563'11'3 Breaking the Chip: Vulnerabilities of Cryptographic Processors and Smart Cards

1
563.11.3 Breaking the Chip Vulnerabilities of
Cryptographic Processors and Smart Cards

• Presented by Ragib Hasan
• PISCES Group Soumyadeb Mitra, Sruthi Bandhakavi,
  Ragib Hasan, Raman Sharikyn
• University of Illinois
• Spring 2006

2
Overview

• Threat model
• Attackers
• Goals
• Types of attacks
• Attack techniques
• Cryptographic processors
• Smart cards
• Further reading

3
Threat model

• Attacker types
• Class I Clever outsiders
• Intelligent, but lack information, exploit known
  attack
• Class II Knowledgeable insiders
• Have inside information on protocols/design, can
  use sophisticated tools
• Class III Funded organizations
• Have information, resources, equipments, and
  incentives
• Can employ class II attackers in teams

Abraham et. al. Transaction Security System, IBM
Systems Journal, 1991
4
Threat model

• Attacker goals
• To get the crypto keys stored in RAM or ROM
• To learn the secret crypto algorithm used
• To obtain other information stored into the chip
  (e.g. PINs)
• To modify information on the card (e.g. calling
  card balance)

5
Types of attacks

• Non-invasive attack
• Dont modify processor, probe via other means
• Invasive attacks
• Break open processor by acids, ionization
• Reverse engineering
• Learn how the device works

Moore, Anderson, Kuhn, Improving Smartcard
Security Using Self-timed Circuit Technology
6
Overview

• Threat model
• Attackers
• Goals
• Types of attacks
• Attack techniques
• Cryptographic processors
• Smart cards
• Further reading

7
Crypto processors Attacks

• Naïve key theft
• Master Keys loaded into the chip, attacker opens
  enclosure while device is running and probes the
  chip memory
• Preventive measures
• Wire the power supply through lid switches
• Zeroize the chip memory whenever lid is opened

8
Attack (1)

• Theft of keys
• Early chips kept keys in removable PROMs or key
  was listed in paper
• Attacker removes the PROM or steals the paper
• Solution
• Shared control, by using two or more PROMs with
  master keys, and use them to derive actual key
• Keep keys in smart cards

9
Attack (2)

• Cutting through casing
• Disabling lid switches
• Solutions
• Add more sensors, photocells
• Separate the security components, and make them
  potted using epoxy resin

10
IBM 4758s epoxy potting

• IBM 4758, with epoxy potting partially removed

11
Attack (3)

• Attacker scrapes potting with a knife, and uses a
  logic probe on the bus
• RSA, DES vulnerable if attacker can see protocol
  in action
• Solution
• Use a wire mesh embedded in the epoxy
• Crude scraping can be handled, but not slow
  erosion using sandblasting
• Use a metal shield with a membrane to enclose
  processor

12
Attack (4)

• Memory remanence
• Memory gets burned into the RAM after long time,
  on power up, 90 RAM bits initialized to key
• Attacker goes dumpster diving to find old chips
• Solution
• Use RAM savers, just like screen savers
• Move data around chip to prevent burn-in

Gutman, Secure deletion of data from magnetic and
solid state memory, Usenix Security Symp. 96
13
Attack (5)

• Freeze it!
• Below -20 C (-4F), SRAM contents persist
• Attacker freezes module, removes power, removes
  potting/mesh, attaches chip to test rig, powers
  on
• Burn it!
• Attacker floods chip with ionizing radiation
  (X-Ray), key gets burned in
• Solution?
• Add temperature/radiation alarms
• Or, blow up the chip, with thermite charges!!

Skorobogatov, Low Temperature Remanence in Static
RAM
14
Attack (6)

• Tempest / power analysis
• Noninvasive
• British MI5 eavesdropped on French embassys
  crypto machine in the 1960s
• Attacker looks into RF emissions or power
  consumption of processor
• Solution
• Use Aluminum shielding (Tin foil!!)
• Obfuscate power line paths

15
Attacking 4758

• 4758 addresses most of the previous attacks
• So, how do you attack a 4758?
• Physical
• Erode potting with sandblasting, detect mesh
  lines, by pass them (magnetic force microscope)
• Drill 8mm/0.1 mm holes to go through mesh
• Send plasma jets to destroy memory zeroization
  circuits
• Protocol level attacks
• Michael Bond, a grad student, broke 4758 using a
  protocol attack to extract a 3DES key

Michael Bond. "Attacks on Cryptoprocessor
Transaction Sets" CHES 2000
16
Overview

• Threat model
• Attackers
• Goals
• Types of attacks
• Attack techniques
• Cryptographic processors
• Smart cards
• Further reading

17
Smart cards

• Generally dont have the protection of crypto
  processors
• Typically have lower security, but more commonly
  used

18
Non-invasive attacks

• Attack the protocol
• Put a laptop between the smart card and reader,
  and analyze messages
• Put a device between card and reader that blocks
  certain messages
• Prevent writing
• Early smartcards had a separate programming
  voltage pin Vpp that was needed to write to
  EEPROM
• Attacker places tape on the pin to prevent writing

19
Non-invasive attacks

• Differential power analysis
• Power supply current spikes indicate type of
  instruction being executed
• Data values can be obtained from power profile
• Clock/power modulation
• Overclocking the chip causes disruption in
  instruction (e.g. prevent branching)
• Slowing down clock allows reading voltages with
  an electron microscope
• Modulating power can prevent parts of the chip
  from working

20
Invasive attacks

• It is possible to remove the chip using cheap
  chemicals
• Attacker removes chip, fits it into a test rig
• Optical microscope can show ROM contents
• Crystallographic staining also reveal ROM content

Moore, Anderson, Kuhn, Improving Smartcard
Security Using Self-timed Circuit Technology
21
Invasive attacks

• Physical probing
• Low cost probing stations can land microprobes on
  bus lines and read values
• The information is used to figure out keys or
  crypto algorithms
• Focus Ion Beam microscopes can modify chip or
  shielding

22
Invasive attacks

• Memory linearization
• Destroy instruction decoder to prevent jumps
• Repair test circuits (blown off during
  manufacture) to allow testing routines to dump
  memory
• Problem You need to have test circuits,
  otherwise you cant test the chips working
  during production

23
Reverse engineering

• Rebuild hardware circuits
• Etch away layer on chip surface, take electron
  micrograph, create 3-D image of chip
• Use the image to recreate circuit

24
Reverse engineering

• Optical fault induction
• Use simple camera flash, tape it to proving
  station, flash the chip at a particular spot
  using a aluminum foil aperture
• Or use a cheap laser pointer

• Focusing flash on white circle makes SRAM cell
  bit go from 1 to 0
• Focusing on black circle makes SRAM cell go from
  0 to 1
• By inducing bit faults, several protocols can be
  broken

Skorobogatov and Ross J.Anderson, Optical Fault
Induction Attacks, CHES '02
25
Further reading

• Ross Andersons page at Cambridge University
• Workshop on Cryptographic Hardware and Embedded
  Systems