 functions, the future technology for physical security enclosures, as probably most of you know, software security is almost useless if your physical security sucks. After all, you should not only lock your screens when you leave your workstations, but you should also lock the doors to your office. And Johannes is our next speaker. He is a researcher at the Fraunhofer Institute for Applied and Integrated Security. And he is going to tell us more about the current and upcoming hardware security issues and solutions. So I would like to invite you to give a warm round of applause for Johannes and please enjoy the talk. Good evening, and welcome to my talk about physical and unclonable functions and whether they are the future technology for physical security enclosures. My name is Johannes Uwe Meyer, and I'm a researcher in the field of embedded system security and physical and unclonable functions. I'm employed at the Fraunhofer Institute for Applied and Integrated Security, where I'm currently about to finish my PhD. In my last years, I have worked in a group that develops path-based technology, and there I have cooperated a lot with my former colleague, Vincent Imler, and we also had corporations with two awesome Fraunhofer Institutes, so the EMFT and the IMS. So first of all, I will give you a short introduction into HSM technology and why we have that and for what we needed. Then I will give you a short look into the past of security enclosures, and then I will present you novel technologies based on paths. So let's first come to the HSMs. So on the left here, we see an example of HSM as it was used for several years. This HSM provides a secure storage for CSPs, and the CSP is a critical security parameter, so this model can store everything from a yes key over a private key, and so on, so everything you consider confidential. And of course, you need that, for example, in banking applications for VPNs or also for certificate authorities. But this topic is quite interesting, you will find only very, very little information online regarding it, but that we are trying to change today as we want to publish more regarding these technologies and how they develop in the near future. So where has this idea of HSM started? I found a very interesting article from 1973. It was written by the NSA, and nowadays it's already declassified, so we can read this here. So I will just cite this now. The grant design was in its elegant. Encapsulate a microcomputer in a protective membrane. And this membrane serves only one function, to provide with high confidence a penalty if penetrated. The penalty could range from a theoretical and explosion to an alarm at some remote place. So they describe the idea of including an embedded system into some sensitive membrane that will detect hardware tampering, and say explicitly say that, well, if you detect some tampering, we will nuke the entire device so that the data is lost for sure. So they are really talking about non-violent shaped charges here. So that was a lot of time ago, but at this time, they considered this to be quite important. So they explicitly wrote in this already declassified document that this technology must only be discussed inside NSA because they want to achieve technological surprise by this. So this was considered to be very, very important in 1973. Nowadays, this has changed a little since we can buy these HSMs, but we'll see how this first ideas even influence the HSMs that we have today. OK. So as we have seen, an HSM must detect tampering from a physical attacker, so we want to detect and then counteract physical access. So first of all, we need tamper detection. So we need to detect an intruder. After we've detected them, we need a tamper response. That means we need to take appropriate actions so that we can ensure that the security of our device, and usually if you detect hardware tampering, you will trigger serialization and tamper evidence. Tamper detection means that the data on your module is either deleted or cannot be accessed anymore. So if you throw away the master key, you can also see this somehow as serialization as no one can any longer access this data. And tamper evidence means that the user must see that this device has been tampered with. Those current modules rely on battery backup for this. So for example, if you have a server and you power it down, the data inside your HSM must still be secured. So we have battery backup for data storage as well as for this monitoring process that does this tamper detection, response, and serialization. So but the question still remains, how can a device ensure its physical integrity? So there of course are some ideas, but well, nope, we don't do that. There are standards for everything nowadays. For example, we have FIPS 142, that's the common standard for security models here. We also have PCIHSM that was created by the payment card industry, and we also have common criteria. And common criteria is more like a general guideline for security processes. These security standards are not really independent from each other. They often reference to each other or even took over some part of them. So it depends on your client which security standards you have to adhere to. So now let's take a short look into the FIPS 142. So it provides four levels of security, ranging from level one up to level four, whereas level four is the highest security level. For level four, it's a quite powerful attacker model. They just say that your HSM resides in a physical unprotected environment. So anyone can access it and it has to still keep your data confidential. And for that, it also explicitly requests a complete envelope of protection. That means you need to wrap your entire device into some protective membrane, like the NSA document said many, many years before. And then, of course, if you detect some tampering, you have to do the serialization of all your secrets. And finally, you even have more requirements. For example, you need some protection against environmental conditions and attacks. For example, many of you may know the cold boot attacks. You also have to be protected against this by monitoring temperature and also voltage that your module is subjected to. So that are quite high requirements regarding your HSM. So after I've given you a short introduction and I hope you're all on the same understanding of HSMs now, I will come to the presentation of the past technologies here. So today, we will have a look at two samples at the IBM 4764 HSM that's a FIPS 142 level four HSM with a full enclosure. I have one with me here. If you're interested, you can come later after the talk to the speaker desk here and we will have a look at this. And since we will do an analysis of this, I also have the same model in the disassembled form here with me. So we will have a look at this in the presentation now. And if you want to see it in person, just come here afterwards. Then the second module we will have a look at is the HP Attala HSM that's only level three. We will see what's the difference later on and it's a cover only solution. So you have a board in the middle and it's like a sandwich where we have protective covers at the top and the bottom of the module. So the edge around the board remains unprotected. Okay. So where did we get all this hardware that we want to take apart now? So usually HSMs cost like thousands or even tens of thousands of dollars if you buy them. So where do you get them, those old HSMs? Well it's really simple because you can just buy them on eBay. They're quite cheap now. And if you have a little bit more time, you can wait on a better offer and then they even get more cheaper and that's just fine to take them apart. Okay. So this is our first HSM that we will have a look inside. So on the left side you can see a network port on the bottom that's the PCI-X connector and this huge silver box here that's the secure module. And on the left side we have the battery A and battery B. So we have redundant batteries that power our supervisor mechanism here. So these two batteries have been removed in this case. So in this case of course the module is already tempered but that doesn't play a role in our analysis of the hardware protection that we will see now. So we decided to take a careful look inside. I don't have to warn you, it won't explode but we will encounter a few very interesting under tempered counter measures. So after I ripped the secure module from the board, we saw basically nothing because there's an auto-metal shielding and we just have some connectors that are used for data and also for supply voltages. So then I proceeded to peel away the metal casing here and then I saw that below there's some black structure. That is not already the enclosure, that is just some potting material. So this potting material fills out like gaps. So this is just some material that has been put inside to fill the gaps and to make attacks more difficult because that material is opaque so you don't see anything through it. And I have to warn you if you try to do this, this material really smells horrible. So the entire room I didn't want to walk inside there for a few days because it was such a strong smell. I'm not sure was it exactly was but I think it's just this rubber material that smells that bad. Okay, then I just proceeded to pull away this metal casing and more potting material appeared and I didn't see anything but I noticed. There is some black spot on this outer casing down there. So and then I realized, oops, I fell into the first trap because they glued part of this enclosure to the outer casing. So by pulling apart the casing and the potting material, I already ripped out a part of this protective enclosure and may have triggered the temper detection for sure in that case. Okay, since it's already destroyed, now I decided to pull away even a larger piece of it. And yeah, what I said, so then is now we see the inner metal casing. So there's another one, not only outer metal casing, but also inner one. And here we see the temper resistant resistive temper sensitive carbon traces. So these traces are made from a carbon material. So they have an omic resistance and this resistance is verified by the temper detection circuitry that's inside the HSM. And if the resistance changes because as an attacker, I short-circuit some of the traces or I interrupt them, then the temper detection mechanism will be triggered. So they are checking for omic resistance of those traces. So now I decided to pull away a small region in the lower left part of this image and now see what happens. Oops, I fell into another trap. So if you compare these images here, you can see that by pulling away a little bit of these carbon traces, I unintentionally pulled away also the underlying layer there. So this is quite tricky to disassemble. I don't think that's possible at all, even if you are very, very careful, because these carbon traces have shown to be quite sensitive to me. So when I tried to probe them with a standard multimeter, I just simply scratched them away. Only when I was very, very careful, I was able to measure the resistance, but that is nothing you really can do reliable here. So this carbon material is really a strong anti-temper measure here. So there's also some very interesting structure in the upper region of this image. So you see those vertical traces. And on the layer above that is not shown in the image, you also have vertical traces here. And we assume that this may be something like a trace randomization where you can, as you see on the red lines here, interconnect different lines so you can reconfigure your envelope during manufacturing. So it might be possible that each envelope that you manufacture has an own trace layout that is just configured during manufacturing by setting and unsetting those connections between these two layers. We are not entirely sure, but we assume that there might be some sort of this mechanism here. And you can also see something else in the lower region here already, and that is the green PCB of the HSM module. We'll have a look at that later on, but first we will come back to our carbon traces. So how do they look like? The first thing that you can see is that we have four layers in total here. These four layers are, as I already explained, surrounded by a potting material. And then we have the first two layers, layer one and layer two. They run in a diagonal manner, so one from the bottom left to upper right and one from the upper left to bottom right. So this is like a checkerboard pattern. And you can also see this in the right image down there. And there are also some features, and these views connect between the layer one and layer two of this enclosure here. So there are also two other layers, that is layer three and layer four. They run in a zigzag pattern. And if you put all those layers atop of each other, you will most likely not have any gaps in the structure. So every spot of this HSM is entirely protected by at least one layer of carbon traces that are extremely sensitive to tempering. So this appears to be a really strong mechanism here. So let's now have a look at the inner workings of this module. You can see in the upper left region that we have a power PC, a FPGA and also a crypto ASIC that does all this cryptographic functionality. Since this develops some high power dissipation here, we also have thermal pads that just pull away all the heat from the module. But then in the lower right region, we have our damper detection circuitry. So what do you expect to find in there? Perhaps you can already see something in the image, but perhaps you also have can do some educated guesses based on that what we've seen in standards. So what do you think? Any ideas so far? Just show them to me. Sorry? Yeah, so what do you expect on a temper counter measures inside this model here? Which mechanisms may be implemented on this PCB? Perhaps you can already see something here. Sorry? Sorry, I didn't understand it. Sorry, so I will just present a solution. So perhaps one of you have already seen that. For example, in the center here, we have a light sensor. So even if you were able to very carefully open this module here, if you only shine a little bit of light on this module, it will immediately start serialization here. Then we also have a temperature sensor that protects us against cold boot attacks. And then for example, we also have the supervisor controller. It watches the supply voltages of the battery as well as of the entire HSM. And then we also have the BB-RAM. This BB-RAM is a battery-backed volatile memory. So as soon as I cut the power, all the data in this memory is lost. So in this memory, all the critical data that is CSP related is stored. So if the temperature detection mechanism is triggered, the supply voltage to this memory is cut, and it's not even cut, it's also pulled to ground here to ensure that no data remains inside this BB-RAM on a temperature event. OK, so far regarding the IBM HSM, now we will have a look at the HP Attala module. The first thing you will notice is that it has really a lot of batteries. So this module seems to consume a lot of power for its temperature detection mechanisms. But now we will also have a look inside. This is just a cover solution, so it's quite easy to take it apart. There are a lot of screws, and if you just unscrew them, you can remove the cover. We did this, and thereby, of course, we triggered the temperature alarm. And you can see around here that we have some conductive form. And this form is pushed onto the cover removal sensors, and as soon as you lift the cover only a little bit, this connection gets lost, and the temperature alarm is triggered. So that's a simple concept, but it seems to work quite well here. So you also see that this is just a level 3 module. Because for a level 4 module, you would need to have an enclosure around your entire device. In this case, we just have covers. So inside this secure compartment, you find just a normal embedded system, so there's nothing special inside. But well, let's take another look at this enclosure, at this cover. So as you can see here, we have also a resistive mesh inside this cover, and it was destroyed during this assembly. You can see this on the lower part of the right image, where the traces are missing. This trace is also checked for continuity. So if you drill through it and you violate this trace, you destroy it, then the endotemper measures will also be triggered so far. And what you also have to keep in mind, since it's not such a high level of security, it needs to develop here, it appears much closer than that what we've seen before here. Okay, so what are the drawbacks that come with these two modules, because they are battery backed? Since they are always in operation, they are very, very sensitive to temperature variations. So for example, if you want to ship them, the vendors usually recommend you to use some thermal controlled packaging where you have gill packs that just dampen the temperature changes around. So if you ship them in the winter or in the summer, they may already be destroyed when they arrive at your facility because they could already be triggered by exceeding this allowed temperature range here. Then the second issue is if you have batteries, there's also some added write and book. So if you have a very space constrained application like an airborne application or in space, this could really be an issue for you because weight costs you a lot of money and you don't have all the space available. And last but not least, batteries need a lot of servicing. So we need personnel that can replace those batteries on this HSM so that they keep operating. And if this personnel makes any mistake when changing these batteries, for example, accidentally taking out two batteries at a time or creating some short circuit, they will destroy your thousands or 10 of thousands dollars worth of HSMs. And that's really unfortunate in this case because it doesn't even take into account any loss of productivity here. So there was always the need that we perhaps have some better technology that could replace this battery-back technologies. And suddenly the puffs appeared. So now we will see how puffs could improve and perhaps later on replace this battery-based monitoring technology. So now we will go first to introduction to puffs, perhaps some of you are already familiar with puffs. For the other ones of you, I will shortly get to a simple explanation of physical, uncontrollable functions. So the word consists of three components. The first part is physical. So that means we need to have a measurable physical quantity. That can be anything. It could be a resistance. It could be a capacitance. It could also be some optical behavior or some radio wave propagation. We will see some examples later on. For this example, I will just use capacitance here. So then we also have the uncontrollable part. That means that we need some unique and random manufacturing variations in that this physical quantity. So it's very important that this manufacturing variation cannot be controlled precisely during production and that makes it uncronable. And for our capacitor, that may be something like surface roughness or the area of the plates of the capacitor that when it's a little bit large or a little bit smaller, so just like a normal manufacturing variation. And the last aspect is one of the most important ones. It needs to return some output after evaluation so it needs to be measurable. And that tells us we also need to measurement system here and perhaps we need to apply some post-processing against noise and so on. And for our capacitor, that means that if we expect a capacitor to have like 10 picofarads, in this case it has 10.05 picofarads and that 0.05 is your variation. So that is your path value that you want to evaluate in this case here. Okay, so now the idea emerged, we could use this paths in an enclosure. So let's fill an entire enclosure with small capacitors with a multitude of them and just wrap them around the embedded system. So that was our first idea. And each time we manufacture this enclosure, we get individual variations that are random each time. So here you can see some pattern that is created when you manufacture this enclosure. So some capacitors will be a little bit smaller, some will be a little bit larger and so on. And so you get a very, very individual pattern for this one enclosure that you have manufactured. And now you measure this variation and apply heat generation to that. And then you can create a device individual encryption key from that that you use to encrypt all the secret data on your module. And thereby now you have interlinked the integrity of your envelope with the readability of your data. Because only if the envelope contains the same path data, the same key will result from it. And each device will get its own individual key because this manufacturer variation, they're really unique here. Okay, so let's just compare this to the technology we already have. So battery backed solutions need continuous power supply that is supplied by batteries here. The temperature detection is done, for example, by checking the trace resistance. And if it's not okay, then we need to raise an alarm and do a temperature response here. So this temperature response mechanism here needs to trigger the serialization of the data here that deletes all the CSPs that are present on the module. So for all that, we need the batteries and we need specific actions here. So all this temperature detection circuitry has to work correctly to really delete all your data. If there's only one step that fails, your data won't be deleted and a taker will gain access to it. For puffs, this is entirely different. Puffs are battery-less. You don't need batteries anymore because if you power down your module, you will lose all your CSPs. But the next time you boot, you can regenerate them by generating the key from the enclosure again and decrypting all your encrypted CSPs. And that steps, step only works if your enclosure is still unmanipulated. So if an attacker manipulates your enclosure, they will manipulate also the puff values that are incorporated in this enclosure. And that will result in an incorrect encryption and decryption key here. And since this key is incorrect, then you cannot decrypt your data anymore. And so by this puff, we have the direct consequence that the data becomes undecryptable as soon as we tamper with the envelope. So we link the integrity of the envelope to the readability of the data. So there's no step in between that can fail. So that makes puffs very powerful. So where does this initial idea come from? So there was a very interesting publication that came out around 12 years ago and that was the coding path. The idea of the coding path was to just protect a single chip. So you take the chip you want to protect and apply the pattern you can see on the left on the upper metal layer. So this is some comp structure. And above this comp structure, you put in those particles here that are denoted by a P and they create a random distribution. And then you measure the capacitance between these two electrodes, E1 and E2. And depending on how the particles are laying on the chip, you get larger or smaller capacitances here. And from that data, you can create your puff. And then you can create a encryption, a decryption key and so on. So this works quite well. There's a publication that has shown that this works in practice. But unfortunately, of course, there's no protection of off-chip components. For example, like buses. So if you have any data stored outside of the chip, someone could, for example, eavesdrop the communication of the bus. And also if you have a multi-chip system, like in most embedded systems, you cannot really apply this method here. But nevertheless, it's a very interesting starting point. So there's also another idea and that's the Polymer Waveguide Puff here. It's one of the optical puffs. You have an LED here that emits light into our Polymer Waveguide. This light gets scattered and reaches an imager. And on this imager, there you see this scattering pattern and this is your puff and you can again create a key from that. This method was shown that it works in practice. Unfortunately, this method does not provide any backside protection. So it just protects the front side of the module. And we were also not able to obtain any statistical data regarding attacks here. So the idea seems to be quite interesting but it still has some flaws and would need further research. Now let's come to another idea that was presented some time ago. There was also an interesting conference talk on that last year at the Congress. So and that is the FISEC Puff. And it's based on the propagation of electromagnetic waves. So they put multiple receivers transmitters into a box that is shielded. And this rough shape of the surface of the box gives a very specific transmission pattern here. And they can evaluate this and extract the puff from that. They even demonstrated this publicly so you can see this online if you're interested. But unfortunately, I was not able to find any details to have a single model on how this works out. And I also suspect that it might be quite sensitive against vibrations and temperatures because wave propagation is a very, very delicate part and it might easily be influenced if there are small movements inside this casing or even by the casing itself. But nevertheless, it's a very interesting idea here. Now we will come to one of the enclosures, our solutions that we've developed at the Institute. And that is called betrepit. It looks a little bit like these common HSMs that we have seen here. It's a puff-based full enclosure so we entirely wrap the module. And instead of four layers, we only have two layers here. So this module is based on a capacitive puff that is measured between these two electrode layers. And we have also some dual security mechanism. So during startup, we check the puff. We can reconstruct our key from that. But when the model is running, we can also do some trace electrode integrity measurement here. So we can combine two methods. So our overall security is higher by using such a method here. So those traces are also really fine, like 100 micrometers in width and also in space here. So it's not very easy to temper with that. I tried it out on my own and it's difficult. You may be able to soldier a little bit on that but it's not very robust, so you easily break it. Fortunately, we have published all that. So if you are interested more in this technology, we have a statistical model, also something attacks and regarding the measurement. So here, we also have an example of how this enclosure currently looks like and how the HSM casing looks like where we want to wrap around our enclosure at some time in the future. So this enclosure has been manufactured in a special technology by the founder of EMFT. It's a very special technology that is currently not offered by any commercial vendor. So they developed a special process just to manufacture this enclosure here. Of course, we also need to measure it and therefore I have developed a measurement system that you can see here. You just plug in the enclosure from the top of it. And this system here can measure down to femtofarads that's 10 to the power of minus 15 that are really small capacitance variations that we have to extract here. And the same circuit can also measure the integrity of the traces. And this is only possible since this is an entirely custom mixed signal circuitry that we have set up here. On the software side, we are currently using a security enhanced version of free RTOS since this matches best to our needs here. So, and now I will also show you a small example of how our data looks like. So each blue star represents the capacitance variation of a single capacitor here. We have in our first prototype 128 of them and they can be measured entirely in less than 100 milliseconds here. So, and you can see that we have a variation that ranges just in the single digit femtofarad range for most of the values here. But also our integrity verification works quite well as you can see in the red box. There we had a broken trace in this envelope that was successfully detected by the circuit. So, this would have been a detected temporary event here. So, we also have an alternative method here that was developed in cooperation with Singapore's DSO National Laboratories. That is basically a comparable solution that's also based on a path-based cover. So, it's not a full enclosure anymore, but it's a cover that is on top and the bottom of the module. This is based on a commercial six-layer flex PCB. So, there are different vendors who are able to produce this cover, but however, since it's flex PCB technology, that's a quite expensive technology here. So, it's comparable in its statistical model as we have seen for Petropit before and also the measurement system works in a comparable manner here. So, this concept has been demonstrated in practice and extensive details have been published at the chess data conference that's currently occurring. So, there's also the paper linked below. So, if you're interested in this, you can also access this. Okay, but now we will ask why has the talk this name? So, why isn't Petropit deployed yet? Because we still have a lot of stuff to do that's ongoing research. For example, we have a very low mechanical flexibility. Currently, the enclosure fails when we try to bend and fold it because some of the traces are breaking. So, currently the EMFT is researching alternative materials that are more flexible here. Then also one of the issues is yield and cost, but personally I hope this could be resolved by just advancing in the production by getting more and more experience so that this could work out better finally then. Of course, as you have seen, the measurement circuit is about this size here so it's too large to incorporate it into an HSM. So, we also need to have a smaller measurement system here and therefore the Fraunhofer IMS is integrating this measurement system partially into an ASIC here that just takes less than one square centimeter of space. Last but not least, we still have observed some humidity and temperature effects that influence the puff output so we also need a lot of compensation algorithms here to tackle these issues and to understand them correctly. So, but these are only the technical issues that we are currently facing here. So, for example, you already said it's cost-reliability versus sensitivity. So, for example, if you have a very high sensitivity, your reliability will go down because you will not be able to differentiate between the, for example, temperature-induced variations and also variations that are induced, for example, by an attack. So, it's always a trade-off between sensitivity and reliability here. Also, the size of the enclosure is a very important factor here. If you can cover larger portions, larger HSMs, of course, you can have more, bigger market share here since you can address other customers too. So, but that's not the only issue here. So, we also have missing standards for puff-based HSMs here because puffs in HSMs are quite new topic. There exists no standard that addresses the assessment of puffs. So, how good is my puff that I am building and how good does it have to be to be used as protection mechanism, missing, for example, in a level for HSM. Then, the next issue is that there are a lot different puff technologies. So, like we have seen, there are optical puffs, there are capacitance-based puffs, there are RF wave propagation-based puffs. So, they all have to be summarized in a standard and that seems to be quite hard if not even impossible. And there are also very specific attacks that target each type of the puff. So, if I attack an optical puff, I may do it different compared to when I'm attacking a capacitance puff here. And finally, we also need some rules for key generation. So, how can we derive a key from the puff variations that we are extracting here? We also need some rules to get the right estimation for the entropy, for example. So, and finally, something that we must not overlook here are also the social aspects of puffs because there seems to be a lot of prejudice against puffs here. So, for example, there are skeptical researchers and also clients that say, like, puffs are a dead end. We got papers rejected because the reviewers didn't like the idea of puffs in general and they just said, well, like, puffs are a dead end. Your paper is rejected. I don't like the idea at all without giving it a chance or having a more detailed look into it. So, and there are also other aspects that, in my opinion, have to be discussed. For example, puffs could also be abused for DIM. And since puffs are very powerful technology to protect confidential information, it may also be something that is a real use technology here. And so, researchers sometimes don't really want to get into contact with puffs because they have fear of supporting something that they don't really like here. And that is something we need to take seriously in this case and we need to have a discussion about that. So, we have a discussion currently about artificial intelligence. So, we are now discussing whether these methods should have some limitations if we need laws to control them. And I think this could also be the point for puffs because if puffs become very good and powerful, the society should not be subjected to puffs. So, they should still be in control and we need to decide what can we really do with puffs and which areas do we want to keep puff free, let's say. So, there are very important points that have to be discussed. The technical and the standardization points, that's just more research and technical issues that have to be done. But we also need to have a discussion of the social aspect of puffs because I have never seen this anywhere before. And I think as puffs evolve more and more, this becomes a very, very important aspect here. Thank you. Thank you very much, Johannes. We have time for about one or two questions. So, if anyone wants to use the chance to ask about this very exciting new concept, we have microphone angels here in the row. So, please move to the microphones if you have a question. Yes, the first question from the microphone, please. Concerning the puffs based on capacitance, how far have you gone in trying to attack them because on the contrary to the other HSMs, if you take it apart, you are still left with quite a bit of the key material and it might very well be possible to reconstruct the rest. Yeah, that's a very interesting point because usually if you just, for example, drill away a small section of the enclosure, you may lose like one, two, three bits of the key, but not enough that you really can consider this key destroyed. So, that's still a question that has to be resolved. For the layout that we did our research on, we had, if you just did a drill attack, you destroyed at least like 16 electrodes in one direction and two electrodes in the other direction, two electrodes in one direction, two electrodes in the other direction. So, it was like several tens of electrodes that have been several tens of capacitances that have been altered all together. So, you won't destroy like a single capacitance here, you will destroy more, but you can still try to reconnect it afterwards. And that is some issue that I also currently doing some research on, on how much of this path can be reconstructed if I reconnect this traces here. So, in my personal opinion, I think we need to solve this on a material basis, like we need to have materials that you cannot solder onto, so that this reconnection is more or less impossible then. Thank you very much. We have a second question from this microphone. Yeah, you spoke a little about temperature and humidity effects and so on, but you haven't said anything about component aging. I mean, all capacitors shift value quite significantly as they age over months or years. So, will that not cause you to lose your key? So, you are asking about the aging of the puff? Okay, so aging is something we haven't looked into yet. So, it's something that we need some working, fully working prototypes first because we assume if we, for example, bend the enclosure around the HSM and we age this, then there could really be effects. So, we have to think about how we can tackle them and usually aging has one specific property and that is it happens very slowly. So, if the puff value changes very, very slowly over years, perhaps you could adapt this because an attacker wouldn't normally take several years to manipulate the puff in very, very small consistent steps. So, perhaps we could solve this by applying some special algorithm to correct this aging effects here. So, I think that could be a viable way here, but as I said, we need to do more research on that also. Thank you. Any other question from the other microphone? Hi, I would like to ask how do you back up the secret if it's unclonable? So, usually it's like in that way, for example, you want to load a private key into that HSM. So, that's like you have this private key loaded into that HSM and it gets encrypted with this unclonable key. So, this unclonable key serves as a master key that encrypts all the, let's say, subkeys that are inside this HSM. So, of course, you have to first load your keys that you want to use into that module. You can do something like an enrollment phase, but that depends on the application you want to use the HSM in. Thank you very much to all of your questions. Thank you very much, Johannes, for answering them. We're out of time, but I think that everybody was thoroughly answered and addressed. Please give another warm round of applause to Johannes for this very special and interesting talk.