CryptoGraphics
Exploiting Graphics Cards for Security
Advances in Information Security
Sushil Jajodia
Consulting Editor
Center for Secure Information Systems George Mason University
Fairfax, VA 22030-4444 email: jajodia@smu.edu
The goals of the Springer International Series on ADVANCES IN INFORMATION SECURITY are, one, to establish the state of the art of, and set the course for future research in information security and, two, to serve as a central reference source for advanced and timely topics in information security research and development. The scope of this series includes all aspects of computer and network security and related areas such as fault tolerance and software assurance.
ADVANCES IN INFORMATION SECURITY aims to publish thorough and cohesive overviews of specific topics in information security, as well as works that are larger in scope or that contain more detailed background information than can be accommodated in shorter survey articles. The series also serves as a forum for topics that may not have reached a level of maturity to warrant a comprehensive textbook treatment.
Researchers, as well as developers, are encouraged to contact Professor Sushil Jajodia with ideas for books under this series.
Additional titles in the series:
UNDERSTANDING INTRUSION DETECTION THROUGH VISUALIZATION by Stefan Axelsson; ISBN-10: 0-387-27634-3
HOP INTEGRITY IN THE INTERNET by Chin-Tser Huang and Mohamed G. Gouda; ISBN-10: 0-387-22426-3
PRIVACY PRESERVING DATA MINING by Jaideep Vaidya, Chris Clifton and Michael Zhu; ISBN-10: 0-387-25886-8
BIOMETRIC USER AUTHENTICATION FOR IT SECURITY: From Fundamentals to Handwriting by Claus Vielhauer; ISBN-10: 0-387-26194-X
IMPACTS AND RISK ASSESSMENT OF TECHNOLOGY FOR INTERNET SECURITY: Enabled Information Small-Medium Enterprises (TEISMES) by Charles A. Shoniregun; ISBN-10: 0-387-24343-7
SECURITY IN E-LEARNING by Edgar R. Weippl; ISBN: 0-387-24341-0
IMAGE AND VIDEO ENCRYPTION: From Digital Rights Management to Secured Personal Communication by Andreas Uhl and Andreas Pommer; ISBN: 0-387-23402-0
INTRUSION DETECTION AND CORRELATION: Challenges and Solutions by Christopher Kruegel, Fredrik Valeur and Giovanni Vigna; ISBN: 0-387-23398-9
THE AUSTIN PROTOCOL COMPILER by Tommy M. McGuire and Mohamed G. Gouda; ISBN: 0-387-23227-3
Additional information about this series can be obtained from
CryptoGraphics
Exploiting Graphics Cards for Security
by
Debra L. Cook
Angelos D. Keromytis
Columbia University
New York, USA
Springer
Debra L. Cook and Angelos D. Keromytis
Department of Computer Science
450 Computer Science Building
Columbia University
1214 Amsterdam Avenue, M.C. 0401
New York, NY 10027-7003
Library of Congress Control Number: 2006925092
CRYPTOGRAPHICS: Exploiting Graphics Cards for Security by Debra L. Cook and Angelos D. Keromytis
ISBN-13: 978-0-387-729015-7
ISBN-10: 0-387-29015-X
e-ISBN-13: 978-0-387-34189-7
e-ISBN-10: 0-387-34189-7
Printed on acid-free paper.
© 2006 Springer Science+Business Media, LLC
All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
Printed in the United States of America.
Contents
List of Figures
List of Tables
Preface
Acknowledgments
1. INTRODUCTION
    1.1 Overview
    1.2 GPUs
    1.3 Motivation
    1.4 Encryption in GPUs
    1.5 Remotely Keyed CryptoGraphics
    1.6 Related Issues
    1.7 Extensions
    1.8 Conclusions
2. GRAPHICAL PROCESSING UNITS
    2.1 Overview
    2.2 GPU Architecture
    2.3 GPUs and General Purpose Programming
    2.4 APIs
    2.5 OpenGL and Pixel Processing
    2.6 Representing Data with Vertices
    2.7 Non-Graphic Uses of GPUs
3. MOTIVATION
    3.1 Overview
    3.2 Accelerating Cryptographic Processing
        3.2.1 Issue
        3.2.2 Previous Approaches
        3.2.3 Summary of the GPU-Based Approach
    3.3 Malware and Spyware
        3.3.1 Issue
        3.3.2 Motivating Applications
        3.3.3 Other Related Work
        3.3.4 Summary of the GPU-Based Approach
    3.4 Side Channel and Differential Fault Analysis
4. ENCRYPTION IN GPUS
    4.1 Overview
    4.2 Feasibility of Asymmetric Key Ciphers
    4.3 Feasibility of Symmetric Key Ciphers
    4.4 Modes of Encryption
    4.5 Example: AES
        4.5.1 AES Background
        4.5.2 AES in OpenGL
        4.5.3 AES Experiments
        4.5.4 Use of Parallel Processing in Attacks
    4.6 GPUs and Stream Ciphers
        4.6.1 Overview
        4.6.2 Experiments
    4.7 Conclusions
5. REMOTELY KEYED CRYPTOGRAPHICS
    5.1 Overview
    5.2 Keying of GPUs
    5.3 Prototype
        5.3.1 Purpose
        5.3.2 Architecture
        5.3.3 Implementation
    5.4 Design Decisions
        5.4.1 Remote Keying
        5.4.2 Decryption of Data in the GPU
    5.5 Experiments
    5.6 Conclusions
6. RELATED ISSUES
    6.1 Overview
    6.2 Protecting User Input
    6.3 Keying the GPU
    6.4 Attacks
    6.5 Trusted Platform Module
    6.6 Data Compression
7. EXTENSIONS
    7.1 Overview
    7.2 Graphics-based Cipher
    7.3 Encryption within DSPs
8. CONCLUSIONS
    8.1 Summary
    8.2 Suggested Projects
Appendices
A AES OpenGL Code for Encryption
    A.1 Overview
    A.2 Version Using the Red Pixel Component and the Back Buffer
    A.3 Version Using the RGB Pixel Components and the Front Buffer
References
Index
List of Figures
2.1 High Level View of GPU Hardware
2.2 GPU's Main Processing Steps
2.3 OpenGL Version 2.0 General Pipeline
2.4 OpenGL Pipeline for Pixel Processing
3.1 Various Attack Points for Phishing
4.1 ECB Encryption Mode
4.2 CBC Encryption Mode
4.3 CTR Encryption Mode
4.4 OFB Encryption Mode
4.5 CFB Encryption Mode
4.6 Layout of Data in Pixel Coordinates used in the OpenGL Version of AES
4.7 Encryption of 300 Identical Blocks in RGB Components
5.1 Malware on Untrusted Client with OS-based Decryption
5.2 Malware on Untrusted Client with GPU-based Decryption
5.3 Architecture for Remotely Keyed Decryption in the GPU
5.4 Remotely Keyed Decryption in GPU Protocol
5.5 Encrypted Image Received by GPU
5.6 Decrypted Image Displayed in GPU
5.7 Decryption Rates: All Entities on a Single System
5.8 Decryption Rates: Dedicated LAN and Client 1
5.9 Decryption Rates: Shared LAN and Client 2
6.1 Graphical Keypad for Digits
6.2 Graphical Keypad for Hex Values
List of Tables
4.1 AES S-Box for Encryption
4.2 AES S-Box for Decryption
4.3 Encryption Rates for AES
4.4 XOR Rate Using System Resources (CPU)
4.5 XOR Rate Using GPUs - RGB Pixel Components
4.6 XOR Rate Using GPUs - RGBA Pixel Components
Preface
CryptoGraphics: Exploiting Graphics Cards for Security explores the potential for implementing ciphers within graphics processing units (GPUs), and describes the relevance of GPU-based encryption and decryption to the security of applications involving remote displays.
As the processing power of GPUs increases, researchers have started to study the use of GPUs for general purpose computing. While GPUs do not support the range of operations found in CPUs, their processing power has grown to exceed that of CPUs and their designs are evolving to increase their programmability. GPUs are especially attractive for applications requiring a large quantity of parallel processing. This work extends such research by considering the use of GPUs as a parallel processor for encrypting (and decrypting) data.
The authors examine the operations found in symmetric and asymmetric key ciphers to determine if encryption can be programmed in existing GPUs. While certain operations make it impossible to implement some ciphers in a GPU, the operations used in most block ciphers, including the Advanced Encryption Standard (AES), can be performed in GPUs. A detailed description and code for a GPU-based implementation of AES is provided.
The feasibility of GPU-based encryption allows the authors to explore the use of a GPU as a trusted system component, motivated by the use of thin-client and remote conferencing applications on untrusted or untrustworthy systems. By enabling encryption and decryption in GPUs, unencrypted display data can be confined to the GPU to avoid exposing it to any malware running on the operating system. The authors describe a prototype implementation of GPU-based decryption for protecting displays exported to untrusted clients. Issues and solutions related to fully securing data on untrusted clients, including the protection of user input, are also discussed.
Additional capabilities are constantly being added to GPUs: when the first experiments described in this book were performed, programmable pixel processors were a new feature. Improved programmability of GPUs will likely remove some of the limitations encountered when implementing ciphers to run in GPUs within the next couple of years, while other limitations are not likely to be addressed as long as GPUs are not designed or marketed for general purpose processing. While the capabilities of GPUs are growing, the concepts and proposed architectures described within this book are independent of the changes in GPUs and will only become easier to implement as the general programmability of GPUs evolves.
Acknowledgments
The authors jointly wish to thank John Ioannidis for suggesting the idea of performing encryption in a GPU, which led to this work, and Ricardo Baratto for providing information on thin clients. Eran Tromer pointed out that moving encryption into GPUs can be a preventive measure against some existing side channel attacks on block ciphers.
Angelos Keromytis also wishes to thank his wife Elizabeth for her patience and understanding, as well as her careful reading of drafts of this manuscript.
Chapter 1
INTRODUCTION
1.1 Overview
The focus of this book is the use of graphics processing units (GPUs) for cryptographic operations, hence the term CryptoGraphics. The computing power of GPUs has increased substantially over the past several years to the point that GPUs are more efficient than CPUs for certain tasks. As a result, even though GPUs are not intended to be general purpose processors, researchers have begun to study the use of GPUs for non-graphics applications. In most cases, the goal is to increase the rate at which computations can be performed by an application by using the GPU for specific types of calculations. Applications that are well suited to run in a GPU use data representations and types that are compatible with the GPU's abstraction of pixels. Compatible computations involve operations that take a single pixel's value, apply a simple function to it and output the result as a new pixel value. Parallel processing on multiple data sets can be performed by using multiple sets of pixels to represent the data sets and by applying the application simultaneously to each set and/or by treating each color component of a pixel as a separate set of data and applying the algorithm in parallel to each color component.
The potential for increased processing power was the original reason for investigating the use of GPUs for cryptographic operations. As the work evolved, other benefits emerged, such as avoiding the exposure of unencrypted data to an untrusted operating system where spyware can access it, and designing ciphers based on operations commonly found in graphics processing. Another, less obvious, benefit is that executing cryptographic operations entirely in a GPU provides a preventive measure against some existing side channel attacks and differential fault analysis on ciphers.
The work described within this book explores the possibility of implementing asymmetric key and symmetric key ciphers within GPUs, and describes the relevance of GPU-based encryption and decryption to applications involving remote displays, such as video conferencing and thin-client applications. An implementation of AES in OpenGL serves as an example of the feasibility of encrypting within a GPU. It also reflects the obstacles encountered due to limitations of GPUs and their APIs. A prototype application involving streaming video and GPU-based decryption is described to illustrate the benefits and issues of running a cipher within a GPU. Suggestions for GPU enhancements and a proposal for a GPU friendly cipher are included. In addition, methods for securing other data inputs relevant to the applications, such as keyboard input and audio, are briefly described. The relationship of this work to that of the Trusted Computing Group (TCG) is also discussed.
GPU vendors are constantly increasing the capabilities of GPUs. When the first experiments described in this book were performed, programmable pixel (fragment) processors were just being added to GPUs. During the time this book was being written, the increase in supported pixel size has resulted in an increase in the amount of data that can be encrypted simultaneously, but no new capabilities became available to address the obstacles encountered when attempting to perform certain cryptographic operations within a GPU. In the next couple of years the growing programmability of GPUs and the introduction of an API that improves access to GPUs' capabilities will likely eliminate some of the obstacles encountered, but other limitations are not likely to be addressed as long as GPUs are not designed or marketed for general purpose processing.
Chapter 2 provides background information on GPUs and their APIs, which will assist the reader in understanding the capabilities and limitations of using a GPU as a general purpose processor. The background information also clarifies why certain implementation decisions were made in the experiments described in Chapters 4 and 5. The motivation for the work is described in Chapter 3. The protection that GPU-based encryption and decryption provide against side channel attacks and differential fault analysis is also discussed. Chapter 4 discusses the implementation of encryption within a GPU, including an implementation of AES in OpenGL. The code for the OpenGL version of AES's encryption function is provided in Appendix A. Chapter 5 describes a prototype for encrypting displays sent to untrusted remote clients. Chapter 6 describes issues related to fully implementing a secure system based on the prototype described in Chapter 5. This includes protecting the user's inputs on the untrusted client, an option for conveying a secret key to the GPU, notes on compression of images, and the relevance of certain types of attacks to the prototype. An overview of the TCG's trusted platform module (TPM) and how GPU-based encryption can utilize the TPM is provided. Chapter 7 discusses related ideas and future work, including the encryption of audio in digital signal processors (DSPs) and designing a stream cipher to run in a GPU. Chapter 8 summarizes the work and the insights gained from the experiments. The following is an overview of each chapter.
1.2 GPUs
This chapter provides background information on GPUs and their APIs, which will assist the reader in understanding both the motivation for the work and the implementation decisions made in the experiments described in later chapters. An overview of GPUs is provided and existing APIs to GPUs are discussed. Of the APIs, the lowest level that is publicly available and is independent of the operating system is OpenGL [58]. Direct3D [51] is at the same layer as OpenGL but is Microsoft-specific. The experiments and implementations described within this book use only the OpenGL API. Other, more user-friendly, APIs exist that provide a user interface layer above OpenGL and Direct3D. However, these provide the programmer less control over which operations are executed in the GPU vs. in the CPU, and over the exact commands issued to the GPU.
Processing in GPUs is split between operating on vertices (vertex processor) and on pixels (pixel processor). The cryptographic operations under consideration require that data be stored in and processed as pixels as opposed to vertices. This is also the case for other types of applications that have experimented with using a GPU as a general purpose processor. An explanation for why vertices cannot be used to store and process data is provided. In order to provide an understanding of what operations are provided by a GPU for cryptographic algorithms, some details on OpenGL and pixel processing are included. Finally, a few non-graphic applications utilizing GPUs in areas other than cryptography and security are mentioned to illustrate the growing use of GPUs as general purpose processors.
1.3 Motivation
This chapter describes the motivation for experimenting with the use of GPUs for performing cryptographic operations. The main reasons are accelerating the execution of cryptographic operations using commodity hardware and protecting data from spyware and certain types of phishing attacks. The use of GPUs also eliminates the possibility of existing side channel attacks and existing differential fault analysis.
Cryptographic operations serve a critical role in protecting data and in ensuring the authenticity and integrity of data. The need to perform such operations without consuming shared system resources in certain environments has led to the development of specialized cryptographic hardware. However, such hardware is not a common component of most systems. In contrast, GPUs are