GM/T 0084-2020 English PDF (GMT0084-2020)
GM/T 0084-2020 English PDF (GMT0084-2020)
GM/T 0084-2020: Guideline for the mitigation of physical attacks against cryptographic modules
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE REPUBLIC OF CHINA
CCS L 80
Guideline for the Mitigation of Physical Attacks
against Cryptographic Modules
ISSUED ON: DECEMBER 28, 2020
IMPLEMENTED ON: JULY 1, 2021
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4
1 Scope ... 5
2 Normative References ... 5
3 Terms and Definitions ... 5
4 Abbreviations ... 6
5 Overview of Physical Security ... 6
6 Physical Security Mechanism ... 7
6.1 Overview ... 7
6.2 Tamper-proofing ... 7
6.3 Tamper Resistance ... 7
6.4 Tamper Detection ... 8
6.5 Tamper Response ... 8
6.6 Tamper with Traces ... 8
6.7 Physical Security Factors ... 8
7 Physical Attack Techniques ... 9
7.1 Overview ... 9
7.2 Internal Probe Attack Technique ... 9
7.3 Processing Technique ... 10
7.4 Energy-converged Cutting Technique ... 11
7.5 Power Attack Technique ... 11
7.6 Environmental Condition Modification Technique ... 12
8 Physical Attack Mitigation Techniques... 13
8.1 Overview ... 13
8.2 Tamper Resistance Technique ... 14
8.3 Technique of Tamper with Traces ... 14
8.4 Tamper Detection Technique ... 16
8.5 Tamper Response Technique ... 18
9 Development, Distribution and Operation ... 19
9.1 Overview ... 19
9.2 Development ... 19
9.3 Distribution ... 20
9.4 Operation ... 21
Bibliography ... 22
Guideline for the Mitigation of Physical Attacks
against Cryptographic Modules
This Standard specifies the physical security mechanism of cryptographic modules, physical attack methods, mitigation techniques used to prevent or detect these attacks, as well as mitigation measures at different stages of the life cycle, such as: development, distribution and operation, etc.
This Standard is applicable to the guidance for the implementation of physical attack mitigation techniques in cryptographic modules and the verification of the tested cryptographic modules to achieve the most essential security assurance. 2 Normative References
The content of the following documents constitutes indispensable clauses of this document through normative references in the text. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document.
GB/T 25069 Information Security Technology - Glossary
GB/T 37092 Information Security Technology - Security Requirements for
3 Terms and Definitions
What is defined in GB/T 37092, and the following terms and definitions are applicable to this document.
3.1 Data Imprinting Attack
Data imprinting attack refers means to take measures (such as: radiation and high temperature, etc.) to solidify the data in the memory circuit or the equipment containing sensitive information, so that the data cannot be written-in or modified for a certain time.
3.2 Physical Attacks
Physical attacks refer to attacks that cause physical modification or abnormal operation restricts or prevents unauthorized physical access to computing systems by virtue of facilities, such as: guards, cameras, fences and buildings, etc.
The effectiveness of physical security satisfies the following conditions: when an attack is encountered, during the beginning of the attack or the subsequent penetration and destruction, the probability of the attack?€?s success shall be extremely low, and the probability of detecting the attack shall be extremely high.
Physical security mechanism refers to the defensive measure used to protect sensitive data when encountering unauthorized physical access. It includes the utmost difficult to make unauthorized physical access to data (tamper resistance), the possession of a trigger mechanism used to prevent attacks (tamper detection) and the capability of saving traces of an attack attempt and finding previous attack attempts (tamper with traces) in the subsequent detections, etc.
For the cryptographic modules, physical attack refers to an attack that causes physical modification or abnormal operation of the cryptographic modules and performs unauthorized physical access to the cryptographic modules. The mitigation of physical attack refers to the defensive measure used to hinder or mitigate the physical attack. The cryptographic modules not only have physical security threats when in use, but also may be subject to physical attacks at different stages of the life cycle, such as: development, distribution and operation. Thus, the cryptographic modules shall have the capability of mitigating physical attacks during the development and distribution stages.
6 Physical Security Mechanism
The physical security mechanism shall be applicable to different technical implementations, application environments and attack scenarios. Commonly seen physical security mechanisms include physical security mechanisms listed in 6.2 ~ 6.7 and physical security factors that may affect system security.
Tamper-proofing refers to a physical security mechanism that can resist all known attacks and possible sudden attacks.
6.3 Tamper Resistance
Tamper resistance refers to the capability of providing protective measures to prevent physical security attacks and unauthorized physical access to data. For cryptographic modules that only have tamper resistance, only when tampering occurs does the owner of the cryptographic modules become aware of the occurrence of the tampering. 6.4 Tamper Detection
Tamper detection refers to the cryptographic modules?€? automatic determination of the behavior that attempts to destroy the physical security. After the cryptographic modules detect the intrusion behavior, they shall immediately and automatically respond. 6.5 Tamper Response
Tamper response refers to the action automatically taken by the cryptographic modules when the behavior that attempts to destroy the physical security of the cryptographic modules is detected. For cryptographic modules that rely on external responses, the operation of alarm may be adopted. For cryptographic modules that cannot rely on external responses, the operation of erasing or destroying secret data may be adopted. 6.6 Tamper with Traces
Tamper with traces can ensure that after the tempering occurs, the evidence left by the tampering will be retained by the cryptographic modules. This mechanism is achieved by chemistry or a combination of chemistry and mechanics. There shall be a long-term effective audit strategy in the cryptographic modules.
6.7 Physical Security Factors
6.7.1 Volume and weight
When realizing the physical security mechanism, the influence of volume and weight shall be considered in combination with the practical application, so as to increase the difficulty of attack.
6.7.2 Mechanism of mixing and layering
Multiple layers and multiple types of physical security mechanism may be adopted to increase the difficulty of attack. Commonly seen hybrid mechanisms include (but are not limited to) the combination of tamper response and tamper resistance, and the deployment of the mechanism of tamper with traces at the periphery of the tamper resistance or tamper response mechanism.
---Combination of tamper response and tamper resistance. If the attacker enhances the techniques and can destroy the cryptographic modules with
tamper resistance, the cryptographic modules shall be able to respond and reset the internal sensitive security parameters or data to zero before being destroyed.
---The deployment of the mechanism of tamper with traces at the periphery of the tamper resistance or tamper response mechanism can prevent attack attempts within a certain time. Periodic regular audits may find traces of tampering before the cryptographic modules are completely destroyed and allow other mitigation 7.3 Processing Technique
Processing technique refers to the removal of the outer packaging, detachable cover or encapsulating material by cutting and drilling the outer packaging, encapsulation or detachable cover of the cryptographic modules to access the circuit under the outer packaging, encapsulation or detachable cover. After the above-mentioned material is removed, probe attack will be possible.
If the cryptographic modules are protected by a physical security mechanism, the attacker shall be able to perform processing operations on the premise of not touching the sensor or leaving any evidence. After the encapsulating material is removed, the attacker shall be able to disable or bypass the sensor and carry out a probe attack. If the cryptographic modules are protected by the system of tamper with traces, the attacker shall be able to overwrite the evidence after completing the attack. 7.3.2 Manual material removal
Manual material removal refers to the removal of material from encapsulated or airtight containers by using tools like a knife and without triggering the sensor. 7.3.3 Mechanical processing
Mechanical processing refers to a method of material removal that can be completed in a short time using mechanical equipment.
7.3.4 Waterjet processing
Waterjet processing refers to a method of material removal using high-pressure waterjet.
7.3.5 Laser processing
Laser processing refers to a method of material removal using laser. In accordance with the characteristics of the material, the wavelength and intensity of the laser should be adjusted.
7.3.6 Chemical processing
Chemical processing refers to a method of completely removing the coating and encapsulating material through chemical reaction by spraying corrosive solvents. 7.3.7 Sandblasting
Sandblasting refers to a method of accurately removing a small amount of material through high-speed jetting of abrasives, which can achieve micron-level cutting. ?€?Sand?€? refers to various abrasives ranging from sand to silicon carbide.
7.4 Energy-converged Cutting Technique
Energy-converged cutting technique refers to a material removal technique that accurately penetrates the external packaging at a high speed, causing the circuit to fail before triggering any response. After the external packaging is unwrapped through the energy-converged cutting technique, the attacker shall restore power to the memory before the contents stored in the memory completely disappear.
7.5 Power Attack Technique
Power attack technique means to destroy the normal working state of the internal circuit of the cryptographic modules through the mode of applying a strong energy field to the cryptographic modules, so as to obtain sensitive information in the cryptographic modules.
7.5.2 Radiation data imprinting attack
Radiation data imprinting attack refers to the use of radioactive materials to radiate the X-ray band (and possibly other bands) to CMOS RAM that stores the key or other secret data, and physically destroy the RAM unit without considering the power failure or overwriting mechanism, so that the contents in the RAM unit are ?€?solidified?€?. The RAM unit can be read when it is idle.
7.5.3 Temperature data imprinting attack
Temperature data imprinting attack refers to the use of a relatively low temperature (below 0 ??C) to imprint data on CMOS RAM, so that the RAM retains its contents within a few seconds to a few hours after power failure. The lower the temperature is, the longer the contents in the RAM will be retained. The operation of overwriting will erase these contents.
7.5.4 High voltage data imprinting attack
High voltage data imprinting attack refers to the injection of a short-time high-voltage pulse signal into CMOS RAM to imprint the contents in the RAM in a mode similar to the radiation data imprinting attack.
7.5.5 Abnormal high and low voltage
Abnormal high and low voltage refers to the induction of abnormal behaviors in the circuit by changing VCC to an abnormally high or low value. The abnormal behaviors include (but are not limited to) processor misinterpretation of instructions, failure of erasing or overwriting circuits, and retention of unnecessary data in the memory, etc. and forcing the equipment to enter an unpredictable state. Operating the equipment under an unpredictable state may undermine the security of the equipment. 7.6.3 Equipment external encapsulation failure attack
Equipment external encapsulation failure attack refers to the adjustment of the operating temperature that can destroy certain protection mechanisms, for example, tampering with the encapsulating materials or adhesives of the seals.
8 Physical Attack Mitigation Techniques
This Chapter specifies the attack mitigation techniques involved in physical security. The attack mitigation techniques are divided into four types: tamper resistance technique, technique of tamper with traces, tamper detection technique and tamper response technique. Each type of mitigation technique contains multiple mitigation methods, and with the continuous improvement of technology, new mitigation methods will be generated. This document only specifies the commonly seen mitigation methods.
The tamper resistance technique can prevent processing and energy-converged cutting attacks, and other attacks that take processing and energy-converged cutting as the pre-step.
The technique of tamper with traces cannot prevent the attack or entry into the protected area, instead, it leaves evidence of the attack or entry operation for further detection.
The tamper detection technique utilizes sensors that detect a certain type of physical signal or physical quantity to automatically detect and determine the behavior of attempting to use the corresponding physical signal or physical quantity to undermine the physical security of the cryptographic modules. For example, the voltage sensor detects the power supply voltage of the circuit of the cryptographic modules. The tamper response technique refers to the operations automatically taken by the cryptographic modules when a physical attack behavior is detected, making it difficult for the physical attack to achieve the purpose of stealing sensitive security parameters and avoiding further attacks.
The mitigation techniques specified in this Chapter may make it difficult for one or more physical attacks to achieve the intended purpose of attack. Whether each mitigation technique can successfully resist specific physical attacks is closely related to the physical characteristics of the cryptographic modules, the strength of specific physical attacks and the selection of technical parameters and indicators of mitigation, etc. Specific analysis of specific scenarios is necessary. This document does not quantitatively measure the feasibility and effectiveness of the mitigation techniques. 8.2 Tamper Resistance Technique
The tamper resistance technique is often implemented through two modes. One mode is to resist the attack by choosing materials that are difficult to penetrate or increasing the thickness of the materials, which can prevent processing, probe detection, power or chemical attack. The other mode is to firmly attach the equipment to the tamper- resistant barrier, so that the attempt of either separating the equipment from the tamper-resistant barrier or directly penetrating the barrier will cause damage to the equipment being protected.
8.2.2 Hard shell
Hard shell refers to the use of a shell made of hard materials that can prevent processing, probe detection, power or chemical attack.
8.2.3 Conformal coating
Conformal coating refers to conformal coating of various thicknesses that can be directly attached to electrical components or printed circuit boards. The conformal coating can protect the printed circuit boards or components from moisture, fungus, dust, corrosion, abrasion and other damages triggered by environmental stresses. Hard and opaque conformal coating should be used to prevent processing, probe detection, power or chemical attack, and prevent access to actual implementation details.
8.2.4 Insulating substrate
Insulating substrate refers to the use of materials that cannot be penetrated by infrared lasers to replace silicon materials in the paint.
8.2.5 Special semiconductor topology
Special semiconductor topology refers to the disturbance of the layout of the chip to prevent the key structure of the chip from being exposed.
Opaque refers to the use of opaque shells or conformal coatings to prevent visual inspection of the structure of the equipment.
8.3 Technique of Tamper with Traces
checking the change of resistance value of the stress deformation tester inside the shell.
8.3.8 Disposable photosensitive material
Disposable photosensitive material refers to an instrument used to measure an object that has been irradiated by light waves of different wavelengths. The tester shall be placed in an appropriate position of the cryptographic modules. If the wavelength of the irradiated light changes, the photosensitive material in the tester also undergoes irreversible changes in appearance. The illumination variation of the operating environment shall be detected by recording the changes in the appearance of the photosensitive materials.
8.3.9 Gas analysis
Gas analysis means that when the shell is damaged by an attack, the damage of the shell can be detected by monitoring the change of the composition of gas injected into the shell. Common gas analysis includes one-time gas pressure test and one-time composition change test. One-time gas pressure test detects the damage of the shell (the air pressure drops or is no longer vacuum) by checking the change of the air pressure inside the shell. One-time composition change test detects the damage of the shell by checking the change of the gas composition inside the shell.
8.3.10 Dose sensor
Dose sensor means to detect the radiation data imprinting attack by checking the change of the total radiation dose in the dose sensor.
8.3.11 RFID polling
RFID polling means to detect whether the physical location of the cryptographic modules has changed or been replaced by polling the RFID tags embedded in the equipment or the shell.
8.4 Tamper Detection Technique
8.4.1 Voltage sensor
Voltage sensor means that in order to ensure normal operation of the circuit, the power supply of the circuit shall be detected. Any operation beyond the scope of normal operation shall be considered as an attack and shall be responded to. The voltage monitor shall not be affected by power supply changes.
8.4.2 Probe sensor
Probe sensor refers to the detection of active physical attacks by a set of sensors. The probe sensor shall be sufficiently sensitive and / or small.