Low cost attacks on tamper resistant devices
There has been considerable recent interest in the level of tamper resistance that can be provided by low cost devices such as smart-cards. It is known that such devices can be reverse engineered using chip testing equipment, but a state of the art semiconductor laboratory costs millions of dollars. In this paper, we describe a number of attacks that can be mounted by opponents with much shallower pockets.
Three of them involve special (but low cost equipment: differential fault analysis, chip rewriting, and memory remanence. There are also attacks based on good old fashioned protocol failure which may not require any special equipment at all. We describe and give examples of each of these. Some of our attacks are significant improvements on the state of the art; others are useful cautionary tales. Together, they show that building tamper resistant devices, and using them effectively, is much harder than it looks.
Unable to display preview. Download preview PDF.
- 1.DG Abraham. GM Dolan, GP Double, JV Stevens, “Transaction Security System”, in IBM Systems Journal v 30 no 2 (1991) pp 206–229Google Scholar
- 2.RJ Anderson, MG Kuhn, “Tamper Resistance-a Cautionary Note”, in The Second USENIX Workshop on Electronic Commerce Proceedings (Nov 1996) pp 1–11Google Scholar
- 3.RJ Anderson, BM Needham, “Programming Satan's Computer”, in ‘Computer Science Today', Springer Lecture Notes in Computer Science v 1000 pp 426–441Google Scholar
- 4.RJ Anderson, “Why Cryptosystems Fail”, in Proceedings of the 1st ACM Conference on Computer and Communications Security (November 1993) pp 215–227Google Scholar
- 5.E Biham, A Shamir, “A New Cryptanalytic Attack on DES”, preprint, 18/10/96Google Scholar
- 6.E Biham, A Shamir, “Differential Fault Analysis: Identifying the Structure of Unknown Ciphers Sealed in Tamper-Proof Devices”, preprint, 10/11/96Google Scholar
- 7.E Biham, A Shamir, “Differential Fault Analysis: A New Cryptanalytic Attack on Secret Key Cryptosystems”, preprint, 21/11/96Google Scholar
- 8.M Blaze, personal communication Google Scholar
- 9.M Blaze, “Protocol Failure in the Escrowed Encryption Standard”, in Proceedings of the 2nd ACM Conference on Computer and Communications Security (2-4 November 1994), ACM Press, pp 59-67Google Scholar
- 10.F Bao, RH Deng, Y Han, A Jeng, AD Nirasimhalu, T Ngair, “Breaking Public Key Cryptosystems in the Presence of Transient Faults”, this volume Google Scholar
- 11.D Boneh, RA DeMillo, RJ Lipton, “On the Importance of Checking Computations”, preprint, 11/96Google Scholar
- 12.E Bovenlander, invited talk. on smartcard security, Eurocrypt 97Google Scholar
- 13.P Farrell, personal communication Google Scholar
- 14.L Guillou, comment from the floor of Crypto 96 Google Scholar
- 15.P Gutman, “Secure Deletion of Data from Magnetic and Solid-State Memory”, in Sixth USENIX Security Symposium Proceedings (July 1996) pp 77–89Google Scholar
- 16.M. Joye, F Koeune, JJ Quisquater, “Further results on Chinese remaindering”, Université Catholique de Louvain Technical Report. CC,-7.997-1, available at http://www.dice. ucl.ac.be/Crypto/tech reports/CG1997_l.ps.gzGoogle Scholar
- 17.O Kocar, “Hardwaresicherheit von Mikrochips in Chipkarten”, in Datenschutz and Datensicherheit v 20 no 7 (July 96) pp 421–424Google Scholar
- 18.C Mitchell, S Murphy, F Piper, P Wild, “Red Pike-An Assessment”, Codes and Ciphers Ltd 2/10/96Google Scholar
- 19.RL Rivest, “The RC5 Encryption Algorithm”, in Proceedings of the Second International Workshop on Fast Software Encryption (December 1994), Springer LNCS v 1008 pp 86-96Google Scholar
- 20.'VISA Security Module Operations Manual', VISA, 1986Google Scholar