Tamper Resistance - a Cautionary Note
Ross Anderson, University of Cambridge Computer Laboratory
Markus Kuhn, University of Erlangen/Purdue University
Applications of Tamper Resistant Modules
Security of cryptographic applications is based on secure storage of secret keys and unobservability of computation.
Distributed and mobile applications allow attacker full physical access to hardware over extended period of time:
- electronic purses
- anti-theft protection
- software copy protection
- cellular phones
- authentic telemetry
- protection of algorithms
- pay-TV access control
- prepayment meters
- financial transaction terminals
- ...
Classification of Attackers
Class I: Clever Outsiders. Often very intelligent, have insufficient knowledge of the system, have access to moderately sophisticated equipment, use existing weaknesses in the system.
Class II: Knowledgeable Insiders. Substantial specialized technical education and experience, varying degrees of understanding of the system but potential access to most relevant information, often highly sophisticated tools.
Class III: Funded Organizations. Teams of specialists with complementary skills, great funding resources, capable of in-depth analysis and design of sophisticated attacks, most advanced tools, access to knowledgeable insiders.
[according to Abraham, Dolan, Double, Stevens: Transaction Security System, IBM Systems Journal, Vol. 30, No. 2, 1991.]
Getting Access to the Die Surface in Plastic Chips and Smartcards
1) Remove covering plastic manually
2) Put with a pipette a few drops fuming nitric acid (>98% HNO3) on remaining plastic
3) Etching process can be accelerated by heating up chip and acid with IR radiator
4) Wash away acid and dissolved plastic with acetone
5) Repeat from step 2 until die surface is fully exposed
UV Read-out of Standard Microcontrollers
Many microcontrollers have an EEPROM security fuse located outside the EEPROM program memory.
- Open chip package
- Cover program memory with opaque material
- Reset security fuse in UV EPROM eraser
- Access memory with program/verify commands
[Figure labels: Security Fuse, UV light, EEPROM]
Common Attack Techniques for Microcontrollers
Security locks can often be released using unusual operating conditions:
- PIC16C84: raise VCC to VPP-0.5V and repeated writes to the lock bit will clear it without erasing the program memory.
- DS5000: short voltage drops sometimes release lock
- Intel 8051 compatible µC can be read-out using the EA pin to switch between internal and external ROM access. Protection flip-flops can sometimes be reset with short VCC drops.
- Smartcard controller: low VCC causes RBG to output mostly 1 bits
Try all out-of-specification voltages, timings, temperatures, and programming protocol errors [FIPS 140-1].
Other common attack techniques try to get insight by
- protocol timing analysis
- recording of leakage currents on switchable port/bus pins
- current consumption analysis
- EEPROM high temperature aging plus VCC variations
Change single instructions by signal glitches
Fault model:
- Links between transistors form RC delay elements
- R and C vary between links and individual chips
- Maximum RC of any link determines maximum CLK frequency
- Transistors compare VCC and V_C, which allows VCC glitches
- RST signal sometimes not latched, which allows partial resets
[Figure labels: VCC, CLK, RST, R, C]
Glitch attack on an output loop
Typical data output routine in security software:
    1  b = answer_address
    2  a = answer_length
    3  if (a == 0) goto 8
    4  transmit(*b)
    5  b = b + 1
    6  a = a - 1
    7  goto 3
    8  ...
Cause CLK or VCC glitch when instruction 3 or 6 is being fetched, in order to extend loop length to send additional memory content to port.
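The output loop from this slide as an added C simulation (not code from the original slides), next to a variant with a redundant bound check of the kind used against single-instruction faults. The fault model (the check at instruction 3 is skipped once, when a has reached 0), the 8-bit counter, the function names and the memory image are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MEM_SIZE 512   /* constructed memory image; bound for the simulation */

/* The slide's routine with an assumed 8-bit counter. glitch != 0 models one
 * fault (assumed) that skips instruction 3 when a has reached 0. */
size_t send_plain(const uint8_t *mem, size_t addr, uint8_t len,
                  uint8_t *out, int glitch)
{
    size_t b = addr, n = 0;                 /* 1: b = answer_address     */
    uint8_t a = len;                        /* 2: a = answer_length      */
    while (b < MEM_SIZE) {
        if (a == 0) {                       /* 3: if (a == 0) goto 8     */
            if (!glitch) break;
            glitch = 0;                     /* the check is skipped once */
        }
        out[n++] = mem[b++];                /* 4, 5: transmit(*b); b++   */
        a--;                                /* 6: 8-bit a wraps 0 -> 255 */
    }                                       /* 7: goto 3                 */
    return n;                               /* bytes sent to the port    */
}

/* Hardened: an independent bound on the pointer is checked as well, so a
 * single skipped check no longer extends the loop. */
size_t send_hardened(const uint8_t *mem, size_t addr, uint8_t len,
                     uint8_t *out, int glitch)
{
    const size_t end = addr + len;          /* second, independent limit */
    size_t b = addr, n = 0;
    uint8_t a = len;
    while (b < MEM_SIZE) {
        if (a == 0) {
            if (!glitch) break;
            glitch = 0;
        }
        if (b >= end) break;                /* redundant check on b      */
        out[n++] = mem[b++];
        a--;
    }
    return n;
}

int main(void)
{
    uint8_t mem[MEM_SIZE] = {0}, out[MEM_SIZE];
    printf("%zu %zu %zu\n", send_plain(mem, 0, 4, out, 0),
           send_plain(mem, 0, 4, out, 1), send_hardened(mem, 0, 4, out, 1));
    return 0;
}
```

With a 4-byte answer, the glitched plain loop sends 260 bytes because the counter wraps, while the hardened loop still sends 4.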
Advanced Attack Tools
- Microprobing workstation: up to around nine needles
- Laser cutter: allows to break connections and remove passivation
- Electron beam testing
- Focused ion beam workstation: creates new connections
- comfortable access to bus signals
- Selective dry etching
- Automatic layout reconstruction: creates circuit diagram
- helps to work around depassivation sensors
- Electro-optic sampling: scans a lithium niobate crystal with laser light for effects of E-field variations (e.g., 5 V, 25 MHz).
- IR rear access: observe transistors with electro-optic effects from below at wavelengths at which the Si substrate is transparent
Example Read-Out Operation for a Smartcard Security Processor
Problem: Minimize the number of microprobing needles required for EEPROM read-out.
One solution:
- Disconnect most parts of the CPU from the on-chip bus
- Use CPU components (e.g., program counter) to generate all addresses sequentially
- Observe only one data bus bit per run, as multiple needles are difficult to handle
- Combine all eight data bus observations to memory dump and disassemble the secret software
[Figure labels: Microcode Control Unit, EEPROM, Program Counter, +1, load, out, low, high, CLK signal, GND, data bus (8 bit), address bus (16 bit), one single microprobing needle, old connection opened with laser cutter, new connection established with focused ion beam workstation]
Protection techniques
- environmental sensors
- copier traps
- top-layer coating
- multilayer design
- fusible links
- fine wire winding package
- conductive ink package
- composite materials
- oscillator salting