author | jaseg <git@jaseg.de> | 2020-11-06 14:35:21 +0100 |
---|---|---|
committer | jaseg <git@jaseg.de> | 2020-11-06 14:35:21 +0100 |
commit | ac6fbd9e8e48e6825b3f4d9558f777822b14b596 (patch) | |
tree | 09e1825a97a264b1bede1ffed9ff49c25c937734 /doc/quick-tech-report | |
parent | e31d7a98d0c4a816270f54af85790a762cd2f44a (diff) | |
download | ihsm-ac6fbd9e8e48e6825b3f4d9558f777822b14b596.tar.gz ihsm-ac6fbd9e8e48e6825b3f4d9558f777822b14b596.tar.bz2 ihsm-ac6fbd9e8e48e6825b3f4d9558f777822b14b596.zip |
techrepor: Update paper. I think this is as far as I'll go before the prototype.
Diffstat (limited to 'doc/quick-tech-report')
-rw-r--r-- | doc/quick-tech-report/rotohsm.bib | 37 |
-rw-r--r-- | doc/quick-tech-report/rotohsm_tech_report.tex | 249 |
2 files changed, 155 insertions, 131 deletions
diff --git a/doc/quick-tech-report/rotohsm.bib b/doc/quick-tech-report/rotohsm.bib index 0250074..17ee18a 100644 --- a/doc/quick-tech-report/rotohsm.bib +++ b/doc/quick-tech-report/rotohsm.bib @@ -20,7 +20,9 @@ date = {2019}, doi = {10.13154/tches.v2019.i1.51-96}, issn = {2569-2925}, + journal = {IACR transactions on cryptographic hardware and embedded systems.}, journaltitle = {IACR Transactions on Cryptographic Hardware and Embedded Systems}, + publisher = {IACR}, title = {Secure Physical Enclosures from Covers with Tamper-Resistance}, url = {https://tches.iacr.org/index.php/TCHES/article/view/7334/6506}, urldate = {2020-09-16} @@ -123,3 +125,38 @@ year = {2018} } +@inproceedings{johnson2018, + author = {Scott Johnson and Dominic Rizzo and Parthasarathy Ranganathan and Jon McCune and Richard Ho}, + booktitle = {Hot Chips: A Symposium on High Performance Chips}, + title = {Titan: enabling a transparent silicon root of trust for Cloud}, + x-fetchedfrom = {Google Scholar}, + year = {2018} +} + +@inproceedings{isaacs2013, + author = {Phil Isaacs and Thomas {Morris Jr} and Michael J Fisher and Keith Cuthbert}, + booktitle = {Pan Pacific Symposium}, + title = {Tamper proof, tamper evident encryption technology}, + x-fetchedfrom = {Google Scholar}, + year = {2013} +} + +@inproceedings{drimer2008, + author = {Saar Drimer and Steven J Murdoch and Ross Anderson}, + booktitle = {2008 IEEE Symposium on Security and Privacy (sp 2008)}, + organization = {IEEE}, + pages = {281–295}, + title = {Thinking inside the box: system-level failures of tamper proofing}, + x-fetchedfrom = {Google Scholar}, + year = {2008} +} + +@misc{terdiman2013, + author = {Daniel Terdiman}, + month = jul, + publisher = {CNET}, + title = {Aboard America's Doomsday command and control plane}, + url = {https://www.cnet.com/news/aboard-americas-doomsday-command-and-control-plane}, + year = {2013} +} + 
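Review bot: the added `journal = {IACR transactions on cryptographic hardware and embedded systems.}` line in the `immler2019` entry duplicates the existing `journaltitle` field with different capitalization and a stray trailing period; biblatex treats `journal` as an alias of `journaltitle`, so only one of the two can survive the alias mapping and biber will warn about the collision. Drop the added `journal` line and keep `journaltitle`. In the four new entries, the `x-fetchedfrom = {Google Scholar}` fields are ignored by the style and only add noise, and `drimer2008` uses a literal en-dash in `pages = {281–295}` where the conventional `281--295` is safer across encodings; `(sp 2008)` in its `booktitle` should also be `(SP 2008)` to match the IEEE venue name.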
diff --git a/doc/quick-tech-report/rotohsm_tech_report.tex b/doc/quick-tech-report/rotohsm_tech_report.tex index 5947fcc..a1a19fc 100644 --- a/doc/quick-tech-report/rotohsm_tech_report.tex +++ b/doc/quick-tech-report/rotohsm_tech_report.tex 
@@ -93,63 +93,64 @@ offers a level of security that is comparable to even the best commercial offeri \section{Introduction} While information security technology has matured a great deal in the last half century, physical security has barely -changed. Given the right skills, physical access to a computer still usually equates full compromise. The physical -security of modern server hardware hinges on what lock you put on the room it is in. Systems such as Trusted Platform -Modules attempt to alleviate this problem, but they are hard to use and even with them a system still offers -considerable attack surface\cite{heise2020t2jailbreak}. - -In modern systems, high-level physical security is usually limited to small physical dimensions. Secure enclaves and -smartcards provide security on the scale of a single chip. Commercial HSMs have a small circuit -board\cite{anderson2020,immler2019}. Security systems such as TPMs effectively allow tying a larger system's physical -security to that of a small TPM chip embedded inside. The protection that exists at the level of a single server -enclosure is usually limited to a lid switch and some tamper-evident seals. +changed. Given the right skills, physical access to a computer still often equates full compromise. The physical +security of modern server hardware hinges on what lock you put on the room it is in. + +Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid +switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between +physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key +infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic +co-processors in form of smartcards or hardware security modules (HSMs). 
Smartcards and HSMs protect a physically small +volume of a single chip or circuit board, respectively. In lower-security applications\cite{heise2020t2jailbreak}, +smartcard-like trusted platform modules (TPMs) and other types of security platform controllers allow an administrator +to tie a whole computer's security to that of the small security chip inside\cite{frazelle2019,johnson2018}. \subsection{Technical approaches to physical security} -Shrinking things to the nanoscopic level to secure them against tampering is increasing in popularity. Apple today uses -a secure enclave IC in their line of laptops. Likewise, Google has developed its own security IC with a similar -application\cite{frazelle2019}. These chips are an engineering solution to problems that cannot be solved with -cryptographic security. The security of these chips rests on the assumption that due to their fine structure, they are -hard to reverse engineer or modify. As of now, this property holds and in the authors' opinion it will likely be a -reasonable assumption for some years to come. However, in its essence this is a type of security by obscurity: -Obscurity here meaning the rarity of the equipment necessary to attack these chips\cite{albartus2020,anderson2020}. +Shrinking things to the nanoscopic level to secure them against tampering is an engineering solution to problems that +cannot be solved (yet) with cryptographic security. The security of these chips rests on the assumption that their fine +structures are hard to reverse engineer and modify. As of now, this property holds and in the authors' opinion it will +likely be a reasonable assumption for some years to come. However, in essence this is a type of security by obscurity: +Obscurity here referring to the rarity of the equipment necessary to attack these chips\cite{albartus2020,anderson2020}. 
\subsection{Hardware Security Modules} Right now, Hardware security modules (HSMs) are the commercial devices offering the highest ``physical -security-volume-product''. Whereas smartcards secure a single chip, HSMs secure a small circuit board. In contrast to a +security-to-volume-product''. Where smartcards secure a single chip, HSMs secure a small circuit board. In contrast to a smartcard, the HSM actively deletes its secrets when it detects a manipulation. Commercial HSMs commonly employ what we call \emph{boundary monitoring}. They have a physical security barrier that they continuously monitor for holes. Usually, this barrier is a thin foil that is patterned with at least two electrical traces that are folded many times to cover the entire area of the foil. The HSM monitors these traces for shorts or breaks. This simple construction -transforms the security problem into a manufacturing challenge. +transforms the security problem into a manufacturing challenge\cite{isaacs2013,immler2019,anderson2020}. In our classification the other type of HSMs are \emph{volumetric} HSMs. They monitor their entire internal volume for changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound. Their security is limited by the analog sensitivity of their transceivers. Their practicality is limited by their complex transceiver and signal -processing circuitry. They promise to secure larger volumes than boundary monitoring at higher parts cost. - -A problem with volumetric designs is their security analysis, which is hard to do without significant guesswork. In -e.g.\ a device that use electromagnetic radiation to monitor its volume, one has to numerically solve the -electromagnetic field equations inside the HSM to validate its impenetrability. 
- -\subsection{Inertial HSMs: A new approach to physical security} We are certain that there is still much work to be done -and many insights to be gained in both HSM and in smartcard technology\footnote{For example, consider a box with -mirrored walls that contains a smaller box suspended on thin wires that has cameras looking outward in all directions at -the mirrored walls. Given that the defender can control lighting conditions inside this kaleidoscopic box in this -application modern cameras perform better than the human eye. Thus, a successful physical attack on this system would -likely an ``invisibility cloak''--and the system would remain secure as long as no such thing exists. This example is a -useful point of reference. To be viable, an HSM technology must be either cheaper, smaller or more sensitive than this -strawman setup\cite{kim2018}.}. % TODO perhaps misplaced citation and/or poor source? - +processing circuitry. They promise to secure larger volumes than boundary monitoring at higher parts cost. A problem +with volumetric designs is their security analysis, which is hard to do without significant guesswork. In e.g.\ a +device that use electromagnetic radiation to monitor its volume, one has to numerically solve the electromagnetic field +equations inside the HSM to validate its impenetrability. + +\subsection{Inertial HSMs: A new approach to physical security} + +We are certain that there is still much work to be done and many insights to be gained in both HSM and in smartcard +technology\footnote{ + As a baseline, consider a box with mirrored walls that contains a smaller box suspended on thin wires that has + cameras looking outward in all directions at the mirrored walls. Given that the defender can control lighting + conditions inside this kaleidoscopic box in this application modern cameras perform better than the human eye. 
+ Thus, a successful physical attack on this system would likely an ``invisibility cloak''--and the system would + remain secure as long as no such thing exists. To be viable, an HSM technology must be either cheaper, smaller or + more sensitive than this strawman setup\cite{kim2018}. +}. % TODO perhaps misplaced citation and/or poor source? Still, we wish to introduce a novel approach to sidestep the issues of conventional HSMs and provide radically better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made much more difficult to attack by moving it very quickly. As a trivial example, consider an HSM as it is used in ecommerce applications for credit card payments. Its physical security level is set by the structure size of its -security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, solder and lasers. +security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, solder and +lasers\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual defenses the HSM is now equipped with an -accelerometer that it uses to verify that it is rotating at high speed. How would an attacker approach this HSM? They +accelerometer that it uses to verify that it is spinning at high speed. How would an attacker approach this HSM? They would have to either slow down the rotation, triggering the accelerometer, or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack workbench might be possible but rotating frames of reference quickly become inhospitable to human life\footnote{See Appendix 
@@ -178,7 +179,7 @@ evolved much in the last two decades. Apart from some auxiliary temperature and attacks on the built-in SRAM memory, the module's main security barrier uses the traditional construction of a flexible mesh wrapped around the module's core. In \cite{smith1998}, the authors claim the module monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and construction is similar to -other commercial offerings\cite{obermaier2018}. +other commercial offerings\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. In \cite{immler2019}, Immler et al. describe a HSM based on precise capacitance measurements of a mesh. In contrast to traditional meshes, the mesh they use consists of a large number of individual traces (more than 32 in their example). 
@@ -205,59 +206,60 @@ transceivers is shaped by the precise three-dimensional distribution of RF-refle compound. Our concept is novel in that mechanical motion has not been proposed before as part of a hardware security module. Most -academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs while commercial -vendors concentrate on means to cheaply manufacture these security barriers. Our concept instead focuses on the issue of -taking any existing, cheap low-performance security barrier and transforming it into a marginally more expensive but -very high-performance one. The closes to a mechanical HSM that we were able to find during our research is an 1988 -patent \cite{rahman1988} that describes an mechanism to detect tampering along a communication cable by enclosing the -cable inside a conduit filled with pressurized gas. +academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs\cite{immler2019} +while commercial vendors concentrate on means to cheaply manufacture and certify these security +barriers\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance +security barrier and transforming it into a marginally more expensive but very high-performance one. The closes to a +mechanical HSM that we were able to find during our research is an 1988 patent \cite{rahman1988} that describes an +mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with +pressurized gas. \section{Inertial HSM construction and operation} + \subsection{Using motion for tamper detection} -Mechanical motion has been proposed as a means of making things harder to see with the human eye\cite{haines2006} but we -seem to be the first to use it in tamper detection. Let us think about the constraints of our approach. 
+ +Mechanical motion has been proposed as a means of making things harder to see with the human eye\cite{haines2006} and is +routinely used in military applications to make things harder to hit\cite{terdiman2013} but we seem to be the first to +use it in tamper detection. Let us think about the constraints of our approach. \begin{enumerate} - \item We need the sensor's motion to be fairly fast. If any point of the sensor moves slow enough for a human to - follow, it becomes a weak spot. - \item We need to keep the sensor's motion inside a reasonable space. Otherwise we could just load our HSM on an - airplane and assume that mid-flight, airplanes are hard to stop non-destructively. + \item We need the tamper sensor's motion to be fairly fast. If any point of the sensor moves slow enough for a human + to follow, it becomes a weak spot. + \item We need to keep the entire apparatus compact. \item We need the sensor's motion to be very predictable so that we can detect an attacker trying to stop it. \end{enumerate} From this, we can make a few observations. \begin{enumerate} - \item Non-periodic linear motion is likely to be a poor choice since it requires a large amount of space, and it is - comparatively easy to follow something moving linearly. - \item Oscillatory motion such as linear vibration or a pendulum motion might be a good candidate but for the - instant at its apex when the vibration reverses direction the object is stationary, which is a weak spot. - \item Rotation is a very good choice. Not only does it not require much space to execute, but also if the axis of + \item Non-periodic linear motion (like a train on wheels) is likely to be a poor choice since it requires a large + amount of space, and it is comparatively easy to follow something moving linearly. 
+ \item Oscillatory motion such as linear vibration or a pendulum motion might be a good candidate would there not be + the moment at its apex when the vibration reverses direction the object is stationary. This is a weak spot. + \item Rotation is a very good choice. It does not require much space to execute. Additionally, if the axis of rotation is within the HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Since their tangential linear velocity would rise linearly with the radius from the axis of rotation, an assumption on tolerable centrifugal force allows one to limit the approximate maximum size and mass of an - attacker. For an HSM measuring at most a few tens of centimeters across, it is easy to build something that - rotates too fast for a human to be able to follow it. The axis of rotation is a weak spot, but this can be - alleviated by placing additional internal sensors around it and locating all sensitive parts of the sensing - circuit radially away from it. + attacker (see Appendix \ref{sec_minimum_angular_velocity}). The axis of rotation is a weak spot, but we can + simply nest multiple layers of protection at an angle to each other. \item We do not have to move the entire contents of the HSM. It suffices if we move the tamper detection barrier - around a stationary payload. This reduces the inertial mass of the moving part and eases data communication and - power supply of the payload. + around a stationary payload. This reduces the moment of inertia of the moving part and it means we can use + cables for payload power and data. \end{enumerate} \begin{figure} \center \includegraphics{concept_vis_one_axis.pdf} - \caption{Concept of a simple rotating inertial HSM. 1 - Axis of rotation. 2 - Security mesh. 3 - Payload. 4 - + \caption{Concept of a simple spinning inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 - Accelerometer. 
5 - Shaft penetrating security mesh.} \label{fig_schema_one_axis} \end{figure} In a rotating reference frame centrifugal force is proportional to the square of angular velocity and proportional to distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the -rotation by simply placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, -both acceleration tangential to the rotation and along the axis of rotation will be zero. Centrifugal acceleration will -be constant. At high speeds, this acceleration may become very large. This poses the engineering challenge of preventing +rotation by placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, both +acceleration tangential to the rotation and along the axis of rotation will be zero. Centrifugal acceleration will be +constant. At high speeds, this acceleration may become very large. This poses the engineering challenge of preventing the whole thing from flying apart, but also creates an obstacle to any attacker trying to manipulate the sensor. In Appendix \ref{sec_minimum_angular_velocity} we present some back-of-the-envelope calculations on minimum angular 
@@ -269,14 +271,14 @@ disturbances if we over-determine the system of equation determining its motion \subsection{Payload mounting mechanisms} -The simplest way to mount a stationary payload in a rotating security mesh is to drive the rotor using a hollow shaft. +The simplest way to mount a stationary payload in a spinning security mesh is to drive the rotor using a hollow shaft. This allows the payload to be mounted on a fixed rod threaded through this hollow shaft along with wires for power and data. The stationary rod and cables on the axis of rotation inside the hollow shaft are a weak spot of the system, but this weak spot can be alleviated through either careful construction or a second layer of rotating meshes with a different axis of rotation. Configurations that do not use a hollow-shaft motor are possible, but may require more bearings to keep the stator from vibrating. -\subsection{Rotating mesh power supply} +\subsection{Spinning mesh power supply} There are several options to transfer power to the rotor from its stationary frame. 
@@ -296,69 +298,24 @@ There are several options to transfer power to the rotor from its stationary fra \subsection{Payload cooling} -In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air -duct or heat pipe would have to penetrate the HSM's sensitive boundary. This problem can be solve by complex and costly -siphon-style constructions, but in commercial systems heat conduction is used exclusively. This severely limiting the -maximum power dissipation of the payload and thus its processing power. In our rotating HSM concept, the rotating mesh -can have longitudindal gaps in the mesh without impeding its function. This allows air to pass through the mesh during -rotation, and one could even integrate a fan into the rotor. This greatly increases the maximum possible power -dissipation of the payload and unlocks much more powerful processing capabilities. - -\subsection{Rotating mesh data communication} - -As we discussed above, while slip rings are the obvious choice to couple electrical signals through a rotating joint, -they are likely to be too expensive and have too short a life span for our application. Since the only information that -needs to pass between payload and rotor are the occassional status report and a high-frequency heartbeat signal that -acts as the alarm trigger, a simple optocoupler close to the axis of rotation is a good solution. - -% FIXME note prototype implementation here - -\section{Design space exploration} - -\subsection{Other modes of movement} - -Though we decided to use rotation as an easy-to-implement yet secure option, other modes of movement bear promise as -well. Particularly for less high-security applications without strict space constraints, a variant based on a pendulum -motion may be worth investigating as it would simplify the mechanical construction. Power and data transfer to the -moving part could simply be done with very flexible cables. 
+In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air duct or heat pipe would have +to penetrate the HSM's security boundary. This problem can be solve by complex and costly siphon-style constructions, +but in commercial systems heat conduction is used exclusively\cite{isaacs2013}. This limits the maximum power +dissipation of the payload and thus its processing power. In our spinning HSM concept, the spinning mesh can have +longitudindal gaps in the mesh without impeding its function. This allows air to pass through the mesh during rotation, +and one could even integrate an actual fan into the rotor. This greatly increases the maximum possible power dissipation +of the payload and unlocks much more powerful processing capabilities. -\subsection{Multiple axes of rotation} +\subsection{Spinning mesh data communication} -One option to alleviate the weak spot a rotating mesh has at its axis of rotation, a system with two or more axes of -rotation could be used. A single mesh would still suffice in this case, but when evaluating accelerometer readings, the -braking detection algorithm would have to superimpose both. +As for power, slip rings are the obvious choice to couple data signals through the rotating joint. Like for power, for +data, too they are too expensive for our application. -\subsection{Means of power transmission} +In our design with a stationary payload where only the security mesh and sensors are spinning, only occassional status +reports and a high-frequency alarm trigger heartbeat signal have to pass from rotor to stator. For this, a simple +optocoupler close to the axis of rotation is a good solution. -Power transmission from payload to rotor is another point worth investigating. It may be possible to use some statically -mounted permanent magnets with a coil integrated into the rotor's PCB as a low-power generator. 
While likely -inefficient, this setup would be low-cost and would still suffice for the meager power requirements of the rotor's -monitoring circuitry. - -\subsection{Other sensing modes} - -Since the security requirement the primary tamper-detection barrier needs to measure up to are much more lenient in the -rotating HSM concept than in traditional HSMs, other coarse sensing modes besides low-tech meshes may be attractive. One -possibility that would also eliminate the need of any active circuitry on the rotor would be to print the inside of the -rotor with a pattern, then have a linear array of reflective optical sensors located close to the rotor along a -longitudinal line. These sensors would observe the printed pattern passing by at high speed, and could compare their -measurements against a model of the rotor. Tampering by drilling holes or slots would show up as adding an offset to -part or all of the pattern. Likewise, the speed of rotation can be deducted directly from a sequence of measurements. - -\subsection{Longevity} - -A core issue with a mechanical HSM is component longevity. Save for dust and debris clogging up the system's mechanics -the primary failure point are the bearings. A good partner for further development or even commercialization might be a -manufacturer of industrial ducted fans as they are used e.g.\ in servers for cooling. Small industrial fans usually use -BLDC motors and bearings specially optimized for longevity. - -\subsection{Transportation of an active device} - -A rotating mass responds to torque not co-linear with its axis of rotation with a gyroscopic precession force. In -practice, this means that moving a device containing a spun-up rotating HSM on its inside might induce significant -forces on both the HSM (posing the danger of false alarms) and on the carrier of the device (potentially making handling -challenging). 
This effect would have to be taken into account in a real-world deployment, especially if the finished -device is to be shipped by post or courier services after spin-up. +% FIXME note prototype implementation here \subsection{Hardware prototype} @@ -379,7 +336,7 @@ itself, to prevent a damaged mesh from triggering an alarm and causing the HSM t locations are electronic attacks, i.e. they require electrical contact to parts of the circuit. Traditionally, this contact is made by soldering, or by placing a probe such as a thin needle. Any kind of electrical contact that does not involve an electron or ion beam or a liquid requires mechanical contact. We consider none of these forms feasible to be -performed on an object rotating at high speed without a complex setup that rotates along with the object. Thus, we +performed on an object spinning at high speed without a complex setup that rotates along with the object. Thus, we consider them to be practically infeasible outside of a well-funded, special-purpose laboratory. \subsection{Attacks on the alarm circuitry} @@ -407,7 +364,7 @@ MEMS accelerometer. An electronic attack on the sensor or the monitoring microco directly bridging the mesh traces and would not make sense. Physical attacks on the accelerometer are possible\cite{trippel2017}, but in the authors' estimate are too hard to control to be practically useful. -A possible attack scenario would be to instantly stop the rotating motion and accelerate the HSM linearly such that the +A possible attack scenario would be to instantly stop the spinning motion and accelerate the HSM linearly such that the linear acceleration as measured equals the previous centrifugal acceleration. Since commercial accelerometers are very precise we do not consider this type of attack feasible. 
@@ -427,18 +384,47 @@ If the rate of rotation is set to change on a schedule, it is trivially detectab %FIXME FIXME +\section{Future Work} + +\paragraph{Other modes of movement} +We decided to build a spinning HSM because it is the easiest option. Still, other modes of movement are also promising. +Particularly an oscillating HSM may be easier to construct at the expense of security. In it, power and data transfer to +the moving part could simply be done with cables. + +\paragraph{Multiple axes of rotation} +The baseline single-axis spining HSM we propose has a weak spot at its shaft. This weak spot can be alleviated using a +gyroscoping mount, allowing the HSM to continuously change its axis of rotation. + +\paragraph{Other sensing modes} +Beyond traditional security meshes, other sensing modes might be interesting in our unique setting. One possible option +without any moving electronics would be to print the inside of the rotor with a pattern, then have a linear CCD look at +the rotor. The CCD would see the printed pattern passing by at high speed, and one could compare its measurement +against a model of the rotor to check both speed of rotation and rotor integrity at once. + +\paragraph{Longevity} +A core issue with a mechanical HSM is component longevity. Save for dust and debris clogging up the HSM's mechanics, +the primary failure point are the bearings. Industrial ducted fans such as servers fans may be a good source for +inspiration. + +\paragraph{Transportation of an active device} +A rotating mass responds to torque that is not co-linear with its axis of rotation with a gyroscopic precession force. +In practice, this means that moving a device containing a spun-up rotating HSM on its inside might induce significant +forces on both the HSM (and cause false alarms) and on the carrier of the device (making handling challenging). 
A +real-world deployment would have to take this into account, especially if the finished device is to be shipped by post +or courier services after spin-up. + \section{Conclusion} In this paper, we have presented inertial hardware security modules, a novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available parts. We have elaborated the engineering considerations underlying a practical implementation of this concept. We have analyzed the concept for its security properties and highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We have -laid out some ideas for future research on the concept, and we will continue our own research on the topic. +laid out some ideas for future research on the concept. \printbibliography[heading=bibintoc] \appendix -\subsection{Rotating mesh energy calculations} +\subsection{Spinning mesh energy calculations} \label{sec_energy_calculations} -Assume that the rotating mesh sensor should send its tamper status to the static monitoring circuit at least once every +Assume that the spinning mesh sensor should send its tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At $\SI{100}{\kilo\baud}$ a transmission of a single byte in standard UART framing would take $\SI{100}{\micro\second}$ and yield an $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of 
@@ -484,7 +470,8 @@ already have to circumvent the rotor's security mesh. Assuming the HSM is stationary, a sensor on the rotating part will experience two significant accelerations: \begin{enumerate} \item Gravity $g = 9.8\frac{m}{s^2}$ - \item Centrifugal force $a_C=\omega^2 r$, in the order of $\SI{1000}{\meter\per\second^2}$ or $100 g$ + \item Centrifugal force $a_C=\omega^2 r$, in the order of $\SI{1000}{\meter\per\second^2}$ or $100 g$ at + $r=\SI{100}{\milli\meter}$ and $\SI{1000}{rpm}$ \end{enumerate} Due to the vast differences in both radius and angular velocity, we can neglegt any influence of the earth's rotation on |
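Review bot: in the rewritten `Technical approaches to physical security` paragraph (hunk starting at -93), `The security of these chips rests on the assumption ...` now has no antecedent. The removed sentences about Apple's secure enclave IC and Google's security IC were the only place `these chips` was introduced, and the new opening sentence talks about `Shrinking things to the nanoscopic level`. Either name the chips again (for example `security chips such as secure enclaves, smartcards and TPMs`) or rephrase to `The security of such chips`. In the same hunk, `\cite{heise2020t2jailbreak}` has moved from supporting `a system still offers considerable attack surface` to hanging off `In lower-security applications`, where a jailbreak report does not evidence the claim it is attached to; attach it to the TPM sentence it actually supports. Minor, also in added lines: `still often equates full compromise` should read `equates to full compromise`, and the footnote text carried over unchanged still reads `would likely an ``invisibility cloak''` (missing `require`) and `a device that use` (`uses`).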
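Review bot: the second observation in the rewritten enumerate (hunk starting at -205) is ungrammatical: `might be a good candidate would there not be the moment at its apex when the vibration reverses direction the object is stationary` runs two clauses together. Suggest `would be a good candidate were it not for the moment at its apex, when the motion reverses direction and the object is momentarily stationary. This is a weak spot.` The same hunk rewrites three lines but keeps their typos: `The closes to a mechanical HSM` (`closest`), `an 1988 patent` (`a 1988 patent`) and `describes an mechanism` (`a mechanism`). The figure caption now labels both callout 1 and callout 5 as a shaft (`1 - Shaft.` and `5 - Shaft penetrating security mesh.`); if 1 is meant to mark the axis as before, keep `Axis of rotation` for 1 so the two callouts stay distinguishable.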
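Review bot: the rewritten `Spinning mesh data communication` paragraph (hunk starting at -296) drops the reason slip rings were rejected. The removed text said they `are likely to be too expensive and have too short a life span`; the new text says only that `they are too expensive for our application`, and `Like for power, for data, too they are too expensive` is hard to parse. Suggest `Slip rings are the obvious choice for coupling data signals through the rotating joint, but as with power transfer they are too expensive and wear out too quickly for our application.` The cooling paragraph in the same hunk re-adds `This problem can be solve by` (`solved`) and `longitudindal` (`longitudinal`), and `occassional` (`occasional`) survives in the data paragraph. The `% FIXME note prototype implementation here` marker is also still in place directly above `\subsection{Hardware prototype}`; either fill it in or remove it before this goes out.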
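Review bot: the new `Future Work` section (hunk starting at -427) has three typos in added lines: `single-axis spining HSM` (`spinning`), `gyroscoping mount` (`gyroscopic`) and `servers fans` (`server fans`). Substantively, the `Multiple axes of rotation` paragraph now says the shaft weak spot `can be alleviated using a gyroscoping mount, allowing the HSM to continuously change its axis of rotation`, while the observation list earlier in this patch says the fix is to `nest multiple layers of protection at an angle to each other` and `Payload mounting mechanisms` says `a second layer of rotating meshes with a different axis of rotation`; pick one wording for the baseline mitigation and present the gyroscopic mount as the future-work extension of it. The `Other sensing modes` paragraph also lost the one sentence from the removed text that made the idea checkable, namely that drilling holes or slots would show up as `adding an offset to part or all of the pattern`; consider keeping it.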
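Review bot: `\SI{1000}{rpm}` in the appendix hunk (starting at -484) will not compile unless `rpm` has been declared, because siunitx does not predefine that unit; either add `\DeclareSIUnit\rpm{rpm}` to the preamble and write `\SI{1000}{\rpm}`, or write `\SI{1000}{\per\minute}`. The number itself checks out: ω = 2π·1000/60 ≈ 105 rad/s, so a_C = ω²r ≈ 11000 · 0.1 m ≈ 1100 m/s², about 110 g, consistent with `in the order of 1000 m/s² or 100 g`. Nit in the unchanged context line just below: `neglegt` (`neglect`).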