Copyright © 2005 InfoGard Laboratories Proprietary 1
2005 Physical Security Conference
Physical Security 101
Tom Caddy
September 26, 2005
Agenda
• Introduction
– Objective
– Threat Models
– Threat Taxonomy
– Access Threats
• Physical Security
– Role
– Technologies
– External Environment
• Attacks & Mitigations
– Attack Points
– Level of Effort
– Mitigation Strategies
• Challenges
– Standard
– Validation
– Lifecycle
• Constituents
• Summary
Objective
“It should be very clear that compromised physical security always means that all security layers have been compromised. All security discussed in this solution is based on the assumption that physical security has been addressed. Without physical security, no other security measures can be considered effective.”
• Microsoft Website Discussing System Security
Physical Security Role
Physical Security protects all other module aspects:
• Critical Security Parameters
• Data, Information or Cargo
• Module Integrity: Physical and Logical
Physical Security is applied at the Cryptographic Boundary
Physical Security is Access Control
General Threat Models
• Low Threat Environment
– User/Owner benefits by module security
– Typically 140-2 Level 1 and Level 2 Modules
• High Threat Environment
– User/Owner benefits by module compromise
– Typically 140-2 Level 3 and Level 4 Modules
• Custom Threat Environment
– High Value Data
– Unique Environment
External Environment Effect
• Space
• Vault
Data Value
• Cost of Loss
• Cost of Loss of Integrity
Threat/Attacker Taxonomy
• Class I - (Clever Outsiders) - opportunistic
– Intelligent; limited system knowledge
– Limited access to module, and limited equipment and tools
– Exploit obvious weaknesses
• Class II - (Knowledgeable Insider) - motivated
– Specialized education, knowledge and experience
– Significant access to module; sophisticated equipment and tools
– Exploit subtle vulnerability, create opportunity
• Class III - (Funded Organization) – highly motivated
– Teams of specialists, complementary skills, extensive experience
– Virtually unlimited access to module; advanced analysis and tools
– Exploit hidden vulnerabilities or create vulnerabilities
*IBM Systems Journal v30 no 2 (1991)
Availability Risk
• Availability of the module is a major factor in assessing risk
– Time that a threat has access to the module(s)
• Growing risks to module access
– Distribution of systems and other lifecycle phases
– Flexibility and configurability
– Administration, maintenance and remote access roles
• Invasive vs. Non-Invasive
– Non-invasive attacks require specific knowledge, skills and practice to perform
– Non-invasive compromises can be particularly damaging, as the compromise may not be discovered for a considerable time
Physical Security Technology
[Figure: technology areas surrounding the Cryptographic Module Logic, Function and Data, the “Crown Jewels”. Labels recovered from the diagram:]
• Detection circuit, Zeroization circuit, Analog circuits, Electromagnetic, RF and Emissions
• Adhesives, Solvents
• Light, Radiation, Sound, Thermal
• System Requirements, Risk Assessment, Vulnerability Assessment, Security Policy, Manuals
• Plastics, Metals, Composites
• Design, Tolerances, Fasteners, Assembly Processes
External Environment
• Physical security usually only works for limited threats and roles
• Vulnerabilities and mitigation are often hidden in the details
• Interfaces between technologies can be vulnerabilities
[Figure: the Cryptographic Module Logic, Function and Data (“Crown Jewels”) shown inside the external environment]
Attack Plan
• Identify the weakest points in the “system”
– Physical inspection
– Available documentation
• Develop “attack” plan based on vulnerable points
• Acquire resources
– Skills
– Tools
– Materials
• Test “attack” plan and refine as necessary
As currently defined, FIPS 140-2 evaluation is a physical security evaluation, not a full attack.
Mitigation Strategies
• Production Grade – Security requires trust; trust requires reliability. Commercial grade equipment is expected to be reliable.
• Tamper Evidence – User detectable evidence vs. forensic evidence or warranty evidence; evidence is effective when the user is motivated to trust the module.
• Tamper Resistance – Adding complexity, difficulty and risk to compromising a module; includes concepts of obscurity, vents and pick-resistant locks.
• Door and Cover Tamper Detection and Response – Feature to sense basic threat conditions and respond with defensive action: zeroization of critical security parameters.
• Envelope Tamper Detection and Response – Feature to sense any breach of the cryptographic boundary and respond with defensive action: zeroization of critical security parameters.
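Both detection-and-response strategies end in the same defensive action: zeroization of the critical security parameters. The block below is an added example, not code from these slides or from InfoGard, sketching how a firmware tamper-response loop can be structured so that the action actually happens: a sticky latch that folds door/cover and envelope sensor bits together so a brief event is not lost between polls, a zeroization routine that writes through a volatile pointer so the compiler cannot drop the stores as dead, and a check that the CSP store really is all-zero afterwards. The type names (`module_state_t`, `tamper_event_t`), the sensor bit assignments, the key values and the sample reading sequences are all assumptions constructed for illustration.

```c
/* Added example (not from the InfoGard slides): a minimal firmware-style
 * tamper-response model. Names, sensor bits and sample readings are
 * constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed CSP store: two keys held in RAM inside the cryptographic boundary. */
typedef struct {
    uint8_t aes_key[32];
    uint8_t hmac_key[32];
} csp_store_t;

/* Conditions a door/cover or envelope sensor can report (assumed bit layout). */
typedef enum {
    TAMPER_NONE     = 0,
    TAMPER_COVER    = 1u << 0,   /* door or cover switch opened                */
    TAMPER_ENVELOPE = 1u << 1,   /* envelope / mesh continuity broken          */
    TAMPER_TEMP     = 1u << 2,   /* temperature outside the operating range    */
    TAMPER_VOLTAGE  = 1u << 3    /* supply voltage outside the operating range */
} tamper_event_t;

/* Zeroize through a volatile pointer so the stores are observable and the
 * compiler cannot remove them as writes to memory that is never read again. */
static void secure_zeroize(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* True if every byte of the CSP store is zero (OR-accumulate, no early exit). */
bool csps_are_zero(const csp_store_t *s) {
    const uint8_t *b = (const uint8_t *)s;
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof *s; i++) acc |= b[i];
    return acc == 0;
}

/* Module state: CSPs, a sticky latch of every tamper bit seen so far, and a
 * service flag that is cleared once a response has been taken. */
typedef struct {
    csp_store_t csps;
    uint32_t    latch;
    bool        in_service;
} module_state_t;

void module_init(module_state_t *m) {
    /* Constructed key material; a real module loads keys via its key-entry path. */
    memset(m->csps.aes_key,  0xA5, sizeof m->csps.aes_key);
    memset(m->csps.hmac_key, 0x5A, sizeof m->csps.hmac_key);
    m->latch = TAMPER_NONE;
    m->in_service = true;
}

/* One polling cycle: fold the sensor reading into the latch; on the first
 * latched tamper, zeroize the CSPs and take the module out of service.
 * Returns the latch so callers can see which conditions have been recorded. */
uint32_t module_poll(module_state_t *m, uint32_t sensed) {
    m->latch |= sensed;
    if (m->latch != TAMPER_NONE && m->in_service) {
        secure_zeroize(&m->csps, sizeof m->csps);
        m->in_service = false;
    }
    return m->latch;
}

/* Constructed scenario: no tamper ever sensed; keys must survive. */
bool scenario_clean_run(void) {
    module_state_t m;
    module_init(&m);
    for (int i = 0; i < 3; i++) module_poll(&m, TAMPER_NONE);
    return m.in_service && !csps_are_zero(&m.csps) && m.latch == TAMPER_NONE;
}

/* Constructed scenario: cover switch opens for a single cycle, then reads
 * clear again. The latch must still hold the event and the CSPs must be gone. */
bool scenario_cover_opened(void) {
    module_state_t m;
    module_init(&m);
    module_poll(&m, TAMPER_NONE);
    module_poll(&m, TAMPER_COVER);
    uint32_t latch = module_poll(&m, TAMPER_NONE);
    return !m.in_service && csps_are_zero(&m.csps) && latch == TAMPER_COVER;
}

int main(void) {
    printf("clean run keeps CSPs:            %d\n", scenario_clean_run());
    printf("cover event zeroizes and latches: %d\n", scenario_cover_opened());
    return 0;
}
```

The point of the sticky latch is the non-invasive concern raised earlier in the deck: a response that only fires while the sensor is asserted can be defeated by an event shorter than the polling interval, and a compromise that leaves no latched record may go undiscovered. In real hardware the latch and zeroization are usually battery-backed so they work with main power removed; that part is outside what this host-side model shows.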
Attack Level of Effort (LOE)
• An increasing Level of Effort is directly related to an increase in Tamper Resistance, not to the number of security features
• The effectiveness, or tamper resistance, of an implementation can vary across a range, and that range determines how much security the module actually delivers
[Figure: LOE curve. Y axis “Trust and Level of Effort for Successful Attack”; X axis “Level of Security” 1, 2, 3, 4; an “Effectiveness Range” is marked against the curve]
Specification Challenges
• Standard
– Security Effectiveness definition vs. Security Feature definition
– Tamper Resistance definition
– The effect module embodiment has on tamper resistance
– Allowance for innovation
• Module designs
• Attack methods
• Tools and techniques
Validation Challenges
• Testing and Evaluation
– Testing Efficiency
• Establishing a DTR (Derived Test Requirements) to have an effective test that costs significantly less than the value of an attack
– Testing Consistency
• Establishing test, lab and personnel requirements that allow multiple test entities and personnel to consistently obtain similar results
Cryptographic Module Typical Lifecycle (Basic…)
[Figure: Manufacturing → Initialization → Operational → Scrap, with typical transportation points between the stages]
Current FIPS 140-2 requirements are applicable in the operational environment
High Security Crypto Module Lifecycle (Expanded…)
[Figure: Manufacturing → Initialization → Operational → Scrap, with typical transportation points between the stages]
For high security devices, physical security threats exist throughout the module lifecycle
Summary
• 140-1 and 140-2 have done a remarkable job of establishing a great foundation
• A high level of physical security is complicated and cannot be an afterthought
• Recognize that effective physical security requires different skills than those used during 140-2 logical and assurance compliance
• Recognize the role of Tamper Resistance as a key characteristic in physical security effectiveness
• 140-3 is an opportunity to review, revisit and improve
Recommended