Tamper Resistance - a Cautionary Note Ross Anderson Markus Kuhn - PowerPoint PPT Presentation

Tamper Resistance - a Cautionary Note Ross Anderson Markus Kuhn University of Cambridge University of Erlangen/ Computer Laboratory Purdue University

Applications of Tamper Resistant Modules Security of cryptographic applications is based on secure storage of secret keys and unobservability of computation Distributed and mobile applications allow attacker full physical access to hardware over extended period of time pay-TV access control anti-theft protection electronic purses authentic telemetry financial transaction terminals protection of algorithms software copy protection cellular phones prepayment meters ...

Classification of Attackers Class I: Clever Outsiders. Often very intelligent, have insufficient knowledge of the system, have access to moderately sophisticated equipment, use existing weaknesses in the system. Class II: Knowledgeable Insiders. Substantial specialized technical education and experience, varying degrees of understanding of the system but potential access to most relevant information, often highly sophisticated tools. Class III: Funded Organizations. Teams of specialists with complementary skills, great funding resources, capable of in-depth analysis and design of sophisticated attacks, most advanced tools, access to knowledgeable insiders. [according to Abraham, Dolan, Double, Stevens: Transaction Security System, IBM Systems Journal, Vol. 30, No. 2, 1991.]

Getting Access to the Die Surface in Plastic Chips and Smartcards 1) Remove covering plastic manually 2) Put with a pipette a few drops fuming nitric acid (>98% HNO ) on remaining plastic 3 3) Etching process can be accelerated by heating up chip and acid with IR radiator 4) Wash away acid and dissolved plastic with acetone 5) Repeat from step 2 until die surface is fully exposed

UV Read-out of Standard Microcontrollers UV light EEPROM Security Fuse Many microcontrollers have an EEPROM security fuse located outside the EEPROM program memory. Open chip package Cover program memory with opaque material Reset security fuse in UV EPROM eraser Access memory with program/verify commands

Common Attack Techniques for Microcontrollers Security locks can often be released using unusual operating conditions: PIC16C84: raise VCC to VPP-0.5V and repeated writes to the lock bit will clear it without erasing the program memory. DS5000: short voltage drops sometimes release lock Smartcard controller: low VCC causes RBG to output mostly 1 bits Intel 8051 compatible µC can be read-out using the EA pin to switch between internal and external ROM access. Protection flip-flops can sometimes be reset with short VCC drops. Try all out-of-specification voltages, timings, temperatures, and programming protocol errors [FIPS 140-1]. Other common attack techniques try to get insight by protocol timing analysis EEPROM high temperature aging plus VCC variations current consumption analysis recording of leakage currents on switchable port/bus pins

Change single instructions by signal glitches VCC CLK RST Fault model: R C Links between transistors form RC delay elements R and C vary between links and individual chips Maximum RC of any link determines maximum CLK frequency RST signal sometimes not latched, which allows partial resets Transistors compare VCC and V , which allows VCC glitches C

Glitch attack on an output loop Typical data output routine in security software: b = answer_address 1 2 a = answer_length 3 if (a == 0) goto 8 4 transmit(*b) 5 b = b + 1 6 a = a - 1 7 goto 3 8 ... Cause CLK or VCC glitch when instruction 3 or 6 is being fetched, in order to extend loop length to send additional memory content to port.

Advanced Attack Tools Microprobing workstation up to around nine needles Laser cutter allows to break connections and remove passivation Electron beam testing comfortable access to bus signals Focused ion beam workstation creates new connections Selective dry etching helps to work around depassivation sensors Automatic layout reconstruction creates circuit diagram Electro-optic sampling scans a lithium niobate crystal with laser light for effects of E-field variations (e.g., 5 V, 25 MHz). IR rear access observe transistors with electro-optic effects from below at wavelengths at which the Si substrate is transparent

Example Read-Out Operation for a Smartcard Security Processor CLK signal Program Microcode +1 load Counter one single Control Unit microprobing load needle low high out GND data bus (8 bit) EEPROM address bus (16 bit) old connection opened with laser cutter new connection established with focused ion beam workstation Problem: Minimize the number of microprobing needles required for EEPROM read-out. One solution: Disconnect most parts of the CPU from the on-chip bus Use CPU components (e.g., program counter) to generate all addresses sequentially Observe only one data bus bit with per run, as multiple needles are difficult to handle Combine all eight data bus observations to memory dump and disassemble the secret software

Protection techniques environmental sensors fine wire winding package copier traps conductive ink package top-layer coating composite materials multilayer design oscillator salting fusible links battery buffered SRAM non-deterministic timing ... Problems of battery buffered SRAM approaches low temperature delays bit pattern degradation without VCC long term exposure to constant bit pattern causes ion migration

Conclusions: do not blindly trust manufacturer claims about tamper resistance tamper resistance should be only an additional layer of protection and not a single point of failure; avoid global secrets clever protocols and public key cryptography can reduce the importance of tamper resistance use fault-tolerant machine code in smartcards smartcard form is problematic for high security applications implement fallback modes, intruder detection, intruder identification, and counter measures insist on indepth hostile review of your design