\NeedsTeXFormat{LaTeX2e} \documentclass[a4paper,10pt,twocolumn]{article} % landscape confuses psnup und ist ungewohnt // onecolumn vs. twocolumns % article, report, book, letter, slides... (bei a., b., r. Inhaltsverz. mgl.) \input colordvi \usepackage{color} % z.B. \Blue{...} oder \textBlue ... \usepackage[dvips]{graphics} % -> \includegraphics{datei} (used only for 1 fig) %% -- \usepackage{german} \usepackage[T1]{fontenc} % T1 normal, OML kursiv \usepackage[latin1]{inputenc} %% -- \selectlanguage{german} \usepackage{times} % Vorschlag Matthias fuer schoenere PDF Version \pagestyle{headings} % nur Seitennummer in der Fusszeile: plain \pagenumbering{arabic} \setlength{\parindent}{0pt} % erste Zeile im Absatz nicht einrücken \setlength{\parskip}{12pt} %% -- \textwidth=17cm %% -- \hoffset=-1in % \addtolength{\topmargin}{-1in} % % \addtolength{\oddsidemargin}{-1in} % Workaround für eine TeX Besonderheit, % \addtolength{\evensidemargin}{-1in} % falls KEIN Rand gewünscht wird... %% -- \hyphenation{grössere } % \renewcommand{\contentsname}{{\normalsize Inhalt}} - bei Inhaltsverz... % mit \clearpage von Hand Seitenwechsel anfordern \author{Eric Auer} \title{Tamper Resistant Smartcards - Attacks and Countermeasures} \begin{document} % % % % \raggedbottom %% \raggedright % Keine Wörter trennen, sieht manchmal besser aus \sloppy % spacing mehr varieren um zu breite Zeilen zu vermeiden \maketitle \section{ \Blue{\emph{Abstract: }}} For electronic commerce and secure (encrypted/authenticated) communication you need a safe way to handle electronic keys and coins. If you store them in a small dedicated device like a smartcard you do not have to secure the complete system. This makes security a lot easier, but smartcards have their own special weaknesses. This paper gives an introduction to common attacks on smartcards and on what can be done without too much effort to increase tamper resistance to protect at least from low budget attacks. \section{ \Blue{\emph{Introduction: }}} The main reason to use smartcards for security is to keep keys out of the probably insecure rest of your system. So the keys should not be extractable even under extreme conditions, for example if the attacker managed to steal the card. The safelocks of nuclear weapons are buried deep inside the bombs and watched by armed guards. They even use explosives to destroy themselves if tampering attempts are detected, so an attacker will not gain access to the secrets stored inside. Obviously you cannot protect your electronic car keys or the smartcard unlocking your pay-tv decoder as well as a nuclear weapon. %% to the same extent. In general, small devices do not even have their own power supply that could keep security circuits ready for detecting attacks. So they cannot delete the keys under attack if tampering is detected. I will discuss the following types of attacks along with a discussion of suitable countermeasures [AK96], [KK99]: Non-invasive attacks: \begin{list}{--}{\itemsep 0.5ex \parsep 0pt \partopsep 0pt \topsep 0pt} \item finding the internal state from external traces, \item fault generation using unusual signals. \end{list} Invasive attacks: \begin{list}{--}{\itemsep 0.5ex \parsep 0pt \partopsep 0pt \topsep 0pt} \item reverse engineering, \item eavesdropping with direct access to the silicon, \item modifying circuits (eg. to ease eavesdropping). \end{list} \section{ \Blue{\emph{General attacks}}} I will not discuss details of protocol and software-only attacks, as they are not specific to smartcards. % %% Other authors wrote a lot of papers on that topic. % %% -- would need references to write that -- %% An example of a protocol attack would be %% manipulating the lists of supported encryptions that Bob and Alice send %% to each other to establish a secure connection: If the attacker manages %% to remove all strong encryption methods, Bob and Alice will use weak %% encryption for their connection. %% -- % For an introduction, have a look at [DAS-PAPER-UEBER-SSL3.0]. Sometimes an attacker just replaces your card with another one or modifies it to get access to the transmitted data. Therefore it is important to know that there are no modifications and the card is really yours. The latter can be done with public key or challenge response protocols (to avoid giving away secret keys before the authentification is complete): A sends some challenge string, and B signs it using a cryptographic algorithm. The algorithm is designed in a way that allows proofing key ownership without revealing the key. If both parties use the same key, A could encrypt some random bits, and by successfully decrypting them, B has proven to use the same key. Of course you must trust a terminal to handle most of this protocol for you. The card may bear other features like a hologram or the owners signature that are hard to forge and can be checked directly by the owner. To prevent modifications, a card has to be tamper evident, i.e. tampering must be detectable without too much effort. For the user it is useful to personalize the card by choosing a special design for the user interface, so simply replacing the card with another one from the same batch will not be enough to trick the user. Because the user himself may be a potential attacker (eg. if the card stores keys functioning as electronic coins, the user will be tempted to make copies of his card) and attack tools can be hidden even inside a point of sale terminal, special precautions have to be taken. In general, a system based on smartcards must cope with the possibility that a few of the cards are cracked. It is a good thing to start with allowing revocation of cracked keys. And of course the encryption itself must withstand cryptanalytic attacks. See [AK96] for an attack on a processor using weak encryption for external memory accesses. \section{ \Blue{\emph{Non-invasive attacks}}} Non-invasive attacks are attacks that do not require the device to be opened. They can often be done by modifying or faking a normal smartcard terminal. Even if tools are needed that cannot be hidden and the card must be stolen for analysis, there will usually be no further tamper evidence for the owner. The more you know about the internal structure of a card the easier most attacks will be. In particular, most non-invasive attacks require knowledge about internal structure. So non-invasive attacks are often based on reverse engineering results or insider knowledge. For pay-tv keys and the like, invasive reverse engineering pays back quickly because non-invasive attacks are relatively cheap, scale well and can be easily applied to a large number of cards after the costly development involving invasive techniques is done. \subsection{\Blue{\emph{Eavesdropping}}} \subsubsection{\Blue{\emph{Attack description}}} Eavesdropping in the smartcard context means attempting to deduce secret information from accessible sources. The attacker connects to the smartcard using the standard connector and tries to ``read between the lines'' instead of directly wiretapping internal bus lines. It is also possible to analyze the electromagnetic field around the device, but this usually does not give enough accuracy. The most common attack is to analyze power consumption. Every time a CMOS gate or a SRAM cell changes its state, there will be a short increase in power consumption, because a short circuit happens for a very short time during the switching. When a bus line changes its state, the bus drivers have to charge or discharge the load capacitance involved. Measuring the current drawn by the device with high accuracy and a high sampling rate (compared to the CPU clock frequency), helps you to tell about the internal state of the CPU. You can assign a current peak to a change in a particular internal unit by measuring the delay between the clock edge and the current fluctuation. The delay differs between the different units of the chip. As some crypto algorithms involve shifting key bits through flags, key bits can be recovered by eavesdropping processor flags. This can also be used to detect the outcome of some security check without having to wait for some message about the check from the card. In rare cases, even the algorithm used by a device can be deduced from its power consumption pattern. \subsubsection{\Blue{\emph{Countermeasures}}} A strong countermeasure is detailed analog simulation during development and to obscure recognizeable current peaks. Current regulators are useful for that. It is also useful to randomize the execution by inserting idle cycles on a random basis so that an attacker cannot associate a peak with the execution or outcome of a certain instruction. It is good to use an internal clock source for the same reason and to do only loose coupling to the external bus clock. Because the attacker wants to know the delay from clock edge to current peak, the attack will be harder if the clock signal is not visible from outside. An internal clock source will also protect from attacks involving low clock frequency to simplify measuring. For the randomized execution you have to take care that the idle cycles exhibit the same activity patterns to an eavesdropper as normal cycles. Filter all incoming signals and supplies to keep them in a certain range, because non-standard conditions could make your random execution less random and may decrease the security of your device in various other ways. \subsection{\Blue{\emph{Fault generation}}} \subsubsection{\Blue{\emph{Attack description}}} Fault generation means inducing errors that spoil or weaken the security of a device during operation. A simple example of fault generation is depriving a smartcard from enough power to write part of its non-volatile memory, for example to block it from changing the list of pay-tv channels it will unlock. If this succeeds, you can simply cancel your subscription to the vendor and keep on watching tv. Similar attacks were done on telephone cards. Variations in clock and power supply may cause random number generators to produce only weak randomness and tampering sensors to get less sensitive. A wide range of attacks is based on \emph{glitches} in signals and power. The idea is as follows: The capacitance and resistance of the parts of a chip determine certain signal propagation delays. Those delays show significant variance over the different units of the chip, but stay as they are if factors such as supply voltage and temperature are fixed. Once you figure out the delay for a given unit of a given chip, you can apply very short glitches on signals that will only affect the state of a few flipflops. This may allow modification of the execution flow. The glitch attack works because flipflops sample their input only during a short time window relative to when the clock edge reaches them. A glitch at the right time on power supply will have similar effect, because the flipflop compares its input to the supply voltage for sampling. It is more common and easier not to apply glitches to bus lines or power supply but to the clock input: A single clock cycle is made shorter so that some units sample their input before the updated state from the other units reaches them. The goal of all those carefully designed faulty conditions is to change the flow of execution or some intermediate results. This can be used to ease eavesdropping or to bypass security checks. For example you can try to have the device skip a conditional jump that would be taken if authorization failed. Or change an encryption loop into a single round variant that is easier to decrypt. Another good example are output loops: Imagine this: \emph{i = Pointer to beginning of array \\ j = number of bytes to output \\ while j is above 0 do \\ ( output byte selected by i, \\ increase i, decrease j ) \\ } If you can change the comparison, its associated conditional jump or the decrement of \emph{j} into something else, possibly secret data after the \emph{array} will be output. The fault must be reproduced for each round of the loop to have the loop never finish and output as much data as possible past the array. \subsubsection{\Blue{\emph{Countermeasures}}} A method to protect a device is to use a segmented memory model. Each pointer (even the instruction pointer) is divided into a base register and an offset register. The offset registers only contain few bits, so only a limited range of memory can be reached without changing the base. In the example above, the Code would change as follows: \emph{i1 = Pointer to beginning of array, i2 = 0\\ j = number of bytes to output \\ while j is above 0 do \\ ( output byte selected by (i1 + i2), \\ increase i2, decrease j ) \\ } If the register hardware for the offset (\emph{i2}) only has 8 bits, an attack similar to the example above may never reveal more than 255 bytes of data after \emph{array}. In addition, a wraparound to zero in the offset can cause an immediate processor reset or hardcoded deletion of key data. Segmenting the instruction pointer is useful to prevent invasive eavesdropping attacks using the instruction pointer, which are discussed below in section 5.5. It is important to notice that the wraparound should not only set some flag that can be tested at some time, but immediate (hardcoded) action should be triggered without waiting for the software to notice the alarm. In general you should filter any connection between the card and the outside world to enforce sanity of all signals. The problem is that glitches are very short, so simple filters often will not be enough. Be careful that even a combination of strange signals will not get one of them through the filter. For the clock signal, it is best to generate your own right on the chip and do only loose coupling to the external bus clock. The power supply needed for updating non-volatile memory can be generated from the normal power supply using a charge pump on the chip. A charge pump allows generation of some higher voltage from the input input voltage, e.g. generating 12 V programming voltage from 5 V power supply. A way to improve security in software is to check important things more than once like in this example, where two steps are taken to limit \emph{y} to values below 8, so an attacker must sabotage two instructions. Guessing two glitches for only one modification (feed an \emph{y} above 7 into ``\emph{the rest}'') is quite hard. \emph{y = x $\land$ 7, if y is below 8 then (do the rest)} \section{ \Blue{\emph{Invasive attacks}}} Larger security modules can protect themselves better against a wide range of attacks because they can contain their own power supply and complex sensors for intrusion detection. They can store key data in SRAM and delete the contents when a sensor alarm is triggered. A simple but not completely secure way is to cut power from the SRAM in that case, but part of the contents can be reconstructed if chip temperature is low and the attacker is fast enough. As smartcards are too small for even a small battery, they have to rely on passive protection while switched off. An attacker may disable intrusion sensors and then switch the device back on for further investigation after intrusion. \subsection{\Blue{\emph{Getting access to the silicon}}} Getting access to the silicon is the first step for all kinds of invasive attacks, and of course preventing it is the best countermeasure to block all kinds of invasive attacks (described in sections 5.2 -- 5.5). % %% -- WHOOPS, careful, no reference but hardcoded section numbers -- \subsubsection{\Blue{\emph{Attack description}}} Typical chip modules are fixed at the backside of the contact plate, covered with epoxy resin and then glued into the smartcard (see figure). So for depackaging, you first heat the card to soften the glue or use a knife to cut out the chip module. This method works for smartcards, small GSM chipcards and most pay-tv keys. \includegraphics{sc-xsect} Then you have to get rid of the epoxy: This can be done with fuming nitric acid ($>98$ percent $HNO_{3}$). You can accelerate the process by heating the acid. To get usable results, you have to do several rounds of putting acid on the epoxy and washing away the dissolved material with acetone. The silicon will not get damaged by this, but you have to take care not do destroy the thin bonding wires connected to it. Even though there are machines for depackaging chips, chip analysis laboratories often prefer the manual method for small batches. The chip surface will still be covered with a thin passivation layer that protects the silicon from the environment. That layer is consisting of silicon nitride or oxide. It is hard for amateur hackers to get rid of it, professionals may use dry etching with hydrogen flouride or use laser cutters to cut holes into the passivation, but those cutters are around \$100.000. For simple attacks, it is sufficient to break holes into the passivation layer using ultrasonic vibration or simple scratching. \subsubsection{\Blue{\emph{Countermeasures}}} There are special coatings that can be used instead of the epoxy resin or as an additional layer of protection. Those ``conformeal glues'' cannot be removed without damaging the chip. Most of those substances are classified technology, but any coating that is harder to remove than epoxy resin will improve security. Larger security modules sometimes use opaque fragile substances with sensor wires inside to trigger key deletion on tampering, but this requires an internal battery. \subsection{\Blue{\emph{Eavesdropping}}} \subsubsection{\Blue{\emph{Attack description}}} Most amateur hackers use invasive attacks only to reach bus lines with microprobing needles. They eavesdrop signals and apply glitches directly to the chip. The possible attacks are similar to the non-invasive ones, but there is much more flexibility if you can attach directly to internal bus lines. Microprobing needles are elastic metal hairs with a very thin tip (below 10 micrometers), and they are attached to high resolution positioners. You need a special microscope that leaves enough room between the lens and the chip to control positioning. By using second hand parts and designing your own micropositioners, you can assemble a microprobing workstation for less than \$10.000, but professional versions cost up to \$100.000. There are far more possibilities for high level attackers with high-end tools, but it is possible for amateur hackers to rent a lab with those tools for some time at chip testing laboratories. \subsubsection{\Blue{\emph{Countermeasures}}} Using a secret proprietary design is one way of protection, but reverse engineering (see section 5.4) will defeat this. Permuting bus lines is a simple way to a non-standard design but it is easy to spot for attackers. Important bus lines should be placed in the lower layers to make access difficult. An additional physical barrier are protective meshes on the chip. They are usually groups of parallel lines that are in turn connected to ground and the power supply or carry some non-secret logic state. The lower parts of the chip connect to the mesh at many points. If the mesh is partially removed, parts of the circuit are no longer functional. \subsection{\Blue{\emph{Advanced eavesdropping techniques}}} \subsubsection{\Blue{\emph{Attack description}}} For eavesdropping of many signals at the same time it is possible to ``roentgenize'' the chip using infrared laser light, which can reveal the logic states of single transistors. For faster signals, a standard method is to put crystals of lithium niobate on the chip. The optical properties of the crystals change with the voltage in their direct neighbourhood. For 5V TTL signals this works for up to 25 MHz signals. To simplify the read-out of interesting data, it is possible to reduce the clock frequency or do averaging over several measurements using repeated protocol replay. Another effective but expensive tool is an electron beam tester (EBT). They work similar to scanning electron microscopes, but can show the voltage distribution on the chip. For a single point, this works up to several gigahertz, but only for periodic signals using stroboscopic sampling. For normal real-time sampling, only a bandwith of several megahertz is available. \subsubsection{\Blue{\emph{Countermeasures}}} To block replay attacks, extensive communication logging should be done. Unluckily current non-volatile memory does not allow enough write cycles during lifetime for the complex logging that would be needed, or there is simply not enough RAM available. Ferroelectric RAM is an emerging technology that is likely to fix the first problem. Another way to make replay attacks useless is to switch keys on a regular basis, so a spotted key will not be usable for long time. Most read-out attacks do not allow sampling of fast signals or require averaging over several runs to get fast signals right. They can be blocked by protection against low clock frequency and replay attacks. A robust low-frequency sensor is proposed in [KK99]: An external reset or power-up reset only activates divisors on the clock signal, and only the internal reset then triggered by the low-frequency sensor boots the CPU. So if you destroy the sensor, the chip will no longer boot properly. \subsection{\Blue{\emph{Reverse engineering}}} \subsubsection{\Blue{\emph{Attack description}}} It is possible to do semiautomatic reverse engineering using a camera attached to a microscope and feeding the images into automated image recognition. The software may reconstruct the circuit down to the single transistor level, but it is much easier to spot standard cells or even standard processor designs because then it is not necessary to investigate the smaller details. Using a special confocal microscope, the height information gets transformed into color information, so there are no blurred areas that are out of focus. It is possible for a well funded attacker to remove the metal layers one by one to get complete insight on the structure. A well funded attacker can afford advanced techniques to make the implant mask and transistor threshold voltages visible (using so called dopant-selective crystallographic etch) or remove the top layers using hydrogen f\/luouride wet etching. Both techniques are used to make ROM contents visible. Another method that is still new and expensive is to polish the substrate until it is thin enough to allow looking from the bottom side. \subsubsection{\Blue{\emph{Countermeasures}}} Some attackers can be confused by using non-standard cells or by polishing the top layer, so the layers below will not be visible through the height variation they cause. Protective meshes can be used to further obstruct the view on the interesting parts, which should be placed in lower layers. A combination of both methods is using a polished protective mesh. A proprietary design that requires reconstruction of the complete connection list is harder to analyze than a known design or a design mostly based on standard blocks from a cell library. Quite hard for optical analysis are fusible links in lower chip layers. Using links or part of the non-volatile RAM is also useful to vary parts of the logic, so the devices do not only differ in their serial number. This will make the results of reverse engineering less useful for attacks on multiple cards. %% Once the chip is depackaged, an electromagnetic field applied to part %% of the surface can modify the operation of certain gates. EPROM cells %% may be reprogrammed using focused UV beams. \subsection{\Blue{\emph{Modifying circuits with a FIB workstation}}} \subsubsection{\Blue{\emph{Attack description}}} A very convenient thing to have for a smartcard hacker is a focused ion beam (FIB) workstation. These are extremely expensive (about \$500.000), but time on them can be rented at chip laboratories. Some are even found at universities. The FIB workstation uses an ion beam similar to the electron beam used in scanning electron microscopes. Therefore you can detect features down to 5 nanometers in size. By increasing beam current, you can ``drill'' deep and narrow holes at any angle into the silicon. By injecting special gases it is even possible to deposit platinum or insulators on the chip surface. Navigation with 150 nanometer precision can be done using laser interferometers. It is now also possible to polish the back side of the chip to far below 0.1mm, so rear access is possible. Most currently available smartcard processors have feature sizes of one or at least one half micrometer and only two metal layers, but future chips may require the use of even more expensive tools than FIB workstations. An attacker who has constant access to a FIB workstation is able to virtually edit the circuits of the target chip, given enough time. Most amateur hackers cannot afford to rent a FIB workstation for anything more than preparing chips for microprobing. In some cases it is easier to simply reactivate test circuity that was used during chip testing at fabrication time. \subsubsection{\Blue{\emph{Countermeasures}}} The only way to prevent FIB attacks is to cover the chip with something that cannot be removed without damaging the chip. But most ``conformeal glues'' are still classified technology. If the card has its own power supply, it is much easier to use active intrusion detection. A good way to keep low budget hackers out is to cover the chip surface with a sensor mesh where every other wire is connected to power and ground in turn (or transporting some non-secret signal). As described in section 5.2.2, damaging the mesh may trigger some alarm or simply inhibit normal operation. The intrusion detector should trigger deletion of key data, a processor reset or similar actions. A mesh without a continuous power supply (for immediate action when the alarm goes off) will not protect from FIB attacks. FIB workstations make it possible to drill fine holes between the sensor lines without damaging them or even to reconnect or bypass damaged lines. But if a continuous power supply is available, depackaging the device will likely trigger other intrusion sensors before the mesh itself gets under attack. A common FIB based eavesdropping attack is to destroy the instruction decoder and tap the bus while the instruction pointer passes every single byte of RAM. A way to prevent this is to use a short instruction pointer of only a few bits and another register as an offset. The idea is the same as in section 4.2.2. Using FIB editing to reactivate a test circuit that was only switched off gives easy access to your data if you fail to do proper destruction of test circuits. A good way to destroy parts of the chip after quality control is placing them into the area where the die will be splitted into chips - or put the test circuits for each chip on the neighbouring chip. \section{\Blue{\emph{Conclusion}}} It is possible to make tampering harder by using simple, relatively inexpensive countermeasures: Avoiding single points of failure, using segmented pointers and sensor meshes on the chip surface are examples. Other examples are hard to remove coatings (attempting to remove them should damage the chip), robust internal clock generation with randomized execution delays and current regulators right on the chip. Fuses hidden in the lower layers are hard to analyze for reverse engineering, and the implant mask is harder to make visible than the arrangement of connection lines on the chip. But you have to be aware that it is not possible to protect a smartcard for a long time from being hacked by a determined and ressourceful attacker. So your system should cope with some hacked devices. \section{ \Blue{\emph{References:}}} [AK96] Ross J. Anderson, Markus G. Kuhn: \emph{Tamper Resistance - a Cautionary Note}, 2nd USENIX Workshop on Electronic Commerce, Oakland, California, Nov. 18-21, 1996, pp. 1-11. %% -- XXX -- ISBN 1-880446-83-9 %% -- XXX -- \emph{http://www.cl.cam.ac.uk/Research/Security/tamper/} [KK99] Oliver Kömmerling, Markus G. Kuhn: \emph{Design Principles for Tamper-Resistant Smartcard Processors}, USENIX Workshop on Smartcard Technology, Chicago, Illinois, USA, May 10-11, 1999, pp. 9-20. %% -- XXX -- ISBN 1-880446-34-0 %% -- XXX -- \emph{http://www.cl.cam.ac.uk/Research/Security/tamper/} % [K00] % Kingpin (kingpin@atstake.com): \\ % eToken Private Information Extraction and Physical Attack \\ % L0pht Heavy Industries Security Advisories. % \emph{http://www.l0pht.com/advisories.html} % [PPSW96] % Andreas Pfitzmann, Birgit Pfitzmann, Matthias Schunter, Michael Waidner: \\ % Mobile User Devices and Security Modules: Design for Trustworthiness \\ % IBM Research Report RZ 2784 (No. 89262) 02/05/96, % IBM Research Division, Zurich, Feb. 1996. % \emph{http://www.semper.org/sirene/lit/sirene.lit.html\#PPSW\_96} % [TW96] % J. D. Tygar, Alma Whitten: \\ % WWW Electronic Commerce and Java Trojan Horses \\ % The 2nd USENIX Workshop on Electronic Commerce Proceedings, % Oakland, California, Nov. 18-21, 1996. (www.usenix.org - EC96). % \emph{http://www.cs.cmu.edu/People/decaf/usenix96/main.html} \vfill \begin{center} {\tiny \LaTeX} \end{center} \clearpage % ------------------- % % % \end{document}