
563.11.3 Breaking the Chip: Vulnerabilities of Cryptographic Processors and Smart Cards

Presented by: Ragib Hasan


PISCES Group: Soumyadeb Mitra, Sruthi Bandhakavi, Ragib Hasan, Raman Sharikyn

University of Illinois Spring 2006

Overview
Threat model
Attackers
Goals
Types of attacks

Attack techniques
Cryptographic processors
Smart cards

Further reading

Threat model
Attacker types
Class I: Clever outsiders
Intelligent, but lack information; exploit known attacks

Class II: Knowledgeable insiders


Have inside information on protocols/design, can use sophisticated tools

Class III: Funded organizations


Have information, resources, equipment, and incentives
Can employ class II attackers in teams
Abraham et al., Transaction Security System, IBM Systems Journal, 1991

Threat model
Attacker goals
To get the crypto keys stored in RAM or ROM
To learn the secret crypto algorithm used
To obtain other information stored in the chip (e.g. PINs)
To modify information on the card (e.g. calling card balance)

Types of attacks
Non-invasive attack
Don't modify processor, probe via other means

Invasive attacks
Break open processor by acids, ionization

Reverse engineering
Learn how the device works

Moore, Anderson, Kuhn, Improving Smartcard Security Using Self-timed Circuit Technology


Crypto processors: Attacks


Naive key theft
Master Keys loaded into the chip, attacker opens enclosure while device is running and probes the chip memory

Preventive measures
Wire the power supply through lid switches
Zeroize the chip memory whenever lid is opened

Attack (1)
Theft of keys
Early chips kept keys in removable PROMs, or the key was listed on paper
Attacker removes the PROM or steals the paper

Solution
Shared control, by using two or more PROMs with master keys, and use them to derive actual key
Keep keys in smart cards

Attack (2)
Cutting through casing
Disabling lid switches

Solutions
Add more sensors, photocells
Separate the security components, and make them potted using epoxy resin

IBM 4758's epoxy potting

IBM 4758, with epoxy potting partially removed


Attack (3)
Attacker scrapes potting with a knife, and uses a logic probe on the bus
RSA, DES vulnerable if attacker can see protocol in action

Solution:
Use a wire mesh embedded in the epoxy
Crude scraping can be handled, but not slow erosion using sandblasting

Use a metal shield with a membrane to enclose processor



Attack (4)
Memory remanence
Memory gets burned into the RAM after a long time; on power-up, 90% of RAM bits are initialized to the key
Attacker goes dumpster diving to find old chips

Solution
Use RAM savers, just like screen savers
Move data around chip to prevent burn-in

Gutmann, Secure Deletion of Data from Magnetic and Solid-State Memory, USENIX Security Symposium '96
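
A sketch of the "RAM saver" idea in firmware-style C, added here as an example and not taken from the slides or from any product: the key is periodically relocated between two RAM slots and, as an assumption beyond the slide, stored with alternating polarity so that each cell spends the same time at 1 whatever the key bit is. The `key_store` type, the four-phase schedule and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN 16
/* Hypothetical key store: two RAM slots, key kept XORed with a mask (0x00 or
 * 0xFF). Phases 0..3 = slot0 plain, slot0 inverted, slot1 plain, slot1
 * inverted, so over one cycle every cell holds a 1 exactly once. */
typedef struct {
    volatile uint8_t slot[2][KEY_LEN];
    unsigned phase;
} key_store;

static unsigned slot_of(unsigned phase) { return (phase >> 1) & 1u; }
static uint8_t  mask_of(unsigned phase) { return (phase & 1u) ? 0xFF : 0x00; }

void ks_load(key_store *ks, const uint8_t *key) {
    ks->phase = 0;
    for (size_t i = 0; i < KEY_LEN; i++) { ks->slot[0][i] = key[i]; ks->slot[1][i] = 0; }
}

/* Called from a periodic timer: re-encode and, every second call, relocate. */
void ks_tick(key_store *ks) {
    unsigned next = (ks->phase + 1) & 3u;
    unsigned from = slot_of(ks->phase), to = slot_of(next);
    for (size_t i = 0; i < KEY_LEN; i++) {
        uint8_t plain = ks->slot[from][i] ^ mask_of(ks->phase);
        ks->slot[to][i] = plain ^ mask_of(next);
        if (to != from) ks->slot[from][i] = 0;   /* clear the slot just vacated */
    }
    ks->phase = next;
}

/* Decode the key for use; the caller wipes `out` when done. */
void ks_read(const key_store *ks, uint8_t *out) {
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = ks->slot[slot_of(ks->phase)][i] ^ mask_of(ks->phase);
}

int main(void) {
    uint8_t key[KEY_LEN], out[KEY_LEN];
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(0x10 + i); /* constructed key */
    key_store ks;
    ks_load(&ks, key);
    for (int t = 0; t < 5; t++) ks_tick(&ks);
    ks_read(&ks, out);
    printf("phase=%u first byte=0x%02x\n", ks.phase, out[0]);
    return 0;
}
```

The tick period has to be short compared with the time scale over which burn-in develops, which the slides do not quantify.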


Attack (5)
Freeze it!
Below -20 °C (-4 °F), SRAM contents persist
Attacker freezes module, removes power, removes potting/mesh, attaches chip to test rig, powers on

Burn it!
Attacker floods chip with ionizing radiation (X-ray), key gets burned in

Solution?
Add temperature/radiation alarms
Or, blow up the chip, with thermite charges!!
Skorobogatov, Low Temperature Remanence in Static RAM
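
The sensor-driven zeroization that the preventive measures on these slides add up to (lid switches, photocells, wire mesh, temperature and radiation alarms), as an added C example that is not from the slides or from the IBM 4758 firmware. The `sensors` struct, the 10-degree margin above the -20 °C retention point and the radiation threshold are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SRAM_RETAIN_C (-20) /* slide: SRAM contents persist below this */
#define TEMP_MARGIN_C 10    /* assumed: alarm while RAM still decays on power loss */
#define DOSE_MAX      100u  /* assumed radiation limit, arbitrary units */

typedef struct {            /* hypothetical sensor snapshot */
    bool     lid_closed;    /* lid switch */
    bool     light_seen;    /* photocell inside the enclosure */
    bool     mesh_intact;   /* continuity of the mesh in the potting */
    int16_t  temp_c;        /* degrees Celsius */
    uint16_t dose_rate;     /* radiation sensor reading */
} sensors;

typedef enum { T_NONE, T_LID, T_LIGHT, T_MESH, T_COLD, T_RADIATION } tamper;

/* Map one sensor snapshot to the first alarm condition it violates. */
tamper classify(const sensors *s) {
    if (!s->lid_closed)  return T_LID;
    if (s->light_seen)   return T_LIGHT;
    if (!s->mesh_intact) return T_MESH;
    if (s->temp_c <= SRAM_RETAIN_C + TEMP_MARGIN_C) return T_COLD;
    if (s->dose_rate > DOSE_MAX) return T_RADIATION;
    return T_NONE;
}

/* Volatile stores so the compiler cannot optimise the wipe away. */
void zeroize(volatile uint8_t *p, size_t n) { while (n--) *p++ = 0; }

/* One poll: on any alarm, wipe key RAM before doing anything else. */
tamper poll_and_respond(const sensors *s, volatile uint8_t *keys, size_t n) {
    tamper t = classify(s);
    if (t != T_NONE) zeroize(keys, n);
    return t;
}

int main(void) {
    volatile uint8_t keys[16];
    for (size_t i = 0; i < sizeof keys; i++) keys[i] = 0x5A; /* constructed key */
    sensors normal = { true, false, true, 22, 3 };           /* constructed samples */
    sensors frozen = { true, false, true, -25, 3 };
    tamper a = poll_and_respond(&normal, keys, sizeof keys);
    tamper b = poll_and_respond(&frozen, keys, sizeof keys);
    printf("normal=%d frozen=%d keys[0]=%u\n", (int)a, (int)b, (unsigned)keys[0]);
    return 0;
}
```

The cold alarm trips above the retention temperature so that the wipe completes while the SRAM would still lose its contents on power removal.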


Attack (6)
Tempest / power analysis
Noninvasive
British MI5 eavesdropped on the French embassy's crypto machine in the 1960s

Attacker looks into RF emissions or power consumption of processor

Solution
Use aluminum shielding (tin foil!!)
Obfuscate power line paths


Attacking 4758
4758 addresses most of the previous attacks
So, how do you attack a 4758?
Physical
Erode potting with sandblasting, detect mesh lines, bypass them (magnetic force microscope)
Drill 8mm/0.1 mm holes to go through mesh
Send plasma jets to destroy memory zeroization circuits

Protocol level attacks


Michael Bond, a grad student, broke 4758 using a protocol attack to extract a 3DES key
Michael Bond. "Attacks on Cryptoprocessor Transaction Sets" CHES 2000



Smart cards
Generally don't have the protection of crypto processors
Typically have lower security, but more commonly used


Non-invasive attacks
Attack the protocol
Put a laptop between the smart card and reader, and analyze messages
Put a device between card and reader that blocks certain messages

Prevent writing
Early smartcards had a separate programming voltage pin Vpp that was needed to write to EEPROM
Attacker places tape on the pin to prevent writing

Non-invasive attacks
Differential power analysis
Power supply current spikes indicate type of instruction being executed
Data values can be obtained from power profile

Clock/power modulation
Overclocking the chip disrupts instructions (e.g. prevents branching)
Slowing down clock allows reading voltages with an electron microscope
Modulating power can prevent parts of the chip from working

Invasive attacks
It is possible to remove the chip using cheap chemicals
Attacker removes chip, fits it into a test rig
Optical microscope can show ROM contents
Crystallographic staining also reveals ROM content
Moore, Anderson, Kuhn, Improving Smartcard Security Using Self-timed Circuit Technology


Invasive attacks
Physical probing
Low cost probing stations can land microprobes on bus lines and read values
The information is used to figure out keys or crypto algorithms
Focused Ion Beam microscopes can modify chip or shielding


Invasive attacks
Memory linearization
Destroy instruction decoder to prevent jumps
Repair test circuits (blown off during manufacture) to allow testing routines to dump memory
Problem: You need to have test circuits, otherwise you can't test the chip's working during production


Reverse engineering
Rebuild hardware circuits
Etch away layer on chip surface, take electron micrograph, create 3-D image of chip
Use the image to recreate circuit


Reverse engineering
Optical fault induction
Use simple camera flash, tape it to probing station, flash the chip at a particular spot using an aluminum foil aperture
Or use a cheap laser pointer
Focusing flash on white circle makes SRAM cell bit go from 1 to 0
Focusing on black circle makes SRAM cell go from 0 to 1
By inducing bit faults, several protocols can be broken

Skorobogatov and Ross J. Anderson, Optical Fault Induction Attacks, CHES '02

Further reading
Ross Anderson's page at Cambridge University
Workshop on Cryptographic Hardware and Embedded Systems
