From 358b988a55a289fdcd82341ff5f4f4327fa5f942 Mon Sep 17 00:00:00 2001
From: jaseg
Date: Tue, 9 Sep 2025 17:16:44 +0200
Subject: [PATCH] WIP
---
 chapter-hsms/chapter.tex | 128 ++++++++++++++++++++++++++-------------
 1 file changed, 85 insertions(+), 43 deletions(-)
diff --git a/chapter-hsms/chapter.tex b/chapter-hsms/chapter.tex
index f52af28..e59e227 100644
--- a/chapter-hsms/chapter.tex
+++ b/chapter-hsms/chapter.tex
@@ -411,14 +411,14 @@ structure size, which limits the possible angles an attack tool could be inserte
 \end{subfigure}
 \quad
 \begin{subfigure}[t]{0.3\textwidth}
- \centering\includegraphics[width=\linewidth]{3d_construction_cards.jpg}
+ \centering\includegraphics[width=\linewidth]{3d_construction_cards_standalone.jpg}
 \caption{House-of-Cards construction}
 \label{hsm_fig_3d_struct_house_of_cards}
 \end{subfigure}
 \quad
 \begin{subfigure}[t]{0.3\textwidth}
- \centering\includegraphics[width=\linewidth]{hsm_3d_style_lds.jpg}
- \caption{Laser Direct Structuring, Image from \cite{mahungORWLPCMost2016}}
+ \centering\includegraphics[width=\linewidth]{3d_construction_lds_top.jpg}
+ \caption{Laser Direct Structuring}
 \label{hsm_fig_3d_struct_lds}
 \end{subfigure}
 \caption[3D mesh construction styles]{Construction styles used to fit tamper sensing meshes into 3D envelopes.}
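Review bot: The new caption `\caption{Laser Direct Structuring}` drops the `Image from \cite{mahungORWLPCMost2016}` credit in the same change that swaps the image file to `3d_construction_lds_top.jpg`. If the replacement is the author's own photograph that is correct, but if it is still derived from the cited source the credit has to stay in the caption. It is also worth checking whether `mahungORWLPCMost2016` is still cited elsewhere in the chapter, so the bibliography entry does not end up orphaned.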
@@ -433,9 +433,9 @@ Figure~\ref{hsm_fig_3d_struct_folded_overlap} and Figure~\ref{hsm_fig_3d_struct_ as flexible printed circuits, in Figure~\ref{hsm_fig_3d_struct_folded_overlap} using a standard photolithographic copper/polyimide FPC process usually used for flexible PCBs, and in Figure~\ref{hsm_fig_3d_struct_folded_overlap} using a standard silver ink screenprinting process. The choice in Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} not to -overlap the mesh in the corner is likely caused by manufacturing considerations, since it might be difficult to ensure +overlap the mesh in the corner is likely caused by manufacturing considerations, since it mig~ht be difficult to ensure proper folding of a small foil tab with adhesive pre-applied. - +~ Figure~\ref{hsm_fig_3d_struct_vacuum_form} shows a sample of a flexible circuit manufactured in a screenprinted silver-ink process thermoformed into a three-dimensional shape. The flexible circuit mesh is first produced in a standard planar printing process. After printing and curing, the resulting foil is then heated to soften it, and forced 
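Review bot: The added line `... since it mig~ht be difficult to ensure` puts a tie inside the word, which typesets as "mig ht", and the `~` line that follows replaces the empty line that separated the two paragraphs, so the thermoforming paragraph now runs on from "pre-applied." with only a non-breaking space in between. Both look like stray keystrokes: the line should read `... since it might be difficult to ensure` and the separator should go back to an empty line. Separately, in the unchanged context both process descriptions reference `hsm_fig_3d_struct_folded_overlap`; the silver-ink one presumably should be `hsm_fig_3d_struct_folded_no_overlap`, which is worth confirming against the figure.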
@@ -458,14 +458,7 @@ components on the PCB from tampering, this leaves a large gap between the bottom through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry. \todoplaceholder{take pic of sample H08 card slot cover} -Figure~\ref{house of cards pcb construction} shows a card slot being protected by several rigid PCBs assembled into a -three-dimensional structure. Solder connections between large pads are used to mechanically and electrically join the -boards. While the rigid PCBs used in such as structure can be produced in a highly inexpensive, standard process, this -style of construction requires manual assembly leading to increased labor cost. Furthermore, the construction leaves -large gaps at edges and corners, which is not a problem for card slot protection in payment applications but which would -be a flaw in a more standard HSM application. - -Figure~\ref{hsm_fig_3d_struct_lds} shows the resutl of Laser Direct Structuring (LDS), a process that avoids some of the +Figure~\ref{hsm_fig_3d_struct_lds} shows the result of Laser Direct Structuring (LDS), a process that avoids some of the limitations of thermoformed planar meshes. In LDS, a plastic part is covered in a conductive pattern in a combination of selective laser erosion of its surface and a series of preparation and electroless metal plating steps. LDS allows covering complex three-dimensional shapes, with the main limitation being that all patterned areas must have a direct 
@@ -476,56 +469,93 @@ disadvantage of LDS is that it is only suitable for single-layer patterns, while silkscreen and photolithographic PCB processes by patterning both sides of the substrate. More layers can be achived in these processes by simply stacking multiple foil layers and adding vias (through contacts), or by folding. +Figure~\ref{hsm_fig_3d_struct_house_of_cards} shows an assembly of several rigid PCBs assembled into a three-dimensional +structure to protect a card slot. Solder connections between large pads are used to mechanically and electrically join +the boards. While the rigid PCBs used in such as structure can be produced in a highly inexpensive, standard process, +this style of construction requires manual assembly leading to increased labor cost. Furthermore, the construction +leaves large gaps at edges and corners, which is not a problem for card slot protection in payment applications but +which would be a flaw in a more standard HSM application. + \begin{figure} \centering - \begin{subfigure}[t]{0.3\textwidth} - \centering\includegraphics[width=\linewidth]{} + \begin{subfigure}[t]{0.45\textwidth} + \centering\includegraphics[width=\linewidth]{3d_construction_offset_mesh_delayered_contrast_improved.jpg} \caption{Small obstacle mesh coupons} \label{hsm_fig_3d_sandwich_obstacle} \end{subfigure} \quad - \begin{subfigure}[t]{0.3\textwidth} - \centering\includegraphics[width=\linewidth]{} + \begin{subfigure}[t]{0.45\textwidth} + \centering\includegraphics[width=\linewidth]{3d_construction_via_stitch_mesh_delayer_2.jpg} \caption{Via-fence meshes} \label{hsm_fig_3d_sandwich_via_fence} \end{subfigure} \quad - \begin{subfigure}[t]{0.3\textwidth} - \centering\includegraphics[width=\linewidth]{} - \caption{PCB lid with routed cavity and embedded planar and via-fence meshes} - \label{hsm_fig_3d_sandwich_lid} + \begin{subfigure}[t]{0.45\textwidth} + \centering\includegraphics[width=\linewidth]{3d_construction_planar_stack.jpg} + \caption{Planar sandwich 
stack protecting the back of a connector} + \label{hsm_fig_3d_sandwich_stack} \end{subfigure} \quad - \begin{subfigure}[t]{0.3\textwidth} - \centering\includegraphics[width=\linewidth]{} - \caption{Sandwich stack} - \label{hsm_fig_3d_sandwich_stack} + \begin{subfigure}[t]{0.45\textwidth} + \centering\includegraphics[width=\linewidth]{3d_construction_cavity_2.jpg} + \caption{PCB lid with routed cavity and embedded planar and via-fence meshes} + \label{hsm_fig_3d_sandwich_lid} \end{subfigure} \caption[Sandwich mesh construction styles]{Construction styles used to cover 3D volumes using sandwich-style construction.} \label{hsm_fig_3d_sandwich} \end{figure} +Besides the house of cards construction style shown in Figure~\ref{hsm_fig_3d_struct_house_of_cards} where PCBs are +hand-assembled into a 3D shape, rigid PCBs are also often soldered planar on top of other PCBs to serve as meshes. +Figure~\ref{hsm_fig_3d_sandwich} shows examples of such sandwich-style constructions. +Figure~\ref{hsm_fig_3d_sandwich_obstacle} and Figure~\ref{hsm_fig_3d_sandwich_via_fence} show a popular construction +technique where a small mesh PCB coupon is soldered using a Land Grid Array (LGA)-technique on top of a larger base PCB +containing circuitry. The goal in this technique is to project a small part of the mesh into the space above the base +PCB. While this does not prvevent targeted drilling, as the small coupon is easy to avoid, it does prevent an attacker +from sawing or laser-cutting into the side of the device parallel to the base PCB. In the implementation shown in +Figure~\ref{hsm_fig_3d_sandwich_obstacle}, the coupon simply contains a small mesh embedded in an inner layer. +Figure~\ref{hsm_fig_3d_sandwich_via_fence} shows a different technique, where the mesh inside the coupon is not +primarily laid out in the PCB plane, but instead a large number of vias is used to create a three-dimensional zig-zag +trace structure. 
While due to structure size limitations this via structure is much coarser than a planar mesh like that +in Figure~\ref{hsm_fig_3d_sandwich_obstacle} would be, it increases the fraction of the vertical space inside the coupon +that is covered by the mesh. + +Figure~\ref{hsm_fig_3d_sandwich_stack} shows a variation of this coupon technique where two such coupons are stacked to +create a small overhang, here attempting to protect the back side of a magnetic stripe reader contact in a payment +terminal. While a similar result could also be achieved by milling a slot into the side of a single custom-thickness +PCB, the economics of PCB manufacturing are such that it may be more cost-effective to bond two standard-thickness PCBs +on top of one another instead. + +Figure~\ref{hsm_fig_3d_sandwich_lid} finally shows an advanced construction technique that uses a custom PCB with a +large indent milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base +PCB. This PCB lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A +ground plane filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the +cavity. Below this standard mesh stackup are two that are used to create a via fence structure similar to that shown in +Figure~\ref{hsm_fig_3d_sandwich_via_fence} in an attempt to protect the sides around the central cavity. Below these two +via fence layers, at the bottom of the PCB is one more layer containing the pads connecting it to the base PCB. + \subsubsection{Contact and trace construction.} +Contacts + +Figure~\ref{hsm_fig_materials_gold_lds} shows part of a mesh and a contact created +using Laser Direct Structuring and electroless gold plating. Where in electroplating electrical current is used to +deposit metal atoms on a surface, in electroless plating a series of chemical reactions is used. 
Electroplating requires +all traces to be electrically connected to form a single electrode, while electroless plating can be used on the +finished circuit. In Figure~\ref{hsm_fig_materials_gold_lds}, it is visible how the trace was created using three +parallel passes by the laser. The micrograph also shows the rather coarse edge structure created by LDS, which is caused +by the rough surface left after pulsed laser ablation. The uneven, thin layer of metallization created by LDS results in +mechanically fragile contacts. They must be contacted using a soft material, usually an elastomeric connector. + +Figure~\ref{hsm_fig_materials_carbon_ink} + \begin{figure} \centering \begin{subfigure}[t]{0.3\textwidth} - \centering\includegraphics[width=\linewidth]{trace_material_carbon.jpg} - \caption{Screen printing process using carbon ink} - \label{hsm_fig_materials_carbon_ink} - \end{subfigure} - \quad - \begin{subfigure}[t]{0.3\textwidth} - \centering\includegraphics[width=\linewidth]{trace_material_silver.jpg} - \caption{Screen printing process using silver ink} - \label{hsm_fig_materials_silver_ink} - \end{subfigure} - \quad - \begin{subfigure}[t]{0.3\textwidth} - % FIXME \centering\includegraphics[width=\linewidth]{trace_material_gold.jpg} - \caption{Laser direct structuring using electroless gold or other metals} - \label{hsm_fig_materials_gold_lds} + \centering\includegraphics[width=\linewidth]{trace_material_copper_pcb.jpg} + \caption{Standard photolithographic copper PCB process on rigid FR-4 fiberglass substrate} + \label{hsm_fig_materials_pcb_rigid} \end{subfigure} \quad \begin{subfigure}[t]{0.3\textwidth} 
@@ -535,9 +565,21 @@ these processes by simply stacking multiple foil layers and adding vias (through
 \end{subfigure}
 \quad
 \begin{subfigure}[t]{0.3\textwidth}
- \centering\includegraphics[width=\linewidth]{trace_material_copper_pcb.jpg}
- \caption{Standard photolithographic copper PCB process on rigid FR-4 fiberglass substrate}
- \label{hsm_fig_materials_pcb_rigid}
+ \centering\includegraphics[width=\linewidth]{trace_material_silver.jpg}
+ \caption{Screen printing process using silver ink with some carbon ink contact pads for embedded buttons}
+ \label{hsm_fig_materials_silver_ink}
+ \end{subfigure}
+ \quad
+ \begin{subfigure}[t]{0.3\textwidth}
+ \centering\includegraphics[width=\linewidth]{trace_material_contact_gold_lds.jpg}
+ \caption{Laser direct structuring using electroless gold plating}
+ \label{hsm_fig_materials_gold_lds}
+ \end{subfigure}
+ \quad
+ \begin{subfigure}[t]{0.3\textwidth}
+ \centering\includegraphics[width=\linewidth]{trace_material_carbon.jpg}
+ \caption{Screen printing process using carbon ink}
+ \label{hsm_fig_materials_carbon_ink}
 \end{subfigure}
 \caption[Mesh materials]{Materials and manufacturing processes used for mesh traces and contacts.}
 \label{hsm_fig_materials}