Wednesday, June 27, 2018

Hardware security features of modern secure processors

Modern secure processors offer a wide range of hardware security features that are essential for embedded systems such as secure payment terminals. Listed below are some common such features found in secure processors in today's market. The list was compiled based on the secure processors available from NXP, Microchip and Maxim Integrated. You can find all the details mentioned here in publically available documentation (processor reference manuals, datasheets and application notes), or publically available source code (U-boot and Linux). It is also possible to obtain all the security related details pertaining to a processor from the vendor using an NDA.

Secure boot 

Secure boot feature in the processor internal boot ROM makes sure the processor is running authenticated code. This is done by digitally signing the firmware. Signing provides integrity (an attacker cannot modify the firmware) and authenticity (firmware comes from a trusted party). The process is shown in the figure below.

In simple terms, once the firmware is ready, it is digitally signed using the private key. The signature and the certificate is attached to the firmware. On the device, the digital signature is verified at load time using the public key. Usually the public key hash (rather than the key itself) is stored in device OTP memory. In the verification phase, the public key embedded in the certificate is hashed and compared against the one stored in OTP to verify the public key.
Find more about secure boot in [1] and [2].
Firmware signing and verification

Tamper detection circuitry

A tamper can trigger immediate erasure of sensitive data stored in a tamper protected memory. This may also put the processor into a failure state where the operations it can perform are limited. An external battery source is often used to keep the tamper circuitry active during a primary power failure/removal.
Tamper can be categorized into two: internal and external.
  • Internal tamper
    This is the monitoring of the behavior of properties internal to the chip such as voltage, temperature and RTC clock for anomalies. Stability and reliability of the system is questionable when these properties are not within their desired operating ranges.
  •  External tamper
    This is provided through a chip input pin where the tamper circuitry compares the received signal with the desired signal. Tamper is triggered when the input signal differs from the expected signal. External tamper can be used to detect an unauthorized tampering such as opening a device enclosure.
    External tamper can be categorized into two: passive and active.
    • Passive tamper
      The desired signal to which the input is compared is fixed, that is, it expects the input signal to have a fixed level (0 or 1).
    • Active tamper
      The desired signal to which the input is compared varies with time. An active tamper output pin generates a waveform. This is fed to the active tamper input pin. The input signal is then compared against the original waveform by the active tamper circuitry.
    • Another type of tamper detects the tampering of an on-chip ultra-fine mesh, also known as a shield. This is usually used to prevent microprobing of on-chip non-volatile secure memory.Find more about secure shields in [3] and [4].

Tamper protected on-chip secure memory

Secure memory is used for storing sensitive information, long-term (e.g. keys) or short-term (e.g. keys, payment card data) depending on their type.
This is usually a limited amount of battery backed non-volatile secure memory, ranging from few hundred bits to few Kbs, supplemented with volatile secure memory, usually having few Kbs of storage. Their contents are rapidly erased on the event of a tamper.
As stated in the tamper detection section, the non-volatile memory can be tamper protected with an on-chip ultra-fine mesh to prevent microprobing.

Secure real-time clock (RTC), monotonic counters and watchdogs

RTCs are used for system time keeping.
Monotonic counters are either decrement-only or increment-only counters. They are useful for applications that require a counter that does not repeat any of its previous values, and are often used for preventing replay attacks.
Watchdog timers are available in secure and non-secure processors. They are often used for recovering from processor malfunctions. Limiting the CPU time available for a code is another use where they can be used as a security measure against running unnecessary and potentially harmful/untrusted code.
RTCs and monotonic counters are very low power and have battery backup to retain their values over power cycles, and, they are often tamper protected.

Memory encryption, bus encryption and memory integrity checkers

Memory and bus encryption can be used for further strengthening the security of the data exchanged between the CPU and external memory by providing authenticity.
Integrity checkers are used for validating the integrity of memory regions during run time.

NIST compliant true and pseudo random number generators

Any process that requires randomness integrated to it can use random numbers. They are often used for generating cryptographically secure keys and padding.
A common configuration would be the construction of a NIST SP 800-90C compliant RBG (Random Bit Generator) from a NIST SP 800-90B compliant entropy source and a NIST SP 800-90A compliant DRBG (Deterministic Random Bit Generator).

Hardware cryptographic accelerators 

These can include acceleration for hashing (e.g SHA), block ciphers (e.g. TDES/AES), AEAD (e.g. AES-CCM, AES-GCM), MAC (e.g. HMAC) and public-key cryptography (e.g. RSA, DSA, EC).
Block ciphers and public key cryptography modules may also provide additional protection against side-channel attacks such as power and timing analysis.
 

 

In addition to the above features ARM provides ARM TrustZone for its Cotex-A and some of its latest Cortex-M based systems. I don't have experience using it to comment on it here.

You can find more about these and additional security features from processor manuals and application notes from the processor vendor. Specifically, Maxim Integrated provides a wealth of valuable information on their embedded security application notes. 

 

References:

[1] Maxim Integrated application note Secure the IoT: Part 2, A Secure Boot, the "Root of Trust" for Embedded Devices

[2] NXP application note Secure Boot on i.MX50, i.MX53, i.MX 6 and i.MX7 Series using HABv4

[3] Cryptographically secure shields by Jean-Michel Cioranesco, Jean-Luc Danger, Tarik Graba, Sylvain Guilley, Yves Mathieu, David Naccache, Xuan Thuy Ngo

[4] Random Active Shield by Sébastien Briais, Jean-Michel Cioranesco, Jean-Luc Danger, Sylvain Guilley, David Naccache, Thibault Porteboeuf

 

No comments: