489 lines
35 KiB
TeX
489 lines
35 KiB
TeX
|
|
\chapterquote{An unnamed atomic bomb designer~\cite{blechmanTechnologyLimitationInternational1989}}{
|
|
Bypassing a PAL [atomic bomb ignition code lock] should be about as complex as performing a tonsillectomy while
|
|
entering the patient from the wrong end.
|
|
}
|
|
|
|
\chaptertitle{Hardware Security Modules in the Wild}
|
|
|
|
In this chapter we will take a look at how Hardware Security Modules are built and what they are used for. We will
|
|
analyze the gaps left by the current state of the industry, and evaluate how Inertial HSMs could close these gaps to
|
|
make secure hardware accessible to everyone. We will start with a brief history of secure hardware with a particular
|
|
focus on tamper-sensing meshes since the tamper-sensing mesh is the primary line of defense that delineates a hardware
|
|
security module from other, weaker secure hardware primitives such as Smart Cards or Trusted Platform Modules (TPMs).
|
|
|
|
% FIXME include stuff from EPA paper
|
|
|
|
\section{The History of Tamper Sensing Meshes}
|
|
|
|
\subsection{Use by the US Military}
|
|
|
|
Electronic tamper sensing meshes are documented in literature beginning around World War \RN{2}. The earliest mention of
|
|
such a system we are aware of is from notes on a series of lectures given by Dr.~David~G. Boak, a specialist in
|
|
communications security and signal intelligence at the US National Security
|
|
Agency\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
|
|
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
|
|
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
|
|
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
|
|
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
|
|
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
|
|
response, reliably zeroizing the cryptographic keys would be sufficient. Today, this approach is universally taken. Boak
|
|
does note several other ways to penalize an intrusion attempt, including raising a remote alarm or--even more
|
|
exciting--exploding the device.
|
|
|
|
\subsection{Use in Nuclear Weapons}
|
|
|
|
Communications security was not the earliest use of tamper-sensing membranes in the US military, with Boak mentioning
|
|
HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such
|
|
systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a
|
|
PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were
|
|
developed as a consequence of nuclear weapons being stationed in countries allied with the US during the cold war. The
|
|
concern was that the host country might forcibly assume control over the US nuclear weapons stationed on their soil. The
|
|
stated goal of PALs is to protect the weapon from use without a secret passcode known only to US military command. To
|
|
achieve this goal, PALs will lock themselves when incorrect codes are entered. To protect against both intentional
|
|
tampering aiming to circumvent the PAL, as well as against accidential detonation under extreme environmental
|
|
conditions, PALs are designed such that any tampering attempt as well as any environmental deviation will be sensed by
|
|
the PAL, and will lead to the weapon being destroyed in a less harmful way that does not cause the full-scale nuclear
|
|
explosion that the weapon is capable of. This goal is achievable in practice since nuclear weapons are reportedly very
|
|
sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation
|
|
when triggered in just the right way.
|
|
|
|
While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper-sensing
|
|
membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been
|
|
in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control.
|
|
|
|
\subsection{Use in Nuclear Safeguards}
|
|
|
|
Besides being used in nuclear weapons, tamper-sensing systems have another, more peaceful application in the nuclear
|
|
field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear
|
|
energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at
|
|
civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the
|
|
history of nuclear material passing through these facilities.
|
|
|
|
When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
|
|
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
|
|
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
|
|
seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or
|
|
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
|
|
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
|
|
brigh color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
|
|
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
|
|
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
|
|
that drilling or cutting into something like a steel enclosure will leave detectable traces, and that perfectly
|
|
replicating an object including features such as minute surface imperfections is infeasible even to a nation
|
|
state~\cite{iaea2011}.
|
|
|
|
In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
|
|
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
|
|
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
|
|
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
|
|
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
|
|
back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own
|
|
readings~\cite{simmonsHowInsureThat1988}
|
|
|
|
With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
|
|
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
|
|
transducers or optical fibers inside an enclosure's walls to detect tampering, but states that these efforts have not
|
|
yielded practical results primarily due to cost concerns. In contrast to these sensors, the IAEA's Electro-Optic Sealing
|
|
System (EOSS) uses a flexible tamper sensing mesh that contains some sort of conductive traces in the same way it is
|
|
used in contemporary hardware security modules to detect attempts at drilling or cutting into the
|
|
system~\cite{iaea2011,tolkSafeguardsSensorsSystems2007}. Unfortunately, no information on the precise construction of
|
|
the tamper sensing mesh such as materials used or structure sizes are publically available.
|
|
|
|
\subsection{Commercial Use}
|
|
|
|
Commercially, tamper sensing meshes have entered widespread use beginning around the turn of the millennium, initially
|
|
in then-new HSMs, cryptographic coprocessors primarily aimed at the financial
|
|
industry~\cite{andersonSecurityEngineeringGuide2020}. Today, their use in finance has spread from HSMs in datacenters
|
|
and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right at the source, as well as in all kinds
|
|
of card payment terminals. We will analyze two such ATM pin pads later in this paper.
|
|
|
|
HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
|
|
hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this
|
|
paper, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.
|
|
|
|
Beyond finance, tamper-sensing meshes have found applications in a variety of other use cases as well. For instance, we
|
|
have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit
|
|
analyzed in this paper. Furthermore, we have identified at least one model of key safe that in Germany is mounted
|
|
externally on public buildings to provide keys to emergency services, and which includes a tamper sensing mesh on its
|
|
outside-facing wall to detect attempts at drilling into it. Finally, we have found a processing unit used in a series of
|
|
mid-2000s era slot machines in Germany that includes a tamper-sensing mesh, presumably to prevent modification or
|
|
cloning. This device will also be analyzed later in this chapter.
|
|
|
|
\section{The Principles of Tamper-Sensing Mesh Construction and Monitoring}
|
|
|
|
\subsection{Tamper-sensing Mesh Manufacturing}
|
|
|
|
The manufacturing technology of a tamper sensing mesh is a critical factor in its security. While in many applications,
|
|
meshes manufactured from off-the-shelf processes such as Flexible Printed Circuit (FPC) processes are used, these
|
|
processes tend to be optimzed to maximize the robustness of the produced circuits to mechanical stress. In contrast, the
|
|
ideal tamper-sensing mesh is exactly as robust as it needs to be not to be destroyed accidentially during normal
|
|
handling, but should not be more robust than that. As a result, more secure meshes tend to be manufactured in bespoke
|
|
manufacturing processes.
|
|
% FIXME cite Immler et al
|
|
|
|
One more widely cited tamper-sensing mesh implementation is a commercial product developed by IBM in collaboration with
|
|
chemical company W.\ L.\ Gore \& Asscociates Inc.\ and used in IBM's datacenter HSM products up to approximately 2020.
|
|
% FIXME mention that Immler et al. cite them
|
|
This mesh design uses a stack of multiple layers of a clear, flexible plastic substrate on which carbon-based traces are
|
|
printed. Vias, i.e. contacts between layers, are made by laser cutting small holes into the substrate before the traces
|
|
are printed. The flexible circuit layers are joined with a opaque black, stretchy glue and after installation embedded
|
|
in an elastic opaque resin. The plastic substrate foil is thinner and significantly less resistant to tearing than
|
|
plastic substrates commonly used in the electronics industry for applications like key pads and circuit boards, which
|
|
improves its security against tampering. Furthermore, both the glue fusing the foil layers together and the resin the
|
|
mesh is embedded inside after installation are clearly co-designed with the carbon trace material such that the trace
|
|
material adheres well to both, leading to the traces being destroyed when either are peeled off.
|
|
|
|
The design of these IBM/Gore meshes is documented in an extensive list of patents, mostly under IBM's name.
|
|
% FIXME list actual patents as citations or table.
|
|
|
|
\subsection{Tamper-sensing Mesh Monitoring}
|
|
|
|
Tamper-sensing meshes are most effective when they are continuously monitored using a backup power supply when the
|
|
larger system is powered off. In practice, the main challenge with continuous monitoring of tamper-sensing meshes is in
|
|
the design of the monitoring circuit. A large portion of industry attention has been spent on designing low-power
|
|
monitoring circuits that are sensitive to tampering with the mesh while using little enough power to enable years of
|
|
operation from a battery. Commonly, one or two cylindrical or large coin cell Lithium primary batteries are used,
|
|
providing in the order of \qtyrange{10}{20}{\watt\hour} over their lifetime. Broken down to an unpowered storage life of
|
|
e.g.\ 5 years, this corresponds to a maximum average power consumption of \qty{450}{\micro\watt}.
|
|
|
|
% FIXME cite patent US20010056542A1, maybe others?
|
|
% relevant categories: (H01L23/576), (G06K19/07372)
|
|
% keyword: wire covering
|
|
% FIXME US10251260B1, US9730315B1 (both square) mention wheatstone bridge
|
|
% FIXME DE2656349A1 mentions bridge circuit but applied to a fence(!)
|
|
To achieve low power consumption, a popular technique known since at least 1902
|
|
% FIXME cite US708093A
|
|
and still used today
|
|
% FIXME cite section on utimaco / gore mesh, cite US20010056542A1 (ibm), US10251260B1, US9730315B1 (square)
|
|
is to measure the mesh's deviation from its baseline value. This measurement can be implemented either by directly
|
|
comparing a mesh trace's resistance with a reference resistor, or using a wheatstone bridge.
|
|
% FIXME cite DE559905C
|
|
This technique, known since at least 1929, is still used in modern HSMs for its simple implementation: Comparators do no
|
|
need a lot of power, and similar to the layout of a strain gauge, the wheatstone bridge circuit can be implemented using
|
|
the mesh's traces. When all traces are interleaved, this also provides some degree of intrinsic temperature
|
|
compensation.
|
|
|
|
% FIXME US10321589B2 cites comparators
|
|
|
|
% US587931A (1897) describes overlapping structure
|
|
% FIXME US7345497B2 uses balanced transmission lines / fast pulses
|
|
|
|
% FIXME NCR Group patent US4593384A mentioned tamper traces in 1984
|
|
% FIXME NCR Group patent US3594770A mentions meshes in 1968
|
|
% FIXME US110362A from 1870 may be oldes mention of mesh I found
|
|
% FIXME US708093A from 1902 shows literal meshes like we do them today, just with wires not PCBs, and also describes
|
|
% bridge-like comparator circuit using counter-wound coils
|
|
% FIXME Hughes Aircraft patent US5568124A mentions mesh-like panels in 1993
|
|
|
|
% NOTE: US3882324A mentions exploding the device as tamper response
|
|
|
|
\subsection{Other Tamper Sensing Techniques}
|
|
|
|
Besides tamper-sensing meshes, environmental sensors such as temperature or light sensors are frequently used as a
|
|
secondary line of defence in HSMs and similar devices. By placing such sensors in the device and verifying the device is
|
|
within its nominal operating environment, tampering can be made less convenient. Modern security standards often mandate
|
|
the implementation of at least a temperature sensor to prevent cold-boot attacks on a device. A multitude of other
|
|
sensors have been proposed, including humidity sensors, vibration sensors, light sensors, magnetometers, and radiation
|
|
sensors such as X-ray sensors have been proposed. While the implementation cost of most sensor types is low, each
|
|
additional environmental sensor comes with an increased false alarm rate. Anecdotally, we have heard of light sensors
|
|
being removed from a datacenter HSM product because they caused frequent false alarms despite extensive efforts like
|
|
custom injection-molded plastic light baffles at all air vents of the device designed to prevent ingress of outside
|
|
light.
|
|
% FIXME citations?
|
|
|
|
\subsection{The Patent Landscape}
|
|
|
|
Tamper-sensing meshes can be implemented in many different ways. Their design offers various degrees of freedom from the
|
|
precise conductor layout, through the manufacturing technology of the mesh and how it is wrapped around the payload
|
|
during manufacturing up to its monitoring circuitry. As a result, manufacturers across application domains from
|
|
datacenter appliance HSMs through card payment terminals and including niche applications like mail franking machines
|
|
have historically used patents on parts of their tamper-sensing mesh implementations as a means to prevent copying of
|
|
their designs. While most original tamper sensing mesh implementations are covered by at least one patent, we want to
|
|
highlight IBM for dwarfing the efforts of most other companies and fielding industry's widest portfolio of related
|
|
patents.
|
|
|
|
While the patent history of HSM-like devices is rather shallow and begins in the 1990ies
|
|
% FIXME cite
|
|
with scarce prior examples,
|
|
% FIXME cite
|
|
tamper-sensing meshes have a much longer history dating back to at least 1870.
|
|
% FIXME cite
|
|
Tamper-sensing meshes were often called \emph{wire coverings} in earlier patent literature from before the widespread
|
|
adoption of printed circuits. Beginning in the late 1800s, there is an abundance of patents claiming such meshes for the
|
|
protection of safes and vault rooms.
|
|
A 1969 NCR patent
|
|
% FIXME cite US10321589B2
|
|
is the earliest mention we were able to find of such a tamper-sensing mesh being implemented in a printed circuit
|
|
process instead of by laying out a physical wire.
|
|
|
|
\section{A Survey of Meshes in the Wild}
|
|
|
|
Concluding the brief history of tamper sensing meshes above, we find that they were initially developed for sensitive
|
|
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
|
|
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
|
|
became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
|
|
adoption of PCB and Flexible Printed Circuit (FPC) production processes enabled their use as inexpensive,
|
|
high-resolution substrates for such meshes. In this section, we will examine a large sample of recent devices that
|
|
include tamper-sensing meshes to gain an understanding of how they are implemented, and what security level they are
|
|
targeted towards. Since we were unable to acquire a nuclear weapon for our research, we limited our survey to commercial
|
|
devices with a focus on card payment terminals, which represent the most varied class of device incorporating such
|
|
meshes.
|
|
|
|
\subsection{Sample Selection}
|
|
|
|
Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
|
|
this survey, we chose 21 different models of card payment terminals, and 6 other devices. All devices were procured from
|
|
ebay, and the majority were sold by electronic waste recycling companies.
|
|
|
|
\subsubsection{Card Payment Terminals}
|
|
|
|
Card payment terminals commonly include advanced tamper sensing features to discourage physical attacks such as
|
|
skimming that aim to exfiltrate card data and PINs entered by the customer. The Payment Card Industry Security Standards
|
|
Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto
|
|
standardization organization in the card payment space. Due to the international scale of the large credit card
|
|
networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC
|
|
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level
|
|
of security than one might expect from an industry association.
|
|
|
|
Physical security standards in card payment applications both on the client side -- payment terminals -- and on the
|
|
server side -- HSM appliances -- are more stringent than one might expect since the finance industry has been reluctant
|
|
to adopt modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or
|
|
Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and
|
|
ancient ciphers such as Triple DES are still commonly referenced in industry
|
|
standards~\cite{pci_security_standards_council_payment_2025}. As a result, increased hardware security is necessary to
|
|
safeguard weak symmetric keys, compensating for the systems' modest cryptographic security.
|
|
|
|
Since card payment terminals are widely deployed, many different models from various manufacturers are available. Each
|
|
manufacturer tends to have their own, patented tamper-sensing implementation. Being manufactured at scale, card payment
|
|
terminals are cost-sensitive devices, which is reflected in the construction of their tamper-sensing implementations.
|
|
|
|
\subsubsection{HSM Appliances}
|
|
|
|
For datacenter applications, HSMs are sold both as add-in cards and as standalone rackmount appliances with a network
|
|
interface. In practice, the standalone appliances are just low-end computers in a rackmount enclosure that expose the
|
|
API of an internal HSM add-in card to the network. In this survey, we were only able to procure a single such HSM since
|
|
these devices are expensive, and even used specimens of older models are usually listed for several hundreds to several
|
|
thousands of EUR. The one sample we procured was a 2011 model Utimaco CryptoServer LAN. Our unit was a white-label
|
|
variant procured by premium TV encryption technology provider Irdeto, presumably used in Germany to produce
|
|
cryptographic key streams for TV signal encryption. We bought the device from a recycling company specialized on
|
|
datacenter components. The device was sold with any HDDs removed. The device consisted of an older mainboard for
|
|
embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of DDR2 RAM, which was connected to the
|
|
HSM add-in card through PCI. The device contained a small Lithium backup battery on the add-in card, and another, larger
|
|
battery in an enclosure at the front of the device that was connected to the card through a cable. The device did not
|
|
contain any obvious case intrusion sensors.
|
|
|
|
\subsubsection{ATM Encrypting Pin Pads}
|
|
|
|
ATMs are built in a modular construction approach. Physically, the enclosure of an ATM is not its only security
|
|
barrier. Besides the enclosure, there are two security barriers worthy of note. First, the bank notes in the machine are
|
|
stored in an automatic cash dispenser that is built into a traditional vault inside the machine. This vault primarily
|
|
acts as a mechanical barrier to discourage theft, but it also often includes tamper sensors that activate an Intelligent
|
|
Banknote Neutralisation System (IBNS). The IBNS is designed to spread hard-to-remove ink over the bank notes inside the
|
|
vault when tampered. The permanently stained bank notes are not accepted by banks or retailers anymore.
|
|
% FIXME cite https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
|
|
% archive: https://web.archive.org/web/20250822134238/https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
|
|
% FIXME cite https://www.ecb.europa.eu/euro/banknotes/damaged/html/index.en.html
|
|
% FIXME cite https://www.bcl.lu/en/Banknotes-and-Coins/remboursement/billets-macules1/index.html
|
|
|
|
Besides the vault, the other secondary security barrier is located inside the ATM's pin pad. While all communication
|
|
with the customer's card passes through an end-to-end encrypted channel from the bank's backends into the card's
|
|
smartcard IC, the customer must necessarily enter their pin in plain text. To prevent leakage of the plaintext PIN, the
|
|
PIN is encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the encryption.
|
|
Often, both the circuit board containing the PIN pad's keyboard matrix and this microcontroller are shielded by a
|
|
tamper-sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and
|
|
transmit the plaintex PIN.
|
|
|
|
We acquired three different EPPs for analysis: Two designed by Sagem and apparently re-sold as a whitelabel product by
|
|
Cryptera and Diebold, respectively, and one made by and branded NCR. All three devices have robust stainless steel front
|
|
cases.
|
|
|
|
\subsubsection{Other miscellaneous devices}
|
|
|
|
Sometimes, tamper-sensing meshes show up in other types of devices. We acquired two such devices. First, we acquired a
|
|
Neopost mail franking machine, a type of device that is used to directly print a code on an envelope that replaces a
|
|
conventional postage stamp.
|
|
|
|
\subsection{Methodology}
|
|
|
|
We proceeded by first photographing every test specimen from multiple angles, then disassembling them. After
|
|
disassembly, we photographed each major component. After photos were taken, we proceeded with destructive techniques
|
|
where necessary to obtain microscope photos of each tamper-sensing mesh component. PCBs were sectioned using a sanding
|
|
drum attachment on a Dremel rotary tool. Potted modules were disassembled using milling, cutting and prying, applying
|
|
heat from a heat gun as necessary to soften polymer compounds and to break glue joints.
|
|
|
|
\subsection{Results}
|
|
|
|
\subsubsection{Overall observations}
|
|
|
|
\paragraph{Mesh materials.}
|
|
We found meshes constructed from rigid PCBs as well as a number of Flexible Printed Circuit (FPC) processes.
|
|
Tamper-sensing meshes constructed from PCBs sometimes used parts of an existing PCB, and sometimes additional PCBs only
|
|
containing a mesh were added. Sometimes, multiple rigid PCB meshes were assembled in a house of cards fashion to enclose
|
|
part of a device. For flexible meshes, with the exception of the Utimaco HSM appliance's HSM card that used an
|
|
off-the-shelf Gore tamper sensing mesh foil were all clearly manufactured either entirely or mostly in standard
|
|
processes. We found silkscreened silver ink and silkscreened carbon ink-based foils similar to those used for membrane
|
|
keyboards, as well as conventional photolithographically etched copper/polyimide Flexible Printed Circuits (FPCs).
|
|
Overall, etched PCBs showed better resolution compared to silkscreen-printed meshes. Feature size for both rigid and
|
|
flexible etched PCB meshes was generally in the order of \qtyrange{100}{200}{\micro\meter}, while feature size for
|
|
printed foil meshes was coarser at between \qtyrange{500}{3000}{\micro\meter}.
|
|
|
|
\paragraph{Mesh layout.}
|
|
|
|
\paragraph{Contact construction.}
|
|
|
|
\subsubsection{Payment Terminal Construction}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=0.7\textwidth]{mesh_fold_screenshot.pdf}
|
|
\caption[HSM appliance CT scan]{Computed Tomography (CT) scan of a corner of the PCIe HSM module from an Utimaco
|
|
rackmount HSM appliance. Visible are several capacitors, the edge of a large IC, and a large Flat Flexible Cable
|
|
(FFC) connector. Two layers of metal enclosures with resin potting in between are visible, and the security mesh can
|
|
be seen folded between layers of the folded FFC cable connecting to the outside.}
|
|
\label{hsm_fig_utimaco_ct}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{cut_chip_scene.pdf}
|
|
\caption[Ingenico Payment Terminal HSM CT Section Cut]{CT Section cut across the Ingenico potted module sample. The fold pattern of the mesh foil can be seen
|
|
clearly. The mesh traces can be seen on both sides of the foil. The two-layer PCB and the lead frame and bond wires
|
|
of a chip soldered on its top side are visible.}
|
|
\label{fig_ingenico_cut}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{mesh_pitch.pdf}
|
|
\caption[Ingenico Payment Terminal HSM Mesh Pitch]{A horizontal cut through the Ingenico potted module with
|
|
millimeter scale next to the mesh foil. As is visible, the mesh has a trace pitch of \qty{1.0}{\milli\meter} and
|
|
traces are offset between the two mesh layers to reduce the amount of gaps between traces.}
|
|
\label{fig_ingenico_pitch}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{mesh_contact_joint.pdf}
|
|
\caption[Ingenico Payment Terminal HSM Mesh Contacts]{Mesh contact joints in the Ingenico potted module sample. The
|
|
mesh is a foil that is attached to the PCB through bent stamped metal contacts. The contacts are riveted into large
|
|
contact pads patterend onto the mesh foil, and are soldered to the PCB. Next to the contacts, the mesh layout is
|
|
visble clearly.}
|
|
\label{fig_ingenico_contacts}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{open_end_detail.pdf}
|
|
\caption[Ingenico Payment Terminal HSM End Closure]{Connector end of the Ingenico potted module sample. This cut
|
|
shows that the mesh only encloses the PCB on three sides, and the connector side is left unprotected.}
|
|
\label{fig_ingenico_end}
|
|
\end{figure}
|
|
|
|
\begin{figure}
|
|
\centering
|
|
\includegraphics[width=\textwidth]{mesh_geom.pdf}
|
|
\caption[Ingenico Payment Terminal HSM Mesh 3D]{3D reconstruction of the mesh from the Ingenico potted module
|
|
sample. The mesh layout can clearly be seen. From this 3D view, the mesh construction is evident: A T-shaped mesh
|
|
foil is wrapped around the PCB on three sides, with PCB tabs at two corners acting as locating and fixturing
|
|
features. In the corners, cylindrical components are visible that likely serve as an attempt at sensing intrusion
|
|
through the corners.}
|
|
\label{fig_ingenico_3d}
|
|
\end{figure}
|
|
|
|
|
|
|
|
\section{Discussion}
|
|
|
|
% FIXME intro here
|
|
|
|
\subsection{Tamper-sensing meshes then and now}
|
|
|
|
Concluding both our patent research and our experimental survey, we find that tamper-sensing meshes have been a
|
|
commonplace technology throughout the past 150 years. While mesh manufacturing technology has experienced some
|
|
advancements from historical wire-wound meshes to modern meshes always being constructed in printed circuit processes,
|
|
mesh monitoring approaches have received surprisingly little attention through the centuries and even in recent,
|
|
state-of-the-art systems, a simple comparator monitoring a mesh arranged in a wheatstone bridge configuration is still
|
|
considered sufficient by manufacturers.
|
|
% FIXME todo above: show wheatstone bridge schematic
|
|
|
|
\subsection{Mesh construction techniques}
|
|
|
|
We found that in almost all cases, practical tamper-sensing meshes are constructed using standard manufacturing
|
|
processes. In some card payment terminals, we found meshes that used slightly customized standard processes and e.g.
|
|
integrated a mesh layer produced in a carbon printing process into a membrane keypad, but customizations were minimal.
|
|
We only found one mesh manufactured in a bespoke process in the datacenter HSM appliance we examined, and that bespoke
|
|
process turns out to be a turnkey solution used by at least two HSM vendors.
|
|
|
|
\subsection{Mesh monitoring circuits}
|
|
|
|
We observed that in general, academic research leads before patent literature, which is ahead of actual implementations
|
|
in the field. Practical monitoring circuitry seems basic. Particularly the datacenter HSM appliance we examined showed a
|
|
contrast between a mesh manufactured in a bespoke process combined with a unsophisticated, discrete monitoring circuit
|
|
based around a number of voltage comparators.
|
|
|
|
\subsection{Computed Tomography Imaging}
|
|
|
|
CT imaging presents a serious threat to any HSM design that relies on its mesh layout remaining secret. For instance,
|
|
the Gore tamper-sensing mesh product used in IBM and Utimaco HSMs includes a feature where after production, small vias
|
|
are lasered into a specially preparte area on the mesh foil to randomize the connection pattern of the mesh on a
|
|
unit-by-unit basis. CT imaging could be used to discern this type of customization. Furthermore, CT imaging can be used
|
|
to provide sub-millimeter accurate positioning for an attack, even if the sample to be attacked has large production
|
|
tolerances. We found that CT imaging can be made more difficult using three complementary techniques.
|
|
|
|
\paragraph{Low-contrast trace materials.}
|
|
CT imaging can be made more difficult by manufacturing the mesh with very thin conductive traces, and using a trace
|
|
material that has low atomic number, corresponding to low X-ray absorption. For instance, the Gore mesh sample used a
|
|
carbon-based ink that judging by structure size was screen-printed, which leads to an economical yet relatively secure
|
|
solution.
|
|
|
|
\paragraph{Use of X-ray attenuating materials.}
|
|
We found that placing any highly X-ray attenuating material in the HSM makes CT imaging more difficult since it
|
|
makes using higher-energy X-rays necessary, which lead to poorer contrast on X-ray-transparent features like polymers.
|
|
The result of this difference can be seen in the difference in image fidelity between the Utimaco HSM appliance and
|
|
Ingenico potted module samples. The Ingenico sample was easy to image since it consisted of a PCB wrapped with a mesh
|
|
foil and encased in resin inside of an injection-molded plastic enclosure. Thus, we were able to image it at a low X-ray
|
|
energy and we were able to easily reconstruct detail on both the mesh's layout and the PCB's circuitry. In contrast, the
|
|
Utimaco HSM module was potted inside a metal shell open on one side and had a second, spot-welded metal shell enclosing
|
|
the PCB right underneath the mesh foil. While the outer metal shell could have been removed through e.g.\ milling, this
|
|
inner metal shell was inaccessible. The Utimaco CT scans look worse because we chose a higher X-ray energy due to the
|
|
large amount of metal, leading to poorer image contrast. In a practical application, a sheed made from elementary tin or
|
|
a tin alloy would be a suitable choice for such an X-ray absorbing feature since tin is cheap, non-hazardous and absorbs
|
|
X-rays almost as well as lead. Alternatively to a sheet-metal enclosure, an X-ray absorbing material could also be
|
|
incorporated into a potting compound as a powder.
|
|
|
|
\paragraph{Size.}
|
|
Finally, we found that a larger module size makes CT imaging more difficult simply due to the thickness of material that
|
|
the X-rays need to penetrate. Ideally, a HSM should aim for a cuboid form factor, as the common flat construction style
|
|
is easily penetrated by X-rays along at least one axis.
|
|
|
|
\section{Conclusion}
|
|
|
|
In our survey, we have found a wide variety in tamper sensing mesh construction techniques. Meshes are commonly
|
|
implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also
|
|
carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards
|
|
are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push
|
|
the boundaries of achievable structure size for a given process.
|
|
|
|
The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's
|
|
traces. Silver printed circuits like they are normally used for keyboard matrices performed particularly well in this
|
|
regard since the silver ink adheres better to some potting compounds than to its plastic carrier substrate. We found
|
|
copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust and
|
|
can even be forcibly separated from some potting compounds without destroying their traces.
|
|
|
|
The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices
|
|
marketed as hardware secuirty modules. Given the inexpensive nature of tamper sensing meshes and the high price point of
|
|
such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper
|
|
sensing meshes. We conclude from this observation that the term ``HSM'' does not imply state-of-the-art physical tamper
|
|
sensing.
|
|
|
|
From an academic point of view, the core finding of our survey is that tamper sensing meshes manufactured in a number of
|
|
commercial manufacturing processes would yield acceptable surrogates for real devices found in the wild. With the
|
|
exception of a single device that used a particularly fine structure size in the \qty{100}{\micro\meter} range, none of
|
|
the devices we examined utilized particularly non-obvious construction techniques.
|
|
|
|
Form an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic
|
|
construction techniques. Implementing such a system that matches the security of other systems seen in the wild should
|
|
be achievable to most engineers.
|
|
|
|
|