Add harris presentation

jaseg 2026-03-23 20:57:08 +01:00
parent 90a24c0cf1
commit 6c461a2711


@ -0,0 +1,488 @@
\documentclass[aspectratio=169]{beamer}
\usetheme{default}
\usepackage[T1]{fontenc}
\usepackage{textcomp}
\usepackage{graphicx}
\usepackage{subcaption}
\usepackage{siunitx}
\usepackage{booktabs}
\usepackage{array}
\usepackage{ragged2e}
\usepackage{colortbl}
\usepackage{pdflscape}
\usepackage[percent]{overpic}
\graphicspath{{figures}}
% Define custom commands if not already defined
\newcommand{\surveypic}[2]{
\begingroup
\setlength{\fboxsep}{0.2mm}
\begin{overpic}[percent,height=10mm]{#2}
\put(100,85){\makebox[0pt][r]{\colorbox{white}{\footnotesize H#1}}}
\end{overpic}
\endgroup
}
\newcommand{\sampleno}[1]{#1}
\title{Tamper-Sensing Meshes in the Wild}
\author{Jan Sebastian Götte, TU Darmstadt}
\date{2026-03-24}
\begin{document}
\begin{frame}
\titlepage
\end{frame}
\begin{frame}{What is a Tamper Sensing Mesh?}
\begin{itemize}
\item Embedded looped conductor covering a surface
\item Detects physical intrusion
\begin{itemize}
\item Drills, saws, lasers etc.
\end{itemize}
\item Triggers some tamper response
\begin{itemize}
\item Deleting keys
\item Raising alarms
\item Explosions?
\end{itemize}
\item Widely used in HSMs, payment terminals, ATMs, nuclear weapons
\end{itemize}
\end{frame}
\begin{frame}{The History of Tamper-Sensing Meshes}
\begin{itemize}
\item \textbf{1870}: First patents using literal wire meshes to protect bank vaults
\item \textbf{1902}: Multi-layer, orthogonal meshes documented
\item \textbf{1971}: Printed circuit technology adopted
\item \textbf{1990s}: Widespread commercial adoption with cryptographic applications
\end{itemize}
Other, hard to date examples: NSA use for protecting ciphering machines (earlier than 1973), US use in nuclear weapons
\end{frame}
\begin{frame}{Commercial Applications Today}
\begin{itemize}
\item Datacenter HSMs (Key management, payment processing)
\item Card Payment Terminals (PIN encryption)
\item ATM Encrypting Pin Pads (PIN encryption)
\item Key Safes for Emergency services access (Germany only?)
\item Mail Franking Machines (credit counter)
\item Slot Machines (likely for DRM)
\end{itemize}
\end{frame}
\begin{frame}{Our Survey}
\textbf{Sample Size}: 30 devices
\textbf{Device Types}:
\begin{itemize}
\item 23 Card payment terminals (Verifone, Ingenico, SumUp, etc.)
\item 3 ATM Encrypting Pin Pads (NCR, Sagem)
\item 2 HSM modules (SafeNet, Utimaco)
\item 1 Franking machine
\item 1 German slot machine CPU
\end{itemize}
\end{frame}
\begin{frame}{Mesh Materials and Structure Sizes Observed}
\begin{itemize}
\item \textbf{Rigid PCB (FR-4):} Photolithographic etching, \SIrange{100}{200}{\micro\meter}
\item \textbf{Polyimide/Copper FPC:} Photolithographic etching, \SIrange{100}{200}{\micro\meter}
\item \textbf{Silver ink FPC:} Screen printing, \SIrange{500}{3000}{\micro\meter}
\item \textbf{Carbon ink FPC:} Screen printing, \SIrange{500}{3000}{\micro\meter}
\item \textbf{Gold laser direct structuring:} Laser Direct Structuring, \SIrange{50}{200}{\micro\meter}
\item \textbf{IBM/Gore mesh:} Printed, \SIrange{200}{1500}{\micro\meter}
\end{itemize}
\end{frame}
\begin{frame}{Survey Specimens - External Photos}
\begin{figure}
\centering
\footnotesize
\begin{tabular}[c]{cccccc}
\surveypic{02}{survey_diag_S02.jpg}&
\surveypic{03}{survey_diag_S03.jpg}&
\surveypic{04}{survey_diag_S04.jpg}&
\surveypic{05}{survey_diag_S05.jpg}&
\surveypic{06}{survey_diag_S06.jpg}&
\surveypic{08}{survey_diag_S08.jpg}\\
\surveypic{09}{survey_diag_S09.jpg}&
\surveypic{10}{survey_diag_S10.jpg}&
\surveypic{11}{survey_diag_S11.jpg}&
\surveypic{12}{survey_diag_S12.jpg}&
\surveypic{13}{survey_diag_S13.jpg}&
\surveypic{14}{survey_diag_S14.jpg}\\
\surveypic{15}{survey_diag_S15.jpg}&
\surveypic{16}{survey_diag_S16.jpg}&
\surveypic{17}{survey_diag_S17.jpg}&
\surveypic{18}{survey_diag_S18.jpg}&
\surveypic{19}{survey_diag_S19.jpg}&
\surveypic{20}{survey_diag_S20.jpg}\\
\surveypic{21}{survey_diag_S21.jpg}&
\surveypic{22}{survey_diag_S22.jpg}&
\surveypic{23}{survey_diag_S23.jpg}&
\surveypic{24}{survey_diag_S24.jpg}&
\surveypic{25}{survey_diag_S25.jpg}&
\surveypic{27}{survey_diag_S27.jpg}\\
\surveypic{28}{survey_diag_S28.jpg}&
\surveypic{29}{survey_diag_S29.jpg}&
\surveypic{30}{survey_diag_S30.jpg}&
\surveypic{31}{survey_diag_S31.jpg}&
\surveypic{32}{survey_diag_S32.jpg}&
\\
\end{tabular}
\end{figure}
\end{frame}
\begin{frame}{Survey Specimens - Internal Photos}
\begin{figure}
\centering
\footnotesize
\begin{tabular}[c]{cccccc}
\surveypic{01}{survey_internal_09_S01.jpg}&
\surveypic{02}{survey_internal_20_S02.jpg}&
\surveypic{03}{survey_internal_11_S03.jpg}&
\surveypic{04}{survey_internal_03_S04.jpg}&
\surveypic{05}{survey_internal_10_S05.jpg}&
\surveypic{06}{survey_internal_08_S06.jpg}\\
\surveypic{08}{survey_internal_24_S08.jpg}&
\surveypic{09}{survey_internal_13_S09.jpg}&
\surveypic{10}{survey_internal_23_S10.jpg}&
\surveypic{11}{survey_internal_17_S11.jpg}&
\surveypic{12}{survey_internal_19_S12.jpg}&
\surveypic{13}{survey_internal_02_S13.jpg}\\
\surveypic{14}{survey_internal_00_S14.jpg}&
\surveypic{15}{survey_internal_04_S15.jpg}&
\surveypic{16}{survey_internal_05_S16.jpg}&
\surveypic{17}{survey_internal_22_S17.jpg}&
\surveypic{18}{survey_internal_21_S18.jpg}&
\surveypic{19}{survey_internal_26_S19.jpg}\\
\surveypic{20}{survey_internal_12_S20.jpg}&
\surveypic{21}{survey_internal_15_S21.jpg}&
\surveypic{22}{survey_internal_16_S22.jpg}&
\surveypic{23}{survey_internal_07_S23.jpg}&
\surveypic{24}{survey_internal_06_S24.jpg}&
\surveypic{25}{survey_internal_25_S25.jpg}\\
\surveypic{27}{survey_internal_18_S27.jpg}&
\surveypic{28}{survey_internal_14_S28.jpg}&
\surveypic{30}{survey_internal_29_S30.jpg}&
\surveypic{31}{survey_internal_27_S31.jpg}&
\surveypic{32}{survey_internal_28_S32.jpg}&
\\
\end{tabular}
\end{figure}
\end{frame}
\begin{frame}{Mesh Trace Layouts}
\begin{columns}[T]
\begin{column}{0.5\textwidth}
\centering
\begin{overpic}[width=.45\textwidth]{hsm_mesh_offset.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
\hspace{1mm}
\begin{overpic}[width=.45\textwidth]{hsm_mesh_orthogonal.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
\vspace{5mm}
\begin{overpic}[width=.45\textwidth]{hsm_utimaco_mesh_gore.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\hspace{1mm}
\begin{overpic}[width=.45\textwidth]{hsm_mesh_stack_epp.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
\end{column}
\begin{column}{0.45\textwidth}
\raggedright
\textbf{A:} Offset layers (H12)
\textbf{B:} Orthogonal patterns (H14)
\textbf{C:} Orthogonal + area pattern (H30)
\textbf{D:} Spaced layers (H28)
\end{column}
\end{columns}
\end{frame}
\begin{frame}{Mesh Materials and Manufacturing}
\centering
\begin{tabular}{lll}
\begin{overpic}[width=.22\textwidth]{trace_material_copper_pcb.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{trace_material_copper_flex.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{trace_material_silver.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\\[3mm]
\begin{overpic}[width=.22\textwidth]{trace_material_contact_gold_lds.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{trace_material_carbon.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries E}}
\end{overpic}
&
\begin{tabular}[b]{@{}l@{}}
\textbf{A:} Rigid PCB (H10) \\
\textbf{B:} Flexible PCB (H15) \\
\textbf{C:} Silver ink (H14) \\
\textbf{D:} Laser Direct Structuring (H32) \\
\textbf{E:} Carbon ink (H30)
\end{tabular}
\end{tabular}
\end{frame}
\begin{frame}{Mesh Connection Methods}
\centering
\begin{tabular}{ccc}
\begin{overpic}[width=.20\textwidth]{connector_castellated_edge.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
&
\begin{overpic}[width=.20\textwidth]{connector_elastomeric.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
&
\begin{overpic}[width=.20\textwidth]{connector_rf_gasket.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\\[2mm]
\begin{overpic}[width=.20\textwidth]{connector_zif_fpc_2.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
&
\begin{overpic}[width=.20\textwidth]{connector_stacking.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries E}}
\end{overpic}
&
\begin{overpic}[width=.20\textwidth]{connector_metal_dome.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries F}}
\end{overpic}
\end{tabular}
\vspace{3mm}
\small
\textbf{A:} Direct soldering (H05) \quad
\textbf{B:} Elastomeric connector (H31) \quad
\textbf{C:} EMI gasket (H14) \\
\textbf{D:} FPC connector (H20) \quad
\textbf{E:} Stacking connector (H17) \quad
\textbf{F:} Tactile dome (H06)
\end{frame}
\begin{frame}{3D Mesh Construction Styles}
\centering
\begin{tabular}{lll}
\begin{overpic}[width=.22\textwidth]{hsm_3d_style_fold_overlap.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{hsm_3d_style_fold_no_overlap.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{3d_construction_lds_top.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\\[3mm]
\begin{overpic}[width=.22\textwidth]{hsm_3d_style_vacform.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{3d_construction_cards_standalone.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries E}}
\end{overpic}
&
\begin{tabular}[b]{@{}l@{}}
\textbf{A:} Folded with overlap (H03) \\
\textbf{B:} Folded without overlap (H14) \\
\textbf{C:} Laser Direct Structuring (H32) \\
\textbf{D:} Thermoformed (H12) \\
\textbf{E:} House-of-Cards (H08)
\end{tabular}
\end{tabular}
\end{frame}
\begin{frame}{Thermoforming Example}
\begin{columns}[T]
\begin{column}{0.32\textwidth}
\centering
\includegraphics[width=.6\textwidth]{survey_formed_mesh_before.jpg}\\
\small Before removing lacquer
\end{column}
\begin{column}{0.32\textwidth}
\centering
\includegraphics[width=.6\textwidth]{survey_formed_mesh_after.jpg}\\
\small After removing lacquer
\end{column}
\end{columns}
\vspace{3mm}
\small Formed cavities in printed foil mesh specimen H24
\end{frame}
\begin{frame}{Sandwich-Style Construction}
\begin{columns}[T]
\begin{column}{0.5\textwidth}
\centering
\begin{overpic}[width=.45\textwidth]{3d_construction_offset_mesh_delayered_contrast_improved.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
\hspace{1mm}
\begin{overpic}[width=.45\textwidth]{3d_construction_via_stitch_mesh_delayer_2.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
\vspace{3mm}
\begin{overpic}[width=.45\textwidth]{3d_construction_planar_stack.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\hspace{1mm}
\begin{overpic}[width=.45\textwidth]{3d_construction_cavity_2.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
\end{column}
\begin{column}{0.45\textwidth}
\raggedright
\textbf{A:} Obstacle mesh coupons (H17)
\textbf{B:} Via-fence meshes (H24)
\textbf{C:} Planar sandwich stack (H24)
\textbf{D:} PCB lid with cavity (H14)
\end{column}
\end{columns}
\end{frame}
\begin{frame}{Security Issues Observed}
\textbf{Design Defects:}
\begin{itemize}
\item Meshes not overlapping at edges leaving gaps for probe insertion
\item Gaps at mesh-PCB interfaces
\item Thermoformed cavities with enlarged structure size at corners
\end{itemize}
\textbf{Obscurity Failures:}
\begin{itemize}
\item In one case, an opaque lacquer was easily removed with acetone (without damaging the mesh!)
\item Trace patterns visible through cover layers due to surface unevenness
\end{itemize}
\end{frame}
\begin{frame}{Design Recommendations (1/2)}
\begin{itemize}
\item Commodity PCB manufacturing process design rules in the \SIrange{100}{200}{\micro\meter} range are better than the state of the art in mesh structure size
\item Avoid ink printing processes or thermoforming because of their large structure size
\item Carefully think about your literal corner cases (and edges)!
\begin{itemize}
\item Overlap meshes where possible.
\end{itemize}
\item Use potting and cover layers, but verify that they work
\begin{itemize}
\item Check that you \emph{actually} can't see what's below
\item Test their chemical resistance (and that of your mesh)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Design Recommendations (2/2)}
\begin{itemize}
\item Mixing tough potting or enclosure materials and fragile mesh materials makes life harder for an attacker
\begin{itemize}
\item Consider using steel instead of plastic (also helps against X-ray inspection!)
\item Use thin substrates and thin conductive layers for the mesh
\item Balance adhesion so removing potting / cover layers tears away traces below
\end{itemize}
\item Overlap mesh layers at a 50\% structure size offset
\item Space (some) mesh layers apart in Z direction to constrain attack tools
\item Use a pressure-sensitive connection method like tactile domes or elastomeric conncetors
\end{itemize}
\end{frame}
\begin{frame}
\centering
\Huge Thank you!
\vspace{1cm}
\Large Questions?
\end{frame}
\begin{frame}
\centering
Long-form version of this presentation in my thesis:
\url{https://jaseg.de/thesis-final-web.pdf}
\includegraphics{thesis_qr.png}
\end{frame}
\begin{frame}{Specimen List (1/2)}
\footnotesize
\begin{tabular}{c>{\RaggedRight\arraybackslash}p{25mm}>{\RaggedRight\arraybackslash}p{35mm}ll}
\toprule
\textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type} & \textbf{Year} \\
\midrule
H01 & PED & Verifone & VX 570 & ca. 2010 \\
H02 & Slot machine & Merkur / ADP & Sam 12 EC2 & ca. 2012 \\
H03 & EPP & Sagem & USA1315-4240 & 2014 \\
H04 & EPP & Sagem & USA1316-5120 & 2007 \\
H05 & PED & Xac & xAPT-103 & 2014 \\
H06 & PED & Ingenico & iCT250-11T1860A & 2016-17 \\
H08 & PED & Sagem & NOR4100-4220 & 2012 \\
H09 & PED & Hypercom & M4230 & 2010 \\
H10 & PED & Worldline & YOMANI XR & 2016 \\
H11 & PED & Banksys & C-ZAM Smash & 2004 \\
H12 & PED & Hypercom & Optimum P2100 & 2010 \\
H13 & PED & Ingenico & iCT 220-11T2938A & 2016 \\
H14 & PED & Verifone & H5000 & 2016 \\
H15 & PED & Verifone & MX 925 & 2018 \\
H16 & PED & Verifone & V200c CTLS & 2021 \\
H17 & PED & Verifone & VX 680 & 2014 \\
\bottomrule
\end{tabular}
\end{frame}
\begin{frame}{Specimen List (2/2)}
\footnotesize
\begin{tabular}{c>{\RaggedRight\arraybackslash}p{25mm}>{\RaggedRight\arraybackslash}p{35mm}ll}
\toprule
\textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type} & \textbf{Year} \\
\midrule
H18 & PED & Ingenico & i7910 & 2010 \\
H19 & PED & Banksys & XENTA & 2004-2011 \\
H20 & PED & Verifone & VX 520 3G & 2017 \\
H21 & PED & Verifone & V400m Plus 4G & 2018 \\
H22 & PED & Ingenico & Move 3500 & 2020 \\
H23 & PED & Ingenico & iPP 350-11T1718A & 2015 \\
H24 & PED & Ingenico & iWL255-01T2117A & 2016 \\
H25 & Franking Mach. & Neopost & IJ-25 & ca. 2001 \\
H27 & PED & Sumup & AIR1E205 & 2021 \\
H28 & EPP & NCR & 5814 UEPP & 2019 \\
H29 & HSM & SafeNet & VBD-05 & 2018 \\
H30 & HSM & Irdeto & Mayflower & 2011 \\
H31 & PED & SumUp & SumUp 3G & 2019 \\
H32 & PED & SumUp & SumUp Air & 2022 \\
\bottomrule
\end{tabular}
\vspace{3mm}
\tiny PED: Pin Entry Device; EPP: Encrypting Pin Pad; HSM: Hardware Security Module
\end{frame}
\end{document}
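Review bot: The HSM specimens are identified inconsistently across slides. The "Our Survey" frame lists the two HSM modules as `(SafeNet, Utimaco)` and the H30 trace-layout image is named `hsm_utimaco_mesh_gore.jpg`, but the specimen list gives H30 as `Irdeto` / `Mayflower`, so a reader cannot tell which product the H30 observations belong to. Either correct one of the two or state the relationship on the slide. Separately, `\graphicspath{{figures}}` lacks the trailing slash graphicx expects on each directory entry, so unless the images also sit next to the .tex file it should read `\graphicspath{{figures/}}`. The last item of "Design Recommendations (2/2)" has a typo: `conncetors` should be `connectors`.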