Originally begun as an investigation to detect attempts to tap into an electrical cable, the emergence of modern encryption hardware rendered impractical attempts to protect communication media such as a cable.

Figure 1. Tamper Respondent Sensors can be provided in an array of physical formats.
The government and end users of encryption modules, however, quickly recognized that cryptographic keys were much easier to steal by physical probing than by breaking the code. Getting access to the leads of a memory chip can allow readout of its contents. Even a BGA-mounted Flash memory chip can be desoldered, and its contents revealed. If an operating device can be probed while operating, hackers can eavesdrop on a communication bus to gain sensitive information.

Figure 2. Module Protected Against Physical Hacking with the anti-tamper intrusion sensor.
The National Institute of Standards and Technology (NIST) led a government/ industry work group to develop “FIPS 140: Security Requirements for Cryptographic Modules” to provide defined levels of security. The most secure, Level 4, requires “a complete envelope of protection around the cryptographic module.” While directed at cryptographic modules, the principles are common with any embedded system that stores sensitive information or is vulnerable to physical hacking.

A sensitive tamper envelope was developed to trigger a response upon attempts at physical probing into electronics. A finely honed balance of cohesive and adhesive properties of conductive ink-tracks on a wrappable polymer film provides precise “frangibility” of an all-polymer flex circuit (see Figure 1). Once triggered, an unattended, protected module can initiate a response, typically a zeroization of cryptographic keys or embedded software.

Used to protect modules certified to FIPS 140-2 Level 4 and various other standards, this polymer flex circuit embodies three key attributes within one technology: invisibility to analysis including X-rays [deterrence], high complexity of possible bridging attacks [delay], and sensitivity to fine hole penetration or sensor removal [detection].

As with traditional flex circuitry, many options exist for size, shape, and complexity. Integrated into an OEM’s hardware packaging scheme, GORE™ Tamper Respondent Sensors can be provided in an array of physical formats to create a protected 3D space for the components storing the critical information (see Figure 2). For each physical format and application, sensors can be specified over a range of security protection levels.

Though developed to protect cryptographic keys in hardware security modules, OEMs need to protect intellectual property such as sensitive algorithms in embedded systems. The U.S. Department of Defense requires that such anti-tamper protection deter reverse engineering, technology transfer, and exploitation or countermeasure development of critical technology contained within weapon systems. While all good security is layered, strong security generally requires “active volume protection” with sensing and response.

This work was done by Dale D. Murray of W.L. Gore & Associates. For more information, Click Here 

Defense Tech Briefs Magazine

This article first appeared in the October, 2009 issue of Defense Tech Briefs Magazine.

Read more articles from this issue here.

Read more articles from the archives here.