Tamper resistance

Last updated April 22, 2019

Tamper resistance is resistance to tampering (intentional malfunction or sabotage) by either the normal users of a product, package, or system or others with physical access to it. There are many reasons for employing tamper resistance.

Sabotage is a deliberate action aimed at weakening a polity, effort, or organization through subversion, obstruction, disruption, or destruction. One who engages in sabotage is a saboteur. Saboteurs typically try to conceal their identities because of the consequences of their actions.

Tamper resistance ranges from simple features like screws with special drives, more complex devices that render themselves inoperable or encrypt all data transmissions between individual chips, or use of materials needing special tools and knowledge. Tamper-resistant devices or features are common on packages to deter package or product tampering.

Anti-tamper devices have one or more components: tamper resistance, tamper detection, tamper response, and tamper evidence.^[1] In some applications, devices are only tamper-evident rather than tamper-resistant.

Tampering

Tampering involves the deliberate altering or adulteration of a product, package, or system. Solutions may involve all phases of product production, packaging, distribution, logistics, sale, and use. No single solution can be considered as "tamper-proof". Often multiple levels of security need to be addressed to reduce the risk of tampering.

Logistics is generally the detailed organization and implementation of a complex operation. In a general business sense, logistics is the management of the flow of things between the point of origin and the point of consumption in order to meet requirements of customers or corporations. The resources managed in logistics may include tangible goods such as materials, equipment, and supplies, as well as food and other consumable items. The logistics of physical items usually involves the integration of information flow, materials handling, production, packaging, inventory, transportation, warehousing, and often security.

Security is freedom from, or resilience against, potential harm caused by others. Beneficiaries of security may be of persons and social groups, objects and institutions, ecosystems or any other entity or phenomenon vulnerable to unwanted change by its environment.

Some considerations might include:

Identify who a potential tamperer might be: average user, child, psychopath, misguided joker, saboteur, organized criminals, terrorists, corrupt government. What level of knowledge, materials, tools, etc. might they have?
Identify all feasible methods of unauthorized access into a product, package, or system. In addition to the primary means of entry, also consider secondary or "back door" methods.
Control or limit access to products or systems of interest.
Improve the tamper resistance to make tampering more difficult, time-consuming, etc.
Add tamper-evident features to help indicate the existence of tampering.
Educate people to watch for evidence of tampering.

Tamper means interfere with (something) without authority or so as to cause damage.

Safety

Nearly all appliances and accessories can only be opened with the use of a screwdriver (or a substitute item such as a nail file or kitchen knife). This prevents children and others who are careless or unaware of the dangers of opening the equipment from doing so and hurting themselves (from electrical shocks, burns or cuts, for example) or damaging the equipment. Sometimes (especially in order to avoid litigation), manufacturers go further and use tamper-resistant screws, which cannot be unfastened with standard equipment. Tamper-resistant screws are also used on electrical fittings in many public buildings primarily to reduce tampering or vandalism that may cause a danger to others.

Warranties and support

A user who breaks equipment by modifying it in a way not intended by the manufacturer might deny they did it, in order to claim the warranty or (mainly in the case of PCs) call the helpdesk for help in fixing it. Tamper-evident seals may be enough to deal with this. However, they cannot easily be checked remotely, and many countries have statutory warranty terms that mean manufacturers may still have to service the equipment. Tamper proof screws will stop most casual users from tampering in the first place. In the US, the Magnuson-Moss Warranty Act prevents manufacturers from voiding warranties solely due to tampering.^{[ citation needed ]} A warranty may be dishonored only if the tampering actually affected the part that has failed, and could have caused the failure.

Chips

Tamper-resistant microprocessors are used to store and process private or sensitive information, such as private keys or electronic money credit. To prevent an attacker from retrieving or modifying the information, the chips are designed so that the information is not accessible through external means and can be accessed only by the embedded software, which should contain the appropriate security measures.

Examples of tamper-resistant chips include all secure cryptoprocessors, such as the IBM 4758 and chips used in smartcards, as well as the Clipper chip.

It has been argued that it is very difficult to make simple electronic devices secure against tampering, because numerous attacks are possible, including:

physical attack of various forms (microprobing, drills, files, solvents, etc.)
freezing the device
applying out-of-spec voltages or power surges
applying unusual clock signals
inducing software errors using radiation (e.g., microwaves or ionising radiation)
measuring the precise time and power requirements of certain operations (see power analysis)

Tamper-resistant chips may be designed to zeroise their sensitive data (especially cryptographic keys) if they detect penetration of their security encapsulation or out-of-specification environmental parameters. A chip may even be rated for "cold zeroisation", the ability to zeroise itself even after its power supply has been crippled. In addition, the custom-made encapsulation methods used for chips used in some cryptographic products may be designed in such a manner that they are internally pre-stressed, so the chip will fracture if interfered with.^{[ citation needed ]}

Nevertheless, the fact that an attacker may have the device in his possession for as long as they likes, and perhaps obtain numerous other samples for testing and practice, means that it is impossible to totally eliminate tampering by a sufficiently motivated opponent. Because of this, one of the most important elements in protecting a system is overall system design. In particular, tamper-resistant systems should "fail gracefully" by ensuring that compromise of one device does not compromise the entire system. In this manner, the attacker can be practically restricted to attacks that cost less than the expected return from compromising a single device. Since the most sophisticated attacks have been estimated to cost several hundred thousand dollars to carry out, carefully designed systems may be invulnerable in practice.

Military

Anti-tamper (AT) is required in all new military programs in the U.S.^[1]

DRM

Tamper resistance finds application in smart cards, set-top boxes and other devices that use digital rights management (DRM). In this case, the issue is not about stopping the user from breaking the equipment or hurting themselves, but about either stopping them from extracting codes, or acquiring and saving the decoded bitstream. This is usually done by having many subsystem features buried within each chip (so that internal signals and states are inaccessible) and by making sure the buses between chips are encrypted. ^{[ citation needed ]}

DRM mechanisms also use certificates and asymmetric key cryptography in many cases. In all such cases, tamper resistance means not allowing the device user access to the valid device certificates or public-private keys of the device. The process of making software robust against tampering attacks is referred to as "software anti-tamper".

Nuclear industry

Nuclear reactors that are intended to be sold to countries that otherwise do not possess nuclear weapons must be made tamper-resistant to prevent nuclear proliferation. For example, the proposed SSTAR will feature a combination of anti-tamper techniques that will make it difficult to get at the nuclear material, ensure that where the reactors are transported to is closely tracked, and have alarms in place that sound if attempts at entry are detected (which can then be responded to by the military).

Packaging

Tamper resistance is sometimes needed in packaging, for example:

Regulations for some pharmaceuticals require it.
High value products may be subject to theft.
Evidence needs to remain unaltered for possible legal proceedings.

Resistance to tampering can be built in or added to packaging.^[2] Examples include:

Extra layers of packaging (no single layer or component is "tamper-proof")
Packaging that requires tools to enter
Extra-strong and secure packaging
Packages that cannot be resealed
Tamper-evident seals, security tapes, and features

The tamper resistance of packaging can be evaluated by consultants and experts in the subject. Also, comparisons of various packages can be made by careful field testing of the lay public.

Software

Software is also said to be tamper-resistant when it contains measures to make reverse engineering harder, or to prevent a user from modifying it against the manufacturer's wishes (removing a restriction on how it can be used, for example). One commonly used method is code obfuscation.

However, effective tamper resistance in software is much harder than in hardware, as the software environment can be manipulated to near-arbitrary extent by the use of emulation.

If implemented, trusted computing would make software tampering of protected programs at least as difficult as hardware tampering, as the user would have to hack the trust chip to give false certifications in order to bypass remote attestation and sealed storage. However, the current specification makes it clear that the chip is not expected to be tamper-proof against any reasonably sophisticated physical attack;^[3] that is, it is not intended to be as secure as a tamper-resistant device.

A side effect of this is that software maintenance gets more complex, because software updates need to be validated and errors in the upgrade process may lead to a false-positive triggering of the protection mechanism.

Related Research Articles

Authentication act of confirming the truth of an attribute of a datum or entity

Authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's identity, authentication is the process of actually confirming that identity. It might involve confirming the identity of a person by validating their identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product is what its packaging and labeling claim to be. In other words, authentication often involves verifying the validity of at least one form of identification.

Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group. The term is taken from the field of trusted systems and has a specialized meaning. With Trusted Computing, the computer will consistently behave in expected ways, and those behaviors will be enforced by computer hardware and software. Enforcing this behavior is achieved by loading the hardware with a unique encryption key inaccessible to the rest of the system.

A secure cryptoprocessor is a dedicated computer on a chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

Smart card pocket-sized card with embedded integrated circuits

A smart card, chip card, or integrated circuit card (ICC) is a physical electronic authorization device, used to control access to a resource. It is typically a plastic credit card sized card with an embedded integrated circuit. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, mobile phones (SIM), public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Several nations have deployed smart cards throughout their populations.

A screw cap or closure is a common type of closure for bottles, jars, and tubes.

In cryptography, zeroisation is the practice of erasing sensitive parameters from a cryptographic module to prevent their disclosure if the equipment is captured. This is generally accomplished by altering or deleting the contents to prevent recovery of the data. When encryption was performed by mechanical devices, this would often mean changing all the machine's settings to some fixed, meaningless value, such as zero. On machines with letter settings rather than numerals, the letter 'O' was often used instead. Some machines had a button or lever for performing this process in a single step. Zeroisation would typically be performed at the end of an encryption session to prevent accidental disclosure of the keys, or immediately when there was a risk of capture by an adversary.

A security token is a physical device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples include a wireless keycard opening a locked door, or in the case of a customer trying to access their bank account online, the use of a bank-provided token can prove that the customer is who they claim to be.

Closures are devices and techniques used to close or seal container such as a bottle, jug, jar, tube, can, etc. Closures can be a cap, cover, lid, plug, etc.

Tamper-evident describes a device or process that makes unauthorized access to the protected object easily detected. Seals, markings or other techniques may be tamper indicating.

The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptography modules. As of December 2016, the current version of the standard is FIPS 140-2, issued on 25 May 2001.

Strong cryptography or cryptographic-ally strong are general terms applied to cryptographic systems or components that are considered highly resistant to cryptanalysis.

Trusted Platform Module international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys

Trusted Platform Module is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

A hardware security module (HSM) is a physical computing device that safeguards and manages digital keys for strong authentication and provides cryptoprocessing. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity.

Tamperproofing is a term sometimes used for a methodology used to hinder, deter or detect unauthorised access to a device or circumvention of a security system.

Vandal-resistant switches are electrical switches designed to be installed in a location and application where they may be subject to abuse and attempts to damage them, as in the case of pedestrian crossing switches. Vandal-resistant switches located on devices that are outdoors must be able to withstand extreme temperatures, dust, rain, snow, and ice. Many vandal-resistant switches are intended to be operated by the general public, and must withstand heavy use and even abuse, such as attempts to damage the switch with metal tools. These switches must also resist dirt and moisture.

A tamper-evident band or security ring serves as a tamper resistant or tamper evident function to a screw cap, lid, or closure. The term tamper proof is sometimes used but is considered a misnomer given that pilfering is still technically possible

Anti-tamper software is software which makes it harder for an attacker to modify it. The measures involved can be passive such as obfuscation to make reverse engineering difficult or active tamper-detection techniques which aim to make a program malfunction or not operate at all if modified. It is essentially tamper resistance implemented in the software domain. It shares certain aspects but also differs from related technologies like copy protection and trusted hardware, though it is often used in combination with them. Anti-tampering technology typically makes the software somewhat larger and also has a performance impact. There are no provably secure software anti-tampering methods; thus, the field is an arms race between attackers and software anti-tampering technologies.

A trusted execution environment (TEE) is a secure area of a main processor. It guarantees code and data loaded inside to be protected with respect to confidentiality and integrity. A TEE as an isolated execution environment provides security features such as isolated execution, integrity of applications executing with the TEE, along with confidentiality of their assets. In general terms, the TEE offers an execution space that provides a higher level of security than a rich mobile operating system open and more functionality than a 'secure element' (SE).

Security tape is a type of adhesive tape used to help reduce shipping losses due to pilfering and reduce tampering or product adulteration. Often it is a pressure sensitive tape or label with special tamper resistant or tamper evident features. It can be used as a ‘’security seal’’ in addition to a container closure or can be used as a security label. They are sometimes used as or with authentication products and can be an anti-pilferage seal.

References

1 2 Altera. "Anti-Tamper Capabilities in FPGA Designs". p. 1.
↑ Rosette, J L (2009), "Tamper-Evident Packaging", in Yam, K L (ed.), Encyclopedia of Packaging Technology, Wiley (published 2010), ISBN 978-0-470-08704-6
↑ Microsoft Word – TPM 1_2 Changes final.doc

Smith, Sean; Weingart, Steve (1999). "Building a High-Performance, Programmable Secure Coprocessor". Computer Networks. 31 (9): 831–860. CiteSeerX 10.1.1.22.8659 . doi:10.1016/S1389-1286(98)00019-X.
Rosette, Jack L (1992). Improving tamper-evident packaging: Problems, tests, and solutions. ISBN 978-0877629061.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[altera-1] 1 2 Altera. "Anti-Tamper Capabilities in FPGA Designs". p. 1.

[2] Rosette, J L (2009), "Tamper-Evident Packaging", in Yam, K L (ed.), Encyclopedia of Packaging Technology, Wiley (published 2010), ISBN 978-0-470-08704-6

[3] Microsoft Word – TPM 1_2 Changes final.doc

v t e Packaging
General topics	Active packaging Child-resistant packaging Contract packager Modified atmosphere/modified humidity packaging Package pilferage Package testing Packaging engineering Reusable packaging Shelf life Shelf-ready packaging Shelf-stable Sustainable packaging Tamper-evident Tamper resistance Wrap rage
Product packages	Alternative wine closure Beer bottle Box wine Case-ready meat Cosmetic packaging Currency packaging Disposable food packaging Drink can Egg carton Evidence packaging Foam food container Food packaging Glass milk bottle Growler Juicebox Luxury packaging Milk bag Optical disc packaging Popcorn bag Pharmaceutical packaging Plastic milk container Self-heating food packaging Screw cap (wine) Water bottle Wine bottle
Containers	Aerosol spray Aluminium bottle Aluminum can Ampoule Antistatic bag Bag-in-box Bag Barrel Biodegradable bag Blister pack Boil-in-bag Bottle Box Bulk box Cage Case Carboy Carton Chub Clamshell Corrugated box design Crate Disposable cup Drum Endcap Envelope Flexible intermediate bulk container Folding carton Glass bottle Inhaler Insulated shipping container Intermediate bulk container Jar Jerrycan Jug Keg Mesh bag Multi-pack Oyster pail Packet (container) Padded envelope Pail Paper bag Paper sack Plastic bag Plastic bottle Retort pouch Sachet Security bag Self-heating can Shipping container Skin pack Spray bottle Tetra Brik Tin can Thermal bag Tub (container) Tube Unit load Vial Wooden box
Materials and components	Adhesive Aluminium foil Bail handle Bioplastic Biodegradable plastic BoPET Bubble wrap Bung Cellophane Closure Coated paper Coating Coextrusion Corrugated fiberboard Corrugated plastic Cushioning Desiccant Double seam Foam peanut Gel pack Glass Hot-melt adhesive Kraft paper Label Lid Linear low-density polyethylene Liquid packaging board Low-density polyethylene Metallised film Modified atmosphere Molded pulp Nonwoven fabric Overwrap Oxygen scavenger Package handle Packaging gas Pallet Paper Paper pallet Paperboard Plastic film Plastic pallet Plastic wrap Polyester Polyethylene Polypropylene Pressure-sensitive tape Pump dispenser Screw cap Screw cap (wine) Security printing Security tape Shock detector Shock and vibration data logger Shrink wrap Slip sheet Staple (fastener) Strapping Stretch wrap Susceptor Tamper-evident band Tear tape Temperature data logger Time temperature indicator Tinplate Velostat
Processes	Aseptic processing Authentication Automatic identification and data capture Blow fill seal Blow molding Calendering Canning Coating Containerization Corona treatment Curtain coating Die cutting Die forming (plastics) Electronic article surveillance Extrusion Extrusion coating Flame treatment Glass production Graphic design HACCP Hermetic seal Induction sealing Injection moulding Lamination Laser cutting Molding Package tracking Papermaking Plastic welding Plastics extrusion Printing Quality assurance Radio-frequency identification Roll slitting Shearing (manufacturing) Thermoforming Track and trace Vacuum forming Ultrasonic welding Vacuum packaging Verification and validation
Machinery	Barcode printer Barcode reader Bottling line Calender Can seamer Cartoning machine Case sealer Check weigher Conveyor system Extended core stretch wrapper Filler Heat gun Heat sealer Industrial robot Injection molding machine Label printer applicator Lineshaft roller conveyor Logistics automation Material-handling equipment Mechanical brake stretch wrapper Multihead weigher Orbital stretch wrapper Packaging machinery Palletizer Rotary wheel blow molding systems Shrink tunnel Staple gun Tape dispenser Turntable stretch wrapper Vertical form fill sealing machine
Environment, post-use	Biodegradation Environmental engineering Glass recycling Industrial ecology Life-cycle assessment Litter Packaging waste Paper recycling Plastic recycling Recycling Reusable packaging Reverse logistics Source reduction Sustainable packaging Waste management
• Category: Packaging