For this talk in particular, I would really like to thank our partners from DSO because they allowed us to publish, which I think is really an exceptional thing to do, especially when it comes to the topic of tamper resistance and tamper evidence. I would also like to thank my colleague Johannes Obermaier. We have been really working a lot on this topic, so we really appreciate the opportunity to present the paper here today. So the physical security challenge we are always talking about looks like this. You have a box and the attacker can come from any direction, do any sorts of stuff, use any tool, any time and any technique to get inside that box and extract the secret. So this really makes it difficult to, I mean, protect from all these threats. And there is a talk that I really like, and I'm not sure if he's in the audience, but it's a talk by Ventzislav Nikov, who presented this at CARDIS 2016. It's called Security Outside the Black Box Model, and there is a figure that really inspired me. And this is kind of a traffic light system, so you have green for we're all good, red for not so good, and then he looked at various topics. So if we look at the top, we see protecting hardware crypto implementations in the gray box model against side channels, fault attacks, combined attacks, coupling and reverse engineering. And we see from green that goes to yellow, orange, some other color and red, and then he looks into various other topics. So I think this is really kind of the agenda we need to look into in the future, so how to turn these red boxes into green boxes. And of course, we might start somewhere up here and work on this topic, but of course, as young desperate PhD students, we thought like, okay, let's start at the bottom. Protecting any platform in the white box model against physical attacks. Of course, we should at least try. I do not guarantee that we succeeded, but at least we should somehow try.
So if we talk about security enclosures, you can think of this as some kind of access denial system. So the goal is always to detect and counteract any type of physical attack. So we have the tamper detection, which is basically a trip wire approach, using some sensors for that. Then you have the tamper response that you initiate, and then you have the zeroization, which is some kind of self-destruct sequence of your device. So either you blow some fuses, or you wipe the volatile memory holding the critical security parameters. And for that to work, you typically have battery-backed mechanisms for providing this continuous protection, such that even if the device is powered off, the sensing still continues to work. So some commercial examples for that are, for instance, the ADP Gauselmann database module. So that's a German company providing this module for slot machines to ensure or prevent tax fraud. Then we have the HP Atalla module, which is a FIPS certified hardware security module at levels three and four. And then this is kind of my favorite, a real masterpiece of security. It's called the IBM cryptographic coprocessor featuring the so-called Gore envelope. And across all these commercial examples, what we see is active meshes, obfuscation, light sensors, switches, potting, so all sorts of things to really make it secure. But of course it's more in the domain of black box modeling. So what they also have in common, you can see it perhaps here, there's a battery and there's a battery and here would have been a battery, but I took them out before I did the analysis. So if we look at the high level goals of these access denial systems, we see there is always a trade-off between producibility, usability and security. So of course we can look at very complex manufacturing processes, but then the usability and the security might be impacted or it might be very expensive. But in general, they tend to be expensive anyway.
So what most people look at is the desired level of security for these access denial systems. And typically they want that there is no way to somehow circumvent the security mechanism. So what you achieve when using these access denial systems is that you're secure in the field, you prevent all physical attacks in the field. But of course you also prevent hardware trojans in the distribution chain. So if you send your device somewhere, you can be quite sure that it has not been tampered with. So when we apply these criteria to the previously shown examples, then when it comes to producibility, we saw this envelope from the IBM hardware security module. There the manufacturing is quite complex, but it provides the highest geometrical security because your device is fully enclosed. If we look at covers and shells, they are of course less complex but also less secure. Then in terms of usability, the battery really makes an impact because it typically limits the operating range with regard to temperature. The shelf life of course is also limited and usually requires additional service to maintain the batteries if you just shelve the device. And from a security perspective, what is quite interesting, since all these devices run from a battery, you need to be really energy preserving in the sensing that you do. And this typically leads to a rather crude measurement resolution of the sensors and circuits that you use. They're also a little bit more prone to a single point of failure at the PCB level. So you just cut off the alarm or apply some fake check signal and then you get past that, and it's a security mostly based on a black box model. So how can we do better? So what if I told you these machines no longer need a battery and we can do without them and, even better yet, we can do it in a white box model? So let's have a look at that. And to no one's surprise, it's based on tamper-evident PUFs as the proposed alternative.
If you ask me, but of course I'm slightly biased, that's the true purpose of a PUF. It's not key stores, it's tamper detection without having battery-backed sensors. So if we power on the device, we do the key derivation from the tamper-evident PUF enclosure. And if it fails, we have our goal achieved; we could still initiate further countermeasures. And if it succeeds, we at least are reasonably assured that no one tampered with the system and we can unlock the critical security parameters or decrypt the system. Unfortunately, there's very little public work in this area, which is why I would like to encourage you to have a look at this and make it even better. But still it's a move towards a white box PUF design without diminishing the security. So the whole idea is we can publish the architecture such that people can check the concept, which is the white box approach, without diminishing the security. Of course we can still throw in a little bit of obfuscation which makes it even more difficult to attack. So the proof of concept that we did is, here you see to the right, it's a flex PCB cover about 14 times 14 centimeters. And the architecture looks like this. We have different domains. So one we call the physical domain, then we have the analog domain, the digital domain and the application domain. So these are separated into units just because of the reason we didn't do any customized circuitry. So we use commercial off-the-shelf components. So we have what is called the evaluation unit and the host system. And what we will focus on here is primarily the evaluation unit where we do capacitance measurement, integrity detection and some other stuff that is going to be explained as part of the next slides. So the design goals and security objectives that we wanted to achieve with that are to investigate how far we can get just using commercial off-the-shelf components.
Also to check the validity of the concept and if it's worth developing further and investing more money in it. Also shifting the scope of the protection mechanism such that we make the physical integrity check as complex as possible and bury it deep inside the IC such that just PCB level tampering no longer works. And what we also wanted to achieve is a concept that scales with future advancements in manufacturing. The security objectives, simply put, are: deny physical access. The disassembly must be destructive. We want the attacker to make multiple holes to circumvent the security mechanism, maximize the distance from the enclosure surface to the insides of the targeted chip. The entropy loss upon attack should of course be substantial such that it's not possible to reconstruct the secret from the remainder that the attacker might extract. Increase the need for customized tooling, and the considered diameter is 300 micron, which, at least back then when we did this work, is in line with the security certifications from Common Criteria and FIPS and so on. So if we look at the layer stack-up that we have in this cover that I showed to you on the previous slide, we have five metal layers and those that are really relevant are the shield, the so-called TX electrodes, the RX electrodes and the other shield. And between these electrodes there's a mutual capacitance, and since there's a mesh that I will show on the next slide and the intrinsic manufacturing variations, this mutual capacitance is our PUF. So on a logical level, what it looks like is we have our cover and then this is like a matrix with 16 RX electrodes, 16 TX electrodes, and the opposite ends of these electrodes are routed back to the circuit to allow more advanced sensing. So the sensor mesh concept looks like this.
We always have these two pairs of electrodes that are being routed on one layer and also on the other layer, and then we have these small overlaps, and due to the etching process we have a little bit of under-etching and impurities of the material, and if you measure precisely enough then you see that there is indeed variation. So it's purely intrinsic variation from the PCB manufacturing. So the stochastic model for that is really simple. All tiny overlaps, all tiny track overlaps behave like capacitors in parallel. This mutual capacitance has a nominal offset which we call CN, and then we have this variation CV which is really, really, really small compared to the nominal value. So what we need is a really high-resolution differential measurement to cancel out the common offset CN and just extract the variation CV. So we built an analog and digital measurement circuit. This is the measurement chain. So from left to right we have some excitation signal, which is two anti-phasic signals that combine in the cover, and then we have a complex current as a result that is representative of the differential capacitance, and then we process that further and sample it again in the IC. So we have different measurements of a different nature such that they complement each other, and just tricking one measurement won't do the job, so as an attacker you would have to trick all the various measurements, which in this case is an absolute capacitance measurement measuring the mutual capacitance, the differential capacitance measurement, and the integrity check just to see if there's an open or short circuit in the electrodes. Applications for that are, for the integrity check, to do rapid measurements and the factory initialization; for the differential measurement, to do the key generation and on-the-fly rate and range limits; and for the absolute measurement, to do additional tamper detection, and it could also be used as a temperature sensor. So the whole boot process looks like this.
We have the power-on event and our device is running. We check if the electrodes are broken somehow. We start the measurement circuit, and from the same set of data that we acquire we do the key generation; at the same time we start some runtime tamper detection systems that limit the rate of change and the range of values. And then in addition to that we check if the absolute capacitance values differ too much from what we expect, and of course then we continuously repeat these measurements and start decrypting the system, and if everything is okay then we can start using the system. So basic statistics have been acquired from a set of 115 flex PCB covers at almost constant environmental conditions, so constant voltage, AC controlled room and so on, and the differential capacitance and the PDF we get for that somehow matches our expectation, not perfectly but reasonably close enough, and for the absolute capacitance measurement we see that there is some variation for each of these sensor nodes that we build as part of our mesh, but these small crosses always appear in pairs, so indeed neighboring electrode pairs have the same offset. So the overall message here is that the data is in line with the expectations and the low noise measurement that we have is essential for this type of application. Now when we look at the entropy and the PUF assessment on a global level, we can do Shannon entropy over the whole PUF population; then the entropy per measurement node we get at first is relatively high at room temperature, but if we account for the temperature drift and everything, then of course we need to reduce the entropy that we extract.
Then I was talking about the uniqueness over different distance metrics, so this is the uniqueness over Hamming distance for symbols or a higher order alphabet, so it's no longer centered around 50%, because if you have bits the best case you can have is that 50% of your bit string changes, but if you have symbols and a higher order alphabet then the number of symbols that should change is much higher depending on the size of the alphabet. So this is just showcasing the uniqueness for the changed symbols and this is the uniqueness for combined symbols and magnitude, and as we can see here there's still room for improvement because not all the symbols change all the time and not by half of the maximum possible magnitude, so this is a rather strong uniqueness metric that we impose on ourselves, which is unfortunate because the plot does not look so nice. So if you look at uniqueness for tamper-evident PUFs, really start looking beyond Hamming distance over binary responses. Something else that we did is a more localized entropy assessment, for which we use a spatial context tree weighting. So here we wanted to investigate the spatial entropy dependencies: you make a hole in the cover and then as an attacker you're given all the information around it based on a different radius, and what we see here is that the entropy is lower than what we saw beforehand, so indeed there is a degradation that exists due to the crude layout and the PCB process, but we already have a way of fixing that. So this is a rather strong attack for the attacker, and of course that's the strongest possible attack anyway, that the attacker gets the PUF output, and yeah, that's work together with Michael Pehl of TU Munich that still needs to be published.
We also have more data, more attacks and more environmental tests in the paper; it's just way too much to present in any useful way as part of this talk. So here we did some temperature tests, some X-rays and also attacks on the cover. So the conclusion is: this is still only a very tiny step towards access denial systems without a battery, and we definitely need this full stack approach to get the tamper-evident properties, and just using commercial off-the-shelf components has its limits, especially regarding repairs that the attacker can perform. The development of these access denial systems in a white box model I think is very challenging, but I hope it can be solved during the next years, and as always, use a layered approach to security, so it wouldn't make any sense to use an access denial system and not protect against side channels on the circuit level itself. So future work is regarding layout randomization, because the layout that we used was fixed. So what you can do here is just artificially increase the number of electrode pairs and then, before the measurement, recombine them based on a challenge that you select, and here this concept of challenge response naturally translates to layout randomization where you also break up local dependencies, so if this PUF would be built then the spatial context tree weighting would yield better results.
Another thing that could be done is to customize the PDF, so we could somehow impregnate different nominal values without changing CV. Right now we have only been working on a Gaussian distribution, but there are some ideas how to change that to a bimodal or arbitrary PDF, for which the equidistant quantization approach again is the better choice because you don't rely on the shape of your PDF. Something else is of course to tailor the materials to increase CV and reduce CN to improve the local entropy loss and of course make repairs more difficult, and there are many more things that need to be done, and I really hope to see progress in that domain. With that I would like to conclude my talk. Thank you again very much, see my updated contact information, and I'm ready for questions. So we have time probably for only one question. Which slide, say again please? Oh, that one. Yeah, so the slides will be available online, right? Yes. Yeah, you can also find me on LinkedIn and just send me a message. Any other questions? Okay, and let's thank the speaker again. Thank you so much. Before closing this session I would like to announce that today we have also a poster session and we have 10 posters. If you'd like you can join us at the Augusta Ballroom on the 7th floor at 6 p.m. Thank you.