HSMs WIP
parent aac6d0da21
commit f2b3523e3a
1 changed files with 166 additions and 0 deletions
@ -13,3 +13,169 @@ security module from other, weaker secure hardware primitives such as Smart Card
|
|||
|
||||
% FIXME include stuff from hsm survey paper
|
||||
% FIXME include stuff from EPA paper
|
||||
|
||||
\section{The History of Tamper Sensing Meshes}
|
||||
|
||||
\subsection{Use by the US Military}
|
||||
|
||||
Electronic tamper sensing meshes are documented in literature beginning around World War \RN{2}. The earliest mention of
|
||||
such a system we are aware of is from notes on a series of lectures given by Dr.~David~G. Boak, a specialist in
|
||||
communications security and signal intelligence at the US National Security
|
||||
Agency\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
|
||||
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
|
||||
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
|
||||
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
|
||||
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
|
||||
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
|
||||
response, reliably zeroizing the cryptographic keys would be sufficient. Today, this approach is universally taken. Boak
|
||||
does note several other ways to penalize an intrusion attempt, including raising a remote alarm or--even more
|
||||
exciting--exploding the device.
|
||||
|
||||
\subsection{Use in Nuclear Weapons}
|
||||
|
||||
Communications security was not the earliest use of tamper-sensing membranes in the US military, with Boak mentioning
|
||||
HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such
|
||||
systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a
|
||||
PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were
|
||||
developed as a consequence of nuclear weapons being stationed in countries allied with the US during the cold war. The
|
||||
concern was that the host country might forcibly assume control over the US nuclear weapons stationed on their soil. The
|
||||
stated goal of PALs is to protect the weapon from use without a secret passcode known only to US military command. To
|
||||
achieve this goal, PALs will lock themselves when incorrect codes are entered. To protect against both intentional
|
||||
tampering aiming to circumvent the PAL, as well as against accidential detonation under extreme environmental
|
||||
conditions, PALs are designed such that any tampering attempt as well as any environmental deviation will be sensed by
|
||||
the PAL, and will lead to the weapon being destroyed in a less harmful way that does not cause the full-scale nuclear
|
||||
explosion that the weapon is capable of. This goal is achievable in practice since nuclear weapons are reportedly very
|
||||
sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation
|
||||
when triggered in just the right way.
|
||||
|
||||
While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper-sensing
|
||||
membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been
|
||||
in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control.
|
||||
|
||||
\subsection{Use in Nuclear Safeguards}
|
||||
|
||||
Besides being used in nuclear weapons, tamper-sensing systems have another, more peaceful application in the nuclear
|
||||
field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear
|
||||
energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at
|
||||
civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the
|
||||
history of nuclear material passing through these facilities.
|
||||
|
||||
When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
|
||||
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
|
||||
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
|
||||
seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or
|
||||
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
|
||||
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
|
||||
brigh color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
|
||||
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
|
||||
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
|
||||
that drilling or cutting into something like a steel enclosure will leave detectable traces, and that perfectly
|
||||
replicating an object including features such as minute surface imperfections is infeasible even to a nation
|
||||
state~\cite{iaea2011}.
|
||||
|
||||
In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
|
||||
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
|
||||
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
|
||||
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
|
||||
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
|
||||
back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own
|
||||
readings~\cite{simmonsHowInsureThat1988}
|
||||
|
||||
With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
|
||||
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
|
||||
transducers or optical fibers inside an enclosure's walls to detect tampering, but states that these efforts have not
|
||||
yielded practical results primarily due to cost concerns. In contrast to these sensors, the IAEA's Electro-Optic Sealing
|
||||
System (EOSS) uses a flexible tamper sensing mesh that contains some sort of conductive traces in the same way it is
|
||||
used in contemporary hardware security modules to detect attempts at drilling or cutting into the
|
||||
system~\cite{iaea2011,tolkSafeguardsSensorsSystems2007}. Unfortunately, no information on the precise construction of
|
||||
the tamper sensing mesh such as materials used or structure sizes are publically available.
|
||||
|
||||
\subsection{Commercial Use}
|
||||
|
||||
Commercially, tamper sensing meshes have entered widespread use beginning around the turn of the millennium, initially
|
||||
in then-new HSMs, cryptographic coprocessors primarily aimed at the financial
|
||||
industry~\cite{andersonSecurityEngineeringGuide2020}. Today, their use in finance has spread from HSMs in datacenters
|
||||
and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right at the source, as well as in all kinds
|
||||
of card payment terminals. We will analyze two such ATM pin pads later in this paper.
|
||||
|
||||
HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
|
||||
hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this
|
||||
paper, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.
|
||||
|
||||
Beyond finance, tamper-sensing meshes have found applications in a variety of other use cases as well. For instance, we
|
||||
have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit
|
||||
analyzed in this paper. Furthermore, we have identified at least one model of key safe that in Germany is mounted
|
||||
externally on public buildings to provide keys to emergency services, and which includes a tamper sensing mesh on its
|
||||
outside-facing wall to detect attempts at drilling into it. Finally, we have found a processing unit used in a series of
|
||||
mid-2000s era slot machines in Germany that includes a tamper-sensing mesh, presumably to prevent modification or
|
||||
cloning. This device will also be analyzed later in this chapter.
|
||||
|
||||
\section{The Principles of Tamper-Sensing Mesh Construction and Monitoring}
|
||||
\subsection{Security Mesh Manufacturing}
|
||||
\subsection{Security Mesh Monitoring}
|
||||
\subsection{Other Tamper Sensing Techniques}
|
||||
\subsection{Hardware Security Module Applications}
|
||||
\subsection{The Patent Landscape}
|
||||
|
||||
\section{A Survey of Meshes in the Wild}
|
||||
|
||||
Concluding the brief history of tamper sensing meshes above, we find that they were initially developed for sensitive
|
||||
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
|
||||
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
|
||||
became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
|
||||
adoption of PCB and Flexible Printed Circuit (FPC) production processes enabled their use as inexpensive,
|
||||
high-resolution substrates for such meshes. In this section, we will examine a large sample of recent devices that
|
||||
include tamper-sensing meshes to gain an understanding of how they are implemented, and what security level they are
|
||||
targeted towards. Since we were unable to acquire a nuclear weapon for our research, we limited our survey to commercial
|
||||
devices with a focus on card payment terminals, which represent the most varied class of device incorporating such
|
||||
meshes.
|
||||
|
||||
\subsection{Sample Selection}
|
||||
|
||||
Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
|
||||
this survey, we chose 21 different models of card payment terminals, and 6 other devices. All devices were procured from
|
||||
ebay, and the majority were sold by electronic waste recycling companies.
|
||||
|
||||
\subsubsection{Card Payment Terminals}
|
||||
|
||||
Card payment terminals commonly include advanced tamper sensing features to discourage physical attacks such as
|
||||
skimming that aim to exfiltrate card data and PINs entered by the customer. The Payment Card Industry Security Standards
|
||||
Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto
|
||||
standardization organization in the card payment space. Due to the international scale of the large credit card
|
||||
networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC
|
||||
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level
|
||||
of security than one might expect from an industry association.
|
||||
|
||||
The concrete requirements in the PCI SSC standards boil down to a list of logical requirements regarding key handling
|
||||
that
|
||||
|
||||
\section{Conclusion}
|
||||
|
||||
In our survey, we have found a wide variety in tamper sensing mesh construction techniques. Meshes are commonly
|
||||
implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also
|
||||
carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards
|
||||
are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push
|
||||
the boundaries of achievable structure size for a given process.
|
||||
|
||||
The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's
|
||||
traces. Silver printed circuits like they are normally used for keyboard matrices performed particularly well in this
|
||||
regard since the silver ink adheres better to some potting compounds than to its plastic carrier substrate. We found
|
||||
copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust and
|
||||
can even be forcibly separated from some potting compounds without destroying their traces.
|
||||
|
||||
The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices
|
||||
marketed as hardware secuirty modules. Given the inexpensive nature of tamper sensing meshes and the high price point of
|
||||
such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper
|
||||
sensing meshes. We conclude from this observation that the term ``HSM'' does not imply state-of-the-art physical tamper
|
||||
sensing.
|
||||
|
||||
From an academic point of view, the core finding of our survey is that tamper sensing meshes manufactured in a number of
|
||||
commercial manufacturing processes would yield acceptable surrogates for real devices found in the wild. With the
|
||||
exception of a single device that used a particularly fine structure size in the \qty{100}{\micro\meter} range, none of
|
||||
the devices we examined utilized particularly non-obvious construction techniques.
|
||||
|
||||
Form an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic
|
||||
construction techniques. Implementing such a system that matches the security of other systems seen in the wild should
|
||||
be achievable to most engineers.
|
||||
|
||||
|
||||
|
|
|
|||
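Review bot: The paragraph under \subsubsection{Card Payment Terminals} breaks off mid-sentence ("... a list of logical requirements regarding key handling that") directly before \section{Conclusion}; finish it or mark it with a % FIXME like the two at the top of the hunk, so the fragment cannot slip into a build unnoticed. The five \subsection headings under "The Principles of Tamper-Sensing Mesh Construction and Monitoring" are empty as well and would benefit from the same marker. Spelling to fix before this leaves WIP: "accidential" (Use in Nuclear Weapons), "brigh color" and "publically" (Use in Nuclear Safeguards), "ebay" (Sample Selection), "secuirty" and "Form an engineering point of view" (Conclusion). The sentence ending in \cite{simmonsHowInsureThat1988} is missing its period, and the Boak paragraph uses both --- and -- for the same kind of dash. Commercial Use refers to the text as "this paper" three times and then as "this chapter"; pick one. In Use in Nuclear Safeguards the process is described for aluminium enclosures, but the underlying assumption is then stated for "something like a steel enclosure"; consider aligning the two.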