Schneier on Security

RobertT • September 22, 2010 10:28 PM

Problems with your proposal
1) you can’t limit the customer to using ONLY the initially issued smart card that is associated with their meter. Basically people loose these things, renters move and take cards with them. So EVERY offline payment system, MUST work with a generic card purchased at an appropriate store.

2) Because of the requirements in 1) a cloned card with a certain credit must work everywhere. The details of the crypto (two key, single key, elliptic, whatever are irrelevant), because the perp does not alter the information on the card, to create value, rather he exactly copies the good cards information, including the encrypted value.
Usually to do this exact copy of a card, the hacker needs to gain direct write access to the EEPROM using a test mode. and needs to change the cards own ID to match the cloned cards ID.

As I said earlier, the easiest hack is to buy a good card and just to kill the EEPROM write circuits. This is detectable / correctable at the system level, but that assumes the meter system person actually knows how to correctly program secure software…..

3) Fixes. All fixes for this problem require that a valueless card be inserted into the electricity meter and have the meter sign the cards info so that the value subsequently added can be uniquely created for this meter. Unfortunately this is a two step procedure for the end customer and is is therefore unpopular. An alternative is to have the meter display an ID which can be written down and entered when the credit is purchased. Unfortunately this puts people in the crypto loop, so this system is prone to error.

Other fixes:
If the generic card has a serial number, which cannot be faked, than even a hacker with access to the correct cards cannot clone a card. Most payment card ID’s have lock bits that theoretically prevent them being reprogrammed BUT…

New solutions:
To achieve this “unfakeable” card ID payment card makers are trying to use fundamental physical differences in the construction of the chips to create unique ID’s. The hackers get around this by changing their clone cards program to query a ROM location for the ID rather than reading the card ID, so the ROM gets programmed with the unfakeable ID of a good card, and so the game continues…

Ultimately the security of the card / payment system depends on protecting a secret, it might be a “key” or a methodology, but IMHO the best security ultimately rests in the undocumented steps that protect the stored key information.

Tamper resistance:
All new electricity meters have tamper resistance built-in, usually this is done by sensing both Active and Neutral current and comparing the two.

Unfortunately without a return comms channel, the meters knowledge that it has been tampered with is of very little value too the electricity provider.

RobertT • September 23, 2010 8:44 PM

@NickP
Interesting, but I think you lost sight of the target market “pre-paid electricity” and the nature of the customers that normally select this option.

Prepaid is most popular in rental accommodation, short term leases and with those who’s credit rating is too low for the electricity retailer to offer credit.

Your scheme appears to offer a fixed 1 month credit and requires that the user take the card to an appropriate store, to have the meter results read every month regardless of their actual usage rates.

So a big reason for prepaid is that no one was offering them 1 month Credit to begin with. The electricity provider also cares more about the amount of electricity used than the date by which it is used. If you are suggesting that the date “time-out” add an extra level of protection then this is a reasonable idea that is already implemented in most meters that I have seen. (basically pre-paid coupon is good for 3 months maximum)

It seems to me that all your added security comes from the requirement than the card be signed by the meter, before value is added to the card. I think this is the same as I said above, unfortunately for the consumer it becomes a 2 step procedure, which makes it unpopular. Secure YES popular NO.

As far as the electricity retailer is concerned there is no real difference between fake cards and meter bypassing (as Clive pointed out). The meter accounting methods that they use to detect both types of theft are basically the same, so if the scheme is used for any significant length of time than meter inspectors will be sent to the appropriate sectors and will check for problems. I have no idea if the law is different for meter bypassing vs use of fake cards, but i suspect both are treated the same way.

I’ll reread your proposal tonight when I have a little more time to focus.

RobertT • September 23, 2010 11:06 PM

@NickP
Just a quick reply
1) People selecting Perpaid electricity often may not want Credit because of the associated on-going liability associated with Credit.

2) for prepaid client: think of someone that moves to a new city rents an apartment month to month and needs electricity. He gladly buys a $100 prepaid coupon. and will try to stretch that amount to last for his intended stay. If needed, or for longer stays, he repeats procedure.

With this customer there is no liability for electricity consumed after he left the premises, but forgot to inform the electricity retailer. There are no hidden account cancellation charges…..He pays $100 and buys some number of KWH or power and leaves (maybe selling any residual value to the next tenant).

He is happy, the retailer has no account setup costs, and no reason for further billing him, power automatically turns off when the credit is exhausted. Simple.

I actually know some people who select prepaid and prefer it because it acts as an in-built consumption limiter. Typically the meter will display residual power, so I know if I have 100KWHr of electricity left on the meter and 10 days to go before, I move or have enough money to again pay, than I know that 10KWHr per day is my maximum consumption rate. When I check the next day and see that I’ve used 20KWhrs than I get an idea about how to adjust my usage to make the available electricity last for the required period. Pensioners and those on fixed incomes fit into this class.

RobertT • September 24, 2010 11:07 PM

@NickP
Lot of interesting work, BUT you are fixing a problem that does not exist, at least not for future Meter systems.

All new meter systems being installed, (basically anywhere in the world today) have two way communications built in. So called Smart Grid Meters.

Once you can remotely control the meter, and remotely read the electricity usage there is very little reason for the Pre-paid Card activated meters.

You can keep this “downcounter” meter functionality if the user wants prepaid “look-alike” meter but the infrastructure is all smart grid.

As Clive has pointed out, users have the privilege of paying for these new meters (sometimes up to $400USD) to have a perfectly good meter replaced by a smart meter. In most cases the only possible beneficiary of the Smart Meter is the electricity retailer, so it is remarkable that the user pays model has been so universally adopted. (but that’s politics not engineering so I’m not at all qualified to comment)

RobertT • September 25, 2010 11:17 PM

@Clive
“Fast forward 6years or so and I was investigating (in my own time) what are now called (in some places) “EM Active Envelop Fault Injection Attacks” on an “electronic purse” and I found I could change values in the purse by large amounts due to simmilar probs with 4byte wide adds on 8bit micros”

Interrupts are an interesting problem with any high security micro. Typically with a realtime system you assign the highest priority interrupts to the time critical tasks (like measurement) and figure the Crypto can be done at the lowest priority. Unfortunately this concept opens the micro to a whole class of attacks where the timer interrupt is flooded. I’ve also seen several EM attacks that injected into the Xtal cct. Surprisingly I don’t think I’ve ever seen this class of attacks talked about before. (I don’t think Ross has ever mentioned these attacks).

In some Micros you can cause a stack overflow which results in the return address overwriting the stored data.

Another class of interrupt attack is to detect the jitter in the start of a certain lower priority interrupts, this attack assumes that during critical adds / multiplies the lower priority interrupts (or os tasks) are masked. as a result the micro reveals the length of each multiply…opps (I love these side channel attacks, because most people are clueless as to how you hacked it. worse than this they still don’t get it when you explain the attack)

.

RobertT • September 28, 2010 12:21 AM

@Nick P
“I wish I could say I wasn’t “most people” in this case but…. grr… You said you’ve seen an attack like this in the real world. Could you give even a filtered explanation of what occurred and how you determined the method they were using? ….”

It wasn’t THEY but rather it was me implementing the attack on a design that a team had been working on, I always like to try out new hardware hacks on my own projects, usually without telling the design team in advance about the intended attack vector. The point is that they need to be independently thinking about information leakage vectors, because if I can dream up an attack than so can lots of other people….

Detecting and prevent attacks:
Detecting is remote EMsec attacks is relatively simple, you need several antenna {hertzian-dipoles} tuned to different frequency ranges. Since all remote Emsec attacks require high intensity RF fields you can detect them with a simple peak detect circuit connected directly to the antenna. Basically you are crudely measure EM field strength over a broad frequency band.

Another common input vector is through the power supply, protecting against this vector is a little more difficult but it requires a LOT of EM power or direct effect to the power supply regulation. So this is a Near field only attack.

My favorite attack is to locally inject power supply interference is by overdriving CMOS output signals. This attack is nice because it can utilize existing fault protection hardware against as a fault injection vector. (for example an enclosure lid switch would typically be directly connected to a CMOS I/O, if I can access this wire than I can reverse drive it to inject substrate current) This method means that the PCB level power supply decoupling caps are now isolated by the bond wire / pads of the chip. This overdrive current forward biases the output ESD protection structures and causes them to locally inject minority carriers into the chip substrate. (sorry no easy way to explain this, but it is related to the physics of a CMOS fault called Latch-up) minority carrier recombination can be used to de-bias internal analog circuits, particularly internal LDO’s (low drop-out regulators) and bandgap references. If the bandgap circuit is susceptible to minority carrier injection, than you can directly modulate the chip internal supply voltage, which is extremely useful for timing and so called “glitch” attacks.

Checking for active EMsec susepibility:

In general, Active EMsec attacks, affect high impedance input nodes of a product. So to check if a particular product is likely to be sensitive to Active Emsec I’ll intentionally add, to suspect nodes, a burst of sine waves, from a highish impedance oscillator source (say 1k to10k ohms). If this results in an observable change in power or functionality than I conclude that an EMsec attack, on this node, COULD compromise the product. So I need to take extra shielding / filtering care with this node. Implementing a real active EMsec attack is not always possible because of the physical constraints of a real product, basically for active Emsec attacks to work the injection node must behave like an efficient antenna at the carrier frequency being used. So where I mentioned Active Emsec sensitivity, I usually take the shortcut of deliberately injecting a burst sine wave on a bench setup. I do this with my own products, and the products of competitors.

Sensitivity of 32 khz crystals:
Usually the xtal oscillator is one of the easiest ccts to inject into. Most crystal oscillators are VERY high impedance common mode circuits, so injecting a disturbance signal into this node is very easy. In many microcontrollers the 32Khz osc is divided down to create a 1msec timer interrupt. If you inject a burst signal at 320khz into this node, the interrupt will occur at 0.1msec intervals. Now since the rest of the tasks are typically scheduled from the timer interrupt, everything will try to run 10 times faster. Unfortunately the actual CPU clock has not been increased, so the round robin tasker will get into a real mess. In some designs, the tasks will rescheduled before they even complete, this results in a return stack overflow. By controlling the timing and length of the injected burst, relative to the program execution, I can intentionally interfere with the execution and the results of crypto tasks, such as mutual authentication. Usually the fault vector is through overwrite of the data stack, however when the return stack is messed up, calls to one task can result in returns to another.

It is also possible to combine burst interference with DPA. Usually this method will try to incrementally speed-up the microcontroller task execution until asynchronous tasks interfere. To do this I would normally do an FFT on a suitable length of power analysis. What you see is the timing sequence for all the software tasks, such as read keyboard every 20 msec, measure temp every 50msec …. these tasks will all speed up, by the incremental change in the effective Xtal frequency( actual freq + injected error). You will also see some tasks that stay at the same repetition frequency. The tasks that change frequency are scheduled as a result of the timer interrupt, and those that stay the same have other real time sources. Since these other tasks are probably interrupt driven themselves, you can use these tasks to interfere with the desired crypto task. (in effect you increase the timer task execution rate until the independent task is exactly harmonically related to the timer task. You can than slowly walk the two sequences across one another and lock when the crypto task occurs. This technique is very powerful, especially if the crypto task disables interrupts during critical adds / multiplies. By doing this you can identify the exact interval over which interrupts are disabled. (on the DPA FFT it shows up as side bands on the independent task spur), the frequency shift of the side band directly gives you the interrupt disable length. If the code is done correctly, BIG IF, than there is NO information in this task jitter, however it is very difficult to make all code execution paths have identical path lengths and execution time, so observing the disable interrupts interval, directly leaks information about the nature of the crypto task multiplies. From here on the attack becomes a standard timing analysis attack…

Unfortunately there is no simple way to combine “real world” real time functionality with the secure computer desire for no information leakage.

RobertT • October 3, 2010 11:09 PM

@Clive,
Interesting find, I was not aware of this work.

On reading the TRNG details (as limited as they are) I’m very skeptical about the ability of the circuit to generate real random results in the presence of modulated Substrate currents and extreme power supply noise.

The problem is always with the Random Noise sampling point. Even very experienced Analog and RF CMOS designers have lots of problems achieving good PSRR (over 70dB) with purpose built custom circuits and lots of balanced symmetric layout tricks. It is somewhat difficult to believe that one FPGA gate + 4 Fets and a small look-up table will somehow out preform full custom mixer circuits (which is essentially what the RGN sampler does)

At the moment they are apparently keeping their circuit secret. If they send me a schematic and or layout I’ll gladly review it. However, my guess is they would rather continue to exist (and publish) in blissful ignorance, it is easier to make incredible claims when you know no better.

I’ll see if I can find out any details of the PUF cells, they also claim to be working on. I have a feeling that their TRNG might be based on an auto-offset correcting PUF cell plus a non-linear dither table. This creates a self oscillating continuous time 1st order sigma delta modulator, which in effect folds thermal noise into frequency domain jitter.