From 821880961bcade62e918252c9b5daf607a4e583e Mon Sep 17 00:00:00 2001 From: jaseg Date: Mon, 27 May 2019 23:21:03 +0900 Subject: Add HSM basics and ideas post --- content/posts/hsm-basics/index.rst | 209 +++++++++++++++++++++ .../posts/hsm-basics/mori_semi_hsm_talk_web.pdf | Bin 0 -> 1075912 bytes 2 files changed, 209 insertions(+) create mode 100644 content/posts/hsm-basics/index.rst create mode 100644 content/posts/hsm-basics/mori_semi_hsm_talk_web.pdf diff --git a/content/posts/hsm-basics/index.rst b/content/posts/hsm-basics/index.rst new file mode 100644 index 0000000..99aedba --- /dev/null +++ b/content/posts/hsm-basics/index.rst @@ -0,0 +1,209 @@ +--- +title: "Hardware Security Module Basics" +date: 2019-05-17T15:29:20+08:00 +--- + +Hardware Security Modules and Security Research and Cryptography +================================================================ + +On May 17 2019 I gave a short presentation on the fundamentals of hardware security modules at the weekly seminar of +Prof. Mori's security research working group at Waseda University. The motivation for this was that outside of low-level +hardware security people and people working in the financial industry HSMs are not thought about that often. In +particular most network or systems security people would not consider them an option. Also it could turn out to be +really interesting to think about what could be done with an HSM in conjunction with modern cryptography (instead of +just plain old RSA-OAEP and AES-CBC). + +`Click here to download a PDF with the slides for this talk. `__ + +Ideas for research in HSMs +========================== + +Preparing for this talk brought me back to some research ideas I've been working on for a while now. Since I'm not sure +I'll find the time to properly research this topic, I thought it would be great to write down some rought outlines first +for future reference. + +The Problem with current HSM tech +--------------------------------- + +Currently, HSMs are only used in certain specific niche applications such as certificate authority key management and +financial transaction data handling. One key reason for this is that HSMs currently don't provide the affordances that +would be needed for them to be adopted more widely by the cryptographic and security engineering community. As far as I +can tell, the two core missing affordances are: + +1. To be more widely adopted, HSMs must become less expensive. Currently, they go for several tens of thousands of Euro, + which puts them outside most budgets. +2. To be more widely adopted, HSMs must provide the standardized programming interfaces familiar to cryptographic + developers. Currently, every HSM vendor has their own custom cryptographic API and a developer will have to train on + one specific vendor's tooling. Furthermore, any documentation of these internals is kept secret behind NDAs. This + constitutes a high barrier to entry, decreasing adoption in particular with young developers accustomed to + open-source ecosystems. + +Attacking cost of implementation +-------------------------------- + +The first issue can be addressed by simply creating a viable low-cost alternative. There is no fundamental technical +reason for the high cost of HSMs. This cost is instead due to manufacturers trying to recoup their expenses for R&D as +well as certification from the small volumes HSMs are sold in. + +Compared to system integration and certification the pure R&D cost of HSM defense mechanisms themselves is not too high +in an academic context it should be feasible to develop a sort of HSM blueprint that can then be cheaply produced by +anyone in need. Since the application areas outlined here are far from the core business areas of the clients of +established HSM vendors this would most likely not be a realistic threat to any established vendor's business and a +co-existence of both should not pose any problems in the short term. + +Benefits of an academic HSM standard +------------------------------------ + +Tackling the high cost of current HSM hardware with an open-source HSM blueprint would yield +several academic advantages beyond cost reduction. + +1. An open-source blueprint could serve as an academic reference design to evaluate and compare other HSM designs + against. For instance this would not only allow quantifying the effectiveness of academic security measures but also + allow an evaluation of commercial HSMs. +2. An open-source blueprint could stimulate academic research in this academically very quiet albeit commercially + important area. This research would ultimately benefit everyone employing HSMs by raising security standards in the + field. Since HSMs are never solely relied upon for overal system security both defensive and offensive security + research would yield these benefits. +3. An open-source blueprint would encourage new people to get into the field and both apply HSMs to practical problems + as well as improve HSMs themselves. Currently, this is highly discouraged due to the strictly proprietary nature of + all available systems. +4. Finally, developing an open-source HSM blueprint might yield new findings in adjacent academic areas due to the + hightly multi-disciplinary nature of security research in general and HSM design in particular. + +Scope of an academic HSM standard +--------------------------------- + +An academic HSM blueprint would need to be flexible so that researchers can adapt it to their particular problem. A +modular architecture would lend itself to this flexibility. Fundamentally, there would be three components to this +architecture. First, a **base** containing infrastructure such as the surveillance microcontroller, power supplies, +power supply filtering and hardware DPA countermeasures, and possibly a standardized mechanical and electrical +interface. + +Next to the base, a system integrator would put their *payload*. The nature of this payload is intentionally kept +unspecified, and it might be anything from a cryptographic microcontroller to a small embedded system such as a +raspberry pi single board computer. Keeping the *payload* open like this achieves two benefits: It gives the HSM +blueprint's user *their* familiar tooling and the hardware *they* need, allowing fast adoption. Someone well-versed in +e.g. Javascript could literally implement their cryptography in Javascript, run it on an off-the-shelf raspberry pi and +just apply the HSM blueprint around it. In addition, keeping the *payload* open reduces the scope of what needs to be +implemented. Building a general SDK on top of something like a bare ARM SoC such as a TI OMAP or a Freescale/NXP IMX +would be a considerable additional burden, on top of the actual HSM design. Keeping the *payload* open allows research +to concentrate on the actual point, the HSM design. + +The final and most important component would be a set of *security measures* that can be combined with the base to +form the final HSM. Each of these *security measures* would entail a detailed specification of its design, manufacture +and security properties. These *security measures* could be simple things like tamper switches or potting, but could +also be complex things like security meshes. + +Given these three components -- *base*, *payload* and *security measures* as detailed specifications any engineer should +be able to design and manufacture a HSM customized to their needs. Unifying these three components within the HSM +blueprint would be a set of reference designs. Each reference design would implement a particular parametrization of the +three architectural components with a physical hole cut out where the payload would go.. These reference designs would +for one serve to guide any implementer on the customization and integration of their own derivation from the blueprint. +In addition it would serve as an extremely simple, low-cost point of entry into the ecosystem. A curious researcher +could simply replicate the reference design and put their existing payload inside. Practically this might mean e.g. a +researcher having PCBs produced according to the design files for a reference design for a mesh-based HSM, producing +their own mesh, physically glueing a raspberry pi SBC into the middle of it, and potting the resulting system. Given the +ease of prototype PCB fabrication today this would realistically allow evaluation of HSM technologies on a budget that +is orders of magnitude less than the cost of current HSMs. + +Research ideas for tamper detection mechanisms +============================================== + +The core component of an HSM blueprint would be a suite of tamper detection mechanisms. Following are a few ideas on how +to improve on the current state of the art of membrane tamper switches plus temperature sensors plus PCB and printed +security meshes plus potting. + +Improvements on existing techniques +----------------------------------- + +Light sensors +~~~~~~~~~~~~~ +**Advanced analog sensing** +**Self-test functionality** + +Security meshes +~~~~~~~~~~~~~~~ +**Analog sensing** + + +DIY or small lab mesh production +-------------------------------- +**3D metal patterning techniques** refers to any technique for producing thin, patterned metal structures on a +three-dimensional plastic substrate. The basic process would consist of 3D-printing the polymer substrate, depositing a +thin metal layer on top and then patterning this metal layer. A good starting point here would be the recent work of +`Ben Kraznow`_ on this exact thing. + +**Copper filament methods** would be any method embedding copper wire from a spool in some resin or other matrix. This +could mean either of a systematic approach of carefully winding or folding the copper wire into patterns or a +non-systematic approach of simply stuffing a large tangle of copper wire into a small space. The main challenge with the +former would be to find a non-tedious way of production. The main challenge with the latter would be to find process +parameters that guarantee complete coverage of the HSM without holes or other areas of lower sensitivity to intrusions. +Both approaches would require careful consideration of the overall design including the polymer resin supporting +structure to ensure sensitivity against attacks since copper wire is mechanically much stronger than the micrometre-thin +metal coatings used in patterning techniques. + +Envelope measurement +-------------------- + +Finally, I think there is another set of currently under-utilized tamper-detection methods that would be very +interesting to explore. I am not aware of an academic term for these, so I am just going to dub them *envelope +measurement* here. + +The fundamental apporach of a mesh is to build a physical security envelope (the mesh) that physically detects when it +is disturbed (open or short circuits). This approach works well but has the disadvantage that these meshes are rather +complex to manufacture since effectively every part of them is acting as a sensing element. A conceptually more complex +but in practice potentially simpler approach might be to split the functions of security envelope and sensing element. +This would mean that in place of the mesh, some form of passive element such as metal foil forms the security envelope +which is then checked for tampering using a very sensitive sensor inside. This remote-sensing approach might simplify +the manufacture of the envelope itself and thus yield a design that is more easily customized. Following are a few ideas +on how to approach this envelope measurement problem. + +**Ultrasonic** If the HSM is potted, a few ultrasonic transducers could be added inside the potting. With several +transducers, any one could be used to transmit ultrasound while the others measure complex phase and energy of the +signal they receive. The circuitry for this could be made fairly simple if using a static transmit frequency or a low +chirp rate by using a homodyne receiver built around a comparator fed into some timers. This approach would likely +detect any mechanical attack and would also rule out chemical attacks involving liquids (though starting from which +amount of liquid depends on receiver sensitivity). The main disadvantages might be high power consumption and cost and +size of the ultrasonic transducers. Traditional cheap transducers made for air as a transmission medium are fairly large +and might not adequately couple into potting compound. If somehow one could convince a standard small piezo element to +do the same job that would be great as far as cost and size are concerned. A concern in some fringe use cases might be +suceptibility to ambient noise, though this could easily be reduced at the expense of space and heat dissipation +capacity by adding sound dampening on the outside. A likely attack vector against this approach might be using a laser +cutter to drill a hole through the potting compound, then inserting probes carefully chosen to not couple too much +to the potting compound ultrasonically. + +**Light** In either an unpotted HSM or one potted with a transparent (at some wavelengths) potting compound one could +embed LEDs and photodiodes in a similar setup to the ultrasonic setup described above. In contrast to the ultrasound, +the LEDs would literally have to light up the HSM's interior and shadows might be an issue since the HSM is likely some +flat rectangular shape. A possible solution to this would be to coat both the embedded payload and the lid with some +highly reflective paint such as some glossy silver paint or simple white paint. The basic approach might be as simple as +simply turning on several LEDs distributed throughout the HSM in turn and measuring amplitude at several photodetectors, +or as complex as doing a LIDAR-like phase measurement sweeping through a range of frequencies to determine not only +absorption but also phase/distance characteristics between emitter LED and detector photodiode. Using some high-gain TIA +along with a homodyne detector (lock-in amplifier) and changing emitter intensity, very precise measurements of both +absorption and phase might be possible, as might be measurements through almost opaque, diffuse potting compounds such +as a grey epoxide resin. The main disadvantages of this method would likely be the need to thoroughly light-proof the +entire HSM (likely by wrapping it in metal foil) and the potentially high cost of transmitter and receiver circuitry +(nice TIAs aren't cheap). To be effective against attacks using e.g. very fine drills and probes the system would likely +have to be very sensitive. + +**Radar** Finally, one could turn to standard radar techniques to fingerprint the inside of the HSM. The goal here would +be fingerprinting instead of mapping since only changes need to be detected. In this approach one could use homodyne +detection to improve sensitivity and reduce receiver complexity, and sweep frequencies similar to an FMCW radar (but +probably without exploiting the self-demodulation effect). Besides high cost, this approach has two disadvantages. +First, such a system would likely not go beyond 24GHz or maybe 40GHz due to component availability issues. Even at 40GHz +the wavelength in the potting compound would be in the order of magnitude of several millimeters. Fine intrusions using +some tool chosen to not interact too much with the EM field inside the HSM such as a heated ceramic needle or simply a +laser cutter might not be detectable using this approach. In any case, this system would certainly not be able to detect +small holes piercing the HSM enclosure. The HSM enclosure would have to be made into an RF shield, likely by using some +metal foil in it. + +Overall in the author's opinion these three techniques are most promising in order *Light*, *Ultrasonic*, *Radar*. Light +would prbably provide the best sensitivity at expense of some cost. Ultrasonic might be used in conjunction with light +to cover some additional angles since it is potentially very low-cost. Radar seems hard to engineer into a solution that +works reliably and also would likely be at least an order of magnitude more expensive than the other two technologies +while not providing better sensitivity. + +.. _`Ben Kraznow`: https://www.youtube.com/watch?v=Z228xymQYho +.. _affordances: https://en.wikipedia.org/wiki/Affordance + diff --git a/content/posts/hsm-basics/mori_semi_hsm_talk_web.pdf b/content/posts/hsm-basics/mori_semi_hsm_talk_web.pdf new file mode 100644 index 0000000..b8b7177 Binary files /dev/null and b/content/posts/hsm-basics/mori_semi_hsm_talk_web.pdf differ -- cgit