diff --git a/Makefile b/Makefile index 29293d6..77d7c76 100644 --- a/Makefile +++ b/Makefile @@ -14,20 +14,34 @@ all: thesis.pdf # We need three runs for biblatex's defernumbers %.pdf: %.tex common-packages.tex common-defs.tex main.bib version.tex - pdflatex -shell-escape -jobname thesis '\def\thesispreviewmode{}\input{$<}' + pdflatex -shell-escape -jobname $* '\def\thesispreviewmode{}\input{$<}' biber $* - pdflatex -shell-escape -jobname thesis '\def\thesispreviewmode{}\input{$<}' - pdflatex -shell-escape -jobname thesis '\def\thesispreviewmode{}\input{$<}' + pdflatex -shell-escape -jobname $* '\def\thesispreviewmode{}\input{$<}' + pdflatex -shell-escape -jobname $* '\def\thesispreviewmode{}\input{$<}' echo echo "Undefined biblatex references:" grep -A2 'Package biblatex Warning: The following entry could not be found' thesis.log | sed -n '3~4{s/(biblatex) *//;p}' || echo "" -#.PHONY: preview -final: - pdflatex -shell-escape $< - biber $* - pdflatex -shell-escape $< - pdflatex -shell-escape $< +%-oneside.pdf: %.tex common-packages.tex common-defs.tex main.bib version.tex + pdflatex -shell-escape -jobname $*-oneside '\def\thesispreviewmode{}\def\thesisoneside{}\input{$<}' + biber $*-oneside + pdflatex -shell-escape -jobname $*-oneside '\def\thesispreviewmode{}\def\thesisoneside{}\input{$<}' + pdflatex -shell-escape -jobname $*-oneside '\def\thesispreviewmode{}\def\thesisoneside{}\input{$<}' + echo + echo "Undefined biblatex references:" + grep -A2 'Package biblatex Warning: The following entry could not be found' thesis.log | sed -n '3~4{s/(biblatex) *//;p}' || echo "" + +%-final.pdf: %.tex common-packages.tex common-defs.tex main.bib version.tex + pdflatex -jobname $*-final -shell-escape $< + biber $*-final + pdflatex -jobname $*-final -shell-escape $< + pdflatex -jobname $*-final -shell-escape $< + +%-final-oneside.pdf: %.tex common-packages.tex common-defs.tex main.bib version.tex + pdflatex -shell-escape -jobname $*-final-oneside '\def\thesisoneside{}\input{$<}' + biber $*-final-oneside + pdflatex -shell-escape -jobname $*-final-oneside '\def\thesisoneside{}\input{$<}' + pdflatex -shell-escape -jobname $*-final-oneside '\def\thesisoneside{}\input{$<}' version.tex: thesis.tex $(addsuffix /chapter.tex,${CHAPTERS}) echo "${VERSION_STRING}" > $@ diff --git a/abstract.tex b/abstract.tex index e47b77f..6701f46 100644 --- a/abstract.tex +++ b/abstract.tex @@ -27,8 +27,13 @@ hardware by presenting an analysis of problematic aspects in the hardware securi electronic health record system. To pave the way for practical implementations of IHSM technology, we present solutions to key engineering challenges in -IHSM construction including a highly symmetric planar inductor design for rotating wireless power transfer and a -high-fidelity monitoring system for low-cost security meshes. +IHSM construction. We present a design and analysis of highly symmetric planar inductors for rotating wireless power +transfer. +% FIXME improvement in numbers +We present a high-fidelity, low-cost monitoring system for security meshes that is based on the principles of +Time-Domain Reflectometry (TDR). We validate our system and find that it is able to reliably detect several classes of +advanced physical attacks. We find that our system is sensitive enough to detect differences between identical copies of +the same mesh, suggesting PUF-like properties. Applying IHSM technology, we analyse two use cases that are unlocked by the increased size and power dissipation capability of IHSMs. In the first analysis, an IHSM-secured relay node for Quantum Key Distribution (QKD) systems is diff --git a/chapter-epa/chapter.tex b/chapter-epa/chapter.tex index 53e92a3..3466696 100644 --- a/chapter-epa/chapter.tex +++ b/chapter-epa/chapter.tex @@ -7,6 +7,7 @@ } \chaptertitle{The German ePA: A Motivating Counter-Example} +\label{chapter-epa} \todo{FIXME: Proper citation here} \sourceattrib{This part is based on a short paper written by me and presented by me at the HS3 workshop at ESORICS diff --git a/chapter-introduction/chapter.tex b/chapter-introduction/chapter.tex index 63f0b06..0a353df 100644 --- a/chapter-introduction/chapter.tex +++ b/chapter-introduction/chapter.tex @@ -88,11 +88,11 @@ today, average computing hardware provides little physical security~\cite{ moghimiTPMFAILTPMMeets2020}. \emph{Hardware Security Modules} are a class of devices specifically designed to execute cryptographic algorithms while providing strict physical security guarantees, but these systems are expensive, -and their physical security is often questionable (cf.~Chapter~\ref{chapter-survey})~\cite{ +and their physical security is often questionable~\cite{ obermaier2018, - andersonSecurityEngineeringGuide2020}. -As \textcite{andersonSecurityEngineeringGuide2020} writes on HSMs and their security standards: -% FIXME page numbers + andersonSecurityEngineeringGuide2020}, +which we wi elaborate further in Chapter~\ref{chapter-survey}. \textcite{andersonSecurityEngineeringGuide2020} writes on +HSMs and their security standards: \begin{quote} Security economics remains a big soft spot, with security chips being in many ways a market for lemons. A banker @@ -139,65 +139,82 @@ This creates a single point of failure in the manufacturer, and opens up an oppo attack~\cite{harrisonSoKSecurityArchitects2025}. Such supply chain attacks can be mitigated by independently manufacturing our design. -\section{Research Questions and Contributions} +%%% +\section{A Note on Hardware Security Module Terminology} -Based on the current state of the field of hardware security, we deduce three overarching research questions for this -thesis that progress from theory to practical deployment. +In this thesis, we use the term \emph{Hardware Security Module (HSM)} to refer to a security device that has the +following three properties. -% Research questions: -% 1. can hsm w/o proprietary mesh? -% 2. how do meshes look like in practice? -% 3. can we improve monitoring? -% 4. can we solve power transfer issue -% 5. applications -% \begin{enumerate} - \item Can we achieve physical security without relying on a conventional tamper-sensing meshes that requires a - bespoke manufacturing process? - \item Can we monitor tamper-sensing meshes at a higher detail level than the state of the art of a single, scalar - measurement? - \item Can we create the support components necessary to integrate a system that provides a practical security - guarantee? +\item A HSM targets the prevention of any conceivable physical attack. In particular, this includes intrusion attempts + such as careful drilling or cutting into the device from any direction. +\item A HSM includes tamper sensors that when triggered result in an active tamper response, usually deleting all + cryptographic secrets and rendering the device inoperable. +\item A HSM's tamper sensing and response subsystem is continuously powered from a backup power supply, usually a + battery. Loss of power triggers the tamper response. \end{enumerate} -To answer our first research question, we propose the Inertial Hardware Security Module (IHSM), a new type of HSM that -extends the high level of protection offered by the modern cryptographic software stack down to the hardware level, -enabling secure computation in insecure places. +This use of the term \emph{HSM} aligns with common usage of the term both in the academic literature and in everyday +conversation. Particularly the requirement of active tamper detection and response is crucial to distinguish a HSM from +simpler devices such as TPMs, smart cards or secure enclaves in SoCs. Note that our use of the term HSM is slightly +different from its use in government standards, from its use in the PCI SSC (Payment Card Industry Security Standards +Council) standards, and from its industry use. -To answer our second question, we propose improvements to the state of the art in HSM tamper sensors such as the use of -low-cost, embeddable Time-Domain Reflectometry (TDR) that not only improve the security of IHSMs, but that can even be -applied to conventional HSMs. +In industry, the term HSM is often used for solutions that are only logically segregated and that do not include any +particular defense against hardware attacks. Our conjecture is that this is a consequence of the standardization +landscape, where for applications outside of card payment processing the US FIPS +140-22~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} standard was central to +the industry. Despite encompassing both devices that include active tamper detection and response, FIPS 140-2 did not +draw a distinction in its terminology between the two classes. -Finally, we answer our last research question by showing in two case studies how an end-to-end design of an IHSM-secured -data processing system could look like. Both case studies concern scenarios that IHSMs unlock that were previously -infeasible using conventional HSMs: Datacenter-scale Secure Multiparty Computation (SMPC) and long-range Quantum Key -Distribution (QKD) networks. As part of this effort we provide a solution adapting and improving upon the state of the -art in wireless power transfer to supply a rotating inertial HSM with a clean, stable power supply. +\subsection{Use in government standards} -We chose to publish all of our research as open source and unencumbered by patents to enable widespread adoption. IHSMs -can be custom built with only basic manufacturing capabilities at small scale and enable the deployment of secure -computation in insecure places even to small organizations such as university research departments, NGOs and small -businesses. +Under the still widely used US national standard FIPS 140 in in its 2002 version +2~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}, a HSM would be called a +\emph{Multiple-Chip Cryptographic Module} that conforms to the standard's \emph{Security Level} 4 out of 4. Interesting +to note are that only level 4 requires any active tamper detection and response, so devices compliant only up to levels +3 and below do not align with our HSM definition. Futher of note is that according to the standard, a single-chip +solution does not require any tamper detection and response either to meet the standard's security level 4, which is in +misalignment with our definition. The standard's 2019 updated version FIPS +140-3~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019} defers to the +international standards ISO/IEC 19790 and 24759. -%\section{Cryptographic Principles and Physical Reality} +ISO/IEC 19790~\cite{ISOIEC19790} and ISO/IEC 24759~\cite{ISOIEC24759} call what we call a HSM a \emph{Hardware +Cryptographic Module} corresponding with the standards \emph{Security Level 4}. However, these standards only require +active tamper detection and response when cryptographic secrets are transmitted in plaintext between chips. -%Let's take a basic videoconferencing system as an example. In our example system's deployment, users log on to a central -%conference server, which receives and distributes the users' video streams. Allowing backdoor access to the video -%streams to some third party like a datacenter operator or a state would violate Kerckhoffs' principle since it would -%have to be hidden from the systems' participants, who would therefore not have a complete view of the systems' deployed -%architecture. The principle of least authority would also be violated since in almost all cases, such a backdoor access -%system would not see legitimate use. As a result, it would possess capabilities that almost never would be essential to -%the proper function of the videoconference system. +\subsection{Use in card payment processing (PCI SSC) standards} -%In their design, almost all modern software -- especially open source -- cleanly applies these principles. However, the -%practical reality after deployment almost always deviates from them. While backdoors are vanishingly rare in modern -%open-source software, practical deployments usually are vulnerable to physical attacks. Computer hardware generally is -%not designed with a local attacker with advanced physical attack capabilities in mind since no mitigation can fully -%prevent them---such attacks usually can only be detected, or at best slowed down. As a result, commonplace attacks -%against modern software often involve taking over the hardware at some point in the chain. Even End-to-End-Encrypted -%(E2EE) communication systems can be compromised if one of the encrypted channel's endpoints can be physically -%compromised. Corresponding \emph{digital forensics} capabilities are commonplace among state actors, and are available -%as a turnkey solution on the market. +The Payment Card Industry Security Standards Council (PCI SSC) is an association of credit card network operators that +defines standards for all layers of card payment processing, from card payment terminals in stores to the handling of +payment data in online shop backend systems. + +PCI SSC terminology aligns with our definition and with common everyday use of the term HSM. In PCI SSC terminology, a +HSM is a crytographic device that has active tamper detecion and response circuitry. However, PCI SSC terminology +differs from our use of the term HSM in one nuance: In PCI SSC terminology, a HSM is specifically a datacenter device +used for backend processing of payment data. The general class of ``hardware devices performing some security function +with or without particular physical security requirements'' that ISO/IEC 19790 and other standards call a \emph{Hardware +Cryptographic Module}, in PCI SSC terminology is termed \emph{Secure Cryptographic Device (SCD)} in more recent standard +versions, which was updated from the previous term \emph{Tamper-Resistant Security Module (TRSM)}. Other than HSMs, PCI +SSC includes smartcards and card payment terminals in this category. Card payment terminals, referred to as +\emph{Pin-Entry Device (PED)} in PCI SSC standards, have to include a surprising amount of active tamper detection and +response functionality including partial coverage of areas like their main cryptographic processor and smart card reader +by battery-backed tamper-sensing meshes. Under our definition, these devices can be classified as a type of HSM. + +\subsection{Tamper-Sensing Meshes} + +In this thesis, we use the terms \emph{Tamper-Sensing Mesh} and \emph{Security Mesh} synonymous. We use both terms to +refer to any electrical circuit whose path is laid out to cover a surface with the intent of detecting attempts at +drilling, cutting or otherwise manipulating this surface. While the term \emph{Security Mesh} is more concise, it is +less clear to people unfamiliar with the matter. It is also polysemous, and depending on context can also refer to woven +or stamped metal meshes used as fences or as screens in front of windows to prevent break-ins. As a result, it is harder +to use in online searches, and when using Large Language Models (LLMs), it frequently leads to amusing hallucinations. + +% FIXME note leo: Das ganze wirkt wie ein guter baustein für eine Einleitung. Für einen Terminologie übersicht ist es +% ansonsten auch eigentlich zu lang. +% Splitte das vielleicht auf, ein paar mehr details in den Abstract um die HSM definition etwas zu präzisieren, den rest +% in die Intro? +%%% \section{Inertial Hardware Security Modules} @@ -239,6 +256,68 @@ cover the payload. Instead, it can have gaps that allow for air flow between out of the IHSM's payload. This cooling capability sharply increases computing power by increasing feasible payload power dissipation by two orders of magnitude. +\section{Research Questions and Contributions} + +Based on the current state of the field of hardware security, we deduce three overarching research questions for this +thesis that progress from theory to practical deployment. + +% Research questions: +% 1. can hsm w/o proprietary mesh? +% 2. how do meshes look like in practice? +% 3. can we improve monitoring? +% 4. can we solve power transfer issue +% 5. applications +% +\begin{enumerate} + \item What is the state of the art in commercial tamper sensing mesh implementations? + \item What are criteria and approaches for the design of secure tamper sensing meshes? + \item Can we achieve physical security without relying on a conventional tamper-sensing meshes that requires a + bespoke manufacturing process? + \item Can we monitor tamper-sensing meshes at a higher detail level than the state of the art of a single, scalar + measurement? + \item Can we improve the ripple voltage performance of Wireless Power Transfer (WPT) through rotating joints to + adapt it to IHSM applications? + \item What applications does our IHSM technology open up through its increase in power dissipation and size + capabilities? +\end{enumerate} + +We answer our first research question in two parts. In Chapter~\ref{chapter-epa}, we analyze the hardware security +design of Germany's new national electronic health record system. Our analysis unveils a combination of problematic +choices resulting from conflicting constraints and lack of awareness. In Chapter~\ref{chapter-survey}, we present the +results of a survey across approximately 30 real world tamper sensing mesh implementations, analyzing common design +features. + +The latter half of our survey in Chapter~\ref{chapter-survey} answers our second research quesion. From our analysis of +this large corpus of devices, we deduce a list of design criteria that can be applied to increase the security of any +tamper sensing mesh implementation. + +To answer our third research question, in Chapter~\ref{chapter-ihsm} we propose the Inertial Hardware Security Module +(IHSM), a new type of HSM that extends the high level of protection offered by the modern cryptographic software stack +down to the hardware level, enabling secure computation in insecure places. IHSMs can be built from basic, off-the-shelf +components and do not require bespoke manufacturing processes. + +IHSMs come with unique power supply constraints since their rotating mesh must be continuously powered. A +straightforward solution utilizes Wireless Power Transfer using planar inductors, but existing WPT designs exhbit a +ripple voltage due to an asymmetry of conventional planar inductors. This leads to our fourth research question, which +we solve in Chapter~\ref{chapter-nice-coils} with the design and experimental evaluation of a new, generalized class of +\emph{twisted} planar inductors that reduces voltage ripple in rotating shaft setups. + +To answer our fifth research question, in Chapter~\ref{chapter_sampling_mesh_mon} we propose improvements to the state +of the art in HSM tamper sensors based on the use of low-cost, embeddable Time-Domain Reflectometry (TDR). Our +improvements can be applied to both IHSMs and conventional HSMs. + +Finally, we answer our last research question by showing in two case studies how an end-to-end design of an IHSM-secured +data processing system could look like. Both case studies concern scenarios that IHSMs unlock that were previously +infeasible using conventional HSMs: In Chapter~\ref{chapter-qkd}, we explore how IHSMs enable long-range Quantum Key +Distribution (QKD) networks using trustable physically secured relay nodes and in Chapter~\ref{chapter-smpc} we +elaborate how datacenter-scale Secure Multiparty Computation (SMPC) clusters can be created using IHSM enclosures with +commercial server hardware. + +We chose to publish all of our research as open source and unencumbered by patents to enable widespread adoption. IHSMs +can be custom built with only basic manufacturing capabilities at small scale and enable the deployment of secure +computation in insecure places even to small organizations such as university research departments, NGOs and small +businesses. + \section{Conclusion} Looking at the practice of applied hardware security, we observe that despite ample availability of commercial solutions diff --git a/common-defs.tex b/common-defs.tex index 144493a..c93358b 100644 --- a/common-defs.tex +++ b/common-defs.tex @@ -52,12 +52,20 @@ \ifdefined\thesispreviewmode % (draft \texttt{\input{version.tex}\unskip}) % \fi % -\leftmark} -\fancyhead[OL]{\footnotesize\rightmark} + \leftmark} +\fancyhead[OL]{\footnotesize% + \ifdefined\thesisoneside % + \leftmark% + \ifdefined\thesispreviewmode % + \\(draft \texttt{\input{version.tex}\unskip}) % + \fi % + \else% + \rightmark% + \fi} \fancyhead[EL,OR]{\thepage} - \fancyfoot[LCR]{} +\setlength{\headheight}{13.6pt} \fancypagestyle{plain}{% \fancyhf{}% \renewcommand{\headrulewidth}{0pt}% diff --git a/hsm-terminology-notes.tex b/hsm-terminology-notes.tex deleted file mode 100644 index 45f8cf8..0000000 --- a/hsm-terminology-notes.tex +++ /dev/null @@ -1,77 +0,0 @@ -\chapter*{A Note on Hardware Security Module Terminology} -\adjustmtc -\addcontentsline{toc}{chapter}{A Note on Hardware Security Module Terminology} - -In this thesis, we use the term \emph{Hardware Security Module (HSM)} to refer to a security device that has the -following three properties. - -\begin{enumerate} -\item A HSM targets the prevention of any conceivable physical attack. In particular, this includes intrusion attempts - such as careful drilling or cutting into the device from any direction. -\item A HSM includes tamper sensors that when triggered result in an active tamper response, usually deleting all - cryptographic secrets and rendering the device inoperable. -\item A HSM's tamper sensing and response subsystem is continuously powered from a backup power supply, usually a - battery. Loss of power triggers the tamper response. -\end{enumerate} - -This use of the term \emph{HSM} aligns with common usage of the term both in the academic literature and in everyday -conversation. Particularly the requirement of active tamper detection and response is crucial to distinguish a HSM from -simpler devices such as TPMs, smart cards or secure enclaves in SoCs. Note that our use of the term HSM is slightly -different from its use in government standards, from its use in the PCI SSC (Payment Card Industry Security Standards -Council) standards, and from its industry use. - -In industry, the term HSM is often used for solutions that are only logically segregated and that do not include any -particular defense against hardware attacks. Our conjecture is that this is a consequence of the standardization -landscape, where for applications outside of card payment processing the US FIPS -140-22~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} standard was central to -the industry. Despite encompassing both devices that include active tamper detection and response, FIPS 140-2 did not -draw a distinction in its terminology between the two classes. - -\section{Use in government standards} - -Under the still widely used US national standard FIPS 140 in in its 2002 version -2~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}, a HSM would be called a -\emph{Multiple-Chip Cryptographic Module} that conforms to the standard's \emph{Security Level} 4 out of 4. Interesting -to note are that only level 4 requires any active tamper detection and response, so devices compliant only up to levels -3 and below do not align with our HSM definition. Futher of note is that according to the standard, a single-chip -solution does not require any tamper detection and response either to meet the standard's security level 4, which is in -misalignment with our definition. The standard's 2019 updated version FIPS -140-3~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019} defers to the -international standards ISO/IEC 19790 and 24759. - -ISO/IEC 19790~\cite{ISOIEC19790} and ISO/IEC 24759~\cite{ISOIEC24759} call what we call a HSM a \emph{Hardware -Cryptographic Module} corresponding with the standards \emph{Security Level 4}. However, these standards only require -active tamper detection and response when cryptographic secrets are transmitted in plaintext between chips. - -\section{Use in card payment processing (PCI SSC) standards} - -The Payment Card Industry Security Standards Council (PCI SSC) is an association of credit card network operators that -defines standards for all layers of card payment processing, from card payment terminals in stores to the handling of -payment data in online shop backend systems. - -PCI SSC terminology aligns with our definition and with common everyday use of the term HSM. In PCI SSC terminology, a -HSM is a crytographic device that has active tamper detecion and response circuitry. However, PCI SSC terminology -differs from our use of the term HSM in one nuance: In PCI SSC terminology, a HSM is specifically a datacenter device -used for backend processing of payment data. The general class of ``hardware devices performing some security function -with or without particular physical security requirements'' that ISO/IEC 19790 and other standards call a \emph{Hardware -Cryptographic Module}, in PCI SSC terminology is termed \emph{Secure Cryptographic Device (SCD)} in more recent standard -versions, which was updated from the previous term \emph{Tamper-Resistant Security Module (TRSM)}. Other than HSMs, PCI -SSC includes smartcards and card payment terminals in this category. Card payment terminals, referred to as -\emph{Pin-Entry Device (PED)} in PCI SSC standards, have to include a surprising amount of active tamper detection and -response functionality including partial coverage of areas like their main cryptographic processor and smart card reader -by battery-backed tamper-sensing meshes. Under our definition, these devices can be classified as a type of HSM. - -\section*{Tamper-Sensing Meshes} -\addcontentsline{toc}{subsection}{Tamper-Sensing Meshes} - -In this thesis, we use the terms \emph{Tamper-Sensing Mesh} and \emph{Security Mesh} synonymous. We use both terms to -refer to any electrical circuit whose path is laid out to cover a surface with the intent of detecting attempts at -drilling, cutting or otherwise manipulating this surface. While the term \emph{Security Mesh} is more concise, it is -less clear to people unfamiliar with the matter. It is also polysemous, and depending on context can also refer to woven -or stamped metal meshes used as fences or as screens in front of windows to prevent break-ins. As a result, it is harder -to use in online searches, and when using Large Language Models (LLMs), it frequently leads to amusing hallucinations. - -% FIXME note leo: Das ganze wirkt wie ein guter baustein für eine Einleitung. Für einen Terminologie übersicht ist es -% ansonsten auch eigentlich zu lang. -% Splitte das vielleicht auf, ein paar mehr details in den Abstract um die HSM definition etwas zu präzisieren, den rest -% in die Intro? diff --git a/thesis.tex b/thesis.tex index ef0c3a6..092d9bc 100644 --- a/thesis.tex +++ b/thesis.tex @@ -1,5 +1,10 @@ -\documentclass[11pt,a4paper,notitlepage,twoside]{book} -\usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.8cm]{geometry} +\ifdefined\thesisoneside % + \documentclass[11pt,a4paper,notitlepage,oneside]{book} + \usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.5cm]{geometry} +\else % + \documentclass[11pt,a4paper,notitlepage,twoside]{book} + \usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.5cm]{geometry} +\fi % \input{common-packages} \input{common-defs} @@ -31,7 +36,6 @@ \input{abstract-de.tex} \input{abstract.tex} \input{ai-llm-use-disclosure.tex} -\input{hsm-terminology-notes.tex} \clearpage \tableofcontents