563-1.11.3 breaking the chip
7/31/2019 563-1.11.3 Breaking the Chip
563.11.3 Breaking the Chip:
Vulnerabilities of Cryptographic Processors and Smart Cards
Presented by: Ragib Hasan
PISCES Group: Soumyadeb Mitra, Sruthi Bandhakavi, Ragib Hasan, Raman Sharikyn
University of Illinois
Spring 2006
-
Overview
Threat model
  Attackers
  Goals
  Types of attacks
Attack techniques
  Cryptographic processors
  Smart cards
Further reading
-
Threat model
Attacker types
  Class I: Clever outsiders
    Intelligent, but lack information; exploit known attacks
  Class II: Knowledgeable insiders
    Have inside information on protocols/design; can use sophisticated tools
  Class III: Funded organizations
    Have information, resources, equipment, and incentives
    Can employ Class II attackers in teams
Abraham et al., "Transaction Security System", IBM Systems Journal, 1991
http://www.research.ibm.com/journal/sj/302/ibmsj3002G.pdf
-
Threat model
Attacker goals
  To get the crypto keys stored in RAM or ROM
  To learn the secret crypto algorithm used
  To obtain other information stored in the chip (e.g. PINs)
  To modify information on the card (e.g. calling card balance)
-
Types of attacks
Non-invasive attacks
  Don't modify the processor; probe via other means
Invasive attacks
  Break open the processor using acids, ionization
Reverse engineering
  Learn how the device works
Moore, Anderson, Kuhn, "Improving Smartcard Security Using Self-timed Circuit Technology"
http://tima.imag.fr/cis/acid/slides/moore.pd
-
Overview
Threat model
  Attackers
  Goals
  Types of attacks
Attack techniques
  Cryptographic processors
  Smart cards
Further reading
-
Crypto processors: Attacks
Naïve key theft
  Master keys are loaded into the chip; the attacker opens the enclosure while the device is running and probes the chip memory
Preventive measures
  Wire the power supply through lid switches
  Zeroize the chip memory whenever the lid is opened
-
Attack (1)
Theft of keys
  Early chips kept keys in removable PROMs, or the key was listed on paper
  Attacker removes the PROM or steals the paper
Solution
  Shared control: use two or more PROMs with master keys, and use them to derive the actual key
  Keep keys in smart cards
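One way to realize the shared-control measure above, as an added example that is not from the original slides: the key is split into XOR components so that each PROM on its own holds only random-looking bytes. The XOR construction, the 16-byte key size, the sample values and the names split_key, xor_components and combine_matches are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16  /* assumed key size */
/* Constructed sample values, not real key material. */
static const uint8_t SAMPLE_KEY[KEY_LEN] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF };
static const uint8_t SAMPLE_PAD[KEY_LEN] = { 0xD3, 0x1C, 0x7A, 0x45, 0x90, 0x0B,
    0xE6, 0x2F, 0x58, 0xC1, 0x34, 0x8D, 0x6E, 0xF2, 0x07, 0xB9 };

/* Wipe through a volatile pointer so the compiler cannot elide it. */
static void wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}
/* XOR n components (stored back to back, KEY_LEN bytes each) into out. */
static void xor_components(const uint8_t *comps, size_t n, uint8_t out[KEY_LEN]) {
    memset(out, 0, KEY_LEN);
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < KEY_LEN; j++)
            out[j] ^= comps[i * KEY_LEN + j];
}
/* Key ceremony: comps[0..n-2] already hold fresh random bytes; fill the last
   component so that all n XOR to key. Any n-1 of them are just random. */
static void split_key(const uint8_t key[KEY_LEN], uint8_t *comps, size_t n) {
    uint8_t *last = comps + (n - 1) * KEY_LEN;
    xor_components(comps, n - 1, last);
    for (size_t j = 0; j < KEY_LEN; j++) last[j] ^= key[j];
}
/* Device side: rebuild the key from the PROMs, check it, wipe the working
   copy. Comparing with `expect` stands in for a real key check value. */
static int combine_matches(const uint8_t *proms, size_t n, const uint8_t expect[KEY_LEN]) {
    uint8_t working[KEY_LEN];
    xor_components(proms, n, working);
    int ok = memcmp(working, expect, KEY_LEN) == 0;
    wipe(working, sizeof working);
    return ok;
}

int main(void) {
    uint8_t proms[2 * KEY_LEN];
    memcpy(proms, SAMPLE_PAD, KEY_LEN);  /* PROM 1: random pad */
    split_key(SAMPLE_KEY, proms, 2);     /* PROM 2: key XOR pad */
    printf("both PROMs: %d, PROM 2 alone: %d\n",
           combine_matches(proms, 2, SAMPLE_KEY), combine_matches(proms + KEY_LEN, 1, SAMPLE_KEY));
    return 0;
}
```

The combination step belongs inside the tamper-protected boundary, since the working copy is the only place the full key exists.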
-
Attack (2)
Cutting through casing
  Disabling lid switches
Solutions
  Add more sensors, photocells
  Separate the security components, and pot them in epoxy resin
-
IBM 4758's epoxy potting
IBM 4758, with epoxy potting partially removed
-
Attack (3)
Attacker scrapes the potting with a knife, and uses a logic probe on the bus
  RSA, DES vulnerable if the attacker can see the protocol in action
Solution:
  Use a wire mesh embedded in the epoxy
    Crude scraping can be handled, but not slow erosion using sandblasting
  Use a metal shield with a membrane to enclose the processor
-
Attack (4)
Memory remanence
  Memory contents get burned into the RAM after a long time; on power-up, 90% of RAM bits are initialized to the key
  Attacker goes dumpster diving to find old chips
Solution
  Use "RAM savers", just like screen savers
    Move data around the chip to prevent burn-in
Gutmann, "Secure Deletion of Data from Magnetic and Solid-State Memory", USENIX Security Symposium '96
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
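The "RAM saver" above and the zeroize-on-lid-open measure from the naïve key theft slide, as an added example that is not from the original slides. It complements the key cells in place on a timer rather than relocating them; that variant, the 16-byte key size, the sample key and all names (key_store, store_flip and so on) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16  /* assumed key size */
/* Constructed sample key, not real key material. */
static const uint8_t SAMPLE_KEY[KEY_LEN] = { 0x00, 0xFF, 0x5A, 0xA5, 0x01, 0x80,
    0x3C, 0xC3, 0x10, 0x20, 0x40, 0x08, 0x7E, 0x81, 0x99, 0x66 };

/* Key cells plus a flag: do the cells hold the key or its complement? */
typedef struct { volatile uint8_t cells[KEY_LEN]; volatile uint8_t inverted; } key_store;

static void store_load(key_store *s, const uint8_t key[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++) s->cells[i] = key[i];
    s->inverted = 0;
}
/* "RAM saver" tick, run from a periodic timer with readers locked out:
   complementing gives every cell a 50% duty cycle, so no value burns in. */
static void store_flip(key_store *s) {
    for (size_t i = 0; i < KEY_LEN; i++) s->cells[i] = (uint8_t)~s->cells[i];
    s->inverted ^= 1;
}
/* Copy the true key into a short-lived buffer that the caller must wipe. */
static void store_read(const key_store *s, uint8_t out[KEY_LEN]) {
    uint8_t m = s->inverted ? 0xFF : 0x00;
    for (size_t i = 0; i < KEY_LEN; i++) out[i] = (uint8_t)(s->cells[i] ^ m);
}
/* Tamper response (lid switch opened): volatile writes cannot be elided. */
static void store_zeroize(key_store *s) {
    for (size_t i = 0; i < KEY_LEN; i++) s->cells[i] = 0;
    s->inverted = 0;
}
/* Simulate `ticks` timer periods; count those where the given bit held a 1. */
static unsigned ones_time(key_store *s, size_t idx, unsigned bit, unsigned ticks) {
    unsigned ones = 0;
    for (unsigned t = 0; t < ticks; t++, store_flip(s))
        ones += (s->cells[idx] >> bit) & 1u;
    return ones;
}

int main(void) {
    key_store s; uint8_t out[KEY_LEN];
    store_load(&s, SAMPLE_KEY);
    unsigned ones = ones_time(&s, 1, 0, 1001);  /* odd count leaves it inverted */
    store_read(&s, out);
    printf("ones=%u of 1001, key intact=%d\n", ones, memcmp(out, SAMPLE_KEY, KEY_LEN) == 0);
    store_zeroize(&s);
    return 0;
}
```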
-
Attack (5)
Freeze it!
  Below -20 °C (-4 °F), SRAM contents persist
  Attacker freezes the module, removes power, removes the potting/mesh, attaches the chip to a test rig, powers on
Burn it!
  Attacker floods the chip with ionizing radiation (X-rays); the key gets burned in
Solution?
  Add temperature/radiation alarms
  Or, blow up the chip, with thermite charges!!
Skorobogatov, "Low Temperature Remanence in Static RAM"
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-536.pdf
-
Attack (6)
Tempest / power analysis
  Non-invasive
  British MI5 eavesdropped on the French embassy's crypto machine in the 1960s
  Attacker looks at RF emissions or power consumption of the processor
Solution
  Use aluminum shielding (tin foil!!)
  Obfuscate power line paths
-
Attacking 4758
4758 addresses most of the previous attacks
So, how do you attack a 4758?
Physical
  Erode potting with sandblasting, detect mesh lines, bypass them (magnetic force microscope)
  Drill 8 mm/0.1 mm holes to go through the mesh
  Send plasma jets to destroy memory zeroization circuits
Protocol level attacks
  Michael Bond, a grad student, broke the 4758 using a protocol attack to extract a 3DES key
Michael Bond, "Attacks on Cryptoprocessor Transaction Sets", CHES 2000
http://www.cl.cam.ac.uk/~mkb23/research/Attacks-on-Crypto-TS.pdf
-
Overview
Threat model
  Attackers
  Goals
  Types of attacks
Attack techniques
  Cryptographic processors
  Smart cards
Further reading
-
Smart cards
Generally don't have the protection of crypto processors
Typically have lower security, but are more commonly used
-
Non-invasive attacks
Attack the protocol
  Put a laptop between the smart card and reader, and analyze messages
  Put a device between card and reader that blocks certain messages
Prevent writing
  Early smartcards had a separate programming voltage pin Vpp that was needed to write to EEPROM
  Attacker places tape on the pin to prevent writing
-
Non-invasive attacks
Differential power analysis
  Power supply current spikes indicate the type of instruction being executed
  Data values can be obtained from the power profile
Clock/power modulation
  Overclocking the chip causes disruption in instructions (e.g. prevent branching)
  Slowing down the clock allows reading voltages with an electron microscope
  Modulating power can prevent parts of the chip from working
-
Invasive attacks
It is possible to remove the chip using cheap chemicals
Attacker removes the chip, fits it into a test rig
Optical microscope can show ROM contents
Crystallographic staining also reveals ROM content
Moore, Anderson, Kuhn, "Improving Smartcard Security Using Self-timed Circuit Technology"
http://tima.imag.fr/cis/acid/slides/moore.pd
-
Invasive attacks
Physical probing
  Low-cost probing stations can land microprobes on bus lines and read values
  The information is used to figure out keys or crypto algorithms
  Focused Ion Beam microscopes can modify the chip or shielding
-
Invasive attacks
Memory linearization
  Destroy the instruction decoder to prevent jumps
  Repair test circuits (blown off during manufacture) to allow testing routines to dump memory
Problem: You need to have test circuits, otherwise you can't test the chip's working during production
-
Reverse engineering
Rebuild hardware circuits
  Etch away a layer on the chip surface, take an electron micrograph, create a 3-D image of the chip
  Use the image to recreate the circuit
-
Reverse engineering
Optical fault induction
  Use a simple camera flash, tape it to a probing station, flash the chip at a particular spot using an aluminum foil aperture
  Or use a cheap laser pointer
Focusing the flash on the white circle makes the SRAM cell bit go from 1 to 0
Focusing on the black circle makes the SRAM cell go from 0 to 1
By inducing bit faults, several protocols can be broken
Skorobogatov and Ross J. Anderson, "Optical Fault Induction Attacks", CHES '02
http://www.cl.cam.ac.uk/~sps32/ches02-optofault.pdf
-
Further reading
Ross Anderson's page at Cambridge University
  http://www.cl.cam.ac.uk/~rja14/
Workshop on Cryptographic Hardware and Embedded Systems
  http://islab.oregonstate.edu/ches/