Some Security Attacks

1
Some Security Attacks

• Tamper-Resistance - A Cautionary Note by
• Ross Anderson and Markus Kuhn

2
VISA security module for bank ATMs

• Stripe on your ATM card is encrypted.
• It contains your PIN and other details.
• ATM has module containing processor and key to
  encrypt, decrypt and check pin.
• It is a local operation done at the ATM, even
  when system is offline.
• Lid switches and pressure sensors to erase its
  keys if the box is opened.

3
Taxonomy of Attackers (IBM)

• Class I Clever outsiders - insufficient
  knowledge of system, no highly sophisticated
  equipment, look for existing weaknesses.
• Class II Knowledgeable Insiders - have
  potential access to most parts of systems, and
  highly sophisticated tools.
• Class III Funded Organizations governments,
  terrorists, Mafia have teams of experts, big
  budgets, most advanced tools.

4
Can you get unsupervised access? To many
devices?

• Much more vulnerable if we can experiment.
• Phone cards,
• Pay-TV, DSTV cards,
• SIM modules in a phone,
• Casino smart cards for gambling,
• smartcards, etc.

5
Pay TV, an early case

• Smartcards needed high voltage to overwrite
  memory, lower voltage to read memory.
• Mallet registers for all TV channels for one
  month, then cancels subscription. Signals sent
  to his decoder set all channels as open, which
  is written to the smartcard.
• He then disables the high voltage pin so that
  when he cancels his subscription, the decoder
  cannot close the channels.

6
Pay TV

• Newer cards generate high voltage on board from
  oscillators and capacitors and diode circuitry.
• But you can still see the components under a
  microscope, and destroy them with a laser cutter.

7
Other attacks /defenses on smartcards

• You can use acid to etch away the coating and
  expose the circuitry,
• Then insert microprobes and trace the bits on the
  buses, or even pick up signals from inductance.
• Some glues are opaque and resistant to removal,
  and will destroy underlying circuits.
• Some coatings are mildly conductive to spread
  electrical noise. Some even have random
  oscillators generating deliberate electrical
  noise to mask probes.

8
Very sophisticated power attack

• External source supplies power. You can monitor
  chip power usage very accurately.
• Some circuits had different power demands when
  processing 0 and 1 bits of the secret key in an
  encryption algorithm.
• By reading off the fluctuations in power, you
  could extract the 0 and 1s of the key.

9
Very sophisticated timing attack

• In a similar attack, a processor was discovered
  that needed a different number of processor
  cycles when processing a 0 or 1 bit of a secret
  key.
• By finding something repetitive to measure (e.g.
  power spike, electromagnetic emission), one can
  look at the inter-event timings and extract the
  key bits.

10
Nuclear Missiles have highest security we know
about.

• Launch codes are secret keys embedded in
  hardware, sited in middle of plutonium mechanism,
  with external protection too.
• A terrorist group or government who stole some
  missiles would be willing to sacrifice many just
  to get one workable device.
• Often they will only arm themselves under severe
  expected environmental conditions, e.g. a missile
  experiences many thousand G forces on launch, or
  a bomb experiences zero gravity at high altitude,
  and this may be a necessary precondition for
  arming.

11
Interesting experiment

• After they exploded the core security mechanism
  to prevent enemy access, they collected fragments
  of memory around 1mm.
• The 1mm fragments had contiguous bit-strings of
  the secret key!
• Now they scatter key bits throughout memory so
  that after explosion one cannot find sequences
  by using a crypto mapping table for address
  fetches.

12
The Dallas Crypto Processor

• Was best-of-breed commercial system at the time
  the paper was written (1997)
• Had encrypted data bus between processor and
  memory. Each memory address essentially had a
  unique encrypt/decrypt mapping for its 256
  possible data values.
• So understanding the mapping for data fetched
  from position 1020 didnt help you to understand
  the data anywhere else.

13
The Dallas Crypto Processor

• Also had separate encryption for 16-bit address
  bus so processor saw a linear memory at byte
  address 0,1,2, but physically they were
  scattered in actual memory.
• But a processor often executes the same sequence
  of instructions from successive (logical)
  locations, so youd learn a lot by watching the
  patterns of memory accesses.

14
(No Transcript)
15
The Dallas Attack

• The three-byte instruction MOV 90h xx will send
  byte xx to the parallel port. We can watch the
  port to see when weve found it.
• We cant tell what ciphercode pair will decode
  into the MOV 90h, but we can try an exhaustive
  search.
• We cut the link between memory and the bus, and
  insert our own processor which can either pass
  stuff across unchanged, or can substitute
  something else. (man-in-the-middle attack)

16
(No Transcript)
17
The Dallas Attack

• We repeatedly reset the processor, and substitute
  the first three bytes fetched from memory.
  (Theyre always fetched from the same place, the
  particular address doesnt matter. Call them A0
  A1 A2.).
• Substitute what it fetches, exhaustively trying
  all 64K bit combinations of the first two bytes,
  and watch the port. When something happens, you
  have discovered the encrypted form of the MOV 90h
  instruction at addresses A0 A1.

18
The Dallas Attack

• Once you know this, start substituting the next
  data byte. Each encrypted byte you send will
  come out of the port in plaintext.
• After 256 trials you can build a complete table
  of the encryption mapping for memory position A2.
  - You know what you fed in as the data, and you
  saw what came out of the port.

19
The Dallas Attack

• Now exhaustively search for any one-byte
  instruction that can go ahead of the MOV 90h xx.
  So look for NOP MOV 90h xx
• (You already know the encryption table for A2, so
  you know what the encrypted form of the 90h is.
  The orange font means that you dont have to vary
  this data in the search, yellow means try all
  combinations.)
• When you see output appearing on the port, you
  can find the encryption table for A3.
• Now it gets easy look for another NOP NOP
  NOP MOV 90h xx

20
The Dallas Attack

• When you know how the bus encryption works for
  about 10 consecutive bytes, you can write a small
  assembly-code loop to read all of memory and
  output it to the port.
• Encrypt this little bit of code using your
  tables, and run the program.
• All of memory contents, including any secret
  keys, will magically appear on the parallel port!

21
The Dallas Attack

• Was a Class I attacker
• Cost around 300 for equipment
• Took a student 3 months.

22
Its just one bit you need to fiddle

• A chip contains a secret key because some process
  uses that key at some stage.
• The secret data will be locked with a hardware
  lock bit. When the program authorizes itself,
  the lock is opened and the key can be accessed.
  (e.g. the processor will enter privileged or
  supervisor mode)
• Resetting the chip will re-lock this bit.
• An attacker will go after this bit

23
There are many other loopholes

• Chips misbehave when they are clocked too slowly
  or clocked too fast, or the clock is irregular,
• They might misbehave under weird power
  conditions voltage too low, or too high, or
  voltage contains spikes.

24
Some lessons and observations

• Smartcards are not secure against determined
  attacks, certainly not against foreign
  governments and well-funded organizations.
• Even our Casino in PE stores your customer number
  and balance on the card, but it accesses a
  central computer to confirm the balance. If you
  crack the security and give yourself an extra
  R500 000 on your casino card, men in black suits
  will arrive when you put your card in the slot
  machine.

25
Lessons

• In spite of claims of great security, at this
  time smartcards are only useful for low-risk
  applications. Store your passwords etc. on the
  card. But dont store value directly, unless it
  is not worth cracking amounts.
• Telephone cards all have unique ID numbers. In
  principle, Telkom could track repeated use of a
  card whose units are never depleted.
• Even Clicks loyalty points are stored centrally
  on their computers. All that is on your card is
  your customer number.