563-1.11.3 breaking the chip

Upload: chitra-durai

Post on 05-Apr-2018


  • 7/31/2019 563-1.11.3 Breaking the Chip


    563.11.3 Breaking the Chip:

    Vulnerabilities of Cryptographic Processors and Smart Cards

    Presented by: Ragib Hasan

    PISCES Group: Soumyadeb Mitra, Sruthi Bandhakavi, Ragib Hasan, Raman Sharikyn

    University of Illinois

    Spring 2006


    Overview

    Threat model
      Attackers
      Goals
      Types of attacks

    Attack techniques
      Cryptographic processors
      Smart cards

    Further reading


    Threat model

    Attacker types

      Class I: Clever outsiders
        Intelligent, but lack information; exploit known attacks

      Class II: Knowledgeable insiders
        Have inside information on protocols/design; can use sophisticated tools

      Class III: Funded organizations
        Have information, resources, equipment, and incentives
        Can employ Class II attackers in teams

    Abraham et al., Transaction Security System, IBM Systems Journal, 1991

    http://www.research.ibm.com/journal/sj/302/ibmsj3002G.pdf

    Threat model

    Attacker goals
      To get the crypto keys stored in RAM or ROM
      To learn the secret crypto algorithm used
      To obtain other information stored in the chip (e.g. PINs)
      To modify information on the card (e.g. calling card balance)


    Types of attacks

    Non-invasive attacks
      Don't modify processor; probe via other means

    Invasive attacks
      Break open processor by acids, ionization

    Reverse engineering
      Learn how the device works

    Moore, Anderson, Kuhn, Improving Smartcard Security Using Self-timed Circuit Technology

    http://tima.imag.fr/cis/acid/slides/moore.pd

    Crypto processors: Attacks

    Naive key theft
      Master keys loaded into the chip; attacker opens enclosure while device is running and probes the chip memory

    Preventive measures
      Wire the power supply through lid switches
      Zeroize the chip memory whenever lid is opened


    Attack (1)

    Theft of keys
      Early chips kept keys in removable PROMs, or the key was listed on paper
      Attacker removes the PROM or steals the paper

    Solution
      Shared control: use two or more PROMs with master keys, and use them to derive the actual key
      Keep keys in smart cards
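
One way to implement the shared-control idea above, as an added example that is not from the original slides: each PROM holds one random component and the working key is their XOR, so no single PROM reveals it. The XOR combiner, the 8-byte length, the blank-part check and the sample component values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN 8 /* constructed size for the example */

/* Constructed sample components, one per PROM (illustrative values only). */
static const uint8_t SAMPLE_COMPONENTS[2][KEY_LEN] = {
    {0x3A, 0x91, 0x5C, 0x07, 0xE2, 0x48, 0xB6, 0x1D},
    {0xC4, 0x2E, 0x73, 0xF0, 0x19, 0x85, 0x6A, 0xD3},
};

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(uint8_t *buf, size_t len) {
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

/* 1 if every byte equals v: an all-0x00 or all-0xFF part is treated as blank. */
static int is_filled_with(const uint8_t *c, uint8_t v) {
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++) diff |= (uint8_t)(c[i] ^ v);
    return diff == 0;
}

/* XOR n components into out. Returns 0 on success; on any failure out is
 * left zeroed and -1 is returned, so a partial key is never exposed. */
int derive_key(const uint8_t comps[][KEY_LEN], size_t n, uint8_t out[KEY_LEN]) {
    wipe(out, KEY_LEN);
    if (n < 2) return -1; /* shared control needs at least two holders */
    for (size_t k = 0; k < n; k++) {
        if (is_filled_with(comps[k], 0x00) || is_filled_with(comps[k], 0xFF)) {
            wipe(out, KEY_LEN);
            return -1;
        }
        for (size_t i = 0; i < KEY_LEN; i++) out[i] ^= comps[k][i];
    }
    return 0;
}

int main(void) {
    uint8_t key[KEY_LEN];
    int rc = derive_key(SAMPLE_COMPONENTS, 2, key);
    printf("derive_key: %d, first byte %02X\n", rc, key[0]);
    wipe(key, KEY_LEN); /* clear the working key after use */
    return rc;
}
```

With uniformly random components, any subset short of all of them is statistically independent of the derived key.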


    Attack (2)

    Cutting through casing
      Disabling lid switches

    Solutions
      Add more sensors, photocells
      Separate the security components, and pot them in epoxy resin


    IBM 4758's epoxy potting

    IBM 4758, with epoxy potting partially removed


    Attack (3)

    Attacker scrapes potting with a knife, and uses a logic probe on the bus
      RSA, DES vulnerable if attacker can see protocol in action

    Solution:
      Use a wire mesh embedded in the epoxy
        Crude scraping can be handled, but not slow erosion using sandblasting
      Use a metal shield with a membrane to enclose processor


    Attack (4)

    Memory remanence
      Memory contents get burned into the RAM after a long time; on power-up, 90% of the RAM bits are initialized to the key
      Attacker goes dumpster diving to find old chips

    Solution
      Use RAM savers, just like screen savers
        Move data around chip to prevent burn-in

    Gutmann, Secure deletion of data from magnetic and solid state memory, Usenix Security Symp. '96

    http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
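
The two storage countermeasures named so far, zeroizing key memory on a tamper signal and a "RAM saver" that stops cells resting at one value, shown as an added example that is not from the original slides. Periodic bit inversion is one possible RAM-saver scheme (an assumption; the slide only says to move data around), and key_store, the ks_* functions, the 8-byte length and the sample key are hypothetical names and values.

```c
#include <stddef.h>
#include <stdint.h>
#define KEY_LEN 8 /* constructed size for the example */

/* Constructed sample key (illustrative value only). */
static const uint8_t SAMPLE_KEY[KEY_LEN] = {0x3A, 0x91, 0x5C, 0x07, 0xE2, 0x48, 0xB6, 0x1D};

typedef struct {
    volatile uint8_t cells[KEY_LEN]; /* the key or its bitwise complement */
    volatile uint8_t inverted;       /* 1 while cells hold the complement */
    volatile uint8_t loaded;         /* 0 until loaded and after zeroization */
} key_store;

void ks_load(key_store *ks, const uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++) ks->cells[i] = key[i];
    ks->inverted = 0;
    ks->loaded = 1;
}

/* Periodic timer hook: flip every stored bit so no cell rests at one value. */
void ks_tick(key_store *ks) {
    if (!ks->loaded) return;
    for (size_t i = 0; i < KEY_LEN; i++) ks->cells[i] = (uint8_t)~ks->cells[i];
    ks->inverted ^= 1;
}

/* Recover the key for use; returns -1 once the store has been zeroized. */
int ks_read(const key_store *ks, uint8_t out[KEY_LEN]) {
    if (!ks->loaded) return -1;
    uint8_t mask = ks->inverted ? 0xFF : 0x00;
    for (size_t i = 0; i < KEY_LEN; i++) out[i] = (uint8_t)(ks->cells[i] ^ mask);
    return 0;
}

/* Tamper hook (lid switch, sensor alarm): wipe the cells, then mark empty. */
void ks_tamper(key_store *ks) {
    for (size_t i = 0; i < KEY_LEN; i++) ks->cells[i] = 0;
    ks->inverted = 0;
    ks->loaded = 0;
}

int main(void) {
    key_store ks;
    uint8_t out[KEY_LEN];
    ks_load(&ks, SAMPLE_KEY);
    ks_tick(&ks);
    ks_tamper(&ks);
    return ks_read(&ks, out) == -1 ? 0 : 1; /* exit 0: zeroized store refuses reads */
}
```

With equal time between ticks, each cell spends half its life at 0 and half at 1, whatever the key bit is.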

    Attack (5)

    Freeze it!
      Below -20 °C (-4 °F), SRAM contents persist
      Attacker freezes module, removes power, removes potting/mesh, attaches chip to test rig, powers on

    Burn it!
      Attacker floods chip with ionizing radiation (X-ray); key gets burned in

    Solution?
      Add temperature/radiation alarms
      Or, blow up the chip, with thermite charges!!

    Skorobogatov, Low Temperature Remanence in Static RAM

    http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-536.pdf

    Attack (6)

    Tempest / power analysis
      Noninvasive
      British MI5 eavesdropped on French embassy's crypto machine in the 1960s
      Attacker looks into RF emissions or power consumption of processor

    Solution
      Use aluminum shielding (tin foil!!)
      Obfuscate power line paths


    Attacking 4758

    4758 addresses most of the previous attacks

    So, how do you attack a 4758?

      Physical
        Erode potting with sandblasting, detect mesh lines, bypass them (magnetic force microscope)
        Drill 8mm/0.1 mm holes to go through mesh
        Send plasma jets to destroy memory zeroization circuits

      Protocol level attacks
        Michael Bond, a grad student, broke 4758 using a protocol attack to extract a 3DES key

    Michael Bond, "Attacks on Cryptoprocessor Transaction Sets", CHES 2000

    http://www.cl.cam.ac.uk/~mkb23/research/Attacks-on-Crypto-TS.pdf

    Smart cards

    Generally don't have the protection of crypto processors

    Typically have lower security, but more commonly used


    Non-invasive attacks

    Attack the protocol
      Put a laptop between the smart card and reader, and analyze messages
      Put a device between card and reader that blocks certain messages

    Prevent writing
      Early smartcards had a separate programming voltage pin Vpp that was needed to write to EEPROM
      Attacker places tape on the pin to prevent writing


    Non-invasive attacks

    Differential power analysis
      Power supply current spikes indicate type of instruction being executed
      Data values can be obtained from power profile

    Clock/power modulation
      Overclocking the chip disrupts instruction execution (e.g. prevents branching)
      Slowing down clock allows reading voltages with an electron microscope
      Modulating power can prevent parts of the chip from working


    Invasive attacks

    It is possible to remove the chip using cheap chemicals

    Attacker removes chip, fits it into a test rig

    Optical microscope can show ROM contents

    Crystallographic staining also reveals ROM content

    Moore, Anderson, Kuhn, Improving Smartcard Security Using Self-timed Circuit Technology

    http://tima.imag.fr/cis/acid/slides/moore.pd

    Invasive attacks

    Physical probing
      Low-cost probing stations can land microprobes on bus lines and read values
      The information is used to figure out keys or crypto algorithms
      Focused ion beam microscopes can modify chip or shielding


    Invasive attacks

    Memory linearization
      Destroy instruction decoder to prevent jumps
      Repair test circuits (blown off during manufacture) to allow testing routines to dump memory
      Problem: You need to have test circuits, otherwise you can't test the chip's working during production


    Reverse engineering

    Rebuild hardware circuits
      Etch away layer on chip surface, take electron micrograph, create 3-D image of chip
      Use the image to recreate circuit


    Reverse engineering

    Optical fault induction
      Use simple camera flash, tape it to probing station, flash the chip at a particular spot using an aluminum foil aperture
      Or use a cheap laser pointer

    Focusing flash on white circle makes SRAM cell bit go from 1 to 0

    Focusing on black circle makes SRAM cell go from 0 to 1

    By inducing bit faults, several protocols can be broken

    Skorobogatov and Ross J. Anderson, Optical Fault Induction Attacks, CHES '02

    http://www.cl.cam.ac.uk/~sps32/ches02-optofault.pdf

    Further reading

    Ross Anderson's page at Cambridge University
      http://www.cl.cam.ac.uk/~rja14/

    Workshop on Cryptographic Hardware and Embedded Systems
      http://islab.oregonstate.edu/ches/