Physical Security
Pieter.Harte@utwente.nl
Overview
 Smart cards
 RFIDs
 Attacks
 (Semi)-Natural tags
 Conclusions
2
IIS
Smart Cards
Smart cards
Broken!
53.98 mm
85.6 mm
0.76 mm
[And96] R. J. Anderson and M. G. Kuhn. Tamper resistance - A cautionary note. In 2nd Int.
Usenix Workshop on Electronic Commerce, pages 1-11, Oakland, California, Nov 1996. USENIX
Association.
http://www.usenix.org/publications/library/proceedings/ec96/kuhn.html
IIS
4
What makes the card smart?
 CPU (8, 16, 32 bit)
 Memory (RAM, ROM, EEPROM, Flash)
 I/O channel (Contact/Contact less)
 Cryptographic co-processor
 On card devices (Fingerprint, display)
 Standards (ISO 7816, GSM, EMV, VOP)
5
IIS
Main security features
 Symmetric crypto
 Asymmetric crypto relatively slow
 Hardware random number generator
 Hardware tamper resistance
 X-tal clock vulnerable
 Life cycle management
6
IIS
Communication
 ISO 7816-4:
9600 bps : slow
 USB : bulky
 Bluetooth: power
 Biometrics: slow
www.fingerchip.com
7
IIS
Displays
 Plastic, glass
 Emissive, non-emissive
 Refresh, bi-stable
 Segment, dot-matrix
 Problems: connections,
yield, power, thickness,
price!
[Pra01] D. Praca and C. Barral. From smart cards to smart objects: the road to new smart technologies.
Computer
IIS Networks, 36(4):381-389, Jul 2001. http://dx.doi.org/10.1016/S1389-1286(01)00161-X
8
Clock & Power
 Clock
» Xtal 0.6 mm
» MEMS (0.002% acc.)
 Battery
» Thickness
» power density
» when to recharge
9
IIS
Integration is hard
 Display
 Button
 32-bit CPU
 Large memory
 Battery
 Comms
 >> 25mm2 
10
IIS
Photo: Philips Semiconductors
RFID
What is an RFID tag?
 Antenna + small chip in ambient field
 Passive, replies to queries only
 Can be used for almost anything
» Supply Chain Management & Checkout (Wallmart,
Benetton)
» Homeland security
Nokia 6131 NFC
» User convenience
» Access to buildings
12
IIS
Passport application
13
IIS
Privacy issues
 Sniffing
» Data collection in proximity (skimming)
» Correlate data from different tags
Watch this video
 Counter measures
»
»
»
»
»
»
Shield antenna in passport with tinfoil
Encrypt the template with MRZ data
Reduce transmit range
Light controlled on/off switch
Long and short range interface
Time delayed transmit of sensitive info
[Bir07] N. Bird, C. Conrado, J. Guajardo, S. Maubach, G. Jan Schrijen, B. Skorić, A. M. H. Tombeur, P.
Thueringer, and P. Tuyls. ALGSICS - combining physics and cryptography to enhance security and privacy in
RFID systems. In F. Stajano, C. Meadows, S. Capkun, and T. Moore, editors, 4th European Workshop on
Security and Privacy in Ad-hoc and Sensor Networks (ESAS), volume LNCS 4572, pages 187-202,
Cambridge,
IIS UK, Jul 2007. Springer. http://dx.doi.org/10.1007/978-3-540-73275-4_14
14
Attacks
[Wit02] M. Witteman. Advances in smartcard security. Information Security Bulletin, pages 1122, Jul 2002. http://www.riscure.com/fileadmin/images/Docs/ISB0707MW.pdf
Attacks
 Operational
» Blackmail
» Burglary
» Bribery
 Technical
» Logical
» Physical
» Side channel
 Attackers
» I: Clever outsiders
» II: Knowledgeable insiders
» III: Funded Organisations
16
IIS
Logical attacks
 The code is too complex
» Hidden commands
» Parameter poisoning & Buffer overflow
» Malicious or buggy applets
» Protocol problems (e.g. retransmit)
» Proprietary crypto
 Counter measures
» Structured design & code inspection
» Formal methods
» Testing
17
IIS
Example: RFID virus
 There is a large amount of code
 Generic protocols and facilities
 Back end data bases
 So the usual attacks:
» Buffer overflow
» SQL injection “;shutdown--”
Best paper
award
 Don’t trust data from RFID tag…
[Rie06] M. R. Rieback, B. Crispo, and A. S. Tanenbaum. Is your cat infected with a computer virus? In 4th
Annual IEEE Int. Conf. on Pervasive Computing and Communications (PerCom), pages 169-179, Pisa, Italy,
Mar
IIS IEEE Computer Society. http://dx.doi.org/10.1109/PERCOM.2006.32
18 2006.
Physical attacks
 The circuitry is complex and vulnerable
» Chemicals & etching
» SEM Voltage contrast
» Probe stations
» Focused Ion Beam (FIB) to make probe pads
 Counter measures
» Reduced feature size (100nm)
» Multi layering
» Protective layers
» Sensors
» Bus scrambling
19
IIS
Low cost physical attacks
 Block EEPROM writes by isolating Vpp
 Rent focused Ion beam
[And97d] R. J. Anderson and M. Kuhn. Low cost attacks on tamper resistant devices. In 5th Int. Workshop on
Security Protocols, volume LNCS 1361, pages 125-136, Paris, France, Apr 1997.
http://dx.doi.org/10.1007/BFb0028165
IIS
20
Side channel attacks
 Physical phenomena can be measured
» Power
Watch this video
» EM radiation (X-ray, light, sound)
» Time
 and changed
» Voltage (example later)
» Frequency (example later)
[Vua09] M. Vuagnoux and S. Pasini. Compromising electromagnetic emanations of wired andWireless
keyboards. In 18th USENIX Security Symp., pages 1-16, Montreal, Canada, Aug 2009. USENIX Assoc.
http://www.usenix.org/events/sec09/tech/full_papers/vuagnoux.pdf
IIS
21
Timing attack
 Exponentiation by square and multiply
» for i = n − 2 downto 0
»
X = X2
»
if (d[i] == 1) then
»
X = X*M
 Power trace shows bits 1 in the key
22
IIS
Simple power analysis
 16 rounds DES
 Rounds 2 & 3
[Koc99] P. C. Kocher, J. Jaffe, and B. Jun. Differential power analysis. In M. J. Wiener, editor, 19th Int. Conf.
on Advances in Cryptology (CRYPTO), volume 1666 of LNCS, pages 388-397, Santa Barbara, California, Aug
IIS
23 Springer.
1999.
http://www.cryptography.com/resources/whitepapers/DPA.pdf
Differential power attacks
 Difference in the third cycle due to
difference in input value for encryption
24
IIS
Active attacks : Power Dip
Reading
threshold
vcc
Stored value
of logical zero
A power Dip at the
Moment of reading
a memory cell
gnd
 read a 0 as a 1
 Protection measure
» Check VCC & raise an alarm if it drops
» Problem: Fast transients during start-up may raise
false alarms
25
IIS
Active attacks : Clock Glitch

Dump all of the memory

Replace 5MHz pulse by 4 pulses of 20MHz:
1. b = answer_address
2. a = answer_length
3. If (a == 0) goto 8
4.
transmit(*b)
5.
b=b+1
6.
a=a-1
Glitch here
7. goto 3
[And97d] R. J. Anderson and M. Kuhn. Low cost attacks on tamper resistant devices. In 5th Int. Workshop on
Security Protocols, volume LNCS 1361, pages 125-136, Paris, France, Apr 1997.
http://dx.doi.org/10.1007/BFb0028165
IIS
26
Countermeasures
 Hardware
» Lower power signals
» Increase noise levels
» Introduce timing noise
 Software
» Parallelism
» Introduce random delays
» Constant time execution
» Blinding intermediate values
27
IIS
Countermeasures
 Make attacks harder but not impossible
 Hard to get right
 Expensive to implement
28
IIS
Out of the box thinking
 The humble Capacitor
» Emanates acoustic signals
» Sensitive to shocks and vibration
» CA/d
29
IIS
Listen to a PC multiplying
Freeze 1500 μF
capacitor
http://people.csail.mit.edu/tromer/acoustic/
IIS
30
Shaking a smart card....
31
IIS
Attackers business case
Attack
Class
Equipment
Cost
Succ.
Rate
Devel.
Time
Exec.
Time
Logical
PC, card reader
1-10K
Low
Wks
Mins
Physical
PC, Probe Station, 100KSEM,
1M
FIB,Microscope,
Chemistry Lab
High
Mnths
Days
Side
Channel
PC, Oscilloscope,
Function Gen.
Med.
Mnths
Hours
10K100K
Rental!
32
IIS
Design guidelines
 Define the level of security needed
 Perform a risk analysis
 Consider the attackers business case
 Use the right technologies
 Build in fraud management
 Design recovery and fall-back
 Consider the overall system
33
IIS
IBM 4758 Crypto Coprocessor
 Rolls Royce of secure devices
 Tamper sensing barrier
 Keys move in the RAM
 Temperature & X-ray sensor
 Solid aluminium case & epoxy
potting
 low pass filter on power supply
 Used in ATMs
 Hacked!
[Cla03b] R. Clayton and M. Bond. Experience using a Low-Cost FPGA design to crack DES keys. In 4th Int.
Workshop on Cryptographic Hardware and Embedded Systems (CHES), volume LNCS 2523, pages 877-883,
Redwood
IISShores, California, 2003. Springer. http://dx.doi.org/10.1007/3-540-36400-5_42
34
(Semi) Natural tags
Finger printing
[Buc05] J. D. R. Buchanan, R. P. Cowburn, A.-V. Jausovec, D. Petit, P. Seem, G. Xiong, D.
Atkinson, K. Fenton, D. A. Allwood, and M. T. Bryan. Forgery: 'fingerprinting' documents and
packaging.
Nature, 436(7050):475, Jul 2005. http://dx.doi.org/10.1038/436475a
IIS
36
Philips Coating PUF
[Sko08] B. Škorić, G.-J. Schrijen, W. Ophey, R. Wolters, N. Verhaegh, and J. van Geloven. Experimental
hardware for coating PUFs and optical PUFs. In P. Tuyls, B. Škorić, and T. Kevenaar, editors, Security with
Noisy Data - On Private Biometrics, Secure Key Storage and Anti-Counterfeiting, pages 255-268. Springer
London,
2008. http://dx.doi.org/10.1007/978-1-84628-984-2_15
IIS
37
MEMS particles
 1x1x12 m particles, shapes
 Church and school roof, power line
grease/gel
Watch this video
 Jewellery fluid
 Spray vandals/thiefs
 Smart water
[Kay92] P. H. Kaye, F. Micheli, M. Tracey, E. Hirst, and A. M. Gundlach. The production of precision silicon
micromachined non-spherical particles for aerosol studies. Journal of Aerosol Science, 23(Suppl 1):201-204,
1992. http://dx.doi.org/10.1016/0021-8502(92)90384-8
http://www.redwebsecurity.com/
38
Conclusions
 Affordable tamper resistance technology
exists
 Getting it right is difficult
 Out of the box thinking required
39
IIS