Attacks Against Smartcards

General Tampering Methodology

DE-PACKAGING
Before physical attacks can be performed, the circuit chip has to be removed from
the plastic card. This can be done by simply using a sharp knife to cut away the
plastic behind the chip module until the epoxy resin becomes visible. Then,
adding a few drops of fuming nitric acid can dissolve the resin. By shaking the
card in acetone until the silicon surface is fully exposed [3], the acid and resin
can be washed away.
LAYOUT RECONSTRUCTION
After de-packaging, the next step in an invasive attack on a new processor is to
create a map of it. The attacker uses an optical microscope with a CCD camera to
produce large mosaics of high-resolution photographs of the chip surface. Basic
structures such as data and address bus lines can be identified by studying
connectivity patterns and by tracing metal lines that cross clearly visible module
boundaries (ROM, RAM, EEPROM, ALU, instruction decoder, etc.). All processing
modules are usually connected to the main bus via easily recognizable latches
and bus drivers [6].
Deeper layers can only be recognized in a second series of photographs after the
metal layers have been stripped off [6]. Images of successive layers of a chip can
then be fed into a PC, with image processing system software, that reduces the
initially fuzzy image to a clean polygon representation and identifies common chip
features [21, 23].
If the processor has a commonly accessible standard architecture, then the
attacker has to reconstruct the layout only until he has identified those bus lines
and functional modules that he has to manipulate in order to access all memory
values [6].
At the Cavendish Laboratory in Cambridge, a technique has been developed for
reverse engineering the circuit chips. The layout and function of the chip can be
identified using this technique. Another technique developed by IBM can be used
to observe the operation of the chip. As a result, its secret keys can be fully
revealed [3, 21, 23].
MANUAL MICRO-PROBING
The most important tool available for invasive attacks is a micro-probing
workstation. Its major component is a special optical microscope. On an arm of
the microscope, the attacker installs a probe: a metal shaft that holds a
long, sharpened tungsten hair, which allows the attacker to
establish electrical contact with on-chip bus lines without damaging them. The
probe is connected via an amplifier to a digital signal processor card that records
or overrides processor signals and also provides the power, clock, reset, and I/O
signals needed to operate the processor via pins [6].
USING ADVANCED BEAM TECHNOLOGIES
For future card generations with more metal layers and features below the
wavelength of visible light, more expensive tools might have to be used in
addition to the existing ones.

Attacks

KEY AND MEMORY READING

Reading ROM
While the ROM usually does not contain any cryptographic key material, it does
often contain enough I/O, access control, and cryptographic routines to be of use
in the design of a non-invasive attack [6].
Optical reconstruction techniques can be used to read ROM directly. The ROM bit
pattern is stored in the diffusion layer, which leaves hardly any optical indication
of the data on the chip surface [6]. Some ROM technologies store bits not in the
shape of the active area but by modifying transistor threshold voltages. In this
case, additional selective staining techniques have to be applied to make the bits
visible [6].
Reading Memory Contents By Bus Probing
Except for ROM, it is usually not practical to read the information stored on a
security processor directly out of each single memory cell. The stored data has to
be accessed via the memory bus where all data is available at a single location.
Micro-probing is used to observe the entire bus and record the values in memory
as they are accessed [6].
Merely replaying transactions might not suffice to make the processor access all
critical memory locations. Sometimes, hostile bus observers are lucky and
encounter a card where the programmer believed that calculating and
verifying some memory checksum after every reset would somehow increase
the tamper-resistance. This, of course, gives the attacker immediate easy access
to all memory locations on the bus and considerably simplifies completing the
read-out operation [6].
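The design mistake described above, modelled as an added example (not code from the original paper): a toy memory map in which every read is logged as bus traffic, comparing a reset routine that checksums all memory with one that covers only non-secret code and data. The memory size, the key region and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy memory map (assumption, not a real card layout). */
#define MEM_SIZE  64u
#define KEY_START 48u   /* bytes 48..63 are assumed to hold key material */
#define KEY_LEN   16u

static uint8_t mem[MEM_SIZE];
static uint8_t seen_on_bus[MEM_SIZE]; /* 1 once the cell's value crossed the bus */

/* Every CPU read travels over the shared memory bus, where a probe can see it. */
static uint8_t bus_read(size_t addr) {
    seen_on_bus[addr] = 1;
    return mem[addr];
}

/* Additive checksum over [start, end), fetched byte by byte through the bus. */
static uint8_t checksum(size_t start, size_t end) {
    uint8_t sum = 0;
    for (size_t a = start; a < end; a++)
        sum = (uint8_t)(sum + bus_read(a));
    return sum;
}

/* Run a reset-time check over [0, end) and count key bytes it put on the bus. */
static unsigned key_bytes_exposed_by_check(size_t end) {
    unsigned n = 0;
    memset(seen_on_bus, 0, sizeof seen_on_bus);
    for (size_t a = 0; a < MEM_SIZE; a++)
        mem[a] = (uint8_t)(a * 7u + 3u);      /* constructed contents */
    (void)checksum(0, end);
    for (size_t a = KEY_START; a < KEY_START + KEY_LEN; a++)
        n += seen_on_bus[a];
    return n;
}

/* Design the text warns about: checksum all memory after every reset. */
unsigned exposure_full_checksum(void) { return key_bytes_exposed_by_check(MEM_SIZE); }
/* Alternative: check only non-secret code and data, never touching the keys. */
unsigned exposure_code_only_checksum(void) { return key_bytes_exposed_by_check(KEY_START); }

int main(void) {
    printf("full-memory check: %u of %u key bytes on bus\n", exposure_full_checksum(), KEY_LEN);
    printf("code-only check:   %u of %u key bytes on bus\n", exposure_code_only_checksum(), KEY_LEN);
    return 0;
}
```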
In order to read out all memory cells without the help of the card software, the
attacker has to abuse a CPU component, such as an address counter, so that it
accesses all memory cells for him. The program counter is already incremented
automatically during every instruction cycle and used to read the next address,
which makes it perfectly suited to serve as an address sequence generator. The
attacker has to prevent the processor from executing jump, call, or return
instructions, which would disturb the program counter in its normal read
sequence. Tiny modifications of the instruction decoder or program counter
circuit, which can easily be performed by opening the correct metal interconnect
with a laser, often have the desired effect [6].