Known Attacks Against Smartcards White Paper Discretix Technologies Ltd. Author: Hagai Bar-El Title: Information Security Analyst Email: [email protected] Tel: +972-9-8858810 www.discretix.com w w w . d i s c r e t i x . c o m Advanced security solutions for constrained environments ABOUT THIS DOCUMENT This document analyzes, from a technical point of view, currently known attacks against smart card implementations. The purpose of this analysis is to give the necessary background for the assessment of the mechanisms that can enhance the security of smart cards. This document is mainly intended for people who are considering the use of cryptographic modules and who need to compare several options with respect to their security. Known Attacks Against Smartcards Page 2 of 19 REFERENCES 1. A method for resynchronizing a random clock on smart cards, By Didier Moyart and Régis Bevan, Oberthur Card Systems 2. A Timing Attack on RC5, By Helena Handschuh and Howard M. Heys 3. An Overview of Smart Card Security, By Siu-cheung Charles Chan 4. Biham-Shamir Differential Fault Analysis of DES, By Eli Biham and Adi Shamir 5. Defending against DFA, By Sandy Harris 6. Design Principles for Tamper-Resistant Smartcard Processors, By Oliver Kommerling and Markus G. Kuhn 7. Differential Power Analysis, By Paul Kocher, Joshua Jaffe, and Benjamin Jun 8. DPA Q&A, By Paul Kocher, Joshua Jaffe, and Benjamin Jun 9. Hacking EPROM based microcontrollers in general, Author unknown 10. Hardware Security of Advanced Smart Card ICs, By Koninklijke Philips Electronics 11. Improving Smartcard Security Using Self-timed Circuit Technology, By Simon Moore, Ross Anderson, and Markus Kuhn 12. Introduction to Differential Power Analysis and Related Attacks, By Paul Kocher, Joshua Jaffe, and Benjamin Jun 13. Java Smart Cards, By Y. L. Chan and H. Y. Chan 14. Low Cost Attacks on Tamper Resistant Devices, By Ross Anderson and Markus Kuhn 15. New Attacks to Public Key Cryptosystems on Tamperproof Devices, By Feng Bao, Robert Deng, Yongfei Han, Albert Jeng, Desai Narasimhalu and Teow Hin Nagir 16. Probing Attacks on Tamper-Resistant Devices, By Helena Handschuh, Pascal Paillier and Jacques Stern 17. Security Policy For Schlumberger Sema Cryptoflex 8K Smart Card, By Schlumberger 18. Smart Card Technology and Security, Author unknown 19. Smart Cards and Private Currencies, By J. Orlin Grabbe 20. Four-way encoding aims to beat smartcard hackers, Author unknown 21. Tamper Resistance - a Cautionary Note, By Ross Anderson and Markus Kuhn 22. Tamper Resistance - A Second Opinion, By Semiconductor Insights Inc. 23. Tamperproofing of Chip Card, By Ross Anderson 24. Which Smart Card technologies will you need to ride the Information Highway safely, By Patrice Peyret, Head of Research & Development, Gemplus 25. Breaking Public Key Cryptosystems on Tamper Resistant Devices in the presence of Transient Faults, By F. Bao, R. H. Deng, Y. Han, A. Jeng, A. D. Narasimhalu and T. Ngair 26. Cryptanalysis of the m-Permutation Protection Schemes, By Hongjun Wu, Feng Bao, Dingfeng Ye and Robert H. Deng 27. Introduction to Side-Channel Attacks, By Hagai Bar-El, Research Group, Discretix Technologies. Known Attacks Against Smartcards Page 3 of 19 KNOWN ATTACKS INVASIVE TAMPERING ATTACKS This section describes attacks in which the card is physically tampered with using special equipment. All micro probing techniques are invasive attacks. They require hours or weeks in a specialized laboratory and in the process they destroy the packaging of the card [ 6]. Invasive micro probing attacks require very little initial knowledge and usually work with a similar set of techniques on a wide range of products [ 6]. General Tampering Methodology DE-PACKAGING Before physical attacks can be performed, the circuit chip has to be removed from the plastic card. This can be done, by simply using a sharp knife to cut away the plastic, behind the chip module, until the epoxy resin becomes visible. Then, adding a few drops of fuming nitric acid can dissolve the resin. By shaking the card in acetone, until the silicon surface is fully exposed [ 3], the acid and resin can be washed away. LAYOUT RECONSTRUCTION After de-packaging, the next step in an invasive attack on a new processor is to create a map of it. The attacker uses an optical microscope with a CCD camera to produce large mosaics of high-resolution photographs of the chip surface. Basic structures such as data and address bus lines can be identified by studying connectivity patterns and by tracing metal lines that cross clearly visible module boundaries (ROM, RAM, EEPROM, ALU, instruction decoder, etc.) All processing modules are usually connected to the main bus via easily recognizable latches and bus drivers [ 6]. Deeper layers can only be recognized in a second series of photographs after the metal layers have been stripped off [6]. Images of successive layers of a chip can then be fed into a PC, with image processing system software, that reduces the initially fuzzy image to a clean polygon representation and identifies common chip features [ 21 23]. If the processor has a commonly accessible standard architecture, then the attacker has to reconstruct the layout only until he has identified those bus lines and functional modules that he has to manipulate in order to access all memory values [ 6]. Known Attacks Against Smartcards Page 4 of 19 At Cavendish laboratory in Cambridge, a technique has been developed for reverse engineering the circuit chips. The layout and function of the chip can be identified using this technique. Another technique developed by IBM can be used to observe the operation of the chip. As a result its secret keys can be fully revealed [ 3, 21, 23]. MANUAL MICRO-PROBING The most important tool available for invasive attacks is a micro-probing workstation. Its major component is a special optical microscope. On an arm of the microscope, the attacker installs a probe, which is a metal shaft that holds a long tungsten-hair, which has been sharpened and allows the attacker to establish electrical contact with on-chip bus lines without damaging them. The probe is connected via an amplifier to a digital signal processor card that records or overrides processor signals and also provides the power, clock, reset, and I/O signals needed to operate the processor via pins [ 6]. USING ADVANCED BEAM TECHNOLOGIES For future card generations with more metal layers and features below the wavelength of visible light, more expensive tools might have to be used in addition to the existing ones. Ion Beams A focused ion beam (FIB) workstation consists of a vacuum chamber with a particle gun. Gallium ions are accelerated and focused from a liquid metal cathode into a beam. Such beams can image samples from secondary particles [ 6, 21]. Greater precision can be achieved by injecting a gas like iodine via a needle that is brought to within a few hundred micrometers from the beam target [ 6]. Further, by increasing the beam current, chip material can be removed with high resolution [ 6]. Today, attackers primarily to simplify manual probing of deep metal and poly- silicon lines use FIBs. A hole is drilled to the signal line of interest this is filled with platinum, to bring the signal to the surface, where a large probing pad, of several micrometers, or cross is created to allow easy access [ 6]. Electron Beam Testers Other useful beam tools are electron-beam testers (EBT). EBTs are very convenient attack tools if the clock frequency of the observed processor can be reduced below 100 kHz, to allow real-time recording of all bus lines or if the processor can be forced to generate periodic signals, by continuously repeating the same transaction during the measurement [ 6]. Infrared Laser A recently declassified technique invented at Sandia National Laboratories involves looking through the chip from the rear with an infrared laser using a wavelength at which the silicon substrate is transparent. The photocurrents thus Known Attacks Against Smartcards Page 5 of 19 created allow probing of the device's operation and identification of logic states of individual transistors [ 21, 23]. Attacks KEY AND MEMORY READING Reading ROM While the ROM usually does not contain any cryptographic key material, it does often contain enough I/O, access control, and cryptographic routines to be of use in the design of a non-invasive attack [ 6]. Optical reconstruction techniques can be used to read ROM directly. The ROM bit pattern is stored in the diffusion layer, which leaves hardly any optical indication of the data on the chip surface [ 6]. Some ROM technologies store bits not in the shape of the active area but by modifying transistor threshold voltages. In this case, additional selective staining techniques have to be applied to make the bits visible [ 6]. Reading Memory Contents By Bus Probing Except for ROM, it is usually not practical to read the information stored on a security processor directly out of each single memory cell. The stored data has to be accessed via the memory bus where all data is available at a single location. Micro-probing is used to observe the entire bus and record the values in memory as they are accessed [ 6]. Just replaying transactions might not suffice to make the processor access all critical memory locations. Sometimes, hostile bus observers are lucky and encounter a card where the programmer believed that by calculating and verifying some memory checksum after every reset the tamper-resistance could somehow be increased. This, of course, gives the attacker immediate easy access to all memory locations on the bus and considerably simplifies completing the read-out operation [ 6]. In order to read out all memory cells without the help of the card software, the attacker has to abuse a CPU component, such as an address counter, for it to access all memory cells for him.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages19 Page
-
File Size-