Smart card security issues.

Problems of smart card protection.

Problems of smart card protection

A typical smart card is an 8-bit microprocessor, read-only memory or ROM, electrically erasable programmable ROM, random access memory (RAM), serial input and output. All of this is housed in a single chip enclosed in a plastic card case. The cryptographic key material is stored in the EEPROM. A standard cryptographic device (and in particular a smart card) uses a secret key to process input information and/or produce output information. Common traditional protocol designs assume that the input and output messages are accessible to an attacker, and that any information about the keys is unknown to the attacker. However, in reality, the attacker may have access to all sorts of side information emitted by the cryptographic device: electromagnetic radiation, signals about errors or time intervals between instructions being executed, fluctuations in power consumption, and other data (P. Kocher, D. Jaffe, V. June, “Introduction to Differential Power Analysis”). As evidenced by numerous published works by research scientists, all this leaked information can be used to analyze and open chips in order to access the secret information stored in them.

It is known that certain levels of radiation or heat, improper supply voltage, or nonstandard clock frequency can be applied to engineered secure devices such as smart cards, which are typically small and compact, to cause a computational error. It is also known that when a computational failure occurs, a computing device can produce information useful for recovering secret data. In late September 1996, a team of authors from Bellcore, a research center of the American company Bell, reported that they had discovered a serious potential general weakness in secure cryptographic devices, in particular, smart cards for electronic payments. The authors of this research work were Dan Boneh, a research scientist at Bellcore; Rich DeMillo, who heads the center's information technology lab; and Richard Lipton, a professor at Princeton University and a part-time consultant to Bellcore.

The authors called their cracking method «Cryptanalysis in the Presence of Hardware Faults»; it is based on an algorithm for comparing faulty values ​​with correct values, which then allows restoring cryptographic information stored in a smart card. Research has shown that all engineering-protected devices that use public-key cryptographic algorithms to encrypt information and authenticate users are susceptible to the new threat. These may include smart cards used to store certain data (such as electronic money); identification cards for cellular telephony; cards that generate electronic signatures or provide user authentication for remote access to corporate networks. The attack developed by Bellcore scientists is applicable specifically to devices that use public-key cryptography. Their new technique was shown to be able to break well-known cryptographic algorithms such as RSA, the Rabin digital signature scheme, and the Fiat-Shamir identification scheme. Bellcore's attack relies on specific algebraic properties of modular arithmetic and cannot be applied to the complex bitwise manipulations that underlie most secret-key algorithms such as DES.

The authors theoretically demonstrated that the attack they proposed is much more powerful than the known factorization-based cryptanalysis. Since real physical impacts require the creation of special laboratory studies, the authors limited themselves to testing the algorithm only under hypothetical computational failures. However, in the cryptographic community it is believed that there is no need to fully simulate an attack in order to demonstrate its seriousness. It is already well known that even the mere possibility of such an attack is a sign of great danger. One way to protect against the discovered attack method is to have the cryptographic device check the calculated values, for example, by repeating the calculations and comparing the values ​​obtained in both cases. Unfortunately, this form of protection usually reduces the speed of calculations by about half. For some applications, this calculation method is not applicable.

Less than a month after the Bellcore scientists' work appeared (in October 1996), it became known that a similar theoretical attack had been developed against symmetric cryptographic algorithms. The new method for cracking cryptographic smart cards was called «differential fault analysis» or DFA. Its authors were the famous Israeli cryptographers Eli Biham from the Technion Institute and Adi Shamir from the Weizmann Institute. In the world of computer security, these scientists are best known for the differential cryptanalysis method they developed in the early 1990s. Today, almost all cryptanalytic attacks against block ciphers are based on the principles of this method. Biham and Shamir based their DFA method on the idea of ​​the Bellcore researchers. That is, a fundamental assumption is put forward that by subjecting a device protected from engineering access (such as a smart card) to a certain physical effect (for example, ionization or microwave radiation), it is possible with a significant probability to cause a bit distortion in one of the arbitrary places of one of the registers in some arbitrary intermediate state of the cryptographic computation process. It is further assumed that the attacker has physical access to the smart card, that is, the ability to repeat his experiment with the same plaintext and key, but without using external physical influence. The result is two ciphertexts obtained from the same (unknown) plaintext and on the same key, but where one of the ciphertexts is correct, and the other is the result of a calculation distorted by a glitch in one bit during the transformation process. The technique for analyzing such pairs of texts developed by the Israeli authors turned out to be applicable to virtually all cryptosystems with a secret key described in the open literature. In particular, they applied DAI to the case of DES and showed that, under the same hardware failure model considered in Bellcore, it is possible to «extract» the full DES key from a sealed, tamper-resistant cipher by analyzing less than 200 ciphertext blocks generated by an unknown plaintext. The power of DAI can be illustrated by the fact that even if DES is replaced by triple DES (whose 168-bit key length made it virtually inaccessible to «classical» cryptanalysis), the same attack can break it using the same number of ciphertexts.

In a number of subsequent publications and in the paper by E. Biham and A. Shamir, «Differential Distortion Analysis in Secret-Key Cryptography,» which concludes this study, the authors presented a modified DAI model that allows one to find a secret key stored in a smart card under conditions where virtually nothing is known about the architecture and operation of a particular cryptosystem. Using a DES-like block cipher as an example, the authors proved that the structure of an unknown cryptographic algorithm hidden in an engineering-protected device can be established in polynomial time, including the determination of its cycle functions, S-boxes, and subkeys.

The theoretical attacks described above received a fairly wide response in the press and, along with considerable interest, caused a lot of critical responses. The most common criticism was that this entire technique is purely theoretical: no one has demonstrated in practice that in a real cryptographic device individual bit errors can really be caused in the key unfolding algorithm. It is known that in most smart cards the keys are stored in the reprogrammable EEPROM memory, which also contains almost all the software applications of the given device. Therefore, errors caused by ionizing radiation are much more likely to damage the software, which will lead either to the failure of the entire system as a whole, or to uninformative erroneous actions. However, in the spring of 1997, a much more practical and improved attack of the DAI type was published, requiring less than 10 ciphertexts (R. Anderson, M. Kuhn «Inexpensive attacks against tamper-resistant devices»). The new method is quite practical, as it uses a forced distortion model that has already been successfully implemented in attacks on real smart cards. The trick is to induce small changes in the program codes, rather than trying to distort the keys or other data. Kuhn and Anderson's method is based on the important fact that smart cards and other cryptoprocessors can often be attacked by manipulating the clock frequency or supply voltage (so-called «glitch attacks»). Significant increases in the clock frequency or short-term power surges cause situations where the program counter increments its value, and the current instruction is either executed incorrectly or not executed at all. A typical attack used by crackers to hack pay TV is to replace the 5 MHz clock pulse in a smart card with four 20 MHz pulses. This extends the output cycles, which makes it possible to dump key material to the output port. The authors emphasize that attacks based on non-standard instructions are not only confirmed in practice (in contrast to purely theoretical methods of distorting individual bits by irradiation), but also serve as a basis for more powerful attacks on many cryptographic algorithms. In particular, they demonstrate a model of an effective «glitch attack» for cracking an RSA signature, a model for cracking a 40-bit DES key using 8 blocks of distorted ciphertext (the remaining 16 bits of the key are found by trivial enumeration), and a method for restoring the structure of an unknown block cipher hidden in an engineering-protected casing (R. Anderson, M. Kuhn «Resistance to Attack. Warning»).

In the summer of 1998, another method for cracking smart cards was discovered, and it was more than successfully implemented in practice. As it turned out, a four-person cryptographic consulting firm called Cryptography Research from San Francisco had developed technically sophisticated and extremely effective analysis tools that a potential attacker could use to extract secret keys from cryptographic devices. As Paul Kocher, the firm's 25-year-old head, said, «We haven't found a single card that can't be cracked yet.» Kocher and his colleagues managed to crack smart card protection by using mathematical apparatus to analyze fluctuations in the chip's power consumption.

In fact, for a year and a half, specialists from Cryptography Research have been working on the problem of how to increase the security of portable cryptographic tokens, including smart cards. All these months, without making their research widely public, they have been introducing the community of smart card manufacturers to the types of attacks developed by the company, which were called «simple power analysis» (SPA), «differential power analysis» (DPA), and «high-order differential analysis» (HODA) (P. Kocher, D. Jaffe, W. June «Introduction to differential power analysis»). The researchers are confident that these analysis methods should be taken seriously, since such attacks can be carried out quickly and using off-the-shelf equipment costing from several hundred to several thousand dollars. The basic concepts of the new attack method were formulated in the famous work of Paul Kocher (1995) «Cryptanalysis based on a timer attack», which showed that it is possible to break cryptographic devices simply by accurately measuring the time intervals that they require to process data.

In PAP attacks, the cryptanalyst directly observes the dynamics of the system's power consumption. The amount of power consumed varies depending on the instruction executed by the microprocessor. Power characteristics can be measured precisely. In particular, a simple ammeter constructed on the basis of a resistive load can be used to track fluctuations in power consumption. Large blocks of instructions can be identified, such as DES cycles, RSA operations, etc., since these operations performed by the processor have significantly different fragments within them. With higher amplification, individual instructions can be isolated. Although Cryptography Research has found many smart cards vulnerable to PAP analysis, it is also recognized that creating devices resistant to PAP attacks is not particularly difficult.

Differential Power Analysis (DPA) is a much more powerful attack than PPA and much more difficult to counter. While PPA attacks rely primarily on visual analysis to identify significant power fluctuations, DPA relies on statistical analysis and error correction techniques to identify information that correlates with secret keys. To use the statistical technique, the results of 1000 transactions are analyzed.

An even more sophisticated analysis method is the DAP-HP. While the DAP technique analyzes information between data samples during a single event, the method of high-order differential analysis can be used to correlate information between many cryptographic sub-operations. In high-order DAP attacks, signals are collected from many sources, different measurement techniques are used to collect them, and signals with different time shifts are combined in the process of applying the DAP techniques.

Cryptography Research has developed a number of methods to counter DAP and related attacks. In particular, a design of semiconductor gate logic has been created that provides a significantly lower level of information leakage. For systems with physical or cost limitations, Cryptography Research has developed hardware and software methods that include reducing leakage information, introducing noise into measurements, decorrelation of internal variables and secret parameters, and decorrelation in the time of cryptographic operations (P. Kocher, D. Jaffe, W. June, «Introduction to Differential Power Analysis»).

All the above methods of cracking smart cards are quite «soft» and do not require opening the device case. However, there are other, more severe methods, when attackers destroy the smart card to obtain information. It was precisely these methods of physical and destructive attacks on cryptographic controllers that were the subject of the presentation by the already mentioned Kuhn and Anderson at the Second USENIX Workshop on Electronic Commerce (R. Anderson, M. Kuhn «Resistance to cracking. Warning»). Here are some excerpts from this report.

Physical attacks on some microcontrollers are almost trivial. For example, the lock bit of some early devices with on-chip EEPROM memory was reset by simply focusing a beam of ultraviolet light on its cell, which was far enough away from the rest of the memory. Modern smart cards are a little harder to attack, but not much. Typically, the most manufacturers do to protect the chip is install a capacitive sensor or optical sensor under an opaque shell.

However, practice shows that these means are not used very often, and if they are used, they are easy to detect and bypass. A typical chip module has a thin plastic base about a square centimeter in size with contact zones on both sides. One side of the module is visible on the smart card itself and contacts the reader: the silicon matrix is ​​glued to the other side of the base, connected with thin gold or aluminum wires. The side of the plate where the chip is located is covered with epoxy resin, and the resulting chip module is glued into the card. Removing the chip from the card is easy. First, using a sharp knife or lancet, cut the plastic on the back of the card until the epoxy resin appears. Then a few drops of concentrated nitric acid (>98% HNO3) are applied to the resin and wait a few minutes until some of the resin dissolves (the process can be accelerated by heating the acid with infrared radiation). Before the acid dissolves too much of the epoxy layer and hardens, the acid and resin are washed off with acetone. This procedure is repeated 5 to 10 times until the silicon matrix is ​​completely exposed. The chip can then be washed and will be fully functional unless the connecting wiring has been damaged. Most chips have a protective surface layer of silicon oxide or nitrate, which protects them from equipment radiation and ion diffusion.

Nitric acid does not affect it, so to remove it, specialists use a complex method of dry etching. But this is not the only way to access the chip. Another method is to use microneedles-probes, which use ultrasonic vibration to remove the protective layer directly under the contact point. In addition, laser cutters-microscopes used in cell biology laboratories can also be used for localized removal of the protective layer. The opening technique described above is successfully used by amateur crackers. Below, some technologies available to well-equipped laboratories studying semiconductors will be briefly described. Today, there are several hundred such laboratories in the world, for example, at universities and industrial research centers.

In 1993, a review of technology developed at the Cavendish Laboratory in Cambridge for reverse engineering of complex silicon chips was published. The authors of the article developed a technique that allows for successive removal of chip layers one after another. One of the innovations used is a technique for displaying impurity N and P layers based on the Schottky effect: a thin film of gold or palladium is applied to the chip, forming a diode that can be seen in an electron beam. Images of successive chip layers are fed into a computer, special software cleans up the initially fuzzy images, produces a clear representation of them, and recognizes standard chip elements. This system was tested on an Intel 80386 processor and a number of other devices. The work on restoring the 80386 took two weeks, and about six chip samples are usually required for correct reconstruction. The result of the work can be mask and circuit diagrams or even a list of library cells from which the chip was constructed.

In conditions where the design and operation of the chip are already known, there is a very powerful technology developed by IBM for studying the chip in operation even without removing the protective layer. To measure the operating characteristics of the device, a lithium niobate crystal is placed above it. The refractive index of this substance changes with the electric field, and the potential of the silicon underneath can be read using an ultraviolet laser beam passing through the crystal at a grazing angle. The capabilities of this technology are such that it is possible to read a signal of 5 V with a frequency of up to 25 MHz. It is clear that this is the standard way for well-equipped laboratories to restore cryptographic keys in chips whose design is known.

Chipmakers' response to these types of attacks has been to develop a «special adhesive» coating for chips that is not only opaque and conductive, but also reliably resists attempts to destroy it, usually by destroying the silicon layer underneath. Such coatings are covered by the US federal standard FIPS 140-1 and are widely used in the US military, but are not generally available.

There are also sophisticated methods for reconstructing a chip with a well-protected surface. For example, a recently declassified technology invented at Sandia National Laboratories (USA) allows the contents of a chip to be examined from the back using an infrared laser with a wavelength that makes the silicon substrate transparent. This technology allows the device's operations to be examined and the logic states of individual transistors to be identified.

The study of chip-cutting techniques leads to a more general (and relatively unexplored) problem: attacks that involve actively modifying the chip being probed, rather than just passively probing it. For example, there is good reason to believe that some successful pirate attacks on pay-TV systems were carried out using a focused ion beam workstation (FIB). Such a machine can cut tracks in the metallized layer of a chip and form new tracks or insulating layers. In addition, the machine can implant ions to change the thickness of the silicon layer and even build through-vias to conductive structures in the underlying layers of the chip. Such machines cost several million dollars, but insufficiently wealthy attackers rent them for a period of time from large semiconductor companies. With such tools, attacks on smart cards become simpler and more powerful. A typical attack involves disconnecting almost all CPU processes from the bus except the EEPROM and the CPU component that generates read access. For example, the program counter could be left connected so that memory areas are accessed in order as the clock pulses are issued.

Once this is done, an attacker only needs a single probe tip or electro-optical probe to read the entire EEPROM content. This makes the analysis process easier than passive probing, which typically only analyzes the execution trace. It also avoids the purely mechanical difficulties of handling multiple probe tips on bus lines that are only a few microns wide (R. Anderson, M. Kuhn, «Tamper Resistance: A Warning»).

All of the information presented here suggests that it is unreasonable to assume that the design of a miniature silicon chip or the information stored on it can be inaccessible to a well-trained attacker.

Public confidence in the new technology is the most important factor for the implementation of the industry's plans for the widespread introduction of smart cards. This is why industrial and commercial circles involved in smart cards try to either simply ignore reports of device hacking or minimize their significance, calling them «purely laboratory attacks» that only a few specialists in the world can repeat.

However, the results of research by specialists indicate the opposite. And it is worth recalling the words of Paul Kocher, whose very small company does not have any super-complex expensive equipment: «We have not yet found a single card that could not be hacked.»