[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
TAMPERPROOFING OF CHIP CARDS
-----BEGIN PGP SIGNED MESSAGE-----
The below message was posted to one of my mailing lists and I thought it
amy be of intrest here.
I found this in our database. I've never seen it before.
I found it pretty interesting, despite being somewhat old.
Truncation in original.
* * * * *
TAMPERPROOFING OF CHIP CARDS
Ross J. Anderson
Cambridge University Computer Laboratory
Pembroke Street, Cambridge CB2 3QG
Email: [email protected]
There are two ways of attacking smartcards - destructive reverse
engineering of the silicon circuit (including the contents of ROM), and
discovering the memory contents by other means; a well equipped
laboratory can do both. Persistent amateurs have often managed the
latter, and may shortly be able to do the former as well.
1 Reverse engineering the chip
A recent article gives a good introduction to how reverse engineering
can be carried out in a moderately well equipped academic
microelectronics laboratory (there are three such in the UK, and perhaps
two hundred academic or industrial facilities worldwide which can carry
out such work). We will start off by summarising it and giving some
1.1 How attacks are done
The authors of the article cited above worked at the Cambridge University
microelectronics lab, which is part of the department of physics. They
got interested in reverse engineering chips five years ago to help an
industrial client locate manufacturing defects.
They built an apparatus which consists of a slightly modified electron
beam lithography machine (this functions in effect as an electron
microscope) and a PC with an image processing system (a DCT chip and
locally written software). They then developed techniques for etching
away a layer at a time without doing too much damage. Conventional wet
etching causes too much havoc with half micron chips, so dry etching is
used in which gases such as CF4 or HF strip off layers of silica and
aluminium in turn.
One of their innovations is a technique to show up N and P doped layers
in electron micrographs. This uses the Schottky effect: a thin film of a
metal such as gold or palladium is deposited on the chip creating a diode
effect which can be seen with the
Finally, image processing software has been developed to spot the common
chip features and reduce the initially fuzzy image of the metal tracks
into a clean polygon representation. There are also routines to get
images of successive layers, and of adjacent parts of the chip, in
The system has been tested by reverse engineering the Intel 80386 and a
number of other devices. The 80386 took two weeks; it takes about six
instances of a given chip to get it right. The output can take the form
of a mask diagram, a circuit diagram or even a list of the library cells
from which the chip was constructed.
This is typical of the kind of attack which an academic lab can mount.
Even more sophisticated attacks, invented at Sandia National laboratories
and recently published, involve looking through the chip.
Light-Induced Voltage Alteration is a non-
destructive technique that involves probing operating ICs from the back
side with an infrared laser to which the silicon
substrate is transparent. The photocurrents thus created allow probing of
the device's operation and identification of logic states of individual
transistors. Low-Energy Charge Induced Voltage Alteration relies on a
surface interaction phenomenon that produces a negative
charge-polarization wave using a low-
energy electron beam generated by a scanning electron microscope. This
allows imaging the chip to identify open conductors and voltage levels
without damage, although it does not operate through metalization layers.
Of course, even more sophisticated techniques may be available in
classified government facilities.
1.2 The threat to smartcard systems
Smartcards typically have a few kilobytes of ROM, which being metal can
be read with the above techniques; a few hundred bytes of RAM, which
being cleared between transactions stores no long term secrets; and a few
kilobytes of EEPROM, which typically holds the user data and key
The techniques described above are not directly relevant to
reading out EEPROM. However any laboratory at the level under
consideration would be able to determine EEPROM contents using microprobe
techniques. More simply, a reverse engineering
operation would pinpoint the physical location of the write
protect bit, which could then be reset using ultraviolet light.
As mentioned, the number of organisations worldwide which can do electron
beam lithography is of the order of 100-200. These
potential attackers include a number of universities, all the big chip
makers and the governments of the USA, Canada, the UK and China. Of
these, the US and Chinese governments appear to have the greatest
experience at chip breaking.
For a respectable firm to join this club costs about $2m - $1.5m for the
electron beam lithographer and ancilliary equipment, plus a year's salary
for about five professionals to get it all going (typically a physicist
to deal with the ion beams, a chemist to deal with packaging, two
computer people to write software, and a chip person to run the whole
The number of club members may rise as more and more firms,
especially in the Far East, start producing ASICs. However it is not
likely that electron beam lithography will ever become a really
widespread technology. The total number of sites with the capability to
do regular hi-tech attacks might rise to about 1000 at most.
An outsider without $2m still has a number of options. For ex-
ample, there are three universities in the UK alone which possess the
necessary equipment (Cambridge, Edinburgh and Southampton) and an
attacker might enrol for a PhD or other degree in order to acquire access
and training. It is also possible to use more primitive equipment at the
cost of spending months rather than weeks on each reconstruction; this is
apparently the approach of the Chinese government, and could be viable
where workers are paid little (or are expecting a share of large criminal
Finally, there are apparently places in the Far East, and at least one in
Silicon Valley, which reverse engineer chips for cash. How much cash, and
how many questions would be asked, are not known to this writer.
1.3 Possible defences
A number of copy trap features are incorporated into commercial chip
designs. For example, we have heard of design elements that look like a
transistor, but are in reality only a connection between gate and source;
and 3-input NORs which function only as 2-input NORs.
Many of these copier traps are based on holes in isolating layers or on
tricks done in the diffusion layer with ion implantation (based on the
assumption that it is hard to distinguish N from P). However the layer
etching and Schottky techniques developed by Haroun Ahmed's team can
detect such traps.
Another possibility is to introduce complexity into the chip layout and
to use nonstandard cell libraries. However the chip still has to work,
which limits the complexity; and nonstandard cells can be reconstructed
at the gate level and incorporated in the recognition software.
Finally, in the Clipper chip there are a number of silicon
features, of which the most important is a fusible link system. These
links are only fused after fabrication and hold the long term key and
other secret aspects of the chip. Details can of course be found in a
paper in the relevant data book, and from the scanning electron
micrographs there, it is clear that the secret information can be
recovered by sectioning the chip. This technique has been used by
Professor Ahmed's team on occasion on obscure features in other chips.
Thus the effect of current silicon level copy traps is just to slow down
the attacker. In fact, we have heard from a usually reliable source that
Intel has reverse engineered the Clipper chip, but that the results have
The same appears to be the case for chemical measures. Chips intended for
classified military use are often protected by
passivation layers of a tenacity never encountered in civilian
packaging. But here again, informed sources agree that with enough
effort, techniques can be developed to remove them.
1.4 Relevance to smartcard products
We understand that neither silicon copy traps not advanced
passivation techniques are used by smartcard manufacturers in the bulk of
their products. The marketing director of a smartcard manufacturer said
that they simply had no demand from their users for anything really
sophisticated. The most that appears to be done is an optical sensor
under an opaque coating.
Hi-tech techniques may indeed have been used by commercial
pirates to duplicate satellite TV smartcards.
Recent postings to a TV hackers' mailing list recount how an
undergraduate used nitric acid and acetone to remove ICs intact from
Sky-TV smartcards; he then put them in the University's electron beam
tester (an ICT 8020, also sold as the Advantest E 1340 - a 1991 machine).
The chips were run in a test loop, but he had been unable to remove the
silicon nitride passivation layer; the many secondary electrons removed
from this caused it to get charged positive very quickly, which obscured
the underlying circuit. He did not have access to a dry etching facility
to remove this layer, and could get no further. However it is
significant that a person with no funding or specialist knowledge could
get even this far.
However, amateur hackers have managed to break smartcard security without
having to penetrate the device physically. Instead, they have used flaws
in the design of the card's hardware or software to determine its
2 Determining the EEPROM contents
Many methods have been employed to determine the EEPROM contents of
smartcards. In addition to the very general reverse engineering
techniques described above, there are a lot of shortcut attacks on
2.1 How attacks are done
The following list is not exhaustive:
o raising the supply voltage above its design limit;
o cutting the supply voltage below its design limit;
o resetting random memory locations using ultraviolet light
until the read protect bit is found;
o exploiting misfeatures in the hardware, including the
manufacturer supplied ROM code;
o exploiting misfeatures in the customer written EEPROM code
(current attacks on UK satellite TV systems take this route);
o some combination of the above.
The appendix contains accounts from a hacker mailing list of two actual
attacks carried out on chips.
2.2 Threat assessment
All systems have bugs, and so the level of threat to smartcard systems
presented by exploitable loopholes is a function of how many bugs remain
(i.e. how mature the design is) and how much effort is spent in looking
for them (i.e. how many motivated attackers there are). This in turn
depends on the application area.
Satellite TV systems attracted a great many attackers for
historical reasons; in the USA, many rural households had got into the
habit of watching satellite TV feeds as there were no terrestrial
stations in range, even although these feeds were intended for
rebroadcast rather than direct consumption. When the feeds were
encrypted, the families who depended on them for their news and
entertainment - and often could not buy decoders through any legal
channel - were outraged.
In Europe, a similar problem arose when the final season of 'Star Trek:
The Next Generation' was encrypted. This program's fans included many
with appropriate skills, and soon (March 94) there appeared a program
called Season which decoded Sky TV.
Since then, there has been a battle of wits between Sky and the Trekkies,
which has probably cost Sky somewhere between $10
million and $100 million. On May 18th 1994, Sky changed from issue 07
cards to their new issue 09 card. Hackers refer to May 18th as Dark
Wednesday. The 09 card proved harder to hack but a temporary solution
appeared in June. It only lasted a few weeks before Sky changed codes
again. Though some attempts at an issue 09 Season were made, a code
change by Sky stopped it until just before Christmas.
Then no less than three new versions of Season appeared - two for the PC
and one for the MAC. Successive code changes on January 4th and January
25th led to further updates of Season, and by about 8th March all the
secrets in the Sky 09 card were known - and published! Hackers are
awaiting the release of series 10 Sky cards with relish.
In addition to the attacks on satellite TV, there have been a number of
attacks on banking systems and prepayment electricity meter systems which
are documented in three of my recent papers [8, 9, 10] Most of the
attacks documented there resulted from similarly opportunistic
exploitation of design and operational errors, and some of the target
systems were based on smartcards.
Finally, some concern has been expressed that attack skills may be
transferable. For example, a banking industry security expert is worried
that the satellite TV hacking community might next turn its attention to
2.3 Possible defences
The main conclusion to be drawn from the above is probably that just as
we do not know how to make a device which resists
tampering by a funded organisation, we do not know how to build a device
of any complexity to resist logical as opposed to physical tampering.
There are a number of other lessons. For example, companies which rely on
smartcard systems should if possible avoid making a lot of enemies.
Diversity of attack has been significant in pay-TV, metering and banking
systems and just as a funded organisation can break the silicon directly,
so one must expect that many tinkering amateurs will eventually find a
flaw in any piece of software. It is well known in the software testing
community that a significant number of bugs come to light when a piece of
software is passed on to another tester or to a customer; this is because
different testers and/or users exercise different parts of the input
It is also imprudent to start off with weak security and then improve it
gradually in response to attacks. The satellite TV people did this, and
trained up a community of hackers. At some point, you must invest enough
to put clear water between your systems and your opponents, and the
sooner you make this investment the smaller it is likely to be.
The main investment should be in getting the overall design
right, or at least as right as one can, from the beginning. It is unwise
to spend a lot of money on tamperproofing while ignoring the much simpler
and dirtier attacks which exploit errors in design and operation. Quality
control, and examination by
multiple independent experts, should take priority over attempts to mimic
the passivation techniques used by the military.
After all, the three published attacks on Clipper all involve the logical
design (key management protocols and modes of operation) rather than
penetration of the device itself.
At present, there are no portable tamperproof devices. If secrets are
held on smartcards which are allowed outside protected spaces, then both
physical and logical attacks should be
The scale of such attacks will depend on many things. If there is a
capable motivated opponent, such as a chip maker or the government of a
NATO country or China, then it must be assumed that a complete
penetration will take at most weeks. If there are many less capable but
still motivated opponents, then
penetrations based on the opportunistic exploitation of design flaws are
to be expected in due course.
We conclude that systems based on portable tamper-resistant
devices should be designed with caution. They should avoid
motivating a determined attack on the cards, and the penetration of a
small number of cards should not be fatal to the system owner.
These considerations interact; for example, if the scope of
secrets kept within the card is limited so that breaking a card allows
access to only one bank account, then it is unlikely that an attack would
be economic to an attacker or prove more than a minor nuisance to the
This short essay will show you how to read the EPROM of an
AMD87C51, with all security programmed.
.... the SM-card I had was programmed with both Lock bits and it was
impossible to read out the IROM.
But the data sheet also tells:
To ensure proper functionality of the chip, the internally
latched value of the EA pin must agree with its external
Perhaps it was possible to confuse the processor.
I build a small device with external EPROM (64KBytes) and RAM. The EPROM
was coded with a monitor program in the upper address range which gives
me the possibility to load and execute code by control of a PC. Starting
the processor with external ROM access disables the access of the
internal ROM and due to the latching of the EA pin during RESET, changes
at the EA pin had no effect. Also the MOVC returns only external ROM
Know my idea was to start the processor with internal ROM and then to
confuse him so that he accesses the external EPROM and run into the
I tried ...
But reduction of the power supply voltage works. At about 1,5 Volt the
processor starts to access the external ROM. Rising the voltage back to 5
Volt the processor (most of the times) still run external, but with the
possibility of access to the internal ROM...
I programmed a small routine, which calls an address within the internal
ROM and execute this. I started at the higher end of the internal ROM and
decreased the calling address with each try by 10h. Most of the time the
processor hangs up. But at some
addresses I got a return to the monitor program. So I analysed this
addresses and prepared the registers in a way to verify that the routine
could read ROM data. And I found the routine which did this. So the
internal ROM code reads itself and returns himself to the monitor program
for storage. It took about 3 days to go through the ROM and find the
routine and one long week to understand the code.
This short story shows how to get access to a secured 87C51
microcontroller. It's a different way, than the one described by .....
Referring to his article, I assume, that this 87C51 microcontrollers and
their features (including security bits) are known.
The idea was, that the security bits are not located near the EPROM array
on the silicon. After some tests in erasing standard EPROMS, I had the
right tools to try it on a real device: With a mask designed from black,
thick paper with a small hole in it, I started to lighten the silicon on
the outer edges and sides. Moving the mask carefully and checking the
security bits (by reading the device in a microcontroller programmer)
after each try is a long job. I did additional tests to open the chip (by
removing the windows or dividing the ceramic carrier material). But this
always led to permanent damage to the chip (broken
silicon, destroyed wires between pads and pins), so I gave this up. So
after 4 destroyed chips the fifth was the right one. You have to be sure,
that your mask is good prepared and the erasing light doesn't diffuse
across the chip. No I'am able to erase such a device in less than 10
minutes. But ... it's only easy if the device is one of AMD or Philips.
The Intel devices have a window, which is formed like a lens (the silicon
looks very big). On this devices it's nearly impossible to lighten a
specific part of the silicon. The job is easier on devices with standard
window and a _big_ EPROM Array (seems to be devices aged two or more
. . . if somebody is interested
in the 4K codes of the MasterCard (bad and dirty code) or MovieCard (very
elegant algorithm and i/o implementation), just gimme' a direct mail.
Disassembled and commented listings in WinWord format are also available
(comments in mixed English and German language).
 'Layout Reconstruction of Complex Silicon Chips', S Blythe, B
Fraboni, S Lall, H Ahmed, U de Riu, IEEE J. of Solid-State
Circuits v 28 no 2 (Feb 93) pp 138-145
 'Two New Imaging Techniques Promise To Improve IC Defect
Identification', C Ajluni, Electronic Design Vol 43 No 14 (10
July 1995) pp 37-38
 'Conducting Filament of the Programmed Metal Electrode
Amorphous Silicon Antifuse', KE Gordon, RJ Wong,
International Electron Devices Meeting, Dec 93; reprinted as
pp 6-3 to 6-10, QuickLogic Data Book, 1994
 see FIPS PUB 140-1 section 4 level 4: "Removal of the coating
shall have a high probability of resulting in serious damage
to the module"
 Philippe Maes, GemPlus, during a panel discussion at Cardis
 message <[email protected]> posted by Anne Anderson of
Hewlett-Packard [email protected] to sci.crypt 26 Apr 1994
 apparently tiny jets of hot acid have been used to remove the
passivation layers over parts of the chip at a time
 'Why Cryptosystems Fail'
 'Liability and Computer Security - Nine Principles'
 'Cryptographic Credit Control in Pre-payment Metering
Systems' All these can be got from
 'Thermodynamic description of the defects in large
information processing systems', RM Brady, RC Ball, RJ
Anderson, to appear
William H. Geiger III http://www.amaranth.com/~whgiii
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://www.amaranth.com/~whgiii/pgpmr2.html
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----