Intro to Hardware Security Smartcards Erik Poll Digital
- Slides: 50
Intro to Hardware Security & Smartcards Erik Poll Digital Security Radboud University Nijmegen 1
Overview • What is hardware security? – Applications – Attacker models – Security requirements • Smartcards
What is hardware security? hardware as security solution physical attacks on hardware as threat
Applications of ‘secure’ hardware
Hardware as security solution Payment authentication (and non-repudiation? ) Authentication (or just identification? ) 5
Hardware as security solution smart meter physical access control HSM voting computer (Hardware Security Module) 6
Hardware as security solution Fngerprint scanner, hard disk encryption, . . . Security features of chips in these devices: TPM, ARM Trust. Zone, Intel SGX, Apple Secure Enclave, . . . (aka TEEs) At a more fundamental level, most CPUs have some hardware security features (with privilege levels, eg kernel vs user mode) 7
Exit smart cards? mobile payments m. DL (mobile Driving License)
Common types of functionality here • Crypto: storing cryptographic keys & executing cryptographic operations • Access control in the device to secure the functionality provided – Eg with a PIN code Incl. functionality to install keys! Easy to overlook, but crucial of course…
Crypto solves some problems • ensuring integrity, authenticity, non-repudiation, confidentiality, … but also introduces new problems: – – Where to store keys? How to distribute them? What hw/sw can we trust to do crypto operations? How to ensure integrity & confidentiality of the cryptographic key? Here we will need access control again
Attacker models
Hardware as target: physical attacks Bery different attacker model than usual: attacker with physical access We can consider security at different levels of abstractions, eg • abstract protocols (eg TLS) • cryptographic primitives (eg SHA-1) • software implementation of protocols (eg Heart. Bleed) • key management (eg Digi. Notar) • side-channel attacks on hw/sw (eg Spectre & Meltdown) and physical attacks can undermine security at lowest level of abstraction
Man-in-the-Middle attacker (aka Dolev-Yao) Attacks on communication channels exploiting lousy crypto or insecure protocols End-points regarded as black boxes The mathematician’s view 14
Mit. M & End-Point attacker model Attacks on communication channels or the end-points eg. exploiting software bugs in end-points Software engineer’s view 15
Embedded security attacker model Attacks on communication channel or end-points, also exploiting hardware weaknesses of end-points Cryptographic operations are gray boxes that leak some info Hardware engineer’s view 16 I. Verbauwhede, P. Schaumont
Secure algorithms vs secure implementations of algorithms An implementation of a ‘secure’ cryptographic primitive (eg AES, RSA, SHA-3, etc) can be completely insecure on given hardware Therefore 1. Never design your own cryptographic primitives 2. Never make your own implementations of these crypto primitives The same goes for security protocols built using these primitives 17 I. Verbauwhede, P. Schaumont
Functionality & Security Requirements
Differences & commonalities? 1) W. r. t. functionality? 2) W. r. t. security? 20
Differences & commonalities wrt functionality: – data storage – read-only, writeable, or one-time writeable – data processing for and maybe wrt security: – integrity/authenticity – confidentiality – access control (in sw or hw) – tamper-resistant or tamper-evident 21
Differences & commonalities? • Both computers, but with different resources (memory, computing power, . . . ) + Pro smartcard: the hardware is more secure; on PC we can remove hard disk, access memory chips, . . . - Con smartcard: does not allow I/O to the user 22
Smartcards 23
Overview • • • what is a smartcard? hardware, protocols, operating systems attacks and countermeasures 24
What is a smartcard? • Tamper-resistant computer, embedded in piece of plastic, with limited resources • aka chip card or integrated circuit card (ICC) • capable of securely – storing data – processing data • This is what makes a smartcard smart; stupid cards can store but not process • Processing capabilities vary greatly! 25
Smartcard form factors • traditional credit-card sized plastic card – ISO 7816 • mobile phone SIM – cut-down in size • contactless cards – aka proximity card or RFID tag – also possible: dual interface • i. Button 26
Classification: functionality Capabilities of smartcards & RFID tags can vary a lot: 1. Device just reports data – read-only file-system 2. Device reports data after some access control – protected (eg password-protected) file-system • read-only or read/write 3. Device can take part in crypto protocol – eg for authentication Some of these cards are programmable, some have built-in functionality which you can configure but not change Which attacks can 3 withstand, that 1 & 2 can't? Replay attacks! 29
Classic use of smartcard for authentication private key K CPU challenge c response enc. K(c) • If card can perform encryption, then the private key K never has to leave the card • The card issuer does not have to trust the network, the terminal, or the card holder 30
Stupid vs smartcards • Memory cards (“stupid” smartcards) – essentially just provide a file system – possibly with some access control or, simpler still, destructive (irreversible) writes as in old payphone-cards – configurable functionality hardwired in ROM • Microprocessor cards (“smart” smartcard) – contain CPU • possibly also crypto co-processor – programmable • program burnt into ROM, or stored in EEPROM • • RFID tags are often like old memory cards Focus in this course will be on microprocessor cards 31
Security requirements • Integrity – of data or functionality (incl. all software on the card!) • Authenticity – resistance to copying/cloning • Non-repudiation – being able to prove (not being able to deny) that an action has been carried out by some party • Confidentiality – of data, or of card/card holder, ie. anonymity • Tamper-proof vs tamper-resistant vs tamper-evident Of course, hardly anything is tamper-proof 32
Smart card hardware CPU ROM RAM EEPROM memory management unit (MMU) Test & Security Crypto coproc. RNG Clock/ Charge Pump I/O 33
Smartcard hardware • CPU • memory – volatile (RAM) and non-volatile (ROM+EEPROM) • limited I/O: just a serial port Possibly: • crypto co-processor • random number generator (RNG) No clock, no power! 35
CPU • 8, 16 and now also 32 bit • Steady need for more processing powers – for virtual machines & cryptography 36
Crypographic co-processor • DES, AES – DES in hardware takes same size as DES program code in ROM • For public-key crypto, ALU providing exponentation and modulo arithmetic with large numbers 37
Smartcard memory ROM • BIOS + operating system EEPROM • the smartcard's hard disk RAM • workspace Typical modern card may have 512 bytes RAM, 16 K ROM, 64 K EEPROM, 13. 5 MHz 38
RAM • Volatile aka transient memory • SRAM (static RAM) used rather than DRAM (Dynamic RAM) for lower power consumption • Used for temporary data – stack – I/O buffer • Typically 128 bytes to 16 Kbyte • Volatile, but small permanent storage characteristics 39
Reading RAM with scanning electron microscope? Very tricky, and only if card operates at a low frequency 40
ROM • Permanent storage • Filled during production, using ROM mask • Contains OS + possibly application code • Typically 8 to 512 Kbyte • Flash is coming up as replacement of ROM • Optically readable after removing top layers 41
Extraction of ROM content 10 x 16 bits of NOR ROM visible outlines reveal content 14 x 20 bits of NAND ROM after staining, shadows reveal content [Source: Oliver Kömmerling, Marcus Kuhn] 42
Staining for ion implant ROM array Stai [Source: Brightsight] 43
EEPROM • Non-volatile aka persistent, rewritable memory • Used for applications and data: – "the smartcard's hard disk“ • Typically 1 to 512 Kbyte • Characteristics: – – slow: 1000 x slower than RAM has limited lifetime in # writes (but > 106) writing is two stage operation: erase & write data retention 10 -100 years – writing takes high power consumption • 17 V, realised using charge pump 44
ROM vs EEPROM for program code? Choice between code in ROM or EEPROM has big impact on development • Program code in ROM must be suitable for mass-use – And can never be patched or updated • Trend away from having a lot of code in ROM towards • eg just some library code or OS in ROM, and all custom functionality (the ‘application’) in EEPROM 45
Other non-volatile memory types Modern alternatives for EEPROM and ROM • Flash – writing 10 μs instead of 3 -10 ms for EEPROM – programming voltage 12 V, against 17 V for EEPROM – >100, 000 writes, >10 years data retention – Flash replacing ROM eliminates need for ROM mask & reduces development time • FRAM (Ferro-electric RAM) – writing 100 ns – programming voltage 5 V 46
Size matters! Memory types also vary in amount of chip surface per byte: RAM requires more space than EEPROM, EEPROM requires more space than ROM Size of chip is a major cost factor, hence little RAM Size = Money 47
Comparison of memory types # of write/ erase cycles writing time typical size RAM unlimited 70 ns 1700 μm 2 EEPROM >104 -106 3 -10 ms 400 μm 2 Flash >105 10 μs 200 μm 2 FRAM >1010 100 ns 200 μm 2 ROM - - 100 μm 2 source: W. Rankl & W. Effling, Smartcard Handbook, 2 nd edition, 2000 These numbers give a rough impression, but are outdated !!! 48
Memory Management • Responsible for allocating memory • Possibly also for some memory access control, eg • • • between the different types of memory (eg stack, program data, and code) between application code and the operating system (OS) between applications, for cards that allow multiple applications to be installed 49
Clock circuit & charge pump • Charge pump – to generate EEPROM programming voltage • Clock circuit – eg. division of the external clock signal to get a lower clock frequency for I/O • Typical clock speed 8 -13. 5 MHz • Esp. for SIM cards: the processor can go into sleep-mode, where clock pulse is stopped, to reduce power consumption 50
Test & Security • Self-test hardware & software – checking if all RAM & EEPROM cells work – checksums for ROM and static EEPROM • Possible additional monitoring and response against attacks • Test functionality is a security risk and may partly have to be disabled before personalisation! – by writing EEPROM, blowing fuses, or even physically removing hardware 51
Random Number Generation (RNG) • Needed for key generation & fresh nonces • Typically pseudo RNG (PRNG) in software – True RNG that is immune to external influence is hard to realise in hardware • NB different cards of same production batch should produce different sequences of random numbers – PRNG using seed (stored in EEPROM) supplied as part of OS initialisation • Potential hardware security problem with storing PNRG state in EEPROM? What if this EEPROM wears out after generating lots of random numbers? Card may have to check for this !! 52
Random Number Generation (RNG) Tested eg according to FIPS 140 -1 which states single stream of 20, 000 consecutive bits must pass – monobit test: 9, 546 < # ones < 10, 346 – poker test: frequency of 4 bits patterns: • divide in 5000 4 bits segments, • calculate f(p) = # of occurrence of 4 bits pattern p • 1. 03 < X < 57. 4, where X is 16/5000*Σpf(p)2 -5000 – run test: requirements of runs (sequence of all 0's or all 1's) of lengths 1 -6 – long run test: no runs 34 54
Smart card chip CPU ROM RAM EEPROM memory management unit (MMU) Test & Security Crypto coproc. RNG Clock/ Charge Pump I/O 55
- Erik poll
- Datalogar
- Erik poll
- Erik poll
- Erik poll
- Erik poll
- Private securit
- External components of a computer
- Intro to offensive security
- Intro to digital technology
- Poll monitoring system app download
- Sms poll voting
- Sms based poll monitoring system
- Poll ev.com
- Modbus rtu wireshark
- Who is this
- Jim crow character
- Create doodle poll
- Gallup employee engagement index 2012
- Poll everywhere register
- Louisiana 1918 poll tax receipt
- Poll day monitoring system
- Poll rules
- A sample poll of 100 voters chosen at random
- A sample poll of 100 voters chosen at random
- Abac poll
- Sector officer
- Instagram poll slider
- Zoom meeting
- "gallup student poll"
- Www polleverywhere com register
- Poll everywhere nus
- The gallup poll once asked an srs
- "ccsi"
- Osi security architecture model
- Security guide to network security fundamentals
- Wireless security in cryptography and network security
- Visa international security model in information security
- Electronic mail security in network security
- Cnss model 27 cells example
- E commerce security policy
- Software security building security in
- Security guide to network security fundamentals
- Security guide to network security fundamentals
- Vectra gartner magic quadrant
- Digital signature in cryptography and network security
- Apa yang dimaksud dengan warga digital.
- Digital market and digital goods
- Digital data digital signals
- Data encoding and transmission
- E-commerce: digital markets, digital goods