129] = (GLubyte) 0xb5;
    ekey[130] = (GLubyte) 0x31;
    ekey[131] = (GLubyte) 0x7f;
    ekey[132] = (GLubyte) 0xd2;
    ekey[133] = (GLubyte) 0x8d;
    ekey[134] = (GLubyte) 0x2b;
    ekey[135] = (GLubyte) 0x8d;
    ekey[136] = (GLubyte) 0x73;
    ekey[137] = (GLubyte) 0xba;
    ekey[138] = (GLubyte) 0xf5;
    ekey[139] = (GLubyte) 0x29;
    ekey[140] = (GLubyte) 0x21;
    ekey[141] = (GLubyte) 0xd2;
    ekey[142] = (GLubyte) 0x60;
    ekey[143] = (GLubyte) 0x2f;

    /* 9th round key */
    ekey[144] = (GLubyte) 0xac;
    ekey[145] = (GLubyte) 0x19;
    ekey[146] = (GLubyte) 0x28;
    ekey[147] = (GLubyte) 0x57;
    ekey[148] = (GLubyte) 0x77;
    ekey[149] = (GLubyte) 0xfa;
    ekey[150] = (GLubyte) 0xd1;
    ekey[151] = (GLubyte) 0x5c;
    ekey[152] = (GLubyte) 0x66;
    ekey[153] = (GLubyte) 0xdc;
    ekey[154] = (GLubyte) 0x29;
    ekey[155] = (GLubyte) 0x00;
    ekey[156] = (GLubyte) 0xf3;
    ekey[157] = (GLubyte) 0x21;
    ekey[158] = (GLubyte) 0x41;
    ekey[159] = (GLubyte) 0x6e;

    /* 10th round key */
    ekey[160] = (GLubyte) 0xd0;
    ekey[161] = (GLubyte) 0xc9;
    ekey[162] = (GLubyte) 0xe1;
    ekey[163] = (GLubyte) 0xb6;
    ekey[164] = (GLubyte) 0x14;
    ekey[165] = (GLubyte) 0xee;
    ekey[166] = (GLubyte) 0x3f;
    ekey[167] = (GLubyte) 0x63;
    ekey[168] = (GLubyte) 0xf9;
    ekey[169] = (GLubyte) 0x25;
    ekey[170] = (GLubyte) 0x0c;
    ekey[171] = (GLubyte) 0x0c;
    ekey[172] = (GLubyte) 0xa8;
    ekey[173] = (GLubyte) 0x89;
    ekey[174] = (GLubyte) 0xc8;
    ekey[175] = (GLubyte) 0xa6;

    /* replicate each key byte into the R, G and B components */
    for (i = 0; i < 176; ++i) {
        for (j = 0; j < 3; ++j) {
            rgba_ekey[i][j] = ekey[i];
        }
    }
} /* end of maketestekey */

/* helper function - performs two copies (with XOR enabled, two layers are
   added into the state; with XOR disabled, the state is overwritten) */
void add_layer(int dx1, int dy1, int sx1, int sy1, int w1, int h1,
               int dx2, int dy2, int sx2, int sy2, int w2, int h2)
{
    glRasterPos2i(dx1, dy1);
    glCopyPixels(sx1, sy1, w1, h1, GL_COLOR);
    glRasterPos2i(dx2, dy2);
    glCopyPixels(sx2, sy2, w2, h2, GL_COLOR);
}

/* encryption function */
void encrypt(void)
{
    int r = 0;
    int ri = 0;
    int k;
    int key_ind = KEY_START_POS;
    int num_rnds = 9;
    int cnt = 0;   /* index used in print statements */

    glDisable(GL_COLOR_LOGIC_OP);
    glPixelTransferi(GL_MAP_COLOR, 0);

    /* load expanded key at (KEY_START_POS,0);
       NBLK copies (rows) of the expanded key are needed */
    for (k = 0; k < NBLK; ++k) {
        glRasterPos2i(KEY_START_POS, k);
        glDrawPixels(EKEY_BYTES, 1, GL_RGB, GL_UNSIGNED_BYTE, rgba_ekey);
    } /* end of for k */

    /* load data at (0,0) */
    glRasterPos2i(0, 0);
    glDrawPixels(BYTES_PER_BLK, NBLK, GL_RGB, GL_UNSIGNED_BYTE, data);

    /* perform first xor with key */
    glEnable(GL_COLOR_LOGIC_OP);
    glLogicOp(GL_XOR);
    glRasterPos2i(0, 0);
    glCopyPixels(KEY_START_POS, 0, 16, NBLK, GL_COLOR);
    glDisable(GL_COLOR_LOGIC_OP);

    /* start of round */
    /* compute 1*, 2*, 3* Sbox of each byte */
    for (r = 0; r < 9; ++r) {
        glPixelTransferi(GL_MAP_COLOR, 1);
        glPixelMapfv(GL_PIXEL_MAP_R_TO_R, 256, Te1);
        glPixelMapfv(GL_PIXEL_MAP_G_TO_G, 256, Te1);
        glPixelMapfv(GL_PIXEL_MAP_B_TO_B, 256, Te1);
        glRasterPos2i(192, 0);   /* destination of copy */
        glCopyPixels(0, 0, 16, NBLK, GL_COLOR);

        glPixelMapfv(GL_PIXEL_MAP_R_TO_R, 256, Te2);
        glPixelMapfv(GL_PIXEL_MAP_G_TO_G, 256, Te2);
        glPixelMapfv(GL_PIXEL_MAP_B_TO_B, 256, Te2);
        glRasterPos2i(208, 0);   /* destination of copy */
        glCopyPixels(0, 0, 16, NBLK, GL_COLOR);

        glPixelMapfv(GL_PIXEL_MAP_R_TO_R, 256, Te3);
        glPixelMapfv(GL_PIXEL_MAP_G_TO_G, 256, Te3);
        glPixelMapfv(GL_PIXEL_MAP_B_TO_B, 256, Te3);
        glRasterPos2i(224, 0);   /* destination of copy */
        glCopyPixels(0, 0, 16, NBLK, GL_COLOR);
        glPixelTransferi(GL_MAP_COLOR, 0);   /* turn mapping off */

        /* create "T0[row1]" */
        /* 1st of layers of 1st row: 2* entry */
        glRasterPos2i(0, 0);
        glCopyPixels(208, 0, 4, NBLK, GL_COLOR);
        /* 1st of layers of 2nd row: 1* entry */
        glRasterPos2i(4, 0);
        glCopyPixels(192, 0, 4, NBLK, GL_COLOR);
        /* 1st of layers of 3rd row: 1* entry */
        glRasterPos2i(8, 0);
        glCopyPixels(192, 0, 4, NBLK, GL_COLOR);
        /* 1st of layers of 4th row: 3* entry */
        glRasterPos2i(12, 0);
        glCopyPixels(224, 0, 4, NBLK, GL_COLOR);

        /* turn xor on */
        glEnable(GL_COLOR_LOGIC_OP);
        glLogicOp(GL_XOR);

        /* create "T1[row2]" */
        /* 2nd of layers of 1st row: 3* entry */
        add_layer(0, 0, 229, 0, 3, NBLK, 3, 0, 228, 0, 1, NBLK);
        /* 2nd of layers of 2nd row: 2* entry */
        add_layer(4, 0, 213, 0, 3, NBLK, 7, 0, 212, 0, 1, NBLK);
        /* 2nd of layers of 3rd row: 1* entry */
        add_layer(8, 0, 197, 0, 3, NBLK, 11, 0, 196, 0, 1, NBLK);
        /* 2nd of layers of 4th row: 1* entry */
        add_layer(12, 0, 197, 0, 3, NBLK, 15, 0, 196, 0, 1, NBLK);

        /* create "T2[row3]" */
        /* 3rd of layers of 1st row: 1* entry */
        add_layer(0, 0, 202, 0, 2, NBLK, 2, 0, 200, 0, 2, NBLK);
        /* 3rd of layers of 2nd row: 3* entry */
        add_layer(4, 0, 234, 0, 2, NBLK, 6, 0, 232, 0, 2, NBLK);
        /* 3rd of layers of 3rd row: 2* entry */
        add_layer(8, 0, 218, 0, 2, NBLK, 10, 0, 216, 0, 2, NBLK);
        /* 3rd of layers of 4th row: 1* entry */
        add_layer(12, 0, 202, 0, 2, NBLK, 14, 0, 200, 0, 2, NBLK);

        /* create "T3[row4]" */
        /* 4th of layers of 1st row: 1* entry */
        add_layer(0, 0, 207, 0, 1, NBLK, 1, 0, 204, 0, 3, NBLK);
        /* 4th of layers of 2nd row: 1* entry */
        add_layer(4, 0, 207, 0, 1, NBLK, 5, 0, 204, 0, 3, NBLK);
        /* 4th of layers of 3rd row: 3* entry */
        add_layer(8, 0, 239, 0, 1, NBLK, 9, 0, 236, 0, 3, NBLK);
        /* 4th of layers of 4th row: 2* entry */
        add_layer(12, 0, 223, 0, 1, NBLK, 13, 0, 220, 0, 3, NBLK);

        /* xor with round key */
        key_ind = key_ind + 16;
        glRasterPos2i(0, 0);
        glCopyPixels(key_ind, 0, 16, NBLK, GL_COLOR);

        /* turn off XOR before starting the next round */
        glDisable(GL_COLOR_LOGIC_OP);
    } /* end of for r */

    /* last round: Sbox, ShiftRows and XOR with round key */
    glDisable(GL_COLOR_LOGIC_OP);

    /* SBox */
    glPixelTransferi(GL_MAP_COLOR, 1);
    glPixelMapfv(GL_PIXEL_MAP_R_TO_R, 256, Te1);
    glPixelMapfv(GL_PIXEL_MAP_G_TO_G, 256, Te1);
    glPixelMapfv(GL_PIXEL_MAP_B_TO_B, 256, Te1);
    glRasterPos2i(192, 0);   /* destination of copy */
    glCopyPixels(0, 0, 16, NBLK, GL_COLOR);

    /* ShiftRows */
    glPixelTransferi(GL_MAP_COLOR, 0);
    glRasterPos2i(0, 0);
    glCopyPixels(192, 0, 4, NBLK, GL_COLOR);
    add_layer(4, 0, 197, 0, 3, NBLK, 7, 0, 196, 0, 1, NBLK);
    add_layer(8, 0, 202, 0, 2, NBLK, 10, 0, 200, 0, 2, NBLK);
    add_layer(12, 0, 207, 0, 1, NBLK, 13, 0, 204, 0, 3, NBLK);

    /* xor with round key */
    glEnable(GL_COLOR_LOGIC_OP);
    glLogicOp(GL_XOR);
    key_ind = key_ind + 16;
    glRasterPos2i(0, 0);
    glCopyPixels(key_ind, 0, 16, NBLK, GL_COLOR);

    /* read buffer to system memory */
    // glReadPixels(0,0,BYTES_PER_BLK,NBLK,GL_RGB,GL_UNSIGNED_BYTE,out_data);
    /* Uncomment the above line to read all pixels to a single array which
       can then be written to a file. The following prints one row (since all
       blocks being encrypted are identical in this example, just check one
       row) of each pixel component so the user can verify the ciphertext. */

    /* one line of each pixel color */
    glReadPixels(0, 0, 16, 1, GL_RED, GL_UNSIGNED_BYTE, out_red);
    for (ri = 0; ri < 16; ++ri) {
        printf("%x ", out_red[ri]);
    }
    printf("\n");
    glReadPixels(0, 0, 16, 1, GL_GREEN, GL_UNSIGNED_BYTE, out_green);
    for (ri = 0; ri < 16; ++ri) {
        printf("%x ", out_green[ri]);
    }
    printf("\n");
    glReadPixels(0, 0, 16, 1, GL_BLUE, GL_UNSIGNED_BYTE, out_blue);
    for (ri = 0; ri < 16; ++ri) {
        printf("%x ", out_blue[ri]);
    }
    printf("\n");
} /* end of encrypt */

void init(void)
{
    /* dithering needs to be off; initialize all pixels to 1.0 */
    glDisable(GL_DITHER);
    glClearColor(1.0, 1.0, 1.0, 1.0);
    glClearDepth(1.0);

    /* to simplify indexing: set raster positions to correspond to pixels,
       0,0 = lower left */
    glMatrixMode(GL_PROJECTION);
    glLoadIdentity();
    gluOrtho2D(0.0, 300.0, 0.0, 410.0);
    glMatrixMode(GL_MODELVIEW);
    glLoadIdentity();
    glDrawBuffer(GL_FRONT);
    glReadBuffer(GL_FRONT);
    maketestdata();
    maketestekey();
    glPixelStorei(GL_UNPACK_ALIGNMENT, 1);
} /* end of init */

void display(void)
{
    glClear(GL_COLOR_BUFFER_BIT);
    encrypt();
    glFlush();
} /* end of display */

int main(int argc, char **argv)
{
    const GLubyte *ver_str;

    glutInit(&argc, argv);
    glutInitDisplayMode(GLUT_SINGLE | GLUT_RGB);
    glutInitWindowSize(300, 410);
    glutInitWindowPosition(50, 10);
    glutCreateWindow("aes");
    init();
    ver_str = glGetString(GL_VERSION);
    fprintf(stderr, "OpenGL version %s\n", ver_str);
    glutDisplayFunc(display);
    glutMainLoop();
    return 0;
}
About the Authors

Debra Cook is a Ph.D. student with the Department of Computer Science at Columbia University in New York. She is completing her doctorate in 2006. Her research interests are focused in applied cryptography and security. She has a B.S. and M.S.E. in mathematical sciences from the Johns Hopkins University in Baltimore, Maryland, and an M.S. in computer science from Columbia University. After graduating from Johns Hopkins, she was a senior technical staff member at Bell Labs and AT&T Labs before pursuing her Ph.D.

Angelos Keromytis is an Associate Professor of Computer Science at Columbia University in
New York. His research interests include design and analysis of network and cryptographic protocols, software security and reliability, and operating system design. He received his Ph.D. and M.Sc. in computer science from the University of Pennsylvania, Philadelphia, PA in 2001. He received his B.S. in computer science from the University of Crete, Heraklion, Greece in 1996.

Index

AES, 27, 34, 39-41, 48-64, 105
  experiments, 58-64
  key schedule, 52
  OpenGL code, 107-129
  OpenGL implementation, 53-58
asymmetric key ciphers, 38
block ciphers, 24, 34, 40, 82, 99
BrookGPU, 17
Cg, 17
cryptographic accelerators, 25
data compression and GPUs, 97
DES, 34, 42
differential fault analysis, 33-35
Diffie-Hellman, 39
digital rights management, 29
digital signal processors, 101, 106
Direct3D, 17
elliptic curve cryptography, 39
GLUT, 18, 58, 62, 82
GLX, 62
GPU, 9-24
  APIs, 17
  architecture, 10
  pixel processor, 10
  vertex processor, 10
GPUs and general purpose programming, 15, 23
graphical keypad, 90, 106
graphics based stream cipher, 99, 105
keying of GPUs, 69, 90
  experiments, 82
  remote keying protocol, 75
MAC, 82
malware, 28, 30, 32, 42, 69, 90, 93
man-in-the-middle attack, 93
modes of encryption, 45-48, 105
OpenGL, 12, 16-22, 48, 78
phishing, 28, 94
pixel processing, 10, 12, 15, 19-22
projects, 105
RC4, 43, 79, 81
RC6, 42
remotely keyed CryptoGraphics, 69
RSA, 39, 80
side channel attacks, 33-35
spyware, 28, 30, 32, 37, 71, 87, 96, 97
stream ciphers, 40, 44
  experiments, 64-67
symmetric key ciphers, 40
thin-clients, 28, 69, 83
Trusted Computing Group, 29, 95
trusted platform module, 30, 95
untrusted clients, 69
user input - protecting, 89
vertex processing, 10, 13, 22
Vertigo, 17
video conferencing, 28, 69, 83
window toolkits - wrappers for APIs, 19