Difference between revisions of "Summerschool Aachen 2004/Hardware Hacking Presentation"
Mario Manno (talk | contribs) (copy) |
Mario Manno (talk | contribs) |
||
(One intermediate revision by the same user not shown) | |||
Line 54: | Line 54: | ||
* changing power, frequency, temperature, light | * changing power, frequency, temperature, light | ||
* skip unwanted functions/control statements | * skip unwanted functions/control statements | ||
+ | |||
+ | ==Notes from Presentations== | ||
+ | |||
+ | === TEMPEST === | ||
+ | |||
+ | For those interested in TEMPEST attacks and defences, including both radio and optical based techniques, [http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-577.pdf Markus Kuhn's PhD thesis] covers this area well, but is long. If you don't want to read all of it, there are shorter papers on [http://www.cl.cam.ac.uk/~mgk25/ieee02-optical.pdf Optical TEMPEST] and [http://www.cl.cam.ac.uk/~mgk25/pet2004-fpd.pdf Radio TEMPEST on LCD screens] (which also mentions the anti-TEMPEST fonts). There is also an [http://www.cl.cam.ac.uk/~mgk25/emsec/optical-faq.html FAQ on Optical TEMPEST]. | ||
+ | |||
+ | -- [[Steven Murdoch]] | ||
+ | |||
+ | === Locks === | ||
+ | |||
+ | If you are interested in lock picking the [http://www.lysator.liu.se/mit-guide/mit-guide.html MIT Guide to Lock Picking] is a good start. | ||
+ | |||
+ | One of my friends works in [http://www.hmprisonservice.gov.uk/prisoninformation/locateaprison/prison.asp?id=254,15,2,15,254,0 Belmarsh high security prison]. They apparently use keys which have a magnetic combination, since there was a problem where inmates would look at the shape of the original key held by a prison officer and make replacement keys by hand. | ||
+ | |||
+ | -- [[Steven Murdoch]] | ||
+ | |||
+ | === Tampering === | ||
+ | |||
+ | At Cambridge, the [http://www.cl.cam.ac.uk/Research/Security/tamper/ TAMPER Lab] does most of the work investigating hardware security. In particular [http://www.cl.cam.ac.uk/~sps32/ Sergei Skorobogatov's website] is worth looking at. | ||
+ | |||
+ | -- [[Steven Murdoch]] | ||
+ | |||
+ | |||
+ | |||
+ | [[Category:Summerschools]] |
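Review bot: the new top-level heading is written `==Notes from Presentations==` without the inner spaces that the added `=== TEMPEST ===`, `=== Locks ===` and `=== Tampering ===` subheadings use, and three empty lines are added ahead of `[[Category:Summerschools]]`. Suggest matching the heading spacing and keeping a single blank line before the category tag. The hand-typed `-- [[Steven Murdoch]]` after each note could also be replaced by one attribution for the whole section.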
Latest revision as of 04:40, 26 November 2004
Presentation Summary
Introduction
- Security by using obscure screws, non-public systems
- Security by obscurity
Locks
- LINK MIT Lockpicking Guide
- Keys can be memorized
- Master keys possible because of "spacer pins"
- Lockpicking, types of tools
- picks: spanner, snake
- pull the mechanism directly, evading the lock
- automated equipment, using vibrating pins
- magnetic fields, used against locks which hold their pins with magnets
- High Security Locks, 15 pin positions (slits) in a row, 3 pins at a given position
- Master keys may be "bruteforced" by elevating single pins consecutively, if you have a working single key
- Circular locks defeated by empty pen casing
Tampering - opening things you shouldn't
- LINK presentations from "kingpin" by the l0pht - http://www.grandideastudio.com/portfolio
- glue melts faster than casing
- PAPERS Chrysalis (Steven J. Murdoch)
- logic analyzers (used to watch e.g. 16 wires)
- hardware gets obfuscated on a regular basis
- protection against tampering by adding plastic framing to chips, etc.
- JTAG interface to hardware devices for "debugging"
- show supported flash
- reflash
- PAPER Keeping Secrets: Opening the XBOX (Andrew Huang)
- PAPER Low Cost Attacks on Tamper Resistant Devices (Ross Anderson, Markus G. Kuhn)
- PAPER Design Principles for Tamper-Resistant Smartcards (Oliver K)
- Chip layout rendered by 3d microscope imaging
- test circuits protected by fuses, burnt upon delivery
Tempest
- Electromagnetic emanations
- Use tinfoil to protect your thoughts whenever possible
- Tempest attacks against SVGA are not simple
- PAPER Soft Tempest (Ross Anderson, Markus G. Kuhn)
- Tempest for Eliza, plays music on a radio by drawing patterns on a monitor
- Optical Tempest, samples brightness changes in the room, effective
- watch LEDs to capture bits from data lines that are connected directly to the LED; does not work on Ethernet
Side Channels
- used on smart cards
- Simple Power Analysis
- Timing Analysis
- Differential Power Analysis
- PAPER Power Analysis Tutorial (Manfred Aigner, Elisabeth Oswald)
- PAPER Physical Side-Channel Attacks on Cryptographic Systems (N.P.Smart)
Fault Injection
- changing power, frequency, temperature, light
- skip unwanted functions/control statements
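A countermeasure to the statement-skipping faults listed above, as an added example that is not part of the original presentation notes: a fail-open check beside a fail-closed one, run under a constructed software fault model. The `STEP` macro, `glitch_step`, the reference PIN and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRANT 0x3CA5u  /* verdict tokens differ in all 16 bits, */
#define DENY  0xC35Au  /* so a few flipped bits cannot turn DENY into GRANT */

/* Constructed fault model: the guarded step with this index is skipped (-1 = none). */
static int glitch_step = -1, step_no;
#define STEP(stmt) do { if (step_no++ != glitch_step) { stmt; } } while (0)

/* OR of all byte differences; no early exit, so the runtime does not depend on the data. */
static uint8_t diff(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d;
}

/* Fail-open: one skipped statement leaves ok at its permissive default. */
unsigned naive_check(const uint8_t *pin, const uint8_t *ref, size_t n) {
    unsigned ok = GRANT;
    STEP(if (diff(pin, ref, n) != 0) ok = DENY);
    return ok;
}

/* Fail-closed: default deny, the comparison is done twice, and the
   `ran` counter proves that both comparison steps actually executed. */
unsigned hardened_check(const uint8_t *pin, const uint8_t *ref, size_t n) {
    unsigned result = DENY, ran = 0;
    uint8_t d1 = 0xFF, d2 = 0xFF;
    STEP(d1 = diff(pin, ref, n); ran += 1);
    STEP(d2 = diff(ref, pin, n); ran += 2);
    STEP(if (d1 == 0 && d2 == 0 && ran == 3) result = GRANT);
    return result;
}

/* Run one check with a fault injected at `step` and return its verdict. */
unsigned run(unsigned (*check)(const uint8_t *, const uint8_t *, size_t),
             const char *pin, int step) {
    static const uint8_t ref[4] = { '4', '2', '7', '1' };  /* constructed PIN */
    glitch_step = step; step_no = 0;
    return check((const uint8_t *)pin, ref, sizeof ref);
}

int main(void) {
    printf("naive, wrong PIN, step 0 skipped:    %#x\n", run(naive_check, "0000", 0));
    printf("hardened, wrong PIN, step 0 skipped: %#x\n", run(hardened_check, "0000", 0));
    return 0;
}
```

On real firmware the redundant comparison has to survive the optimiser (for example through `volatile` accesses), and a single skipped step on a correct PIN yields a denial rather than a grant.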
Notes from Presentations
TEMPEST
For those interested in TEMPEST attacks and defences, including both radio and optical based techniques, Markus Kuhn's PhD thesis covers this area well, but is long. If you don't want to read all of it, there are shorter papers on Optical TEMPEST and Radio TEMPEST on LCD screens (which also mentions the anti-TEMPEST fonts). There is also an FAQ on Optical TEMPEST.
Locks
If you are interested in lock picking, the MIT Guide to Lock Picking is a good start.
One of my friends works in Belmarsh high security prison. They apparently use keys which have a magnetic combination, since there was a problem where inmates would look at the shape of the original key held by a prison officer and make replacement keys by hand.
Tampering
At Cambridge, the TAMPER Lab does most of the work investigating hardware security. In particular Sergei Skorobogatov's website is worth looking at.