From: "William H. Geiger III" <whgiii@invweb.net>
Date: Fri, 12 Sep 1997 11:17:42 +0800
To: cypherpunks@cyberpass.net
Subject: TAMPERPROOFING OF CHIP CARDS
Message-ID: <199709120311.XAA10259@users.invweb.net>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----


The below message was posted to one of my mailing lists and I thought it
amy be of intrest here.



I found this in our database.  I've never seen it before.
I found it pretty interesting, despite being somewhat old.
Truncation in original.

                *       *       *       *       * 

                   TAMPERPROOFING OF CHIP CARDS

                         Ross J. Anderson
             Cambridge University Computer Laboratory
                Pembroke Street, Cambridge CB2 3QG
                Email: ross.anderson@cl.cam.ac.uk

                             Abstract

There are two ways of attacking smartcards - destructive reverse 
engineering of the silicon circuit (including the contents of  ROM), and
discovering the memory contents by other means; a well  equipped
laboratory can do both. Persistent amateurs have often  managed the
latter, and may shortly be able to do the former as  well. 

1 Reverse engineering the chip

A recent article[1] gives a good introduction to how reverse  engineering
can be carried out in a moderately well equipped  academic
microelectronics laboratory (there are three such in the  UK, and perhaps
two hundred academic or industrial facilities  worldwide which can carry
out such work). We will start off by  summarising it and giving some
background. 

1.1 How attacks are done

The authors of the article cited above worked at the Cambridge  University
microelectronics lab, which is part of the department  of physics. They
got interested in reverse engineering chips five  years ago to help an
industrial client locate manufacturing  defects. 

They built an apparatus which consists of a slightly modified  electron
beam lithography machine (this functions in effect as an  electron
microscope) and a PC with an image processing system (a  DCT chip and
locally written software). They then developed  techniques for etching
away a layer at a time without doing too  much damage. Conventional wet
etching causes too much havoc with  half micron chips, so dry etching is
used in which gases such as  CF4 or HF strip off layers of silica and
aluminium in turn. 

One of their innovations is a technique to show up N and P doped  layers
in electron micrographs. This uses the Schottky effect: a  thin film of a
metal such as gold or palladium is deposited on  the chip creating a diode
effect which can be seen with the 
electron beam. 

Finally, image processing software has been developed to spot the  common
chip features and reduce the initially fuzzy image of the  metal tracks
into a clean polygon representation. There are also  routines to get
images of successive layers, and of adjacent  parts of the chip, in
register. 

The system has been tested by reverse engineering the Intel 80386  and a
number of other devices. The 80386 took two weeks; it takes  about six
instances of a given chip to get it right. The output  can take the form
of a mask diagram, a circuit diagram or even a  list of the library cells
from which the chip was constructed. 

This is typical of the kind of attack which an academic lab can  mount.
Even more sophisticated attacks, invented at Sandia  National laboratories
and recently published[2], involve looking  through the chip.
Light-Induced Voltage Alteration is a non-
destructive technique that involves probing operating ICs from  the back
side with an infrared laser to which the silicon 
substrate is transparent. The photocurrents thus created allow  probing of
the device's operation and identification of logic  states of individual
transistors. Low-Energy Charge Induced  Voltage Alteration relies on a
surface interaction phenomenon  that produces a negative
charge-polarization wave using a low-
energy electron beam generated by a scanning electron microscope.  This
allows imaging the chip to identify open conductors and  voltage levels
without damage, although it does not operate  through metalization layers.


Of course, even more sophisticated techniques may be available in 
classified government facilities. 

1.2 The threat to smartcard systems

Smartcards typically have a few kilobytes of ROM, which being  metal can
be read with the above techniques; a few hundred bytes  of RAM, which
being cleared between transactions stores no long  term secrets; and a few
kilobytes of EEPROM, which typically  holds the user data and key
material. 

The techniques described above are not directly relevant to 
reading out EEPROM. However any laboratory at the level under 
consideration would be able to determine EEPROM contents using  microprobe
techniques. More simply, a reverse engineering 
operation would pinpoint the physical location of the write 
protect bit, which could then be reset using ultraviolet light. 

As mentioned, the number of organisations worldwide which can do  electron
beam lithography is of the order of 100-200. These 
potential attackers include a number of universities, all the big  chip
makers and the governments of the USA, Canada, the UK and  China. Of
these, the US and Chinese governments appear to have  the greatest
experience at chip breaking. 

For a respectable firm to join this club costs about $2m - $1.5m  for the
electron beam lithographer and ancilliary equipment, plus  a year's salary
for about five professionals to get it all going  (typically a physicist
to deal with the ion beams, a chemist to  deal with packaging, two
computer people to write software, and a  chip person to run the whole
operation). 

The number of club members may rise as more and more firms, 
especially in the Far East, start producing ASICs. However it is  not
likely that electron beam lithography will ever become a  really
widespread technology. The total number of sites with the  capability to
do regular hi-tech attacks might rise to about 1000  at most. 

An outsider without $2m still has a number of options. For ex-
ample, there are three universities in the UK alone which possess  the
necessary equipment (Cambridge, Edinburgh and Southampton)  and an
attacker might enrol for a PhD or other degree in order to  acquire access
and training. It is also possible to use more  primitive equipment at the
cost of spending months rather than  weeks on each reconstruction; this is
apparently the approach of  the Chinese government, and could be viable
where workers are  paid little (or are expecting a share of large criminal
profits). 

Finally, there are apparently places in the Far East, and at  least one in
Silicon Valley, which reverse engineer chips for  cash. How much cash, and
how many questions would be asked, are  not known to this writer. 

1.3 Possible defences

A number of copy trap features are incorporated into commercial  chip
designs. For example, we have heard of design elements that  look like a
transistor, but are in reality only a connection  between gate and source;
and 3-input NORs which function only as  2-input NORs. 

Many of these copier traps are based on holes in isolating layers  or on
tricks done in the diffusion layer with ion implantation  (based on the
assumption that it is hard to distinguish N from  P). However the layer
etching and Schottky techniques developed  by Haroun Ahmed's team can
detect such traps. 

Another possibility is to introduce complexity into the chip  layout and
to use nonstandard cell libraries. However the chip  still has to work,
which limits the complexity; and nonstandard  cells can be reconstructed
at the gate level and incorporated in  the recognition software. 

Finally, in the Clipper chip there are a number of silicon 
features, of which the most important is a fusible link system.  These
links are only fused after fabrication and hold the long  term key and
other secret aspects of the chip. Details can of  course be found in a
paper in the relevant data book[3], and from  the scanning electron
micrographs there, it is clear that the  secret information can be
recovered by sectioning the chip. This  technique has been used by
Professor Ahmed's team on occasion on  obscure features in other chips. 

Thus the effect of current silicon level copy traps is just to  slow down
the attacker. In fact, we have heard from a usually  reliable source that
Intel has reverse engineered the Clipper  chip, but that the results have
been classified. 

The same appears to be the case for chemical measures. Chips  intended for
classified military use are often protected by 
passivation layers of a tenacity never encountered in civilian 
packaging[4]. But here again, informed sources agree that with  enough
effort, techniques can be developed to remove them. 

1.4 Relevance to smartcard products

We understand that neither silicon copy traps not advanced 
passivation techniques are used by smartcard manufacturers in the  bulk of
their products. The marketing director of a smartcard  manufacturer said
that they simply had no demand from their users  for anything really
sophisticated[5]. The most that appears to be  done is an optical sensor
under an opaque coating[6]. 

Hi-tech techniques may indeed have been used by commercial 
pirates to duplicate satellite TV smartcards[7]. 

Recent postings to a TV hackers' mailing list recount how an 
undergraduate used nitric acid and acetone to remove ICs intact  from
Sky-TV smartcards; he then put them in the University's  electron beam
tester (an ICT 8020, also sold as the Advantest E  1340 - a 1991 machine).
The chips were run in a test loop, but he  had been unable to remove the
silicon nitride passivation layer;  the many secondary electrons removed
from this caused it to get  charged positive very quickly, which obscured
the underlying  circuit. He did not have access to a dry etching facility
to  remove this layer, and could get no further. However it is 
significant that a person with no funding or specialist knowledge  could
get even this far. 

However, amateur hackers have managed to break smartcard security  without
having to penetrate the device physically. Instead, they  have used flaws
in the design of the card's hardware or software  to determine its
contents. 

2 Determining the EEPROM contents

Many methods have been employed to determine the EEPROM contents  of
smartcards. In addition to the very general reverse  engineering
techniques described above, there are a lot of  shortcut attacks on
particular designs. 

2.1 How attacks are done

The following list is not exhaustive: 

o   raising the supply voltage above its design limit; 

o   cutting the supply voltage below its design limit; 

o   resetting random memory locations using ultraviolet light 
    until the read protect bit is found; 

o   exploiting misfeatures in the hardware, including the 
    manufacturer supplied ROM code; 

o   exploiting misfeatures in the customer written EEPROM code 
    (current attacks on UK satellite TV systems take this route); 

o   some combination of the above. 

The appendix contains accounts from a hacker mailing list of two  actual
attacks carried out on chips. 

2.2 Threat assessment

All systems have bugs, and so the level of threat to smartcard  systems
presented by exploitable loopholes is a function of how  many bugs remain
(i.e. how mature the design is) and how much  effort is spent in looking
for them (i.e. how many motivated  attackers there are). This in turn
depends on the application  area. 

Satellite TV systems attracted a great many attackers for 
historical reasons; in the USA, many rural households had got  into the
habit of watching satellite TV feeds as there were no  terrestrial
stations in range, even although these feeds were  intended for
rebroadcast rather than direct consumption. When the  feeds were
encrypted, the families who depended on them for their  news and
entertainment - and often could not buy decoders through  any legal
channel - were outraged. 

In Europe, a similar problem arose when the final season of 'Star  Trek:
The Next Generation' was encrypted. This program's fans  included many
with appropriate skills, and soon (March 94) there  appeared a program
called Season which decoded Sky TV. 

Since then, there has been a battle of wits between Sky and the  Trekkies,
which has probably cost Sky somewhere between $10 
million and $100 million. On May 18th 1994, Sky changed from  issue 07
cards to their new issue 09 card. Hackers refer to May  18th as Dark
Wednesday. The 09 card proved harder to hack but a  temporary solution
appeared in June. It only lasted a few weeks  before Sky changed codes
again. Though some attempts at an issue  09 Season were made, a code
change by Sky stopped it until just  before Christmas. 

Then no less than three new versions of Season appeared - two for  the PC
and one for the MAC. Successive code changes on January  4th and January
25th led to further updates of Season, and by  about 8th March all the
secrets in the Sky 09 card were known -  and published! Hackers are
awaiting the release of series 10 Sky  cards with relish. 

In addition to the attacks on satellite TV, there have been a  number of
attacks on banking systems and prepayment electricity  meter systems which
are documented in three of my recent papers  [8, 9, 10] Most of the
attacks documented there resulted from  similarly opportunistic
exploitation of design and operational  errors, and some of the target
systems were based on smartcards. 

Finally, some concern has been expressed that attack skills may  be
transferable. For example, a banking industry security expert  is worried
that the satellite TV hacking community might next  turn its attention to
eftpos systems. 

2.3 Possible defences

The main conclusion to be drawn from the above is probably that  just as
we do not know how to make a device which resists 
tampering by a funded organisation, we do not know how to build a  device
of any complexity to resist logical as opposed to physical  tampering. 

There are a number of other lessons. For example, companies which  rely on
smartcard systems should if possible avoid making a lot  of enemies.
Diversity of attack has been significant in pay-TV,  metering and banking
systems and just as a funded organisation  can break the silicon directly,
so one must expect that many  tinkering amateurs will eventually find a
flaw in any piece of  software. It is well known in the software testing
community that  a significant number of bugs come to light when a piece of

software is passed on to another tester or to a customer; this is  because
different testers and/or users exercise different parts  of the input
space[11]. 

It is also imprudent to start off with weak security and then  improve it
gradually in response to attacks. The satellite TV  people did this, and
trained up a community of hackers. At some  point, you must invest enough
to put clear water between your  systems and your opponents, and the
sooner you make this  investment the smaller it is likely to be. 

The main investment should be in getting the overall design 
right, or at least as right as one can, from the beginning. It is  unwise
to spend a lot of money on tamperproofing while ignoring  the much simpler
and dirtier attacks which exploit errors in  design and operation. Quality
control, and examination by 
multiple independent experts, should take priority over attempts  to mimic
the passivation techniques used by the military. 

After all, the three published attacks on Clipper all involve the  logical
design (key management protocols and modes of operation)  rather than
penetration of the device itself. 

3 Conclusion

At present, there are no portable tamperproof devices. If secrets  are
held on smartcards which are allowed outside protected  spaces, then both
physical and logical attacks should be 
expected. 

The scale of such attacks will depend on many things. If there is  a
capable motivated opponent, such as a chip maker or the  government of a
NATO country or China, then it must be assumed  that a complete
penetration will take at most weeks. If there are  many less capable but
still motivated opponents, then 
penetrations based on the opportunistic exploitation of design  flaws are
to be expected in due course. 

We conclude that systems based on portable tamper-resistant 
devices should be designed with caution. They should avoid 
motivating a determined attack on the cards, and the penetration  of a
small number of cards should not be fatal to the system  owner. 

These considerations interact; for example, if the scope of 
secrets kept within the card is limited so that breaking a card  allows
access to only one bank account, then it is unlikely that  an attack would
be economic to an attacker or prove more than a  minor nuisance to the
card issuer. 


                             APPENDIX

First account

This short essay will show you how to read the EPROM of an 
AMD87C51, with all security programmed. 

.... the SM-card I had was programmed with both Lock bits and it  was
impossible to read out the IROM. 

But the data sheet also tells: 
    To ensure proper functionality of the chip, the internally 
    latched value of the EA pin must agree with its external 
    state. 

Perhaps it was possible to confuse the processor. 

I build a small device with external EPROM (64KBytes) and RAM.  The EPROM
was coded with a monitor program in the upper address  range which gives
me the possibility to load and execute code by  control of a PC. Starting
the processor with external ROM access  disables the access of the
internal ROM and due to the latching  of the EA pin during RESET, changes
at the EA pin had no effect.  Also the MOVC returns only external ROM
values. 

Know my idea was to start the processor with internal ROM and  then to
confuse him so that he accesses the external EPROM and  run into the
monitor program. 

I tried ...

But reduction of the power supply voltage works. At about 1,5  Volt the
processor starts to access the external ROM. Rising the  voltage back to 5
Volt the processor (most of the times) still  run external, but with the
possibility of access to the internal  ROM... 

I programmed a small routine, which calls an address within the  internal
ROM and execute this. I started at the higher end of the  internal ROM and
decreased the calling address with each try by  10h. Most of the time the
processor hangs up. But at some 
addresses I got a return to the monitor program. So I analysed  this
addresses and prepared the registers in a way to verify that  the routine
could read ROM data. And I found the routine which  did this. So the
internal ROM code reads itself and returns  himself to the monitor program
for storage. It took about 3 days  to go through the ROM and find the
routine and one long week to  understand the code. 

Second account

This short story shows how to get access to a secured 87C51 
microcontroller. It's a different way, than the one described by  .....
Referring to his article, I assume, that this 87C51  microcontrollers and
their features (including security bits) are  known. 

The idea was, that the security bits are not located near the  EPROM array
on the silicon. After some tests in erasing standard  EPROMS, I had the
right tools to try it on a real device: With a  mask designed from black,
thick paper with a small hole in it, I  started to lighten the silicon on
the outer edges and sides.  Moving the mask carefully and checking the
security bits (by  reading the device in a microcontroller programmer)
after each  try is a long job. I did additional tests to open the chip (by
 removing the windows or dividing the ceramic carrier material).  But this
always led to permanent damage to the chip (broken 
silicon, destroyed wires between pads and pins), so I gave this  up. So
after 4 destroyed chips the fifth was the right one. You  have to be sure,
that your mask is good prepared and the erasing  light doesn't diffuse
across the chip. No I'am able to erase such  a device in less than 10
minutes. But ... it's only easy if the  device is one of AMD or Philips.
The Intel devices have a window,  which is formed like a lens (the silicon
looks very big). On this  devices it's nearly impossible to lighten a
specific part of the  silicon. The job is easier on devices with standard
window and a  _big_ EPROM Array (seems to be devices aged two or more
years). 


                                         . . . if somebody is  interested
in the 4K codes of the MasterCard (bad and dirty code)  or MovieCard (very
elegant algorithm and i/o implementation),  just gimme' a direct mail.
Disassembled and commented listings in  WinWord format are also available
(comments in mixed English and  German language). 


                            REFERENCES

[1]  'Layout Reconstruction of Complex Silicon Chips', S Blythe, B 
     Fraboni, S Lall, H Ahmed, U de Riu, IEEE J. of Solid-State 
     Circuits v 28 no 2 (Feb 93) pp 138-145 

[2]  'Two New Imaging Techniques Promise To Improve IC Defect 
     Identification', C Ajluni, Electronic Design Vol 43 No 14 (10 
     July 1995) pp 37-38 

[3]  'Conducting Filament of the Programmed Metal Electrode 
     Amorphous Silicon Antifuse', KE Gordon, RJ Wong, 
     International Electron Devices Meeting, Dec 93; reprinted as 
     pp 6-3 to 6-10, QuickLogic Data Book, 1994 

[4]  see FIPS PUB 140-1 section 4 level 4: &quot;Removal of the coating 
     shall have a high probability of resulting in serious damage 
     to the module&quot; 

[5]  Philippe Maes, GemPlus, during a panel discussion at Cardis 
     94 

[6]  message &lt;CovCG9.581@apollo.hp.com&gt; posted by Anne Anderson of 
     Hewlett-Packard aha@apollo.HP.COM to sci.crypt 26 Apr 1994 

[7]  apparently tiny jets of hot acid have been used to remove the 
     passivation layers over parts of the chip at a time 

[8]  'Why Cryptosystems Fail'

[9]  'Liability and Computer Security - Nine Principles'

[10] 'Cryptographic Credit Control in Pre-payment Metering 
     Systems' All these can be got from 
     http://www.cl.cam.ac.uk:/users/rja14/

[11] 'Thermodynamic description of the defects in large 
     information processing systems', RM Brady, RC Ball, RJ 
     Anderson, to appear


- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://www.amaranth.com/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html                        
- ---------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNBimLI9Co1n+aLhhAQGVFAP9F/tJe/iAeghu8+FPHsJMoaYXzQT05MTr
KAo4ibq7Qe+zJaIOEfMRc8sjRJgVjBHeey7XD0ApvRX9SK0wY0x44KxruBTJqzSq
x/o7jiI8efMBTLuIuJzPqnMYsMYdCrcgmRDzyMj+TSI8cFu5NZKkSaSWVajtq7D1
svv5/ACuQos=
=GfBt
-----END PGP SIGNATURE-----