for hardware or embedded security Erik Poll Digital Security - - PowerPoint PPT Presentation

for
SMART_READER_LITE
LIVE PREVIEW

for hardware or embedded security Erik Poll Digital Security - - PowerPoint PPT Presentation

Mar 02, 2024 434 likes •907 views

Attacker Models for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1 Security-sensitive hardware: examples 2 Naive attacker model Attacks on communication channels exploiting lousy crypto or insecure

slide-1
SLIDE 1

1

Attacker Models for hardware or embedded security Erik Poll

Digital Security Radboud University Nijmegen

slide-2
SLIDE 2

Security-sensitive hardware: examples

2

slide-3
SLIDE 3

Naive attacker model

3

Attacks on communication channels exploiting lousy crypto or insecure protocols

  • Protection by

1) mathematically strong algorithms and protocols

  • End-points regarded as black boxes
  • Attacker models: network, Man-in-the-Middle, or Dolev-Yao attacker

The mathematician’s view

slide-4
SLIDE 4

Improved attacker model

4

Attacks on communication channels or the end-points

  • eg. exploiting software bugs in end-points
  • Protection by

1) mathematically strong algorithms and protocols, 2) secure software implementations Software engineer’s view

slide-5
SLIDE 5

Embedded security attacker model

5

Attacks on communication channel or end-points, also exploiting hardware weaknesses of end-points

  • Protection by

1) mathematically strong algorithms and protocols 2) secure software implementations 3) secure hardware

  • Cryptographic operations are gray boxes that leak some info

Hardware engineer’s view

  • I. Verbauwhede, P. Schaumont
slide-6
SLIDE 6

Specific threat for embedded systems

Attacker can get physical access

6

slide-7
SLIDE 7

Secure algorithms vs secure implementations of algorithms

As we’ll see later in this course, an implementation of a ‘secure’ cryptographic primitive (eg AES, RSA, etc) can be completely insecure on given hardware Therefore 1. Never design your own cryptographic primitives 2. Never make your own implementations of these crypto primitives Maybe the same goes for security protocols using these primitives as well...

7

  • I. Verbauwhede, P. Schaumont
slide-8
SLIDE 8

8

Brainstorm

slide-9
SLIDE 9

Brainstorm

  • Why do we carry so many smartcards around?
  • What

at are the security requirements they ensure?

  • How

w do they ensure these requirements?

  • Why are they ‘better’ than the alternatives?
slide-10
SLIDE 10

Differences? Commonalities?

10

slide-11
SLIDE 11

Differences & Commonalities

  • wrt functionality:

– data storage: read and/or write? – processing for and maybe also

  • wrt security:

– confidentiality – integrity/authenticity – access control

  • by software for and maybe also
  • or is that functionality? :-)

11

slide-12
SLIDE 12

NB problems introduced by cryptography

1. key generation & distribution

  • how do we generate & distribute keys?

2. key storage

  • where can we safely store keys?

– This is an access control problem

3. en/decryption

  • who do we trust to perform en/decryption?

Smartcards provide a possible solution...

12

slide-13
SLIDE 13

Access control vs cryptography

  • Crypto involves data
  • Crypto can ensure integrity &

non-repudiation with MACs

  • r digital signatures and

confidentiality with encryption

  • Crypto can secure data that

are not under our control,

  • eg data on network or stored
  • n USB stick
  • Crypto still relies on access

control, namely for the keys

  • so crypto only moves the

security problem elsewhere

  • Access control involves

functionality

  • Access control can ensure

integrity, non-repudiation & confidentiality by preventing read and/or write access

  • Access control can only

regulate for access to resources under our control

13

slide-14
SLIDE 14

Differences? Commonalities?

14

  • Both computers, but with different resources (memory,

computing power,...) + Pro smartcard: the hardware is more secure; on PC we can remove hard disk, access memory chips,...

  • Con smartcard: does not allow I/O to the user
slide-15
SLIDE 15

15

Smartcards

slide-16
SLIDE 16

Overview

  • what is a smartcard?
  • hardware, protocols, operating systems
  • attacks and countermeasures

16

slide-17
SLIDE 17

17

What is a smartcard?

slide-18
SLIDE 18

What is a smartcard?

  • Tamper-resistant computer, embedded in piece
  • f plastic, with limited resources
  • aka chip card or integrated circuit card (ICC)
  • capable of securely

– storing data – processing data

  • This is what makes a smartcard smart; stupid cards

can store but not process

  • Processing capabilities vary greatly

18

slide-19
SLIDE 19

Smartcard form factors

  • traditional credit-card sized plastic card

– ISO 7816

  • mobile phone SIM

– cut-down in size

  • contactless cards

– aka proximity card or RFID transponder/tag – also possible: dual interface

  • iButton

19

slide-20
SLIDE 20

Smartcard example uses

  • bank cards: chipknip, new EMV creditcards
  • GSM SIM in mobile phone
  • pay TV
  • public transport

– eg OV chipkaart in NL

  • health cards

– eg UZI pas in NL

  • passports

– new generation passports with biometric information stored

  • n chip
  • access cards

– to control access to buildings, computer networks, laptops,...

20

slide-21
SLIDE 21

Smartcard example uses

  • RFID tags

– animal or human identification – product identification (like bar codes)

  • road pricing
  • electronic number plates
  • TPM (Trusted Platform Modules) in PC
  • digital signatures

– eg eNIK (elektronische Nederlandse Identiteits Kaart)

21

slide-22
SLIDE 22

Classification: functionality

Functional capabilities of smartcards & RFID tags can vary a lot: 1. device just reports data – read-only file-system 2. device reports data after some access control – protected (eg password-protected) file-system

  • read-only or read/write

3. device can take part in crypto protocol – eg for authentication Some of these cards are programmable, some have built- in functionality which you can configure but not change Which attacks can 3 withstand, that 1 & 2 can't? Replay attacks!

26

slide-23
SLIDE 23

Classic use of smartcard for authentication

  • If card can perform encryption,

then the private key K never has to leave the card

  • The card issuer does not have to trust the network, the

terminal, or the card holder

27

private key K CPU

challenge c response encK(c)

slide-24
SLIDE 24

Stupid smartcards vs smart smartcards

Capabilities of smartcards & RFID tags vary a lot:

  • Memory cards (“stupid” smartcards)

– essentially just provide a file system – possibly with some access control or, simpler still, destructive (irreversible) writes as in old payphone-cards – configurable functionality hardwired in ROM

  • Microprocessor cards (“smart” smartcard)

– contain CPU

  • possibly also crypto co-processor

– programmable

  • program burnt into ROM, or stored in EEPROM
  • RFID tags are often like old memory cards
  • Focus in this course will be on microprocessor cards

28

slide-25
SLIDE 25

Security requirements

  • integrity

– of data or functionality (incl. all software)

  • authenticity

– resistance to copying/cloning

– non-repudiation

– being able to prove (not being able to deny) that an action has been carried out by some party

  • confidentiality

– of data, or of card/card holder, ie. anonymity

  • availability aka resistance to denial-of-service
  • tamper-proof
  • tamper-resistance
  • tamper-evidence

NB hardly anything is tamper-proof

29

slide-26
SLIDE 26

30

Smartcard hardware

slide-27
SLIDE 27

Smartcard hardware

  • CPU
  • memory

– volatile (RAM) and non-volatile (ROM+EEPROM)

  • limited I/O: just a serial port

possibly:

  • crypto co-processor
  • random number generator (RNG)

No clock, no power!

31

slide-28
SLIDE 28

Smart card chip

32

Test & Security

Clock/ Charge Pump

Crypto coproc. RNG I/O CPU RAM EEPROM ROM memory management unit (MMU)

slide-29
SLIDE 29

CPU

  • 8, 16 and now also 32 bit
  • Steady need for more processing powers

– for virtual machines & cryptography

33

slide-30
SLIDE 30

Crypographic co-processor

  • DES, AES

– DES in hardware takes same size as DES program code in ROM

  • for public-key crypto, ALU providing

exponentation and modulo arithmetic with large numbers

34

slide-31
SLIDE 31

Smartcard memory

ROM

  • BIOS + operating system

EEPROM

  • the smartcard's hard disk

RAM

  • workspace

Typical modern card may have 512 bytes RAM, 16K ROM, 64K EEPROM, 13.5 MHz

35

slide-32
SLIDE 32

RAM

  • volatile aka transient memory
  • SRAM (static RAM) used rather than DRAM (Dynamic RAM) for

lower power consumption

  • used for temporary data

– stack – I/O buffer

  • typically 128 bytes to 16 Kbyte
  • volatile, but small permanent storage characteristics

36

slide-33
SLIDE 33

ROM

  • permanent storage
  • filled during production, using ROM mask
  • contains OS + possibly application code
  • typically 8 to 512 Kbyte
  • Flash is coming up as replacement of ROM
  • ptically readable after removing top layers

37

slide-34
SLIDE 34

EEPROM

  • non-volatile aka persistent, rewritable memory
  • used for applications and data:

– "the smartcard's hard disk“

  • typically 1 to 512 Kbyte
  • characteristics:

– slow: 1000x slower than RAM – has limited lifetime in # writes (> 106) – writing is two stage operation: erase & write – data retention 10-100 years – writing takes high power consumption

  • 17V, realised using charge pump

38

slide-35
SLIDE 35

ROM vs EEPROM for program code

Choice between program code in ROM or EEPROM has big impact on development – Program code in ROM must be suitable for mass-use

– It cannot be patched or updated

  • There has been a clear trend away from having a lot of code in

ROM towards

  • having smaller amount of code in ROM (eg just some standard

functionality provided by libraries or OS), and all custom functionality (the “application”) in EEPROM

39

slide-36
SLIDE 36

Other non-volatile memory types

Modern alternatives for EEPROM (and ROM)

  • Flash

– writing 10 μs instead of 3 -10 ms for EEPROM – programming voltage 12V, against 17V for EEPROM – >100,000 writes, >10 years data retention

– Flash replacing ROM eliminates need for ROM mask & reduces development time

  • FRAM (Ferro-electric RAM)

– writing 100 ns – programming voltage 5V

40

slide-37
SLIDE 37

Physical size of memory cells

  • Memory types not only vary in type (volatile vs non-volatile)

and speed, but also in amount of chip surface required per byte: – RAM requires more space than EEPROM, – EEPROM requires more space than ROM

  • Size of chip is a major cost factor, hence little RAM

Size = Money

41

slide-38
SLIDE 38

Comparison of memory types

42

# of write/ erase cycles writing time typical size RAM unlimited 70 ns 1700 μm2 EEPROM >104-106 3-10 ms 400 μm2 Flash >105 10 μs 200 μm2 FRAM >1010 100 ns 200 μm2 ROM

  • 100 μm2

source: W. Rankl & W. Effling, Smartcard Handbook, 2nd edition, 2000

NB these numbers give a rough impression, but are outdated !!!

slide-39
SLIDE 39

Memory Management

  • Responsible for allocating memory
  • Possibly also for some memory access control, eg
  • between the different types of memory (eg stack, program

data, and code)

  • between application code and the operating system (OS)
  • between applications, for cards that allow multiple

applications to be installed

43

slide-40
SLIDE 40

Clock circuit & charge pump

  • Charge pump

– to generate EEPROM programming voltage

  • Clock circuit

– eg. division of the external clock signal to get a lower clock frequency for I/O

  • Typical clock speed 8-13.5 MHz
  • Esp. for GSM SIM cards: the processor can go into sleep-

mode, where clock pulse is stopped, to reduce power consumption

44

slide-41
SLIDE 41

Test & Security

  • Self-test hardware & software

– checking if all RAM & EEPROM cells work – checksums for ROM and static EEPROM

  • Possible additional monitoring and response against

attacks

  • Test functionality is a security risk and may partly have to

be disabled before personalisation! – by writing EEPROM, blowing fuses, or even physically removing hardware

45

slide-42
SLIDE 42

Random Number Generation (RNG)

  • Needed for key generation & fresh nonces
  • Typically pseudo RNG (PRNG) in software

– True RNG that is immune to external influence is hard to realise in hardware

  • NB different cards of same production batch should

produce different sequences of random numbers

– PRNG using seed (stored in EEPROM) supplied as part of OS initialisation

  • Potential hardware security problem with storing PNRG state in

EEPROM? What if this EEPROM wears out after generating lots of random numbers? Card may have to check for this !!

46

slide-43
SLIDE 43

NB nonces vs randoms

Many security protocols require the use of nonces (numbers

  • nly used once)

– to prevent replay attacks (aka ensure freshness)

1. Random numbers are only one of the ways to generate nonces 1. Another way is to simply have an increasing counter

– Eg, your bank cards all use have a counter that is included in integrity & non-repudiation checks – Wrapping around after an integer overflow is a security risk for such counters

slide-44
SLIDE 44

Random Number Generation (RNG)

Tested eg according to FIPS 140-1 which states single stream of 20,000 consecutive bits must pass – monobit test: 9,546 < # ones < 10,346 – poker test: frequency of 4 bits patterns:

  • divide in 5000 4bits segments,
  • calculate f(p) = # of occurrence of 4 bits pattern p
  • 1.03 < X < 57.4, where X is 16/5000*Σpf(p)2-5000

– run test: requirements of runs (sequence of all 0's or all 1's) of lengths 1-6 – long run test: no runs  34

48

slide-45
SLIDE 45

Smart card chip

49

Test & Security

Clock/ Charge Pump

Crypto coproc. RNG I/O CPU RAM EEPROM ROM memory management unit (MMU)