Slides from Talk (MS Powerpoint)


Concede Nothing Protect Everything
Secure Processors:
Design, Pitfalls & A Few Hacks
Steve Weingart
[email protected]
561-394-5086
Our Business

Crypto Accelerators

Security Protocol Software

Secure Processors

Combinations of The Above

What is A Secure Processor?

A Programmable, Secure, Cryptographic Coprocessor
• Standard Programming Environment inside, Bus and/or Network Attachment to the Outside
• Secure
  • Tamper Resistant
  • Tamper Detecting
  • Tamper Responding
• Crypto Support
  • Algorithms (DES, 3DES, RSA, EC, AES, RC4, etc)
  • Protocols (CryptLib, SSL, CCA, etc)
  • HW Random Number Generator, RTC, etc.

Commercial Work Started with IBM in the 80’s

Secure Processors

Create a ‘Trusted Agent’ in the Hostile Field
• The ‘Real Thing’ Doing the ‘Right Thing’

Platform to Build High Security Applications.
• Programmable, to Support Arbitrary Applications that Need Crypto, Privacy and/or Integrity

Secure Processor Block Diagram

[Figure: block diagram. Labels: Ethernet, DRAM, Serial, uProc, FLASH, BBRAM, CTRL, RTC, Local Bus, Crypto & Interface Module, Bus Interface, RNG, Physical Security Circuitry, Battery, PCI, Cardbus, USB, etc., Physical Security Boundary.]

What Can A Secure Processor Do?
• Intellectual property protection
• Personal Firewall / Remotely Managed
• Credit card personalization
• Kerberos master key protection
• Certification authorities
• e-postage meters
• Electronic currency dispensers
• Secret algorithms
• Electronic payments
• Secure timestamps
• Electronic benefits transfer
• Software usage metering
• Electronic securities trading
• VPN
• Banking transactions
• Hotel room gaming
• Server-based smart card substitutes
• Advanced Navy destroyer systems control
• Home banking
• Secure Database Access Control
• Pay TV

Security Requirements, High Level

Most Common Requirements From NIST FIPS PUB 140-1 & -2
• Many Items are Really Assurance Issues

Tamper Detection
• 50 uM Maximum Undetected Hole Size (Goal)

Tamper Response
• Must Clear All Sensitive Data

Environmental Failure Protection/Testing
• Voltage
  • All Supplies (High & Low)
  • Battery too
• Temperature (High & Low)
• Radiation

Must do All of the Above on Power Supply or Battery (& During Transition)
• Protection circuitry is Activated at Factory
• Stays Active for the Life of the Product

Interactive Considerations

Everything Has to Run on the Battery
• Must Have Reasonable Battery Life
• Must Have Sufficient Power to Respond to Tamper

Defenses have to ‘Cover Each Other’
• I.E. Unusual Considerations for Tamper Response
  • Temperature
  • Back Powering

Transients During Power Up/Down are Part of Normal Conditions

No False Positives or False Negatives

It has to be Manufacturable too

Tamper Detection
• Must Detect Very Small Holes!
• Detector is a Grid of Printed Conductors on a Flexible Substrate
  • 2 Layers
  • One pattern on Each Side of Each Layer
• The Detector is Wrapped Around and Glued to the Package
• It is Activated in the Factory and Stays Active for the Product Life

Tamper Detection

[Figure: package construction. Labels: Metal Shield, Tamper Detecting Membrane, Circuit Card, Inner Cover, Potting, Shielded Base Card, Flexible Data/Power Cable.]

Tamper Detection

[Figure: tamper detecting membrane layers. Labels: Outside Layer (Lines on Top, Lines on Bottom); Inside Layer (Same Pattern, Interleaved on Top and Bottom); each layer connected to Test, V+ and GND.]

Basic Detection Circuit

[Figure: detection circuit schematic. Labels: Vcc, Input, GND, two +/− input pairs, Output (1 = OK, 0 = !OK).]

The Power Transient Problem

Big Problem!

[Figure: plot of Input against Time, with levels Vth upper, Vth lower and 0V marked, and T power switch marked on the time axis.]

Environment Failure Protection
• Uses Basic Detection Circuit to Measure Parameters
• Non-damaging Conditions: Cause Reset
  • Low Voltage
  • High Temperature (Above Operating, Below Storage Limit)
• Damaging and/or Security Risk Conditions: Cause Erasure
  • High Voltage (Above Storage)
  • High Temperature
  • Low Temperature
  • Battery Voltage
  • Ionizing Radiation
• These are Really Assurance Issues
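
A C model of the window comparator and the reset/erase split from the slides above, added here as an illustration and not taken from the talk. All thresholds, the sample traces and the `min_run` qualification filter are assumptions; the slides name the power transient problem but do not say how it is solved, and the radiation monitor is left out.

```c
#include <stdio.h>
/* All thresholds and trace values are constructed for illustration. */
typedef enum { ACT_OK = 0, ACT_RESET = 1, ACT_ERASE = 2 } action_t;
typedef struct {
    double lo, hi;          /* window: OK while lo <= value <= hi */
    action_t below, above;  /* response when the value leaves the window */
} monitor_t;

/* Window comparator as on the "Basic Detection Circuit" slide: 1 = OK, 0 = !OK. */
int window_ok(double v, double lo, double hi) { return v >= lo && v <= hi; }

/* Reset/erase split from the "Environment Failure Protection" slide. */
enum { MAIN_V, TEMP_OPERATING, TEMP_STORAGE, BATTERY_V, N_MON };
static const monitor_t MON[N_MON] = {
    [MAIN_V]         = { 4.5,   5.5,  ACT_RESET, ACT_ERASE }, /* low: reset, high: erase */
    [TEMP_OPERATING] = { -1e9,  70.0, ACT_OK,    ACT_RESET }, /* above operating: reset  */
    [TEMP_STORAGE]   = { -20.0, 95.0, ACT_ERASE, ACT_ERASE }, /* beyond storage: erase   */
    [BATTERY_V]      = { 2.5,   3.6,  ACT_ERASE, ACT_ERASE }, /* battery fault: erase    */
};

/* Worst action demanded by any monitor for one set of readings. */
action_t evaluate(double main_v, double temp_c, double batt_v) {
    const double r[N_MON] = { main_v, temp_c, temp_c, batt_v };
    action_t worst = ACT_OK;
    for (int i = 0; i < N_MON; i++) {
        if (window_ok(r[i], MON[i].lo, MON[i].hi)) continue;
        action_t a = r[i] < MON[i].lo ? MON[i].below : MON[i].above;
        if (a > worst) worst = a;
    }
    return worst;
}

/* First index at which min_run consecutive samples are out of window, or -1.
 * min_run == 1 is the bare comparator; larger values are an assumed filter. */
int first_trip(const double *v, int n, double lo, double hi, int min_run) {
    for (int i = 0, run = 0; i < n; i++) {
        run = window_ok(v[i], lo, hi) ? 0 : run + 1;
        if (run >= min_run) return i;
    }
    return -1;
}

/* Constructed battery-monitor traces: a 2-sample dip at switch-over, a real fault. */
static const double SWITCHOVER[8] = { 3.0, 3.0, 2.1, 2.3, 2.9, 3.0, 3.0, 3.0 };
static const double SUSTAINED[8]  = { 3.0, 3.0, 2.1, 2.0, 1.8, 1.5, 1.2, 1.0 };
int main(void) {
    printf("dip:   bare=%d filtered=%d\n", first_trip(SWITCHOVER, 8, 2.5, 3.6, 1), first_trip(SWITCHOVER, 8, 2.5, 3.6, 3));
    printf("fault: bare=%d filtered=%d\n", first_trip(SUSTAINED, 8, 2.5, 3.6, 1), first_trip(SUSTAINED, 8, 2.5, 3.6, 3));
    return 0;
}
```

The bare comparator trips on the switch-over dip, which would erase a healthy unit; a longer filter hides the dip but also lengthens the time a real excursion goes unanswered, which is the tension behind "No False Positives or False Negatives".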

Tamper Response

Need to Erase Secret Data When a Tamper Is Detected
• Not Allowed any Permanent or Violent Actions
• But it Still Has to be Fast

Removing Power and Shorting the Power Pin Works Well
• Reasonably Fast
• Reasonably Sure
• Not Permanent or Violent

Provided…
• There are No Imprinting Conditions
  • The Temperature has to be High Enough
  • The Unit has Not Been Irradiated
  • The Power Supply has Been Smooth
  • The Memory has Not Been Constant for Too Long
• No Back Powering !!!!!

Now for the Hacks

Most Physical Attacks are Just Too Hard, so the Hacks are Smarter
• FIB Might Just Change That
• Repair of Blown Debug/Run Fuse is Still Common, But Less So With New IC Technology

Clocking
• Clock Glitching can Cause Unexpected Actions
• DES Short Loop

Reset
• Reset Glitching can Cause Unexpected Actions
• Incomplete Reset

Power Glitching
• Power Glitching can Cause Unexpected Actions
• It can Also Cause Imprinting of RAM Contents

Power Analysis
• Determine Data/Secret Parameters by Analysis of Icc

Lock Picking
• Popular Hobby in Security (as are other puzzles :-)
• Gets a Vacationing Office Mate’s Desk Open Quickly
• I Have Softcopy of “The MIT Guide to Lock Picking” for those who would like to see it.
• Street Sweeper Bristles Make the Best Lock Pick Material and are Available Everywhere
• Have Fun

Questions?

Thanks!
Steve Weingart
[email protected]
(561) 394 5086
http://www.cryptoapps.com

Recent Papers:
• Physical Security for Computing Systems: A survey of Attacks and Defenses. Cryptographic and Embedded Systems Workshop, 2000 (Weingart)
• Building the IBM 4758 Secure Coprocessor. IEEE Computer, 10/2001, pp 57 – 66 (Dyer, et al.)

Slides, MIT Guide to Lock Picking and Papers Available at: http://www.gulf-stream.net/security.html