1997-09-15 - Re: TAMPERPROOFING OF CHIP CARDS

Header Data

From: nobody@REPLAY.COM (Anonymous)
To: cypherpunks@cyberpass.net
Message Hash: 11939510fb1dbab1f3964704fa5adf5dfd44370f0b4d647e8b4399b6ccd1e0c8
Message ID: <199709150725.JAA00859@basement.replay.com>
Reply To: <199709120311.XAA10259@users.invweb.net>
UTC Datetime: 1997-09-15 07:35:03 UTC
Raw Date: Mon, 15 Sep 1997 15:35:03 +0800

Raw message

From: nobody@REPLAY.COM (Anonymous)
Date: Mon, 15 Sep 1997 15:35:03 +0800
To: cypherpunks@cyberpass.net
Subject: Re: TAMPERPROOFING OF CHIP CARDS
In-Reply-To: <199709120311.XAA10259@users.invweb.net>
Message-ID: <199709150725.JAA00859@basement.replay.com>
MIME-Version: 1.0
Content-Type: text/plain



One other option for non-destructive reverse engineering is to drive Vcc
with high frequency AC and measure the resonant frequencies on the chip.
(The same is true for the ground pins, but this is complicated because the
substrate is often grounded and introduces a large capacitance.)

This produces a general `map' of the chip, although many of the
frequencies will overlap and be indistinguishable.  To remove the unwanted
noise, it is necessary to damp out the parts of the chip that you're not
interested in.  There are a variety of ways to do this, but one of the
easiest is with the magnetoresistance effect.  Disk drive r/w heads work
well for this.  (It's usually better to magnetize the whole chip and then
unmagnetize the part you want to look at.)

Input pins are most likely connected to an insulated gate, but this will
act like a capacitor, allowing AC into the channel, so we can probe these
to see where they go.  Newer chips have filters on the inputs, which makes
this more difficult.

Once you have selected a target area, turn on the transistor(s) by any of
the usual methods (UV light, electron beam, external E-field... if you're
poor you could try pumping the substrate to induce latch-up, though this
isn't very `selective' in what it turns on).

Two main problems with this technique:  One is that the relevant
resonances are on the order of 10-100 GHz.  Obviously you are not just
going to plug that into your average scope and expect it to work.  The
usual advice is to maintain a reference oscillator and measure the
interference with respect to your `probe'.  If you have access to some of
the newer GaAs amps, you can modulate the signals and then measure the
lower sideband.

The other problem is the finite resolution (even if you have a really good
magnetic head you just can't get close enough to the surface without
destructive techniques).  To a large degree, you have to `brute force'
guess, and see what model best fits the data.  I shouldn't have to explain
the details of this technique to a group of cryptographers.
