Secure Physical Enclosures from Covers with Tamper-Resistance

Secure Physical Enclosures from Covers with Tamper-Resistance Vincent Immler, Johannes Obermaier, Kuan Kuan Ng, Fei Xiang Ke, JinYu Lee, Yak Peng Lim, Wei Koon Oh, Keng Hoong Wee, Georg Sigl Conference on Cryptographic Hardware and Embedded


slide-1
SLIDE 1

Secure Physical Enclosures from Covers with Tamper-Resistance

Vincent Immler, Johannes Obermaier, Kuan Kuan Ng, Fei Xiang Ke, JinYu Lee, Yak Peng Lim, Wei Koon Oh, Keng Hoong Wee, Georg Sigl Conference on Cryptographic Hardware and Embedded Systems, Atlanta, Aug 26, 2019

slide-2
SLIDE 2

The Physical Security Challenge

Tamper Attempts: any tool, any time, any technique

slide-3
SLIDE 3

Where We Stand in Physical Security

“Security outside the black-box model” by Ventzi Nikov at CARDIS 2016 (Invited Talk)


slide-4
SLIDE 4

Where We Stand in Physical Security

“Security outside the black-box model” by Ventzi Nikov at CARDIS 2016 (Invited Talk)

skip the rest, let’s make this green (at least try)


slide-5
SLIDE 5

Security Enclosures = Access Denial Systems

goal: detect and counteract physical attacks

  • tamper-detection
  • tamper-response
  • zeroization

battery-backed mechanism for continuous protection

zeroization wipes volatile memory containing critical security parameters

slide-6
SLIDE 6

Access Denial Systems: Commercial Examples

countermeasures: active meshes, obfuscation, light sensors, switches, potting, ...

Examples shown: ADP Gauselmann, HP Atalla, IBM Cryptographic Coprocessor

slide-7
SLIDE 7

High-Level Goals of Access Denial Systems

Producibility, Usability, Security

Access Denial System

desired level of security: no demonstrable way to circumvent → secure in the field; prevent HW trojans in distribution chain


slide-8
SLIDE 8

Selected Properties of Shown Examples

Producibility:
  • Envelopes: complex manufacturing but highest geometrical security
  • Covers/shells/housings: less complex but also less secure

Usability:
  • Battery typically limits operating range w.r.t. temperature
  • Shelf life is limited or necessitates additional service

Security:
  • Energy-preserving approach leads to crude measurement resolution
  • Prone to single point of failure at PCB-level (e.g., cut-off alarm, fake check signal)
  • Security mostly based on black-box model

slide-9
SLIDE 9


slide-10
SLIDE 10

Tamper-Evident PUFs as Designated Alternative

  • “True” purpose of PUFs: tamper-detection w/o battery-backed sensors
  • Upon power-on: key derivation from tamper-evident PUF enclosure
  • If it fails: goal achieved, still initiate further countermeasures
  • If it succeeds: decrypt system or unlock critical security parameters
  • Unfortunately, very little (public) work in this area!
  • Move towards white-box PUF design w/o diminishing security
  • Additional obfuscation then makes it even more difficult to attack

slide-11
SLIDE 11

Proof of Concept: Design Overview

Figure: block diagram of the design. Labels: Cover (sensoric region with fine mesh); Physical Domain, Analog Domain, Digital Domain, Application Domain; Capacitance Measurement, Signal Processing, Key Generation, Tamper Detection, Integrity Detection, Alarm and Zeroization; Evaluation Unit, Host System, HSM Application, CSPs (encrypted).

slide-12
SLIDE 12

Design Goals and Security Objectives

Design Goals:
  • Investigate how far we can get with COTS components
  • Check validity of concept and if it is worth developing further
  • Make physical integrity check complex and bury deep inside IC
  • Concept must scale with advancements in manufacturing

Security Objectives:
  • “Deny physical access” = disassembly is destructive; force multiple holes
  • Maximize distance from enclosure surface to insides of targeted chip
  • Entropy loss upon attack substantial, not possible to reconstruct
  • Increase need for customized tooling
  • Considered diameter = 300 µm

slide-13
SLIDE 13

Physical Domain: Layer Stack-Up of Cover

PCB manufacturing process causes intrinsic variation in mutual capacitance C_M

Layer  Description             Comment
1      Shield                  Facing to outside
       (Bonding)
2      Tx electrodes           Driven electrodes
       (Polyimide)             Mutual capacitance C_M
3      Rx electrodes           Receiving electrodes
       (Bonding)
4      Shield                  Facing inside (to PCB)
       (Polyimide)
5      Connectors and routing

slide-14
SLIDE 14

Physical Domain: Mesh with 16 RX × 16 TX Electrodes

Figure: Sensor Mesh Concept. RX electrodes labelled Ri1 to Ri16 and Ro1 to Ro16; TX electrodes labelled Ti1 to Ti16 and To1 to To16. Detail view (Ti13, Ti14, Ri3, Ri4): Cs = sensor node; 16 × 16 = 256 sensor nodes. Other labels: sensor cell, sensoric region, layer 2, layer 3, 1 mm, 300 µm.

slide-15
SLIDE 15

Stochastic Model of Sensor Nodes

  • All tiny track overlaps behave like capacitors in parallel
  • C_M comprised of nominal capacitance C_N and variation C_V
  • Differential measurement needed to remove common offset C_N
  • C_V <<< C_N requiring high-resolution circuit

slide-16
SLIDE 16

Analog/Digital Domain: Abs+Diff+Integrity Measurement

Figure: measurement circuit block diagram. Labels: Dual DAC Sine Generator, TX1, TX2, RX1, ∆C, I_RX, C_M, JFET TIA, Fully Differential Amplifier, HP Amplifier, LP, ADC, DFT (Phase, Amplitude), Rescaling + Adjust; Analog Domain, Digital Domain.

Measurements of different nature, one cannot exist w/o the other:
  • Absolute capacitance measurement
  • Differential capacitance measurement
  • Integrity measurement (open/short circuit)

Applications:
  • Integrity for rapid measurements and factory-initialization
  • Differential measurement for key generation and on-the-fly rate and range limits
  • Absolute measurement for additional tamper detection and temperature sensor

slide-17
SLIDE 17

Application Domain / Boot Process

Figure: boot process timeline (axis: time). Labels: Power-On Event; repeated Cap Meas and Integrity Detection; PUF Key Generation; System Decrypt; device running; Operational Mode; heartbeat; verification states unverified, preverified, fully verified; Tamper Detection A, B1, B2 and C; example attack; zeroization.

slide-18
SLIDE 18

Basic Statistics

Data acquired from 115 flexPCB covers at constant environmental conditions.

Figure: PDF of differential capacitance. Axes: Differential Capacitance, Occurrence.

Figure: Absolute capacitance per node position. Axes: Sensor Node No., Mean Absolute.

Data in line with expectations. Low noise essential for tamper-evident application.


slide-19
SLIDE 19

Entropy and PUF Assessment (Global)

Shannon entropy over PUF population: 5.2 bit per node / 4.17 bit (with temperature)

Figure: Uniqueness computed via Hamming distance over symbols (higher-order alphabet). Axes: Percent of Changed Symbols, Occurrence.

Figure: Uniqueness computed via Manhattan distance over symbols (higher-order alphabet). Axes: Change in Combined Symbols and Magnitude, Occurrence.

Uniqueness for tamper-evident PUFs: think beyond Hamming over binary responses!
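Added example (not from the slides or the paper): per-node Shannon entropy over a population of covers, and uniqueness measured with Hamming and with Manhattan distance over node symbols, showing that two changes to the same nodes give the same Hamming figure but different Manhattan distances. The data is constructed (Gaussian, seeded); the 8-symbol alphabet, the quantizer and the `shift_nodes` helper are assumptions, so the numbers do not reproduce the values on the slide.

```python
import math
import random
from collections import Counter
from itertools import combinations

NODES = 256    # 16 x 16 sensor nodes per cover, as on the slides
COVERS = 115   # population size from the "Basic Statistics" slide
ALPHABET = 8   # assumed symbols per node after quantization (hypothetical)

def make_population(seed=1):
    """Constructed data: Gaussian differential capacitance, quantized per node."""
    rng = random.Random(seed)
    def quantize(x):  # equal-width bins over +/-3 sigma, tails clipped
        return min(ALPHABET - 1, max(0, int((x + 3.0) / 6.0 * ALPHABET)))
    return [[quantize(rng.gauss(0, 1)) for _ in range(NODES)] for _ in range(COVERS)]

def entropy_per_node(population):
    """Mean Shannon entropy (bits) of the symbol seen at each node position."""
    n, total = len(population), 0.0
    for node in range(NODES):
        counts = Counter(cover[node] for cover in population)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total / NODES

def hamming_pct(a, b):
    """Percent of node symbols that differ, ignoring by how much."""
    return 100.0 * sum(x != y for x, y in zip(a, b)) / len(a)

def manhattan(a, b):
    """Sum of absolute symbol differences, so the size of a change counts."""
    return sum(abs(x - y) for x, y in zip(a, b))

def mean_pairwise(population, distance):
    """Uniqueness: average distance over all pairs of distinct covers."""
    pairs = list(combinations(population, 2))
    return sum(distance(a, b) for a, b in pairs) / len(pairs)

def shift_nodes(response, nodes, step):
    """Constructed change: move the listed nodes by `step` symbols, in range."""
    return [(s + step if s + step < ALPHABET else s - step) if i in nodes else s
            for i, s in enumerate(response)]

if __name__ == "__main__":
    pop = make_population()
    print("entropy per node:", round(entropy_per_node(pop), 2), "bit")
    print("mean pairwise Hamming %:", round(mean_pairwise(pop, hamming_pct), 1))
    for step in (1, 4):  # same 10 nodes changed, different magnitude
        mod = shift_nodes(pop[0], range(10), step)
        print(step, hamming_pct(pop[0], mod), manhattan(pop[0], mod))
```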

slide-20
SLIDE 20

Entropy Assessment (Localized) – Spatial Context-Tree-Weighting

(joint work with Michael Pehl of TU Munich; to be published)

Investigate

  • Spatial entropy dependencies
  • Context around drill hole
  • Worst-case (on average)

Tamper-Evident PUF Results

  • Entropy = 3.7 bit (radius 1)
  • Entropy = 3.1 bit (radius 2,3)
  • Degradation exists due to crude layout and PCB process

Figure panels: radius 1, radius 2 (node marked X).

strong attack: given information around drill hole, complexity to reconstruct X

prevent attacker from obtaining PUF output; consider helper data leakage

slide-21
SLIDE 21

More Data/Attacks/Inspection/Environmental Tests – See Paper

slide-22
SLIDE 22

Conclusions

  • Still, only a tiny step towards access denial systems without battery
  • Full stack approach needed for tamper-evidence/resistance
  • COTS-based approach has its limits, especially regarding repairs
  • Development of access denial systems in white-box model challenging
  • Always use a layered approach to security!

slide-23
SLIDE 23

Selected Future Work

Layout Randomization:
  • Increase # of electrode pairs, recombination based on challenge
  • Naturally translates to layout randomization; breaks up local dependencies

Customize PDF:
  • Impregnation of paired nominal C_N values without altering variation C_V
  • Bimodal or arbitrary PDF for improved circuit and tamper behavior

Tailored Materials:
  • Increase C_V and reduce C_N to improve local entropy loss
  • Make repairs more difficult

...and so much more!

slide-24
SLIDE 24

Contact Information

Vincent Immler
Central Office for Information Technology in the Security Sector (ZITiS)

This work was performed while with Fraunhofer Institute AISEC.


slide-25
SLIDE 25

Thank You! Questions?

slide-26
SLIDE 26

Backup


slide-27
SLIDE 27

Packaging Concept

Figure: packaging concept. Labels: heatsink, screw, stiffener frame, top cover, bottom cover, connectors, PCB, vertical protection structure, metal core, potting resin.

slide-28
SLIDE 28

Measurement Chain

Figure: measurement chain block diagram. Labels: Dual DAC Sine Generator; 16 Coarse Current Sources; 16-to-1; Dual 1-to-8; Tx1 to Tx16, Rx1 to Rx16, TxR1 to TxR16, RxR1 to RxR16; TIA; Fully Differential Amplifier; HP Amplifier; LP; ADC; Comparator; DFT; Rescaling + Adjust; C_M; RX Integrity, TX Integrity; Tx/TxR Control, Rx/RxR Control; Enclosure; Analog Domain, Digital Domain.

slide-29
SLIDE 29

Data Processing Chain

Figure: data processing chain. Labels: Cover, Measurement Circuit, PUF Data Processing, System; PUF Primitive, Discretization, Filtering, Compensation, Normalization, Quantization, ECC, Application; Ref. @ 25 °C; ECC Enc, SYN Enc, Quant., Secret, PUF Key, CSPs, Decrypt, z⁻¹.