Secure Processors: Design, Pitfalls & A Few Hacks

Secure Processors:Design, Pitfalls & A Few

Hacks

Steve [email protected]

561-394-5086

Concede Nothing Protect Everything

mailto:[email protected]


Our Business Crypto Accelerators

Security Protocol Software

Secure Processors

Combinations of The Above

Concede Nothing Protect Everything What is A Secure Processor? A Programmable, Secure, Cryptographic Coprocessor

Standard Programming Environment inside, Bus and/or Network Attachment to the Outside

Secure Tamper Resistant Tamper Detecting Tamper Responding

Crypto Support Algorithms (DES, 3DES, RSA, EC, AES, RC4, etc) Protocols (CryptLib, SSL, CCA, etc) HW Random Number Generator, RTC, etc.

Commercial Work Started with IBM in the 80’s


Secure Processors

Create a ‘Trusted Agent’ in the Hostile Field The ‘Real Thing’ Doing the ‘Right Thing’

Platform to Build High Security Applications. Programmable, to Support Arbitrary

Applications that Need Crypto, Privacy and/or Integrity

Concede Nothing Protect Everything Secure Processor Block Diagram

uProc

DRAM

FLASH

BBRAM

Crypto& Interface

Module

BusInterface

Ethernet Serial

PCI, Cardbus, USB, etc.

Physical SecurityBoundary

CTRL

Battery

RNG

Physical SecurityCircuitry

RTC

Local Bus

Concede Nothing Protect Everything What Can A Secure Processor Do?

Intellectual property protection

Credit card personalization

Certification authorities

Electronic currency dispensers

Electronic payments

Electronic benefits transfer

Electronic securities trading

Banking transactions

Server-based smart card substitutes

Home banking

Personal Firewall / Remotely Managed

Kerberos master key protection

e-postage meters

Secret algorithms

Secure timestamps

Software usage metering

VPN

Hotel room gaming

Advanced Navy destroyer systems control

Secure Database Access Control

Pay TV

Concede Nothing Protect Everything Security Requirements, High Level

Most Common Requirements From NIST FIPS PUB 140-1 & -2 Many Items are Really Assurance Issues

Tamper Detection 50 uM Maximum Undetected Hole Size (Goal)

Tamper Response Must Clear All Sensitive Data

Environmental Failure Protection/Testing Voltage

All Supplies (High & Low) Battery too

Temperature (High & Low) Radiation

Must do All of the Above on Power Supply or Battery (& During Transition) Protection circuitry is Activated at Factory Stays Active for the Life of the Product


Everything Has to Run on the Battery Must Have Reasonable Battery Life Must Have Sufficient Power to Respond to Tamper

Defenses have to ‘Cover Each Other’ I.E. Unusual Considerations for Tamper Response

Temperature Back Powering

Transients During Power Up/Down are Part of Normal Conditions

No False Positives or False Negatives

It has to be Manufacturable too

Interactive Considerations


Tamper Detection Must Detect Very Small Holes!

Detector is a Grid of Printed Conductors on a Flexible Substrate

2 Layers One pattern on Each Side of Each Layer

The Detector is Wrapped Around and Glued to the Package

It is Activated in the Factory and Stays Active for the Product Life


Tamper Detection

Circuit CardInner Cover

Tamper Detecting Membrane

Potting

Metal Shield

Shielded Base Card

Flexible Data/Power Cable


Tamper Detection

V+ GND

Outside Layer

Inside Layer

V+

Test

Test

GND

Lines on Top Lines on Bottom

Same PatternInterleaved onTop and Bottom


Basic Detection Circuit

+

_

+

_

GND

Input

Output1 = OK0 = !OK

Vcc

Concede Nothing Protect Everything The Power Transient Problem

0 V

T power switch

Vth upper

Vth lower

Time

Input

Big Problem!

Concede Nothing Protect Everything Environment Failure Protection

Uses Basic Detection Circuit to Measure Parameters

Non-damaging Conditions: Cause Reset

Low Voltage

High Temperature (Above Operating, Below Storage Limit)

Damaging and/or Security Risk Conditions: Cause Erasure

High Voltage (Above Storage)

High Temperature

Low Temperature

Battery Voltage

Ionizing Radiation

These are Really Assurance Issues


Tamper Response Need to Erase Secret Data When a Tamper Is Detected

Not Allowed any Permanent or Violent Actions But it Still Has to be Fast

Removing Power and Shorting the Power Pin Works Well Reasonably Fast Reasonably Sure Not Permanent or Violent

Provided….. There are No Imprinting Conditions

The Temperature has to be High Enough The Unit has Not Been Irradiated The Power Supply has Been Smooth The Memory has Not Been Constant for Too Long No Back Powering !!!!!


Now for the Hacks Most Physical Attacks are Just Too Hard, so the Hacks are Smarter

FIB Might Just Change That Repair of Blown Debug/Run Fuse is Still Common, But Less So With New IC

Technology

Clocking Clock Glitching can Cause Unexpected Actions

DES Short Loop

Reset Reset Glitching can Cause Unexpected Actions

Incomplete Reset

Power Glitching

Power Glitching can Cause Unexpected Actions It can Also Cause Imprinting of RAM Contents

Power Analysis

Determine Data/Secret Parameters by Analysis of Icc


Lock Picking Popular Hobby in Security (as are other puzzles :-)

Gets a Vacationing Office Mate’s Desk Open Quickly

I Have Softcopy of “The MIT Guide to Lock Picking” for those who would like to see it.

Street Sweeper Bristles Make the Best Lock Pick Material and are Available Everywhere

Have Fun


Questions?


Thanks!Steve [email protected](561) 394 5086http://www.cryptoapps.com

Recent Papers: Physical Security for Computing Systems: A survey of Attacks and Defenses. Cryptographic and Embedded Systems Workshop, 2000 (Weingart) Building the IBM 4758 Secure Coprocessor. IEEE Computer, 10/2001, pp 57 – 66 (Dyer, et al.)

Slides, MIT Guide to Lock Picking and Papers Available at: http://www.gulf-stream.net/security.html

Documents

Secure Processors: Design, Pitfalls & A Few Hacks