diff options
author | jaseg <git-bigdata-wsl-arch@jaseg.de> | 2020-12-02 14:59:25 +0100 |
---|---|---|
committer | jaseg <git-bigdata-wsl-arch@jaseg.de> | 2020-12-02 14:59:25 +0100 |
commit | 04ddee015bd37233cb06cda627bcf9c3df8226a9 (patch) | |
tree | 006491d0c47b1efd5f8be6efd647e333fb3f4bc8 | |
parent | 0e6fbeecf12d5176f0db75ad2752692b3c3a649d (diff) | |
download | ihsm-04ddee015bd37233cb06cda627bcf9c3df8226a9.tar.gz ihsm-04ddee015bd37233cb06cda627bcf9c3df8226a9.tar.bz2 ihsm-04ddee015bd37233cb06cda627bcf9c3df8226a9.zip |
Initial proofreading complete
-rw-r--r-- | doc/quick-tech-report/Makefile | 4 | ||||
-rw-r--r-- | doc/quick-tech-report/rotohsm.bib | 20 | ||||
-rw-r--r-- | doc/quick-tech-report/rotohsm_tech_report.bib | 0 | ||||
-rw-r--r-- | doc/quick-tech-report/rotohsm_tech_report.pdf | bin | 1194508 -> 1196066 bytes | |||
-rw-r--r-- | doc/quick-tech-report/rotohsm_tech_report.tex | 245 |
5 files changed, 145 insertions, 124 deletions
diff --git a/doc/quick-tech-report/Makefile b/doc/quick-tech-report/Makefile index 259f303..a2c5f12 100644 --- a/doc/quick-tech-report/Makefile +++ b/doc/quick-tech-report/Makefile @@ -14,7 +14,7 @@ VERSION_STRING := $(shell git describe --tags --long --dirty) all: ${main_tex}.pdf -%.pdf: %.tex %.bib version.tex +%.pdf: %.tex rotohsm.bib version.tex pdflatex -shell-escape $< biber $* pdflatex -shell-escape $< @@ -23,7 +23,7 @@ all: ${main_tex}.pdf preview: pdflatex -shell-escape ${main_tex}.tex -version.tex: ${main_tex}.tex ${main_tex}.bib +version.tex: ${main_tex}.tex rotohsm.bib echo "${VERSION_STRING}" > $@ resources/%.pdf: $(LAB_PATH)/%.ipynb diff --git a/doc/quick-tech-report/rotohsm.bib b/doc/quick-tech-report/rotohsm.bib index 17ee18a..0401c1e 100644 --- a/doc/quick-tech-report/rotohsm.bib +++ b/doc/quick-tech-report/rotohsm.bib @@ -1,3 +1,4 @@ +% Encoding: UTF-8
@comment{x-kbibtex-encoding=utf-8} @book{anderson2020, @@ -159,4 +160,21 @@ url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane}, year = {2013} } - +
+@Thesis{vrijaldenhoven2004,
+ author = {Serge Vrijaldenhoven},
+ date = {2004-10-01},
+ institution = {Technische Universiteit Eindhoven},
+ title = {Acoustical Physical Uncloneable Functions},
+ type = {mathesis},
+ url = {https://pure.tue.nl/ws/files/46971492/600055-1.pdf},
+}
+
+@Unpublished{dexter2015,
+ author = {Karsten Nohl and Fabian Bräunlein and dexter},
+ date = {2015-12-27},
+ title = {Shopshifting: The potential for payment system abuse},
+ url = {https://media.ccc.de/v/32c3-7368-shopshifting#t=2452},
+}
+
+@Comment{jabref-meta: databaseType:biblatex;}
diff --git a/doc/quick-tech-report/rotohsm_tech_report.bib b/doc/quick-tech-report/rotohsm_tech_report.bib deleted file mode 100644 index e69de29..0000000 --- a/doc/quick-tech-report/rotohsm_tech_report.bib +++ /dev/null diff --git a/doc/quick-tech-report/rotohsm_tech_report.pdf b/doc/quick-tech-report/rotohsm_tech_report.pdf Binary files differindex a7d2162..2c8995b 100644 --- a/doc/quick-tech-report/rotohsm_tech_report.pdf +++ b/doc/quick-tech-report/rotohsm_tech_report.pdf diff --git a/doc/quick-tech-report/rotohsm_tech_report.tex b/doc/quick-tech-report/rotohsm_tech_report.tex index bf51a87..f69301a 100644 --- a/doc/quick-tech-report/rotohsm_tech_report.tex +++ b/doc/quick-tech-report/rotohsm_tech_report.tex @@ -84,11 +84,12 @@ In this paper, we introduce a novel, highly effective countermeasure against phy security modules. Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by -rotating the security mesh or sensor at high speed--presenting a moving target to an attacker. Attempts to stop the -rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. +rotating the security mesh or sensor at high speed---thereby presenting a moving target to an attacker. Attempts to stop +the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to a HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet -offers a level of security that is comparable to even the best commercial offerings. +offers a level of security that is comparable to even the best commercial offerings. By building prototype hardware we +have demonstrated solutions to the concept's engineering challenges. \section{Introduction} @@ -100,36 +101,38 @@ Currently, servers and other computers are rarely physically secured as a whole. switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic -co-processors in form of smartcards or hardware security modules (HSMs). Smartcards and HSMs protect a physically small -volume of a single chip or circuit board, respectively. In lower-security applications\cite{heise2020t2jailbreak}, -smartcard-like trusted platform modules (TPMs) and other types of security platform controllers allow an administrator -to tie a whole computer's security to that of the small security chip inside\cite{frazelle2019,johnson2018}. +co-processors in form of smartcard-like trusted platform modules (TPMs) or hardware security modules (HSMs). Using a +limited amount of trust in components such as the CPU, the larger system's security can be reduced to that of its +physically secured TPM\cite{heise2020t2jailbreak,frazelle2019,johnson2018}. Being physcially small, physical security is +less of a challenge on the scale of a TPM. \subsection{Technical approaches to physical security} Shrinking things to the nanoscopic level to secure them against tampering is an engineering solution to problems that -cannot be solved (yet) with cryptographic security. The security of these chips rests on the assumption that their fine -structures are hard to reverse engineer and modify. As of now, this property holds and in the authors' opinion it will -likely be a reasonable assumption for some years to come. However, in essence this is a type of security by obscurity: -Obscurity here referring to the rarity of the equipment necessary to attack these chips\cite{albartus2020,anderson2020}. +cannot be solved (yet) with cryptographic security. The security of chips like smartcards and TPMs often rests on the +assumption that their fine structures are hard to reverse engineer and modify. As of now, this property holds and in the +authors' opinion it will likely be a reasonable assumption for some years to come. However, in essence this is a type +of security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack these +chips\cite{albartus2020,anderson2020}. \subsection{Hardware Security Modules} -Right now, Hardware security modules (HSMs) are the commercial devices offering the highest ``physical -security-to-volume-product''. Where smartcards secure a single chip, HSMs secure a small circuit board. In contrast to a -smartcard, the HSM actively deletes its secrets when it detects a manipulation. Commercial HSMs commonly employ what we -call \emph{boundary monitoring}. They have a physical security barrier that they continuously monitor for holes. -Usually, this barrier is a thin foil that is patterned with at least two electrical traces that are folded many times to -cover the entire area of the foil. The HSM monitors these traces for shorts or breaks. This simple construction -transforms the security problem into a manufacturing challenge\cite{isaacs2013,immler2019,anderson2020}. +Right now, Hardware security modules (HSMs) are the class of commercial devices offering the highest ``physical +security-to-volume-product''. Where smartcards physically secure a single chip, HSMs secure a small circuit board. In +contrast to a smartcard, in a tradeoff between security and convenience the HSM actively deletes its secrets when it +detects a manipulation. Commercial HSMs commonly employ what we call \emph{boundary monitoring}. They have a physical +security barrier that they continuously monitor for holes. Usually, this barrier is a thin foil that is patterned with +at least two meandering electrical traces that is folded in layers to cover the entire area of the foil. The HSM +monitors these traces for shorts or breaks. This simple construction transforms the security problem into a +manufacturing challenge\cite{isaacs2013,immler2019,anderson2020}. In our classification the other type of HSMs are \emph{volumetric} HSMs. They monitor their entire internal volume for -changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound. Their security is limited by -the analog sensitivity of their transceivers. Their practicality is limited by their complex transceiver and signal -processing circuitry. They promise to secure larger volumes than boundary monitoring at higher parts cost. A problem -with volumetric designs is their security analysis, which is hard to do without significant guesswork. In e.g.\ a -device that use electromagnetic radiation to monitor its volume, one has to numerically solve the electromagnetic field -equations inside the HSM to validate its impenetrability. +changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound\cite{vrijaldenhoven2004}. Their +security is limited by the analog sensitivity of their transceivers. Their practicality is limited by their complex +transceiver and signal processing circuitry. They promise to secure larger volumes than boundary monitoring at higher +parts cost. A problem with volumetric designs is their security analysis, which is hard to do without significant +guesswork. In e.g.\ a device that use electromagnetic radiation to monitor its volume, one might have to numerically +solve the electromagnetic field equations inside the HSM to validate its impenetrability. \subsection{Inertial HSMs: A new approach to physical security} @@ -154,9 +157,8 @@ accelerometer that it uses to verify that it is spinning at high speed. How woul would have to either slow down the rotation, triggering the accelerometer, or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become inhospitable to human life\footnote{See Appendix -\label{sec_minimum_angular_velocity}}. Non-contact electromagnetic or optical attacks that do not require mechanical -contact are more limited in the first place and can be shielded, so we have effectively forced the attacker to make an -attack robot. +\ref{sec_minimum_angular_velocity}}. Since non-contact electromagnetic or optical attacks are more limited in the first +place and can be shielded, we have effectively forced the attacker to use an attack robot. \subsection{Contributions} This work contains the following contributions: @@ -164,8 +166,8 @@ This work contains the following contributions: \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective small-scale production of highly secure HSMs. \item We discuss possible boundary sensing modes for inertial HSMs. - \item We explore the design space our inertial HSM concept. - \item We present a prototype of an inertial HSM. + \item We explore the design space of our inertial HSM concept. + \item We present our work on a prototype inertial HSM. % FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack. \end{enumerate} @@ -174,19 +176,19 @@ This work contains the following contributions: % beyond ultrasound. In \cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM 4758 HSM whose details are laid out in depth in \cite{smith1998}. This HSM is an example of an industry-standard -construction. Though it is now a bit dated, the construction techniques of the physical security mechanisms have not -evolved much in the last two decades. Apart from some auxiliary temperature and radiation sensors to guard against -attacks on the built-in SRAM memory, the module's main security barrier uses the traditional construction of a flexible -mesh wrapped around the module's core. In \cite{smith1998}, the authors claim the module monitors this mesh for short -circuits, open circuits and conductivity. The fundamental approach to tamper detection and construction is similar to -other commercial offerings\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. +construction. Though its turn of the century design is now a bit dated, the construction techniques of the physical +security mechanisms have not evolved much in the last two decades. Apart from some auxiliary temperature and radiation +sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional +construction of a flexible mesh wrapped around the module's core. In \cite{smith1998}, the authors state the module +monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and +construction is similar to other commercial offerings\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. In \cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to -traditional meshes, the mesh they use consists of a large number of individual traces (more than 32 in their example). +traditional meshes, the mesh they use consists of a large number of individual traces (more than 30 in their example). Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in -both covered area and component height, as well as the high cost of the advanced analog circuitry required for -monitoring. A core component of their design is that they propose its use as a PUF to allow for protection even when -powered off, similar to a smart card--but the design is not limited to this use. +covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A +core component of their design is that they propose its use as a PUF to allow for protection even when powered off, +similar to a smart card---but the design is not limited to this use. In \cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based around commodity Wifi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference @@ -196,7 +198,9 @@ the RF behavior of the cavity is inscrutable from the outside, and that even a s volume of the cavity will cause a significant change in its RF response. The core idea in \cite{tobisch2020} is to use commodity Wifi hardware to reduce the cost of the HSM's sensing circuitry. The resulting system is likely both much cheaper and capable of protecting a much larger security envelope than e.g. the design from \cite{immler2019}, at the -cost of worse and less predictable security guarantees. +cost of worse and less predictable security guarantees. Where \cite{tobisch2020} use electromagnetic radiation, +Vrijaldenhoven in \cite{vrijaldenhoven2004} uses ultrasound waves travelling on a surface acoustic wave (SAW) device to +a similar end. While \cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft and Adi \cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume barely larger than a @@ -209,7 +213,7 @@ Our concept is novel in that mechanical motion has not been proposed before as p academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs\cite{immler2019} while commercial vendors concentrate on means to cheaply manufacture and certify these security barriers\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance -security barrier and transforming it into a marginally more expensive but very high-performance one. The closes to a +security barrier and transforming it into a marginally more expensive but very high-performance one. The closest to a mechanical HSM that we were able to find during our research is an 1988 patent \cite{rahman1988} that describes an mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with pressurized gas. @@ -267,7 +271,7 @@ velocity. We conclude that even at moderate speeds above $\SI{500}{rpm}$, an att robot. In Appendix \ref{sec_degrees_of_freedom} we consider sensor configurations and we conclude that one three-axis accelerometer each in the rotor and in the stator are a good baseline configuration. Other configurations such as one using two two-axis accelerometers in the rotor are also possible. In general, the system will be more sensitive to -disturbances if we over-determine the system of equation determining its motion by using more sensors than necessary. +attacks if we over-determine the system of equations describing its motion by using more sensors than necessary. \subsection{Payload mounting mechanisms} @@ -275,8 +279,8 @@ The simplest way to mount a stationary payload in a spinning security mesh is to This allows the payload to be mounted on a fixed rod threaded through this hollow shaft along with wires for power and data. The stationary rod and cables on the axis of rotation inside the hollow shaft are a weak spot of the system, but this weak spot can be alleviated through either careful construction or a second layer of rotating meshes with a -different axis of rotation. Configurations that do not use a hollow-shaft motor are possible, but may require more -bearings to keep the stator from vibrating. +different axis of rotation. Configurations that do not use a hollow-shaft motor are possible, but may require +additional bearings to keep the stator from vibrating. \subsection{Spinning mesh power supply} @@ -285,21 +289,23 @@ There are several options to transfer power to the rotor from its stationary fra \begin{enumerate} \item Slip ring contacts are a poor candidate as they are limited in their maximum speed and lifetime, and as precision mechanical components are expensive. - \item Inductive power transfer as used in inductive charging systems can be used without modification. + \item Inductive power transfer as used in inductive charging systems can be used without modification if both coils + are mounted axially. \item A second brushless motor on the axis of rotation can be used as a generator, with its axis connected to the - fixed frame and its stator mounted and connected to the rotor. - \item A bright LED along with some small solar cells may be a practical approach for small amounts of + fixed frame and its stator mounted and connected to the rotor. Likewise, a custom-made drive motor that includes + some auxiliary rotor windings for power transfer in addition to the rotor's magnets would be possible. + \item A bright lamp along with some small solar cells may be a practical approach for small amounts of energy\footnote{See Appendix \ref{sec_energy_calculations} for a back-of-the-envelope calculation}. \item For a very low-power security mesh, a battery specified to last for the lifetime of the device may be practical\footnote{See Appendix \ref{sec_energy_calculations}}. \end{enumerate} -% FIXME not prototype implementation here +In our prototype, we settled on a solar cell-based solution for its simplicity. \subsection{Payload cooling} In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air duct or heat pipe would have -to penetrate the HSM's security boundary. This problem can be solve by complex and costly siphon-style constructions, +to penetrate the HSM's security boundary. This problem can be solved with complex and costly siphon-style constructions, but in commercial systems heat conduction is used exclusively\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. In our spinning HSM concept, the spinning mesh can have longitudindal gaps in the mesh without impeding its function. This allows air to pass through the mesh during rotation, @@ -308,35 +314,43 @@ of the payload and unlocks much more powerful processing capabilities. \subsection{Spinning mesh data communication} -As for power, slip rings are the obvious choice to couple data signals through the rotating joint. Like for power, for -data, too they are too expensive for our application. +As for power, slip rings are the obvious choice to couple data signals through the rotating joint. Like for power, ones +that match our reliability and speed constraints are expensive. -In our design with a stationary payload where only the security mesh and sensors are spinning, only occassional status -reports and a high-frequency alarm trigger heartbeat signal have to pass from rotor to stator. For this, a simple -optocoupler close to the axis of rotation is a good solution. +Our design has a stationary payload and only the security mesh and sensors are spinning. The rotor only needs to send +occassional status reports and a high-frequency alarm trigger heartbeat signal to the stator. For +this, a simple optocoupler close to the axis of rotation is a good solution that we implemented in our prototype. \section{Attacks} \subsection{Attacks on the mesh} -There are two locations where one can attack a tamper-detection mesh. Either, the mesh itself can be tampered with. This -includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring circuit -itself, to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its contents. Attacks in both -locations are electronic attacks, i.e. they require electrical contact to parts of the circuit. Traditionally, this -contact is made by soldering, or by placing a probe such as a thin needle. Any kind of electrical contact that does not -involve an electron or ion beam or a liquid requires mechanical contact. We consider none of these forms feasible to be -performed on an object spinning at high speed without a complex setup that rotates along with the object. Thus, we -consider them to be practically infeasible outside of a well-funded, special-purpose laboratory. +There are two locations where one can attack a tamper-detection mesh. On one hand, the mesh itself can be tampered with. +This includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring +circuit itself, to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its +contents\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e. they require electrical contact to +parts of the circuit. Traditionally, this contact is made by soldering or by placing a probe such as a thin needle. We +consider this contact infeasible to be performed on an object spinning at high speed without a complex setup that +rotates along with the object or that involves ion beams, electron beams or liquids. Thus, we consider them to be +practically infeasible outside of a well-funded, special-purpose laboratory. \subsection{Attacks on the alarm circuitry} An electronic attack could also target the alarm circuitry inside the stationary payload, or the communication link between rotor and payload. The link can easily be proofed by using a cryptographically secured protocol along with a high-frequency heartbeat message. The alarm circuitry has to be designed such that it is entirely contained within the -HSM's security envelope and has to tolerate environmental attacks such as through temperature, ionizing radiation, +HSM's security envelope and has to tolerate environmental attacks such as ones using temperature, ionizing radiation, lasers, supply voltage variations, ultrasound or other vibration and gases or liquids. The easiest way to proof an alarm system against these is to employ adequate filtering of the incoming power supply and use sensors for the others, triggering an alarm in case extraordinary environmental variations are detected. +If the alarm link between rotor and stator uses a spoofable interface such as an optical link, this link must be +bidirectional to allow the alarm signal receiver to verify link latency. In a purely unidirectional spoofable link, an +attacker could record the authenticated "no alarm" signal from the transmitter while simultaneously replaying it just +slightly slower (say at $\SI{99}{\percent}$ speed) to the receiver. The receiver would not be able to distinguish +between this attack and ordinary deviations in the transmitter's local clock frequency. However, the attacker can at any +point simply stop the rotor and replay the leftover recorded "no alarm" signal. Given the frequency stability of +commercial crystals, this would allow for an attack duration of several seconds per hour of recording time. + \subsection{Fast and violent attacks} A variation of the above attacks on the alarm circuitry would be an attack that @@ -349,27 +363,22 @@ or active-low alarm signal cannot be considered fail-safe in this scenario. An attacker may try to stop the rotor before tampering with the mesh. To succeed, they would need to fool the rotor's MEMS accelerometer. An electronic attack on the sensor or the monitoring microcontroller would be no easier than -directly bridging the mesh traces and would not make sense. Physical attacks on the accelerometer are -possible\cite{trippel2017}, but in the authors' estimate are too hard to control to be practically useful. - -A possible attack scenario would be to instantly stop the spinning motion and accelerate the HSM linearly such that the -linear acceleration as measured equals the previous centrifugal acceleration. Since commercial accelerometers are very -precise we do not consider this type of attack feasible. +directly bridging the mesh traces. Physical attacks on the accelerometer are possible\cite{trippel2017}, but in the +authors' estimate are too hard to control to be practically useful. A last type of attack might be to try to physically tamper with the accelerometer's sensing mechanism. MEMS -accelerometers usually use a simple cantilever design, where a proof mass moves a cantilever whose precise position can -be measured electronically. A possible way to attack such a device might be to first decapsulate it using laser ablation +accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position can be +measured electronically. A possible way to attack such a device might be to first decapsulate it using laser ablation synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the -moving MEMS parts in either liquid or gaseous form, locking them in place after hardening. This attack would require -direct access to the accelerometer from the outside and can be prevented by mounting the accelerometer inside the -security envelope. This attack only works if the rate of rotation and thus the accelerometer's readings are constant. -If the rate of rotation is set to change on a schedule, it is trivially detectable. +moving MEMS parts, locking them in place. This attack would require direct access to the accelerometer from the outside +and can be prevented by mounting the accelerometer in a shielded place inside the security envelope. This attack can +only work if the rate of rotation and thus the accelerometer's readings are constant. If the rate of rotation is set to +change on a schedule, it is trivially detectable. -% FIXME Appendix \ref{sec_degrees_of_freedom} +In Appendix \ref{sec_degrees_of_freedom} we outline the constraints on sensor placement. \section{Prototype implementation} -%FIXME To validate our theoretical design, we have implemented a prototype rotary HSM. The main engineering challenges we solved in our prototype are: \begin{enumerate} @@ -384,10 +393,10 @@ solved in our prototype are: We sized our prototype to have space for one or two full-size Raspberry Pi boards. Each one of these boards is already more powerful than an ordinary HSM, but they are small enough to simplify our prototype's design. For low-cost prototyping we designed our prototype to use printed circuit boards as its main structural material. The interlocking -parts were designed in FreeCAD mechanical CAD as shown in Figure \ref{proto_3d_design}. The mechanical designs were -exported to KiCAD for electrical design before being sent to a commercial PCB manufacturer. Rotor and stator are built -from interlocking, soldered PCBs. The components are mounted to a $\SI{6}{\milli\meter}$ brass tube using FDM 3D printed -flanges. The rotor is driven by a small hobby quadcopter motor. +parts were designed in FreeCAD as shown in Figure \ref{proto_3d_design}. The mechanical designs were exported to KiCAD +for electrical design before being sent to a commercial PCB manufacturer. Rotor and stator are built from interlocking, +soldered PCBs. The components are mounted to a $\SI{6}{\milli\meter}$ brass tube using FDM 3D printed flanges. The rotor +is driven by a small hobby quadcopter motor. Security is provided by a PCB security mesh enveloping the entire system and extending to within a few millimeters of the shaft. For security it is not necessary to cover the entire circumference of the module with mesh, so we opted to @@ -478,8 +487,9 @@ variations in solar cell illumination directly couple into the microcontroller's with regular residential LED light bulbs, but those turned out to have too much flicker and lead to our microcontroller frequently rebooting. Trials using an incandecent light produced a stable supply, but the large amount of infrared light emitted by the incandecent light bulb severely disturbed our near-infrared communication link. As a consequence of -this, we settled on a small LED light made for photography applications that provdided us with mostly flicker-free -light, leading to a sufficiently stable microcontroller VCC rail without any disturbance to the IR link. +this, we settled on a small LED light intended for use as a studio light that provdided us with almost flicker-free +light at lower frequencies, leading to a sufficiently stable microcontroller VCC rail without any disturbance to the IR +link. \subsection{Evaluation} @@ -501,36 +511,30 @@ larger-scale implementation of the inertial HSM concept practical. \section{Future Work} -\paragraph{Other modes of movement} -We decided to build a spinning HSM because it is the easiest option. Still, other modes of movement are also promising. -Particularly an oscillating HSM may be easier to construct at the expense of security. In it, power and data transfer to -the moving part could simply be done with cables. - -\paragraph{Multiple axes of rotation} -The baseline single-axis spining HSM we propose has a weak spot at its shaft. This weak spot can be alleviated using a -gyroscoping mount, allowing the HSM to continuously change its axis of rotation. - -\paragraph{Other sensing modes} -Beyond traditional security meshes, other sensing modes might be interesting in our unique setting. One possible option -without any moving electronics would be to print the inside of the rotor with a pattern, then have a linear CCD look at -the rotor. The CCD would see the printed pattern passing by at high speed, and one could compare its measurement -against a model of the rotor to check both speed of rotation and rotor integrity at once. - -\paragraph{Longevity} -A core issue with a mechanical HSM is component longevity. Save for dust and debris clogging up the HSM's mechanics, -the primary failure point are the bearings. Industrial ducted fans such as servers fans may be a good source for -inspiration. - -\paragraph{Transportation of an active device} -A rotating mass responds to torque that is not co-linear with its axis of rotation with a gyroscopic precession force. -In practice, this means that moving a device containing a spun-up rotating HSM on its inside might induce significant -forces on both the HSM (and cause false alarms) and on the carrier of the device (making handling challenging). A -real-world deployment would have to take this into account, especially if the finished device is to be shipped by post -or courier services after spin-up. +\subsection{Design space exploration} + +There are several aspects of intertial HSM design that we wish to explore in future work. + +\paragraph{Other modes of movement} An oscillating iHSM might enable power and data transfer to the moving part using +cables. + +\paragraph{Multiple axes of rotation} The weak spot of our prototype design at the stationary shaft can be alleviated +using gyroscope mechanics. + +\paragraph{Other sensing modes} By printing the inside of the rotor with a pattern that is observed by a linear CCD a +completely passive rotor may be possible. + +\paragraph{Bearing longevity} + +\paragraph{Handling of gyroscopic precession forces during shipping} + +\subsection{Penetration testing} +We intend to refine our prototype design to production quality. As part of this, we wish to try out a range of attacks +on our prototype. \section{Conclusion} -In this paper, we have presented inertial hardware security modules, a novel concept for the construction of highly -secure hardware security modules from inexpensive, commonly available parts. We have elaborated the engineering +In this paper, we have presented inertial hardware security modules (iHSMs), a novel concept for the construction of +highly secure hardware security modules from inexpensive, commonly available parts. We have elaborated the engineering considerations underlying a practical implementation of this concept. We have implemented a prototype demonstrating practical solutions to the significant engineering challenges of this concept. We have analyzed the concept for its security properties and highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We @@ -541,7 +545,7 @@ have laid out some ideas for future research on the concept. \subsection{Spinning mesh energy calculations} \label{sec_energy_calculations} Assume that the spinning mesh sensor should send its tamper status to the static monitoring circuit at least once every -$T_\text{tx} = \SI{10}{\milli\second}$. At $\SI{100}{\kilo\baud}$ a transmission of a single byte in standard UART +$T_\text{tx} = \SI{10}{\milli\second}$. At $\SI{100}{\kilo\baud}$ a transmission of a one-byte message in standard UART framing would take $\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of $\SI{100}{\micro\ampere}$. Reserving another $\SI{100}{\micro\ampere}$ for the monitoring circuit itself we arrive at an @@ -568,12 +572,12 @@ converter boosing the solar cell's $\SI{0.6}{\volt}$ working voltage to the moni An attacker might try to rotate along with the HSM to attack the security mesh without triggering the accelerometer. Let us pessimistically assume that the attacker has the axis of rotation running through their center of mass. The -attacker's body is probably at least $\SI{200}{\milli\meter}$ wide along its shortest back-to-chest axis, resulting in a -minimum radius from axis of rotation to surface of about $\SI{100}{\milli\meter}$. We choose -$\SI{250}{\meter\per\second^2}$ as an arbitrary acceleration well past the range tolerable by humans according to -Wikipedia. Centrifugal acceleration is $a=\omega^2 r$. In our example this results in a minimum angular velocity of -$\omega_\text{min} = \sqrt{\frac{a}{r}} = \sqrt{\frac{\SI{250}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} \approx -16\frac{\pi}{\si{\second}} \approx 500 \text{rpm}$. +attacker's body is probably at least $\SI{200}{\milli\meter}$ wide along its shortest axis, resulting in a minimum +radius from axis of rotation to surface of about $\SI{100}{\milli\meter}$. We choose $\SI{250}{\meter\per\second^2}$ as +an arbitrary acceleration well past the range tolerable by humans according to Wikipedia. Centrifugal acceleration is +$a=\omega^2 r$. In our example this results in a minimum angular velocity of $\omega_\text{min} = \sqrt{\frac{a}{r}} = +\sqrt{\frac{\SI{250}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} \approx 8\cdot 2\pi\frac{1}{\si{\second}} \approx 500 +\text{rpm}$. \subsection{Fooling the accelerometer} \label{sec_degrees_of_freedom} @@ -611,9 +615,8 @@ be a good baseline configuration. \subsection{Patents and licensing} During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not -find any mentions of similar concepts either in academic literature or in patents. Thus, we deem ourselves to be the -inventors of this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in -time. +find any mentions of similar concepts either in academic literature or in patents. Thus, we are likely the inventors of +this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time. Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are already commercially available, we have decided against applying for a patent and we wish to make it available to the |