Small fixes in survey chapter
This commit is contained in:
jaseg
parent
033ce4fe69
commit
5c6dc73248
2 changed files with 581 additions and 999 deletions
|
|
@ -6,35 +6,35 @@
|
|||
|
||||
\chaptertitle{Active Tamper Sensing in the Wild}
|
||||
|
||||
Inertial Hardware Security Modules are the latest link in a series o developments bringing hardware security primitives
|
||||
from niche military cipher machines to mass-market applications. The tamper-sensing technology that forms the primary
|
||||
line of defense in such physical security systems goes back more than a century, with the earliest tamper-sensing meshes
|
||||
Inertial Hardware Security Modules are the latest link in a series of developments bringing hardware security primitives
|
||||
from niche military cipher machines to mass-market applications. The tamper sensing technology that forms the primary
|
||||
line of defense in such physical security systems goes back more than a century, with the earliest tamper sensing meshes
|
||||
being used in the late 19\textsuperscript{th} century, around the widespread commercialization of electricity. Today,
|
||||
active tamper-sensing meshes are used in a wide array of devices ranging from card payment terminals to atomic bombs.
|
||||
active tamper sensing meshes are used in a wide array of devices ranging from card payment terminals to atomic bombs.
|
||||
|
||||
In this chapter, we will start with a brief history of secure hardware with a particular focus on tamper-sensing meshes.
|
||||
Complementing our historical analysis, we will present the results of a survey of a range of real-world devices using
|
||||
tamper-sensing meshes and analyze their implementation. We will analyze the gaps left by the current state of the
|
||||
industry, and evaluate how Inertial HSMs could close these gaps to make secure hardware accessible to a wider range of
|
||||
applications. We will start with a brief history of secure hardware with a particular focus on tamper-sensing meshes.
|
||||
In this chapter, we will start with a brief history of secure hardware with a particular focus on tamper sensing meshes.
|
||||
Complementing our historical analysis, we will present the results of a survey of a range of real-world devices that use
|
||||
tamper sensing meshes and analyze their implementation. We will analyze the gaps left by the current state of the art in
|
||||
commercial practice, and evaluate how Inertial HSMs could close these gaps to make secure hardware accessible to a wider
|
||||
range of applications.
|
||||
|
||||
\section{The History of Tamper Sensing Meshes}
|
||||
|
||||
Tamper-sensing meshes offer many degrees of freedom in their design ranging from the precise conductor layout, through
|
||||
tamper sensing meshes offer many degrees of freedom in their design ranging from the precise conductor layout, through
|
||||
the manufacturing technology of the mesh and how it is wrapped around the payload during manufacturing up to their
|
||||
monitoring circuitry. As a result, manufacturers across application domains from datacenter appliance HSMs through card
|
||||
payment terminals have historically used patents on parts of their tamper-sensing mesh implementations as a means to
|
||||
monitoring circuitry. As a result, manufacturers across application domains from datacenter appliance HSMs to card
|
||||
payment terminals have historically used patents on parts of their tamper sensing mesh implementations as a means to
|
||||
prevent copying of their designs~\cite{
|
||||
razaghiCircuitBoardHold2019,
|
||||
heitmannTamperBarrierElectronic2005,
|
||||
clarkTamperDetectionSystem2005,
|
||||
heitmannMethodMakingTamper2009,
|
||||
perreaultSystemMethodInstalling2005,
|
||||
}. The basic principle of modern tamper-sensing meshes, preventing physical intrusion using an embedded looped conductor
|
||||
to cover a surface traces back as far as at least 1870~\cite{
|
||||
}. The basic principle of modern tamper sensing meshes, preventing physical intrusion using an embedded looped conductor
|
||||
to cover a surface, traces back at least as far as 1870~\cite{
|
||||
ImprovementProtectingSafes1870,
|
||||
ImprovementElectromagneticEnvelopes1870}, when it was applied to the protection of bank vaults from robbers
|
||||
attempting to dig, drill and saw through the vault's floor and walls. Even multi-layer, orthogonal tamper-sensing meshes
|
||||
attempting to dig, drill and saw through the vault's floor and walls. Even multi-layer, orthogonal tamper sensing meshes
|
||||
are documented as far back as 1902~\cite{suttonElectricallyprotectedStructure1902}. Using printed circuits instead of
|
||||
wires for this purpose occurs in literature as soon as printed circuit technology finds widespread commercial adoption
|
||||
in the 1960ies~\cite{hamPrintedcircuitTypeSecurity1971}. The history of more HSM-like devices begins in the 1990ies with
|
||||
|
|
@ -56,7 +56,7 @@ the widespread adoption of cryptography in commercial applications~\cite{
|
|||
|
||||
One of the earliest practical uses of tamper sensing meshes is documented in notes on a series of lectures given by
|
||||
Dr.~David~G. Boak, a specialist in communications security and signal intelligence at the US National Security
|
||||
Agency\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
|
||||
Agency~\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
|
||||
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
|
||||
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
|
||||
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
|
||||
|
|
@ -68,7 +68,7 @@ exciting--exploding the device.
|
|||
|
||||
\subsection{Use in Nuclear Weapons}
|
||||
|
||||
Communications security was not the earliest use of tamper-sensing membranes in the US military, with Boak mentioning
|
||||
Communications security was not the earliest use of tamper sensing membranes in the US military, with Boak mentioning
|
||||
HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such
|
||||
systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a
|
||||
PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were
|
||||
|
|
@ -83,13 +83,13 @@ explosion that the weapon is capable of. This goal is achievable in practice sin
|
|||
sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation
|
||||
when triggered in just the right way.
|
||||
|
||||
While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper-sensing
|
||||
While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper sensing
|
||||
membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been
|
||||
in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control.
|
||||
|
||||
\subsection{Use in Nuclear Safeguards}
|
||||
|
||||
Besides being used in nuclear weapons, tamper-sensing systems have another, more peaceful application in the nuclear
|
||||
Besides being used in nuclear weapons, tamper sensing systems have another, more peaceful application in the nuclear
|
||||
field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear
|
||||
energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at
|
||||
civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the
|
||||
|
|
@ -101,10 +101,10 @@ extensive use of tamper-indicating enclosures and of seals. In both systems, the
|
|||
seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or
|
||||
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
|
||||
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
|
||||
brigh color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
|
||||
bright color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
|
||||
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
|
||||
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
|
||||
that drilling or cutting into something like a steel enclosure will leave detectable traces, and that perfectly
|
||||
that drilling or cutting into something like a metal enclosure will leave detectable traces, and that perfectly
|
||||
replicating an object including features such as minute surface imperfections is infeasible even to a nation
|
||||
state~\cite{iaea2011}.
|
||||
|
||||
|
|
@ -114,7 +114,7 @@ indication, which we conventionally call tamper evidence. Tamper indicating devi
|
|||
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
|
||||
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
|
||||
back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own
|
||||
readings~\cite{simmonsHowInsureThat1988}
|
||||
readings~\cite{simmonsHowInsureThat1988}.
|
||||
|
||||
With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
|
||||
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
|
||||
|
|
@ -137,22 +137,23 @@ HSMs are used for highly sensitive operations even outside of the financial indu
|
|||
hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this
|
||||
chapter, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.
|
||||
|
||||
Beyond finance, tamper-sensing meshes have found applications in a variety of other use cases as well. For instance, we
|
||||
Beyond finance, tamper sensing meshes have found applications in a variety of other use cases as well. For instance, we
|
||||
have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit
|
||||
analyzed in this chapter. Furthermore, we have identified at least one model of key safe that in Germany is mounted
|
||||
externally on public buildings to provide keys to emergency services, and which includes a tamper sensing mesh on its
|
||||
outside-facing wall to detect attempts at drilling into it. Finally, we have found a processing unit used in a series of
|
||||
mid-2000s era slot machines in Germany that includes a tamper-sensing mesh, presumably to prevent modification or
|
||||
analyzed in this chapter. Furthermore, we have identified several models of key safes that in Germany are mounted
|
||||
externally on public buildings to provide keys to emergency services, and which include tamper sensing meshes on their
|
||||
door and interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
|
||||
krusesicherheitssystemeDatenblattKRUSEFWSchlusseldepot2018}. Finally, we have found a processing unit used in a series
|
||||
of mid-2000s era slot machines in Germany that includes a tamper sensing mesh, presumably to prevent modification or
|
||||
cloning. This device will also be analyzed later in this chapter.
|
||||
|
||||
\section{Tamper-Sensing Mesh Design Principles}
|
||||
\section{tamper sensing Mesh Design Principles}
|
||||
|
||||
%\subsection{Tamper-sensing Mesh Manufacturing}
|
||||
%\subsection{tamper sensing Mesh Manufacturing}
|
||||
|
||||
The manufacturing technology of a tamper sensing mesh is a critical factor in its security. While in many applications,
|
||||
meshes manufactured from off-the-shelf processes such as Flexible Printed Circuit (FPC) processes are used, these
|
||||
processes tend to be optimzed to maximize the robustness of the produced circuits to mechanical stress. In contrast, the
|
||||
ideal tamper-sensing mesh is exactly as robust as it needs to be not to be destroyed accidentially during normal
|
||||
ideal tamper sensing mesh is exactly as robust as it needs to be not to be destroyed accidentially during normal
|
||||
handling, but should not be more robust than that. As a result, more secure meshes tend to be manufactured in bespoke
|
||||
manufacturing processes~\cite{
|
||||
immlerBTREPIDBatterylessTamperresistant2018,
|
||||
|
|
@ -160,7 +161,7 @@ manufacturing processes~\cite{
|
|||
ImprovementProtectingSafes1870}.
|
||||
% TODO cite hennigApparatusMethodComprising2020 and obermaierPUFfilmMethodProducing2023 on immler et al PUF tech
|
||||
|
||||
One more widely cited tamper-sensing mesh implementation is a commercial product developed by IBM in collaboration with
|
||||
One more widely cited tamper sensing mesh implementation is a commercial product developed by IBM in collaboration with
|
||||
chemical company W.\ L.\ Gore \& Asscociates Inc.\ and used in IBM's datacenter HSM products up to approximately 2020.
|
||||
This mesh design uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are
|
||||
printed. Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces
|
||||
|
|
@ -178,8 +179,8 @@ basic construction and layout has not changed much since the early 1990ies~\cite
|
|||
|
||||
\subsection{Monitoring Circuit Approaches}
|
||||
|
||||
Tamper-sensing meshes are most effective when they are continuously monitored using a backup power supply when the
|
||||
larger system is powered off. In practice, the main challenge with continuous monitoring of tamper-sensing meshes is in
|
||||
tamper sensing meshes are most effective when they are continuously monitored using a backup power supply while the rest
|
||||
of the system is powered off. In practice, the main challenge with continuous monitoring of tamper sensing meshes is in
|
||||
the design of the monitoring circuit. A large portion of industry attention has been spent on designing low-power
|
||||
monitoring circuits that are sensitive to tampering with the mesh while using little enough power to enable years of
|
||||
operation from a battery. Commonly, one or two cylindrical or large coin cell Lithium primary batteries are used,
|
||||
|
|
@ -193,7 +194,7 @@ To achieve low power consumption, a popular technique known since at least
|
|||
today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the deviation of the mesh's
|
||||
end-to-end ohmic resistance from its baseline value. This measurement can be implemented either by directly comparing a
|
||||
mesh trace's resistance with a reference resistor, or using a wheatstone bridge. Using a bridge circuit was already used
|
||||
in early tamper-sensing mesh implementations~\cite{
|
||||
in early tamper sensing mesh implementations~\cite{
|
||||
ElektrischeSicherheitseinrichtungSchutze1932,
|
||||
hamPrintedcircuitTypeSecurity1971,
|
||||
dalphinEnceinteProtegeeAvec1987,
|
||||
|
|
@ -201,7 +202,7 @@ in early tamper-sensing mesh implementations~\cite{
|
|||
|
||||
\subsection{Other Tamper Sensing Techniques}
|
||||
|
||||
Besides tamper-sensing meshes, environmental sensors such as temperature or light sensors are frequently used as a
|
||||
Besides tamper sensing meshes, environmental sensors such as temperature or light sensors are frequently used as a
|
||||
secondary line of defence in HSMs and similar devices. By placing such sensors in the device and verifying the device is
|
||||
within its nominal operating environment, tampering can be made less convenient. Modern security standards often mandate
|
||||
the implementation of at least a temperature sensor to prevent cold-boot attacks on a device. A multitude of other
|
||||
|
|
@ -221,7 +222,7 @@ meshes in civil applications was likely catalyzed by two advancements in electro
|
|||
became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
|
||||
adoption of PCB and Flexible Printed Circuit (FPC) production processes enabled their use as inexpensive,
|
||||
high-resolution substrates for such meshes. In this section, we will examine a large sample of recent devices that
|
||||
include tamper-sensing meshes to gain an understanding of how they are implemented, and what security level they are
|
||||
include tamper sensing meshes to gain an understanding of how they are implemented, and what security level they are
|
||||
targeted towards. Since we were unable to acquire a nuclear weapon for our research, we limited our survey to commercial
|
||||
devices with a focus on card payment terminals, which represent the most varied class of device incorporating such
|
||||
meshes.
|
||||
|
|
@ -317,8 +318,8 @@ Figure~\ref{fig_hsm_survey_sample_internal_pics}.
|
|||
\surveypic{28}{survey_diag_S28.jpg}&
|
||||
\surveypic{29}{survey_diag_S29.jpg}&
|
||||
\surveypic{30}{survey_diag_S30.jpg}&
|
||||
\surveypic{30}{survey_diag_S31.jpg}\\
|
||||
\surveypic{30}{survey_diag_S32.jpg}&
|
||||
\surveypic{31}{survey_diag_S31.jpg}\\
|
||||
\surveypic{32}{survey_diag_S32.jpg}&
|
||||
\end{tabular}
|
||||
\caption{External photos of all survey samples}
|
||||
\label{fig_hsm_survey_sample_pics}
|
||||
|
|
@ -343,8 +344,8 @@ standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result
|
|||
safeguard weak symmetric keys, compensating for the systems' modest cryptographic security.
|
||||
|
||||
Since card payment terminals are widely deployed, many different models from various manufacturers are available. Each
|
||||
manufacturer tends to have their own, patented tamper-sensing implementation. Being manufactured at scale, card payment
|
||||
terminals are cost-sensitive devices, which is reflected in the construction of their tamper-sensing implementations.
|
||||
manufacturer tends to have their own, patented tamper sensing implementation. Being manufactured at scale, card payment
|
||||
terminals are cost-sensitive devices, which is reflected in the construction of their tamper sensing implementations.
|
||||
|
||||
\subsubsection{HSM Appliances}
|
||||
|
||||
|
|
@ -379,7 +380,7 @@ with the customer's card passes through an end-to-end encrypted channel from the
|
|||
smartcard IC, the customer must necessarily enter their pin in plain text. To prevent leakage of the plaintext PIN, the
|
||||
PIN is encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the encryption.
|
||||
Often, both the circuit board containing the PIN pad's keyboard matrix and this microcontroller are shielded by a
|
||||
tamper-sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and
|
||||
tamper sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and
|
||||
transmit the plaintex PIN.
|
||||
|
||||
We acquired three different EPPs for analysis: Two designed by Sagem and apparently re-sold as a whitelabel product by
|
||||
|
|
@ -388,7 +389,7 @@ cases.
|
|||
|
||||
\subsubsection{Other miscellaneous devices}
|
||||
|
||||
Sometimes, tamper-sensing meshes show up in other types of devices. We acquired two such devices. First, we acquired a
|
||||
Sometimes, tamper sensing meshes show up in other types of devices. We acquired two such devices. First, we acquired a
|
||||
Neopost mail franking machine, a type of device that is used to directly print a code on an envelope that replaces a
|
||||
conventional postage stamp. Since in businesses handling large volumes of mail these devices were routinely charged with
|
||||
large sums of money in postage, such devices have security features ranging from physical seals on their enclosure to
|
||||
|
|
@ -398,7 +399,7 @@ specimen only contained a sturdy cast zinc case that was welded shut with a spri
|
|||
miscellaneous device we found is a broken CPU module from a German slot machine manufacturer. While it would be
|
||||
reasonable to assume this type of device might include active tamper sensing features to enforce state gambling
|
||||
regulations, other slot machine manufacturers seem not to use tamper sensing in their systems so the more likely reason
|
||||
is DRM. Our specimen included both a tamper-sensing mesh as well as a semiconductor junction light sensor inside of a
|
||||
is DRM. Our specimen included both a tamper sensing mesh as well as a semiconductor junction light sensor inside of a
|
||||
sealed sheet metal enclosure.
|
||||
|
||||
\subsection{Methodology}
|
||||
|
|
@ -406,7 +407,7 @@ sealed sheet metal enclosure.
|
|||
We proceeded by first photographing every test specimen from multiple angles, then disassembling them. After
|
||||
disassembly, we photographed each major component. Figure~\ref{fig_hsm_survey_sample_internal_pics} shows a selection of
|
||||
these photos showing the major internal components of the devices. After photos were taken, we proceeded with
|
||||
destructive techniques where necessary to obtain microscope photos of each tamper-sensing mesh component. PCBs were
|
||||
destructive techniques where necessary to obtain microscope photos of each tamper sensing mesh component. PCBs were
|
||||
sectioned using a sanding drum attachment on a Dremel rotary tool. Potted modules were disassembled using milling,
|
||||
cutting and prying, and applying heat from a heat gun as necessary to soften polymer compounds and to break glue joints.
|
||||
|
||||
|
|
@ -459,7 +460,7 @@ supplementary material to this thesis.
|
|||
|
||||
\subsubsection{Mesh materials.}
|
||||
We found meshes constructed from rigid PCBs as well as a number of Flexible Printed Circuit (FPC) processes.
|
||||
Tamper-sensing meshes constructed from PCBs sometimes used parts of an existing PCB, and sometimes additional PCBs only
|
||||
tamper sensing meshes constructed from PCBs sometimes used parts of an existing PCB, and sometimes additional PCBs only
|
||||
containing a mesh were added. Sometimes, multiple rigid PCB meshes were assembled in a house of cards fashion to enclose
|
||||
part of a device. For flexible meshes, with the exception of the Utimaco HSM appliance's HSM card that used an
|
||||
off-the-shelf Gore tamper sensing mesh foil were all clearly manufactured either entirely or mostly in standard
|
||||
|
|
@ -500,7 +501,7 @@ printed foil meshes was coarser at between \qtyrange{500}{3000}{\micro\meter}.
|
|||
\label{hsm_fig_mesh_layout}
|
||||
\end{figure}
|
||||
|
||||
A key goal in tamper-sensing mesh design is to avoid any gaps in coverage. In single-layer meshes, gaps between adjacent
|
||||
A key goal in tamper sensing mesh design is to avoid any gaps in coverage. In single-layer meshes, gaps between adjacent
|
||||
mesh traces cannot be avoided, and provide an easy approach for an attack. In multi-layer meshes, these structure
|
||||
size-dependent gaps can be mitigated in multiple ways as shown in Figure~\ref{hsm_fig_mesh_layout}.
|
||||
|
||||
|
|
@ -515,7 +516,7 @@ mesh pattern mostly orthogonal on the mesh's two layers as shown in Figure~\ref{
|
|||
this leads to a larger amount of gaps compared to offset patterns as described above, it also reduces the largest gap
|
||||
size to about one structure size by one structure size.
|
||||
|
||||
\paragraph{Combined approaches.} Figure~\ref{hsm_fig_mesh_layout_utimaco} shows the layout of a Gore tamper-sensing mesh
|
||||
\paragraph{Combined approaches.} Figure~\ref{hsm_fig_mesh_layout_utimaco} shows the layout of a Gore tamper sensing mesh
|
||||
foil used in an Utimaco HSM. This mesh consists of two foil layers bonded to each other. The outer foil is patterned on
|
||||
both sides with a sparse pattern of thin serpentine traces with the patterns on both layers being orthogonal to each
|
||||
other. Both patterns are oriented at a \qty{45}{\degree} angle relative to the sides of the rectangular enclosed volume.
|
||||
|
|
@ -568,23 +569,23 @@ structure size, which limits the possible angles an attack tool could be inserte
|
|||
\label{hsm_fig_materials}
|
||||
\end{figure}
|
||||
|
||||
Regular Printed Circuit Boards are frequently used to implement tamper-sensing meshes as shown in
|
||||
Regular Printed Circuit Boards are frequently used to implement tamper sensing meshes as shown in
|
||||
Figure~\ref{hsm_fig_materials_pcb_rigid}. PCB production is a highly advanced, large-scale industry and PCBs are
|
||||
inexpensive, commodity products. PCBs can be manufactured with many layers, at almost arbitrary total thickness, and
|
||||
offer small structure sizes enabling the creation of fine features down to approximately \qty{100}{\micro\meter} even on
|
||||
commodity processes. The primary disadvantage of using PCBs to implement tamper-sensing meshes is that PCBs are
|
||||
commodity processes. The primary disadvantage of using PCBs to implement tamper sensing meshes is that PCBs are
|
||||
fundamentally designed to be as robust as possible. The traces on the top of a PCB are etched from a thick (usually
|
||||
\qty{35}{\micro\meter} on the outer layers) copper foil adhered to the PCB substrate. As a result, the PCB and the
|
||||
traces on its surface are easy to manipulate by hand using tools like knives and techniques like soldering. For a
|
||||
tamper-sensing mesh, trace patterns manufactured to be more fragile might be advantageous. Additionally, standard PCBs
|
||||
are made using a rigid FR-4 fiberglass/epoxy substrate. Since a tamper-sensing mesh must often enclose all sides of a
|
||||
tamper sensing mesh, trace patterns manufactured to be more fragile might be advantageous. Additionally, standard PCBs
|
||||
are made using a rigid FR-4 fiberglass/epoxy substrate. Since a tamper sensing mesh must often enclose all sides of a
|
||||
payload, flexible foils offer benefits over rigid PCBs.
|
||||
|
||||
Figure~\ref{hsm_fig_materials_pcb_flex} shows a Flexible Printed Circuits (FPCs) produced in a standard commercial
|
||||
process similar to PCB production. In FPCs, a copper foil adhered to a substrate is etched, but the substrate here
|
||||
usually is a thin foil made from polyimide, an orange, temperature-resistant polymer that survives common reflow (hot
|
||||
air) soldering temperatures. In contrast to rigid PCBs, FPCs are usually limited to no more than four layers before
|
||||
losing flexibility. Flexible PCBs are often used for tamper-sensing meshes that wrap around a payload, but they come
|
||||
losing flexibility. Flexible PCBs are often used for tamper sensing meshes that wrap around a payload, but they come
|
||||
with the same limitation as standard PCBs: Due to their robust substrate and thick copper layers, they are easily
|
||||
manipulated by hand.
|
||||
|
||||
|
|
@ -595,7 +596,7 @@ small conductive particles suspended in a hardening binder. Common conductive in
|
|||
Silver-based inks offer lower resistance compared to carbon-based inks, but are prone to surface oxitation and as such
|
||||
are not suitable for contacts. As such, they are often combined with a carbon ink used in contact areas. Carbon-based
|
||||
inks have high resistance, and can be used to create embedded resistors. The circuit shown in
|
||||
Figure~\ref{hsm_fig_materials_silver_ink} contains a tamper-sensing mesh on a lower layer, and a keypad matrix with
|
||||
Figure~\ref{hsm_fig_materials_silver_ink} contains a tamper sensing mesh on a lower layer, and a keypad matrix with
|
||||
carbon contacts on its surface.
|
||||
|
||||
Figure~\ref{hsm_fig_materials_gold_lds} shows part of a mesh and a contact created using Laser Direct Structuring and
|
||||
|
|
@ -646,11 +647,11 @@ contacts. They must be contacted using a soft material, usually an elastomeric c
|
|||
\caption{}
|
||||
\label{hsm_fig_connector_dome}
|
||||
\end{subfigure}
|
||||
\caption[Mesh connecting methods]{Connecting methods used between tamper-sensing mesh assemblies and their base PCBs}
|
||||
\caption[Mesh connecting methods]{Connecting methods used between tamper sensing mesh assemblies and their base PCBs}
|
||||
\label{hsm_fig_connector}
|
||||
\end{figure}
|
||||
|
||||
In our survey, we found a wide variety of connecting methods used to connect tamper-sensing mesh assemblies with their
|
||||
In our survey, we found a wide variety of connecting methods used to connect tamper sensing mesh assemblies with their
|
||||
base PCBs with a selection shown in Figure~\ref{hsm_fig_connector}. Both rigid PCBs and FPCs can be soldered directly to
|
||||
a PCB using either a Land Grid Array (LGA) technique where pads on both PCBs are soldered facing each other, or using
|
||||
\emph{castellated} edges, where pads on the base PCB are soldered sideways to holes on the top PCB that have been milled
|
||||
|
|
@ -664,15 +665,15 @@ on the FPC. Both FPCs and rigid PCBs can be used with standard board-to-board st
|
|||
visible in the center of Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's
|
||||
back side to ensure the solder joints don't break from mechanical stress when connecting or disconnecting.
|
||||
|
||||
In our survey, we frequently found elastomeric connectors used to connect to both flexible and rigid tamper-sensing mesh
|
||||
In our survey, we frequently found elastomeric connectors used to connect to both flexible and rigid tamper sensing mesh
|
||||
assemblies. Elastomeric connectors such as the one shown in the center of Figure~\ref{hsm_fig_connector_elastomeric} are
|
||||
usually used in LCD construction to contact a PCB to the LCD's Indium Tin Oxide (ITO)-coated conductive glass, but they
|
||||
can be used between any two parallel, conductive surfaces\cite{andreaElectronicConnectorBook2022}. Elastomeric
|
||||
can be used between any two parallel, conductive surfaces~\cite{andreaElectronicConnectorBook2022}. Elastomeric
|
||||
connectors consist of two insulating elastic polymer layers on the outside, with a thin strip of fine, alternating
|
||||
conductive and insulating elastic polymer layers sandwiched in between. In Figure~\ref{hsm_fig_connector_elastomeric}
|
||||
the outer insulating layers are the blue polymer, and the alternating pattern can be seen embedded in their middle. The
|
||||
fine alternating pattern mates to much larger pads on the two contact surfaces, ensuring that adjacent contacts are
|
||||
electrically insulated. In tamper-sensing mesh applications, elastomeric connectors provide an intrinsic disassembly
|
||||
electrically insulated. In tamper sensing mesh applications, elastomeric connectors provide an intrinsic disassembly
|
||||
detection since they require continuous pressure to maintain electrical contact. In the top part of
|
||||
Figure~\ref{hsm_fig_connector_stack}, a land pattern for an elastomeric connector is visible.
|
||||
|
||||
|
|
@ -689,7 +690,7 @@ to a base PCB. Here, a tactile metal dome intended to be used for creating butto
|
|||
connect the mesh to the base PCB.
|
||||
|
||||
An alternative to soldering and elastomeric connectors that we did not observe during our survey but that deserves
|
||||
mention here is Anisotropic Conductive Film (ACF)\cite{huangHardwareHackerAdventures2019}. Similar to elastomeric
|
||||
mention here is Anisotropic Conductive Film (ACF)~\cite{huangHardwareHackerAdventures2019}. Similar to elastomeric
|
||||
connectors, ACF is industrially used to contact flexible PCBs to ITO-coated glass in TFT displays. ACF comes as a
|
||||
double-sided tape that is bonded using pressure and sometimes high temperatures, and creates a connection between
|
||||
conductive surfaces on both sides of the tape. This connection has an anisotropic nature, meaning that the tape only
|
||||
|
|
@ -896,9 +897,9 @@ mesh.
|
|||
|
||||
% FIXME intro here
|
||||
|
||||
%\subsection{Tamper-sensing meshes then and now}
|
||||
%\subsection{tamper sensing meshes then and now}
|
||||
|
||||
Concluding both our patent research and our experimental survey, we find that tamper-sensing meshes have been a
|
||||
Concluding both our patent research and our experimental survey, we find that tamper sensing meshes have been a
|
||||
commonplace technology throughout the past 150 years. While mesh manufacturing technology has experienced some
|
||||
advancements from historical wire-wound meshes to modern meshes always being constructed in printed circuit processes,
|
||||
mesh monitoring approaches have received surprisingly little attention through the centuries and even in recent,
|
||||
|
|
@ -908,7 +909,7 @@ considered sufficient by manufacturers.
|
|||
|
||||
\subsection{Mesh construction techniques}
|
||||
|
||||
We found that in almost all cases, practical tamper-sensing meshes are constructed using standard manufacturing
|
||||
We found that in almost all cases, practical tamper sensing meshes are constructed using standard manufacturing
|
||||
processes. In some card payment terminals, we found meshes that used slightly customized standard processes and e.g.
|
||||
integrated a mesh layer produced in a carbon printing process into a membrane keypad, but customizations were minimal.
|
||||
We only found one mesh manufactured in a bespoke process in the datacenter HSM appliance we examined, and that bespoke
|
||||
|
|
@ -924,7 +925,7 @@ based around a number of voltage comparators.
|
|||
\subsection{Computed Tomography Imaging}
|
||||
|
||||
CT imaging presents a serious threat to any HSM design that relies on its mesh layout remaining secret. For instance,
|
||||
the Gore tamper-sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias
|
||||
the Gore tamper sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias
|
||||
are lasered into a specially preparte area on the mesh foil to randomize the connection pattern of the mesh on a
|
||||
unit-by-unit basis. CT imaging could be used to discern this type of customization. Furthermore, CT imaging can be used
|
||||
to provide sub-millimeter accurate positioning for an attack, even if the sample to be attacked has large production
|
||||
|
|
@ -949,7 +950,7 @@ solution.
|
|||
\paragraph{Use of X-ray attenuating materials.}
|
||||
We found that placing any highly X-ray attenuating material in the HSM makes CT imaging more difficult.
|
||||
Figure~\ref{hsm_fig_utimaco_ct} shows a CT image taken from an Utimaco HSM. The device has two thick metal layers with a
|
||||
potting resin and the tamper-sensing mesh in between, so high-energy X-rays were necessary to penetrate both metal
|
||||
potting resin and the tamper sensing mesh in between, so high-energy X-rays were necessary to penetrate both metal
|
||||
layers and image the device. As a result, the contrast on X-ray-transparent features like polymers is low. In
|
||||
comparison, the Ingenico sample was easy to image since it consisted of a PCB wrapped with a mesh foil and encased in
|
||||
resin inside of an injection-molded plastic enclosure. Thus, we were able to image it at a low X-ray energy and we were
|
||||
|
|
@ -1011,7 +1012,7 @@ Form an engineering point of view, we observe that across application domains, t
|
|||
construction techniques. Implementing such a system that matches the security of other systems seen in the wild should
|
||||
be achievable to most engineers.
|
||||
|
||||
We find that the IHSM approach is a natural extension of the state of the art that we saw reflected in tamper-sensing
|
||||
We find that the IHSM approach is a natural extension of the state of the art that we saw reflected in tamper sensing
|
||||
mesh implementations in the field, and that the construction techniques that have been applied to improve their security
|
||||
can be carried over to IHSM implementations.
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue