FIPS Physical security conference, Hawaii 2005

# Adequate physical security requirements

Jan Blonk, TNO ITSEF

www.itsef.com

Blonk@itsef.com



#### TNO ITSEF

"IT Security Evaluation Facility"

- TNO is an independent R&D company in the Netherlands
- ITSEF is owned by TNO
- TNO ITSEF provides services for:
  - security evaluations
  - developer support services
- ITSEF has strict procedures for keeping clients' sensitive information confidential

### Chip security evaluations

TNO ITSEF performs chip evaluations according to different schemes (VISA, MasterCard, CC)





#### Smart Card security evaluations

TNO ITSEF performs formal and informal evaluations on smart cards with Global Platform or proprietary OSs according to different schemes (VRIR, CAST, CC, other)





#### Terminal security evaluations

TNO ITSEF performs formal and informal security evaluations on payment terminals according to different schemes (PCI/PED, CC, other)





#### Approaches for security requirements

Physical security requirements can be given at:

- High abstraction level
  - driven from threats, assets and security level
- Technical level
  - driven from generic models



### Single chip crypto module

#### Possible attacks:

- Internal attacks
  - observation
  - chip modification
- Side channel attacks
  - SPA, DPA
  - EMA, DEMA
- Perturbation
  - light
  - excess voltage
  - voltage glitches
  - temperature
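The side-channel entry above names SPA and DPA without showing what an attacker does with the traces. The script below is an added example, not from the original slides or from TNO ITSEF: it constructs synthetic power traces of a single AES S-box lookup that leak the Hamming weight of the S-box output plus Gaussian noise, then recovers the key byte by ranking all 256 hypotheses with a correlation distinguisher (the CPA form of DPA). The leakage model, trace count, noise level and seed are assumptions chosen for the simulation; on a real chip the samples come from an oscilloscope and the leakage is far less clean.

```python
"""Correlation-based DPA against a simulated leaking S-box lookup (added example)."""
import math
import random


def build_aes_sbox():
    """Generate the AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3 (3 generates GF(2^8)*)
        q ^= q << 1                                             # q /= 3, i.e. q *= 0xF6
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # the four rotations, unwrapped
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF                  # fold wrapped bits back, add 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = build_aes_sbox()


def hamming_weight(v):
    return bin(v).count("1")


def simulate_traces(key_byte, n, sigma, seed=1):
    """Constructed traces: one sample per encryption, leaking HW(S[pt ^ k]) plus Gaussian noise.

    The Hamming-weight model and the noise level are assumptions for this simulation.
    """
    rng = random.Random(seed)
    plaintexts, samples = [], []
    for _ in range(n):
        pt = rng.randrange(256)
        plaintexts.append(pt)
        samples.append(hamming_weight(SBOX[pt ^ key_byte]) + rng.gauss(0.0, sigma))
    return plaintexts, samples


def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy) if vx and vy else 0.0


def dpa_recover_key_byte(plaintexts, samples):
    """Rank all 256 key hypotheses by |correlation| between predicted HW and measured samples.

    Only the correct hypothesis predicts the intermediate the chip actually computed,
    so only it correlates strongly; wrong guesses stay near zero.
    """
    scores = []
    for guess in range(256):
        predicted = [hamming_weight(SBOX[pt ^ guess]) for pt in plaintexts]
        scores.append(abs(pearson(predicted, samples)))
    best = max(range(256), key=lambda g: scores[g])
    return best, scores


if __name__ == "__main__":
    secret = 0x2B
    pts, trace = simulate_traces(secret, n=1500, sigma=1.0)
    best, scores = dpa_recover_key_byte(pts, trace)
    ranked = sorted(range(256), key=lambda g: -scores[g])
    print(f"recovered 0x{best:02x} (secret 0x{secret:02x}), "
          f"score {scores[best]:.3f}, runner-up 0x{ranked[1]:02x} {scores[ranked[1]]:.3f}")
```

The same ranking step runs once per key byte on a real AES implementation, with the sample index chosen as the point in the trace where the S-box output is handled; the defences the slides list (DPA-resistant chips) work by breaking the link between the predicted intermediate and the measured sample, for example by masking the intermediate or randomising when it is computed.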







#### Internal attacks

Access chip wires with micro-probe needles





#### Internal attack

Modify the chip with a Focused Ion Beam:

- access wires in lower layers
- cut wires in lower layers







#### Perturbation

#### Light attack

- Transistors are susceptible to light
- Illuminating the die changes instruction processing





#### Example of security levels

Chip must have protection against (each item graded at Level 1, Level 2 or Level 3):

1. Attack on surface
2. Reverse engineering of design
3. Memory data read
4. Access to buses
5. Physical modification
6. Information extraction



#### Security levels abandoned

Reasons for abandoning the leveled model:

- Difficult to fit non-physical attacks into it:
  - perturbation
  - side channel attacks
- Modern chips have protection at all levels

The criterion is instead the work effort required for a successful attack.



## Multichip standalone crypto modules

Payment terminal or Host Security Module





#### Architecture model

#### Possible attacks:

- Physical penetration
- Misuse of maintenance covers
- Environmental attacks
- Misuse of device
- Side channel
  - EMA
  - SPA, DPA
  - noise
  - cross talk
- Perturbation
  - temperature
  - radiation
  - voltage





#### Example security requirements

- Secure enclosure
  - tamper evidence
  - tamper resistance
  - tamper response
- Secure area, e.g. potting
- Switches
- Unique enclosure
- Environmental protection





# Adequacy of requirements

Requirement for potting versus the effectiveness of the potting as applied





### Adequacy of requirement

Requirement for protection against penetration of the enclosure, preventing holes larger than ... .





# Adequate security requirements

Light sensor
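The secure-enclosure requirements (tamper evidence, tamper resistance, tamper response, switches, environmental protection) and the light sensor slide say what the enclosure must provide, not how a tamper-responsive design behaves once a sensor fires. The model below is an added example, not part of the original presentation: sensor readings are checked against limits, any violation latches an alarm, zeroizes the key material and appends to an append-only tamper log, and returning the readings to normal afterwards does not restore the keys. The thresholds, sensor set and class names are assumptions made for the illustration; tamper resistance itself is a mechanical property that a software model cannot show.

```python
"""Tamper-responsive secure area: sensors -> latching alarm -> key zeroization (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Limits:
    """Illustrative thresholds (assumed); real values come from the module's design."""
    light_max: int = 50        # ADC counts: a closed, potted enclosure stays dark
    temp_min_c: float = -25.0  # outside the band: environmental / perturbation attack
    temp_max_c: float = 70.0
    vcc_min: float = 4.5       # supply outside the band suggests a voltage glitch
    vcc_max: float = 5.5


@dataclass(frozen=True)
class Reading:
    cover_closed: bool   # maintenance-cover switch
    light: int           # light sensor inside the secure area
    temp_c: float
    vcc: float


class SecureArea:
    def __init__(self, key: bytes, limits: Optional[Limits] = None):
        self._key = bytearray(key)
        self._limits = limits or Limits()
        self._tampered = False
        self.tamper_log: List[str] = []   # tamper evidence: the module never clears it

    def check(self, r: Reading) -> List[str]:
        """Evaluate one set of sensor readings; respond to every violation found."""
        lim = self._limits
        reasons = []
        if not r.cover_closed:
            reasons.append("cover switch open")
        if r.light > lim.light_max:
            reasons.append(f"light {r.light} > {lim.light_max}")
        if not lim.temp_min_c <= r.temp_c <= lim.temp_max_c:
            reasons.append(f"temperature {r.temp_c} out of range")
        if not lim.vcc_min <= r.vcc <= lim.vcc_max:
            reasons.append(f"supply {r.vcc} V out of range")
        if reasons:
            self._respond(reasons)
        return reasons

    def _respond(self, reasons: List[str]) -> None:
        """Tamper response: overwrite key material and latch; evidence goes to the log."""
        for i in range(len(self._key)):
            self._key[i] = 0
        self._tampered = True
        self.tamper_log.extend(reasons)

    def key_available(self) -> bool:
        return not self._tampered

    def use_key(self) -> bytes:
        if self._tampered:
            raise PermissionError("tamper detected: keys zeroized; see tamper_log")
        return bytes(self._key)


def demo():
    """Cover switch bypassed, light sensor still catches the opened enclosure."""
    area = SecureArea(b"\x11" * 16)
    normal = Reading(cover_closed=True, light=3, temp_c=25.0, vcc=5.0)
    area.check(normal)
    before = area.use_key()
    opened = Reading(cover_closed=True, light=800, temp_c=25.0, vcc=5.0)
    reasons = area.check(opened)
    area.check(normal)            # enclosure closed again: alarm stays latched
    try:
        area.use_key()
        after = "still available"
    except PermissionError:
        after = "zeroized"
    return before, reasons, after, list(area.tamper_log)


if __name__ == "__main__":
    print(demo())
```

The point the slides make about adequacy carries over: a requirement phrased as "has a cover switch" is met by the first reading in `demo()`, while the test goal "opening the enclosure must not expose the key" is only met because a second, independent sensor feeds the same latching response.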





#### Problems

- Terminals get internet connections; the reference model is incomplete for these options
- A manufacturer has a solution that avoids the need for potting; the product is very good but there are problems getting it accepted
- Integration of keyboard and display in a touchscreen; the reference model is no longer applicable, which presents problems on what and how to test
- Open-platform PDAs provide opportunities but also threats to the uniqueness of enclosures



#### Conflicting interests

- Manufacturers tend to design towards the requirements to minimise costs:
  - clear requirements on what and how to test
- End users want protection against threats:
  - security is a moving target
- Labs are asked to evaluate security?
  - validate implemented measures
  - evaluate effectiveness?
  - how far to go?



## Approaches in security requirements

How to get the best of two extremes?

| High level | Technical level |
|------------|-----------------|
| Facilitates innovation | Limited life because the model of technology and design becomes inadequate |
| | May hamper innovation |
| | Consistency in testing |

### Suggestions

- Do not make requirements restrictive
- Address the test goal
- Give some freedom to the lab?

