From f7d35640074d159923599faedbd3d18cc56a828b Mon Sep 17 00:00:00 2001 From: jaseg Date: Tue, 11 Nov 2025 16:26:17 +0100 Subject: [PATCH] Fixes from notes --- chapter-conclusion/chapter.tex | 31 +++++++++-------- chapter-epa/chapter.tex | 9 ++--- chapter-hsms/chapter.tex | 57 ++++++++++++++++++++------------ chapter-ihsm/chapter.tex | 16 +++++---- chapter-introduction/chapter.tex | 22 ++++++------ chapter-nice-coils/chapter.tex | 12 ++++--- 6 files changed, 83 insertions(+), 64 deletions(-) diff --git a/chapter-conclusion/chapter.tex b/chapter-conclusion/chapter.tex index df0f571..5abf318 100644 --- a/chapter-conclusion/chapter.tex +++ b/chapter-conclusion/chapter.tex 
@@ -1,23 +1,22 @@ \chapter{Conclusion} \newpage -In this thesis, we proposed Inertial Hardware Security Modules (IHSMs), a completely new approach to physical security -that combines conventional tamper-sensing meshes with physical movement to bootstrap a highly secure system from -low-security, off-the-shelf parts. To motivate our research, we showed on the German national digital health record -system how hardware security is hard to achieve in practice. Besides some minor cryptographic oddities, our analysis -revealed at least one essential specification mistake that negates the hardware security of the system by unnecessarily -introducing a poorly protected HSM. In the following chapters, we first introduced IHSM technology, then provided deep -analyses of two of its engineering challenges, mesh monitoring and power transfer. We propose a low-cost TDR-based mesh -monitoring system that exceeds the capabilities of all previous systems from academic or from patent literature by -monitoring large meshes while simultaneously providing detailed results. Our TDR-based mesh monitoring system is of -independent interest, since it can also be integrated into traditional HSM designs. Besides improved mesh monitoring, we -also proposed a new, generalized design for high-frequency PCB inductors with low parasitic capacitance. Our design -provides better bandwidth and lower parasitic capacitance compared to the state of the art without increasing -implementation cost. We concluded our thesis with two chapters elaborating on two new use cases that are made possible -by IHSM technology due to its ability to protect large payloads that have high power consumption. +In this thesis, we propose Inertial Hardware Security Modules (IHSMs), a new approach to physical security that combines +conventional tamper-sensing meshes with physical movement to bootstrap a highly secure system from low-security, +off-the-shelf parts. 
To motivate our research, we show on the German national digital health record system how hardware +security is hard to achieve in practice. Besides some minor cryptographic oddities, our analysis reveals at least one +essential specification mistake that negates the hardware security of the system by unnecessarily introducing a poorly +protected HSM. We provide a deep analyses of two key engineering challenges in IHSM construction, mesh monitoring and +power transfer. We propose a low-cost TDR-based mesh monitoring system that exceeds the capabilities of previous systems +from academic or from patent literature. Our system is capable of monitoring large meshes while simultaneously providing +detailed results. Our TDR-based mesh monitoring system is of independent interest, since it can also be integrated into +traditional HSM designs. We additionally propose a new, generalized design for high-frequency PCB inductors with low +parasitic capacitance. Our design provides better bandwidth and lower parasitic capacitance compared to the state of the +art without increasing implementation cost. We conclude this thesis with two chapters elaborating on two new use cases +that are made possible by IHSM technology due to its ability to protect large payloads that have high power consumption. -We believe that with the research presented in this thesis, we substantially advanced the physical security field. In -particular, we belive that by publishing our research including its artifacts under open-source licenses, we provide the +The research presented in this thesis is aimed at advancing both academic research and applied engineering in hardware +security. We believe that by publishing our research including its artifacts under open-source licenses, we provide the basis for future research in tamper-sensing technology, a field that remains under-served in today's academic landscape. 
Recent history has shown that state-level adversaries are a mounting threat to civil rights organizations, human rights diff --git a/chapter-epa/chapter.tex b/chapter-epa/chapter.tex index 67d9336..910743c 100644 --- a/chapter-epa/chapter.tex +++ b/chapter-epa/chapter.tex @@ -15,8 +15,9 @@ Looking at the landscape of computer security solutions, we are presented with a that may give the impression that hardware security is a solved problem. Vendors sell various claims rangning from \emph{You don't need hardware security, just do it in the cloud!} to \emph{Buy our HSM and you will be secure!}. In practice, things are not as easy and even well-intentioned projects still often go awry on the hardware security -dimension. Concluding this chapter, we will now have a look at one such project that was done by capable people with the -best intentions, yet it resulted in a hardware security design that is dangerously inadequate for the purpose. +dimension. To motivate our research into physical security in this thesis, in this chapter we will have a look at one +such project that was done by capable people with the best intentions, yet it resulted in a hardware security design +that is dangerously inadequate for the purpose. Beginning May 2025, after several delays, Germany has started the nation-scale rollout of its new electronic medical record system. The system aims to create a national database accessible to all healthcare providers that holds the 
@@ -227,8 +228,8 @@ From an academic perspective, it is interesting to see how the ePA ended up in i cryptographic solutions left by academic research that contributed. A fundamental truth in cryptographic engineering is that in the absence of technical checks, political promises are no guarantees of restraint. As such, the degree of trust the ePA system places on organizational measures leads to a concerning overall picture. In particular, the system's -strong reliance on conventional HSMs built to long obsolete security standards as well as on trusted execution -environment technology that has been broken multiple times highlights the need for new approaches to hardware security +extensive reliance on not just conventional HSMs built to long obsolete security standards but also on trusted execution +environments that have been broken multiple times highlights the need for new approaches to hardware security that better accomodate real-world use cases. We believe that Inertial HSMs can address this use case by cleanly separating the physical security primitive into a diff --git a/chapter-hsms/chapter.tex b/chapter-hsms/chapter.tex index a00efb5..cedfe9e 100644 --- a/chapter-hsms/chapter.tex +++ b/chapter-hsms/chapter.tex 
@@ -12,11 +12,23 @@ line of defense in such physical security systems goes back more than a century, being used in the late 19\textsuperscript{th} century, around the widespread commercialization of electricity. Today, active tamper sensing meshes are used in a wide array of devices ranging from card payment terminals to atomic bombs. -In this chapter, we will start with a brief history of secure hardware with a particular focus on tamper sensing meshes. -Complementing our historical analysis, we will present the results of a survey of a range of real-world devices that use -tamper sensing meshes and analyze their implementation. We will analyze the gaps left by the current state of the art in -commercial practice, and evaluate how Inertial HSMs could close these gaps to make secure hardware accessible to a wider -range of applications. +In this chapter, we will start with a brief history of tamper sensing meshes. Complementing our historical analysis, we +will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will analyze +their implementation. We will analyze the gaps left by the current state of the art in commercial practice, and evaluate +how Inertial HSMs could close these gaps to make secure hardware accessible to a wider range of applications. The +contributions in this chapter are as follows: + +\begin{itemize} + \item We provide a historical overview of uses of tamper sensing meshes. + \item We provide the first large-scale analysis of real devices incorporating tamper sensing meshes in the academic + record. + \item We create a taxonomy of practical construction techniques and provide both detailed analyis and photos + illustrating them. + \item From our sample, we extract several design patterns that can be applied to increase the security of a design. + \item We note security flaws in several of our samples. 
+ \item We provide the results of CT measurements of multiple samples, and we evaluate their impact on tamper sensing + mesh security. +\end{itemize} \section{The History of Tamper Sensing Meshes} @@ -54,8 +66,9 @@ the widespread adoption of cryptography in commercial applications~\cite{ \subsection{Use by the US Military} -One of the earliest practical uses of tamper sensing meshes is documented in notes on a series of lectures given by -Dr.~David~G. Boak, a specialist in communications security and signal intelligence at the US National Security +One early practical uses of tamper sensing meshes for information security as opposed to the security of some physical +good is documented in notes on a series of lectures given by Dr.~David~G. Boak, a specialist in communications security +and signal intelligence at the US National Security Agency~\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those 
@@ -1255,29 +1268,29 @@ large-area photodiode coupled to a scintillator crystal converting X-ray photons \subsection{Application of Inertial HSM technology} The widespread use of inexpensive but low-security commodity processes shows that in practical applications, cost is -often prioritized over security. The IHSM approach naturally complements such a system that uses a low-security mesh -material and increases its security without needing a more advanced mesh material. The beneficial construction -techniques that we identified above such as the use of multiple, spaced layers and low-contrast trace materials -complement IHSM technology naturally. The three-dimensional layout of a mesh becomes easier in an IHSM implementation -since features like corners between mesh panels or gaps between mesh layers in most layouts are protected by the mesh's -motion. An unintended advantage that results in IHSM implementations over conventional meshes is that they would provide -a level of intrinsic resistance to X-ray and CT imaging. In contrast to optical cameras in the visible spectrum, X-ray -image sensors need integration times in the hundreds of milliseconds or longer, which makes them unsuitable to image a -quickly moving target. +often prioritized over security. The IHSM approach complements such a system that uses a low-security mesh material and +increases its security without needing a more advanced mesh material. Construction techniques that improve the security +of conventional systems such as the use of multiple, spaced layers and low-contrast trace materials can be directly +applied to IHSM systems. The three-dimensional layout of a mesh becomes easier in an IHSM implementation since features +like corners between mesh panels or gaps between mesh layers in most layouts are protected by the mesh's motion. 
An +unintended advantage that results in IHSM implementations over conventional meshes is that they would provide a level of +intrinsic resistance to X-ray and CT imaging. In contrast to optical cameras in the visible spectrum, X-ray image +sensors need integration times in the hundreds of milliseconds or longer, which makes them unsuitable to image a quickly +moving target. \section{Conclusion} -In our survey, we have found a wide variety in tamper sensing mesh construction techniques. Meshes are commonly +In this survey, we have analyzed a wide variety in tamper sensing mesh construction techniques. Meshes are commonly implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push the boundaries of achievable structure size for a given process. The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's -traces. Silver printed circuits like they are normally used for keyboard matrices performed particularly well in this -regard since the silver ink adheres better to some potting compounds than to its plastic carrier substrate. We found -copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust and -can even be forcibly separated from some potting compounds without destroying their traces. +traces. Silver or carbon ink printed circuits like they are normally used for keyboard matrices performed particularly +well in this regard since such inks adheres better to some potting compounds than to its plastic carrier substrate. We +found copper FPCs are commonly used for meshes. 
Interestingly, they seem to be a poor choice since they are very robust +and can even be forcibly separated from some potting compounds without destroying their traces. The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices marketed as hardware security modules. Given the inexpensive nature of tamper sensing meshes and the high price point of @@ -1285,7 +1298,7 @@ such devices, we suspect market segmentation as a driving force behind their man sensing meshes despite their low cost. The primary security standard that is most often cited for the certification of HSMs is the US government's FIPS-140, now in its third version~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}. A peculiarity of this -standard is that it only requires active tamper sensing meshes in the highest of the four security levels it defeies. +standard is that it only requires active tamper sensing meshes in the highest of the four security levels it defines. Overall, we can conclude that the term ``HSM'' does not imply state-of-the-art physical tamper sensing. From an academic point of view, the core finding of our survey is that for academic research on mesh manufacturing, diff --git a/chapter-ihsm/chapter.tex b/chapter-ihsm/chapter.tex index 302a5c0..bf971c0 100644 --- a/chapter-ihsm/chapter.tex +++ b/chapter-ihsm/chapter.tex @@ -1,6 +1,6 @@ \chapterquote{Russell Impagliazzo~\cite{impagliazzoPersonalViewAveragecase1995}}{ One should always assume that people willing to break a system are also willing to use significantly more resources - doing so than legitimate users are willing to spend routinely! + doing so than legitimate users are willing to spend routinely. } \chaptertitle{Inertial Hardware Security Modules} \label{chapter-ihsm} 
@@ -983,9 +983,13 @@ allow the construction of devices secure against a wide range of practical attac specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into (more) -secure hardware. We published all design artifacts of our PoC online, please refer to Appendix~\ref{sec_repo} for -details. The next steps towards a practical application of our design will be to design a manufacturable stator/rotor -interface with inductive power and data transfer integrated into the motor's magnetics and a custom motor driver tuned -for the application that is able to precisely measure both angular velocity and winding current for an added degree of -tamper detection through the measurement of external forces acting on the rotor. +secure hardware. + +Building on the foundations of IHSM construction that we laid out in this chapter, in the following two chapters we will +provide detailed solutions for two key design challenges in IHSM construction. In +Chapter~\ref{chapter_sampling_mesh_mon}, we will introduce a low-cost tamper sensing mesh monitoring circuit based on +Time Domain Reflectometry. Using this approach, we can further strengthen the security of meshes created using simple +manufacturing processes in an IHSM. In Chapter~\ref{chapter-nice-coils}, we approach the question of a +rotation-invariant wireless inductive power supply for an IHSM and provide a planar inductor layout that minimizes +voltage ripple with IHSM rotation. diff --git a/chapter-introduction/chapter.tex b/chapter-introduction/chapter.tex index 593fc8d..c7ed721 100644 --- a/chapter-introduction/chapter.tex +++ b/chapter-introduction/chapter.tex 
@@ -18,16 +18,16 @@ attempts by states and other authorities to insert backdoor access mechanisms in andersonSecurityEngineeringGuide2020, }. -The aversion of cryptographers against backdoor access shows up everywhere---from cryptographic protocol standards like -TLS, to cryptographic applications like the Signal messenger, not only is backdoor access excluded from the system -design, its possibility is considered a potential vulnerability and measures such as forward secrecy and post-compromise -security are taken to mitigate its impact when it is achieved through other means. In computing, this design aspect -makes cryptographic protocols a unique holdout. In other parts of the stack, explicit or implicit backdoor access is -commonplace, and attempts at preventing it are rare. For instance, network providers are generally required to comply -with so-called \emph{Lawful Interception} orders on particular customers or traffic types, and datacenter operators -commonly provide hardware access to state authorities. The design decisions in cryptographic protocols generally hold, -and the gold standard for backdoor access to modern systems is either exploiting a \emph{zero-day} flaw that is not yet -publically known, or acquiring physical access to the target system. +The aversion of cryptographers against backdoor access shows up everywhere. From cryptographic protocol standards like +TLS, to cryptographic applications like the Signal messenger, backdoor access is not only excluded from the system +design, its possibility is considered a potential vulnerability. Measures such as forward secrecy and post-compromise +security are taken to mitigate its impact. In computing, this design aspect makes cryptographic protocols a unique +holdout. In other parts of the stack, explicit or implicit backdoor access is commonplace, and attempts at preventing it +are rare. 
For instance, network providers are generally required to comply with so-called \emph{Lawful Interception} +orders on particular customers or traffic types, and datacenter operators commonly provide hardware access to state +authorities. The design decisions in cryptographic protocols generally hold, and the gold standard for backdoor access +to modern systems is either exploiting a \emph{zero-day} flaw that is not yet publically known, or acquiring physical +access to the target system. \section{Research Questions} @@ -132,7 +132,7 @@ because of cost, computing power or implementation effort. Where conventional HS only expose limited APIs to their users, Inertial HSMs at their core are just an enclosure that the user can put whatever hardware they need into. Since the simpler tamper-sensing mesh construction of IHSMs scales to larger payload volumes, entire servers can be protected---something that is impossible with conventional HSMs. Since the mesh in an -IHSM is constantly moving, unlike a mesh in a convetional HSM, it does not have to entirely cover the payload. Instead, +IHSM is constantly moving, unlike a mesh in a conventional HSM, it does not have to entirely cover the payload. Instead, it can have gaps that allow for air flow between outside and inside, enabling active cooling of the IHSM's payload. This cooling capability sharply increases computing power by increasing feasible payload power dissipation by two orders of magnitude. diff --git a/chapter-nice-coils/chapter.tex b/chapter-nice-coils/chapter.tex index fa3d575..8cb016e 100644 --- a/chapter-nice-coils/chapter.tex +++ b/chapter-nice-coils/chapter.tex 
@@ -1,11 +1,13 @@ \chaptertitle{Rotation-Invariant Envelope Power Supply} +\label{chapter-nice-coils} % Twisted Inductor paper A central engineering challenge in inertial HSMs is transferring power and data between the payload and the rotating -mesh cage. Industrially, power and data transfer through rotating joints is usually done using slip ring assemblies. A -slip ring consists of one or more contacts that wipe on a rotating circular surface. Industrially, metal spring contacts -plated with hard gold or other common surface coatings are used for transferring small currents and data signals, and -carbon brushes are used for higher currents. Slip rings are widely used in motors and other rotating machinery. +mesh cage (cf.\ Chapter~\ref{chapter-ihsm}). Industrially, power and data transfer through rotating joints is usually +done using slip ring assemblies. A slip ring consists of one or more contacts that wipe on a rotating circular surface. +Industrially, metal spring contacts plated with hard gold or other common surface coatings are used for transferring +small currents and data signals, and carbon brushes are used for higher currents. Slip rings are widely used in motors +and other rotating machinery. For use in IHSMs, slip rings have several limitations. First, they are complex precision-machined components and thus are rather expensive. Beyond cost, they also have performance limitations. Generally, slip rings are most well-suited to 
@@ -64,7 +66,7 @@ circuits. \end{figure} \todo{Not final graphics. Get proper scans for camera-ready version} -In the WPT link powering the rotating mesh of an IHSM presentsan unusual set of constraints, which does not seem to be +In the WPT link powering the rotating mesh of an IHSM presents an unusual set of constraints, which does not seem to be addressed adequately in the existing literature on inductive WPT yet. To reduce the need for custom-wound inductors, we settled on using a planar inductor implemented in a Printed Circuit Board (PCB). Such planar PCB inductors are limited by the structure size limits of the PCB process, resulting in rotational asymmetry due to the trace width. Planar
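Review bot: In the conclusion hunk (chapter-conclusion, @@ -1,23 +1,22 @@), the added line "We provide a deep analyses of two key engineering challenges in IHSM construction, mesh monitoring and power transfer" has a number-agreement error; make it "a deep analysis of two key engineering challenges" (or "deep analyses of"), and consider a colon before "mesh monitoring and power transfer" since that list is an apposition. The switch from past tense ("proposed", "showed", "concluded") to present tense ("propose", "show", "conclude") is consistent throughout the replaced paragraph, and the "belive" typo in the old second paragraph no longer appears in the new text.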
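Review bot: In the first chapter-epa hunk (@@ -15,8 +15,9 @@), the added sentence stacks two scope phrases, "To motivate our research into physical security in this thesis, in this chapter we will have a look at one such project"; one of them is enough, e.g. "To motivate the research in this thesis, this chapter looks at one such project". The unchanged context line two lines above still reads "Vendors sell various claims rangning from"; since this commit is a pass over typos ("Fixes from notes"), "rangning" should become "ranging" in the same hunk.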
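Review bot: In the second chapter-epa hunk (@@ -227,8 +228,8 @@), the added "extensive reliance on not just conventional HSMs built to long obsolete security standards but also on trusted execution environments" has the preposition on both sides of the correlative; for parallel structure move it inside: "reliance not just on conventional HSMs ... but also on trusted execution environments". The trailing context line "that better accomodate real-world use cases" still carries the misspelling "accomodate" (should be "accommodate") and could be fixed while this paragraph is being touched.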
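Review bot: In the chapter-hsms introduction hunk (@@ -12,11 +12,23 @@), the new contributions list has a typo in "provide both detailed analyis and photos illustrating them" (should be "analysis"). In the paragraph above it, "we will analyze their implementation. We will analyze the gaps left by" repeats the same verb in consecutive sentences; rewording one of them (e.g. "we will examine their implementation") reads better. The item "We provide the first large-scale analysis of real devices incorporating tamper sensing meshes in the academic record" is a priority claim; hedging it as "To our knowledge, the first" or backing it with the related-work discussion would make it easier to defend. Also note that this chapter writes "tamper sensing meshes" while the conclusion hunk writes "tamper-sensing meshes"; pick one hyphenation across the thesis.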
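Review bot: In the "Use by the US Military" hunk (chapter-hsms, @@ -54,8 +66,9 @@), the new opening "One early practical uses of tamper sensing meshes for information security as opposed to the security of some physical good is documented in notes" mixes singular and plural; make it "One early practical use of tamper sensing meshes for information security, as opposed to the security of some physical good, is documented in notes", with the commas setting off the contrast so the subject and verb are easy to pair.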
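Review bot: In the application/conclusion hunk (chapter-hsms, @@ -1255,29 +1268,29 @@), three agreement issues appear in the added lines: "we have analyzed a wide variety in tamper sensing mesh construction techniques" should be "a wide variety of"; "such inks adheres better to some potting compounds than to its plastic carrier substrate" should be "such inks adhere better ... than to their plastic carrier substrates"; and "We found copper FPCs are commonly used for meshes" reads better as "We found that copper FPCs are commonly used for meshes". The rest of the rewrite (dropping "naturally" twice, generalizing "Silver printed circuits" to "Silver or carbon ink printed circuits") is consistent with the survey text in the earlier paragraph of the same hunk.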
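Review bot: In the chapter-ihsm epigraph hunk (@@ -1,6 +1,6 @@), the change from "routinely!" to "routinely." edits the punctuation of a quotation attributed to Russell Impagliazzo via \cite{impagliazzoPersonalViewAveragecase1995}; check the cited source and keep the original punctuation if the exclamation mark is what he wrote, since \chapterquote presents this as his words rather than a paraphrase.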
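Review bot: In the chapter-ihsm summary hunk (@@ -983,9 +983,13 @@), two sentences are removed without a replacement elsewhere in the patch. The first, "We published all design artifacts of our PoC online, please refer to Appendix~\ref{sec_repo} for details", is the only pointer to the artifact appendix in this chapter, and the conclusion hunk still relies on the artifacts being published under open-source licenses; keep the pointer (as a separate sentence, since the comma splice is its only fault) or move it to the conclusion. The second, the "next steps" sentence about a manufacturable stator/rotor interface and a motor driver measuring angular velocity and winding current, is future work that now appears nowhere; it belongs in the conclusion chapter rather than in the bin. Separately, the new cross-reference \ref{chapter_sampling_mesh_mon} uses an underscore while the sibling labels chapter-ihsm and chapter-nice-coils use hyphens, and this patch adds \label{chapter-nice-coils} but no corresponding \label{chapter_sampling_mesh_mon}; confirm that label already exists so the reference does not come out as "??".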
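Review bot: In the chapter-introduction backdoor hunk (@@ -18,16 +18,16 @@), splitting the long sentence is an improvement, but the rewrite drops the qualifier "when it is achieved through other means" from the forward-secrecy sentence. The result, "its possibility is considered a potential vulnerability. Measures such as forward secrecy and post-compromise security are taken to mitigate its impact.", leaves "its" pointing at "possibility" and loses the point that these measures limit the damage of a compromise obtained by other means; suggest "Measures such as forward secrecy and post-compromise security are taken to limit the impact of access obtained through other means." The added line "not yet publically known" should also read "publicly".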
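Review bot: In the first chapter-nice-coils hunk (@@ -1,11 +1,13 @@), placing \label{chapter-nice-coils} directly after \chaptertitle{...} matches the \label{chapter-ihsm} placement visible in the chapter-ihsm hunk, so \ref{chapter-nice-coils} should resolve to the chapter number as long as \chaptertitle steps the chapter counter. In the rewrapped paragraph, "Industrially, power and data transfer through rotating joints is usually done using slip ring assemblies" and "Industrially, metal spring contacts plated with hard gold" open consecutive sentences with the same adverb; dropping the second "Industrially," avoids the repetition.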
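Review bot: In the second chapter-nice-coils hunk (@@ -64,7 +66,7 @@), fixing "presentsan" to "presents an" leaves the sentence without a subject: "In the WPT link powering the rotating mesh of an IHSM presents an unusual set of constraints". Drop the leading "In" so it reads "The WPT link powering the rotating mesh of an IHSM presents an unusual set of constraints", and since the relative clause refers to the plural "constraints", change "which does not seem to be addressed adequately" to "which do not seem to be addressed adequately". The \todo{Not final graphics...} line in the context above is still open and should be tracked before the camera-ready version.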