author | jaseg <git@jaseg.de> | 2021-07-07 17:26:50 +0200 |
---|---|---|
committer | jaseg <git@jaseg.de> | 2021-07-07 17:26:50 +0200 |
commit | ab8b56fa00d320d107fbd50029063d2e680aa0ff (patch) | |
tree | 5fd830847b3e90c7d1aaf28ebc365eb87310a55b | |
parent | 63040fbadebd0929a71688523978debcce7baa49 (diff) | |
major review work
-rw-r--r-- | paper/ihsm.bib | 416 | ||||
-rw-r--r-- | paper/ihsm_paper.tex | 96 |
2 files changed, 355 insertions, 157 deletions
diff --git a/paper/ihsm.bib b/paper/ihsm.bib
index de4c755..680c282 100644
--- a/paper/ihsm.bib
+++ b/paper/ihsm.bib
@@ -1,12 +1,12 @@
-% Encoding: UTF-8
-@comment{x-kbibtex-encoding=utf-8}
-
-@Book{anderson2020,
- author = {Ross Anderson},
- date = {2020-09-16},
- title = {Security Engineering},
- isbn = {978-1-119-64281-7},
-}
+% Encoding: UTF-8
+@comment{x-kbibtex-encoding=utf-8}
+
+@Book{anderson2020,
+ author = {Ross Anderson},
+ date = {2020-09-16},
+ title = {Security Engineering},
+ isbn = {978-1-119-64281-7},
+}
 @techreport{gs21,
 author = {{\censorIfSubmission{Jan Sebastian Götte and Björn Scheuermann}}},
@@ -71,13 +71,13 @@
 title = {Cocoon-PUF, a novel mechatronic secure element technology},
 year = {2012}
 }
-
-@Patent{rahman1988,
- author = {Mujib Rahman},
- date = {1988-03-10},
- number = {US Patent US4859024A},
- title = {Optical fiber cable with tampering detecting means},
-}
+
+@Patent{rahman1988,
+ author = {Mujib Rahman},
+ date = {1988-03-10},
+ number = {US Patent US4859024A},
+ title = {Optical fiber cable with tampering detecting means},
+}
 @www{haines2006,
 author = {Lester Haines},
@@ -97,39 +97,86 @@
 url = {https://dl.acm.org/doi/fullHtml/10.1145/3380774.3382016},
 urldate = {2020-10-22}
 }
-
-@Article{albartus2020,
- author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar},
- date = {2020},
- title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering},
- doi = {10.13154/tches.v2020.i4.309-336},
- number = {4},
- pages = {309–336},
- volume = {2020},
- bibsource = {dblp computer science bibliography, https://dblp.org},
- biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib},
- journal = {{IACR} Transactions on Cryptographic Hardware and Embedded Systems},
- year = {2020},
-}
-
-@InProceedings{trippel2017,
- author = {Timothy Trippel and Ofir Weisse and Wenyuan Xu and Peter Honeyman and Kevin Fu},
- booktitle = {2017 IEEE European symposium on security and privacy},
- title = {WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks},
- organization = {IEEE},
- pages = {3–18},
- x-fetchedfrom = {Google Scholar},
- year = {2017},
-}
-
-@WWW{heise2020t2jailbreak,
- author = {Leo Becker},
- date = {2020-03-11},
- title = {Jailbreaker nehmen T2-Sicherheitschip von Macs ins Visier},
- url = {https://www.heise.de/mac-and-i/meldung/Jailbreaker-nehmen-T2-Sicherheitschip-von-Macs-ins-Visier-4681131.html},
- organization = {Heise Online},
- publisher = {Heise Online},
-}
+
+@Article{albartus2020,
+ author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar},
+ date = {2020},
+ title = {{DANA} Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering},
+ doi = {10.13154/tches.v2020.i4.309-336},
+ number = {4},
+ pages = {309–336},
+ volume = {2020},
+ bibsource = {dblp computer science bibliography, https://dblp.org},
+ biburl = {https://dblp.org/rec/journals/tches/AlbartusHTAP20.bib},
+ journal = {{IACR} Transactions on Cryptographic Hardware and Embedded Systems},
+ year = {2020},
+}
+
+@InProceedings{trippel2017,
+ author = {Timothy Trippel and Ofir Weisse and Wenyuan Xu and Peter Honeyman and Kevin Fu},
+ booktitle = {2017 IEEE European symposium on security and privacy},
+ title = {WALNUT: Waging doubt on the integrity of MEMS accelerometers with acoustic injection attacks},
+ organization = {IEEE},
+ pages = {3–18},
+ x-fetchedfrom = {Google Scholar},
+ year = {2017},
+}
+
+@WWW{heise2020t2jailbreak,
+ author = {Leo Becker},
+ date = {2020-03-11},
+ title = {Jailbreaker nehmen T2-Sicherheitschip von Macs ins Visier},
+ url = {https://www.heise.de/mac-and-i/meldung/Jailbreaker-nehmen-T2-Sicherheitschip-von-Macs-ins-Visier-4681131.html},
+ organization = {Heise Online},
+ publisher = {Heise Online},
+}
+
+@WWW{faa2018,
+ author = {US Federal Aviation Administration},
+ date = {2018-05-31},
+ title = {Pack Safe: Batteries, lithium},
+ url = {https://www.faa.gov/hazmat/packsafe/more_info/?hazmat=7},
+ publisher = {US Federal Aviation Administration},
+}
+
+@WWW{heise2021ovh,
+ author = {Martin Holland},
+ date = {2021-03-10},
+ title = {Cloud-Dienstleister OVH: Feuer zerstört Rechenzentrum, ein weiteres beschädigt},
+ url = {https://www.heise.de/news/OVH-Feuer-zerstoert-Rechenzentrum-in-Strassburg-ein-weiteres-beschaedigt-5076320.html},
+ organization = {Heise Online},
+ publisher = {Heise Online},
+}
+
+@WWW{signal2019,
+ author = {Joshua Lund},
+ date = {2019-12-19},
+ title = {Technology Preview for secure value recovery},
+ url = {https://signal.org/blog/secure-value-recovery/},
+ organization = {signal.org},
+ publisher = {signal.org},
+}
+
+@InProceedings{ongaro2019,
+ author = {Diego Ongaro and John Ousterhout},
+ title = {In Search of an Understandable Consensus Algorithm},
+ booktitle = {2014 {USENIX} Annual Technical Conference ({USENIX} {ATC} 14)},
+ year = {2014},
+ isbn = {978-1-931971-10-2},
+ address = {Philadelphia, PA},
+ pages = {305--319},
+ url = {https://www.usenix.org/conference/atc14/technical-sessions/presentation/ongaro},
+ publisher = {{USENIX} Association},
+ month = jun,
+}
+
+@WWW{thales2015hsmha,
+ author = {Gemalto NV},
+ date = {2015-12-18},
+ title = {SafeNet PCI-E HSM 6.2 Product Documentation: High Availability (HA) Overview},
+ url = {https://thalesdocs.com/gphsm/luna/6.2/docs/pci/Content/administration/ha/ha_overview.htm},
+ publisher = {Gemalto NV},
+}
 @article{kim2018,
 author = {Seung Hyun Kim and Su Chang Lim and others},
@@ -141,27 +188,27 @@
 x-fetchedfrom = {Google Scholar},
 year = {2018}
 }
-
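Review bot: The new `faa2018` and `thales2015hsmha` entries give corporate authors in single braces (`author = {US Federal Aviation Administration}`, `author = {Gemalto NV}`), so the name parser will treat them as personal names and split them into given and family parts. The file already protects the institutional author of `iaea2011` with extra braces; the same form, `author = {{US Federal Aviation Administration}}` and `author = {{Gemalto NV}}`, keeps the names intact in the reference list. In the same hunk the key `ongaro2019` labels an entry with `year = {2014}`; `ongaro2014` would match the name-plus-year scheme used by the other keys, with the `\cite` in ihsm_paper.tex updated to match.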
-@Conference{johnson2018,
- author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho},
- booktitle = {Hot Chips: A Symposium on High Performance Chips},
- date = {2018},
- title = {Titan: enabling a transparent silicon root of trust for Cloud},
- url = {https://www.hotchips.org/hc30/1conf/1.14_Google_Titan_GoogleFinalTitanHotChips2018.pdf},
- x-fetchedfrom = {Google Scholar},
- year = {2018},
-}
-
-@TechReport{isaacs2013,
- author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert},
- date = {2013},
- institution = {Surface Mount Technology Association},
- title = {Tamper proof, tamper evident encryption technology},
- booktitle = {Pan Pacific Microelectronics Symposium},
- organization = {Surface Mount Technology Association},
- x-fetchedfrom = {Google Scholar},
- year = {2013},
-}
+
+@Conference{johnson2018,
+ author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho},
+ booktitle = {Hot Chips: A Symposium on High Performance Chips},
+ date = {2018},
+ title = {Titan: enabling a transparent silicon root of trust for Cloud},
+ url = {https://www.hotchips.org/hc30/1conf/1.14_Google_Titan_GoogleFinalTitanHotChips2018.pdf},
+ x-fetchedfrom = {Google Scholar},
+ year = {2018},
+}
+
+@TechReport{isaacs2013,
+ author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert},
+ date = {2013},
+ institution = {Surface Mount Technology Association},
+ title = {Tamper proof, tamper evident encryption technology},
+ booktitle = {Pan Pacific Microelectronics Symposium},
+ organization = {Surface Mount Technology Association},
+ x-fetchedfrom = {Google Scholar},
+ year = {2013},
+}
 @inproceedings{drimer2008,
 author = {Saar Drimer and Steven J Murdoch and Ross Anderson},
@@ -172,90 +219,145 @@
 x-fetchedfrom = {Google Scholar},
 year = {2008}
 }
-
-@WWW{terdiman2013,
- author = {Daniel Terdiman},
- date = {2013-07-23},
- title = {Aboard America's Doomsday command and control plane},
- url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane},
- organization = {cnet.com},
- month = jul,
- publisher = {CNET},
- year = {2013},
-}
-
-@Thesis{vrijaldenhoven2004,
- author = {Serge Vrijaldenhoven},
- date = {2004-10-01},
- institution = {Technische Universiteit Eindhoven},
- title = {Acoustical Physical Uncloneable Functions},
- type = {mathesis},
- url = {https://pure.tue.nl/ws/files/46971492/600055-1.pdf},
-}
-
-@WWW{dexter2015,
- author = {Karsten Nohl and Fabian Bräunlein and dexter},
- date = {2015-12-27},
- title = {Shopshifting: The potential for payment system abuse},
- url = {https://media.ccc.de/v/32c3-7368-shopshifting#t=2452},
- organization = {32C3 Chaos Communication Congress},
-}
-
-@WWW{newman2020,
- author = {Lily Hay Newman},
- date = {2020-10-06},
- title = {Apple's T2 Security Chip Has an Unfixable Flaw},
- url = {https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/},
- organization = {Wired Magazine},
-}
-
-@Article{sh2016,
- author = {Maruthi G. S. and Vishwanath Hegde},
- date = {2016},
- journaltitle = {IEEE Sensors Journal},
- title = {Application of MEMS Accelerometer for Detection and Diagnosis of Multiple Faults in the Roller Element Bearings of Three Phase Induction Motor},
- doi = {https://doi.org/10.1109/JSEN.2015.2476561},
- issn = {1558-1748},
- issue = {1},
- url = {https://www.researchgate.net/profile/Vishwanath-Hegde-2/publication/282389149_Application_of_MEMS_Accelerometer_for_Detection_and_Diagnosis_of_Multiple_Faults_in_the_Roller_Element_Bearings_of_Three_Phase_Induction_Motor/links/568bace808aebccc4e1c01fa/Application-of-MEMS-Accelerometer-for-Detection-and-Diagnosis-of-Multiple-Faults-in-the-Roller-Element-Bearings-of-Three-Phase-Induction-Motor.pdf},
- volume = {16},
-}
-
-@Article{kvk2019,
- author = {Ivar Koene and Raine Viitala and Petri Kuosmanen},
- date = {2019},
- journaltitle = {IEEE Access},
- title = {Internet of Things Based Monitoring of Large Rotor Vibration With a Microelectromechanical Systems Accelerometer},
- doi = {https://doi.org/10.1109/ACCESS.2019.2927793},
-}
-
-@TechReport{adc2019,
- author = {Bertrand Campagnie},
- date = {2019},
- institution = {Analog Devices},
- title = {Choose the Right Accelerometer for Predictive Maintenance},
- url = {https://www.analog.com/media/en/technical-documentation/tech-articles/Choose-the-Right-Accelerometer-for-Predictive-Maintenance.pdf},
- urldate = {2021-04-01},
-}
-
-@PhdThesis{e2013,
- author = {Maged Elsaid Elnady},
- date = {2013},
- institution = {University of Manchester},
- title = {On-Shaft Vibration Measurement Using a MEMS Accelerometer for Faults Diagnosis in Rotating Machines},
- url = {https://www.research.manchester.ac.uk/portal/files/54530535/FULL_TEXT.PDF},
- urldate = {2021-04-01},
-}
-
-@Book{iaea2011,
- author = {{{International Atomic Energy Agency}}},
- date = {2011},
- title = {Safeguards, techniques and equipment},
- isbn = {978-92-0-118910-3},
- series = {International Nuclear Verification Series},
- url = {https://www-pub.iaea.org/MTCD/Publications/PDF/nvs1_web.pdf},
- urldate = {2021-04-01},
- volume = {1},
-}
-
-@Comment{jabref-meta: databaseType:biblatex;}
+
+@WWW{terdiman2013,
+ author = {Daniel Terdiman},
+ date = {2013-07-23},
+ title = {Aboard America's Doomsday command and control plane},
+ url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane},
+ organization = {cnet.com},
+ month = jul,
+ publisher = {CNET},
+ year = {2013},
+}
+
+@Thesis{vrijaldenhoven2004,
+ author = {Serge Vrijaldenhoven},
+ date = {2004-10-01},
+ institution = {Technische Universiteit Eindhoven},
+ title = {Acoustical Physical Uncloneable Functions},
+ type = {mathesis},
+ url = {https://pure.tue.nl/ws/files/46971492/600055-1.pdf},
+}
+
+@WWW{dexter2015,
+ author = {Karsten Nohl and Fabian Bräunlein and dexter},
+ date = {2015-12-27},
+ title = {Shopshifting: The potential for payment system abuse},
+ url = {https://media.ccc.de/v/32c3-7368-shopshifting#t=2452},
+ organization = {32C3 Chaos Communication Congress},
+}
+
+@WWW{newman2020,
+ author = {Lily Hay Newman},
+ date = {2020-10-06},
+ title = {Apple's T2 Security Chip Has an Unfixable Flaw},
+ url = {https://www.wired.com/story/apple-t2-chip-unfixable-flaw-jailbreak-mac/},
+ organization = {Wired Magazine},
+}
+
+@Article{sh2016,
+ author = {Maruthi G. S. and Vishwanath Hegde},
+ date = {2016},
+ journaltitle = {IEEE Sensors Journal},
+ title = {Application of MEMS Accelerometer for Detection and Diagnosis of Multiple Faults in the Roller Element Bearings of Three Phase Induction Motor},
+ doi = {https://doi.org/10.1109/JSEN.2015.2476561},
+ issn = {1558-1748},
+ issue = {1},
+ url = {https://www.researchgate.net/profile/Vishwanath-Hegde-2/publication/282389149_Application_of_MEMS_Accelerometer_for_Detection_and_Diagnosis_of_Multiple_Faults_in_the_Roller_Element_Bearings_of_Three_Phase_Induction_Motor/links/568bace808aebccc4e1c01fa/Application-of-MEMS-Accelerometer-for-Detection-and-Diagnosis-of-Multiple-Faults-in-the-Roller-Element-Bearings-of-Three-Phase-Induction-Motor.pdf},
+ volume = {16},
+}
+
+@Article{kvk2019,
+ author = {Ivar Koene and Raine Viitala and Petri Kuosmanen},
+ date = {2019},
+ journaltitle = {IEEE Access},
+ title = {Internet of Things Based Monitoring of Large Rotor Vibration With a Microelectromechanical Systems Accelerometer},
+ doi = {https://doi.org/10.1109/ACCESS.2019.2927793},
+}
+
+@TechReport{adc2019,
+ author = {Bertrand Campagnie},
+ date = {2019},
+ institution = {Analog Devices},
+ title = {Choose the Right Accelerometer for Predictive Maintenance},
+ url = {https://www.analog.com/media/en/technical-documentation/tech-articles/Choose-the-Right-Accelerometer-for-Predictive-Maintenance.pdf},
+ urldate = {2021-04-01},
+}
+
+@PhdThesis{e2013,
+ author = {Maged Elsaid Elnady},
+ date = {2013},
+ institution = {University of Manchester},
+ title = {On-Shaft Vibration Measurement Using a MEMS Accelerometer for Faults Diagnosis in Rotating Machines},
+ url = {https://www.research.manchester.ac.uk/portal/files/54530535/FULL_TEXT.PDF},
+ urldate = {2021-04-01},
+}
+
+@Book{iaea2011,
+ author = {{{International Atomic Energy Agency}}},
+ date = {2011},
+ title = {Safeguards, techniques and equipment},
+ isbn = {978-92-0-118910-3},
+ series = {International Nuclear Verification Series},
+ url = {https://www-pub.iaea.org/MTCD/Publications/PDF/nvs1_web.pdf},
+ urldate = {2021-04-01},
+ volume = {1},
+}
+
+@Book{kelly1993,
+ author = {S. Graham Kelly},
+ edition = {2},
+ date = {1993},
+ title = {Fundamentals of Mechanical Vibrations},
+ isbn = {0-07-230092-2},
+ publisher = {McGraw-Hill},
+ series = {McGraw-Hill Series in Mechanical Engineering},
+}
+
+@Book{dixon2007,
+ author = {John C. Dixon},
+ title = {The Shock Absorber Handbook},
+ date = {2007},
+ isbn = {978-0-470-51020-9},
+ publisher = {Wiley},
+}
+
+@Book{beards1996,
+ author = {C. F. Beards},
+ title = {Structural Vibration: Analysis and Damping},
+ date = {1996},
+ publisher = {Wiley},
+ isbn = {0-340-64580-6},
+}
+
+@InProceedings{irikura2012,
+ title = {High Acceleration Motions generated from the 2011 Pacific coast off Tohoku, Japan Earthquake},
+ author = {Irikura, K and Kurahashi, S},
+ date = {2012},
+ booktitle = {Proceedings of the 15th World Conference on Earthquake Engineering},
+ pages = {24-28},
+}
+
+@WWW{ika2002,
+ title = {A test procedure for airbags},
+ year = {2002},
+ organization = {Rheinisch-Westfälischen Technischen Hochschule (RWTH) Aachen, Institut für Kraftfahrwesen Aachen (IKA)},
+ publisher = {International Motor Vehicle Inspection Commitee},
+ series = {CITA Research study programme on Electronically controlled systems on vehicles},
+}
+
+@article{yoshimitsu1990,
+ author = {Fukushima, Yoshimitsu and Tanaka, Teiji},
+ date = {1990},
+ journaltitle = {Bulletin of the Seismological Society of America},
+ volume = {80},
+ issue = {4},
+ pages = {757 - 783},
+ issn = {0037-1106},
+ title = {A new attenuation relation for peak horizontal acceleration of strong earthquake ground motion in Japan},
+ url = {https://pubs.geoscienceworld.org/ssa/bssa/article-abstract/80/4/757/102395/A-new-attenuation-relation-for-peak-horizontal},
+ urldate = {2021-07-07}
+}
+
+@Comment{jabref-meta: databaseType:biblatex;}
diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex
index 0188b48..4886693 100644
--- a/paper/ihsm_paper.tex
+++ b/paper/ihsm_paper.tex
@@ -352,6 +352,102 @@ Using longitudinal gaps in the mesh, our setup allows direct air cooling of regu
 powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan.
+\subsection{Long-term Operation}
+
+Like with other HSMs, practical use may require an IHSM to continuously run for a decade or even longer. As with other
+setups utilizing HSMs, a setup including IHSMs must be designed in a way that the failure of a small number of IHSMs
+does not compromise the system's security or reliability. Neither IHSMs nor traditional HSMs can withstand fire or
+flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and erasure of data
+cannot~\cite{heise2021ovh}. Traditionally, this problem is solved by storing all secrets in multiple, geographically
+redundant HSMs~\cite{thales2015hsmha}. The problem of providing fault-tolerance in IHSMs is easier since they are based
+on general-purpose computer hardware and use general-purpose operating systems and thus allow for state-of-the-art
+database replication techniques to be applied. One example of this approach is a 2019 technology
+demonstration~\cite{signal2019} created by the signal.org, the organization running the signal secure messenger app. In
+this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} inside Intel SGX to
+replicate state between redundant instances.
+
+There are three main categories of challenges to an IHSM's longevity: Failure of components of the IHSM due to age and
+wear, failure of the external power supply and spurious triggering of the intrusion alarm by changes in the IHSM's
+environment. In the following paragraphs we will evaluate each of these categories in its practical impact.
+
+\paragraph{Component failure.}
+The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation
+techniques apply. The expected lifetime of electronic components can be increased by using higher-spec components and by
+reducing thermal, mechanical and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must
+be balanced. The main mechanical failure mode of an IHSM's is failure of the shaft bearings. By incorporating knowledge
+from other rotating devices that have a long lifetime such as cooling fans, this failure mode can be mitigated. A final
+noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the communication link. This
+failure mode can be mitigated by routing cooling airflow such that it does not go past the communication link's optical
+components, as well as by filtering cooling air at the device's intakes.
+
+\paragraph{Power failure.}
+\label{sec-power-failure}
+After engineering an IHSM's components to survive years of continuous operation, the next major failure mode to be
+considered is power loss. Traditional HSMs solve the need for an always-on backup power supply by carrying large backup
+batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use
+of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its
+motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional
+Uninterruptible Power Supply (UPS) can be used, but in practice a productized IHSM might have a small, simple UPS
+integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an
+IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power
+an IHSM for 10 hours continuously. If a built-in battery is undesirable, or if power outages of more than a few seconds
+at a time are unlikely (e.g.\ because the IHSM is connected to an external UPS or generator), the IHSM's rotor itself
+can be used as a flywheel for energy storage up to several seconds. By designing the IHSM's rotor to have low friction
+loss and high mass (e.g.\ by coupling it to an actual metal flywheel), longer power outages can be bridged. % FIXME
+
+\paragraph{Spurious alarms.}
+A spurious alarm would be as catastrophic as a failure of a critical component of an IHSM. For this reason, the
+likelihood of such an alarm failure must be minimized. In principle, there are two possible causes for a spurious alarm.
+One is a component failure such as a mesh trace breaking under vibration. This failure mode can be mitigated in the same
+way other failure modes are mitigated. The second possible cause is that the device is accelerated in excess of the
+range expected by its designers. There are several possible causes why an IHSM might move during normal operation. The
+IHSM may have to be transported between datacenters or relocated within a dataceter. Other vibrating machinery such as
+backup generators or large hard disk storage arrays may conduct vibration through the rack the IHSM is mounted inside
+into the IHSM. People working in the datacenter might bump the IHSM. Vibrations from nearby traffic such as trains may
+couple through the ground into the datacenter and into the IHSM. Finally, earthquakes will couple through any reasonable
+amount of vibration dampening.
+
+There are two key points to note on vibration dampening. One, the instantaneous mechanical power of a vibrating motion
+is proportional to the square of its amplitude when fixing frequency and the cube of its frequency when fixing
+amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency
+vibrating motion compared to lower frequencies. This observation interacts the second key point we want to note here:
+An ideal vibration dampener works the better the higher the frequency, and has a lower bound below which it does no
+longer dampen vibration transmission~\cite{kelly1993,beards1996,dixon2007}. In conclusion, these two observations mean
+that if we wish to reduce the likelihood of false detections by our IHSM tamper alarm we can effectively achieve this
+goal by damping high-frequency shock and vibration, as low-frequency shock or vibration components will not reach
+accelerations large enough to cause a false alarm.
+
+To put the above relations into perspective, consider that at an angular frequency of $\SI{1000}{rpm}$, we can expect an
+IHSM's tamper sensor to measure an acceleration of about $\SI{100}{g}$. Even the strongest earthquakes rarely reach a
+Peak Ground Acceleration (PGA) of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest measured PGA of the 2011 Tohoku
+earthquake was approximately $\SI{0.3}{g}$. Since earthquake vibrations are low-frequency and happen across a large
+geographic area, they nontheless dissipate a tremendous amound of mechanical power through an absolute acceleration that
+may seem low at first glance, but we can largely ignore them for the purposes of our tamper detection system. As
+another point of reference, consider a car crash. An acceleration above $\SI{10}{g}$ corresponds to a crash at roughly
+$\SI{30}{\kilo\meter\per\hour}$~\cite{ika2002}. Thus, an IHSM's tamper detection subsystem will be able to clearly
+distinguish attempts to stop the IHSM's rotation at an amplitude of $\SI{100}{g}$ from external accelerations. External
+acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of
+an IHSM's rotor would likely destroy the IHSM.
+
+\subsection{Transportation}
+
+While unintentional acceleration is unlikely to cause false alarms in an IHSM when simple vibration damping is employed,
+there is an issue with intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will
+respond to tipping with a precession force. This could become an issue when a larger IHSM is transported between e.g.\
+the manufacturer's premises and its destination data center. One solution to this problem is to transport the IHSM
+elastically mounted inside a shipping box that is weighted to resist precession forces. To reduce the amount of
+precession, the IHSM should be transported with its axis of rotation pointing upwards and its speed of rotation set to
+the lower end of the range permitted by its application's security requirements. The IHSM's software could allow for a
+temporary ``shipping mode'' to be entered that could slow down the IHSM and increase the tamper sensing accelerometer's
+thresholds.
+
+During shipping, the IHSM will require a continuous power supply. The most practical solution to this challenge is to
+ship the IHSM along with a small backup battery. Following our conservative estimate in Section~\ref{sec-power-failure},
+a 48-hour shipping window as is offered by many courier shipping services could easily be bridged with the equivalent of
+5-10 laptop batteries. In case a built-in battery backup is not necessary in the IHSM's application, these batteries
+could be connected as an external device that is disconnected and sent back to the IHSM's manufacturer after the IHSM
+has been installed.
+
 \section{Attacks} \label{sec_attacks} |
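Review bot: The ``shipping mode'' sentence that closes the first Transportation paragraph introduces a state that slows the rotor and raises the accelerometer thresholds, but it does not say who may enter that state or how far the thresholds may move. The preceding sentence ties rotor speed to "the range permitted by its application's security requirements", while the threshold increase carries no such bound, so as written the mode reads as an unbounded reduction of the tamper-detection margin. I would add a sentence such as `Entering shipping mode must require operator authentication, be limited in duration, and keep both rotor speed and alarm thresholds within the bounds set by the application's security requirements.` The Attacks section begins right after this hunk and is not visible here, so it may already cover this; a forward reference would then be enough.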