Fix second batch of Konrad's review
parent
34c0657e66
commit
eff0e47df7
1 changed files with 84 additions and 84 deletions
|
|
@ -42,8 +42,8 @@ prevent copying of their designs~\cite{
|
|||
clarkTamperDetectionSystem2005,
|
||||
heitmannMethodMakingTamper2009,
|
||||
perreaultSystemMethodInstalling2005,
|
||||
}. The basic principle of modern tamper sensing meshes, preventing physical intrusion using an embedded looped conductor
|
||||
to cover a surface, traces back at least as far as 1870~\cite{
|
||||
}. The basic principle of modern tamper sensing meshes is to reliably detect physical intrusion using an embedded looped
|
||||
conductor to cover a surface. This concept traces back at least as far as 1870~\cite{
|
||||
ImprovementProtectingSafes1870,
|
||||
ImprovementElectromagneticEnvelopes1870}, when it was applied to the protection of bank vaults from robbers
|
||||
attempting to dig, drill and saw through the vault's floor and walls. Even multi-layer, orthogonal tamper sensing meshes
|
||||
|
|
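Review bot: In the rewritten first sentence, "is to reliably detect physical intrusion using an embedded looped conductor to cover a surface" chains "using ... to cover", so it is unclear what covers what. Suggest "is to reliably detect physical intrusion by covering a surface with an embedded looped conductor".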
@ -147,14 +147,12 @@ and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right
|
|||
of card payment terminals. We will analyze two such ATM pin pads later in this chapter.
|
||||
|
||||
HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
|
||||
hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this
|
||||
hampered by their high cost. These applications include key management in the TLS certificate infrastructure. In this
|
||||
chapter, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.
|
||||
|
||||
Beyond finance, tamper sensing meshes have found applications in a variety of other use cases as well. For instance, we
|
||||
have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit
|
||||
analyzed in this chapter. Furthermore, we have identified several models of key safes that in Germany are mounted
|
||||
externally on public buildings to provide keys to emergency services, and which include tamper sensing meshes on their
|
||||
door and interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
|
||||
Other applications include mail franking machines, where they are used to protect the credit counter and franking data,
|
||||
with one such unit analyzed in this chapter. Furthermore, we have identified several models of key safes that in Germany
|
||||
are mounted externally on public buildings to provide keys to emergency services, and which include tamper sensing
|
||||
meshes on their door and interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
|
||||
krusesicherheitssystemeDatenblattKRUSEFWSchlusseldepot2018}. Finally, we have found a processing unit used in a series
|
||||
of mid-2000s era slot machines in Germany that includes a tamper sensing mesh, presumably to prevent modification or
|
||||
cloning. This device will also be analyzed later in this chapter.
|
||||
|
|
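Review bot: In the new "Other applications include mail franking machines, where they are used to protect the credit counter", both "Other applications" and "they" have lost their antecedent. The removed sentence named tamper sensing meshes explicitly, while the preceding paragraph ends on HSMs, so the new sentence reads as a statement about HSM applications. Suggest "Tamper sensing meshes are also used in mail franking machines, where they protect the credit counter and franking data".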
@ -178,16 +176,19 @@ manufacturing processes~\cite{
|
|||
smithBuildingHighperformanceProgrammable1999}.
|
||||
|
||||
One more widely cited tamper sensing mesh implementation is a commercial product developed by IBM in collaboration with
|
||||
chemical company W.\ L.\ Gore \& Asscociates Inc.\ and used in IBM's datacenter HSM products up to approximately
|
||||
2020~\cite{obermaier2018,andersonSecurityEngineeringGuide2020,smithBuildingHighperformanceProgrammable1999}.
|
||||
This mesh design uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are
|
||||
printed. Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces
|
||||
are printed. The flexible circuit layers are joined with a opaque black, stretchy glue and after installation embedded
|
||||
in an elastic opaque resin. The plastic substrate foil is thinner and significantly less resistant to tearing than
|
||||
plastic substrates commonly used in the electronics industry for applications like key pads and circuit boards, which
|
||||
improves its security against tampering. Furthermore, both the glue fusing the foil layers together and the resin the
|
||||
mesh is embedded inside after installation are clearly co-designed with the carbon trace material such that the trace
|
||||
material adheres well to both, leading to the traces being destroyed when either are peeled off.
|
||||
chemical company W.\ L.\ Gore \& Asscociates Inc. This product is used in IBM's datacenter HSM products up to
|
||||
approximately 2020~\cite{
|
||||
obermaier2018,
|
||||
andersonSecurityEngineeringGuide2020,
|
||||
smithBuildingHighperformanceProgrammable1999}.
|
||||
It uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are printed.
|
||||
Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces are
|
||||
printed. The flexible circuit layers are joined with a opaque black, stretchy glue and are embedded in an elastic opaque
|
||||
resin after installation. The plastic substrate foil is thinner and significantly less resistant to tearing than plastic
|
||||
substrates commonly used in the electronics industry for applications like key pads and circuit boards, which improves
|
||||
its security against tampering. It is clear that both the glue fusing the foil layers together and the resin that the
|
||||
mesh is embedded inside are co-designed with the carbon trace material such that the trace material adheres well to
|
||||
both, leading to the traces being destroyed when either are peeled off.
|
||||
|
||||
The design of these IBM/Gore meshes is documented in an extensive list of patents, mostly under IBM's name. Its
|
||||
basic construction and layout has not changed much since the early 1990ies~\cite{
|
||||
|
|
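Review bot: The split-off sentence "This product is used in IBM's datacenter HSM products up to approximately 2020" combines present tense with an end date; "was used ... until approximately 2020" matches the meaning. While these lines are being touched, the company name still reads "Asscociates" and "a opaque black, stretchy glue" should be "an opaque"; both were carried over unchanged from the removed lines.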
@ -196,7 +197,7 @@ basic construction and layout has not changed much since the early 1990ies~\cite
|
|||
|
||||
\subsection{Monitoring Circuit Approaches}
|
||||
|
||||
tamper sensing meshes are most effective when they are continuously monitored using a backup power supply while the rest
|
||||
Tamper sensing meshes are most effective when they are continuously monitored using a backup power supply while the rest
|
||||
of the system is powered off. In practice, the main challenge with continuous monitoring of tamper sensing meshes is in
|
||||
the design of the monitoring circuit. A large portion of industry attention has been spent on designing low-power
|
||||
monitoring circuits that are sensitive to tampering with the mesh while using little enough power to enable years of
|
||||
|
|
@ -210,12 +211,12 @@ To achieve low power consumption, a popular technique known since at least
|
|||
1902~\cite{suttonElectricallyprotectedStructure1902} and still used
|
||||
today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the deviation of the mesh's
|
||||
end-to-end ohmic resistance from its baseline value. This measurement can be implemented either by directly comparing a
|
||||
mesh trace's resistance with a reference resistor, or using a wheatstone bridge. Using a bridge circuit was already used
|
||||
mesh trace's resistance with a reference resistor, or using a wheatstone bridge. Bridge circuits were already used
|
||||
in early tamper sensing mesh implementations~\cite{
|
||||
ElektrischeSicherheitseinrichtungSchutze1932,
|
||||
hamPrintedcircuitTypeSecurity1971,
|
||||
dalphinEnceinteProtegeeAvec1987,
|
||||
} and makes it possible to detect small changes in the mesh's resistance with little complexity.
|
||||
} since they make it possible to detect small changes in the mesh's resistance with little complexity.
|
||||
|
||||
\subsection{Other Tamper Sensing Techniques}
|
||||
|
||||
|
|
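Review bot: "wheatstone bridge" on the rewritten line should be capitalized as "Wheatstone bridge", since it is named after a person. In the new ending "since they make it possible to detect small changes", the word "since" follows "already used in early ... implementations" and can be read as temporal; "because" removes the ambiguity.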
@ -237,12 +238,11 @@ Concluding the brief history of tamper sensing meshes above, we find that they w
|
|||
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
|
||||
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
|
||||
became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
|
||||
adoption of PCB and Flexible Printed Circuit (FPC) production processes enabled their use as inexpensive,
|
||||
high-resolution substrates for such meshes. In this section, we will examine a large sample of recent devices that
|
||||
include tamper sensing meshes to gain an understanding of how they are implemented, and what security level they are
|
||||
targeted towards. Since we were unable to acquire a nuclear weapon for our research, we limited our survey to commercial
|
||||
devices with a focus on card payment terminals, which represent the most varied class of device incorporating such
|
||||
meshes.
|
||||
adoption of PCB and FPC production processes enabled their use as inexpensive, high-resolution substrates for such
|
||||
meshes. In this section, we will examine a large sample of recent devices that include tamper sensing meshes to gain an
|
||||
understanding of how they are implemented, and what security level they are targeted towards. Since we were unable to
|
||||
acquire a nuclear weapon for our research, we limited our survey to commercial devices with a focus on card payment
|
||||
terminals, which represent the most varied class of device incorporating such meshes.
|
||||
|
||||
\subsection{Specimen Selection}
|
||||
|
||||
|
|
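Review bot: Replacing "PCB and Flexible Printed Circuit (FPC)" with "PCB and FPC" removes the expansion at the earliest use of the abbreviation among the hunks shown, and the later hunks drop the remaining expansions as well. Please confirm that FPC is expanded before this paragraph, or is generated by an acronym or glossary package; otherwise keep the long form here.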
@ -353,13 +353,13 @@ networks, almost all payment terminals on the market irrespective of their count
|
|||
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level
|
||||
of security than one might expect from an industry association.
|
||||
|
||||
Physical security standards in card payment applications both on the client side (payment terminals) and on the server
|
||||
side (HSM appliances) are more stringent than one might expect since the finance industry has been reluctant to adopt
|
||||
One reason for the high level of physical security standards in card payment applications both on the client side
|
||||
(payment terminals) and on the server side (HSM appliances) is that the finance industry has been reluctant to adopt
|
||||
modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or
|
||||
Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and
|
||||
ancient ciphers such as Triple DES are still commonly referenced in industry
|
||||
standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result, increased hardware security is necessary to
|
||||
safeguard weak symmetric keys, compensating for the systems' modest cryptographic security.
|
||||
standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result, increased hardware security is
|
||||
necessary to safeguard weak symmetric keys, compensating for the systems' modest cryptographic security.
|
||||
|
||||
Since card payment terminals are widely deployed, many different models from various manufacturers are available. Each
|
||||
manufacturer tends to have their own, patented tamper sensing implementation. Being manufactured at scale, card payment
|
||||
|
|
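Review bot: The new opening "One reason for the high level of physical security standards" attaches "high level" to the standards rather than to the security they require. "One reason for the stringent physical security standards", keeping the removed sentence's adjective, reads more cleanly. The following "Not only are ... not commonly used. Even asymmetric cryptography ..." is still split into a fragment and could be joined with a comma or semicolon.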
@ -371,16 +371,18 @@ When credit card payments are handled on the web as opposed to in a physical sto
|
|||
handle plaintext payment data such as credit card numbers. Such HSM appliances are usually standalone rackmount devices
|
||||
and are used across application domains. Depending on the application, these HSMs can be programmed with custom code, or
|
||||
can be used as coprocessors through an API. In practice, the standalone appliances are just low-end computers in a
|
||||
rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this survey, we were only able
|
||||
to procure a single such HSM since these devices are expensive, and even used specimens of older models are usually
|
||||
listed for several hundreds to several thousands of EUR. The one specimen we procured was a 2011 model Utimaco
|
||||
CryptoServer LAN. Our unit was a white-label variant procured by premium TV encryption technology provider Irdeto,
|
||||
presumably used in Germany to produce cryptographic key streams for TV signal encryption. We bought the device from a
|
||||
recycling company specialized on datacenter components. The device was sold with any HDDs removed. The device consisted
|
||||
of an older mainboard for embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of DDR2 RAM,
|
||||
which was connected to the HSM add-in card through PCI. The device contained a small Lithium backup battery on the
|
||||
add-in card, and another, larger battery in an enclosure at the front of the device that was connected to the card
|
||||
through a cable. The device did not contain any obvious case intrusion sensors.
|
||||
rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this survey, we obtained two
|
||||
devices labelled as HSMs. We were only able to procure two such devices since they are expensive, and even used
|
||||
specimens of older models are usually listed for several hundreds to several thousands of EUR. Unfortunately, one of the
|
||||
devices we obtained did not contain any security meshes in its case, and thus would not provide adequate protection
|
||||
against advanced attacks. The other specimen we procured was a 2011 model Utimaco CryptoServer LAN. Our unit was a
|
||||
white-label variant procured by premium TV encryption technology provider Irdeto, presumably used in Germany to produce
|
||||
cryptographic key streams for TV signal encryption. We bought the device from a recycling company specialized on
|
||||
datacenter components. The device was sold with any HDDs removed. The device consisted of an older mainboard for
|
||||
embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of DDR2 RAM, which was connected to the
|
||||
HSM add-in card through PCI. The device contained a small Lithium backup battery on the add-in card, and another, larger
|
||||
battery in an enclosure at the front of the device that was connected to the card through a cable. The device did not
|
||||
contain any obvious case intrusion sensors.
|
||||
|
||||
\subsubsection{ATM Encrypting Pin Pads}
|
||||
|
||||
|
|
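Review bot: The added "one of the devices we obtained did not contain any security meshes in its case" does not say which device this was (no manufacturer, model or \sampleno), so the statement cannot be checked against the specimen list. It also uses "security meshes" where the rest of the text says "tamper sensing meshes". The two new sentences repeat themselves ("we obtained two devices ... We were only able to procure two such devices"); suggest merging them into one.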
@ -395,13 +397,13 @@ vault when tampered. The permanently stained bank notes are not accepted by bank
|
|||
% FIXME cite https://www.ecb.europa.eu/euro/banknotes/damaged/html/index.en.html
|
||||
% FIXME cite https://www.bcl.lu/en/Banknotes-and-Coins/remboursement/billets-macules1/index.html
|
||||
|
||||
Besides the vault, the other secondary security barrier is located inside the ATM's pin pad. While all communication
|
||||
with the customer's card passes through an end-to-end encrypted channel from the bank's backends into the card's
|
||||
smartcard IC, the customer must necessarily enter their pin in plain text. To prevent leakage of the plaintext PIN, the
|
||||
PIN is encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the encryption.
|
||||
Often, both the circuit board containing the PIN pad's keyboard matrix and this microcontroller are shielded by a
|
||||
tamper sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and
|
||||
transmit the plaintex PIN.
|
||||
Besides the vault, the another security barrier is located inside the ATM's pin pad. While all communication with the
|
||||
customer's card passes through an end-to-end encrypted channel from the bank's backends into the card's smartcard IC,
|
||||
the customer must necessarily enter their pin in plain text. To prevent leakage of the plaintext PIN, the PIN is
|
||||
encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the encryption. Often,
|
||||
both the circuit board containing the PIN pad's keyboard matrix and this microcontroller are shielded by a tamper
|
||||
sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and transmit
|
||||
the plaintex PIN.
|
||||
|
||||
We acquired three different EPPs for analysis: Two designed by Sagem and apparently re-sold as a whitelabel product by
|
||||
Cryptera and Diebold, respectively, and one made by and branded NCR. All three devices have robust stainless steel front
|
||||
|
|
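Review bot: The rewritten first line introduces a typo, "the another security barrier"; it should read "another security barrier". In the same reflowed paragraph "plaintex PIN" is still misspelled, and "pin pad" / "their pin" are mixed with "PIN pad" / "PIN".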
@ -481,19 +483,19 @@ supplementary material to this thesis.
|
|||
|
||||
\subsubsection{Mesh materials.}
|
||||
|
||||
We found meshes constructed from rigid PCBs (e.g.\ specimens~\sampleno{H02}, \sampleno{H03} and \sampleno{H08}) as well as
|
||||
a number of Flexible Printed Circuit (FPC) processes. Tamper sensing meshes constructed from PCBs sometimes used parts
|
||||
of an existing PCB (e.g.\ specimens~\sampleno{H03} and \sampleno{H10}), and sometimes additional PCBs only containing a
|
||||
mesh were added (e.g.\ specimen~\sampleno{H02} and \sampleno{H08}). In some samples (e.g.\ specimens~\sampleno{H08} and
|
||||
\sampleno{H18}), multiple rigid PCB meshes were assembled in a house of cards fashion to enclose a card slot. For
|
||||
flexible meshes, with the exception of the Utimaco HSM appliance's HSM card (specimen~\sampleno{H30}) that used an
|
||||
off-the-shelf Gore tamper sensing mesh foil, all were clearly manufactured either entirely or mostly in standard
|
||||
processes. We found printed silver ink (e.g.\ specimen~\sampleno{H12}) and printed carbon ink-based foils (e.g.\
|
||||
specimen~\sampleno{H09}) similar to those used for membrane keyboards, as well as conventional photolithographically
|
||||
etched copper/polyimide Flexible Printed Circuits (FPCs) (e.g.\ specimens~\sampleno{H03}, \sampleno{H04} and
|
||||
We found meshes constructed from rigid PCBs (e.g.\ specimens~\sampleno{H02}, \sampleno{H03} and \sampleno{H08}) as well
|
||||
as a number of FPC processes. Tamper sensing meshes constructed from PCBs sometimes used parts of an existing PCB (e.g.\
|
||||
specimens~\sampleno{H03} and \sampleno{H10}), and sometimes additional PCBs only containing a mesh were added (e.g.\
|
||||
specimen~\sampleno{H02} and \sampleno{H08}). In some samples (e.g.\ specimens~\sampleno{H08} and \sampleno{H18}),
|
||||
multiple rigid PCB meshes were assembled in a house of cards fashion to enclose a card slot. All flexible meshes that we
|
||||
found with the exception of the Utimaco HSM appliance's HSM card (specimen~\sampleno{H30}) were clearly manufactured
|
||||
either entirely or mostly in standard processes. We found printed silver ink (e.g.\ specimen~\sampleno{H12}) and printed
|
||||
carbon ink-based foils (e.g.\ specimen~\sampleno{H09}) similar to those used for membrane keyboards, as well as
|
||||
conventional photolithographically etched copper/polyimide FPCs (e.g.\ specimens~\sampleno{H03}, \sampleno{H04} and
|
||||
\sampleno{H08}). Overall, etched PCBs showed better resolution compared to silkscreen-printed meshes. Feature size for
|
||||
both rigid and flexible etched PCB meshes was generally in the order of \qtyrange{100}{200}{\micro\meter}, while feature
|
||||
size for screen printed foil meshes was coarser at between \qtyrange{500}{3000}{\micro\meter}.
|
||||
size for screen printed foil meshes was coarser at between \qtyrange{500}{3000}{\micro\meter}. In contrast to these
|
||||
standard processes, the Utimaco HSM used a mesh foil that is manufactured in a proprietary, bespoke process by Gore.
|
||||
|
||||
\subsubsection{Mesh layout.}
|
||||
|
||||
|
|
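Review bot: On the reflowed line "coarser at between \qtyrange{500}{3000}{\micro\meter}", siunitx typesets the range with "to" by default, so the output reads "between 500 µm to 3000 µm"; drop "between" or write the two quantities joined by "and". Also, "e.g.\ specimen~\sampleno{H02} and \sampleno{H08}" lists two specimens with a singular noun.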
@ -612,13 +614,12 @@ tamper sensing mesh, trace patterns manufactured to be more fragile might be adv
|
|||
are made using a rigid FR-4 fiberglass/epoxy substrate. Since a tamper sensing mesh must often enclose all sides of a
|
||||
payload, flexible foils offer benefits over rigid PCBs.
|
||||
|
||||
Figure~\ref{hsm_fig_materials_pcb_flex} shows a Flexible Printed Circuits (FPCs) produced in a standard commercial
|
||||
process similar to PCB production. In FPCs, a copper foil adhered to a substrate is etched, but the substrate here
|
||||
usually is a thin foil made from polyimide, an orange, temperature-resistant polymer that survives common reflow (hot
|
||||
air) soldering temperatures. In contrast to rigid PCBs, FPCs are usually limited to no more than four layers before
|
||||
losing flexibility. Flexible PCBs are often used for tamper sensing meshes that wrap around a payload, but they come
|
||||
with the same limitation as standard PCBs: Due to their robust substrate and thick copper layers, they are easily
|
||||
manipulated by hand.
|
||||
Figure~\ref{hsm_fig_materials_pcb_flex} shows an FPCs produced in a standard commercial process similar to PCB
|
||||
production. In FPCs, a copper foil adhered to a substrate is etched, but the substrate here usually is a thin foil made
|
||||
from polyimide, an orange, temperature-resistant polymer that survives common reflow (hot air) soldering temperatures.
|
||||
In contrast to rigid PCBs, FPCs are usually limited to no more than four layers before losing flexibility. Flexible PCBs
|
||||
are often used for tamper sensing meshes that wrap around a payload, but they come with the same limitation as standard
|
||||
PCBs: Due to their robust substrate and thick copper layers, they are easily manipulated by hand.
|
||||
|
||||
Figure~\ref{hsm_fig_materials_silver_ink} shows an FPC created in a different process. Here, instead of
|
||||
photolithographically etching a continuous copper foil adhered to a flexible substrate, the substrate is instead printed
|
||||
|
|
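Review bot: Replacing the expanded form leaves a number mismatch in "shows an FPCs produced in a standard commercial process"; it should be "shows an FPC produced". The paragraph also still alternates between "FPCs" and "Flexible PCBs" for the same thing.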
@ -652,10 +653,9 @@ mechanically fragile contacts that must be contacted using a soft material, usua
|
|||
\end{subfigure}
|
||||
\quad
|
||||
\begin{subfigure}[t]{0.3\textwidth}
|
||||
\centering\includegraphics[width=\linewidth]{connector_stacking.jpg}
|
||||
\caption{Elastomeric connector landing pattern as well as stacking board-to-board connector
|
||||
(specimen~\sampleno{H17}).}
|
||||
\label{hsm_fig_connector_stack}
|
||||
\centering\includegraphics[width=\linewidth]{connector_elastomeric.jpg}
|
||||
\caption{Direct soldering of an FPC and an elastomeric connector (specimen~\sampleno{H31}).}
|
||||
\label{hsm_fig_connector_elastomeric}
|
||||
\end{subfigure}
|
||||
\quad
|
||||
\begin{subfigure}[t]{0.3\textwidth}
|
||||
|
|
@ -665,9 +665,10 @@ mechanically fragile contacts that must be contacted using a soft material, usua
|
|||
\end{subfigure}
|
||||
\quad
|
||||
\begin{subfigure}[t]{0.3\textwidth}
|
||||
\centering\includegraphics[width=\linewidth]{connector_elastomeric.jpg}
|
||||
\caption{Direct soldering of an FPC and an elastomeric connector (specimen~\sampleno{H31}).}
|
||||
\label{hsm_fig_connector_elastomeric}
|
||||
\centering\includegraphics[width=\linewidth]{connector_stacking.jpg}
|
||||
\caption{Elastomeric connector landing pattern as well as stacking board-to-board connector
|
||||
(specimen~\sampleno{H17}).}
|
||||
\label{hsm_fig_connector_stack}
|
||||
\end{subfigure}
|
||||
\quad
|
||||
\begin{subfigure}[t]{0.3\textwidth}
|
||||
|
|
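Review bot: Check for references that name these subfigures by letter or by position. Swapping the connector_stacking.jpg and connector_elastomeric.jpg blocks here and in the previous hunk changes their subfigure letters, so only references made through \ref{hsm_fig_connector_stack} and \ref{hsm_fig_connector_elastomeric} stay correct.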
@ -779,7 +780,7 @@ three-dimensional structures from planar meshes. Figure~\ref{hsm_fig_3d_struct}
|
|||
we saw among our samples. Figure~\ref{hsm_fig_3d_struct_folded_overlap} and
|
||||
Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} have meshes produced as flexible printed circuits, in
|
||||
Figure~\ref{hsm_fig_3d_struct_folded_overlap} using a standard photolithographic copper/polyimide FPC process usually
|
||||
used for flexible PCBs, and in Figure~\ref{hsm_fig_3d_struct_folded_nooverlap} using a standard silver ink
|
||||
used for flexible PCBs, and in Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} using a standard silver ink
|
||||
screenprinting process. The choice in Figure~\ref{hsm_fig_3d_struct_folded_no_overlap} not to overlap the mesh in the
|
||||
corner is likely caused by manufacturing considerations, since it might be difficult to ensure proper folding of a small
|
||||
foil tab with adhesive pre-applied.
|
||||
|
|
@ -850,8 +851,8 @@ the lid using board-to-board stacking connectors (cf. Figure~\ref{hsm_fig_connec
|
|||
mesh PCB was soldered flat on top of the base PCB to cover the open side of the mesh lid, creating an overlap at the
|
||||
edges. In specimen~\sampleno{H08}, a card payment terminal, a simpler construction was used with a simple metal ring
|
||||
soldered to the base PCB mechanically shielding the edge. We are unable to ascertain why this purely mechanical
|
||||
shielding technique was used instead of the more secure overlapping technique seen in sample~\ref{H03}, which should
|
||||
have a similar, low manufacturing cost.
|
||||
shielding technique was used instead of the more secure overlapping technique seen in sample~\sampleno{H03}, which
|
||||
should have a similar, low manufacturing cost.
|
||||
|
||||
Figure~\ref{hsm_fig_3d_struct_lds} shows the result of Laser Direct Structuring (LDS), a process that avoids some of the
|
||||
limitations of thermoformed planar meshes. In LDS, a plastic part is covered in a conductive pattern in a combination of
|
||||
|
|
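Review bot: The corrected reference reads "sample~\sampleno{H03}", while the sentence before it in the same hunk uses "specimen~\sampleno{H08}"; use "specimen" here as well for consistency.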
@ -937,17 +938,16 @@ we commonly found a combination of a rigid PCB mesh in the specimen's main PCB a
|
|||
structure above its main PCB. The mesh inside the rigid PCB would protect the payload components soldered to the top
|
||||
surface of the PCB such as pin pad buttons or crytographic coprocessors from probing from underneath, while the flexible
|
||||
mesh lid would protect them from attacks from above or from the side. We only found two specimens that wrapped an entire
|
||||
payload PCB inside of a mesh, the Utimaco datacenter HSM appliance \sampleno{H30} and an older Ingenico payment
|
||||
terminal,\sampleno{H18}. Only the datacenter HSM followed this approach through, its manufacturer going to some length
|
||||
payload PCB inside of a mesh, the Utimaco datacenter HSM appliance (\sampleno{H30}) and an older Ingenico payment
|
||||
terminal (\sampleno{H18}). Only the datacenter HSM followed this approach through, its manufacturer going to some length
|
||||
to carefully fold the mesh around corners and the entry point of its Flat Flex Cable (FFC) connections to the outside
|
||||
world to avoid possible weak points there. The payment terminal module had weak points at the corners of the wrapped
|
||||
mesh, and its wrapping pattern only covered five of the six sides of a cuboid, with the remaining side left open to
|
||||
allow for the payload PCB to pass out of the mesh for its external connections.
|
||||
|
||||
We found an approximately even split between flexible copper/polyimide printed circuit (FPCs) and silver ink printing
|
||||
processes being used for flexible meshes. Printed carbon ink processes were less popular, presumably because they offer
|
||||
no significant cost savings but the resulting mesh has a much higher electrical resistance, limiting possible mesh
|
||||
length.
|
||||
We found an approximately even split between copper/polyimide FPCs and silver ink printing processes being used for
|
||||
flexible meshes. Printed carbon ink processes were less popular, presumably because they offer no significant cost
|
||||
savings but the resulting mesh has a much higher electrical resistance, limiting possible mesh length.
|
||||
|
||||
We found potting was only infrequently used across our sample, presumably because of the limited protection it provides.
|
||||
We found conductive ink printed meshes commonly used opaque base foils and opaque lacquer cover layers to obscure their
|
||||
|
|
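Review bot: In the unchanged context line just above the edit, "crytographic coprocessors" is still misspelled and should be "cryptographic". In the rewritten sentence, "followed this approach through" would read better as "followed through on this approach".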
@ -1221,7 +1221,7 @@ Chapter~\ref{chapter_sampling_mesh_mon}.
|
|||
|
||||
CT imaging presents a serious threat to any HSM design that relies on its mesh layout remaining secret. For instance,
|
||||
the Gore tamper sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias
|
||||
are lasered into a specially preparte area on the mesh foil to randomize the connection pattern of the mesh on a
|
||||
are lasered into a specially prepared area on the mesh foil to randomize the connection pattern of the mesh on a
|
||||
unit-by-unit basis. CT imaging could be used to discern this type of customization. Furthermore, CT imaging can be used
|
||||
to provide sub-millimeter accurate positioning for an attack, even if the specimen to be attacked has large production
|
||||
tolerances. We found that CT imaging can be made more difficult using three complementary techniques.
|
||||
|
|
|
|||