Secure Physical Enclosures from Covers with Tamper-Resistance Vincent Immler, Johannes Obermaier, Kuan Kuan Ng, Fei Xiang Ke, JinYu Lee, Yak Peng Lim, Wei Koon Oh, Keng Hoong Wee, Georg Sigl Conference on Cryptographic Hardware and Embedded Systems, Atlanta, Aug 26, 2019
The Physical Security Challenge Tamper Attempts any tool any time any technique | 1
Where We Stand in Physical Security “Security outside the black-box model” by Ventzi Nikov at CARDIS 2016 (Invited Talk) | 2
Where We Stand in Physical Security “Security outside the black-box model” by Ventzi Nikov at CARDIS 2016 (Invited Talk) skip the rest, let’s make this green (at least try) | 2
Security Enclosures = Access Denial Systems goal: detect and counteract physical atacks tamper-detection tamper-response zeroization batery-backed mechanism for continuous protection zeroization wipes volatile memory containing critical security parameters | 3
Access Denial Systems: Commercial Examples IBM Cryptographic Coprocessor ADP Gauselmann HP Atalla countermeasures: active meshes, obfuscation, light sensors, switches, poting, ... | 4
High-Level Goals of Access Denial Systems Usability Access Denial System Producibility Security desired level of security: no demonstrable way to circumvent → secure in the field; prevent HW trojans in distribution chain | 5
Selected Properties of Shown Examples � Producibility: � Envelopes: complex manufacturing but highest geometrical security � Covers/shells/housings: less complex but also less secure � Usability: � Batery typically limits operating range w.r.t. temperature � Shelf life is limited or necessitates additional service � Security: � Energy-preserving approach leads to crude measurement resolution � Prone to single point of failure at PCB-level (e.g., cut-off alarm, fake check signal) � Security mostly based on black-box model | 6
| 7
Tamper-Evident PUFs as Designated Alternative � “True” purpose of PUFs: tamper-detection w/o batery-backed sensors � Upon power-on: key derivation from tamper-evident PUF enclosure � If it fails: goal achieved, still initiate further countermeasures � If it succeeds: decrypt system or unlock critical security parameters � Unfortunately, very litle (public) work in this area! � Move towards white-box PUF design w/o diminishing security � Additional obfuscation then makes it even more difficult to atack | 8
Proof of Concept: Design Overview Cover Physical Domain Evaluation Unit Key Capacitance Generation Measurement Signal Alarm and Processing Zeroization Integrity Tamper Detection Detection Analog Domain Digital Domain Host System HSM CSPs Alarm and Application (encrypted) Zeroization Application Domain sensoric region with fine mesh | 9
Design Goals and Security Objectives � Design Goals: � Investigate how far we can get with COTS components � Check validity of concept and if it is worth developing further � Make physical integrity check complex and bury deep inside IC � Concept must scale with advancements in manufacturing � Security Objectives: � “Deny physical access” = disassembly is destructive; force multiple holes � Maximize distance from enclosure surface to insides of targeted chip � Entropy loss upon atack substantial, not possible to reconstruct � Increase need for customized tooling � Considered diameter = 300 µ m | 10
Physical Domain: Layer Stack-Up of Cover PCB manufacturing process causes intrinsic variation in mutual capacitance C M Layer Description Comment 1 Shield Facing to outside Bonding 2 Tx electrodes Driven electrodes � Mutual capacitance C M Polyimide 3 Rx electrodes Receiving electrodes Bonding 4 Shield � Polyimide Facing inside (to PCB) 5 Connectors and routing | 11
Physical Domain: Mesh with 16 RX × 16 TX Electrodes Sensor Mesh Concept TX 0 1 2 3 4 5 6 1 2 3 4 5 6 7 8 9 1 1 1 1 1 1 1 To 1 To 2 Ti Ti Ti Ti Ti Ti Ti Ti Ti Ti Ti Ti Ti Ti Ti Ti RX RX Ri 1 Ro 1 Ri 1 Ro 2 Ri 2 Ri 2 Ro 3 Ri 3 Ro 4 Ri 4 Ro 5 Ri 5 Ro 6 Ri 6 Ti 13 Ti 14 Ro 7 Ri 7 Ri 3 Ro 8 Ri 8 Ro 9 Ri 9 Ri 4 Ro 10 Ri 10 Ro 1 Ro 11 Ri 11 Ro 12 Ri 12 Ro 2 sensor C s = sensor node Ro 13 Ri 13 Ro 14 Ri 14 16 × 16 = 256 sensor nodes cell Ti 1 Ti 2 Ro 15 Ri 15 1 mm Ro 16 Ri 16 layer 2 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 layer 3 To To To To To To To To To 1 1 1 1 1 1 1 To To To To To To To 300 µ m sensoric region TX | 12
Stochastic Model of Sensor Nodes � All tiny track overlaps behave like capacitors in parallel � C M comprised of nominal capacitance C N and variation C V � Differential measurement needed to remove common offset C N � C V <<< C N requiring high-resolution circuit | 13
Analog/Digital Domain: Abs+Diff+Integrity Measurement Digital Domain Analog Domain Digital Domain TX 1 I RX Amplitude Fully Dual DAC LP HP LP C M Rescaling JFET RX 1 Sine Differential Amplifier ADC DFT Phase ∆C + Adjust TIA C M Amplifier Generator TX 2 � Measurements of different nature, one cannot exist w/o the other: � Absolute capacitance measurement � Differential capacitance measurement � Integrity measurement (open/short circuit) � Applications: � Integrity for rapid measurements and factory-initialization � Differential measurement for key generation and on-the-fly rate and range limits � Absolute measurement for additional tamper detection and temperature sensor | 14
Application Domain / Boot Process preverified fully verified unverified example time attack System PUF Key Operational Decrypt Generation Mode device running Power-On Integrity Cap Integrity Cap Integrity Cap Event Detection Meas Detection Meas Detection Meas Tamper Tamper Tamper Detection A Detection A Detection A Tamper Tamper Tamper Detection B1 Detection B1 Detection B1 Tamper Tamper Detection B2 Detection B2 Tamper Tamper Tamper Detection C Detection C Detection C heartbeat zeroization | 15
Basic Statistics Data acquired from 115 flexPCB covers at constant environmental conditions. 5500 350 300 Occurence 5000 250 Mean 200 4500 150 100 4000 50 0 3500 − 10000 − 5000 0 5000 10000 0 50 100 150 200 250 Difgerential Capacitance Absolute Sensor Node No. Figure: PDF of differential capacitance. Figure: Absolute capacitance per node position. Data in line with expectations. Low noise essential for tamper-evident application. | 16
Entropy and PUF Assessment (Global) Shannon entropy over PUF population: 5.2 bit per node / 4.17 bit (with temperature) 100 100 Occurence Occurence 50 0 0 0 20 40 60 80 100 0 20 40 60 80 100 Percent of Changed Symbols Change in Combined Symbols and Magnitude Figure: Uniqueness computed via Hamming Figure: Uniqueness computed via Manhatan distance over symbols (higher-order alphabet). distance over symbols (higher-oder alphabet). Uniquess for tamper-evident PUFs: think beyond Hamming over binary responses! | 17
Entropy Assessment (Localized) – Spatial Context-Tree-Weighting Investigate Tamper-Evident PUF Results radius 2 radius 1 • Spatial entropy dependencies • Entropy = 3.7 bit (radius 1) • Context around drill hole • Entropy = 3.1 bit (radius 2,3) X • Worst-case (on average) • Degradation exists due to crude layout and PCB process strong atack: given information around drill hole, complexity to reconstruct X prevent atacker from obtaining PUF output; consider helper data leakage (joint work with Michael Pehl of TU Munich; to be published) | 18
More Data/Atacks/Inspection/Environmental Tests – See Paper | 19
Conclusions � Still, only a tiny step towards access denial systems without batery � Full stack approach needed for tamper-evidence/resistance � COTS-based approach has its limits, especially regarding repairs � Development of access denial systems in white-box model challenging � Always use a layered approach to security! | 20
Selected Future Work � Layout Randomization: � Increase # of electrode pairs, recombination based on challenge � Naturally translates to layout randomization; breaks up local dependencies � Customize PDF: � Impregnation of paired nominal C N values without altering variation C V � Bimodal or arbitrary PDF for improved circuit and tamper behavior � Tailored Materials: � Increase C V and reduce C N to improve local entropy loss � Make repairs more difficult ...and so much more! | 21
Contact Information Vincent Immler Central Office for Information Technology in the Security Sector (ZITiS) For government inquiries only: v i n c e n t .i m m l e r @ z i s t i b nd . u . d e All other inquiries: s c n i e c e + c h s e 2 0 1 9 @ m m . s t This work was performed while with Fraunhofer Institute AISEC. | 22
Thank You! Qestions? | 23
Backup | 24
Packaging Concept potting resin heatsink connectors screw stiffener frame top cover vertical protection PCB structure metal core bottom cover | 25
Recommend
More recommend