Extracting a 3DES key from an IBM 4758
Part 1: What is an IBM 4758?
Photo of IBM 4758 Cryptographic Coprocessor (courtesy of Steve Weingart)
The IBM 4758 is a commercially available cryptoprocessor. It was the first such device to have been successfully evaluated to the highest level of tamper resistance, the US Government standard called FIPS 140-1 level 4 [1]. It is also of interest because there is a great deal of publicly available documentation regarding its design evolution [2], protection mechanisms [3,4] and the transaction set it supports [5].
To understand the substantial physical security provided by the IBM 4758, a history lesson is necessary... (a longer version of this account appears in Chapter 14 of Ross Anderson's book [6])
The arrival of multi-user operating systems in the 1960s showed that it was extremely difficult to process sensitive data on a computer and protect it from other programs running on the same computer. The operating systems were meant to provide protection, but in practice there were bugs and design limitations that meant that cryptographic keys and personal identification numbers (PINs) were always at risk. This led to the development of standalone "security modules" such as the IBM 3848 and the VISA security module. These were basically just microprocessors in robust metal enclosures. When you opened the lid the power supply was disabled and they "forgot" their sensitive information.
The obvious attack is to drill through the lid; so devices acquired photocells and tilt devices. Later, it was realised that substantial protection could be acquired by "potting" the device in a block of epoxy resin. The idea was that the device would be "tamper evident" in that the epoxy would be damaged -- and since the device was in a secure location, someone might notice you drilling into it.
However, if you could get a few minutes alone with the device, it turned out to be possible to scrape away the epoxy with a knife and drop a logic analyser probe onto the microprocessor bus. Cryptographic algorithms like RSA and DES have the unfortunate property that monitoring a single bitplane during the computation allows access to the key [7]. So anyone looking like a maintenance engineer who can get a logic analyser near the device has a reasonable chance of obtaining secret key material.
The response to this threat was the development of tamper-sensing barriers. On the IBM µABYSS system [3] this was 40 gauge nichrome wire wound around the device before it was embedded in the epoxy. If you mount a physical attack on the epoxy then you break the wire and the keys are erased. In the IBM 4758 this type of protection has been significantly enhanced. It has four overlapping zig-zag conducting patterns doped into a urethane sheet which in turn is potted in a chemically similar substance. An attacker has difficulty detecting the conductive path and attempts to remove the potting material are very likely to damage it.
Other types of attack relate to memory remanence. If keys are stored in the same place in RAM forever then those locations will "remember" the values even when the power is removed. Devices attempt to avoid this [8] by techniques such as constant movement of values from place to place, rather as a screen saver avoids "burning" patterns onto a VDU screen.
If you can get the memory very cold (below -20 degrees C) then it will maintain its contents for many minutes [9] -- long enough for a physical attack to get through the outer protective layers. The 4758 detects changes of temperature and erases the key material if it starts getting chilly. Similar issues arise if you bombard the memory chips with X-rays. So the 4758 has a radiation sensor as well.
Computers also leak electromagnetic signals, or consume different amounts of power depending upon what they are doing. So-called "Tempest" or "power analysis" looks for these signals and deduces what calculations the processor is performing. The 4758 has solid aluminium shielding and a low-pass filter on the power supply to minimise this type of radiation.
So all in all, the IBM 4758 is a pretty secure device from a physical point of view. There's no known attack upon it.
[2] S W Smith, S H Weingart, "Building a High-Performance, Programmable Secure Coprocessor", Computer Networks (Special Issue on Computer Network Security) 31: pp 831-860. (April 1999) http://www.cs.dartmouth.edu/~sws/papers/cn99.pdf
[3] S H Weingart, "Physical Security for the µABYSS System", in Proceedings of the 1987 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, pp 52-58.
[4] S H Weingart, S R White, W C Arnold, G P Double, "An Evaluation System for the Physical Security of Computing Systems", in Sixth Annual Computer Security Applications Conference (Dec 3-7, 1990) Tucson Az. Proceedings published by the IEEE (1990), pp 232-243.
[5] IBM PCI Cryptographic Coprocessor Library http://www-3.ibm.com/security/cryptocards/html/library.shtml
[7] H Handschuh, P Paillier, J Stern, "Probing Attacks on Tamper-Resistant Devices", in "Cryptographic Hardware and Embedded Systems -- CHES 99", Springer LNCS 1717, pp 303-315. http://www.di.ens.fr/~stern/data/St78.pdf
[8] Department of Defense, "A Guide to Understanding Data Remanence in Automated Information Systems", NCSC-TG-025 (1991). [usually known as 'The Forest Green Book']