hsm-survey-paper/paper.tex
2025-06-26 17:13:03 +02:00

\documentclass[submission]{iacrtrans}
\usepackage[T1]{fontenc}
\usepackage[
backend=biber,
style=numeric,
natbib=true,
url=false,
doi=true,
eprint=false
]{biblatex}
\addbibresource{paper.bib}
\usepackage{amssymb,amsmath}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage[binary-units]{siunitx}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{colortbl}
\usepackage{subcaption}
\usepackage{placeins}
\usepackage{array}
\usepackage{censor}
\usepackage{hyperref}
\usepackage{makecell}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\DeclareSIUnit{\rpm}{rpm}
\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\newcommand{\partno}[1]{\textsf{\small#1}}
\newcommand{\price}[2]{#1 #2}
\newcommand{\todo}[1]{\textbf{TODO}\footnote{#1}}
% \RN{n} is used in the text for Roman numerals but is not defined anywhere in this preamble;
% \providecommand leaves an existing definition untouched if a loaded package already supplies one.
\providecommand{\RN}[1]{\uppercase\expandafter{\romannumeral #1}}
% By default, our biblatex style will print "In: [name of proceedings]. [year] [name of event]" for every conference
% paper. Since the name of the proceedings is usually near-identical to the name of the event, this adds a lot of noise.
% Suppress the name of the proceedings when both are given.
\AtEveryBibitem{
\ifentrytype{inproceedings}{
\iffieldundef{booktitle}{
}{
\iffieldundef{eventtitle}{
}{
\clearfield{booktitle}
}
}
}{
}}
\begin{document}
\author{Jan Sebastian Götte\inst{1} \and Björn Scheuermann\inst{2}}
\institute{Technical University of Darmstadt, Darmstadt, Germany, \email{research@jaseg.de}\and
Technical University of Darmstadt, Darmstadt, Germany, \email{bjoern.scheuermann@kom.tu-darmstadt.de}}
\title{Tamper Sensing Mesh Implementations in the Wild}
\keywords{Tamper Sensing\and Tamper Response\and Physical Security\and Security Mesh\and Hardware Security Module
(HSM)\and FIPS 140-2/3\and ISO/IEC 24759\and PCI PTS HSM MSR}
\maketitle
\begin{abstract}
\end{abstract}
\section{Introduction}
\section{Related Work}
\subsection{The History of Tamper Sensing Meshes}
\paragraph{Use by the US Military}
Electronic tamper sensing meshes are documented in literature beginning around World War \RN{2}. The earliest mention of
such a system we are aware of is from notes on a series of lectures given by Dr.~David~G. Boak, a specialist in
communications security and signal intelligence at the US National Security
Agency\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
response, reliably zeroizing the cryptographic keys would be sufficient. Today, this approach is universally taken. Boak
does note several other ways to penalize an intrusion attempt, including raising a remote alarm or---even more
exciting---exploding the device.
\paragraph{Use in Nuclear Weapons}
Communications security was not the earliest use of tamper-sensing membranes in the US military, with Boak mentioning
HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such
systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a
PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were
developed as a consequence of nuclear weapons being stationed in countries allied with the US during the cold war. The
concern was that the host country might forcibly assume control over the US nuclear weapons stationed on their soil. The
stated goal of PALs is to protect the weapon from use without a secret passcode known only to US military command. To
achieve this goal, PALs will lock themselves when incorrect codes are entered. To protect against both intentional
tampering aiming to circumvent the PAL and against accidental detonation under extreme environmental
conditions, PALs are designed such that any tampering attempt as well as any environmental deviation will be sensed by
the PAL, and will lead to the weapon being destroyed in a less harmful way that does not cause the full-scale nuclear
explosion that the weapon is capable of. This goal is achievable in practice since nuclear weapons are reportedly very
sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation
when triggered in just the right way.
While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper-sensing
membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been
in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control.
\paragraph{Use in Nuclear Safeguards}
Besides being used in nuclear weapons, tamper-sensing systems have another, more peaceful application in the nuclear
field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear
energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at
civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the
history of nuclear material passing through these facilities.
When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
seal is treated similarly to what in computing we these days call a Physically Uncloneable Function. The enclosure or
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
bright color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
that drilling or cutting into something like a steel enclosure will leave detectable traces, and that perfectly
replicating an object including features such as minute surface imperfections is infeasible even to a nation
state~\cite{iaea2011}.
In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own
readings~\cite{simmonsHowInsureThat1988}.
As smarter electronics have become more affordable over the decades, both in monetary terms and in power budget, other active
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
transducers or optical fibers inside an enclosure's walls to detect tampering, but states that these efforts have not
yielded practical results primarily due to cost concerns. In contrast to these sensors, the IAEA's Electro-Optic Sealing
System (EOSS) uses a flexible tamper sensing mesh containing conductive traces, in the same way such meshes are used
in contemporary hardware security modules to detect attempts at drilling or cutting into the
system~\cite{iaea2011,tolkSafeguardsSensorsSystems2007}. Unfortunately, no information on the precise construction of
the tamper sensing mesh, such as the materials used or the structure sizes, is publicly available.
\paragraph{Commercial Use}
Commercially, tamper sensing meshes have entered widespread use beginning around the turn of the millennium, initially
in then-new HSMs, cryptographic coprocessors primarily aimed at the financial
industry~\cite{andersonSecurityEngineeringGuide2020}. Today, their use in finance has spread from HSMs in datacenters
and ATMs to the ATM PIN pads themselves, which encrypt the customer's PIN right at the source, as well as to all kinds
of card payment terminals. We will analyze two such ATM PIN pads later in this paper.
HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this
paper, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.
Beyond finance, tamper-sensing meshes have found applications in a variety of other use cases as well. For instance, we
have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit
analyzed in this paper. Furthermore, we have identified at least one model of key safe that in Germany is mounted
externally on public buildings to provide keys to emergency services, and which includes a tamper sensing mesh on its
outside-facing wall to detect attempts at drilling into it. Finally, we have found a processing unit used in a series of
mid-2000s era slot machines in Germany that includes a tamper-sensing mesh, presumably to prevent modification or
cloning. This device will also be analyzed later in this paper.
\subsection{Security Mesh Manufacturing}
\subsection{Security Mesh Monitoring}
\subsection{Other Tamper Sensing Techniques}
\subsection{Hardware Security Module Applications}
\subsection{The Patent Landscape}
\section{The Principles of Security Mesh Construction and Monitoring}
\section{Methodology}
\subsection{Sample selection}
Given their niche applications and high cost, samples of most types of devices incorporating tamper sensing meshes tend
to be hard to find. For this survey, we chose to collect two sets of samples: a general one representing variety across
categories, and a specialized one representing variety within one category. We selected \todo{Number} devices across
categories for the general category, and \todo{Number} payment terminals for the specialized category. All devices were
procured through eBay from second-hand sellers. Most of the payment terminals were procured from an electronic waste
recycling company through eBay.
\subsection{Notable omissions}
While we chose a wide variety of samples for this survey, ultimately, our selection was limited by constraints in time
and budget. Devices that we left for future work include additional conventional HSMs, which usually sell for hundreds
or thousands of USD. Furthermore, we are aware that tamper sensing features are commonly used in military hardware.
Naturally, such devices are especially hard to find second-hand.
\newpage
\subsection{Analysis Criteria}
\subsubsection{Mesh construction}
\begin{description}
\item[A1 Substrate material.]
\item[A2 Trace material.]
\item[A3 Mechanical support.]
\item[A4 Contact material.]
\item[A5 Via construction.]
\item[A6 Number of layers.]
\item[A7 Layer distance.]
\item[A8 Surface dimension (2D/2.5D/3D)]
\item[A9 Specific resistance.]
\item[A10 Temperature coefficient.]
\item[A11 Trace thickness.]
\item[A12 Trace edge roughness.]
\end{description}
\subsubsection{Mesh layout}
\begin{description}
\item[B1 Number of traces. Routing.]
\item[B2 Trace width. Trace pitch.]
\item[B3 Enclosed sides.]
\item[B4 Largest unidirectional gap: width and length.]
\item[B5 Largest air gap: width and length.]
\item[B6 Total mesh length.]
\item[B7 Total resistance.]
\item[B8 Total capacitance.]
\item[B9 Total inductance.]
\item[B10 Complex impedance.]
\item[B11 Inter-trace capacitance.]
\item[B12 Far-field inductive and capacitive coupling.]
\item[B13 Trace area.]
\item[B14 Area coverage ratio.]
\end{description}
\subsubsection{Environmental Resistance}
\begin{description}
\item[C1 Bending]
\item[C2 Melting point]
\item[C3 Solubility in water]
\item[C4 Solubility in Isopropyl Alcohol (IPA)]
\item[C5 Solubility in Acetone]
\item[C6 Corrosion resistance?]
\end{description}
\subsubsection{Tamper Sensitivity}
\begin{description}
\item[D1 Layer adhesion]
\item[D2 Tensile strength]
\item[D3 Nondestructive disassembly]
\item[D4 Needle probing test mid-mesh]
\item[D5 Disassembly detection method]
\item[D6 Solderability]
\end{description}
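As an added worked example that is not part of the paper, the following Python relates the material and geometric criteria A9, A10, A11 and B2 to the derived quantities B6, B7 and B14 for a constructed serpentine copper FPC mesh, and shows the resistance band a monitor must accept over its operating temperature range before a deviation in B7 can be attributed to tampering. All dimensions and material constants are assumed sample values, not measurements from the survey.

```python
from dataclasses import dataclass

# Constructed sample mesh, not a measurement from the survey: two interleaved
# copper traces of 100 um width at 200 um pitch on a 50 mm x 50 mm FPC.
# Specific resistance and temperature coefficient are textbook values for copper.
@dataclass
class Mesh:
    traces: int        # B1: number of interleaved serpentine traces
    width_um: int      # B2: trace width
    pitch_um: int      # B2: trace pitch, centre to centre
    area_w_um: int     # width of the covered area
    area_h_um: int     # height of the covered area
    thick_um: float    # A11: trace thickness
    rho_ohm_m: float   # A9: specific resistance at 25 C
    tcr_per_k: float   # A10: temperature coefficient of resistance

COPPER_FPC = Mesh(traces=2, width_um=100, pitch_um=200, area_w_um=50_000,
                  area_h_um=50_000, thick_um=18.0, rho_ohm_m=1.68e-8,
                  tcr_per_k=0.00393)

def trace_length_m(m: Mesh) -> float:
    """B6 for one trace: the group of `traces` parallel lines repeats every
    traces*pitch across the height, and each repeat is one pass across the
    width. The short turn segments at the edges are neglected."""
    passes = m.area_h_um // (m.traces * m.pitch_um)
    return passes * m.area_w_um * 1e-6

def resistance_ohm(m: Mesh, temp_c: float = 25.0) -> float:
    """B7 of one trace: R = rho * L / (w * t), with A10 applied linearly about 25 C."""
    cross_section_m2 = (m.width_um * 1e-6) * (m.thick_um * 1e-6)
    r25 = m.rho_ohm_m * trace_length_m(m) / cross_section_m2
    return r25 * (1.0 + m.tcr_per_k * (temp_c - 25.0))

def coverage_ratio(m: Mesh) -> float:
    """B14: share of the covered area that is trace metal (B13 over total area)."""
    return m.width_um / m.pitch_um

def thermal_window_ohm(m: Mesh, t_min_c: float, t_max_c: float) -> tuple[float, float]:
    """Resistance band the monitor must accept as intact across the operating
    temperature range. A tamper signature inside this band is invisible to a
    monitor that only thresholds total resistance."""
    return resistance_ohm(m, t_min_c), resistance_ohm(m, t_max_c)

def resistance_alarm(m: Mesh, measured_ohm: float, t_min_c: float, t_max_c: float) -> bool:
    """True if the measured value cannot be explained by thermal drift alone,
    i.e. an open trace (cut) or a low-resistance bypass."""
    lo, hi = thermal_window_ohm(m, t_min_c, t_max_c)
    return not lo <= measured_ohm <= hi
```

For this sample mesh the window from -20 C to 85 C spans roughly 48 to 72 ohms around a nominal 58 ohms, so a 20 percent resistance increase at room temperature, as a partial cut might cause, is indistinguishable from heating for a monitor that only thresholds B7.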
\subsection{Analysis Workflow}
\begin{description}
\item[Device Photo]
\item[Disassembly]
\item[Part photos]
\item[Optical inspection]
\item[Part x-ray]
\item[Part CT]
\item[Electrical tests]
\item[Tampering tests]
\item[Chemical tests]
\end{description}
\newpage
\paragraph{Mesh monitoring}
\section{Overview of Selected Samples}
\subsection{Traditional Hardware Security Modules}
\subsection{ATM Keypads}
\subsection{Mail Franking Machines}
\subsection{Slot Machines}
\subsection{Payment Terminals}
\section{Analysis Results}
\section{Interpretation}
\section{Conclusion}
In our survey, we have found a wide variety in tamper sensing mesh construction techniques. Meshes are commonly
implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also
carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards
are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push
the boundaries of achievable structure size for a given process.
The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's
traces. Silver printed circuits like they are normally used for keyboard matrices performed particularly well in this
regard since the silver ink adheres better to some potting compounds than to its plastic carrier substrate. We found
copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust and
can even be forcibly separated from some potting compounds without destroying their traces.
The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices
marketed as hardware security modules. Given the inexpensive nature of tamper sensing meshes and the high price point of
such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper
sensing meshes. We conclude from this observation that the term ``HSM'' does not imply state-of-the-art physical tamper
sensing.
From an academic point of view, the core finding of our survey is that tamper sensing meshes manufactured in a number of
commercial manufacturing processes would yield acceptable surrogates for real devices found in the wild. With the
exception of a single device that used a particularly fine structure size in the \qty{100}{\micro\meter} range, none of
the devices we examined utilized particularly non-obvious construction techniques.
From an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic
construction techniques. Implementing such a system that matches the security of other systems seen in the wild should
be achievable for most engineers.
\section*{Availability}
This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository with the
LaTeX source for this paper, all hardware design files, and firmware and analysis source code can be found at:
\begin{center}
Note: URL elided for peer review
% \url{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git}
\end{center}
\FloatBarrier
\printbibliography[heading=bibintoc]
\appendix
\section{Additional photos}
\label{appendix_photos}
\end{document}