jaseg/ihsm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

techrepor: Update paper. I think this is as far as I'll go before the prototype.

Browse source
This commit is contained in:
jaseg 2020-11-06 14:35:21 +01:00
parent e31d7a98d0
commit ac6fbd9e8e
2 changed files with 152 additions and 128 deletions
Download patch file Download diff file Expand all files Collapse all files

37
doc/quick-tech-report/rotohsm.bib
View file

@ -20,7 +20,9 @@
date = {2019},
doi = {10.13154/tches.v2019.i1.51-96},
issn = {2569-2925},
journal = {IACR transactions on cryptographic hardware and embedded systems.},
journaltitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems},
publisher = {IACR},
title = {Secure Physical Enclosures from Covers with Tamper-Resistance},
url = {https://tches.iacr.org/index.php/TCHES/article/view/7334/6506},
urldate = {2020-09-16}
@ -123,3 +125,38 @@
year = {2018}
}
@inproceedings{johnson2018,
author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho},
booktitle = {Hot Chips: A Symposium on High Performance Chips},
title = {Titan: enabling a transparent silicon root of trust for Cloud},
x-fetchedfrom = {Google Scholar},
year = {2018}
}
@inproceedings{isaacs2013,
author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert},
booktitle = {Pan Pacific Symposium},
title = {Tamper proof, tamper evident encryption technology},
x-fetchedfrom = {Google Scholar},
year = {2013}
}
@inproceedings{drimer2008,
author = {Saar Drimer and Steven J Murdoch and Ross Anderson},
booktitle = {2008 IEEE Symposium on Security and Privacy (sp 2008)},
organization = {IEEE},
pages = {281295},
title = {Thinking inside the box: system-level failures of tamper proofing},
x-fetchedfrom = {Google Scholar},
year = {2008}
}
@misc{terdiman2013,
author = {Daniel Terdiman},
month = jul,
publisher = {CNET},
title = {Aboard America's Doomsday command and control plane},
url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane},
year = {2013}
}

243
doc/quick-tech-report/rotohsm_tech_report.tex
View file

@ -93,63 +93,64 @@ offers a level of security that is comparable to even the best commercial offeri
\section{Introduction}
While information security technology has matured a great deal in the last half century, physical security has barely
changed. Given the right skills, physical access to a computer still usually equates full compromise. The physical
security of modern server hardware hinges on what lock you put on the room it is in. Systems such as Trusted Platform
Modules attempt to alleviate this problem, but they are hard to use and even with them a system still offers
considerable attack surface\cite{heise2020t2jailbreak}.
changed. Given the right skills, physical access to a computer still often equates full compromise. The physical
security of modern server hardware hinges on what lock you put on the room it is in.
In modern systems, high-level physical security is usually limited to small physical dimensions. Secure enclaves and
smartcards provide security on the scale of a single chip. Commercial HSMs have a small circuit
board\cite{anderson2020,immler2019}. Security systems such as TPMs effectively allow tying a larger system's physical
security to that of a small TPM chip embedded inside. The protection that exists at the level of a single server
enclosure is usually limited to a lid switch and some tamper-evident seals.
Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid
switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between
physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key
infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic
co-processors in form of smartcards or hardware security modules (HSMs). Smartcards and HSMs protect a physically small
volume of a single chip or circuit board, respectively. In lower-security applications\cite{heise2020t2jailbreak},
smartcard-like trusted platform modules (TPMs) and other types of security platform controllers allow an administrator
to tie a whole computer's security to that of the small security chip inside\cite{frazelle2019,johnson2018}.
\subsection{Technical approaches to physical security}
Shrinking things to the nanoscopic level to secure them against tampering is increasing in popularity. Apple today uses
a secure enclave IC in their line of laptops. Likewise, Google has developed its own security IC with a similar
application\cite{frazelle2019}. These chips are an engineering solution to problems that cannot be solved with
cryptographic security. The security of these chips rests on the assumption that due to their fine structure, they are
hard to reverse engineer or modify. As of now, this property holds and in the authors' opinion it will likely be a
reasonable assumption for some years to come. However, in its essence this is a type of security by obscurity:
Obscurity here meaning the rarity of the equipment necessary to attack these chips\cite{albartus2020,anderson2020}.
Shrinking things to the nanoscopic level to secure them against tampering is an engineering solution to problems that
cannot be solved (yet) with cryptographic security. The security of these chips rests on the assumption that their fine
structures are hard to reverse engineer and modify. As of now, this property holds and in the authors' opinion it will
likely be a reasonable assumption for some years to come. However, in essence this is a type of security by obscurity:
Obscurity here referring to the rarity of the equipment necessary to attack these chips\cite{albartus2020,anderson2020}.
\subsection{Hardware Security Modules}
Right now, Hardware security modules (HSMs) are the commercial devices offering the highest ``physical
security-volume-product''. Whereas smartcards secure a single chip, HSMs secure a small circuit board. In contrast to a
security-to-volume-product''. Where smartcards secure a single chip, HSMs secure a small circuit board. In contrast to a
smartcard, the HSM actively deletes its secrets when it detects a manipulation. Commercial HSMs commonly employ what we
call \emph{boundary monitoring}. They have a physical security barrier that they continuously monitor for holes.
Usually, this barrier is a thin foil that is patterned with at least two electrical traces that are folded many times to
cover the entire area of the foil. The HSM monitors these traces for shorts or breaks. This simple construction
transforms the security problem into a manufacturing challenge.
transforms the security problem into a manufacturing challenge\cite{isaacs2013,immler2019,anderson2020}.
In our classification the other type of HSMs are \emph{volumetric} HSMs. They monitor their entire internal volume for
changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound. Their security is limited by
the analog sensitivity of their transceivers. Their practicality is limited by their complex transceiver and signal
processing circuitry. They promise to secure larger volumes than boundary monitoring at higher parts cost.
processing circuitry. They promise to secure larger volumes than boundary monitoring at higher parts cost. A problem
with volumetric designs is their security analysis, which is hard to do without significant guesswork. In e.g.\ a
device that use electromagnetic radiation to monitor its volume, one has to numerically solve the electromagnetic field
equations inside the HSM to validate its impenetrability.
A problem with volumetric designs is their security analysis, which is hard to do without significant guesswork. In
e.g.\ a device that use electromagnetic radiation to monitor its volume, one has to numerically solve the
electromagnetic field equations inside the HSM to validate its impenetrability.
\subsection{Inertial HSMs: A new approach to physical security} We are certain that there is still much work to be done
and many insights to be gained in both HSM and in smartcard technology\footnote{For example, consider a box with
mirrored walls that contains a smaller box suspended on thin wires that has cameras looking outward in all directions at
the mirrored walls. Given that the defender can control lighting conditions inside this kaleidoscopic box in this
application modern cameras perform better than the human eye. Thus, a successful physical attack on this system would
likely an ``invisibility cloak''--and the system would remain secure as long as no such thing exists. This example is a
useful point of reference. To be viable, an HSM technology must be either cheaper, smaller or more sensitive than this
strawman setup\cite{kim2018}.}. % TODO perhaps misplaced citation and/or poor source?
\subsection{Inertial HSMs: A new approach to physical security}
We are certain that there is still much work to be done and many insights to be gained in both HSM and in smartcard
technology\footnote{
As a baseline, consider a box with mirrored walls that contains a smaller box suspended on thin wires that has
cameras looking outward in all directions at the mirrored walls. Given that the defender can control lighting
conditions inside this kaleidoscopic box in this application modern cameras perform better than the human eye.
Thus, a successful physical attack on this system would likely an ``invisibility cloak''--and the system would
remain secure as long as no such thing exists. To be viable, an HSM technology must be either cheaper, smaller or
more sensitive than this strawman setup\cite{kim2018}.
}. % TODO perhaps misplaced citation and/or poor source?
Still, we wish to introduce a novel approach to sidestep the issues of conventional HSMs and provide radically better
security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made much
more difficult to attack by moving it very quickly. As a trivial example, consider an HSM as it is used in
ecommerce applications for credit card payments. Its physical security level is set by the structure size of its
security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, solder and lasers.
security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, solder and
lasers\cite{drimer2008}.
Now consider the same HSM mounted on a large flywheel. In addition to its usual defenses the HSM is now equipped with an
accelerometer that it uses to verify that it is rotating at high speed. How would an attacker approach this HSM? They
accelerometer that it uses to verify that it is spinning at high speed. How would an attacker approach this HSM? They
would have to either slow down the rotation, triggering the accelerometer, or they would have to attack the HSM in
motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack workbench might be
possible but rotating frames of reference quickly become inhospitable to human life\footnote{See Appendix
@ -178,7 +179,7 @@ evolved much in the last two decades. Apart from some auxiliary temperature and
attacks on the built-in SRAM memory, the module's main security barrier uses the traditional construction of a flexible
mesh wrapped around the module's core. In \cite{smith1998}, the authors claim the module monitors this mesh for short
circuits, open circuits and conductivity. The fundamental approach to tamper detection and construction is similar to
other commercial offerings\cite{obermaier2018}.
other commercial offerings\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}.
In \cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to
traditional meshes, the mesh they use consists of a large number of individual traces (more than 32 in their example).
@ -205,59 +206,60 @@ transceivers is shaped by the precise three-dimensional distribution of RF-refle
compound.
Our concept is novel in that mechanical motion has not been proposed before as part of a hardware security module. Most
academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs while commercial
vendors concentrate on means to cheaply manufacture these security barriers. Our concept instead focuses on the issue of
taking any existing, cheap low-performance security barrier and transforming it into a marginally more expensive but
very high-performance one. The closes to a mechanical HSM that we were able to find during our research is an 1988
patent \cite{rahman1988} that describes an mechanism to detect tampering along a communication cable by enclosing the
cable inside a conduit filled with pressurized gas.
academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs\cite{immler2019}
while commercial vendors concentrate on means to cheaply manufacture and certify these security
barriers\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance
security barrier and transforming it into a marginally more expensive but very high-performance one. The closes to a
mechanical HSM that we were able to find during our research is an 1988 patent \cite{rahman1988} that describes an
mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with
pressurized gas.
\section{Inertial HSM construction and operation}
\subsection{Using motion for tamper detection}
Mechanical motion has been proposed as a means of making things harder to see with the human eye\cite{haines2006} but we
seem to be the first to use it in tamper detection. Let us think about the constraints of our approach.
Mechanical motion has been proposed as a means of making things harder to see with the human eye\cite{haines2006} and is
routinely used in military applications to make things harder to hit\cite{terdiman2013} but we seem to be the first to
use it in tamper detection. Let us think about the constraints of our approach.
\begin{enumerate}
\item We need the sensor's motion to be fairly fast. If any point of the sensor moves slow enough for a human to
follow, it becomes a weak spot.
\item We need to keep the sensor's motion inside a reasonable space. Otherwise we could just load our HSM on an
airplane and assume that mid-flight, airplanes are hard to stop non-destructively.
\item We need the tamper sensor's motion to be fairly fast. If any point of the sensor moves slow enough for a human
to follow, it becomes a weak spot.
\item We need to keep the entire apparatus compact.
\item We need the sensor's motion to be very predictable so that we can detect an attacker trying to stop it.
\end{enumerate}
From this, we can make a few observations.
\begin{enumerate}
\item Non-periodic linear motion is likely to be a poor choice since it requires a large amount of space, and it is
comparatively easy to follow something moving linearly.
\item Oscillatory motion such as linear vibration or a pendulum motion might be a good candidate but for the
instant at its apex when the vibration reverses direction the object is stationary, which is a weak spot.
\item Rotation is a very good choice. Not only does it not require much space to execute, but also if the axis of
\item Non-periodic linear motion (like a train on wheels) is likely to be a poor choice since it requires a large
amount of space, and it is comparatively easy to follow something moving linearly.
\item Oscillatory motion such as linear vibration or a pendulum motion might be a good candidate would there not be
the moment at its apex when the vibration reverses direction the object is stationary. This is a weak spot.
\item Rotation is a very good choice. It does not require much space to execute. Additionally, if the axis of
rotation is within the HSM itself, an attacker trying to follow the motion would have to rotate around the same
axis. Since their tangential linear velocity would rise linearly with the radius from the axis of rotation, an
assumption on tolerable centrifugal force allows one to limit the approximate maximum size and mass of an
attacker. For an HSM measuring at most a few tens of centimeters across, it is easy to build something that
rotates too fast for a human to be able to follow it. The axis of rotation is a weak spot, but this can be
alleviated by placing additional internal sensors around it and locating all sensitive parts of the sensing
circuit radially away from it.
attacker (see Appendix \ref{sec_minimum_angular_velocity}). The axis of rotation is a weak spot, but we can
simply nest multiple layers of protection at an angle to each other.
\item We do not have to move the entire contents of the HSM. It suffices if we move the tamper detection barrier
around a stationary payload. This reduces the inertial mass of the moving part and eases data communication and
power supply of the payload.
around a stationary payload. This reduces the moment of inertia of the moving part and it means we can use
cables for payload power and data.
\end{enumerate}
\begin{figure}
\center
\includegraphics{concept_vis_one_axis.pdf}
\caption{Concept of a simple rotating inertial HSM. 1 - Axis of rotation. 2 - Security mesh. 3 - Payload. 4 -
\caption{Concept of a simple spinning inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 -
Accelerometer. 5 - Shaft penetrating security mesh.}
\label{fig_schema_one_axis}
\end{figure}
In a rotating reference frame centrifugal force is proportional to the square of angular velocity and proportional to
distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the
rotation by simply placing a linear accelerometer at some distance from the axis of rotation. During constant rotation,
both acceleration tangential to the rotation and along the axis of rotation will be zero. Centrifugal acceleration will
be constant. At high speeds, this acceleration may become very large. This poses the engineering challenge of preventing
rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, both
acceleration tangential to the rotation and along the axis of rotation will be zero. Centrifugal acceleration will be
constant. At high speeds, this acceleration may become very large. This poses the engineering challenge of preventing
the whole thing from flying apart, but also creates an obstacle to any attacker trying to manipulate the sensor.
In Appendix \ref{sec_minimum_angular_velocity} we present some back-of-the-envelope calculations on minimum angular
@ -269,14 +271,14 @@ disturbances if we over-determine the system of equation determining its motion
\subsection{Payload mounting mechanisms}
The simplest way to mount a stationary payload in a rotating security mesh is to drive the rotor using a hollow shaft.
The simplest way to mount a stationary payload in a spinning security mesh is to drive the rotor using a hollow shaft.
This allows the payload to be mounted on a fixed rod threaded through this hollow shaft along with wires for power and
data. The stationary rod and cables on the axis of rotation inside the hollow shaft are a weak spot of the system, but
this weak spot can be alleviated through either careful construction or a second layer of rotating meshes with a
different axis of rotation. Configurations that do not use a hollow-shaft motor are possible, but may require more
bearings to keep the stator from vibrating.
\subsection{Rotating mesh power supply}
\subsection{Spinning mesh power supply}
There are several options to transfer power to the rotor from its stationary frame.
@ -296,70 +298,25 @@ There are several options to transfer power to the rotor from its stationary fra
\subsection{Payload cooling}
In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air
duct or heat pipe would have to penetrate the HSM's sensitive boundary. This problem can be solve by complex and costly
siphon-style constructions, but in commercial systems heat conduction is used exclusively. This severely limiting the
maximum power dissipation of the payload and thus its processing power. In our rotating HSM concept, the rotating mesh
can have longitudindal gaps in the mesh without impeding its function. This allows air to pass through the mesh during
rotation, and one could even integrate a fan into the rotor. This greatly increases the maximum possible power
dissipation of the payload and unlocks much more powerful processing capabilities.
In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air duct or heat pipe would have
to penetrate the HSM's security boundary. This problem can be solve by complex and costly siphon-style constructions,
but in commercial systems heat conduction is used exclusively\cite{isaacs2013}. This limits the maximum power
dissipation of the payload and thus its processing power. In our spinning HSM concept, the spinning mesh can have
longitudindal gaps in the mesh without impeding its function. This allows air to pass through the mesh during rotation,
and one could even integrate an actual fan into the rotor. This greatly increases the maximum possible power dissipation
of the payload and unlocks much more powerful processing capabilities.
\subsection{Rotating mesh data communication}
\subsection{Spinning mesh data communication}
As we discussed above, while slip rings are the obvious choice to couple electrical signals through a rotating joint,
they are likely to be too expensive and have too short a life span for our application. Since the only information that
needs to pass between payload and rotor are the occassional status report and a high-frequency heartbeat signal that
acts as the alarm trigger, a simple optocoupler close to the axis of rotation is a good solution.
As for power, slip rings are the obvious choice to couple data signals through the rotating joint. Like for power, for
data, too they are too expensive for our application.
In our design with a stationary payload where only the security mesh and sensors are spinning, only occassional status
reports and a high-frequency alarm trigger heartbeat signal have to pass from rotor to stator. For this, a simple
optocoupler close to the axis of rotation is a good solution.
% FIXME note prototype implementation here
\section{Design space exploration}
\subsection{Other modes of movement}
Though we decided to use rotation as an easy-to-implement yet secure option, other modes of movement bear promise as
well. Particularly for less high-security applications without strict space constraints, a variant based on a pendulum
motion may be worth investigating as it would simplify the mechanical construction. Power and data transfer to the
moving part could simply be done with very flexible cables.
\subsection{Multiple axes of rotation}
One option to alleviate the weak spot a rotating mesh has at its axis of rotation, a system with two or more axes of
rotation could be used. A single mesh would still suffice in this case, but when evaluating accelerometer readings, the
braking detection algorithm would have to superimpose both.
\subsection{Means of power transmission}
Power transmission from payload to rotor is another point worth investigating. It may be possible to use some statically
mounted permanent magnets with a coil integrated into the rotor's PCB as a low-power generator. While likely
inefficient, this setup would be low-cost and would still suffice for the meager power requirements of the rotor's
monitoring circuitry.
\subsection{Other sensing modes}
Since the security requirement the primary tamper-detection barrier needs to measure up to are much more lenient in the
rotating HSM concept than in traditional HSMs, other coarse sensing modes besides low-tech meshes may be attractive. One
possibility that would also eliminate the need of any active circuitry on the rotor would be to print the inside of the
rotor with a pattern, then have a linear array of reflective optical sensors located close to the rotor along a
longitudinal line. These sensors would observe the printed pattern passing by at high speed, and could compare their
measurements against a model of the rotor. Tampering by drilling holes or slots would show up as adding an offset to
part or all of the pattern. Likewise, the speed of rotation can be deducted directly from a sequence of measurements.
\subsection{Longevity}
A core issue with a mechanical HSM is component longevity. Save for dust and debris clogging up the system's mechanics
the primary failure point are the bearings. A good partner for further development or even commercialization might be a
manufacturer of industrial ducted fans as they are used e.g.\ in servers for cooling. Small industrial fans usually use
BLDC motors and bearings specially optimized for longevity.
\subsection{Transportation of an active device}
A rotating mass responds to torque not co-linear with its axis of rotation with a gyroscopic precession force. In
practice, this means that moving a device containing a spun-up rotating HSM on its inside might induce significant
forces on both the HSM (posing the danger of false alarms) and on the carrier of the device (potentially making handling
challenging). This effect would have to be taken into account in a real-world deployment, especially if the finished
device is to be shipped by post or courier services after spin-up.
\subsection{Hardware prototype}
% FIXME expand & update below w/ hw proto findings
@ -379,7 +336,7 @@ itself, to prevent a damaged mesh from triggering an alarm and causing the HSM t
locations are electronic attacks, i.e. they require electrical contact to parts of the circuit. Traditionally, this
contact is made by soldering, or by placing a probe such as a thin needle. Any kind of electrical contact that does not
involve an electron or ion beam or a liquid requires mechanical contact. We consider none of these forms feasible to be
performed on an object rotating at high speed without a complex setup that rotates along with the object. Thus, we
performed on an object spinning at high speed without a complex setup that rotates along with the object. Thus, we
consider them to be practically infeasible outside of a well-funded, special-purpose laboratory.
\subsection{Attacks on the alarm circuitry}
@ -407,7 +364,7 @@ MEMS accelerometer. An electronic attack on the sensor or the monitoring microco
directly bridging the mesh traces and would not make sense. Physical attacks on the accelerometer are
possible\cite{trippel2017}, but in the authors' estimate are too hard to control to be practically useful.
A possible attack scenario would be to instantly stop the rotating motion and accelerate the HSM linearly such that the
A possible attack scenario would be to instantly stop the spinning motion and accelerate the HSM linearly such that the
linear acceleration as measured equals the previous centrifugal acceleration. Since commercial accelerometers are very
precise we do not consider this type of attack feasible.
@ -427,18 +384,47 @@ If the rate of rotation is set to change on a schedule, it is trivially detectab
%FIXME
FIXME
\section{Future Work}
\paragraph{Other modes of movement}
We decided to build a spinning HSM because it is the easiest option. Still, other modes of movement are also promising.
Particularly an oscillating HSM may be easier to construct at the expense of security. In it, power and data transfer to
the moving part could simply be done with cables.
\paragraph{Multiple axes of rotation}
The baseline single-axis spining HSM we propose has a weak spot at its shaft. This weak spot can be alleviated using a
gyroscoping mount, allowing the HSM to continuously change its axis of rotation.
\paragraph{Other sensing modes}
Beyond traditional security meshes, other sensing modes might be interesting in our unique setting. One possible option
without any moving electronics would be to print the inside of the rotor with a pattern, then have a linear CCD look at
the rotor. The CCD would see the printed pattern passing by at high speed, and one could compare its measurement
against a model of the rotor to check both speed of rotation and rotor integrity at once.
\paragraph{Longevity}
A core issue with a mechanical HSM is component longevity. Save for dust and debris clogging up the HSM's mechanics,
the primary failure point are the bearings. Industrial ducted fans such as servers fans may be a good source for
inspiration.
\paragraph{Transportation of an active device}
A rotating mass responds to torque that is not co-linear with its axis of rotation with a gyroscopic precession force.
In practice, this means that moving a device containing a spun-up rotating HSM on its inside might induce significant
forces on both the HSM (and cause false alarms) and on the carrier of the device (making handling challenging). A
real-world deployment would have to take this into account, especially if the finished device is to be shipped by post
or courier services after spin-up.
\section{Conclusion}
In this paper, we have presented inertial hardware security modules, a novel concept for the construction of highly
secure hardware security modules from inexpensive, commonly available parts. We have elaborated the engineering
considerations underlying a practical implementation of this concept. We have analyzed the concept for its security
properties and highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We have
laid out some ideas for future research on the concept, and we will continue our own research on the topic.
laid out some ideas for future research on the concept.
\printbibliography[heading=bibintoc]
\appendix
\subsection{Rotating mesh energy calculations}
\subsection{Spinning mesh energy calculations}
\label{sec_energy_calculations}
Assume that the rotating mesh sensor should send its tamper status to the static monitoring circuit at least once every
Assume that the spinning mesh sensor should send its tamper status to the static monitoring circuit at least once every
$T_\text{tx} = \SI{10}{\milli\second}$. At $\SI{100}{\kilo\baud}$ a transmission of a single byte in standard UART
framing would take $\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF
transmitter that requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of
@ -484,7 +470,8 @@ already have to circumvent the rotor's security mesh.
Assuming the HSM is stationary, a sensor on the rotating part will experience two significant accelerations:
\begin{enumerate}
\item Gravity $g = 9.8\frac{m}{s^2}$
\item Centrifugal force $a_C=\omega^2 r$, in the order of $\SI{1000}{\meter\per\second^2}$ or $100 g$
\item Centrifugal force $a_C=\omega^2 r$, in the order of $\SI{1000}{\meter\per\second^2}$ or $100 g$ at
$r=\SI{100}{\milli\meter}$ and $\SI{1000}{rpm}$
\end{enumerate}
Due to the vast differences in both radius and angular velocity, we can neglegt any influence of the earth's rotation on