Written by by Marcus Janke and Dr. Peter Laackmann, Infineon Technologies AG
Introduction
Security processors are vastly utilized for protected processing and storage of data in many of today’s applications. Nevertheless, each security architecture automatically implies a preferred range of use and security lifetime. Consequently, selecting a product with the right security level is not a trivial task. Security modelling, simulation and thorough system analysis are needed to yield insightful statements about product security.
Security devices that are situated in the field are facing an increasing amount of threats, which in turn grow more dangerous from day to day. Meanwhile, new applications such as government documents, e.g. electronic passports and national identification cards, demand increased security lifetimes.
Today, the security controller industry may find itself at a crossroads, a situation that demands radical rethinking. The development of future-orientated concepts, targeting complete groups of attacks by using comprehensive countermeasures, is essential.
“Known” and “Unknown” Attacks
The target of every attack is mainly determined by the specific application that is used. In the case of an access control card, the attacker would typically try to duplicate an original card to illegally gain access with his cloned version of that specific card. For identification applications, like electronic passports, a simple “cloning” of the device would often not be sufficient – in this case the attacker would, usually, also have to manipulate the contents of the chip to forge an identity. It’s not only the time that an attacker is willing to spend, but it’s also the financial efforts themselves that may sometimes be very high, especially if the anticipated profit would be great enough.
Even until today, it was often common sense to primarily survey the protection against so-called “known attacks”, which were transferred into test scenarios. Security processors were then checked against these attacks and appropriate ratings for each specific product were applied. But taking into account that such attack technologies are evolving into several hundred new attack scenarios every year, it is clear that protection against “known attacks” are simply not sufficient: many questions would be left open.
First, one should ask how “known” is defined – for example, it is important to question who would know a specific attack – is it the manufacturer, the evaluator or the certification body ? It lies in the nature of attacks; that every adversary has his own portfolio and knowledge of how a chip could be attacked. It is not surprising that proficient attackers often keep their findings secret. Attacks, that were just developed, and not yet “known” by the parties involved, would perhaps not be considered. In conclusion, it is clear that statements like “protection against known attacks” will only yield minor information to a customer or user.
Instead, manufacturers of security controllers also have to care about the question “What can be done to protect a device in a better way against unknown attacks?”.
Fighting against Classes of Attacks
For actual and upcoming security applications that are expected to have a long life, it is of utmost importance to find ways to align countermeasures not against single, dedicated attack scenarios, but instead against multiple attack approaches or, ideally, against complete attack groups.
Three attack classes, which are used against hardware, have been known since the beginnings of security chip development and even before: these classes, which remained constant for decades, are also expected to remain constant over the coming years.
— Semi-Invasive Attacks
Utilizing “Semi-Invasive” attacks, an adversary is trying to induce faulty behaviour in a security controller. By inducing faults, the attacker can attempt to circumvent security decisions in the software, or manipulate data for their own purpose. The attacker may try to force the chip to output otherwise protected, secret data, instead of the intended output. If the faults are induced while the chip is performing a cryptographic operation, a faulty calculation may even lead to the extraction of the secret cryptographic key.
Semi-invasive attacks are usually performed by electrical transients, called “Spikes” or “Glitches”, but also electromagnetic pulses, light or lasers, ionizing radiation from radioactive sources, or temperature changes are applied. Attackers can utilize everything which affects the behaviour of silicon chips, so the use of other attack “vehicles” like neutrons, X-Rays, and many more can be considered.
So, for example, a method named “laser attack” or “light attack”, often used in evaluation, would only be a single scenario inside a vast group of hundreds of alternatives. Subsequently, protective measures against “laser attacks” would not automatically give indications about protection against neighboured Semi-Invasive attack scenarios.
— Manipulative Attacks
If the attacker performs manipulations of the hardware itself, such attacks are called “Manipulative Attacks”. This could include the use of microscopic needles which are set on the signal lines, over which secret information from the heart of the chip would be extracted; or the attacker could inject their own information. Other Manipulative Attacks imply the modification of a chip’s structure and circuit by utilizing micro-surgery on the silicon, typically by the use of a Focused-Ion-Beam (FIB) workstation.
New, more recent manipulative attacks include the use of atomic force microscopy needles, which are only a few atoms wide and are compatible with even the latest, smallest technology sizes.
Observing Attacks
An attacker can try to gain information over so-called “side-channels”. For example, the observation of the power consumption of a security device could yield information concerning the secret data processed therein or even the secret key that is used to process this information. Also, the timing behaviour of a device can be analysed.
Observative attacks have existed for many decades now, and today the most prominent attacks are carried out as “Electromagnetic Analysis (EMA)”, a very potent successor of the “Differential Power Analysis (DPA)”, from the past. In principle, every side-effect of semiconductor operations, even the smallest traces of light emission or heat generation can be utilized as a source of side channel information to extract secret data. For example, protection measures against “DPA” would not automatically give indications about protection against neighboured attack scenarios.
Hundreds of New Attack Scenarios per Year
Although the three primary classes remain very constant, every year several new attack sub-groups appear in the field, and in fact, several dozen new attack scenarios are generated every month. For evaluators and manufacturers, it is very difficult to keep track with hundreds of new attack scenarios that appear every year – especially if they are kept secret by proficient attackers.
Conventional Security Concepts
Many of today’s products are equipped with security features that are focussed on very special attack scenarios or sub-groups, such as laser attacks or DPA. The situation gets worse if the counter-measures would be tailored to only meet the attack equipment or parameters that are used in common tests:
— Would such a chip be designed only for the purpose of surviving evaluation and certification?
— Would this be the intention or only the fault of a semiconductor manufacturer?
The industry was forced find a way out of this situation. The more the countermeasures would be scenario-oriented, the more available space they would leave open for an adversary. Long-term stability and security could not be reached. This is the reason why the overall philosophy of countermeasures had to be dramatically changed. Comprehensive, transparent and balanced product security must mean that the efficiency of countermeasures must not depend on the specific detailed scenario. Complete attack groups should be covered, instead of trying to cope with every small parameter change in hundreds of new attacks each year.
New, Comprehensive Security Concepts
Future-oriented security concepts must encounter complete groups of attacks. The main requirement to such countermeasures is trivial – they must not react on specific attack vehicles. Many typical features cannot be used any more for building the security layer, as they are always bound to the specific parameters of the attack.
A new comprehensive security concept must utilize security features that are working independently from the specific detailed characteristics of a single attack scenario.
For designing future-orientated security concepts, the following points are always of high importance:
- Hardware security should be strong
- Security technology should be easy to use
- Security systems should work autonomously
- Hardware should be able to check itself
- Designs should be robust
- Security mechanisms should be mathematically modelled
One way to approach appropriate concepts is to learn from nature. While many principles from nature are used already in the technical world, this step has now also been taken for the development of security processors.
A security processor protects data stored therein, usually in encrypted form, and allows the protected processing of this data. In nature, there is a quite a similar requirement that has been present for millions of years: biological cells also needs to store and protect their DNA information, and also have to process this information while they are alive. Therefore, biological cells contain the DNA information in a double helix – if one part of the helix would be damaged, then the information of the second part could be used to retrieve the original. If, on the other hand, both parts are damaged, then the cell knows the mechanisms to destroy itself, as it would be beyond repair – a self destruct mechanism, if you like.
If this cell model is transferred to security controller technology, many parallels become apparent. The DNA double helix can be transferred to a solution using a dual CPU. The information stored in the DNA helix is the program code – it can be coded differently in both CPU parts. The connection of the two helices in the DNA can be also transferred to the technical world – a mutual error check for both CPUs could be used to indicate erroneous operations and issue a security alarm.
Finally, it turned out that the biological cell would nicely serve as a “Lleitmotifv” for the development of a completely new, comprehensive security concept for long-lasting applications. Nevertheless, extraordinary efforts in cryptology and chip design were needed to turn these ideas to reality.
Technical Realization
In the history of security controllers, one of the most important aspects was typically neglected – the CPU itself, the heart of the microcontroller. Indeed, a real protection of the CPU itself, at first sight, seems to be a very difficult: simple protection concepts such as adding parity bits in the registers or other parts of the CPU, under attack conditions, turned out not to be sufficient.
Utilizing a dual-CPU allows a very comprehensive protection against fault attacks directly induced in the CPU itself. It is important that the CPUs are very closely linked together to yield the most efficient error detection rate; but such a close denticulation is only possible by designing some CPU core’s deep internals. The use of a dual-CPU system should be fully transparent for the software developer, so that no additional efforts would be needed for programming. On the other hand, the use of a dual-CPU should not have negative impact on performance of a secured chip – especially if such chips will be used in electronic passport systems which need high energy efficiency due to the contactless interface with contactless energy power supply. Interestingly, in reality it turned out that a dual-CPU could often be much more energy efficient as a conventional chip, as some software security measures that drive down system performance would no longer be needed.
For protection against observative and manipulative attacks, it is very important to keep usable information, that could be available for an attacker, as small as possible. Even older products usually employ memory encryption, which means that the information that is stored on the on-chip memories such as ROM, RAM, Flash or EEPROM would be stored in encrypted form. Conventional concepts still show a major weakness in information handling: typically, the CPU, if it wants to process the information stored in the memories, has to utilize clear text. Otherwise, a CPU could not process that information. This effect can be compared to an encrypted email – a person could store his email or files in encrypted form on his computer, but as soon as he wants to read the email, it has to be transferred to clear text first in order to make it readable. At that point, unfortunately, it would be attackable by an adversary.
Today, it is now possible to process data in encrypted form in the CPU itself – if the CPU core itself is designed from the scratch. This means that this data is not available in clear text on the chip anymore. If dynamic keys are used, both CPUs can even employ different key sets in both parts. If the chips are not powered, such keys should of course not be “present” in hardware, so they have to be volatile.
In the security evaluation, the immense advantages of such digital security concept architectures have already been impressively demonstrated. The possibility of mathematical modelling and simulation of the concept architecture, long before silicon chips for testing were available, greatly simplified the evaluation. Uncertainties concerning future, upcoming attacks, can be greatly reduced, which is an important factor for applications requiring a long-life. And, last but not least, software developers have regained their freedom in operating system design and application coding.
Outlook
The future of security controllers is built through comprehensive digital security mechanisms. Although absolute security will never be possible, this paradigm change shift towards encrypted processing of data in the CPU itself, in combination with efficient error detection, will be a major step forward in security technology, allowing for the usage of security microcontrollers. Especially within long-term, long-life security applications.
The Authors;
Since 1991 Marcus Janke has been working on the conceptions, development and realisations of smart card systems. As author and consultant, he published numerous publications covering the sector of smart card security and held several lectures in this field. At Infineon Technologies AG, he currently leads the Product and System Security department.
Dr. Peter Laackmann has been working for the smart card industry, as well as for print and TV media as a consultant since 1991. He has written numerous publications covering chip card technology and security. He currently holds the position as Senior Principal in the Chipcard and Security Division of Infineon Technologies AG.
