Tamper resistance

Tamper resistance is resistance to tampering (intentional malfunction or sabotage) by either the normal users of a product, package, or system or others with physical access to it. There are many reasons for employing tamper resistance.

Tamper resistance ranges from simple features, such as screws with special drives, to more complex devices that render themselves inoperable or encrypt all data transmissions between individual chips, to the use of materials that need special tools and knowledge to work with. Tamper-resistant devices or features are common on packages to deter package or product tampering.

Anti-tamper devices have one or more components: tamper resistance, tamper detection, tamper response, and tamper evidence. [1] In some applications, devices are only tamper-evident rather than tamper-resistant.

Tampering

Tampering involves the deliberate altering or adulteration of a product, package, or system. Solutions may involve all phases of product production, packaging, distribution, logistics, sale, and use. No single solution can be considered as "tamper-proof". Often multiple levels of security need to be addressed to reduce the risk of tampering.

A tamper-evident label with a perforated tape that permanently displays a visual 'VOID OPENED' message after being opened.

Some considerations might include:

Safety

Nearly all appliances and accessories can only be opened with the use of a screwdriver (or a substitute item such as a nail file or kitchen knife). This prevents children and others who are careless or unaware of the dangers of opening the equipment from doing so and hurting themselves (from electrical shocks, burns or cuts, for example) or damaging the equipment. Sometimes (especially in order to avoid litigation), manufacturers go further and use tamper-resistant screws, which cannot be unfastened with standard equipment. Tamper-resistant screws are also used on electrical fittings in many public buildings primarily to reduce tampering or vandalism that may cause a danger to others.

Warranties and support

A user who breaks equipment by modifying it in a way not intended by the manufacturer might deny having done so, in order to claim the warranty or (mainly in the case of PCs) call the helpdesk for help in fixing it. Tamper-evident seals may be enough to deal with this. However, they cannot easily be checked remotely, and many countries have statutory warranty terms that mean manufacturers may still have to service the equipment. Tamper-proof screws will stop most casual users from tampering in the first place. In the US, the Magnuson-Moss Warranty Act prevents manufacturers from voiding warranties solely due to tampering.[citation needed] A warranty may be dishonored only if the tampering actually affected the part that has failed and could have caused the failure.

Chips

Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures.

Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.

It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including:

Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled. In addition, the custom-made encapsulation methods used for chips used in some cryptographic products may be designed in such a manner that they are internally pre-stressed, so the chip will fracture if interfered with.[ citation needed ]
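The tamper-response behaviour described above, as an added example that is not code from the original article: a small model of a module that monitors its security mesh and environmental sensors and zeroises its keys as soon as any check fails. The operating envelope, sensor readings, key material and the `SecureModule`/`SensorReading` names are all constructed for illustration; a real module implements this in hardware, with the monitor on a battery so it can react when main power is cut.

```python
"""Added example (not code from the original article): a model of a
tamper-responding module that zeroises its keys when its encapsulation is
breached or an environmental parameter leaves the specified window.
The operating envelope, sensor readings and key material are constructed
for illustration."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed operating envelope (not taken from any real datasheet).
VOLTAGE_RANGE = (2.7, 3.6)          # volts
TEMPERATURE_RANGE = (-20.0, 85.0)   # degrees Celsius
CLOCK_RANGE_MHZ = (1.0, 40.0)       # glitched or stopped clocks fall outside this


@dataclass
class SensorReading:
    voltage: float
    temperature: float
    clock_mhz: float
    mesh_intact: bool   # continuity of the security mesh in the encapsulation


@dataclass
class SecureModule:
    # Keys are kept in bytearrays so they can be overwritten in place.
    keys: Dict[str, bytearray] = field(default_factory=dict)
    zeroised: bool = False
    tamper_log: List[str] = field(default_factory=list)

    def check_environment(self, r: SensorReading) -> Optional[str]:
        """Return a description of the first tamper condition found, or None."""
        if not r.mesh_intact:
            return "encapsulation breached"
        checks = (
            ("voltage", r.voltage, VOLTAGE_RANGE),
            ("temperature", r.temperature, TEMPERATURE_RANGE),
            ("clock", r.clock_mhz, CLOCK_RANGE_MHZ),
        )
        for name, value, (lo, hi) in checks:
            if not lo <= value <= hi:
                return f"{name} {value} outside [{lo}, {hi}]"
        return None

    def zeroise(self, reason: str) -> None:
        """Overwrite every key in place, then forget it; the module stays dead."""
        for key in self.keys.values():
            key[:] = b"\x00" * len(key)
        self.keys.clear()
        self.zeroised = True
        self.tamper_log.append(reason)

    def tick(self, r: SensorReading) -> bool:
        """One monitoring cycle. Returns True while the module is still usable."""
        if self.zeroised:
            return False
        reason = self.check_environment(r)
        if reason is not None:
            self.zeroise(reason)
            return False
        return True

    def mac(self, key_name: str, message: bytes) -> bytes:
        """Example use of a guarded key; it is unavailable after zeroisation."""
        if self.zeroised or key_name not in self.keys:
            raise RuntimeError("key unavailable")
        return hmac.new(bytes(self.keys[key_name]), message, hashlib.sha256).digest()


def demo() -> dict:
    """Walk a module through a normal cycle and then a mesh breach."""
    module = SecureModule(keys={"auth": bytearray(b"\x11" * 32)})
    normal = SensorReading(3.3, 25.0, 16.0, mesh_intact=True)
    breach = SensorReading(3.3, 25.0, 16.0, mesh_intact=False)
    result = {"alive_before": module.tick(normal)}
    result["mac_before"] = module.mac("auth", b"hello")
    result["alive_after"] = module.tick(breach)
    result["zeroised"] = module.zeroised
    result["log"] = list(module.tamper_log)
    try:
        module.mac("auth", b"hello")
        result["mac_after"] = "available"
    except RuntimeError:
        result["mac_after"] = "unavailable"
    return result
```

Note that the module never "un-zeroises": once `zeroised` is set, every later `tick` returns False and the key API refuses to operate, which mirrors the irreversible response a real part gives. Python cannot guarantee that overwritten memory is not copied elsewhere, so the in-place overwrite is a model of the hardware behaviour rather than a substitute for it.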

Nevertheless, the fact that an attacker may have the device in their possession for as long as they like, and perhaps obtain numerous other samples for testing and practice, means that it is impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully": compromise of one device must not compromise the entire system. In this manner, the attacker is practically restricted to attacks that cost less than the expected return from compromising a single device. Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.
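One standard way to achieve the "fail gracefully" property described above is key diversification: every device carries its own key derived from a master key and its identifier, so a fully extracted device key is worth exactly one device. The following is an added example, not code from the original article; the `Issuer`/`Device` classes, the derivation label and all key and identifier values are constructed for illustration.

```python
"""Added example (not code from the original article): key diversification,
one way to make a fleet of tamper-resistant devices fail gracefully.
Each device is provisioned with a key derived from a master key and its own
identifier, so extracting one device's key yields nothing usable against any
other device. Master key, identifiers and challenges are constructed."""
import hashlib
import hmac
from typing import Dict


def derive_device_key(master_key: bytes, device_id: bytes) -> bytes:
    """One-step KDF: K_dev = HMAC(K_master, label || device_id).

    The master key stays with the issuer; only K_dev is placed on the device.
    HMAC is one-way, so possession of K_dev does not reveal K_master."""
    return hmac.new(master_key, b"device-key|" + device_id, hashlib.sha256).digest()


class Device:
    """A deployed token holding only its own diversified key."""

    def __init__(self, device_id: bytes, device_key: bytes) -> None:
        self.device_id = device_id
        self._key = device_key

    def authenticate(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Issuer:
    """Back end: holds the master key and re-derives each device key on demand."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key

    def provision(self, device_id: bytes) -> Device:
        return Device(device_id, derive_device_key(self._master, device_id))

    def verify(self, device_id: bytes, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(
            derive_device_key(self._master, device_id), challenge, hashlib.sha256
        ).digest()
        return hmac.compare_digest(expected, response)


def blast_radius(master_key: bytes, victim_id: bytes, other_id: bytes,
                 challenge: bytes) -> Dict[str, bool]:
    """Model a complete key extraction from one device and measure what it buys.

    Returns, for the extracted key, whether it can still pass verification as
    the compromised device and as a different device."""
    issuer = Issuer(master_key)
    victim = issuer.provision(victim_id)
    issuer.provision(other_id)

    extracted_key = victim._key   # the compromised unit's key is fully known
    forged = hmac.new(extracted_key, challenge, hashlib.sha256).digest()
    return {
        "impersonate_victim": issuer.verify(victim_id, challenge, forged),
        "impersonate_other": issuer.verify(other_id, challenge, forged),
    }


if __name__ == "__main__":
    # Constructed inputs: a 32-byte master key and two card identifiers.
    print(blast_radius(bytes(range(32)), b"card-0001", b"card-0002", b"nonce-42"))
```

With this layout the issuer can revoke the single compromised identifier and the rest of the fleet is unaffected, which is what bounds the attacker's return to the value of one device.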

Military

Anti-tamper (AT) is required in all new military programs in the U.S. [1]

DRM

Tamper resistance finds application in smart cards, set-top boxes and other devices that use digital rights management (DRM). In this case, the issue is not about stopping the user from breaking the equipment or hurting themselves, but about either stopping them from extracting codes, or acquiring and saving the decoded bitstream. This is usually done by having many subsystem features buried within each chip (so that internal signals and states are inaccessible) and by making sure the buses between chips are encrypted. [ citation needed ]

DRM mechanisms also use certificates and asymmetric key cryptography in many cases. In all such cases, tamper resistance means not allowing the device user access to the valid device certificates or public-private keys of the device. The process of making software robust against tampering attacks is referred to as "software anti-tamper".

Nuclear industry

Nuclear reactors that are intended to be sold to countries that otherwise do not possess nuclear weapons must be made tamper-resistant to prevent nuclear proliferation. For example, the proposed SSTAR will feature a combination of anti-tamper techniques that will make it difficult to get at the nuclear material, ensure that where the reactors are transported to is closely tracked, and have alarms in place that sound if attempts at entry are detected (which can then be responded to by the military).

Packaging

Tamper resistance is sometimes needed in packaging, for example:

Resistance to tampering can be built in or added to packaging. [2] Examples include:

The tamper resistance of packaging can be evaluated by consultants and experts in the subject. Also, comparisons of various packages can be made by careful field testing of the lay public.

Software

Software is also said to be tamper-resistant when it contains measures to make reverse engineering harder, or to prevent a user from modifying it against the manufacturer's wishes (removing a restriction on how it can be used, for example). One commonly used method is code obfuscation.

However, effective tamper resistance in software is much harder than in hardware, as the software environment can be manipulated to near-arbitrary extent by the use of emulation.

If implemented, trusted computing would make software tampering of protected programs at least as difficult as hardware tampering, as the user would have to hack the trust chip to give false certifications in order to bypass remote attestation and sealed storage. However, the current specification makes it clear that the chip is not expected to be tamper-proof against any reasonably sophisticated physical attack; [3] that is, it is not intended to be as secure as a tamper-resistant device.

A side effect of this is that software maintenance gets more complex, because software updates need to be validated and errors in the upgrade process may lead to a false-positive triggering of the protection mechanism.
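The two points just made, a runtime integrity check that refuses to run modified code and an update path that has to be validated so that a legitimate upgrade does not trip the protection, can be shown together. The following is an added example and not code from the original article: the "program" is a set of named code blobs, a signed manifest lists each blob's digest, and `ProtectedProgram`, `build_manifest`, the blob contents and the keys are all constructed. A product would sign the manifest with an asymmetric scheme so the verification key embedded in the program cannot be used to forge manifests; HMAC stands in here only because it is in the standard library and the control flow is identical.

```python
"""Added example (not code from the original article): a software anti-tamper
integrity check with a validated update path. Code blobs, keys and names are
constructed; HMAC stands in for the asymmetric signature a product would use."""
import hashlib
import hmac
import json
from typing import Dict, Tuple


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_manifest(code: Dict[str, bytes], signing_key: bytes) -> Tuple[bytes, bytes]:
    """Vendor side: list every blob's digest and sign that list."""
    manifest = json.dumps({n: digest(b) for n, b in code.items()}, sort_keys=True).encode()
    signature = hmac.new(signing_key, manifest, hashlib.sha256).digest()
    return manifest, signature


class ProtectedProgram:
    def __init__(self, code: Dict[str, bytes], manifest: bytes,
                 signature: bytes, verify_key: bytes) -> None:
        self._verify_key = verify_key
        self.code: Dict[str, bytes] = {}
        self.manifest = b"{}"
        if not self.apply_update(code, manifest, signature):
            raise RuntimeError("initial image failed validation")

    def _manifest_is_authentic(self, manifest: bytes, signature: bytes) -> bool:
        expected = hmac.new(self._verify_key, manifest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

    @staticmethod
    def _code_matches(manifest: bytes, code: Dict[str, bytes]) -> bool:
        expected = json.loads(manifest)
        if set(expected) != set(code):
            return False
        return all(hmac.compare_digest(digest(code[n]), d) for n, d in expected.items())

    def integrity_ok(self) -> bool:
        """Runtime self-check: does the loaded code still match the manifest?"""
        return self._code_matches(self.manifest, self.code)

    def apply_update(self, new_code: Dict[str, bytes], new_manifest: bytes,
                     signature: bytes) -> bool:
        """Install only if the manifest is authentic AND describes new_code."""
        if not self._manifest_is_authentic(new_manifest, signature):
            return False
        if not self._code_matches(new_manifest, new_code):
            return False
        self.code = dict(new_code)
        self.manifest = new_manifest
        return True

    def run(self, name: str) -> bytes:
        """Refuse to execute anything once the image no longer matches."""
        if not self.integrity_ok():
            raise RuntimeError("tamper detected; refusing to run")
        return self.code[name]


def scenario() -> Dict[str, bool]:
    """Exercise a clean image, an in-memory patch, and three kinds of update."""
    key = b"constructed-signing-key"
    code = {"check_license": b"\x01\x02", "main": b"\x03\x04"}
    manifest, sig = build_manifest(code, key)
    prog = ProtectedProgram(code, manifest, sig, key)
    out = {"clean": prog.integrity_ok()}

    # 1. Code modified in memory after load: the self-check must fail.
    prog.code["check_license"] = b"\x90\x90"
    out["patched"] = prog.integrity_ok()
    prog.code["check_license"] = code["check_license"]   # restore for next steps

    # 2. Modified image with a manifest built under the wrong key: rejected.
    bad_code = dict(code, check_license=b"\x90\x90")
    bad_manifest, bad_sig = build_manifest(bad_code, b"wrong-key")
    out["unsigned_update"] = prog.apply_update(bad_code, bad_manifest, bad_sig)

    # 3. Genuine new code shipped with a correctly signed but stale manifest:
    #    also rejected, which is the false-positive risk the text describes.
    new_code = dict(code, main=b"\x05\x06")
    stale_manifest, stale_sig = build_manifest(code, key)
    out["stale_manifest_update"] = prog.apply_update(new_code, stale_manifest, stale_sig)

    # 4. Genuine new code with a freshly signed manifest: installed and clean.
    new_manifest, new_sig = build_manifest(new_code, key)
    out["good_update"] = prog.apply_update(new_code, new_manifest, new_sig) and prog.integrity_ok()
    return out
```

Case 3 is the maintenance cost mentioned above: any release process that changes a blob without regenerating and re-signing the manifest produces an update that the protection rejects exactly as it would reject an attacker's patch.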

Related Research Articles

Authentication

Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity. It might involve confirming the identity of a person by validating their identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim to be. In other words, authentication often involves verifying the validity of at least one form of identification.

Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning. With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software. Enforcing this behavior is achieved by loading the hardware with a unique encryption key inaccessible to the rest of the system.

Secure cryptoprocessor

A secure cryptoprocessor is a dedicated computer on a chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

Smart card

A smart card, chip card, or integrated circuit card (ICC) is a physical electronic authorization device, used to control access to a resource. It is typically a plastic credit card sized card with an embedded integrated circuit. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, mobile phones (SIM), public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Several nations have deployed smart cards throughout their populations.

A screw cap or closure is a common type of closure for bottles, jars, and tubes.

Zeroisation

In cryptography, zeroisation is the practice of erasing sensitive parameters from a cryptographic module to prevent their disclosure if the equipment is captured. This is generally accomplished by altering or deleting the contents to prevent recovery of the data. When encryption was performed by mechanical devices, this would often mean changing all the machine's settings to some fixed, meaningless value, such as zero. On machines with letter settings rather than numerals, the letter 'O' was often used instead. Some machines had a button or lever for performing this process in a single step. Zeroisation would typically be performed at the end of an encryption session to prevent accidental disclosure of the keys, or immediately when there was a risk of capture by an adversary.

A security token is a physical device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples include a wireless keycard opening a locked door, or in the case of a customer trying to access their bank account online, the use of a bank-provided token can prove that the customer is who they claim to be.

Closure (container)

Closures are devices and techniques used to close or seal a container such as a bottle, jug, jar, tube, can, etc. Closures can be a cap, cover, lid, plug, etc.

Tamper-evident describes a device or process that makes unauthorized access to the protected object easily detected. Seals, markings or other techniques may be tamper indicating.

The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptography modules. As of December 2016, the current version of the standard is FIPS 140-2, issued on 25 May 2001.

Strong cryptography or cryptographically strong are general terms applied to cryptographic systems or components that are considered highly resistant to cryptanalysis.

Trusted Platform Module

Trusted Platform Module is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

Hardware security module

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.

Tamperproofing is a term sometimes used for a methodology used to hinder, deter or detect unauthorised access to a device or circumvention of a security system.

Vandal-resistant switch

Vandal-resistant switches are electrical switches designed to be installed in a location and application where they may be subject to abuse and attempts to damage them, as in the case of pedestrian crossing switches. Vandal-resistant switches located on devices that are outdoors must be able to withstand extreme temperatures, dust, rain, snow, and ice. Many vandal-resistant switches are intended to be operated by the general public, and must withstand heavy use and even abuse, such as attempts to damage the switch with metal tools. These switches must also resist dirt and moisture.

Tamper-evident band

A tamper-evident band or security ring serves as a tamper-resistant or tamper-evident function of a screw cap, lid, or closure. The term tamper proof is sometimes used but is considered a misnomer given that pilfering is still technically possible.

Anti-tamper software is software which makes it harder for an attacker to modify it. The measures involved can be passive such as obfuscation to make reverse engineering difficult or active tamper-detection techniques which aim to make a program malfunction or not operate at all if modified. It is essentially tamper resistance implemented in the software domain. It shares certain aspects but also differs from related technologies like copy protection and trusted hardware, though it is often used in combination with them. Anti-tampering technology typically makes the software somewhat larger and also has a performance impact. There are no provably secure software anti-tampering methods; thus, the field is an arms race between attackers and software anti-tampering technologies.

A trusted execution environment (TEE) is a secure area of a main processor. It guarantees that code and data loaded inside it are protected with respect to confidentiality and integrity. A TEE as an isolated execution environment provides security features such as isolated execution, integrity of applications executing within the TEE, and confidentiality of their assets. In general terms, the TEE offers an execution space that provides a higher level of security than an open rich mobile operating system and more functionality than a 'secure element' (SE).

Security tape

Security tape is a type of adhesive tape used to help reduce shipping losses due to pilfering and reduce tampering or product adulteration. Often it is a pressure-sensitive tape or label with special tamper-resistant or tamper-evident features. It can be used as a "security seal" in addition to a container closure or can be used as a security label. They are sometimes used as or with authentication products and can be an anti-pilferage seal.

References

  1. Altera. "Anti-Tamper Capabilities in FPGA Designs". p. 1.
  2. Rosette, J. L. (2009), "Tamper-Evident Packaging", in Yam, K. L. (ed.), Encyclopedia of Packaging Technology, Wiley (published 2010), ISBN 978-0-470-08704-6.
  3. Microsoft Word – TPM 1_2 Changes final.doc