Protecting contactless microcontrollers from physical breaches - Embedded.com


Smart-card security controllers are constantly exposed to numerous hacker attacks. Contactless high-security chips are thus equipped with the newest countermeasures, which have to withstand the most extensive tests.

The market distinguishes between “pure” RFID chips, standard MCUs and security controllers. Pure RFID chips are used mainly for object identification and do not contain an MCU. Both functionality and security are limited to an extent that is reasonable for the intended applications.

In contrast, contactless applications that demand privacy and data protection require much higher security levels. Security MCUs can be applied to meet these stringent requirements. Concerns have emerged over the use of chip technology in identification documents.

A chip used in contactless applications like electronic ID cards or passports must be designed to protect the stored data against any illegal tampering. Some ID systems also carry out “authentication” functions, which enable a reader terminal to check the integrity and authenticity of the ID card or passport and vice versa.

The process thus involves “mutual authentication.” For both of these options, the security controller chips carry an individual secret key, which is used for the check operation. Overall, a chipmaker has to set up effective, tested and certified countermeasures against manifold threats.

The varieties of physical threat
Disturbing the functionality of a smart card has evolved into an art form today. Thus, “fault-induction attacks,” also called semi-invasive attacks, have become a major focus for both evaluation and certification of security controllers.

Smart-card controllers are usually made of silicon wafers. The electrical behavior of silicon, in turn, may differ upon exposure to various environmental parameters. For example, the electrical properties of silicon may react to different voltages, temperatures, light, ionizing radiation and also to the influence of electrical and magnetic fields.

By changing these environmental parameters, an attacker may try to induce faulty behavior, including errors in the program flow of the smart-card controller. Usually, an attacker would try to force a chip to make a wrong decision, allowing access to the stored data.

The so-called “memory dump” evolved as a variant of fault attacks. Instead of giving out only its non-secret identification data, the security controller would, after a fault-induction attack, output much more data, including parts of the software, secret data or even stored keys. In contrast, using the “DFA” (differential fault attack), in some cases one single faulty computation is sufficient for an attacker to extract the complete secret key by using a sophisticated mathematical algorithm.
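One software-side measure against the DFA case just described is to re-verify every private-key computation with the public key before any result leaves the chip, so that a single faulty signature is never output. The following C program is an added example written for this article, not Infineon's code. It uses a constructed textbook-sized RSA key (p=61, q=53, e=17, d=2753) so that all arithmetic fits in 64-bit integers, and it simulates a fault by XOR-ing a mask into one of the two CRT half-computations; the `fault_mask` parameter and the function names are assumptions of this example.

```c
/* Verify-before-output check against single-fault attacks on RSA-CRT signing.
 * Added example for this article; not Infineon's code. Toy-sized key
 * (constructed) so that every intermediate product fits in uint64_t. */
#include <stdint.h>
#include <stdio.h>

/* Constructed toy key: textbook values p=61, q=53, e=17, d=2753. */
#define RSA_P 61ULL
#define RSA_Q 53ULL
#define RSA_N (RSA_P * RSA_Q)   /* 3233 */
#define RSA_E 17ULL
#define RSA_D 2753ULL

/* Square-and-multiply; operands stay below 2^16 so b*b fits in 64 bits. */
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    b %= m;
    while (e) {
        if (e & 1) r = (r * b) % m;
        b = (b * b) % m;
        e >>= 1;
    }
    return r;
}

/* Garner recombination of the half-signatures sp = m^dp mod p, sq = m^dq mod q. */
static uint64_t crt_combine(uint64_t sp, uint64_t sq)
{
    uint64_t qinv = powmod(RSA_Q, RSA_P - 2, RSA_P);   /* q^-1 mod p, p prime */
    uint64_t h = ((sp + RSA_P - (sq % RSA_P)) % RSA_P) * qinv % RSA_P;
    return sq + RSA_Q * h;
}

/* The two half-computations. fault_mask != 0 simulates a glitch hitting the
 * mod-q branch (XOR-ed into its result); 0 is the undisturbed computation. */
static void crt_halves(uint64_t m, uint64_t fault_mask, uint64_t *sp, uint64_t *sq)
{
    *sp = powmod(m, RSA_D % (RSA_P - 1), RSA_P);
    *sq = powmod(m, RSA_D % (RSA_Q - 1), RSA_Q) ^ fault_mask;
}

/* Without the countermeasure: whatever was computed leaves the chip. */
uint64_t rsa_crt_sign_unchecked(uint64_t m, uint64_t fault_mask)
{
    uint64_t sp, sq;
    crt_halves(m, fault_mask, &sp, &sq);
    return crt_combine(sp, sq) % RSA_N;
}

/* With the countermeasure: the signature is re-verified with the public
 * exponent and only output when it is consistent with the input. Returns 1
 * and writes *sig on success, 0 (nothing output) when a fault is detected. */
int rsa_crt_sign_checked(uint64_t m, uint64_t fault_mask, uint64_t *sig)
{
    uint64_t sp, sq, s;
    crt_halves(m, fault_mask, &sp, &sq);
    s = crt_combine(sp, sq) % RSA_N;
    if (powmod(s, RSA_E, RSA_N) != m)
        return 0;   /* inconsistent result: enter secure state, output nothing */
    *sig = s;
    return 1;
}

/* Convenience wrapper: the value that leaves the chip, or 0 when suppressed. */
uint64_t output_of_checked_sign(uint64_t m, uint64_t fault_mask)
{
    uint64_t s;
    return rsa_crt_sign_checked(m, fault_mask, &s) ? s : 0;
}

int main(void)
{
    printf("unchecked, no fault : %llu\n", (unsigned long long)rsa_crt_sign_unchecked(2790, 0));
    printf("unchecked, faulted  : %llu\n", (unsigned long long)rsa_crt_sign_unchecked(2790, 1));
    printf("checked, faulted    : %s\n",
           output_of_checked_sign(2790, 1) ? "signature output" : "suppressed");
    return 0;
}
```

The unchecked function shows what leaves a chip without the countermeasure: a value that differs from the correct signature and does not verify, which is exactly the single faulty computation the text says a DFA works from. On a real controller the re-verification runs on the same coprocessor and the "suppressed" branch enters the secure state; the example only returns a status code.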

There are various methods for inducing faults, including alteration of the power supply, electromagnetic induction, irradiation of the chip surface with visible light or with radioactive materials, and changes of temperature. Some of these methods can be performed using low-cost equipment.

There are countermeasures against such attacks, but only tests can show if these countermeasures are actually effective (Figure 1, below). As the performance of these countermeasures may vary by orders of magnitude, it is extremely important that the security level is checked by independent evaluation and certification.

Figure 1. There are countermeasures against attacks, but only tests can show if they are effective.

Chips that are currently used in national ID cards and electronic passports are subject to extensive security tests before their use is approved, but the standards for these security tests may vary for different ID systems used in various countries.

Concepts against fault-induction attacks must work from different viewpoints. The security concepts of Infineon chip card controllers are based on three lines of defense:

Preventing induction of faults;
Detecting fault-inducing conditions;
Measures against faulty behavior of the security controller.

Filtering the power supply and the input signals acts as the first barrier; fast-reacting stabilizers are used to block voltage transients within specific boundaries. Also, some anomalies concerning the clock supply are blocked.

If, for example, the security controller is attacked using very high voltage alterations that cannot be blocked just by the regulation system, sensors are implemented as a part of the second barrier.

If a sensor detects critical values for environmental parameters, an alarm is triggered to set the chip card to a secure state. Voltage sensors check the power supply, clock sensors look for frequency anomalies, and temperature and light sensors check for optical and temperature attacks. As optical attacks can also be performed through the chip's reverse side, the optical sensors are effective against irradiation on both surfaces.

The third barrier is built up from the design of the security controller core itself. Hardware countermeasures, in combination with software, are used to yield an effective third barrier. The combination of hardware and software is essential, as pure software countermeasures could be the target of fault attacks themselves.
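The second and third barriers work together: a sensor alarm forces the secure state, and the core's own logic must not let one disturbed instruction flip a security decision. The C code below is an added example for this article, not Infineon's design, of the software half of such a third barrier: a verdict encoded in constants with a large Hamming distance instead of 0/1, computed twice over differently coded paths, and cross-checked together with a sensor status word before anything is granted. The PIN bytes, the status word layout and the `glitch_mask` parameter (which XORs a simulated fault into one path) are constructed for the example.

```c
/* Fault-tolerant security decision: redundant verdicts plus sensor status.
 * Added example for this article; the constants, the sensor word layout and
 * the glitch simulation are constructed, not taken from any real product. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Verdict encodings: 0x3CA5 and 0xC35A differ in every bit, so no single
 * bit flip can turn one into the other. 0 means "enter secure state". */
enum { VERDICT_OK = 0x3CA5, VERDICT_FAIL = 0xC35A, SECURE_STATE = 0x0000 };

/* Constructed sensor status word: 0 = all sensors quiet, any set bit = alarm. */
#define SENSOR_QUIET 0x0000u

/* Path A: accumulate the XOR of all bytes, forward order. */
static uint16_t verdict_forward(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0 ? VERDICT_OK : VERDICT_FAIL;
}

/* Path B: differently coded, AND of complemented differences, reverse order,
 * so one glitch is unlikely to disturb both paths in the same way. */
static uint16_t verdict_reverse(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t same = 0xFF;
    for (size_t i = n; i-- > 0; ) same &= (uint8_t)~(a[i] ^ b[i]);
    return same == 0xFF ? VERDICT_OK : VERDICT_FAIL;
}

/* Final decision: any alarm, any disagreement, or any verdict that is not a
 * valid encoding sends the chip to the secure state instead of a guess. */
uint16_t decide(uint16_t va, uint16_t vb, uint16_t sensor_status)
{
    if (sensor_status != SENSOR_QUIET) return SECURE_STATE;
    if (va != vb) return SECURE_STATE;          /* redundancy mismatch */
    if (va == VERDICT_OK) return VERDICT_OK;
    if (va == VERDICT_FAIL) return VERDICT_FAIL;
    return SECURE_STATE;                        /* neither valid encoding */
}

/* Hardened check. glitch_mask simulates a fault hitting path A's result. */
uint16_t authenticate(const uint8_t *ref, const uint8_t *given, size_t n,
                      uint16_t sensor_status, uint16_t glitch_mask)
{
    uint16_t va = verdict_forward(ref, given, n) ^ glitch_mask;
    uint16_t vb = verdict_reverse(ref, given, n);
    return decide(va, vb, sensor_status);
}

/* Naive check for contrast: a plain 0/1 result, one bit flip away from "granted". */
int authenticate_naive(const uint8_t *ref, const uint8_t *given, size_t n, int glitch_mask)
{
    return (memcmp(ref, given, n) == 0) ^ glitch_mask;
}

/* Constructed sample data: a 4-byte reference PIN and a wrong attempt. */
static const uint8_t PIN_REF[4]   = { 1, 2, 3, 4 };
static const uint8_t PIN_WRONG[4] = { 1, 2, 3, 5 };

uint16_t demo_hardened(int correct_pin, uint16_t sensor_status, uint16_t glitch_mask)
{
    return authenticate(PIN_REF, correct_pin ? PIN_REF : PIN_WRONG, 4,
                        sensor_status, glitch_mask);
}

int demo_naive(int correct_pin, int glitch_mask)
{
    return authenticate_naive(PIN_REF, correct_pin ? PIN_REF : PIN_WRONG, 4, glitch_mask);
}
```

The naive version shows the problem: flipping one bit of a 0/1 verdict turns a failed PIN check into a granted one. The hardened `decide()` catches a fault on either path, but `decide()` is itself a handful of instructions that a glitch could skip, which is why the text insists on hardware support (filtering, sensors, redundant hardware checks) rather than software alone.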

Setting up defense
An attacker could also try to manipulate the circuits on a silicon chip in a more direct way, e.g. by connecting the signal lines on an MCU to the attacker's electronic equipment, subsequently reading out secret data transmitted on the lines or injecting his own data into the chip (Figure 2, below).

Figure 2: Probing needles reveal secret signals.

To counteract physical attacks, in the first instance it is important to use chip-internal encryption of the memories and bus systems, which means that the data stored on the chip itself is encrypted using a strong cryptographic algorithm, so that an attacker, even if he could get hold of such data, would only obtain useless information.

On the other hand, an active shield can be used to build an effective barrier against the attack itself. In this case, micrometer-fine protective lines cover the security controller. They are under constant supervision and initiate an alarm if one of these lines is short-circuited with another, cut or damaged. Using such multilevel countermeasures against physical attacks gives appropriate protection even against high-level attack equipment.

Side-channel methods are used by an attacker to gain information about secret data, and this is done by carefully observing the parameters under which a chip is operating.

In the case of power analysis, the attacker tries to extract this information from the power consumption or electromagnetic emanation, which can be higher or lower depending on the type of operation and the data processed inside a chip.

Using “timing attacks”, the duration of an operation is analyzed. Depending on the data which is processed or on the secret keys that are used, timing may vary, and this can be used for an effective attack.
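The timing dependence described above is easy to introduce with an ordinary early-exit comparison and easy to remove. The C code below, an added example for this article and not Infineon's code, instruments both a memcmp-style comparison and a constant-time one with a step counter so the data dependence becomes visible; the 16-byte reference value and the helper names are constructed for the example.

```c
/* Data-dependent vs. constant-time comparison of a secret value.
 * Added example for this article; reference bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_LEN 16
/* Constructed reference value standing in for a stored key or PIN. */
static const uint8_t REFERENCE[KEY_LEN] = {
    0x9f, 0x11, 0x4a, 0x77, 0x03, 0xe2, 0xb8, 0x5c,
    0xd1, 0x26, 0x9e, 0x40, 0x7b, 0x13, 0xf5, 0x68
};

/* Early-exit comparison, the way memcmp-style code is usually written.
 * Returns 1 if equal; *steps receives the number of bytes inspected, which
 * grows with the length of the prefix the guess has right. */
int compare_early_exit(const uint8_t *ref, const uint8_t *in, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (ref[i] != in[i]) return 0;
    }
    return 1;
}

/* Constant-time comparison: every byte is visited and no branch depends on
 * the data; the result is folded out of the accumulated difference. */
int compare_constant_time(const uint8_t *ref, const uint8_t *in, size_t n, size_t *steps)
{
    uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(ref[i] ^ in[i]);
    }
    /* diff == 0 -> (0 - 1) = 0xFFFF, bit 8 set -> 1; diff != 0 -> bit 8 clear -> 0 */
    return (int)(1 & ((uint16_t)(diff - 1) >> 8));
}

/* Builds a guess that matches the first `prefix` bytes and differs in every
 * byte after that (prefix == KEY_LEN gives the fully correct value). */
static void make_guess(uint8_t *guess, size_t prefix)
{
    memcpy(guess, REFERENCE, KEY_LEN);
    for (size_t i = prefix; i < KEY_LEN; i++) guess[i] ^= 0xFF;
}

/* Bytes inspected by the early-exit comparison for a guess with this prefix. */
size_t work_early_exit(size_t prefix)
{
    uint8_t g[KEY_LEN];
    size_t steps;
    make_guess(g, prefix);
    compare_early_exit(REFERENCE, g, KEY_LEN, &steps);
    return steps;
}

/* Bytes inspected by the constant-time comparison: always KEY_LEN. */
size_t work_constant_time(size_t prefix)
{
    uint8_t g[KEY_LEN];
    size_t steps;
    make_guess(g, prefix);
    compare_constant_time(REFERENCE, g, KEY_LEN, &steps);
    return steps;
}

/* Equality result of the constant-time comparison for a guess with this prefix. */
int equal_constant_time(size_t prefix)
{
    uint8_t g[KEY_LEN];
    size_t steps;
    make_guess(g, prefix);
    return compare_constant_time(REFERENCE, g, KEY_LEN, &steps);
}
```

In the early-exit variant the number of bytes inspected is one more than the length of the matching prefix, so the duration of the operation reveals how much of a guess is already correct; the constant-time variant inspects all bytes regardless and derives the result arithmetically. A real implementation additionally needs the compiler not to reintroduce the branch and the hardware not to leak the same information through power or emanation, which is where the hardware countermeasures discussed on this page come in.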

Research continues in the fields of both attack methodology and countermeasures. Looming attack scenarios have to be taken into account when designing new secure products that give efficient protection against future attacks.

Peter Laackmann is principal developer, and Marcus Janke is Senior Staff Specialist, Product Security, Infineon Technologies AG.
