
BoS: Tamperproofing of Chip Cards

daemon@ATHENA.MIT.EDU (Travis Hassloch)
Wed Sep 10 14:14:14 1997

Old-X-Envelope-From: travish@dejanews.com  Tue Sep  9 07:28:22 1997
Date: Mon, 08 Sep 1997 16:28:05 -0500
From: Travis Hassloch <travish@dejanews.com>
Old-X-Originally-To: To: best-of-security@cyber.com.au
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


I found this in our database.  I've never seen it before.
I found it pretty interesting, despite being somewhat old.
Truncation in original.

                *       *       *       *       * 

                   TAMPERPROOFING OF CHIP CARDS

                         Ross J. Anderson
             Cambridge University Computer Laboratory
                Pembroke Street, Cambridge CB2 3QG
                Email: ross.anderson@cl.cam.ac.uk

                             Abstract

There are two ways of attacking smartcards - destructive reverse 
engineering of the silicon circuit (including the contents of 
ROM), and discovering the memory contents by other means; a well 
equipped laboratory can do both. Persistent amateurs have often 
managed the latter, and may shortly be able to do the former as 
well. 


1 Reverse engineering the chip

A recent article[1] gives a good introduction to how reverse 
engineering can be carried out in a moderately well equipped 
academic microelectronics laboratory (there are three such in the 
UK, and perhaps two hundred academic or industrial facilities 
worldwide which can carry out such work). We will start off by 
summarising it and giving some background. 


1.1 How attacks are done

The authors of the article cited above worked at the Cambridge 
University microelectronics lab, which is part of the department 
of physics. They got interested in reverse engineering chips five 
years ago to help an industrial client locate manufacturing 
defects. 

They built an apparatus which consists of a slightly modified 
electron beam lithography machine (this functions in effect as an 
electron microscope) and a PC with an image processing system (a 
DCT chip and locally written software). They then developed 
techniques for etching away a layer at a time without doing too 
much damage. Conventional wet etching causes too much havoc with 
half micron chips, so dry etching is used in which gases such as 
CF4 or HF strip off layers of silica and aluminium in turn. 

One of their innovations is a technique to show up N and P doped 
layers in electron micrographs. This uses the Schottky effect: a 
thin film of a metal such as gold or palladium is deposited on 
the chip creating a diode effect which can be seen with the 
electron beam. 

Finally, image processing software has been developed to spot the 
common chip features and reduce the initially fuzzy image of the 
metal tracks into a clean polygon representation. There are also 
routines to get images of successive layers, and of adjacent 
parts of the chip, in register. 

The system has been tested by reverse engineering the Intel 80386 
and a number of other devices. The 80386 took two weeks; it takes 
about six instances of a given chip to get it right. The output 
can take the form of a mask diagram, a circuit diagram or even a 
list of the library cells from which the chip was constructed. 

This is typical of the kind of attack which an academic lab can 
mount. Even more sophisticated attacks, invented at Sandia 
National laboratories and recently published[2], involve looking 
through the chip. Light-Induced Voltage Alteration is a non-
destructive technique that involves probing operating ICs from 
the back side with an infrared laser to which the silicon 
substrate is transparent. The photocurrents thus created allow 
probing of the device's operation and identification of logic 
states of individual transistors. Low-Energy Charge Induced 
Voltage Alteration relies on a surface interaction phenomenon 
that produces a negative charge-polarization wave using a low-
energy electron beam generated by a scanning electron microscope. 
This allows imaging the chip to identify open conductors and 
voltage levels without damage, although it does not operate 
through metalization layers. 

Of course, even more sophisticated techniques may be available in 
classified government facilities. 


1.2 The threat to smartcard systems

Smartcards typically have a few kilobytes of ROM, which being 
metal can be read with the above techniques; a few hundred bytes 
of RAM, which being cleared between transactions stores no long 
term secrets; and a few kilobytes of EEPROM, which typically 
holds the user data and key material. 

The techniques described above are not directly relevant to 
reading out EEPROM. However any laboratory at the level under 
consideration would be able to determine EEPROM contents using 
microprobe techniques. More simply, a reverse engineering 
operation would pinpoint the physical location of the write 
protect bit, which could then be reset using ultraviolet light. 

As mentioned, the number of organisations worldwide which can do 
electron beam lithography is of the order of 100-200. These 
potential attackers include a number of universities, all the big 
chip makers and the governments of the USA, Canada, the UK and 
China. Of these, the US and Chinese governments appear to have 
the greatest experience at chip breaking. 

For a respectable firm to join this club costs about $2m - $1.5m 
for the electron beam lithographer and ancillary equipment, plus 
a year's salary for about five professionals to get it all going 
(typically a physicist to deal with the ion beams, a chemist to 
deal with packaging, two computer people to write software, and a 
chip person to run the whole operation). 

The number of club members may rise as more and more firms, 
especially in the Far East, start producing ASICs. However it is 
not likely that electron beam lithography will ever become a 
really widespread technology. The total number of sites with the 
capability to do regular hi-tech attacks might rise to about 1000 
at most. 

An outsider without $2m still has a number of options. For 
example, there are three universities in the UK alone which possess 
the necessary equipment (Cambridge, Edinburgh and Southampton) 
and an attacker might enrol for a PhD or other degree in order to 
acquire access and training. It is also possible to use more 
primitive equipment at the cost of spending months rather than 
weeks on each reconstruction; this is apparently the approach of 
the Chinese government, and could be viable where workers are 
paid little (or are expecting a share of large criminal profits). 

Finally, there are apparently places in the Far East, and at 
least one in Silicon Valley, which reverse engineer chips for 
cash. How much cash, and how many questions would be asked, are 
not known to this writer. 


1.3 Possible defences

A number of copy trap features are incorporated into commercial 
chip designs. For example, we have heard of design elements that 
look like a transistor, but are in reality only a connection 
between gate and source; and 3-input NORs which function only as 
2-input NORs. 

Many of these copier traps are based on holes in isolating layers 
or on tricks done in the diffusion layer with ion implantation 
(based on the assumption that it is hard to distinguish N from 
P). However the layer etching and Schottky techniques developed 
by Haroun Ahmed's team can detect such traps. 

Another possibility is to introduce complexity into the chip 
layout and to use nonstandard cell libraries. However the chip 
still has to work, which limits the complexity; and nonstandard 
cells can be reconstructed at the gate level and incorporated in 
the recognition software. 

Finally, in the Clipper chip there are a number of silicon 
features, of which the most important is a fusible link system. 
These links are only fused after fabrication and hold the long 
term key and other secret aspects of the chip. Details can of 
course be found in a paper in the relevant data book[3], and from 
the scanning electron micrographs there, it is clear that the 
secret information can be recovered by sectioning the chip. This 
technique has been used by Professor Ahmed's team on occasion on 
obscure features in other chips. 

Thus the effect of current silicon level copy traps is just to 
slow down the attacker. In fact, we have heard from a usually 
reliable source that Intel has reverse engineered the Clipper 
chip, but that the results have been classified. 

The same appears to be the case for chemical measures. Chips 
intended for classified military use are often protected by 
passivation layers of a tenacity never encountered in civilian 
packaging[4]. But here again, informed sources agree that with 
enough effort, techniques can be developed to remove them. 


1.4 Relevance to smartcard products

We understand that neither silicon copy traps nor advanced 
passivation techniques are used by smartcard manufacturers in the 
bulk of their products. The marketing director of a smartcard 
manufacturer said that they simply had no demand from their users 
for anything really sophisticated[5]. The most that appears to be 
done is an optical sensor under an opaque coating[6]. 

Hi-tech techniques may indeed have been used by commercial 
pirates to duplicate satellite TV smartcards[7]. 

Recent postings to a TV hackers' mailing list recount how an 
undergraduate used nitric acid and acetone to remove ICs intact 
from Sky-TV smartcards; he then put them in the University's 
electron beam tester (an ICT 8020, also sold as the Advantest E 
1340 - a 1991 machine). The chips were run in a test loop, but he 
had been unable to remove the silicon nitride passivation layer; 
the many secondary electrons removed from this caused it to get 
charged positive very quickly, which obscured the underlying 
circuit. He did not have access to a dry etching facility to 
remove this layer, and could get no further. However it is 
significant that a person with no funding or specialist knowledge 
could get even this far. 

However, amateur hackers have managed to break smartcard security 
without having to penetrate the device physically. Instead, they 
have used flaws in the design of the card's hardware or software 
to determine its contents. 


2 Determining the EEPROM contents

Many methods have been employed to determine the EEPROM contents 
of smartcards. In addition to the very general reverse 
engineering techniques described above, there are a lot of 
shortcut attacks on particular designs. 


2.1 How attacks are done

The following list is not exhaustive: 

o   raising the supply voltage above its design limit; 

o   cutting the supply voltage below its design limit; 

o   resetting random memory locations using ultraviolet light 
    until the read protect bit is found; 

o   exploiting misfeatures in the hardware, including the 
    manufacturer supplied ROM code; 

o   exploiting misfeatures in the customer written EEPROM code 
    (current attacks on UK satellite TV systems take this route); 

o   some combination of the above. 

The appendix contains accounts from a hacker mailing list of two 
actual attacks carried out on chips. 


2.2 Threat assessment

All systems have bugs, and so the level of threat to smartcard 
systems presented by exploitable loopholes is a function of how 
many bugs remain (i.e. how mature the design is) and how much 
effort is spent in looking for them (i.e. how many motivated 
attackers there are). This in turn depends on the application 
area. 

Satellite TV systems attracted a great many attackers for 
historical reasons; in the USA, many rural households had got 
into the habit of watching satellite TV feeds as there were no 
terrestrial stations in range, even though these feeds were 
intended for rebroadcast rather than direct consumption. When the 
feeds were encrypted, the families who depended on them for their 
news and entertainment - and often could not buy decoders through 
any legal channel - were outraged. 

In Europe, a similar problem arose when the final season of 'Star 
Trek: The Next Generation' was encrypted. This program's fans 
included many with appropriate skills, and soon (March 94) there 
appeared a program called Season which decoded Sky TV. 

Since then, there has been a battle of wits between Sky and the 
Trekkies, which has probably cost Sky somewhere between $10 
million and $100 million. On May 18th 1994, Sky changed from 
issue 07 cards to their new issue 09 card. Hackers refer to May 
18th as Dark Wednesday. The 09 card proved harder to hack but a 
temporary solution appeared in June. It only lasted a few weeks 
before Sky changed codes again. Though some attempts at an issue 
09 Season were made, a code change by Sky stopped it until just 
before Christmas. 

Then no less than three new versions of Season appeared - two for 
the PC and one for the MAC. Successive code changes on January 
4th and January 25th led to further updates of Season, and by 
about 8th March all the secrets in the Sky 09 card were known - 
and published! Hackers are awaiting the release of series 10 Sky 
cards with relish. 

In addition to the attacks on satellite TV, there have been a 
number of attacks on banking systems and prepayment electricity 
meter systems which are documented in three of my recent papers 
[8, 9, 10]. Most of the attacks documented there resulted from 
similarly opportunistic exploitation of design and operational 
errors, and some of the target systems were based on smartcards. 

Finally, some concern has been expressed that attack skills may 
be transferable. For example, a banking industry security expert 
is worried that the satellite TV hacking community might next 
turn its attention to eftpos systems. 


2.3 Possible defences

The main conclusion to be drawn from the above is probably that 
just as we do not know how to make a device which resists 
tampering by a funded organisation, we do not know how to build a 
device of any complexity to resist logical as opposed to physical 
tampering. 

There are a number of other lessons. For example, companies which 
rely on smartcard systems should if possible avoid making a lot 
of enemies. Diversity of attack has been significant in pay-TV, 
metering and banking systems and just as a funded organisation 
can break the silicon directly, so one must expect that many 
tinkering amateurs will eventually find a flaw in any piece of 
software. It is well known in the software testing community that 
a significant number of bugs come to light when a piece of 
software is passed on to another tester or to a customer; this is 
because different testers and/or users exercise different parts 
of the input space[11]. 

It is also imprudent to start off with weak security and then 
improve it gradually in response to attacks. The satellite TV 
people did this, and trained up a community of hackers. At some 
point, you must invest enough to put clear water between your 
systems and your opponents, and the sooner you make this 
investment the smaller it is likely to be. 

The main investment should be in getting the overall design 
right, or at least as right as one can, from the beginning. It is 
unwise to spend a lot of money on tamperproofing while ignoring 
the much simpler and dirtier attacks which exploit errors in 
design and operation. Quality control, and examination by 
multiple independent experts, should take priority over attempts 
to mimic the passivation techniques used by the military. 

After all, the three published attacks on Clipper all involve the 
logical design (key management protocols and modes of operation) 
rather than penetration of the device itself. 


3 Conclusion

At present, there are no portable tamperproof devices. If secrets 
are held on smartcards which are allowed outside protected 
spaces, then both physical and logical attacks should be 
expected. 

The scale of such attacks will depend on many things. If there is 
a capable motivated opponent, such as a chip maker or the 
government of a NATO country or China, then it must be assumed 
that a complete penetration will take at most weeks. If there are 
many less capable but still motivated opponents, then 
penetrations based on the opportunistic exploitation of design 
flaws are to be expected in due course. 

We conclude that systems based on portable tamper-resistant 
devices should be designed with caution. They should avoid 
motivating a determined attack on the cards, and the penetration 
of a small number of cards should not be fatal to the system 
owner. 

These considerations interact; for example, if the scope of 
secrets kept within the card is limited so that breaking a card 
allows access to only one bank account, then it is unlikely that 
an attack would be economic to an attacker or prove more than a 
minor nuisance to the card issuer. 
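The lesson in section 2.3 (penetration of a small number of cards should not be fatal to the system owner) and the closing example above (a broken card should expose only one account) both come down to limiting the scope of the secret each card holds. The following is an added illustration, not part of Anderson's paper and not any issuer's actual scheme: it assumes per-card keys are diversified from an issuer master key with HMAC-SHA256 over the card id, that the card authenticates each transaction with a MAC over a monotonically increasing counter, and that the issuer can revoke a card id. The master key, card ids and amounts are constructed for the example. It shows that a key extracted from one card neither authenticates another card's transactions nor survives revocation of the broken card.

```python
import hmac
import hashlib
from typing import Dict, Set, Tuple

# Constructed 256-bit master key for the example. In a real issuer this
# value would live in an HSM and never be loaded into any card.
MASTER_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def derive_card_key(master_key: bytes, card_id: str) -> bytes:
    """Diversify the master key per card (assumed scheme: HMAC-SHA256 over a
    fixed label and the card id). A card is personalised with only its own
    derived key, so extracting it yields nothing about other cards."""
    return hmac.new(master_key, b"card-key|" + card_id.encode(), hashlib.sha256).digest()


def card_mac(card_key: bytes, card_id: str, counter: int, amount_cents: int) -> bytes:
    """What the card computes for one transaction. The counter is bound into
    the MAC so a captured transaction cannot simply be replayed."""
    msg = f"{card_id}|{counter}|{amount_cents}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).digest()


class Issuer:
    """Back-end verifier: re-derives the card key from the master key and
    checks the MAC, the counter and the revocation list."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key
        self._revoked: Set[str] = set()
        self._last_counter: Dict[str, int] = {}

    def revoke(self, card_id: str) -> None:
        # Once a card is known to be broken, refuse it regardless of MAC.
        self._revoked.add(card_id)

    def verify(self, card_id: str, counter: int, amount_cents: int, mac: bytes) -> Tuple[bool, str]:
        if card_id in self._revoked:
            return False, "revoked"
        if counter <= self._last_counter.get(card_id, 0):
            return False, "replay"
        expected = card_mac(derive_card_key(self._master, card_id), card_id, counter, amount_cents)
        # Constant-time comparison avoids leaking MAC bytes via timing.
        if not hmac.compare_digest(expected, mac):
            return False, "bad-mac"
        self._last_counter[card_id] = counter
        return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through the cases the text cares about and return each verdict."""
    issuer = Issuer(MASTER_KEY)
    key_a = derive_card_key(MASTER_KEY, "card-A")  # the only key card-A holds

    genuine = issuer.verify("card-A", 1, 1500, card_mac(key_a, "card-A", 1, 1500))
    # Someone who has extracted key_a from card-A tries to spend as card-B.
    forged = issuer.verify("card-B", 1, 1500, card_mac(key_a, "card-B", 1, 1500))
    # Replaying card-A's earlier transaction is caught by the counter.
    replay = issuer.verify("card-A", 1, 1500, card_mac(key_a, "card-A", 1, 1500))
    # After the issuer learns card-A is broken, even a valid MAC is refused.
    issuer.revoke("card-A")
    after = issuer.verify("card-A", 2, 1500, card_mac(key_a, "card-A", 2, 1500))

    return {
        "genuine": genuine,
        "forged_other_card": forged,
        "replay": replay,
        "after_revocation": after,
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} -> {verdict}")
```

The point of the design is that the damage from one fully penetrated card is bounded to that card's account and ends at revocation; nothing an attacker learns from card-A shortens the work needed against card-B, because card-B's key is an independent HMAC output of a master key that was never on the silicon.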


                             APPENDIX

First account

This short essay will show you how to read the EPROM of an 
AMD87C51, with all security programmed. 

... the SM-card I had was programmed with both Lock bits and it 
was impossible to read out the IROM. 

But the data sheet also tells: 
    To ensure proper functionality of the chip, the internally 
    latched value of the EA pin must agree with its external 
    state. 

Perhaps it was possible to confuse the processor. 

I built a small device with external EPROM (64KBytes) and RAM. 
The EPROM was coded with a monitor program in the upper address 
range which gives me the possibility to load and execute code by 
control of a PC. Starting the processor with external ROM access 
disables the access of the internal ROM and due to the latching 
of the EA pin during RESET, changes at the EA pin had no effect. 
Also the MOVC returns only external ROM values. 

Now my idea was to start the processor with internal ROM and 
then to confuse it so that it accesses the external EPROM and 
runs into the monitor program. 

I tried ...

But reduction of the power supply voltage works. At about 1.5 
Volt the processor starts to access the external ROM. Raising the 
voltage back to 5 Volt the processor (most of the times) still 
runs external, but with the possibility of access to the internal 
ROM... 

I programmed a small routine, which calls an address within the 
internal ROM and executes it. I started at the higher end of the 
internal ROM and decreased the calling address with each try by 
10h. Most of the time the processor hangs up. But at some 
addresses I got a return to the monitor program. So I analysed 
these addresses and prepared the registers in a way to verify that 
the routine could read ROM data. And I found the routine which 
did this. So the internal ROM code reads itself and returns 
itself to the monitor program for storage. It took about 3 days 
to go through the ROM and find the routine and one long week to 
understand the code. 


Second account

This short story shows how to get access to a secured 87C51 
microcontroller. It's a different way than the one described by 
.... Referring to his article, I assume that these 87C51 
microcontrollers and their features (including security bits) are 
known. 

The idea was that the security bits are not located near the 
EPROM array on the silicon. After some tests in erasing standard 
EPROMs, I had the right tools to try it on a real device: With a 
mask designed from black, thick paper with a small hole in it, I 
started to lighten the silicon on the outer edges and sides. 
Moving the mask carefully and checking the security bits (by 
reading the device in a microcontroller programmer) after each 
try is a long job. I did additional tests to open the chip (by 
removing the windows or dividing the ceramic carrier material). 
But this always led to permanent damage to the chip (broken 
silicon, destroyed wires between pads and pins), so I gave this 
up. So after 4 destroyed chips the fifth was the right one. You 
have to be sure that your mask is well prepared and the erasing 
light doesn't diffuse across the chip. Now I'm able to erase such 
a device in less than 10 minutes. But ... it's only easy if the 
device is one of AMD or Philips. The Intel devices have a window, 
which is formed like a lens (the silicon looks very big). On these 
devices it's nearly impossible to lighten a specific part of the 
silicon. The job is easier on devices with standard window and a 
_big_ EPROM Array (seems to be devices aged two or more years). 


                                         . . . if somebody is 
interested in the 4K codes of the MasterCard (bad and dirty code) 
or MovieCard (very elegant algorithm and i/o implementation), 
just gimme a direct mail. Disassembled and commented listings in 
WinWord format are also available (comments in mixed English and 
German language). 


                            REFERENCES

[1]  'Layout Reconstruction of Complex Silicon Chips', S Blythe, B 
     Fraboni, S Lall, H Ahmed, U de Riu, IEEE J. of Solid-State 
     Circuits v 28 no 2 (Feb 93) pp 138-145 

[2]  'Two New Imaging Techniques Promise To Improve IC Defect 
     Identification', C Ajluni, Electronic Design Vol 43 No 14 (10 
     July 1995) pp 37-38 

[3]  'Conducting Filament of the Programmed Metal Electrode 
     Amorphous Silicon Antifuse', KE Gordon, RJ Wong, 
     International Electron Devices Meeting, Dec 93; reprinted as 
     pp 6-3 to 6-10, QuickLogic Data Book, 1994 

[4]  see FIPS PUB 140-1 section 4 level 4: "Removal of the coating 
     shall have a high probability of resulting in serious damage 
     to the module" 

[5]  Philippe Maes, GemPlus, during a panel discussion at Cardis 
     94 

[6]  message <CovCG9.581@apollo.hp.com> posted by Anne Anderson of 
     Hewlett-Packard aha@apollo.HP.COM to sci.crypt 26 Apr 1994 

[7]  apparently tiny jets of hot acid have been used to remove the 
     passivation layers over parts of the chip at a time 

[8]  'Why Cryptosystems Fail'

[9]  'Liability and Computer Security - Nine Principles'

[10] 'Cryptographic Credit Control in Pre-payment Metering 
     Systems' All these can be got from 
     http://www.cl.cam.ac.uk:/users/rja14/

[11] 'Thermodynamic description of the defects in large 
     information processing systems', RM Brady, RC Ball, RJ 
     Anderson, to appear
--
Travis Hassloch / travish@dejanews.com / http://www.dejanews.com
Deja News System Administration Group  / "When news breaks... we fix it."
PGP key C7FDD3D5 fgpt 7A 48 DD 46 E6 7F 11 E7  8F 7E 53 9A DF 33 9E FA



