\chapterquote{Meredith Whittaker~\cite{greenbergSignalMoreEncrypted2024}}{
It’s not for lack of ideas or possibilities. It’s that we actually have to start taking seriously the shifts that
are going to be required to do this thing—to build tech that rejects surveillance and centralized control—whose
necessity is now obvious to everyone.
}

\chaptertitle{Introduction}
\label{chapter-intro}

% New draft:
%
% Passionate statement about democracy and academic freedom
%
% We live in times of rising fascist and authoritarian sentiment worldwide. While computer science and cryptography are
% often portrayed as politically neutral technologies, their practice is a political act and can have grave real-world
% consequences.
% maybe: Within mathematics and computer science, the field of cryptography is unique in that it smainstream views
% link to cypherpunks, hackers
% Hardware Security Modules (HSMs) are an example of such a political technology. The core function of HSMs is to
% protect cryptographic secrets against \emph{any} physical attack. Even though they are widely used in finance and
% business applications, in their design, they curiously embody the radical ideology of the cypherpunk and hacker
% movements.
%
% We believe physically secure devices like HSMs can be a keystone technology in the creation of secure systems for
% communication and computation in a free, democratic society. However, while current state-of-the-art commercial
% devices can be expected to resist a fascist police force or even some authoritarian states' secret services, their
% physical security is still lacking due to misaligned ecosystem incentives. As Anderson put it,
% todo cite: betrusted
%
%
% Meanwhile in academia,
% In this thesis, we aim to significantly advance the field of hardware security module construction. We publish all
% designs, code and data as open source to create the groundwork for future research, and sow the seeds for a new
% generation of secure hardware that will be able to resist a rising tide of fascist and authoritarian movements.
%
%
%
% Research questions:
% 1. can hsm w/o proprietary mesh?
% 2. what do meshes look like in practice?
% 3. can we improve monitoring?
% 4. can we solve power transfer issue
% 5. applications
%

||
\emph{No Gods, No Masters} is an anarchist slogan originating in the 19\textsuperscript{th} century that expresses a
rejection of authorities~\cite{broussaisOriginesDeviseAnarchiste2022,guerinNoGodsNo2005,blomNoGodsNo2025}. In modern
cryptography, it is generally seen as best practice to involve as few parties as possible in any computation.
Most cryptographic problems are easily solved by involving a trusted third party (TTP).
Yet, cryptographers have time and again vocally rejected attempts to involve third parties in cryptographic
protocols~\cite{
abelsonRisksKeyRecovery1997,
abelsonKeysDoormats2015,
andersonSecurityEngineeringGuide2020,
rogawayMoralCharacterCryptographic2015}.

Considerable research has been focused on creating a versatile set of tools to perform tasks as diverse as secure
communication~\cite{
alwenDoubleRatchetSecurity2019,
marlinspikeDoubleRatchetAlgorithm2025,
dowlingFlexibleAuthenticatedConfidential2020,
sasySoKMetadataProtectingCommunication2024},
oblivious database access~\cite{
chorPrivateInformationRetrieval,
aguilar-melchorXPIRPrivateInformation2016,
reichertMenhirObliviousDatabase2024},
and even general computation~\cite{
goosInformationTheoreticallySecure1999,
aumannSecurityCovertAdversaries2010,
chorPrivateInformationRetrieval}
in a decentralized way that avoids trusted authorities.
While politically, this blanket rejection of authority represents a fringe viewpoint, in cryptography it has a long
tradition originating with the Cypherpunk and Hacker movements~\cite{
andersonCypherpunkEthicsRadical2022,
hughesCypherpunksManifesto,
jarvisCryptoWarsFight2020,
marlinspikeWeShouldAll2013},
and extending throughout mainstream academic cryptography.

||
While the aforementioned cryptographic tools enable a large gamut of use cases in theory, in practice cryptographic
systems are still routinely compromised~\cite{
gellmanNSAInfiltratesLinks2013,
goldmanUnrestrainedChineseCyberattackers2025,
scott-railtonWhoseAuthorityPegasus2024,
quintinSomethingRememberUs2024,
marczakGraphiteCaughtFirst2025}.
A fundamental flaw of any practical cryptographic system is that secure algorithms have to run on hardware, and even
today, average computing hardware provides little physical security~\cite{
gotzfriedCacheAttacksIntel2017,
Lipp2018meltdown,
Kocher2018spectre,
moghimiTPMFAILTPMMeets2020}.
\emph{Hardware Security Modules} are a class of devices specifically designed to execute cryptographic algorithms while
providing strict physical security guarantees, but these systems are expensive,
and their physical security is often questionable (cf.~Chapter~\ref{chapter-survey})~\cite{
obermaier2018,
andersonSecurityEngineeringGuide2020}.
As \textcite{andersonSecurityEngineeringGuide2020} writes on HSMs and their security standards:
% FIXME page numbers

\begin{quote}
Security economics remains a big soft spot, with security chips being in many ways a market for lemons. A banker
buying HSMs probably won’t be aware of the huge gap between FIPS\footnote{Anderson here refers to the US national
HSM security standard FIPS
140~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002,
usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}} level 3 and level 4, and
understand that level 3 can sometimes be defeated with a Swiss army knife. The buying incentive there is compliance,
and where real security clashes with operations it’s not surprising to see weaker standards designed to make
compliance easier.

\begin{flushright}
\textit{\textcite{andersonSecurityEngineeringGuide2020} p. 629}
\end{flushright}
\end{quote}

||
In this thesis, we aim to fill this gap in easily obtainable, secure hardware and extend the level of protection
afforded by cryptographic protocol design down the technology stack to the hardware level. We propose a new HSM design
that, unlike existing designs, can be manufactured at low cost and without access to specialized tools.

% Go into drawbacks of existing HSMs

We publish our design fully open source, including all details necessary for replication. A fundamental principle in
cryptographic engineering is Kerckhoffs' principle\footnote{
\textcite{petitcolasKerckhoffsPrinciplesCryptographie} contains a high-quality OCR'ed copy of the original source,
as well as a translation of the cited part from French. The original source is
\textcite{kerckhoffsCryptographieMilitaire1883}.
}, named after Dutch military cryptographer Auguste Kerckhoffs. Kerckhoffs' principle expresses that the security of a
cryptographic system should only depend on the secrecy of its keys, not on the secrecy of its design. In this way,
Kerckhoffs' principle states the opposite of the widespread industry practice of \emph{Security by Obscurity}, which
aims to achieve security by making it sufficiently costly to cryptanalyze a system that the attempt becomes
unattractive. All existing commercial HSM designs as well as some existing academic related work violate this principle
by keeping details of their implementation such as the precise mesh dimensions and manufacturing methods secret. By
publishing all details of our research into HSMs and their components, we provide the foundation for future independent
research.

Complementary to Kerckhoffs' principle is the principle of least authority, which states that in a secure system each
component should only have access to the smallest set of capabilities necessary to fulfill its purpose. Applying both to
a cryptographic system means that the system's design should be transparent and not include any hidden components or
opaque parts that cannot be inspected, and that the system's keys should be scoped to place the least amount of trust
possible in each participating party. Existing HSMs are an example of a violation of the principle of least authority
since they elevate the HSM manufacturer to a single point of failure. The tamper-sensing mesh foils used in conventional
HSMs are made in proprietary, bespoke processes, and cannot be manufactured independently. Our proposed design can be
replicated from standard components and eliminates this issue.

||
\section{Research Questions and Contributions}

Based on the current state of the field of hardware security, we derive three overarching research questions for this
thesis that progress from theory to practical deployment.

\begin{enumerate}
\item Can we achieve physical security without relying on conventional tamper-sensing meshes?
\item Can we monitor tamper-sensing meshes at a higher level of detail than the state of the art of a single, scalar
measurement?
\item Can we create the support components necessary to integrate a system that provides a practical security
guarantee?
\end{enumerate}

To answer our first research question, we propose the Inertial Hardware Security Module (IHSM), a new type of HSM that
extends the high level of protection offered by the modern cryptographic software stack down to the hardware level,
enabling secure computation in insecure places.

To answer our second question, we propose improvements to the state of the art in HSM tamper sensors such as the use of
low-cost, embeddable Time-Domain Reflectometry (TDR) that not only improve the security of IHSMs, but that can even be
applied to conventional HSMs.

Finally, we answer our last research question by showing in two case studies how an end-to-end design of an IHSM-secured
data processing system could look. Both case studies concern scenarios that IHSMs unlock that were previously
infeasible using conventional HSMs: datacenter-scale Secure Multiparty Computation (SMPC) and long-range Quantum Key
Distribution (QKD) networks. As part of this effort we provide a solution adapting and improving upon the state of the
art in wireless power transfer to supply a rotating inertial HSM with a clean, stable power supply.

We chose to publish all of our research as open source and unencumbered by patents to enable widespread adoption. IHSMs
can be custom built with only basic manufacturing capabilities at small scale and enable the deployment of secure
computation in insecure places even to small organizations such as university research departments, NGOs and small
businesses.

||
%\section{Cryptographic Principles and Physical Reality}

%Let's take a basic videoconferencing system as an example. In our example system's deployment, users log on to a central
%conference server, which receives and distributes the users' video streams. Allowing backdoor access to the video
%streams to some third party like a datacenter operator or a state would violate Kerckhoffs' principle since it would
%have to be hidden from the system's participants, who would therefore not have a complete view of the system's deployed
%architecture. The principle of least authority would also be violated since in almost all cases, such a backdoor access
%system would not see legitimate use. As a result, it would possess capabilities that almost never would be essential to
%the proper function of the videoconference system.

%In their design, almost all modern software -- especially open source -- cleanly applies these principles. However, the
%practical reality after deployment almost always deviates from them. While backdoors are vanishingly rare in modern
%open-source software, practical deployments usually are vulnerable to physical attacks. Computer hardware generally is
%not designed with a local attacker with advanced physical attack capabilities in mind since no mitigation can fully
%prevent them---such attacks usually can only be detected, or at best slowed down. As a result, commonplace attacks
%against modern software often involve taking over the hardware at some point in the chain. Even End-to-End-Encrypted
%(E2EE) communication systems can be compromised if one of the encrypted channel's endpoints can be physically
%compromised. Corresponding \emph{digital forensics} capabilities are commonplace among state actors, and are available
%as a turnkey solution on the market.

||
\section{Inertial Hardware Security Modules}

In this thesis, we propose Inertial Hardware Security Modules (IHSMs) to fill the gap of protecting systems that handle
highly sensitive data but that cannot use conventional HSMs for cost or performance reasons. In a system with a secure
software stack, the role of an HSM is to secure the hardware part of the stack. The basic approach of an HSM is to combine
a secure software stack with tamper sensors connected to a fast self-destruct mechanism. The tamper sensors are tasked
with detecting any physical attack an attacker could mount on the device. Common classes of such sensors include
environmental sensors such as temperature or radiation sensors that detect attempts at causing controllable faults in
the HSM by heating, cooling or irradiating it. Building on the basic protection offered by such sensors,
\emph{tamper-sensing meshes} are often employed. These \emph{meshes} are flexible foils containing circuit traces that
are attached to the HSM's enclosure to detect attempts at penetrating the shell of the device with probes.
Tamper-sensing meshes usually are the primary line of defense against most physical attacks. They are very effective at
mitigating a large variety of physical attacks, but they are difficult to construct securely as they usually require
bespoke manufacturing processes. As a result, they are currently only used in niche applications, and even there not
every realization is equally secure. The self-destruct mechanism can be hardware or software that quickly and securely
destroys all cryptographic secrets, thereby rendering the device worthless to an attacker.

IHSMs are a new design approach that uses mechanical motion to create secure tamper-sensing meshes from simple
components. IHSMs solve the issue of creating an impenetrable tamper-sensing envelope by replacing the bespoke
tamper-sensing mesh foil with a set of simple, rigid meshes made from commodity Printed Circuit Boards (PCBs) that are
rotating at high speed. In motion, these simple PCB tamper-sensing meshes are as secure as the much more sophisticated
bespoke foils used in conventional HSMs, yet they are simpler and less expensive to manufacture. To verify that the mesh
is rotating correctly, an accelerometer is placed on the rotating mesh, and its centrifugal force reading is used to
validate its path of motion.
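
The rotation check described in the preceding paragraph, as an added illustration that is not part of this thesis or of
its published designs: a sensor at radius $r$ on a rotor turning at angular velocity $\omega$ reads a centripetal
acceleration of $\omega^2 r$, so a monitor that knows the commanded speed can compare the measured radial reading against
this expected value and trigger the tamper response when the mesh slows, stops, or the reading no longer looks like it
comes from a moving sensor. The setpoint (1000\,RPM), sensor radius (3\,cm), tolerances, window length and the
assumption of a horizontal axis of rotation (so that gravity swings through $\pm 1\,g$ once per revolution) are all
hypothetical values chosen for the example; the sensor windows are constructed inline.

```python
"""Added example (not from the thesis): validating that a tamper-sensing mesh is
actually spinning from a rotor-mounted accelerometer's radial readings.
Physics: a_c = omega^2 * r with omega = 2*pi*rpm/60. All parameters are hypothetical."""
import math
from dataclasses import dataclass
from typing import List

G = 9.81  # m/s^2, gravitational acceleration


def expected_centripetal(rpm: float, radius_m: float) -> float:
    """Centripetal acceleration (m/s^2) seen by a sensor at radius r spinning at rpm."""
    omega = 2.0 * math.pi * rpm / 60.0
    return omega * omega * radius_m


@dataclass
class RotationMonitor:
    rpm_setpoint: float
    radius_m: float
    rel_tol: float = 0.10      # allowed relative deviation of the window mean (hypothetical)
    max_bad_windows: int = 3   # consecutive anomalous windows tolerated before tripping
    bad_windows: int = 0
    tripped: bool = False

    def classify(self, window: List[float]) -> str:
        """Classify one window of radial readings (ideally one full revolution)."""
        expected = expected_centripetal(self.rpm_setpoint, self.radius_m)
        mean = sum(window) / len(window)
        ptp = max(window) - min(window)
        if mean < 0.2 * expected:
            return "stopped"          # mesh no longer spinning: no envelope at all
        if abs(mean - expected) > self.rel_tol * expected:
            return "anomaly"          # wrong speed or wrong radius
        # Assumption: horizontal axis, so gravity adds a +-1 g swing per revolution.
        # A frozen or replayed constant reading has no such swing.
        if not (0.5 * 2 * G <= ptp <= 1.5 * 2 * G):
            return "anomaly"
        return "ok"

    def check(self, window: List[float]) -> str:
        """Stateful check: 'ok', 'warn' (debouncing) or 'tripped' (fire tamper response)."""
        if self.tripped:
            return "tripped"
        verdict = self.classify(window)
        if verdict == "stopped":
            self.tripped = True       # a stopped mesh trips immediately, no debouncing
            return "tripped"
        if verdict == "ok":
            self.bad_windows = 0
            return "ok"
        self.bad_windows += 1
        if self.bad_windows >= self.max_bad_windows:
            self.tripped = True
            return "tripped"
        return "warn"


def synth_window(rpm: float, radius_m: float, n: int = 16) -> List[float]:
    """Constructed sensor data: one revolution of radial readings at the given speed."""
    a = expected_centripetal(rpm, radius_m)
    return [a + G * math.sin(2.0 * math.pi * k / n) for k in range(n)]


def run(monitor: RotationMonitor, windows: List[List[float]]) -> List[str]:
    """Feed a sequence of windows through the monitor and collect the verdicts."""
    return [monitor.check(w) for w in windows]


if __name__ == "__main__":
    m = RotationMonitor(rpm_setpoint=1000, radius_m=0.03)
    # Two healthy revolutions, then the mesh slows to 700 RPM.
    trace = [synth_window(1000, 0.03)] * 2 + [synth_window(700, 0.03)] * 3
    print(run(m, trace))  # ['ok', 'ok', 'warn', 'warn', 'tripped']
```

The debouncing on anomalous windows avoids destroying keys on a single noisy sample, while a stopped mesh trips at once
because the device has no tamper-sensing envelope while stationary; the peak-to-peak check is what distinguishes a
genuinely moving sensor from a replayed constant value with the right magnitude.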

IHSMs enable the protection of much larger payloads compared to conventional mesh designs, and they can support larger
power dissipation. Combined with their low cost, this enables the implementation of high-level hardware security in
applications that previously would not have been possible to secure.

IHSMs are the first fully open source HSM with advanced tamper sensing features. Across application domains, IHSMs can
be applied to gain resistance to physical attacks in scenarios where conventional HSMs were not used because of cost,
computing power or implementation effort. Where conventional HSMs come as fully integrated devices that only expose
limited APIs to their users, IHSMs at their core are just an enclosure that the user can put whatever hardware they need
into, adapting the tamper response to their application's needs. Since the simpler tamper-sensing mesh construction of
IHSMs scales to larger payload volumes, entire servers can be protected---something that is impossible with conventional
HSMs. Since the mesh in an IHSM is constantly moving, unlike a mesh in a conventional HSM, it does not have to entirely
cover the payload. Instead, it can have gaps that allow for air flow between outside and inside, enabling active cooling
of the IHSM's payload. This cooling capability sharply increases computing power by increasing feasible payload power
dissipation by two orders of magnitude.

\section{Conclusion}

Looking at the practice of applied hardware security, we observe that despite ample availability of commercial solutions
promising easy hardware security, there is clearly still a lack of solutions that provide the adaptability necessary for
some real use cases at low enough cost. By publishing the tamper-sensing technology we developed during the making of
this thesis as open source hardware designs, we aim to provide this missing building block for high-level
hardware security in real-world applications. Our hardware designs can be adapted to devices ranging from Single-Board
Computers (SBCs) to servers, they are compatible with non-computing applications like Quantum Key Distribution (QKD) and
their design approaches can even be integrated into existing HSM designs to provide better security at little additional
cost.
