HSMs: Include patent citations
parent c2878d8a59
commit aed9cb59ae
3 changed files with 420 additions and 63 deletions
|
|
@ -112,6 +112,37 @@ cloning. This device will also be analyzed later in this chapter.
|
|||
|
||||
\section{The Principles of Tamper-Sensing Mesh Construction and Monitoring}
|
||||
|
||||
Tamper-sensing meshes can be implemented in many different ways. Their design offers various degrees of freedom from the
|
||||
precise conductor layout, through the manufacturing technology of the mesh and how it is wrapped around the payload
|
||||
during manufacturing up to its monitoring circuitry. As a result, manufacturers across application domains from
|
||||
datacenter appliance HSMs through card payment terminals have historically used patents on parts of their tamper-sensing
|
||||
mesh implementations as a means to prevent copying of their designs~\cite{
|
||||
razaghiCircuitBoardHold2019,
|
||||
heitmannTamperBarrierElectronic2005,
|
||||
clarkTamperDetectionSystem2005,
|
||||
heitmannMethodMakingTamper2009,
|
||||
perreaultSystemMethodInstalling2005
|
||||
}. The basic principle of modern tamper-sensing meshes of preventing intrusion by force through embedding a looped
|
||||
conductor to cover a surface traces back as far as at least 1870~\cite{
|
||||
ImprovementProtectingSafes1870,
|
||||
ImprovementElectromagneticEnvelopes1870}, when it was applied to the protection of bank vaults from robbers
|
||||
attempting to dig, drill and saw through the vault's floor and walls. Even multi-layer, orthogonal tamper-sensing meshes
|
||||
are documented as far back as 1902~\ref{suttonElectricallyprotectedStructure1902}. Using printed circuits instead of
|
||||
wires for this purpose occurs in literature as soon as printed circuit technology finds widespread commercial adoption
|
||||
in the 1960ies~\cite{hamPrintedcircuitTypeSecurity1971}. The history of more HSM-like devices begins in the 1990ies with
|
||||
the widespread adoption of cryptography in commercial applications~\cite{
|
||||
kleijneSecurityDeviceSecure1986,
|
||||
joyceMethodDetectPenetration1996,
|
||||
droegeSicherheitsmodulMitEinteiliger1997,
|
||||
cesanaTamperResistantCard2001,
|
||||
cesanaSecurityClothDesign2006,
|
||||
elbertSecureCircuitAssembly2006,
|
||||
cookTamperDetectionCircuit2020,
|
||||
brodskyCircuitLayoutsTamperrespondent2018,
|
||||
cobianuLargeAreaDistributed2008,
|
||||
phamAntitamperMesh2011
|
||||
} when instead of protecting an entire device it became feasible to create a protected cryptographic coprocessor.
|
||||
|
||||
\subsection{Tamper-sensing Mesh Manufacturing}
|
||||
|
||||
The manufacturing technology of a tamper sensing mesh is a critical factor in its security. While in many applications,
|
||||
|
|
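Review bot: `\ref{suttonElectricallyprotectedStructure1902}` in the sentence on multi-layer, orthogonal meshes should be `\cite{...}`. The same key is used with `\cite` in the monitoring subsection of this patch, and `\ref` will look for a label of that name and render as an undefined reference instead of a bibliography entry. Also, the text says the history of HSM-like devices begins in the 1990ies, but the first key in the citation list attached to that sentence is `kleijneSecurityDeviceSecure1986`; either adjust the wording or cite that entry separately as a precursor. Minor: "1960ies" and "1990ies" would conventionally be "1960s" and "1990s".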
@ -119,12 +150,14 @@ meshes manufactured from off-the-shelf processes such as Flexible Printed Circui
|
|||
processes tend to be optimzed to maximize the robustness of the produced circuits to mechanical stress. In contrast, the
|
||||
ideal tamper-sensing mesh is exactly as robust as it needs to be not to be destroyed accidentially during normal
|
||||
handling, but should not be more robust than that. As a result, more secure meshes tend to be manufactured in bespoke
|
||||
manufacturing processes.
|
||||
% FIXME cite Immler et al
|
||||
manufacturing processes~\cite{
|
||||
immlerBTREPIDBatterylessTamperresistant2018,
|
||||
immlerSecurePhysicalEnclosures2018,
|
||||
ImprovementProtectingSafes1870}.
|
||||
% TODO cite hennigApparatusMethodComprising2020 and obermaierPUFfilmMethodProducing2023 on immler et al PUF tech
|
||||
|
||||
One more widely cited tamper-sensing mesh implementation is a commercial product developed by IBM in collaboration with
|
||||
chemical company W.\ L.\ Gore \& Asscociates Inc.\ and used in IBM's datacenter HSM products up to approximately 2020.
|
||||
% FIXME mention that Immler et al. cite them
|
||||
This mesh design uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are
|
||||
printed. Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces
|
||||
are printed. The flexible circuit layers are joined with a opaque black, stretchy glue and after installation embedded
|
||||
|
|
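Review bot: the citation list added after "manufacturing processes" ends with `ImprovementProtectingSafes1870`, the key this patch uses elsewhere for the 1870 bank-vault origin of meshes. Next to the two Immler keys it does not obviously support a claim about bespoke manufacturing of more secure meshes, and it looks like a copy-paste leftover. Drop it, or say in the sentence what the 1870 patent contributes. While touching this paragraph, the surrounding lines have typos worth fixing: "optimzed", "accidentially", "Asscociates" and "a opaque".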
@ -134,8 +167,10 @@ improves its security against tampering. Furthermore, both the glue fusing the f
|
|||
mesh is embedded inside after installation are clearly co-designed with the carbon trace material such that the trace
|
||||
material adheres well to both, leading to the traces being destroyed when either are peeled off.
|
||||
|
||||
The design of these IBM/Gore meshes is documented in an extensive list of patents, mostly under IBM's name.
|
||||
% FIXME list actual patents as citations or table.
|
||||
The design of these IBM/Gore meshes is documented in an extensive list of patents, mostly under IBM's name. Its
|
||||
fundamental layout has not changed much since the early 1990ies~\cite{
|
||||
macphersonImprovementsSecurityEnclosures1993,
|
||||
macphersonTamperRespondentEnclosure1999}.
|
||||
|
||||
\subsection{Tamper-sensing Mesh Monitoring}
|
||||
|
||||
|
|
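Review bot: the sentence still promises "an extensive list of patents, mostly under IBM's name", but the new citation only names two keys (`macphersonImprovementsSecurityEnclosures1993`, `macphersonTamperRespondentEnclosure1999`), and they are attached to the claim about the layout not changing rather than to the list. The FIXME in this hunk asked for the actual patents as citations or a table; either cite a representative set after "patents" or keep a TODO so the gap stays visible. Minor: "1990ies" would conventionally be "1990s".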
@ -147,35 +182,20 @@ operation from a battery. Commonly, one or two cylindrical or large coin cell Li
|
|||
providing in the order of \qtyrange{10}{20}{\watt\hour} over their lifetime. Broken down to an unpowered storage life of
|
||||
e.g.\ 5 years, this corresponds to a maximum average power consumption of \qty{450}{\micro\watt}.
|
||||
|
||||
% FIXME cite patent US20010056542A1, maybe others?
|
||||
% relevant categories: (H01L23/576), (G06K19/07372)
|
||||
% keyword: wire covering
|
||||
% FIXME US10251260B1, US9730315B1 (both square) mention wheatstone bridge
|
||||
% FIXME DE2656349A1 mentions bridge circuit but applied to a fence(!)
|
||||
To achieve low power consumption, a popular technique known since at least 1902
|
||||
% FIXME cite US708093A
|
||||
and still used today
|
||||
% FIXME cite section on utimaco / gore mesh, cite US20010056542A1 (ibm), US10251260B1, US9730315B1 (square)
|
||||
is to measure the mesh's deviation from its baseline value. This measurement can be implemented either by directly
|
||||
comparing a mesh trace's resistance with a reference resistor, or using a wheatstone bridge.
|
||||
% FIXME cite DE559905C
|
||||
This technique, known since at least 1929, is still used in modern HSMs for its simple implementation: Comparators do no
|
||||
need a lot of power, and similar to the layout of a strain gauge, the wheatstone bridge circuit can be implemented using
|
||||
the mesh's traces. When all traces are interleaved, this also provides some degree of intrinsic temperature
|
||||
compensation.
|
||||
|
||||
% FIXME US10321589B2 cites comparators
|
||||
|
||||
% US587931A (1897) describes overlapping structure
|
||||
% FIXME US7345497B2 uses balanced transmission lines / fast pulses
|
||||
|
||||
% FIXME NCR Group patent US4593384A mentioned tamper traces in 1984
|
||||
% FIXME NCR Group patent US3594770A mentions meshes in 1968
|
||||
% FIXME US110362A from 1870 may be oldes mention of mesh I found
|
||||
% FIXME US708093A from 1902 shows literal meshes like we do them today, just with wires not PCBs, and also describes
|
||||
% bridge-like comparator circuit using counter-wound coils
|
||||
% FIXME Hughes Aircraft patent US5568124A mentions mesh-like panels in 1993
|
||||
To achieve low power consumption, a popular technique known since at least
|
||||
1902~\cite{suttonElectricallyprotectedStructure1902} and still used
|
||||
today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the mesh's deviation from its
|
||||
baseline value. This measurement can be implemented either by directly comparing a mesh trace's resistance with a
|
||||
reference resistor, or using a wheatstone bridge. Using a bridge circuit was already used in early tamper-sensing mesh
|
||||
implementations~\cite{
|
||||
ElektrischeSicherheitseinrichtungSchutze1932,
|
||||
hamPrintedcircuitTypeSecurity1971,
|
||||
dalphinEnceinteProtegeeAvec1987
|
||||
} and makes it possible to detect small changes in the mesh's resistance with little complexity.
|
||||
|
||||
% TODO US7345497B2 uses balanced transmission lines / fast pulses
|
||||
% NOTE: US3882324A mentions exploding the device as tamper response
|
||||
|
||||
\subsection{Other Tamper Sensing Techniques}
|
||||
|
|
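Review bot: the rewritten paragraph still opens with "To achieve low power consumption" but no longer says why the comparison approach is low power. The earlier wording explained that comparators need little power, that the bridge can be built from the mesh's own traces, and that interleaved traces give some intrinsic temperature compensation; the new closing clause only says small changes can be detected "with little complexity". Consider keeping one sentence of that reasoning. "Using a bridge circuit was already used in early tamper-sensing mesh implementations" repeats "used"; "Bridge circuits were already used in early ..." reads better, and "wheatstone" should be capitalised as "Wheatstone". The FIXME comments naming US20010056542A1, US10251260B1, US9730315B1 and US10321589B2 appear to be dropped here; please confirm each is covered by one of the new keys, since the key names alone do not show it.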
@ -192,31 +212,6 @@ custom injection-molded plastic light baffles at all air vents of the device des
|
|||
light.
|
||||
% FIXME citations?
|
||||
|
||||
\subsection{The Patent Landscape}
|
||||
|
||||
Tamper-sensing meshes can be implemented in many different ways. Their design offers various degrees of freedom from the
|
||||
precise conductor layout, through the manufacturing technology of the mesh and how it is wrapped around the payload
|
||||
during manufacturing up to its monitoring circuitry. As a result, manufacturers across application domains from
|
||||
datacenter appliance HSMs through card payment terminals and including niche applications like mail franking machines
|
||||
have historically used patents on parts of their tamper-sensing mesh implementations as a means to prevent copying of
|
||||
their designs. While most original tamper sensing mesh implementations are covered by at least one patent, we want to
|
||||
highlight IBM for dwarfing the efforts of most other companies and fielding industry's widest portfolio of related
|
||||
patents.
|
||||
|
||||
While the patent history of HSM-like devices is rather shallow and begins in the 1990ies
|
||||
% FIXME cite
|
||||
with scarce prior examples,
|
||||
% FIXME cite
|
||||
tamper-sensing meshes have a much longer history dating back to at least 1870.
|
||||
% FIXME cite
|
||||
Tamper-sensing meshes were often called \emph{wire coverings} in earlier patent literature from before the widespread
|
||||
adoption of printed circuits. Beginning in the late 1800s, there is an abundance of patents claiming such meshes for the
|
||||
protection of safes and vault rooms.
|
||||
A 1969 NCR patent
|
||||
% FIXME cite US10321589B2
|
||||
is the earliest mention we were able to find of such a tamper-sensing mesh being implemented in a printed circuit
|
||||
process instead of by laying out a physical wire.
|
||||
|
||||
\section{A Survey of Meshes in the Wild}
|
||||
|
||||
Concluding the brief history of tamper sensing meshes above, we find that they were initially developed for sensitive
|
||||
|
|
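Review bot: with "The Patent Landscape" subsection gone, the opening of the next section, "Concluding the brief history of tamper sensing meshes above", no longer has a history directly above it; the historical material now sits at the start of the principles section, several subsections earlier. Reword that opening or add a back-reference. The merged text also drops three points from this subsection without replacement: mail franking machines as an application domain, the term \emph{wire coverings} used in early patent literature, and the remark on the breadth of IBM's patent portfolio. If these are intentionally cut, fine; otherwise the \emph{wire coverings} term in particular is useful to readers searching the older patents. The `% FIXME citations?` on the light-baffle paragraph is still open.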
@ -605,12 +600,12 @@ overlap the mesh in the corner is likely caused by manufacturing considerations,
|
|||
proper folding of a small foil tab with adhesive pre-applied.
|
||||
~
|
||||
Figure~\ref{hsm_fig_3d_struct_vacuum_form} shows a sample of a flexible circuit manufactured in a screenprinted
|
||||
silver-ink process thermoformed into a three-dimensional shape. The flexible circuit mesh is first produced in a
|
||||
standard planar printing process. After printing and curing, the resulting foil is then heated to soften it, and forced
|
||||
into a three-dimensional shape using a mold. Depending on the process, one or two molds, and vacuum or pressured air can
|
||||
be used to shape the foil. The process requires a screenprinted flexible circuit, and would not work with
|
||||
copper/polyimide flexible PCBs since their copper layer is too thick to plastically deform without tearing, and because
|
||||
polyimide is not sufficiently thermoplastic at low temperatures.
|
||||
silver-ink process thermoformed into a three-dimensional shape~\cite{weidnerHardwareschutzFormHalbschalen2007}. The
|
||||
flexible circuit mesh is first produced in a standard planar printing process. After printing and curing, the resulting
|
||||
foil is then heated to soften it, and forced into a three-dimensional shape using a mold. Depending on the process, one
|
||||
or two molds, and vacuum or pressured air can be used to shape the foil. The process requires a screenprinted flexible
|
||||
circuit, and would not work with copper/polyimide flexible PCBs since their copper layer is too thick to plastically
|
||||
deform without tearing, and because polyimide is not sufficiently thermoplastic at low temperatures.
|
||||
|
||||
Thermoforming is a cheap industry standard process, but applied to flexible circuits it has some limitations. First,
|
||||
only 2.5-dimensional structures can be created since the starting product is always a planar sheet. Second, the sheet
|
||||
|
|
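Review bot: `\cite{weidnerHardwareschutzFormHalbschalen2007}` is attached to the sentence describing the sample in the figure, so it reads as if the pictured sample itself comes from that reference. If the citation is meant to support the thermoforming process, move it to the sentence that describes heating the foil and forcing it into a mold; if it is the source of the sample, say so in the figure caption instead. Minor, in the unchanged wording: "pressured air" should be "pressurized air" or "compressed air".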
@ -741,7 +736,7 @@ to target the metal contacts with a tool like a needle probe. From the CT scan w
|
|||
the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through one of the
|
||||
mesh's traces should be possible without breaking the trace.
|
||||
|
||||
Figure~\ref{hsm_fig_ingenioc_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
|
||||
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
|
||||
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
|
||||
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
|
||||
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
|
||||
|
|
|
|||
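Review bot: the corrected `\ref{hsm_fig_ingenico_potted_ct_3d}` only resolves if the figure's `\label` uses the same spelling, and the figure definition is not part of this hunk. Please confirm the label was not also written as `hsm_fig_ingenioc_potted_ct_3d`, and check the build log for undefined references after this change.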