Tamper Resistance - a Cautionary Note Ross Anderson Markus Kuhn

Size: px

Start display at page:

Download "Tamper Resistance - a Cautionary Note Ross Anderson Markus Kuhn"

Vivian Edwards
5 years ago
Views:

1 Tamper Resistance - a Cautionary Note Ross Anderson University of Cambridge Computer Laboratory Markus Kuhn University of Erlangen/ Purdue University

2 Applications of Tamper Resistant Modules Security of cryptographic applications is based on secure storage of secret keys and unobservability of computation Distributed and mobile applications allow attacker full physical access to hardware over extended period of time pay-tv access control electronic purses financial transaction terminals software copy protection prepayment meters anti-theft protection authentic telemetry protection of algorithms cellular phones...

3 Classification of Attackers Class I: Class II: Class III: Clever Outsiders. Often very intelligent, have insufficient knowledge of the system, have access to moderately sophisticated equipment, use existing weaknesses in the system. Knowledgeable Insiders. Substantial specialized technical education and experience, varying degrees of understanding of the system but potential access to most relevant information, often highly sophisticated tools. Funded Organizations. Teams of specialists with complementary skills, great funding resources, capable of in-depth analysis and design of sophisticated attacks, most advanced tools, access to knowledgeable insiders. [according to Abraham, Dolan, Double, Stevens: Transaction Security System, IBM Systems Journal, Vol. 30, No. 2, 1991.]

Getting Access to the Die Surface in Plastic Chips and Smartcards 1) 2) 3) 4) 5) Remove covering plastic manually Put with a pipette a few drops fuming nitric acid (>98% HNO 3) on remaining

4 Getting Access to the Die Surface in Plastic Chips and Smartcards 1) 2) 3) 4) 5) Remove covering plastic manually Put with a pipette a few drops fuming nitric acid (>98% HNO 3) on remaining plastic Etching process can be accelerated by heating up chip and acid with IR radiator Wash away acid and dissolved plastic with acetone Repeat from step 2 until die surface is fully exposed

5 UV Read-out of Standard Microcontrollers UV light EEPROM Security Fuse Many microcontrollers have an EEPROM security fuse located outside the EEPROM program memory. Open chip package Cover program memory with opaque material Reset security fuse in UV EPROM eraser Access memory with program/verify commands

6 Common Attack Techniques for Microcontrollers Security locks can often be released using unusual operating conditions: PIC16C84: raise VCC to VPP-0.5V and repeated writes to the lock bit will clear it without erasing the program memory. DS5000: short voltage drops sometimes release lock Smartcard controller: low VCC causes RBG to output mostly 1 bits Intel 8051 compatible µc can be read-out using the EA pin to switch between internal and external ROM access. Protection flip-flops can sometimes be reset with short VCC drops. Try all out-of-specification voltages, timings, temperatures, and programming protocol errors [FIPS 140-1]. Other common attack techniques try to get insight by protocol timing analysis EEPROM high temperature aging plus VCC variations current consumption analysis recording of leakage currents on switchable port/bus pins

7 Change single instructions by signal glitches VCC CLK RST Fault model: R C Links between transistors form RC delay elements R and C vary between links and individual chips Maximum RC of any link determines maximum CLK frequency RST signal sometimes not latched, which allows partial resets Transistors compare VCC and V C, which allows VCC glitches

8 Glitch attack on an output loop Typical data output routine in security software: b = answer_address a = answer_length if (a == 0) goto 8 transmit(*b) b = b + 1 a = a - 1 goto 3... Cause CLK or VCC glitch when instruction 3 or 6 is being fetched, in order to extend loop length to send additional memory content to port.

9 Advanced Attack Tools Microprobing workstation up to around nine needles Laser cutter allows to break connections and remove passivation Electron beam testing comfortable access to bus signals Focused ion beam workstation creates new connections Selective dry etching helps to work around depassivation sensors Automatic layout reconstruction creates circuit diagram Electro-optic sampling scans a lithium niobate crystal with laser light for effects of E-field variations (e.g., 5 V, 25 MHz). IR rear access observe transistors with electro-optic effects from below at wavelengths at which the Si substrate is transparent

10 Example Read-Out Operation for a Smartcard Security Processor CLK signal Microcode Control Unit GND Program Counter load low high load out +1 one single microprobing needle data bus (8 bit) EEPROM address bus (16 bit) old connection opened with laser cutter new connection established with focused ion beam workstation Problem: Minimize the number of microprobing needles required for EEPROM read-out. One solution: Disconnect most parts of the CPU from the on-chip bus Use CPU components (e.g., program counter) to generate all addresses sequentially Observe only one data bus bit with per run, as multiple needles are difficult to handle Combine all eight data bus observations to memory dump and disassemble the secret software

11 Protection techniques environmental sensors copier traps top-layer coating multilayer design fusible links fine wire winding package conductive ink package composite materials oscillator salting battery buffered SRAM non-deterministic timing... Problems of battery buffered SRAM approaches low temperature delays bit pattern degradation without VCC long term exposure to constant bit pattern causes ion migration

12 Conclusions: do not blindly trust manufacturer claims about tamper resistance tamper resistance should be only an additional layer of protection and not a single point of failure; avoid global secrets clever protocols and public key cryptography can reduce the importance of tamper resistance use fault-tolerant machine code in smartcards smartcard form is problematic for high security applications implement fallback modes, intruder detection, intruder identification, and counter measures insist on indepth hostile review of your design

Lecture Notes 20 : Smartcards, side channel attacks

6.857 Computer and Network Security November 14, 2002 Lecture Notes 20 : Smartcards, side channel attacks Lecturer: Ron Rivest Scribe: Giffin/Greenstadt/Plitwack/Tibbetts [These notes come from Fall 2001.