Page 1: Physical Security Pieter.Harte@utwente.nl. IIS 2 Overview Smart cards RFIDs Attacks (Semi)-Natural tags Conclusions.

Physical Security

Pieter.Harte@utwente.nl

Page 2:

Overview

Smart cards

RFIDs

Attacks

(Semi)-Natural tags

Conclusions

Page 3:

Smart Cards

Page 4:

Smart cards

Card dimensions: 85.6 mm x 53.98 mm x 0.76 mm

[And96] R. J. Anderson and M. G. Kuhn. Tamper resistance - A cautionary note. In 2nd Int. Usenix Workshop on Electronic Commerce, pages 1-11, Oakland, California, Nov 1996. USENIX Association. http://www.usenix.org/publications/library/proceedings/ec96/kuhn.html

Broken!

Page 5:

What makes the card smart?

CPU (8, 16, 32 bit)

Memory (RAM, ROM, EEPROM, Flash)

I/O channel (Contact/Contact less)

Cryptographic co-processor

On card devices (Fingerprint, display)

Standards (ISO 7816, GSM, EMV, VOP)

Page 6:

Main security features

Symmetric crypto

Asymmetric crypto relatively slow

Hardware random number generator

Hardware tamper resistance

X-tal clock vulnerable

Life cycle management

Page 7:

Communication

ISO 7816-4:

9600 bps : slow

USB : bulky

Bluetooth: power

Biometrics: slow

www.fingerchip.com

Page 8:

Displays

Plastic, glass

Emissive, non-emissive

Refresh, bi-stable

Segment, dot-matrix

Problems: connections, yield, power, thickness, price!

[Pra01] D. Praca and C. Barral. From smart cards to smart objects: the road to new smart technologies. Computer Networks, 36(4):381-389, Jul 2001. http://dx.doi.org/10.1016/S1389-1286(01)00161-X

Page 9:

Clock & Power

Clock

» Xtal 0.6 mm

» MEMS (0.002% acc.)

Battery

» Thickness

» Power density

» When to recharge

Page 10:

Integration is hard

Display

Button

32-bit CPU

Large memory

Battery

Comms

>> 25 mm²

Photo: Philips Semiconductors

Page 11:

RFID

Page 12:

What is an RFID tag?

Antenna + small chip in ambient field

Passive, replies to queries only

Can be used for almost anything

» Supply Chain Management & Checkout (Walmart, Benetton)

» Homeland security

» User convenience

» Access to buildings

Nokia 6131 NFC

Page 13:

Passport application

Page 14:

Privacy issues

Sniffing

» Data collection in proximity (skimming)

» Correlate data from different tags

Counter measures

» Shield antenna in passport with tinfoil

» Encrypt the template with MRZ data

» Reduce transmit range

» Light controlled on/off switch

» Long and short range interface

» Time delayed transmit of sensitive info

[Bir07] N. Bird, C. Conrado, J. Guajardo, S. Maubach, G. Jan Schrijen, B. Skorić, A. M. H. Tombeur, P. Thueringer, and P. Tuyls. ALGSICS - combining physics and cryptography to enhance security and privacy in RFID systems. In F. Stajano, C. Meadows, S. Capkun, and T. Moore, editors, 4th European Workshop on Security and Privacy in Ad-hoc and Sensor Networks (ESAS), volume LNCS 4572, pages 187-202, Cambridge, UK, Jul 2007. Springer. http://dx.doi.org/10.1007/978-3-540-73275-4_14

Page 15:

Attacks

[Wit02] M. Witteman. Advances in smartcard security. Information Security Bulletin, pages 11-22, Jul 2002. http://www.riscure.com/fileadmin/images/Docs/ISB0707MW.pdf

Page 16:

Attacks

Operational

» Blackmail

» Burglary

» Bribery

Technical

» Logical

» Physical

» Side channel

Attackers

» I: Clever outsiders

» II: Knowledgeable insiders

» III: Funded Organisations

Page 17:

Logical attacks

The code is too complex

» Hidden commands

» Parameter poisoning & Buffer overflow

» Malicious or buggy applets

» Protocol problems (e.g. retransmit)

» Proprietary crypto

Counter measures

» Structured design & code inspection

» Formal methods

» Testing

Page 18:

Example: RFID virus

There is a large amount of code

Generic protocols and facilities

Back end data bases

So the usual attacks:

» Buffer overflow

» SQL injection “;shutdown--”

Don’t trust data from RFID tag…

[Rie06] M. R. Rieback, B. Crispo, and A. S. Tanenbaum. Is your cat infected with a computer virus? In 4th Annual IEEE Int. Conf. on Pervasive Computing and Communications (PerCom), pages 169-179, Pisa, Italy, Mar 2006. IEEE Computer Society. http://dx.doi.org/10.1109/PERCOM.2006.32

Best paper award
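The slide's advice applied to a back-end lookup, as an added example that is not from the slides or from [Rie06]: tag contents are checked against an expected format and bound as a query parameter, next to the concatenated form in which tag bytes become part of the SQL text. The table layout, the tag ID format and the sample tag values are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed site-specific format for tag IDs (hypothetical, not from the slides).
TAG_FORMAT = re.compile(r"[A-Z0-9-]{1,32}")

# Constructed sample tag contents, as a reader would hand them to middleware.
BENIGN_TAG = "PALLET-00042"
QUOTE_TAG = "x' OR '1'='1"      # a quote ends the string literal early
SLIDE_TAG = ";shutdown--"       # the payload quoted on the slide


class TagRejected(ValueError):
    """Raised when tag contents do not look like a tag ID."""


def make_db():
    """In-memory stand-in for the back-end database (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (tag_id TEXT PRIMARY KEY, location TEXT)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("PALLET-00042", "dock 3"), ("PALLET-00043", "dock 7")],
    )
    return db


def lookup_concatenated(db, tag_data):
    """Weak form: tag bytes are pasted into the SQL text."""
    sql = "SELECT location FROM items WHERE tag_id = '" + tag_data + "'"
    return sorted(row[0] for row in db.execute(sql))


def bound_without_validation(db, tag_data):
    """Binding alone already keeps tag contents as data, never as SQL."""
    rows = db.execute("SELECT location FROM items WHERE tag_id = ?", (tag_data,))
    return sorted(row[0] for row in rows)


def lookup_bound(db, tag_data):
    """Hardened form: validate the format first, then bind the value."""
    if not TAG_FORMAT.fullmatch(tag_data):
        raise TagRejected("unexpected tag contents")
    return bound_without_validation(db, tag_data)
```

With the constructed rows, the concatenated lookup returns every location for `QUOTE_TAG`, while the bound lookup returns nothing for it and the validating lookup rejects it before the database is touched.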

Page 19:

Physical attacks

The circuitry is complex and vulnerable

» Chemicals & etching

» SEM Voltage contrast

» Probe stations

» Focused Ion Beam (FIB) to make probe pads

Counter measures

» Reduced feature size (100nm)

» Multi layering

» Protective layers

» Sensors

» Bus scrambling

Page 20:

Low cost physical attacks

Block EEPROM writes by isolating Vpp

Rent focused Ion beam

[And97d] R. J. Anderson and M. Kuhn. Low cost attacks on tamper resistant devices. In 5th Int. Workshop on Security Protocols, volume LNCS 1361, pages 125-136, Paris, France, Apr 1997. http://dx.doi.org/10.1007/BFb0028165

Page 21:

Side channel attacks

Physical phenomena can be measured

» Power

» EM radiation (X-ray, light, sound)

» Time

and changed

» Voltage (example later)

» Frequency (example later)

[Vua09] M. Vuagnoux and S. Pasini. Compromising electromagnetic emanations of wired and wireless keyboards. In 18th USENIX Security Symp., pages 1-16, Montreal, Canada, Aug 2009. USENIX Assoc. http://www.usenix.org/events/sec09/tech/full_papers/vuagnoux.pdf

Page 22:

Timing attack

Exponentiation by square and multiply:

    for i = n − 2 downto 0
        X = X^2
        if (d[i] == 1) then
            X = X*M

Power trace shows bits 1 in the key

Page 23:

Simple power analysis

16 rounds DES

Rounds 2 & 3

[Koc99] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In M. J. Wiener, editor, 19th Int. Conf. on Advances in Cryptology (CRYPTO), volume 1666 of LNCS, pages 388-397, Santa Barbara, California, Aug 1999. Springer. http://www.cryptography.com/resources/whitepapers/DPA.pdf

Page 24:

Differential power attacks

Difference in the third cycle due to difference in input value for encryption

Page 25:

Active attacks : Power Dip

read a 0 as a 1

Protection measure

» Check VCC & raise an alarm if it drops

» Problem: Fast transients during start-up may raise false alarms

[Figure: voltage between gnd and vcc, marking the reading threshold and the stored value of a logical zero, with a power dip at the moment of reading a memory cell.]

Page 26:

Active attacks : Clock Glitch

Dump all of the memory

Replace 5MHz pulse by 4 pulses of 20MHz:

    1. b = answer_address
    2. a = answer_length
    3. If (a == 0) goto 8
    4. transmit(*b)
    5. b=b+1
    6. a=a-1
    7. goto 3

[And97d] R. J. Anderson and M. Kuhn. Low cost attacks on tamper resistant devices. In 5th Int. Workshop on Security Protocols, volume LNCS 1361, pages 125-136, Paris, France, Apr 1997. http://dx.doi.org/10.1007/BFb0028165

Glitch here
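A small model of the loop above, added here and not taken from the slides or from [And97d], showing why one lost instruction turns a fixed-length answer into a memory dump and how a second, independent bound catches it. It assumes the fault makes step 6 (`a = a - 1`) have no effect, since the position of the slide's "Glitch here" marker is not recoverable from the transcript; the memory contents, `faulted` parameter and `FaultDetected` are constructed for illustration.

```python
# Constructed memory image: a 4-byte answer followed by unrelated bytes.
MEMORY = b"ATR!" + b"KEYMATERIAL"
ANSWER_ADDRESS, ANSWER_LENGTH = 0, 4


class FaultDetected(Exception):
    """Raised by the checked loop when counter and pointer disagree."""


def transmit_loop(memory, faulted=frozenset()):
    """The slide's loop. In a faulted iteration step 6 (a = a - 1) is lost."""
    out = bytearray()
    b, a = ANSWER_ADDRESS, ANSWER_LENGTH       # steps 1-2
    iteration = 0
    while a != 0 and b < len(memory):          # step 3 (model ends with memory)
        out.append(memory[b])                  # step 4
        b += 1                                 # step 5
        if iteration not in faulted:
            a -= 1                             # step 6
        iteration += 1                         # step 7
    return bytes(out)


def transmit_loop_checked(memory, faulted=frozenset()):
    """Same loop with an independent bound on the pointer b."""
    out = bytearray()
    end = ANSWER_ADDRESS + ANSWER_LENGTH       # second source of truth
    b, a = ANSWER_ADDRESS, ANSWER_LENGTH
    iteration = 0
    while a != 0:
        if b >= end:                           # counter says go on, pointer says stop
            raise FaultDetected("loop counter inconsistent with pointer")
        out.append(memory[b])
        b += 1
        if iteration not in faulted:
            a -= 1
        iteration += 1
    return bytes(out)
```

A single faulted iteration leaks one byte past the answer in the plain loop; the checked loop stops at the answer boundary and signals the inconsistency, which is where an alarm or card reset would be wired in.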

Page 27:

Countermeasures

Hardware

» Lower power signals

» Increase noise levels

» Introduce timing noise

Software

» Parallelism

» Introduce random delays

» Constant time execution

» Blinding intermediate values
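The square-and-multiply loop from the timing attack slide next to a fixed-sequence alternative, as an added example that is not from the slides: it records the operation sequence each routine performs, which is what "Power trace shows bits 1 in the key" and "Constant time execution" refer to. The Montgomery ladder is swapped in here as one well-known fixed-sequence method; the function names and the `trace` list are illustrative, and Python integers are not constant time, so this models the sequence of operations only.

```python
def square_and_multiply(M, d, N, trace):
    """Left-to-right exponentiation as on the timing attack slide.

    trace collects 'S' per squaring and 'M' per multiply, standing in for
    what a power or timing measurement can tell apart.
    """
    bits = bin(d)[2:]
    X = M % N                           # covers the top bit d[n-1] = 1
    for bit in bits[1:]:                # i = n-2 downto 0
        X = (X * X) % N
        trace.append("S")
        if bit == "1":                  # key-dependent extra operation
            X = (X * M) % N
            trace.append("M")
    return X


def montgomery_ladder(M, d, N, trace):
    """Same result; every bit costs exactly one multiply and one squaring."""
    R0, R1 = 1, M % N
    for bit in bin(d)[2:]:
        if bit == "1":
            R0, R1 = (R0 * R1) % N, (R1 * R1) % N
        else:
            R0, R1 = (R0 * R0) % N, (R0 * R1) % N
        trace.append("MS")              # same pair of operations for 0 and 1
    return R0


def bits_implied_by(trace):
    """Exponent bits that an S/M operation sequence gives away."""
    ops = "".join(trace)
    bits, i = "1", 0                    # leading 1 is implied by X = M
    while i < len(ops):
        is_one = ops[i:i + 2] == "SM"   # squaring followed by multiply
        bits += "1" if is_one else "0"
        i += 2 if is_one else 1
    return bits
```

For two exponents of equal bit length the ladder's trace is identical, while the square-and-multiply trace spells out the exponent; a production implementation would also replace the `if` with a constant-time conditional swap.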

Page 28:

Countermeasures

Make attacks harder but not impossible

Hard to get right

Expensive to implement

Page 29:

Out of the box thinking

The humble capacitor

» Emanates acoustic signals

» Sensitive to shocks and vibration

» C A / d

Page 30:

Listen to a PC multiplying

http://people.csail.mit.edu/tromer/acoustic/

Freeze 1500 μF capacitor

Page 31:

Shaking a smart card....

Page 32:

Attackers business case

Attack Class | Equipment | Cost | Succ. Rate | Devel. Time | Exec. Time
Logical | PC, card reader | 1-10K | Low | Wks | Mins
Physical | PC, Probe Station, SEM, FIB, Microscope, Chemistry Lab | 100K-1M | High | Mnths | Days
Side Channel | PC, Oscilloscope, Function Gen. | 10K-100K | Med. | Mnths | Hours

Rental!

Page 33:

Design guidelines

Define the level of security needed

Perform a risk analysis

Consider the attacker's business case

Use the right technologies

Build in fraud management

Design recovery and fall-back

Consider the overall system

Page 34:

IBM 4758 Crypto Coprocessor

Rolls Royce of secure devices

Tamper sensing barrier

Keys move in the RAM

Temperature & X-ray sensor

Solid aluminium case & epoxy potting

low pass filter on power supply

Used in ATMs

Hacked!

[Cla03b] R. Clayton and M. Bond. Experience using a Low-Cost FPGA design to crack DES keys. In 4th Int. Workshop on Cryptographic Hardware and Embedded Systems (CHES), volume LNCS 2523, pages 877-883, Redwood Shores, California, 2003. Springer. http://dx.doi.org/10.1007/3-540-36400-5_42

Page 35:

(Semi) Natural tags

Page 36:

Fingerprinting

[Buc05] J. D. R. Buchanan, R. P. Cowburn, A.-V. Jausovec, D. Petit, P. Seem, G. Xiong, D. Atkinson, K. Fenton, D. A. Allwood, and M. T. Bryan. Forgery: 'fingerprinting' documents and packaging. Nature, 436(7050):475, Jul 2005. http://dx.doi.org/10.1038/436475a

Page 37:

Philips Coating PUF

[Sko08] B. Škorić, G.-J. Schrijen, W. Ophey, R. Wolters, N. Verhaegh, and J. van Geloven. Experimental hardware for coating PUFs and optical PUFs. In P. Tuyls, B. Škorić, and T. Kevenaar, editors, Security with Noisy Data - On Private Biometrics, Secure Key Storage and Anti-Counterfeiting, pages 255-268. Springer London, 2008. http://dx.doi.org/10.1007/978-1-84628-984-2_15

Page 38:

MEMS particles

1x1x12 μm particles, shapes

Church and school roof, power line grease/gel

Jewellery fluid

Spray vandals/thieves

Smart water

[Kay92] P. H. Kaye, F. Micheli, M. Tracey, E. Hirst, and A. M. Gundlach. The production of precision silicon micromachined non-spherical particles for aerosol studies. Journal of Aerosol Science, 23(Suppl 1):201-204, 1992. http://dx.doi.org/10.1016/0021-8502(92)90384-8

http://www.redwebsecurity.com/

Page 39:

Conclusions

Affordable tamper resistance technology exists

Getting it right is difficult

Out of the box thinking required