532 Security Techniques leading to uncontrolled program jumps or plain computation errors in the processor. Such faulty behavior could be used to determine secret keys by using the technique of differential fault analysis (DFA), which is described elsewhere in this book. For this reason, it is important for the voltage monitor to also be able to detect very brief voltage peaks or dropouts, in order to protect against typical attacks involving the intentional introduction of processor errors. As an example, in the case of a smart card intended to be used with a supply voltage of 3–5 V, the usual shutdown thresholds are 2.3 V and 6.3 V. These value lie slightly outside the range of 2.7–5.5 V specified by various standards, in order to allow for tolerances in sensor calibration during semiconductor fabrication. Voltage monitoring in particular is highly important for the security of the microcontroller. A conceivable method of attack would be to first use a focused ion beam (FIB) or similar tool to disable the relevant detectors and then start the actual attack. For this reason, the components that are vital to the security of the microcontroller are often specially protected so that manipulation can be detected, causing the smart card to automatically deactivate itself. Another type of sensor that is partly based on the voltage detector is the power-on detector. This detector, which is also present in all chips, recognizes a power-on condition independently of the external reset signal and ensures that the chip is always placed in a defined initial state when power is first applied. The reasons for doing this are similar to those for using voltage monitoring. Protection: frequency monitoring A smart card is always driven by an external clock, so its processing speed is completely determined outside the card. This means that, at least in theory, it is possible to operate the microcontroller in single-step mode. This would provide outstanding opportunities for analyzing the microcontroller, in particular by measuring its current consumption while it is operating (power analysis) and measuring electrical potentials on the surface of the chip. In order to prevent such attacks, a functional component for detecting underfrequency and overfrequency conditions is built into the chip. This eliminates the possibility of reducing the clock rate to unallowable levels. The minimum clock rate stated in most specifications is 1 MHz. However, for technical reasons the underfrequency detector has a wide tolerance range, so the chip usually stops working at around 500 kHz. This ensures that the chip will always work at the minimum specified clock rate of 1 MHz. The upper frequency limit is 5 MHz in most specifications, and typical overfrequency detectors disable the chip at a frequency of approximately 7 MHz. Modern microcontroller hardware is often built such that the chip cannot be used if the clock rate is too high. In order to protect the microcontroller against the dangers of single-step operation, it is naturally necessary to secure the underfrequency detector with protective layers, so that any attempt to tamper with the detector will be recognized. Protection: temperature monitoring A temperature sensor is used in some types of chips, but the benefit of such a sensor is debatable. The chip will not be damaged if the temperature briefly exceeds the specified operating range, and this does not in itself represent an attack. Shutting down the chip in this marginal situation, however, could lead to an artificially increased failure rate without providing the operator of the smart card system with any additional security. 8.2 Smart Card Security 533 Protection: bus scrambling In many smart card microcontrollers, the internal busses that drive the memory are scrambled. This means that the individual bus lines are not laid out next to each other in increasing or decreasing order, but are instead arranged randomly next to each other and ‘swapped’ several times, or even arranged in several layers on top of each other. This represents an additional hurdle for a potential attacker, who does not know which bus line is associated with which address bit or function. Scrambling the bus lines was originally introduced only in a static version, with the same scrambling scheme used on every chip. With static scrambling, it would probably not be all that difficult for an attacker to discover the scrambling scheme over a moderate length of time, and thus be able to take it into account when tapping the busses. The security provided by this technique can be improved by using chip-specific scrambling. This is naturally not achieved by using a different set of exposure masks for the busses of each chip, since this is currently either not technically possible or affordable. Instead, scrambling is performed by randomizer circuits located just ahead of the memory. These can be driven by the chip serial number, for example. This technique is not difficult in terms of semiconductor technology, and it makes life considerably more difficult for someone who tries to tap the bus. Using variable input values for the randomizer makes it possible to achieve chip-specific and session-specific scrambling. CPU data bus with conventional chip layout RAM CPU data bus with chip-specific scrambling data bus with session-specific scrambling RAM data bus with static scrambling CPU RAM CPU RAM different for each microcontroller different for each session or portion of a session Figure 8.28 Bus scrambling in a smart card microcontroller, illustrated using an 8-bit data bus between the CPU and the RAM. The data bus lines shown here represent information flows rather than electrical leads. The encryption units are shown as separate components for the sake of clarity, but they are actually intermingled with the rest of the components in such a manner that they cannot be recognized as separate components, thus making them immune to attack 534 Security Techniques Protection: irreversible switching from the test mode to the user mode All microcontrollers have a test mode that is used for verifying the chips during the fabrication process, and for executing internal test programs while the semiconductors are still in the wafer or after they have been packaged in modules by the manufacturer. The test mode allows types of access to the memory that are strictly forbidden when the chips are later in actual use. However, for technical production reasons, it is an unavoidable requirement to be able to read data from the EEPROM in this mode. The change from the test mode to the user mode must be irreversible. This can be realized by using a polysilicon fuse on the chip. In this case, a voltage is applied to a test point on the chip that is provided for this purpose, and this voltage causes the fuse to melt through. The chip is thus switched into the user mode using hardware. Normally, this cannot be reversed. However, a fuse is by its nature a relatively large structure on the surface of the chip. It is conceivable that the fuse could be mechanically bridged after the removing the part of the passivation layer that covers the fuse. This would put the microcontroller back into the test mode, and the memory could be read out using the extended access options available in this mode. If the complete content of the memory is known, it is easy to clone the smart card that has been read out. Figure 8.29 Photograph of a polysilicon fuse magnified 2000×. The picture on the left shows a fuse that is still intact, while that on the right shows a blown fuse (Source: Giesecke & Devrient) In order to defend against this type of attack, most semiconductor manufacturers have adopted the practice of reserving a portion of the EEPROM for the switchover mechanism, in addition to using a fuse. If a certain unalterable value is located in this part of the memory, the chip has been irreversibly switched to the user mode. Even if the fuse is bridged over, the chip will not return to the test mode, since the additional logical switch in the EEPROM prevents this. The security of the switchover from the test mode to the user mode can be increased even further by a very simple measure. If the microcontroller chip is laid out on the wafer such that the test pads needed to make contact with the chip for performing the tests are simply sawn off when the wafer is divided into individual dice, neither a fuse nor any EEPROM cells are needed to switch between the modes, since the elements needed for the test mode will no 8.2 Smart Card Security 535 Figure 8.30 Photograph of a polysilicon fuse together with a microprobe needle, magnified 500×. A blown fuse could be bridged using a microprobe needle (Source: Giesecke & Devrient) longer be present. It is also be possible to replace the fuse that switches from the test mode to the user mode by a track that is irreversibly broken when the dice are sawn from the wafer. With present-day technology, it is not possible to make a connection to a sawn-through track on the edge of a chip. test pads I/O CLK RST Vcc GND RAM CPU NPU EEPROM ROM cutting lines for sawing the wafer Figure 8.31 One of several possible ways to irreversibly remove the test pads used for testing the CPU and memory of a smart card microcontroller Dynamic analysis and defense: tapping the memory busses of the microcontroller Before the busses between the CPU and the memories of the microcontroller (ROM, EEPROM and RAM) can be tapped, the chip must be exposed and the passivation layer on the top surface of the chip must be removed. The passivation layer protects the chip against oxidation, but it also protects the chip against attack, since its integrity is monitored by sensors. According to Anderson and Kuhn [Anderson 96b], it can be removed by etching with hydrofluoric acid. In 536 Security Techniques addition, a laser cutter 10 can be used to selectively cut openings in the passivation layer at the necessary locations. After the passivation layer has been removed from the entire surface of the chip, or only from selected locations, it would be at least theoretically possible to make contact with the address, data and control busses for the memory using microprobe needles. If it is possible to make electrical connections to all the lines of these three busses, it is very easy to address the individual memory cells and to read any desired regions of the ROM and EEPROM. The chip does not have to be powered for this, and any desired type of connection jig can be used. The consequences of a successful attack using this method would be serious, since in principle it would make all the secret data in the non-volatile memory readable. This method could be extended by making connections to the busses and then operating the chip in the normal manner. In this way, it would be possible to eavesdrop on the complete data traffic between the CPU and the memories, and this could be recorded using a sufficiently fast logic analyzer. As already indicated, it is very difficult to make electrical contact with the individual tracks on the chip. With an 8-bit microcontroller, the number of connections needed for this attack is 16 for the address bus, 8 for the data bus and 1 to 4 for the control bus. In total, at least 25 simultaneous connections would have to be created between an external analysis computer and the tracks on the chip. Even with modern micromanipulator technology, this is currently not possible, due to the very small dimensions of the semiconductor structures. However, it would be possible to use a focused ion beam (FIB) generator, which is commonly used in the semiconductor industry, to implant a sort of electrically conductive contact surface for each bus line. These surfaces then could be used as contact points for microprobe needles. However, the effort required for this is enormous. Even if an attacker succeeded in making these connections, he would still have to determine how the busses have been scrambled before he could successfully read the data. This is because the individual bus tracks are not arranged on the chip in an orderly fashion next to each other, but are instead arranged in an externally unrecognizable manner. If markedly improved technology in the future should make it possible to make connec- tions to the busses of current microcontrollers, that would probably not have any effect on security, since by that time semiconductor structures will have become significantly finer than they presently are. In addition, micromechanical technology will probably always lag behind semiconductor technology, which is based on optical processes. This means that even in the future, this sort of attack will probably not be suitable for significantly weakening the security of smart cards. Dynamic analysis and defense: measuring the current consumption of the CPU Already in 1995, in the first edition of this book, the following statement appeared at this point: ‘The design of the processor is also crucial with regard to security. A smart card processor must have nearly the same current consumption for all machine instructions. Otherwise, conclusions can be drawn regarding the instruction being processed, based on the current consumption. A certain amount of secret information can be deduced from these conclusions.’ The fact that it 10 A laser cutter is a device for drilling and cutting using a high-power laser beam. It has an precision of a fraction of a micron 8.2 Smart Card Security 537 Figure 8.32 An example of using a focused ion beam (FIB) on a semiconductor chip. The track on the surface of the chip running from the top to the bottom of the picture has been separated using an FIB and then connected to a parallel track using a newly deposited metalization structure, which can be seen in the upper part of the picture. This structure was also created using the FIB (Source: Fraunhofer Institute for Integrated Circuits, Component Technology Group) is possible to draw conclusions about the instructions being executed by a processor, and even about the data being processed, by analyzing the current consumption of the processor while it is executing instructions, was thus already known for several years when Paul Kocher, Joshua Jaffe and Benjamin Jun published a paper on simple power analysis (SPA) and differential power analysis (DPA) in June of 1998 [Kocher 98]. 11 The working principle of simple power analysis is relatively straightforward. The current consumption of the microcontroller is determined by measuring the voltage drop across a resistor connected in series with the power supply. Measurements are made at high time res- olution using an analog-to-digital converter. With a high-performance processor, such as a Pentium or PowerPC, it would not be possible to draw any conclusions about the instruc- tions being executed, due to the complexity of the internal processes. However, the relatively simple structures of the 8051 and 6085 CPUs used in smart card microcontrollers result in 11 A detailed summary of this subject can be found in [Kocher 98b] and [Messerges 99] 538 Security Techniques measurable and thus interpretable variations in current consumption, according to the instruc- tions and data being processed. To help clarify the principle, imagine that a particular program sequence with a particular set of data always produces the same plot of processor current versus time. If the same program is then run using different data, the plot of current versus time will be different. This variation is used to determine which data have been processed by the program. + 5 V GND reset clock data transfer resistor R to voltmeter Vcc RST CLK GND RFU I/O Figure 8.33 Circuit diagram of the connections to a smart card microcontroller needed to make simple current measurements using a series resistor Differential power analysis (DPA) can reveal even finer differences in the current consump- tion of a microcontroller than simple power analysis. With the DPA technique, the current consumption is first measured while the microcontroller is processing known data, and then again while it is processing unknown data. The measurements are repeated many times, so that the effects of noise can be eliminated by taking average values. The differences are calculated once the measurements have been completed, and conclusions regarding the unknown data are drawn from the results. In the paper by Kocher et al., ‘high-order differential power analysis’ (HO-DPA) is men- tioned as a further extension of DPA. This involves measuring not only the current consumption of the microcontroller, but also other variables that depend on the program being executed by the processor, such as the electromagnetic radiation of the chip. The measurement information collected in this manner using both known and unknown data can be used in the same way as in the DPA technique to calculate differences, which can then be used to compute the unknown data. These three types of power analysis for smart card microcontrollers represent very se- rious forms of attack on hardware and software that have not been protected by suitable countermeasures. This is because the current consumption of some microcontrollers is defi- nitely dependent on the machine instructions being executed and the data being processed by the instruction. In addition, the cost and complexity of the equipment needed for a successful attack using this method is relatively limited. However, there are several effective countermea- sures based on suitably improved hardware and modified software. 8.2 Smart Card Security 539 NOP (no operation) machine instruction MUL (multiply) machine instruction JMP (jump) machine instruction time current consumption Figure 8.34 Simplified representation of variations in the current consumption of a smart card micro- controller while it is processing several different machine instructions. Besides being dependent on the machine instruction being processed, the current consumption of the processor may also depend on the data being processed The simplest hardware solution is to incorporate a fast-acting voltage regulator in the chip that uses a sense resistor to monitor the current drawn by the microcontroller and ensures that it is independent of the instructions and data. Artificial noise current generators on the chip are also an effective solution. A technically more complicated solution is to use a modi- fied processor design that always draws a constant current. However, all of these approaches slightly increase the power consumption of the microcontroller, which is undesirable in certain application areas, such as telecommunications. An alternative, simpler defense measure can be to activate certain components of the microcontroller that are not needed for the actual process while performing SPA/DPA-critical processes. The CRC checksum generator or numerical coprocessor could be used for this purpose, using random data as input values in order to generate artificial noise in the current consumption. Using randomly generated delays (random wait states) in the processor considerably in- creases the difficulty of synchronizing the data obtained from current analysis, without in- creasing the chip’s current consumption. A similar approach can be used with smart card microcontrollers that have their own on-chip clock generators, by continuously and randomly varying the clock frequency within certain limits. There is presently an immense range of possible software countermeasures. Here we can de- scribe a few representative examples. The simplest approach is to use only machine instructions that have very similar current consumptions. In this case, machine instructions whose current consumption is significantly different from the average level are not allowed to be used in the assembler code. Another approach is to have several different, randomly selected procedures for performing the same computations in cryptographic algorithms. This makes it consider- ably more difficult for the observer to recognize a correlation between known and unknown machine instructions or processed data. In order to make it more difficult to obtain the data needed to successfully perform a power analysis, all keys should be protected by irreversible 540 Security Techniques command to the smart card microcontroller awakens from the sleep state microcontroller re-enters the sleep state command processing in the smart card response frlom the smart card time time I/O lead Figure 8.35 Simplified representation of the current consumption of a smart card microcontroller in the quiescent state and variations in its current consumption during operation. From the current drawn by the microcontroller, it is possible to recognize when it is awakened from the sleep state by the first falling edge on the I/O line, following which it exhibits a continuously varying current consumption that depends on the machine instructions being executed retry counters. In addition, it is necessary to block free access to all commands (such as INTERNAL AUTHENTICATE) that can be used to pass any desired data through a crypto- graphic algorithm in the smart card. If it is essential to use commands of this sort for some reason, the smart card must test the authenticity of the terminal before executing them. Re- stricting the use of the available commands also makes it more difficult to collect reference data for a subsequent power analysis. As a matter of principle, secret data should never be processed bitwise, since doing so considerably simplifies SPA/DPA analysis. When keys have to be loaded into the registers of a cryptoprocessor, in some implementations they are intermixed with random numbers that are also loaded in these registers as dummy values, in order to render the corresponding measurements meaningless. Of course, the true keys must be located in the registers at the end of the loading process. [...]... parameters, together with sending suitable test commands to the smart card microcontroller Smart Card Handbook, Third Edition W Rankl and W Effing C 2004 John Wiley & Sons, Ltd ISBN: 0-470-8 566 8-8 566 Quality Assurance and Testing Many test specifications for large smart card applications are primarily designed with interoperability between smart cards and terminals in mind A good example is the GSM 11.17... smart card systems 544 Security Techniques Vcc GND RST Vpp CLK I/O RFU RFU 18 8 PIC 16F84 1 24LC 16B 1 Figure 8.37 A typical substitute circuit for an smart card microcontroller built using standard discrete components (PIC 16F84 microcontroller and 24LC16B EEPROM memory chip) These components fit into a typical smart card module, so it is not possible to detect any difference from a genuine smart card. .. unknown with smart cards, since there was no technical provision for downloading program code while the card was in use Modern smart card operating systems, however, have mechanisms that allow program code to be downloaded to smart cards after they have been issued to cardholders, and then executed This means that in principle, the conditions necessary for the existence of computer viruses in smart cards... SW1 || SW2 = '6E00' ? yes SW1 || SW2 = '6D00' ? no 2 1 no INS := INS + 1 CLA := CLA + 1 no CLA = 2 56 ? yes end '6D00' represents a non-supported command receive response APDU '6E00' represents a non-supported class no yes command supported by smart card found (= INS) INS = 2 56 ? yes 2 Figure 8.38 Basic procedure for performing an exhaustive search for all commands supported by a smart card operating... working smart card using a plastic card and a standard microcontroller in an SMD package Such a card can at least be made to imitate the electrical Figure 8. 36 Rear view of an opened smart card module The chip at the left is a standard PIC microcontroller that is connected to an EEPROM memory chip at the right by bonding wires and tracks This type of chip module is typically used for cloned smart cards... their self-sufficiency Protection: disabling the smart card The operating system must allow the smart card to be fully disabled This is very important for the final stage of the smart card life cycle Using statistical methods, it is possible to perform very exact analyses of the software in the chip by collecting discarded but still fully functional smart cards To prevent this, mechanisms for completely... Attack and defense: dummy smart cards Probably the simplest imaginable type of attack is to use a smart card that has been custom programmed and includes additional logging and analysis functions Up until a few years ago, this was practically unfeasible, since only a few companies had access to smart cards and the microcontrollers used to produce them Nowadays, though, smart cards and configuration programs... Analysis: determining the command set of a smart card The instruction classes and commands that are supported by a smart card are of course not often published, but it is very easy to determine what they are This is more interesting with regard to completely determining the command set of a smart card than it is for an attack on the security of the smart card However, it is conceivable that an attack...8.2 Smart Card Security 541 SPA/DPA techniques are not just limited to ferreting out secret data stored in smart cards They can also be used for purposes such as convincingly demonstrating that specific program code is used in a smart card This is done by making an SPA analysis of the function in question in the smart card and comparing the current consumption... the relevant Internet sites interface of a real smart card and to behave the same way for data transfers It is now possible to obtain such cards from a wide variety of sources via the Internet New possibilities are also offered by Java technology for smart cards, which makes it easy to generate programs and load them into dummy cards With such a dummy card, it would be possible to record at least a . working smart card using a plastic card and a standard microcontroller in an SMD package. Such a card can at least be made to imitate the electrical Figure 8. 36 Rear view of an opened smart card. Techniques command to the smart card microcontroller awakens from the sleep state microcontroller re-enters the sleep state command processing in the smart card response frlom the smart card time time I/O. without providing the operator of the smart card system with any additional security. 8.2 Smart Card Security 533 Protection: bus scrambling In many smart card microcontrollers, the internal busses