[Cryptech Tech] offline attacks on open hardware vs secure chips

Antoine Beaupré lwn at anarc.at
Sun Sep 17 13:40:46 UTC 2017


Hi,

I'm writing a review of OpenPGP keycards (yubikey, FST-01, Nitrokey,
etc) for LWN.net and one of the things I need to cover is the question
of the "closing" of the Yubikey 4, switching from a partially closed to
a fully-closed model. Their rationale is explained here:

https://www.yubico.com/2016/05/secure-hardware-vs-open-source/

In particular, I find this paragraph interesting:

> Given these developments, we, as a product company, have taken a clear
> stand against implementations based on off-the-shelf components and
> further believe that something like a commercial-grade AVR or ARM
> controller is unfit to be used in a security product. In most cases,
> these controllers are easy to attack, from breaking in via a
> debug/JTAG/TAP port to probing memory contents. Various forms of fault
> injection and side-channel analysis are possible, sometimes allowing
> for a complete key recovery in a shockingly short period of time. In
> this specific context (fault injection and side-channel analysis), an
> open source strategy would provide little or no remedy to a serious
> and growing industry problem. One could say it actually works the
> other way. In fact, the attacker’s job becomes much easier as the code
> to attack is fully known and the attacker owns the hardware
> freely. Without any built-in security countermeasures, the attacker
> can fully profile the behavior in a way that is impossible with a
> secure chip.

In effect, this is a reasonable point: open hardware *may* just be more
vulnerable to such attacks than "secure chips" (whatever that
means). Now, I personally feel this argument isn't so great: you just
shift the trust into proprietary hardware, and you have no guarantees
that it is doing anything you actually need it to do - I think I have
plenty of resources to articulate that fundamental free vs closed design
argument on my own.

However, I wonder if there is a less theoretical argument to be
made. For example, I notice that in the 3G design here:

https://trac.cryptech.is/wiki/Hardware

There is a "tamper detection" chip that I guess is designed to work
around physical tampering? Is that something that could address the
concerns of the Yubico people above? Or is this just protection against
physical tampering?

I guess another way to ask the question is: how exactly does that
"secure hardware" work that it makes it so attractive to the Yubico
people? Why can't that be implemented in an open design? Yubico seem to
say there are no "major players" providing such a chip design - but
couldn't such a system be designed with multiple commodity hardware
components without putting all the trust in a single chip?

Is that what the Cryptech designs are trying to do?

Thanks for any comments or feedback,

A.

-- 
Antoine Beaupré
LWN.net
