[Cryptech Tech] Alpha board BOM and PCB design requirements

Warren Kumari warren at kumari.net
Sat Mar 14 21:39:45 UTC 2015


On Sat, Mar 14, 2015 at 9:02 PM, Павел Шатов <meisterpaul1 at yandex.ru> wrote:
> On 14.03.2015 23:22, Warren Kumari wrote:
>>
>> Well, one thing to keep in mind is that the CR2032 (or whatever) is
>> going to have to have enough power to monitor all of the tamper sensors
>> (temperature, vibration, optical, pressure, wire mesh, perhaps more
>> exotic) *and* have enough power left over to securely erase the MKM.
>> Something that we have not really discussed (but probably should) is
>> having a process that moves the MKM around every now and then, so that
>> we don't get cell burn-in (which apparently happens with SRAM too).
>>
>> All of this suggests (to me at least) that we will need something much
>> beefier than a little coin-cell. For example, one of the HSMs I took
>> apart had 2 D cell NiCad batteries inside the tamper boundary.  One of
>> the standard "lifetime" items in many HSMs is the battery - often
>> opening to replace it makes the key material evaporate... Having an
>> external battery connector doesn't seem to be very common - either
>> because the vendor thinks it might leak EMF, or, more likely because
>> they'd like to sell you a whole new HSM every 5 - 10 years.
>
>
> We should estimate average current consumption of the tamper detection
> circuit. We need to define a list of sensors that we want, find
> corresponding components and download their datasheets. Then write down
> current consumption of all the sensors. This will clearly tell us what kind
> of battery we need.
>
>>      > Btw, you want to use MSP430 in this circuit. What is it going to do?
>>      > Read some sensors and toggle its outputs accordingly?
>>
>>     Yes, and use SPI to erase the MKM in case any of the tamper sensors
>>     are triggered.
>
>
> Can we cut MKM power supply instead of erasing it? This should destroy
> memory contents.
>

I suspect erasing it (writing random(ish) stuff / walking patterns over
it) would be much better -- we really don't want to be subject to a
"cold boot" type attack (I'm presuming you've seen
https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf
?).
This is the obvious reason that we need a temperature sensor -- flash
flooding the envelope with e.g. liquid nitrogen to slow the clock (and
perhaps disable the tamper protection) and try to cause bit stickiness
is a standard attack.

W


>>     We opted for the MSP430 since it is well known to us (me).
>>
>>      > How is MSP430 programmed, btw? Will we need a special programming
>>      > cable for it?
>>
>>     The wiki mentions the use of the Spy-bi-wire interface to program it.
>>     Would be three pads IIRC. FWIW the MSP430 also supports serial
>>     programming using its BSL. We could add the ability to program it from
>>     the ARM (if a programming-enabled jumper is present presumably).
>
>
> I don't understand this. Shouldn't the tamper detection circuit be
> strengthened by isolating it from the rest of the system as much as possible?
>
> I don't like this bootloader in MSP430, it looks like a potential backdoor:
>>
>> The MSP430™ BSL enables users to communicate with embedded memory in the
>> MSP430 microcontroller during the prototyping phase, final production, and
>> in service. Both the programmable memory (FRAM memory) and the data memory
>> (RAM) can be modified as required.
>>
>> To use the bootstrap loader, a specific BSL entry sequence must be
>> applied. An added sequence of commands initiates the desired function. A
>> boot-loading session can be exited by continuing operation at a defined user
>> program address or by the reset condition.
>>
>> If the device is secured by disabling JTAG, it is still possible to use
>> the BSL. Access to the MSP430 memory through the BSL is protected against
>> misuse by a user-defined password.
>>
>> To avoid accidental overwriting of the BSL code, the code is stored in a
>> secure ROM memory location. To prevent unwanted source readout, any BSL
>> command that directly or indirectly allows data reading is password
>> protected. For more information about password protected commands, refer to
>> Section 3.2.
>>
>> To invoke the bootstrap loader, a BSL entry sequence must be applied to
>> dedicated pins. After that, the BSL header character, followed by the data
>> frame of a specific command, initiates the desired function.
>
>
> I once again suggest using something like PIC16/18 from Microchip. These
> MCUs are much simpler, they are 8-bit, not 16-bit. They have an order of
> magnitude less power consumption than MSP430. Another nice feature is that
> they have a high-voltage programming mode. You can buy or make your own
> high-voltage programmer (I have a hand-made JDM and a PicKit3 from Microchip).
> This high-voltage programmer can be used to completely disable low-voltage
> in-system programming mode, write-protect program memory and disable
> readback. You will physically not be able to change anything in this MCU
> without attaching a high-voltage programmer. I believe this is the right way
> to make a tamper detection circuit.
>
>
> --
> With best regards,
> Pavel Shatov



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
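Added illustration of the "erase it rather than cut the power" point in the reply above (writing random(ish) data and walking patterns over the MKM, and watching for bit stickiness). This is example code written for this page, not Cryptech or MSP430 firmware. It assumes the MKM is reachable as ordinary memory on the host running the example (on the real board the writes would go out over SPI, as the quoted reply says), uses a hypothetical 32-byte key store and a constructed sample key, and the choice of pass patterns is the author's of this example, not the project's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MKM_BYTES 32   /* size of the hypothetical master-key store (assumption) */

/* Overwrite passes: 0x55, 0xAA, walking ones, walking zeros, a pseudorandom
   pass, then a final all-zero pass. */
enum { MKM_PASSES = 6 };

/* Small PRNG for the "random(ish)" pass. State must be non-zero. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Byte that pass 'pass' writes at offset 'i'. Kept as a pure function of
   (pass, i, prng) so the read-back check can recompute what was expected. */
static uint8_t pass_byte(int pass, size_t i, uint32_t *prng)
{
    switch (pass) {
    case 0:  return 0x55;
    case 1:  return 0xAA;
    case 2:  return (uint8_t)(1u << (i & 7));    /* walking ones  */
    case 3:  return (uint8_t)~(1u << (i & 7));   /* walking zeros */
    case 4:  return (uint8_t)xorshift32(prng);   /* random(ish)   */
    default: return 0x00;                        /* final state   */
    }
}

/* Erase 'n' bytes at 'mem'. Every store and read-back goes through a volatile
   pointer so the compiler cannot drop them as dead stores (the usual way a
   plain memset() zeroisation disappears). Each pass is read back and compared
   against what was written; a cell that will not take the new value counts as
   stuck. Returns the number of failed read-backs over all passes (0 = clean).
   'seed' must be non-zero. */
size_t mkm_erase(uint8_t *mem, size_t n, uint32_t seed)
{
    volatile uint8_t *vmem = mem;
    size_t stuck = 0;
    for (int pass = 0; pass < MKM_PASSES; pass++) {
        uint32_t prng = seed ^ (uint32_t)pass;
        for (size_t i = 0; i < n; i++)
            vmem[i] = pass_byte(pass, i, &prng);
        prng = seed ^ (uint32_t)pass;            /* replay the same stream */
        for (size_t i = 0; i < n; i++)
            if (vmem[i] != pass_byte(pass, i, &prng))
                stuck++;
    }
    return stuck;
}

/* 1 if every byte reads as zero (through volatile), else 0. */
int mkm_is_zero(const uint8_t *mem, size_t n)
{
    const volatile uint8_t *vmem = mem;
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= vmem[i];
    return acc == 0;
}

/* Fill a store with constructed sample key bytes (not a real key), erase it,
   and report 1 if it was non-zero before, all-zero after, and no cell stuck. */
int mkm_selftest(uint32_t seed)
{
    uint8_t mkm[MKM_BYTES];
    for (size_t i = 0; i < MKM_BYTES; i++)
        mkm[i] = (uint8_t)(0xC0 + i);
    if (mkm_is_zero(mkm, MKM_BYTES))
        return 0;
    size_t stuck = mkm_erase(mkm, MKM_BYTES, seed);
    return stuck == 0 && mkm_is_zero(mkm, MKM_BYTES);
}

int main(void)
{
    printf("erase self-test: %s\n", mkm_selftest(0x12345678u) ? "ok" : "FAILED");
    return mkm_selftest(0x12345678u) ? 0 : 1;
}
```

On a host the read-back never fails, so the interesting output is only that the compiler kept the stores; on the target the same read-back loop is what would flag a cell that has been frozen or burned in, and would be the point at which firmware should refuse to report the erase as successful.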