[Cryptech Tech] [FORGED] Fwd: [FORGED] Fwd: Status tamper detection and MKM erasure (low dose gamma ray)

[Peter Gutmann]

Richard Lamb <slamb at xtcn.com> writes:

>I am honored.  Whit has spoken highly about you to me.  

Hmm, and I'm honoured that Whit spoke of me :-).

>"discern" was the primary concern through sram imprinting accelerated by 
>radiation (https://ttu-ir.tdl.org/ttu-ir/handle/2346/58641) 

Ah, OK.  So that's not going to be much of an issue compared to the SEU's 
you'll be experiencing in your crypto with that level of ionising radiation.  
Given that he's talking about 100kRad of gamma that'll be for space use, what
you encounter in a reactor environment will typically be much lower levels, 
and then there'll also be fast and thermal neutrons (typical gamma rates
there are 5/10/15kRad and varying levels of neutron flux, with the mix being
50% gamma and 25% each fast and thermal neutrons).  So in the pure-gamma case 
you detect SEUs and restart, and your real concern is with single event 
latchup (SEL) or burnout (SEB) because you can't replace the part if it's in 
low earth orbit (SEL can typically be recovered through a power cycle, SEB 
can't).  Permanent problems are far more likely with neutrons than gamma.

Also, imprinting isn't just caused by radiation, it can also happen in
things like SRAM due to storing the same value for extended amounts of time.  
I mention this in my 1996 paper "Secure Deletion of Data from Magnetic and 
Solid-State Memory", with more detail on what's going on in "Data Remanence 
in Semiconductor Devices" from Usenix '01.  IANAL, but even if someone 
patented this before the 1996 paper was published, the patent would have 
expired by now (there's lots of other work in the area, but I think those ones
are significant in patent terms because they mention the use of bit-flipping 
to protect cryptovariables).

I think the detection of ionising radiation in HSMs today would be more
for fault attacks than imprinting, for most of the public-key cryptosystems
if you can glitch the private-key op you potentially leak the private key
(ECC stuff is really bad in this regard), so you wouldn't want to bathe the
device in radiation, you'd just want a small number of events to glitch the
private-key op and leak it.

On a related note, I'm currently working on characterising the effects of
ionising radiation on crypto, if anyone has any experience with FreeRTOS
and doesn't mind working for s**t wages (it's self-funded :-), let me know.
Once I get the gamma and neutron traces I'll publish the data so anyone
can simulate the effects by replaying the events into a VM.

Peter.