From 18956ffe75e68426fd3a2f7bbc6692f83ac73265 Mon Sep 17 00:00:00 2001 From: jaseg Date: Fri, 28 Nov 2025 18:10:56 +0100 Subject: [PATCH] Finish the rest of leo's annotations --- chapter-epa/chapter.tex | 65 +++++---- chapter-hsms/chapter.tex | 224 ++++++++++++++++--------------- chapter-introduction/chapter.tex | 9 +- common-defs.tex | 34 +++++ main.bib | 68 +++++----- 5 files changed, 223 insertions(+), 177 deletions(-) diff --git a/chapter-epa/chapter.tex b/chapter-epa/chapter.tex index 46258d8..a5d9315 100644 --- a/chapter-epa/chapter.tex +++ b/chapter-epa/chapter.tex 
@@ -36,13 +36,13 @@ only having access to a subset of patient's medical records. Data in scope for t laboratory results, and medical imaging files. Due to Germany's mandatory health insurance laws, the system's user base encompasses the majority of all German -residents, approximately 90\textpercent. People who have replaced their public health insurance with private insurance -as of now are not subject to the system. In Germany, by law private health insurance is only available to people from -the top 10th percentile of household income. This means that the system disproportionally affects people who have low -income, creating an equity issue. While it is possible to opt out from the use of the new digital record, the process of -opting out is difficult. Additionally, the government and health insurance providers have publically depicted the system -in a one-sidedly positive way, meaning that it is unlikely the majority of people subject to the system have a -comprehensive understanding of the system's benefits and risks that would be necessary for an informed decision. +residents, approximately 90\%. People who have replaced their public health insurance with private insurance as of now +are not subject to the system. In Germany, by law private health insurance is only available to people from the top 10th +percentile of household income. This means that the system disproportionally affects people who have low income, +creating an equity issue. While it is possible to opt out from the use of the new digital record, the process of opting +out is difficult. Additionally, the government and health insurance providers have publically depicted the system in a +one-sidedly positive way, meaning that it is unlikely the majority of people subject to the system have a comprehensive +understanding of the system's benefits and risks that would be necessary for an informed decision. 
While there has been loud criticism of the system's security from civil society organizations such as digital rights nonprofit organization Chaos Computer Club (CCC) \cite{kochMoreMoreExperts2025} and several severe security flaws have 
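Review bot: two spelling errors survive in the re-wrapped + lines of this hunk and should be fixed while the paragraph is being touched anyway: "publically" should be "publicly" and "disproportionally" should be "disproportionately". The `\textpercent` to `\%` change itself is fine.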
@@ -118,19 +118,20 @@ records can be accessed. \subsection{Related Work} -The state-owned company specifying the system commissioned several security assessments of the system relating to the -key escrow service. \textcite{fischlinKryptographischeAnalyseSpezifikation2021} focuses on the cryptographic -dimension of the key escrow service used in an older version of the standard, and is now obsolete. -\textcite{slanySicherheitsanalyseZurSicherheit2020} approaches the system at a higher level, and focuses on the -cryptography of the inner protocol layers spoken between the system's components. Industry research organization +\emph{gematik}, the state-owned company specifying the system, commissioned several security assessments of the system +relating to the key escrow service. +\citeauthor{fischlinKryptographischeAnalyseSpezifikation2021}~\cite{fischlinKryptographischeAnalyseSpezifikation2021} +focuses on the cryptographic dimension of the key escrow service used in an older version of the standard, and is now +obsolete. \textcite{slanySicherheitsanalyseZurSicherheit2020} approaches the system at a higher level, and focuses on +the cryptography of the inner protocol layers spoken between the system's components. Industry research organization Fraunhofer SIT was comissioned for a structured, theoretical assessment of attack paths to the system -\cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of -independent academic security research on the system. +\cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of independent +academic security research on the system. The design and operation of the system have been independently described in detail by civil society activists, who have -demonstrated several successful attacks on the system. \textcite{tschirsichHackerHinOder0100} demonstrated how they +demonstrated several successful attacks on the system. 
\textcite{tschirsichHackerHinOder2019} demonstrated how they could trivially acquire each of the smartcards as well as the Konnektor necessary for accessing the system. -\textcite{tschirsichKonnteBisherNoch0100} summarize the history of attacks demonstrated on the system and show multiple +\textcite{tschirsichKonnteBisherNoch2024} summarize the history of attacks demonstrated on the system and show multiple practical attacks on various parts of the system's implementation. \section{Concerning Cryptographic Engineering Choices} 
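Review bot: the citation commands in the Related Work hunk are now inconsistent: the Fischlin reference is switched to `\citeauthor{...}~\cite{...}` while the Slany and Tschirsich references on the neighbouring lines keep `\textcite{...}`. If this works around a rendering problem with that one bib entry, leave a LaTeX comment saying so; otherwise use `\textcite` for all three so they typeset the same way. Also, "comissioned" in the unchanged context line ("Fraunhofer SIT was comissioned") should be "commissioned".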
@@ -140,11 +141,11 @@ by no means an exhaustive list, and is only meant to underscore why we believe t \subsection{Use of Key Escrow} -First, the system's general approach of using a key escrow service instead of securely storing the keys inside the -system's already existing smart card infrastructure is concerning, given that this key escrow service poses a -centralized security risk. The system's designers made this decision since it was deemed important that access to an -encrypted record can be restored quickly after an insurance ID card is lost, without requiring the cooperation of the -healthcare providers holding the primary copies of the person's medical records. +Key escrow describes a concept that was originally devised during the 1990ies out of a fear that the widespread +availability of strong encryption would stifle the ability of law enforcement agencies to wiretap communications in the +prosecution of crime. At the core of the concept rests the idea that a trusted \emph{key escrow} service should hold a +copy of every private key in use. In case the government wants to access one of these keys, the key escrow service can +provide this access\textcite{andersonSecurityEngineeringGuide2020,jarvisCryptoWarsFight2020}. While key escrow services have been a topic of political debate in decades past, in the cryptographic community, consensus generally is that they are a bad idea since they pose a centralized target for attack, and increase attack 
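Review bot: the new paragraph ends with `provide this access\textcite{andersonSecurityEngineeringGuide2020,jarvisCryptoWarsFight2020}.`, which has no space before the citation and uses a narrative citation command where a parenthetical one is meant, so it will typeset roughly as "provide this access Anderson (2020); Jarvis (2020)." Use `provide this access~\cite{andersonSecurityEngineeringGuide2020,jarvisCryptoWarsFight2020}.` instead. Two wording points in the same lines: "1990ies" should be "1990s", and "Key escrow describes a concept that was originally devised" reads more naturally as "Key escrow is a concept originally devised".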
@@ -155,6 +156,12 @@ surface \cite{ rogawayMoralCharacterCryptographic2015, }. +Our first concern is the system's general approach of using a key escrow service instead of securely storing the keys +inside the system's already existing smart card infrastructure. Like any other key escrow system, this key escrow +service poses a centralized security risk. The system's designers made this decision since it was deemed important that +access to an encrypted record can be restored quickly after an insurance ID card is lost, without requiring the +cooperation of the healthcare providers holding the primary copies of the person's medical records. + \subsection{Cryptographic Design} The system's overall cryptographic design is intentionally kept simple. The standard explicitly mentions that symmetric 
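Review bot: the moved paragraph repeats the point made directly above it: "Like any other key escrow system, this key escrow service poses a centralized security risk" restates the consensus sentence about key escrow being "a centralized target for attack". Consider dropping that sentence and going straight from the concern to the designers' rationale, i.e. "Our first concern is the system's general approach of using a key escrow service instead of ... The system's designers made this decision since ...".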
@@ -178,21 +185,21 @@ the key escrow service in an identifiable way. We observe that the system as a whole does not appear to be designed to defend against well-resourced adversaries. The series of practical attacks that have been demonstrated on the system confirm this impression. In -\textcite{tschirsichKonnteBisherNoch0100} summarize a series of successful attacks. Attacks include social engineering +\textcite{tschirsichKonnteBisherNoch2024} summarize a series of successful attacks. Attacks include social engineering resulting in access to copies of smartcards enabling accessing patient records, using misconfigured Konnektor VPN appliances with their LAN DMZ and authentication interface exposed on the public internet, circumventing video-based authentication processes resulting in duplicate file keys being provided, classis SQL injection on a backend service maintaining an authentication database, accessing all national patient records through brute-force enumeration of weak identifiers, and several more. -We believe that a system like this must be designed to withstand well-resourced adversaries such as enemy secret +We believe that a system like this must be designed to withstand well-resourced adversaries such as foreign secret services, since the medical data stored in such as information on chronic illness, sexually transmittable disease or severe food allergies has intelligence value. Repeated breaches of national digital infrastructure such as the 2015 breach of the US Office of Personnel Management \cite{barrettUSSuspectsHackers2015} or the 2024 compromise of US telecommunications wiretapping systems \cite{mennChineseGovernmentHackers2024} demonstrate that such state-sponsored attacks on national digital infrastructure are a realistic concern. 
A possible scenario in the ePA system would be an -enemy secret service gaining access to one of the HSMs storing the systems' root secrets, extracting the root secret by -an advanced physical attack, then being able to decrypt captured encrypted health records at will. Similarly, a +foreign secret service gaining access to one of the HSMs storing the systems' root secrets, extracting the root secret +by an advanced physical attack, then being able to decrypt captured encrypted health records at will. Similarly, a nation-state adversary might have access to an exploit allowing the compromise of the system's TEEs, which would enable the extraction of any patient records being processed in plaintext inside these TEEs. @@ -203,8 +210,8 @@ for authentication. Second, Hardware Security Modules are used in key locations cryptographic secrets. The core of the system's key escrow service is implemented inside an HSM. However, it is notable that the actual security level required for this HSM is only FIPS 140-2 level 3 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}. FIPS 140-2 is a US government -standard that used to be popular for the specification of HSMs. However, not only has FIPS 140-2 been superseded by FIPS -140-3 since 2019 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}, its security +standard that used to be popular for the specification of HSMs. However, not only has FIPS 140-2 been made obsolete by +FIPS 140-3 in 2019 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}, its security level 3 mostly provides logical separation of cryptographic functions from other logic and is not very meaningful in the context of physical attacks. The only physical requirement of FIPS 140-2 level 3 is that the HSM has a hard, opaque coating. This coating is specified to be tamper-evident, but notably no active tamper detection or response features are 
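Review bot: in the hunk at line 178, the edited line still begins "In \textcite{tschirsichKonnteBisherNoch2024} summarize a series of successful attacks", which renders as "In Tschirsich et al. (2024) summarize ..."; the leading "In" is a leftover and should be removed so that the previous sentence ends at "confirm this impression." Three more defects in the same hunk: "classis SQL injection" in the context should be "classic", "the medical data stored in such as information on" is missing its object ("the medical data stored in it, such as information on"), and "the systems' root secrets" in the + line should be "the system's root secrets".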
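Review bot: in the hunk at line 203, "has FIPS 140-2 been made obsolete by FIPS 140-3 in 2019" is a stronger claim than the "superseded" it replaces, and it sits oddly next to the surrounding sentences, which treat FIPS 140-2 level 3 as the requirement the system still specifies; "superseded by FIPS 140-3 in 2019" is the precise wording and I would keep it. The construction also needs its "but": "not only has FIPS 140-2 been superseded ..., but its security level 3 mostly provides ...". Finally, the statements that "The only physical requirement of FIPS 140-2 level 3 is that the HSM has a hard, opaque coating" and that no active tamper detection or response is required cite the standard as a whole; point to the specific clause (the physical security requirements for the relevant module embodiment) so a reader can verify the claim.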
@@ -239,5 +246,7 @@ that better accomodate real-world use cases. We believe that Inertial HSMs can address this use case by cleanly separating the physical security primitive into a retargetable design that can be applied to entire servers if needed, and augment or replace technology like conventional -HSMs or trusted execution environments to provide high-level hardware security. +HSMs or trusted execution environments to provide high-level hardware security. Before introducing IHSMs in +Chapter~\ref{chapter-ihsm}, in the following chapter, we will first complement this chapter's outlook on the state of +the art in hardware security with a survey of tamper sensing meshes in a wide range of real world devices. diff --git a/chapter-hsms/chapter.tex b/chapter-hsms/chapter.tex index d4bb6f6..0342999 100644 --- a/chapter-hsms/chapter.tex +++ b/chapter-hsms/chapter.tex @@ -14,7 +14,7 @@ being used in the late 19\textsuperscript{th} century, around the widespread com active tamper sensing meshes are used in a wide array of devices ranging from card payment terminals to atomic bombs. In this chapter, we will start with a brief history of tamper sensing meshes. Complementing our historical analysis, we -will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will analyze +will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will examine their implementation. We will analyze the gaps left by the current state of the art in commercial practice, and evaluate how Inertial HSMs could close these gaps to make secure hardware accessible to a wider range of applications. The contributions in this chapter are as follows: 
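Review bot: the added closing sentence of chapter-epa stacks two time clauses ("Before introducing IHSMs in Chapter~\ref{chapter-ihsm}, in the following chapter, we will first ..."). Reorder to "In the following chapter, we will first complement this chapter's outlook on the state of the art in hardware security with a survey of tamper sensing meshes in a wide range of real-world devices, before introducing IHSMs in Chapter~\ref{chapter-ihsm}." The hunk header context also shows "accomodate" (should be "accommodate"); that line is outside the hunk and needs its own fix.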
@@ -27,8 +27,8 @@ contributions in this chapter are as follows: illustrating them. \item From our sample, we extract several design patterns that can be applied to increase the security of a design. \item We note security flaws in several of our samples. - \item We provide the results of CT measurements of multiple samples, and we evaluate their impact on tamper sensing - mesh security. + \item We provide the results of Computed Tomography (CT) imaging of multiple samples, and we evaluate their impact + on tamper sensing mesh security. \end{itemize} \section{The History of Tamper Sensing Meshes} 
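Review bot: in the revised contribution bullet, "we evaluate their impact on tamper sensing mesh security" leaves it open whether "their" refers to the CT images or to CT imaging as a technique; since the chapter later uses the scans to evaluate CT as an attack method, say so directly, e.g. "and we evaluate what CT imaging implies for tamper sensing mesh security". "Computed Tomography" also does not need capitals.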
@@ -70,9 +70,9 @@ the widespread adoption of cryptography in commercial applications~\cite{ One early practical uses of tamper sensing meshes for information security as opposed to the security of some physical good is documented in notes on a series of lectures given by Dr.~David~G. Boak, a specialist in communications security and signal intelligence at the US National Security -Agency~\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that -around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were -large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those +Agency~\cite{boakHistoryUSCommunications1981,boakHistoryUSCommunications1973}. In this lecture series, Boak mentions +that around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time +were large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper 
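Review bot: the renamed citation keys are fine, but the unchanged first line of the hunk still reads "One early practical uses of tamper sensing meshes", which should be "One early practical use". Note also that the key order inside the `\cite` was swapped so that the 1981 entry now comes before the 1973 one; if the bibliography style does not sort citations within a `\cite`, swap them back to keep chronological order.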
@@ -111,24 +111,29 @@ history of nuclear material passing through these facilities. When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the -extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or -seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or -seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations -such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a -bright color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a -device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its -integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is -that drilling or cutting into something like a metal enclosure will leave detectable traces, and that perfectly -replicating an object including features such as minute surface imperfections is infeasible even to a nation -state~\cite{iaea2011}. +extensive use of tamper-indicating enclosures and of seals\footnote{ + Note that in IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper + indication''. The IAEA distinguishes between active tamper indication, which we conventionally call tamper + detection, and passive tamper indication, which we conventionally call tamper evidence. Tamper indicating devices + include seals, but also the aforementioned uniquely characterizable enclosures, which IAEA terminology calls + intrinsically tamper-indicating. 
An example for an active tamper indicating device would be a seismic sensor at the + bottom of a borehole that has been back-filled with concrete such that any attempt to reach the sensor would be + well-visible in the sensor's own readings~\cite{simmonsHowInsureThat1988}. +}. In both systems, the approach taken is that the enclosure or seal is treated similarly to what these days, in +computing we call a Physically Unclonable Function (PUF). The concept of a PUF centers on electronic component +manufactured such that random manufacturing variations can later be measured by the finished circuit. The core idea is +that since these manufacturing variations are random, they can be used as a source for cryptographic entropy. +Furthermore, the concept is based on the assumption that these manufacturing variations cannot be controlled, hence +making the device \emph{unclonable}. -In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The -IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper -indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the -aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An -example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been -back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own -readings~\cite{simmonsHowInsureThat1988}. +Similar to a PUF, in the IAEA's application an enclosure or seal is manufactured in a process that leaves an +unpredictable and uncontrollable pattern of manufacturing variations such as surface imperfections. 
A process used in +the IAEA is to package devices in aluminium enclosures passivated in a bright color, which leaves a random, microscopic +pattern of pits in the surface from the etching step. Before such a device is deployed in the field, it is precisely +measured from all sides. Later on, after field deployment, its integrity can then be checked by comparing its current +state to these initial measurements. The underlying assumption is that drilling or cutting into something like a metal +enclosure will leave detectable traces, and that perfectly replicating an object including features such as minute +surface imperfections is infeasible even to a nation state~\cite{iaea2011}. With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric 
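Review bot: the footnote moved into this hunk is attached before the sentence's full stop (`seals\footnote{...}. In both systems`), so the superscript marker is typeset before the period; move `\footnote{...}` after it. In the new PUF description, "centers on electronic component manufactured such that" is missing an article ("an electronic component"), and "can later be measured by the finished circuit" would be clearer as "by the finished circuit itself". Since a long footnote now separates "In both systems" from its antecedent, "In both enclosures and seals" keeps the reference clear.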
@@ -148,12 +153,12 @@ and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right of card payment terminals. HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is -hampered by their high cost. These applications include key management in the TLS certificate infrastructure. In this -chapter, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider. -Other applications include mail franking machines, where they are used to protect the credit counter and franking data, -with one such unit analyzed in this chapter. Furthermore, we have identified several models of key safes that in Germany -are mounted externally on public buildings to provide keys to emergency services, and which include tamper sensing -meshes on their door and interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5, +hampered by their high cost. In this chapter, we will analyze a commercial HSM that was used in the key management +infrastructure of a premium TV provider as one example of such uses. Examples of other applications include mail +franking machines, where they are used to protect the credit counter and franking data, with one such unit analyzed in +this chapter. Furthermore, we have identified several models of key safes that in Germany are mounted externally on +public buildings to provide keys to emergency services, and which include tamper sensing meshes on their door and +interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5, krusesicherheitssystemeDatenblattKRUSEFWSchlusseldepot2018}. Finally, we have found a processing unit used in a series of mid-2000s era slot machines in Germany that includes a tamper sensing mesh, presumably to prevent modification or cloning. This device will also be analyzed later in this chapter. 
@@ -213,7 +218,7 @@ To achieve low power consumption, a popular technique known since at least 1902~\cite{suttonElectricallyprotectedStructure1902} and still used today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the deviation of the mesh's end-to-end ohmic resistance from its baseline value. This measurement can be implemented either by directly comparing a -mesh trace's resistance with a reference resistor, or using a wheatstone bridge. Bridge circuits were already used +mesh trace's resistance with a reference resistor, or using a Wheatstone bridge. Bridge circuits were already used in early tamper sensing mesh implementations~\cite{ ElektrischeSicherheitseinrichtungSchutze1932, hamPrintedcircuitTypeSecurity1971, @@ -228,10 +233,7 @@ within its nominal operating environment, tampering can be made less convenient. the implementation of at least a temperature sensor to prevent cold-boot attacks on a device. A multitude of other sensors have been proposed, including humidity sensors, vibration sensors, light sensors, magnetometers, and radiation sensors such as X-ray sensors have been proposed. While the implementation cost of most sensor types is low, each -additional environmental sensor comes with an increased false alarm rate. Anecdotally, we have heard of light sensors -being removed from a datacenter HSM product because they caused frequent false alarms despite extensive efforts like -custom injection-molded plastic light baffles at all air vents of the device designed to prevent ingress of outside -light. +additional environmental sensor comes with an increased false alarm rate. % FIXME citations? \section{A Survey of Meshes in the Wild} 
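Review bot: in the hunk at line 228, removing the light-sensor anecdote leaves "each additional environmental sensor comes with an increased false alarm rate" with no support at all, and the `% FIXME citations?` marker that remains confirms the gap; either add a citation for the false alarm trade-off or keep the anecdote attributed as a personal communication. The unchanged context above also has a doubled verb: "A multitude of other sensors have been proposed, including ..., and radiation sensors such as X-ray sensors have been proposed"; drop the second "have been proposed".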
@@ -250,9 +252,9 @@ terminals, which represent the most varied class of device incorporating such me Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For this survey, we chose 30 total devices including 23 different models of card payment terminals, and 7 other devices. -Some devices were procured by dumpster diving, while most were sourced from ebay. The majority of these were sold by -electronic waste recycling companies. A complete list of our specimens can be found in -Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in +Some devices were procured by intercepting electronic waste, while most were sourced from ebay in Februrary and March +2025. The majority of these were sold by electronic waste recycling companies. A complete list of our specimens can be +found in Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in Figure~\ref{fig_hsm_survey_sample_pics} and internal photos are shown in Figure~\ref{fig_hsm_survey_sample_internal_pics}. In the following sections, we will go into detail on the classes of devices we selected for this study. 
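Review bot: "Februrary" in the added line should be "February", and "ebay" should be written "eBay". The change from "dumpster diving" to "intercepting electronic waste" is fine, but it is now less clear how those devices were obtained; one clause on where the waste stream was intercepted would help readers judge sample provenance.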
@@ -353,12 +355,11 @@ skimming that aim to exfiltrate card data and PINs entered by the customer. The Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto standardization organization in the card payment space. Due to the international scale of the large credit card networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC -standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level -of security than one might expect from an industry association. +standards. Adding on to PCI's ecosystem impact, its security standards are thought out well. One reason for the high level of physical security standards in card payment applications both on the client side (payment terminals) and on the server side (HSM appliances) is that the finance industry has been reluctant to adopt -modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or +modern cryptography. Not only are modern cryptographic protocols like secure Multiparty Computation (MPC) or Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and ancient ciphers such as Triple DES are still commonly referenced in industry standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result, increased hardware security is 
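Review bot: the unchanged context lines form a sentence fragment: "Not only are modern cryptographic protocols like secure Multiparty Computation (MPC) or Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly" should be one sentence ("... not commonly used; even asymmetric cryptography ..."). The acronym change from SMPC to MPC is consistent with common usage; check that "SMPC" is not still used elsewhere in the chapter or in the glossary.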
@@ -376,8 +377,8 @@ and are used across application domains. Depending on the application, these HSM can be used as coprocessors through an API. In practice, the standalone appliances are just low-end computers in a rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this survey, we obtained two devices labelled as HSMs. We were only able to procure two such devices since they are expensive, and even used -specimens of older models are usually listed for several hundreds to several thousands of EUR. Unfortunately, one of the -devices we obtained did not contain any security meshes in its case, and thus would not provide adequate protection +specimens of older models are usually listed for several hundreds to several thousands of Euro. Unfortunately, one of +the devices we obtained did not contain any security meshes in its case, and thus would not provide adequate protection against advanced attacks. The other specimen we procured was a 2011 model Utimaco CryptoServer LAN. Our unit was a white-label variant procured by premium TV encryption technology provider Irdeto, presumably used in Germany to produce cryptographic key streams for TV signal encryption. We bought the device from a recycling company specialized on @@ -607,6 +608,7 @@ list, we will address several common structural features that we observed across \label{hsm_fig_materials} \end{figure} +\todo{FIXME: Add scale / structure size to photos?} Regular Printed Circuit Boards are frequently used to implement tamper sensing meshes as shown in Figure~\ref{hsm_fig_materials_pcb_rigid}. PCB production is a highly advanced, large-scale industry and PCBs are inexpensive, commodity products. PCBs can be manufactured with many layers, at almost arbitrary total thickness, and 
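Review bot: in the hunk at line 376, "We bought the device from a recycling company specialized on" in the trailing context should be "specialized in". The change from "EUR" to "Euro" is fine, but pick one form for the whole thesis and apply it consistently. In the hunk at line 607, the added `\todo{FIXME: Add scale / structure size to photos?}` sits directly above the paragraph with no blank line, so the todo marker will be typeset at the start of that paragraph rather than after the figure; add a blank line after it if that is not intended.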
@@ -700,11 +702,11 @@ across the contact as shown in Figure~\ref{hsm_fig_connector_elastomeric}, but t soldering. Hand soldering increases unit cost over mechanized soldering techniques such as wave soldering or reflow soldering. -FPCs are suitable for use with standard Zero Insertion Force (ZIF) FPC connectors as shown in -Figure~\ref{hsm_fig_connector_fpc} that directly mate to a contact area, called \emph{gold fingers} in industry terms, -on the FPC. Both FPCs and rigid PCBs can be used with standard board-to-board stacking connectors such as the one -visible in the center of Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's -back side to ensure the solder joints don't break from mechanical stress when connecting or disconnecting. +FPCs are suitable for use with standard FPC connectors as shown in Figure~\ref{hsm_fig_connector_fpc}. These connectors +mate directly to a contact area on the FPC, called \emph{gold fingers} in industry terms. Both FPCs and rigid PCBs can +be used with standard board-to-board stacking connectors such as the one visible in the center of +Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's back side to ensure the +solder joints don't break from mechanical stress when connecting or disconnecting. In our survey, we frequently found elastomeric connectors used to connect to both flexible and rigid tamper sensing mesh assemblies. Elastomeric connectors such as the one shown in the center of Figure~\ref{hsm_fig_connector_elastomeric} are 
@@ -802,7 +804,7 @@ Thermoforming is a cheap industry standard process, but applied to flexible circ only 2.5-dimensional structures can be created since the starting product is always a planar sheet. Second, the sheet cannot be cut or contain slots or large holes before forming since it needs to be kept under a constant tension from all sides to ensure it evenly stretches into the mold. Finally, the depth achievable in such a process is rather limited, -with no sample in our survey exceeding \qty{2}{\milli\meter}\todo{Get proper number}. Higher depths would require +with no sample in our survey exceeding \qty{2}{\milli\meter}.\todo{Get proper number} Higher depths would require extensive deformation of the mesh circuit's plastic substrate, which could lead to tears in the mesh traces since the particle-based conductive inks used for screen-printed electronics are inelastic. Among our samples, we saw two instances of thermoformed meshes. First, all recent Ingenico terminals (\sampleno{H06,H13,H23,H24}) integrated an ink @@ -840,7 +842,7 @@ access by probes. \label{fig_ingenico_forming} \end{figure} -specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh +Specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh shown does not extend to the edges of the plastic cover it has been molded into. When this cover is placed on top of a PCB to protect components on the PCB from tampering, this leaves a large gap between the bottom edge of the mesh and the PCB surface, through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry. 
@@ -928,15 +930,69 @@ terminal. While a similar result could also be achieved by milling a slot into t PCB, the economics of PCB manufacturing are such that it may be more cost-effective to bond two standard-thickness PCBs on top of one another instead. -Figure~\ref{hsm_fig_3d_sandwich_lid} finally shows an advanced construction technique that uses a custom PCB with a -large indent milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base -PCB. This PCB lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A -ground plane filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the -cavity. Below this standard mesh stackup are two that are used to create a via fence structure similar to that shown in +Figure~\ref{hsm_fig_3d_sandwich_lid} shows an advanced construction technique that uses a custom PCB with a large indent +milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base PCB. This PCB +lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A ground plane +filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the cavity. Below +this standard mesh stackup are two that are used to create a via fence structure similar to that shown in Figure~\ref{hsm_fig_3d_sandwich_via_fence} in an attempt to protect the sides around the central cavity. Below these two via fence layers, at the bottom of the PCB is one more layer containing the pads connecting it to the base PCB. 
-\subsubsection{Tabular results} +\subsubsection{CT Imaging} + +\begin{figure} + \centering + \begin{subfigure}[t]{0.45\textwidth} + \centering + \includegraphics[width=\linewidth]{mesh_contact_joint.pdf} + \caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.} + \label{hsm_fig_ingenico_potted_ct_cut} + \end{subfigure} + \quad + \begin{subfigure}[t]{0.45\textwidth} + \centering + \includegraphics[width=\linewidth]{mesh_geom.pdf} + \caption{CT 3D reconstruction of the mesh's trace geometry.} + \label{hsm_fig_ingenico_potted_ct_3d} + \end{subfigure} + \quad + \begin{subfigure}[t]{0.45\textwidth} + \centering + \includegraphics[width=\linewidth]{ingenico_hsm_module.jpg} + \caption{Photo of the HSM module seated on the payment terminal's main PCB.} + \label{hsm_fig_ingenico_potted_seated} + \end{subfigure} + \caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module + (specimen~\sampleno{H18}).} + \label{hsm_fig_ingenico_potted} +\end{figure} + +% FIXME put the CT people in the acknowledgements! Also the microwave people! +Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of +security by obscurity. In practice, this can take the form of opaque potting compounds (cf. +Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and +burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\ +specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is +to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we +experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an +industrial CT. 
Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the +resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In +this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil, +and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this +information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that +the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through +one of the mesh's traces should be possible without breaking the trace. + +Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the +reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the +mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other +electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly +reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to +selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the +mesh. + + +\subsubsection{Results summary} Below is a table representing which features discussed in the sections above we found in which of our samples. Overall, we commonly found a combination of a rigid PCB mesh in the specimen's main PCB and and flexible meshes formed into a lid 
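Review bot: in the relocated CT paragraph the conclusion that a thin needle probe can be pushed through a trace "without breaking the trace" is drawn from the 1.0 mm pitch alone, although the following paragraph says the scan also yields conductor dimensions; the gap between conductors, not the pitch, bounds the usable probe diameter, so either state the measured trace width and gap or phrase the sentence as a conjecture. Two smaller points in the same hunk: "Below this standard mesh stackup are two that are used to create a via fence structure" is missing its noun (read "two further layers that are used"), and the unchanged line after the new "Results summary" heading contains a doubled conjunction ("in the specimen's main PCB and and flexible meshes"). The "% FIXME put the CT people in the acknowledgements!" comment also travels with the moved block; now that the section has its final position, resolving it here would avoid it surviving into the submitted version.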
@@ -969,7 +1025,7 @@ reverse engineering. \newcolumntype{M}{>{\centering\arraybackslash}p{4mm}} \setlength{\tabcolsep}{0pt} \begin{tabular}{ll|MMMMM|MMMM|MMMMM|MMMMM|MMMMM|MMM|MM} - &&\multicolumn{29}{c}{\textbf{Mesh}}\\ + &&\multicolumn{29}{c}{\textbf{Specimen}}\\ \textbf{Feature} & \textbf{Figures} & 1 & 2 & 3 & 4 & 5 & 6 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 27 & 28 & 30 & 31 & 32 \\\hline 
@@ -1135,64 +1191,12 @@ Integrated contact pads & \ref{hsm_fig_connector_fpc} & & & \\ % 30 - 32 \end{tabular} - \caption{Feature matrix of all specimens analyzed.} + \caption[Feature matrix of all specimens analyzed.]{Feature matrix of all specimens analyzed. Dots indicate presence + of a feature. The figures column lists which figures above contain examples of a particular feature.} \label{tab_hsm_survey_sample_results} \end{table} \end{landscape} -\subsubsection{CT Imaging} - -\begin{figure} - \centering - \begin{subfigure}[t]{0.45\textwidth} - \centering - \includegraphics[width=\linewidth]{mesh_contact_joint.pdf} - \caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.} - \label{hsm_fig_ingenico_potted_ct_cut} - \end{subfigure} - \quad - \begin{subfigure}[t]{0.45\textwidth} - \centering - \includegraphics[width=\linewidth]{mesh_geom.pdf} - \caption{CT 3D reconstruction of the mesh's trace geometry.} - \label{hsm_fig_ingenico_potted_ct_3d} - \end{subfigure} - \quad - \begin{subfigure}[t]{0.45\textwidth} - \centering - \includegraphics[width=\linewidth]{ingenico_hsm_module.jpg} - \caption{Photo of the HSM module seated on the payment terminal's main PCB.} - \label{hsm_fig_ingenico_potted_seated} - \end{subfigure} - \caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module - (specimen~\sampleno{H18}).} - \label{hsm_fig_ingenico_potted} -\end{figure} - -% FIXME put the CT people in the acknowledgements! Also the microwave people! -Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of -security by obscurity. In practice, this can take the form of opaque potting compounds (cf. -Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and -burying the mesh beneath other features such as PCB ground planes (cf. 
Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\ -specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is -to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we -experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an -industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the -resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In -this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil, -and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this -information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that -the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through -one of the mesh's traces should be possible without breaking the trace. - -Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the -reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the -mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other -electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly -reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to -selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the -mesh. 
- \section{Discussion} In our survey, we have seen the technological state of the art to which tamper-sensing meshes have evolved since the diff --git a/chapter-introduction/chapter.tex b/chapter-introduction/chapter.tex index 0a353df..a296b9c 100644 --- a/chapter-introduction/chapter.tex +++ b/chapter-introduction/chapter.tex @@ -134,10 +134,11 @@ existing HSM tamper sensing designs require bespoke manufacturing methods or cus obermaierPUFfilmMethodProducing2023, immler2019, garbTamperSensitiveDesignPUFBased, - immlerBTREPIDBatterylessTamperresistant2018}. -This creates a single point of failure in the manufacturer, and opens up an opportunity for a hardware supply-chain -attack~\cite{harrisonSoKSecurityArchitects2025}. Such supply chain attacks can be mitigated by independently -manufacturing our design. + immlerBTREPIDBatterylessTamperresistant2018}. Custom ICs require a large up-front financial commitment to produce. +Bespoke manufacturing methods may require custom machines, training, and specialty materials, also incurring a high +startup cost. This creates a single point of failure in the manufacturer, and opens up an opportunity for a hardware +supply-chain attack~\cite{harrisonSoKSecurityArchitects2025}. Such supply chain attacks can be mitigated by +independently manufacturing our design. %%% \section{A Note on Hardware Security Module Terminology} diff --git a/common-defs.tex b/common-defs.tex index c93358b..fc3f952 100644 --- a/common-defs.tex +++ b/common-defs.tex @@ -7,11 +7,13 @@ \usepackage[ backend=biber, style=numeric, + backref=true, natbib=true, url=false, doi=true, eprint=false, refsegment=chapter, + date=iso, ]{biblatex} \addbibresource{main.bib} \DeclareSourcemap{ 
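Review bot: in the introduction hunk, once the two sentences on up-front cost are inserted, "This creates a single point of failure in the manufacturer" reads as if the start-up cost were what creates the single point of failure, whereas the dependency on one supplier of the custom IC or bespoke process is; name the subject explicitly, for example "Either dependency creates a single point of failure in the manufacturer, and opens up an opportunity for a hardware supply-chain attack". The closing sentence "Such supply chain attacks can be mitigated by independently manufacturing our design" also overstates what the argument supports: independent manufacturing removes the single supplier from the trust base (second-sourcing or self-production becomes possible), so say that the dependency is removed rather than that the attack class is mitigated.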
@@ -173,6 +175,38 @@ \printbibliography[nottype={online},nottype={patent},heading=subbibliography,resetnumbers=false,segment=\therefsegment] } +% Fix for random mixed date formats, generated with claude.ai +% Redefine the date printing macro +\renewbibmacro*{date}{% + \iffieldundef{year} + {} + {\printtext{% + \thefield{year}% + \iffieldundef{month} + {} + {-\mkdatezeros{\thefield{month}}% + \iffieldundef{day} + {} + {-\mkdatezeros{\thefield{day}}}}% + }}% +} + +% Redefine urldate printing +\renewbibmacro*{urldate}{% + \iffieldundef{urlyear} + {} + {\printtext[urldate]{% + \thefield{urlyear}% + \iffieldundef{urlmonth} + {} + {-\mkdatezeros{\thefield{urlmonth}}% + \iffieldundef{urlday} + {} + {-\mkdatezeros{\thefield{urlday}}}}% + }}% +} +% end fix + \newrefcontext{defref} \hyphenation{a-me-na-ble} diff --git a/main.bib b/main.bib index c12b876..93398ff 100644 --- a/main.bib +++ b/main.bib 
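Review bot: the two \renewbibmacro* overrides for date and urldate overlap with the date=iso option added to the biblatex options in the previous hunk, and they lose behaviour the stock macros provide: the replacement date macro prints no date ranges (enddate) and bypasses biblatex's date formatting and localisation hooks, as does the urldate replacement. Note that date=iso only governs the date field; the urldate field has its own option (urldate=iso, or alldates=iso for every date field), which is the likely reason the urldate output still looked inconsistent. The "random mixed date formats" being worked around stem from entries such as year = {01:00:00 +0100}, which this same commit repairs in main.bib, so the suggestion is to rebuild with only the option(s) plus the bib fixes and drop the override, together with the "generated with claude.ai" comment, if the output is already uniform; if the override has to stay, document in the comment why the options alone were insufficient.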
@@ -844,6 +844,30 @@ organization = {US National Security Agency (NSA)} } +@book{boakHistoryUSCommunications1973, + title = {A {{History}} of {{U}}.{{S}}. {{Communications Security}} ({{The David G}}. {{Boak Lectures}}), {{Volume I}}}, + author = {Boak, David G.}, + date = {1973}, + publisher = {(US) National Security Agency}, + url = {http://archive.org/details/history_comsec-nsa}, + urldate = {2025-02-18}, + langid = {english}, + keywords = {NSA}, + annotation = {2015 re-declassified version contains more material} +} + +@book{boakHistoryUSCommunications1981, + title = {A {{History}} of {{U}}.{{S}}. {{Communications Security}} ({{The David G}}. {{Boak Lectures}}), {{Volume II}}}, + author = {Boak, David G.}, + date = {1981}, + publisher = {(US) National Security Agency}, + url = {http://archive.org/details/history_comsec_ii-nsa}, + urldate = {2025-02-18}, + langid = {english}, + keywords = {NSA}, + annotation = {2015 re-declassified version contains more material} +} + @book{bogatinSignalPowerIntegrity2018, title = {Signal and Power Integrity, Simplified}, author = {Bogatin, Eric}, @@ -1868,7 +1892,7 @@ @patent{droegeSicherheitsmodulMitEinteiliger1997, type = {patentde}, title = {Sicherheitsmodul Mit Einteiliger {{Sicherheitsfolie}}}, - author = {Droege, Hartmut Dipl Ing and Fischer, Ludwig Dipl Ing and Scheibel, Markus Dipl Ing and Sonnentag, Dieter Dipl Ing}, + author = {Droege, Hartmut and Fischer, Ludwig and Scheibel, Markus and Sonnentag, Dieter}, holder = {{International Business Machines Corp}}, date = {1997-07-17}, number = {19600769A1}, @@ -3130,7 +3154,7 @@ @book{huangHardwareHackerAdventures2019, title = {The {{Hardware Hacker}}: {{Adventures}} in {{Making}} and {{Breaking Hardware}}}, shorttitle = {The {{Hardware Hacker}}}, - author = {Huang, Andrew "bunnie"}, + author = {Huang, Andrew ``bunnie''}, date = {2019}, publisher = {No Starch Press}, location = {San Francisco}, 
@@ -5432,32 +5456,6 @@ keywords = {twisted-inductors} } -@book{nsaHistoryUSCommunications1973, - title = {A {{History}} of {{U}}.{{S}}. {{Communications Security}} ({{The David G}}. {{Boak Lectures}}), {{Volume I}}}, - author = {{NSA}}, - namea = {{Michael Best}}, - nameatype = {collaborator}, - date = {1973}, - url = {http://archive.org/details/history_comsec-nsa}, - urldate = {2025-02-18}, - langid = {english}, - keywords = {NSA}, - annotation = {2015 re-declassified version contains more material} -} - -@book{nsaHistoryUSCommunications1981, - title = {A {{History}} of {{U}}.{{S}}. {{Communications Security}} ({{The David G}}. {{Boak Lecture}}), {{Volume II}}}, - author = {{NSA}}, - namea = {{Michael Best}}, - nameatype = {collaborator}, - date = {1981}, - url = {http://archive.org/details/history_comsec_ii-nsa}, - urldate = {2025-02-18}, - langid = {english}, - keywords = {NSA}, - annotation = {2015 re-declassified version contains more material} -} - @article{obermaier2018, title = {The Past, Present, and Future of Physical Security Enclosures: {{From}} Battery-Backed Monitoring to {{PUF-based}} Inherent Security and Beyond}, author = {Obermaier, Johannes and Immler, Vincent}, @@ -5501,7 +5499,7 @@ @patent{obermaierPUFfilmMethodProducing2023, type = {patentus}, title = {{{PUF-film}} and Method for Producing the Same}, - author = {Obermaier, Johannes and Immler, Vincent and HESSELBARTH, Robert}, + author = {Obermaier, Johannes and Immler, Vincent and Hesselbarth, Robert}, holder = {{Fraunhofer Gesellschaft zur Foerderung der Angewandten Forschung eV}}, date = {2023-02-21}, number = {11586780B2}, 
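Review bot: this hunk deletes nsaHistoryUSCommunications1973 and nsaHistoryUSCommunications1981, which are re-added under boakHistoryUSCommunications1973 and boakHistoryUSCommunications1981 in the earlier hunk; the patch does not show the \cite sites being updated, so confirm with a biber run that no citation still uses the old keys (biber reports them as undefined). The rewrite also drops the namea = {{Michael Best}} / nameatype = {collaborator} fields that credited the person who obtained the declassified scans; if that credit is wanted, carry it over into the new entries (for example via the annotation field). The Volume II title's "Boak Lecture" is silently corrected to "Boak Lectures" by the replacement, which is fine but worth mentioning in the commit message.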
@@ -7233,22 +7231,22 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu keywords = {Benchmark testing,Computer architecture,Computer performance,Conferences,Energy efficiency,Focusing,Hardware,High performance computing,Market research,Performance analysis,Power demand,Processor energy efficiency,Servers,Software} } -@online{tschirsichHackerHinOder0100, +@online{tschirsichHackerHinOder2019, title = {"{{Hacker}} Hin Oder Her": {{Die}} Elektronische {{Patientenakte}} Kommt!}, shorttitle = {"{{Hacker}} Hin Oder Her"}, - author = {Tschirsich, Martin and Brodowski, cbro-Dr med Christian and Zilch, Dr André}, - year = {01:00:00 +0100}, + author = {Tschirsich, Martin and Brodowski, Dr med Christian and Zilch, Dr André}, + date = {2019-12-27}, url = {https://media.ccc.de/v/36c3-10595-hacker_hin_oder_her_die_elektronische_patientenakte_kommt}, urldate = {2025-05-15}, abstract = {Herzstück der digitalen Gesundheitsversorgung für 73 Millionen Versicherte ist die hochsichere, kritische Telematik-Infrastruktur mit ber...}, langid = {english} } -@online{tschirsichKonnteBisherNoch0100, +@online{tschirsichKonnteBisherNoch2024, title = {„{{Konnte}} Bisher Noch Nie Gehackt Werden“: {{Die}} Elektronische {{Patientenakte}} Kommt - Jetzt Für Alle!}, shorttitle = {„{{Konnte}} Bisher Noch Nie Gehackt Werden“}, author = {Tschirsich, Martin and Kastl, Bianca}, - year = {00:00:00 +0100}, + date = {2024-12-27}, url = {https://media.ccc.de/v/38c3-konnte-bisher-noch-nie-gehackt-werden-die-elektronische-patientenakte-kommt-jetzt-fr-alle}, urldate = {2025-05-15}, abstract = {In wenigen Wochen werden die Gesundheitsdaten von rund 73 Millionen in Deutschland Krankenversicherten ohne deren Zutun über Praxis- und ...}, 
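Review bot: both tschirsich @online entries keep langid = {english} although their titles and abstracts are German; set langid = {german} so that biblatex applies German hyphenation and casing rules to these entries. Renaming the keys from the ...0100 suffixes to ...2019 and ...2024 again requires the matching \cite calls to be updated, which this patch does not show; check with biber. Replacing the bogus year = {01:00:00 +0100} values by proper date fields is the right fix and removes the root cause of the mixed date output addressed in common-defs.tex.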
@@ -7768,7 +7766,7 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu @patent{weidnerHardwareschutzFormHalbschalen2007, type = {patent}, - title = {Hardwareschutz in form von zu halbschalen tiefgezogenen leiterplatten}, + title = {Hardwareschutz in Form von zu Halbschalen tiefgezogenen Leiterplatten}, author = {Weidner, Karl and Wimmer, Anton}, holder = {{Siemens Aktiengesellschaft}}, date = {2007-01-11},