Secure Processors: Design, Pitfalls & A Few Hacks

1. Concede NothingProtect Everything Secure Processors:Design, Pitfalls & A Few Hacks Steve Weingart Steve@cryptoapps.com 561-394-5086

2. Our Business • Crypto Accelerators • Security Protocol Software • Secure Processors • Combinations of The Above

3. What is A Secure Processor? • A Programmable, Secure, Cryptographic Coprocessor • Standard Programming Environment inside, Bus and/or Network Attachment to the Outside • Secure • Tamper Resistant • Tamper Detecting • Tamper Responding • Crypto Support • Algorithms (DES, 3DES, RSA, EC, AES, RC4, etc) • Protocols (CryptLib, SSL, CCA, etc) • HW Random Number Generator, RTC, etc. • Commercial Work Started with IBM in the 80’s

4. Secure Processors • Create a ‘Trusted Agent’ in the Hostile Field • The ‘Real Thing’ Doing the ‘Right Thing’ • Platform to Build High Security Applications. • Programmable, to Support Arbitrary Applications that Need Crypto, Privacy and/or Integrity

5. Secure Processor Block Diagram Serial Ethernet Physical Security Boundary F L A S H B B R A M D R A M uProc Local Bus Crypto & Interface Module C T R L R N G R T C Bus Interface Physical Security Circuitry Battery PCI, Cardbus, USB, etc.

6. What Can A Secure Processor Do? • Intellectual property protection • Credit card personalization • Certification authorities • Electronic currency dispensers • Electronic payments • Electronic benefits transfer • Electronic securities trading • Banking transactions • Server-based smart card substitutes • Home banking • Personal Firewall / Remotely Managed • Kerberos master key protection • e-postage meters • Secret algorithms • Secure timestamps • Software usage metering • VPN • Hotel room gaming • Advanced Navy destroyer systems control • Secure Database Access Control • Pay TV

7. Security Requirements, High Level • Most Common Requirements From NIST FIPS PUB 140-1 & -2 • Many Items are Really Assurance Issues • Tamper Detection • 50 uM Maximum Undetected Hole Size (Goal) • Tamper Response • Must Clear All Sensitive Data • Environmental Failure Protection/Testing • Voltage • All Supplies (High & Low) • Battery too • Temperature (High & Low) • Radiation • Must do All of the Above on Power Supply or Battery (& During Transition) • Protection circuitry is Activated at Factory • Stays Active for the Life of the Product

8. Interactive Considerations • Everything Has to Run on the Battery • Must Have Reasonable Battery Life • Must Have Sufficient Power to Respond to Tamper • Defenses have to ‘Cover Each Other’ • I.E. Unusual Considerations for Tamper Response • Temperature • Back Powering • Transients During Power Up/Down are Part of Normal Conditions • No False Positives or False Negatives • It has to be Manufacturable too

9. Tamper Detection • Must Detect Very Small Holes! • Detector is a Grid of Printed Conductors on a Flexible Substrate • 2 Layers • One pattern on Each Side of Each Layer • The Detector is Wrapped Around and Glued to the Package • It is Activated in the Factory and Stays Active for the Product Life

10. Tamper Detection Metal Shield Tamper Detecting Membrane CircuitCard Inner Cover Potting Shielded Base Card Flexible Data/Power Cable

11. Tamper Detection Test Outside Layer Lines on Top Lines on Bottom V+ GND V+ Inside Layer Test Same Pattern Interleaved on Top and Bottom GND

12. Basic Detection Circuit Vcc + _ Input Output 1 = OK 0 = !OK + _ GND

13. The Power Transient Problem Big Problem! Vth upper Input Vth lower 0 V Time T power switch

14. Environment Failure Protection • Uses Basic Detection Circuit to Measure Parameters • Non-damaging Conditions: Cause Reset • Low Voltage • High Temperature (Above Operating, Below Storage Limit) • Damaging and/or Security Risk Conditions: Cause Erasure • High Voltage (Above Storage) • High Temperature • Low Temperature • Battery Voltage • Ionizing Radiation • These are Really Assurance Issues

15. Tamper Response • Need to Erase Secret Data When a Tamper Is Detected • Not Allowed any Permanent or Violent Actions • But it Still Has to be Fast • Removing Power and Shorting the Power Pin Works Well • Reasonably Fast • Reasonably Sure • Not Permanent or Violent • Provided….. • There are No Imprinting Conditions • The Temperature has to be High Enough • The Unit has Not Been Irradiated • The Power Supply has Been Smooth • The Memory has Not Been Constant for Too Long • No Back Powering !!!!!

16. Now for the Hacks • Most Physical Attacks are Just Too Hard, so the Hacks are Smarter • FIB Might Just Change That • Repair of Blown Debug/Run Fuse is Still Common, But Less So With New IC Technology • Clocking • Clock Glitching can Cause Unexpected Actions • DES Short Loop • Reset • Reset Glitching can Cause Unexpected Actions • Incomplete Reset • Power Glitching • Power Glitching can Cause Unexpected Actions • It can Also Cause Imprinting of RAM Contents • Power Analysis • Determine Data/Secret Parameters by Analysis of Icc

17. Lock Picking • Popular Hobby in Security (as are other puzzles :-) • Gets a Vacationing Office Mate’s Desk Open Quickly • I Have Softcopy of “The MIT Guide to Lock Picking” for those who would like to see it. • Street Sweeper Bristles Make the Best Lock Pick Material and are Available Everywhere • Have Fun

18. Questions?

19. Thanks! Steve Weingart Steve@CryptoApps.com (561) 394 5086 http://www.cryptoapps.com Recent Papers: Physical Security for Computing Systems: A survey of Attacks and Defenses. Cryptographic and Embedded Systems Workshop, 2000 (Weingart) Building the IBM 4758 Secure Coprocessor. IEEE Computer, 10/2001, pp 57 – 66 (Dyer, et al.)  Slides, MIT Guide to Lock Picking and Papers Available at: http://www.gulf-stream.net/security.html