\chapterquote{An unnamed atomic bomb designer~\cite{blechmanTechnologyLimitationInternational1989}}{
Bypassing a PAL [atomic bomb ignition code lock] should be about as complex as performing a tonsillectomy while
entering the patient from the wrong end.
}

\chaptertitle{Hardware Security Modules in the Wild}

In this chapter we will take a look at how Hardware Security Modules are built and what they are used for. We will
analyze the gaps left by the current state of the industry, and evaluate how Inertial HSMs could close these gaps to
make secure hardware accessible to everyone. We will start with a brief history of secure hardware with a particular
focus on tamper-sensing meshes, since the tamper-sensing mesh is the primary line of defense that distinguishes a hardware
security module from other, weaker secure hardware primitives such as Smart Cards or Trusted Platform Modules (TPMs).

% FIXME include stuff from hsm survey paper
% FIXME include stuff from EPA paper

\section{The History of Tamper Sensing Meshes}

\subsection{Use by the US Military}

Electronic tamper sensing meshes are documented in literature beginning around World War \RN{2}. The earliest mention of
such a system we are aware of is from notes on a series of lectures given by Dr.~David~G. Boak, a specialist in
communications security and signal intelligence at the US National Security
Agency~\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
response, reliably zeroizing the cryptographic keys would be sufficient. Today, this approach is universally taken. Boak
does note several other ways to penalize an intrusion attempt, including raising a remote alarm or---even more
exciting---exploding the device.

\subsection{Use in Nuclear Weapons}

Communications security was not the earliest use of tamper-sensing membranes in the US military, with Boak mentioning
HSMs still being under development in the second volume of the lecture series, dated 1972. An earlier reference to such
systems can be found in literature on Permissive Action Links (PALs) for nuclear weapons. In US military terminology, a
PAL is a chain of locked, tamper-proof systems required to trigger the detonation of a nuclear weapon. PALs were
developed as a consequence of nuclear weapons being stationed in countries allied with the US during the cold war. The
concern was that the host country might forcibly assume control over the US nuclear weapons stationed on their soil. The
stated goal of PALs is to protect the weapon from use without a secret passcode known only to US military command. To
achieve this goal, PALs will lock themselves when incorrect codes are entered. To protect against both intentional
tampering aiming to circumvent the PAL, as well as against accidental detonation under extreme environmental
conditions, PALs are designed such that any tampering attempt as well as any environmental deviation will be sensed by
the PAL, and will lead to the weapon being destroyed in a less harmful way that does not cause the full-scale nuclear
explosion that the weapon is capable of. This goal is achievable in practice since nuclear weapons are reportedly very
sensitive to the timing of their primary explosive charges, as the nuclear payload only produces a full-scale detonation
when triggered in just the right way.

While it is difficult to date, \textcite{carterManagingNuclearOperations1987} specifically mention a tamper-sensing
membrane being used in US PALs. Given the nature of the matter, it is safe to assume that this technology will have been
in use for some years at the point it was being discussed in an unclassified, civilian book on nuclear armament control.

\subsection{Use in Nuclear Safeguards}

Besides being used in nuclear weapons, tamper-sensing systems have another, more peaceful application in the nuclear
field. In 1957, the International Atomic Energy Agency (IAEA) was founded to coordinate and verify that civilian nuclear
energy installations are not used for military purposes. A core part of the IAEA's tasks is observing the operations at
civilian nuclear installations through inspections and through a variety of permanently deployed sensors to track the
history of nuclear material passing through these facilities.

When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
seal is treated similarly to what in computing we these days call a Physically Unclonable Function (PUF). The enclosure or
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
bright color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
that drilling or cutting into something like a steel enclosure will leave detectable traces, and that perfectly
replicating an object including features such as minute surface imperfections is infeasible even to a nation
state~\cite{iaea2011}.

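The fingerprint-and-compare procedure described above, as an added example in C that is not the IAEA's or the thesis author's code: a constructed 8x8 grid of pit-depth samples stands in for the pre-deployment measurement of one enclosure face, a second scan with measurement noise stands in for the re-measurement after deployment, and a 2x2 patch overwritten with an out-of-pattern value stands in for a drilled hole. The grid size, depth units, noise model, tolerance and deviation threshold are all assumptions; the point is the separation between tolerated measurement noise and a deviation that indicates tampering.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not IAEA code: an etched enclosure surface is fingerprinted
 * before deployment and re-measured afterwards; the two scans are compared
 * with a per-sample noise tolerance. All sizes and thresholds are assumed. */

#define SCAN_W 8
#define SCAN_H 8
#define SCAN_CELLS (SCAN_W * SCAN_H)

/* Per-sample measurement noise we tolerate, and how many samples may deviate
 * beyond it before the enclosure is declared tampered (assumed values). */
#define NOISE_TOL 2
#define MAX_DEVIATING_CELLS 3

typedef struct { uint8_t depth[SCAN_CELLS]; } scan_t;

/* Tiny LCG so the constructed "etching pattern" is reproducible. It only stands
 * in for the physically unpredictable pit pattern of the real process. */
static uint32_t lcg_next(uint32_t *s) {
    *s = *s * 1103515245u + 12345u;
    return *s >> 16;
}

/* Reference fingerprint taken before deployment: pit depths in 0..49. */
void make_reference_scan(scan_t *ref, uint32_t seed) {
    for (int i = 0; i < SCAN_CELLS; i++)
        ref->depth[i] = (uint8_t)(lcg_next(&seed) % 50);
}

/* Re-measurement in the field: the same pattern plus +/-1 measurement noise. */
void simulate_field_scan(const scan_t *ref, scan_t *field, uint32_t seed) {
    for (int i = 0; i < SCAN_CELLS; i++) {
        int noise = (int)(lcg_next(&seed) % 3) - 1;  /* -1, 0 or +1 */
        int v = (int)ref->depth[i] + noise;
        if (v < 0) v = 0;
        field->depth[i] = (uint8_t)v;
    }
}

/* A 2x2 patch of the surface milled away, far outside the etched pattern. */
void simulate_drilling(scan_t *field, int x, int y) {
    for (int dy = 0; dy < 2; dy++)
        for (int dx = 0; dx < 2; dx++)
            field->depth[(y + dy) * SCAN_W + (x + dx)] = 200;
}

/* Number of samples differing from the reference by more than the tolerance. */
int count_deviating_cells(const scan_t *ref, const scan_t *field) {
    int n = 0;
    for (int i = 0; i < SCAN_CELLS; i++)
        if (abs((int)ref->depth[i] - (int)field->depth[i]) > NOISE_TOL) n++;
    return n;
}

/* Verdict: 1 = fingerprint still matches, 0 = tamper indicated. */
int enclosure_intact(const scan_t *ref, const scan_t *field) {
    return count_deviating_cells(ref, field) <= MAX_DEVIATING_CELLS;
}

/* Constructed scenario 1: untouched enclosure, noisy re-measurement. */
int demo_deviation_intact(void) {
    scan_t ref, field;
    make_reference_scan(&ref, 1u);
    simulate_field_scan(&ref, &field, 7u);
    return count_deviating_cells(&ref, &field);
}

/* Constructed scenario 2: same, but a hole drilled at grid position (3,3). */
int demo_deviation_drilled(void) {
    scan_t ref, field;
    make_reference_scan(&ref, 1u);
    simulate_field_scan(&ref, &field, 7u);
    simulate_drilling(&field, 3, 3);
    return count_deviating_cells(&ref, &field);
}

int main(void) {
    printf("intact enclosure: %d deviating cells\n", demo_deviation_intact());
    printf("drilled enclosure: %d deviating cells\n", demo_deviation_drilled());
    return 0;
}
```

The noise tolerance has to be set from the repeatability of the measurement rig, and the deviation threshold from how large a disturbance the inspector wants to catch; set the tolerance too wide and a small drilled patch hides inside it, set the threshold too tight and every re-measurement becomes a false alarm.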
In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
back-filled with concrete such that any attempt to reach the sensor would be clearly visible in the sensor's own
readings~\cite{simmonsHowInsureThat1988}.

With smarter electronics becoming more affordable in terms of both cost and power budget, over the decades, other active
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
transducers or optical fibers inside an enclosure's walls to detect tampering, but states that these efforts have not
yielded practical results primarily due to cost concerns. In contrast to these sensors, the IAEA's Electro-Optic Sealing
System (EOSS) uses a flexible tamper sensing mesh that contains some sort of conductive traces in the same way it is
used in contemporary hardware security modules to detect attempts at drilling or cutting into the
system~\cite{iaea2011,tolkSafeguardsSensorsSystems2007}. Unfortunately, no information on the precise construction of
the tamper sensing mesh, such as materials used or structure sizes, is publicly available.

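Both the NSA approach described in the section on military use (a crypto coprocessor inside a tamper-sensing envelope, with key zeroization as the tamper response) and the EOSS mesh of conductive traces above rest on the same monitoring loop: each trace is measured, a cut reads as an open circuit, a bridge reads as a short, and any reading outside the expected band zeroizes the keys. The following is an added example in C of such a monitor, not code from any of the devices or organizations discussed; the trace count, the nominal resistance, the tolerance band and the sample readings are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not from any device discussed): minimal monitor for a
 * tamper-sensing mesh with key zeroization as the tamper response. Trace
 * resistance values, thresholds and key material are constructed. */

#define N_TRACES 4
#define KEY_LEN 32

/* Nominal trace resistance and tolerated band (ohms, assumed). A cut trace
 * reads as open circuit; a bridged trace reads far below nominal. */
#define R_NOMINAL_OHM   1000u
#define R_TOLERANCE_OHM 200u
#define R_OPEN_OHM      0xFFFFFFFFu

enum mesh_state { MESH_OK = 0, MESH_TAMPER_OPEN, MESH_TAMPER_SHORT, MESH_TAMPER_DRIFT };

typedef struct {
    uint8_t key[KEY_LEN];      /* secret protected by the mesh */
    int zeroized;              /* latched: once set, the key never returns */
    enum mesh_state last_state;
    int fault_trace;           /* index of the first trace that tripped, or -1 */
} hsm_t;

/* Classify a single trace reading against the expected band. */
enum mesh_state classify_trace(uint32_t r_ohm) {
    if (r_ohm == R_OPEN_OHM) return MESH_TAMPER_OPEN;
    if (r_ohm < R_NOMINAL_OHM - R_TOLERANCE_OHM) return MESH_TAMPER_SHORT;
    if (r_ohm > R_NOMINAL_OHM + R_TOLERANCE_OHM) return MESH_TAMPER_DRIFT;
    return MESH_OK;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the stores. */
static void zeroize(uint8_t *buf, size_t n) {
    volatile uint8_t *p = buf;
    while (n--) *p++ = 0;
}

int hsm_key_is_zero(const hsm_t *h) {
    uint8_t acc = 0;
    for (int i = 0; i < KEY_LEN; i++) acc |= h->key[i];
    return acc == 0;
}

/* One monitoring pass over all trace readings; returns the resulting state.
 * Any fault zeroizes the key immediately and latches the tamper flag. */
enum mesh_state mesh_monitor_step(hsm_t *h, const uint32_t readings[N_TRACES]) {
    for (int i = 0; i < N_TRACES; i++) {
        enum mesh_state s = classify_trace(readings[i]);
        if (s != MESH_OK) {
            zeroize(h->key, KEY_LEN);
            h->zeroized = 1;
            h->last_state = s;
            h->fault_trace = i;
            return s;
        }
    }
    h->last_state = MESH_OK;
    return MESH_OK;
}

static void hsm_init(hsm_t *h) {
    for (int i = 0; i < KEY_LEN; i++) h->key[i] = (uint8_t)(0x40 + i);  /* constructed key */
    h->zeroized = 0;
    h->last_state = MESH_OK;
    h->fault_trace = -1;
}

/* Scenario 1: all traces within band, key must survive. Returns 1 on success. */
int demo_intact_keeps_key(void) {
    hsm_t h;
    hsm_init(&h);
    const uint32_t readings[N_TRACES] = { 1000u, 1050u, 950u, 1000u };
    return mesh_monitor_step(&h, readings) == MESH_OK && !hsm_key_is_zero(&h);
}

/* Scenario 2: trace 1 cut (open circuit). Returns the faulting trace index,
 * or -1 if the key was not zeroized as required. */
int demo_cut_trace_fault_index(void) {
    hsm_t h;
    hsm_init(&h);
    const uint32_t readings[N_TRACES] = { 1000u, R_OPEN_OHM, 1000u, 1000u };
    enum mesh_state s = mesh_monitor_step(&h, readings);
    if (s != MESH_TAMPER_OPEN || !h.zeroized || !hsm_key_is_zero(&h)) return -1;
    return h.fault_trace;
}

int main(void) {
    printf("intact mesh keeps key: %d\n", demo_intact_keeps_key());
    printf("cut trace index: %d\n", demo_cut_trace_fault_index());
    return 0;
}
```

A real monitor runs this loop from battery-backed circuitry so that it keeps working while the device is unpowered, and a drift verdict usually also covers the environmental sensors (temperature, supply voltage) that the chapter mentions for PALs; the structure of the decision is the same.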
\subsection{Commercial Use}

Commercially, tamper sensing meshes have entered widespread use beginning around the turn of the millennium, initially
in then-new HSMs, cryptographic coprocessors primarily aimed at the financial
industry~\cite{andersonSecurityEngineeringGuide2020}. Today, their use in finance has spread from HSMs in datacenters
and ATMs to the ATM PIN pads themselves, which encrypt the customer's PIN right at the source, as well as to all kinds
of card payment terminals. We will analyze two such ATM PIN pads later in this paper.

HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
hampered by their high cost. Such applications include key management in the TLS certificate infrastructure. In this
paper, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.

Beyond finance, tamper-sensing meshes have found applications in a variety of other use cases as well. For instance, we
have found them being used in mail franking machines to protect the credit counter and franking data, with one such unit
analyzed in this paper. Furthermore, we have identified at least one model of key safe that in Germany is mounted
externally on public buildings to provide keys to emergency services, and which includes a tamper sensing mesh on its
outside-facing wall to detect attempts at drilling into it. Finally, we have found a processing unit used in a series of
mid-2000s era slot machines in Germany that includes a tamper-sensing mesh, presumably to prevent modification or
cloning. This device will also be analyzed later in this chapter.

\section{The Principles of Tamper-Sensing Mesh Construction and Monitoring}

\subsection{Security Mesh Manufacturing}

\subsection{Security Mesh Monitoring}

\subsection{Other Tamper Sensing Techniques}

\subsection{Hardware Security Module Applications}

\subsection{The Patent Landscape}

\section{A Survey of Meshes in the Wild}

Concluding the brief history of tamper sensing meshes above, we find that they were initially developed for sensitive
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
became less expensive and more integrated, reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
adoption of PCB and Flexible Printed Circuit (FPC) production processes enabled their use as inexpensive,
high-resolution substrates for such meshes. In this section, we will examine a large sample of recent devices that
include tamper-sensing meshes to gain an understanding of how they are implemented, and what security level they are
targeted towards. Since we were unable to acquire a nuclear weapon for our research, we limited our survey to commercial
devices with a focus on card payment terminals, which represent the most varied class of device incorporating such
meshes.

\subsection{Sample Selection}

Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
this survey, we chose 21 different models of card payment terminals, and 6 other devices. All devices were procured from
eBay, and the majority were sold by electronic waste recycling companies.

\subsubsection{Card Payment Terminals}

Card payment terminals commonly include advanced tamper sensing features to discourage physical attacks such as
skimming that aim to exfiltrate card data and PINs entered by the customer. The Payment Card Industry Security Standards
Council (PCI SSC), an association of all major western credit card network operators, assumes the role of the de-facto
standardization organization in the card payment space. Due to the international scale of the large credit card
networks, almost all payment terminals on the market, irrespective of their country of origin, are certified under PCI SSC
standards. In addition to its ecosystem impact, the PCI SSC's security standards are well thought out and provide a higher
level of security than one might expect from an industry association.

The concrete requirements in the PCI SSC standards boil down to a list of logical requirements regarding key handling
that

\section{Conclusion}

In our survey, we have found a wide variety in tamper sensing mesh construction techniques. Meshes are commonly
implemented as part of both rigid (PCB) and flexible (FPC) circuit boards, either standalone, or as part of a board also
carrying other components. Silver or carbon trace patterning techniques that are normally used for membrane keyboards
are also used in some meshes, but are limited in their structure size. The meshes we found in the wild almost never push
the boundaries of achievable structure size for a given process.

The strongest systems we found combined a mesh with potting such that separating mesh and potting destroyed the mesh's
traces. Silver printed circuits of the kind normally used for keyboard matrices performed particularly well in this
regard, since the silver ink adheres better to some potting compounds than to its plastic carrier substrate. We found
that copper FPCs are commonly used for meshes. Interestingly, they seem to be a poor choice since they are very robust and
can even be forcibly separated from some potting compounds without destroying their traces.

The weakest systems we found completely omitted a tamper sensing mesh. Ironically, all of these systems were devices
marketed as hardware security modules. Given the inexpensive nature of tamper sensing meshes and the high price point of
such devices, we suspect market segmentation as a driving force behind their manufacturers' decision to omit tamper
sensing meshes. We conclude from this observation that the term ``HSM'' does not imply state-of-the-art physical tamper
sensing.

From an academic point of view, the core finding of our survey is that tamper sensing meshes manufactured in a number of
commercial manufacturing processes would yield acceptable surrogates for real devices found in the wild. With the
exception of a single device that used a particularly fine structure size in the \qty{100}{\micro\meter} range, none of
the devices we examined utilized particularly non-obvious construction techniques.

From an engineering point of view, we observe that across application domains, tamper sensing meshes often use basic
construction techniques. Implementing such a system that matches the security of other systems seen in the wild should
be achievable for most engineers.