EEVblog Electronics Community Forum

Electronics => Projects, Designs, and Technical Stuff => Topic started by: x84 on January 07, 2017, 07:32:31 PM

Title: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: x84 on January 07, 2017, 07:32:31 PM
Greetings,

In the realm of computer security, protecting against an adversary who has physical access to your computer represents a formidable challenge.  With physical access, all sorts of bad things can be done, such as splicing into buses and reading sensitive information directly from chips.  One idea to guard against this is to encase the entire motherboard with epoxy or resin of some sort, leaving only the heat sinks exposed. 

Would anyone please have any ideas about:

Which epoxy or resin would be compatible with high frequency processors, and where to source it?

Are there expoxy compounds which might conduct heat well enough that overheating of components is not a concern?

The idea is to encase the motherboard with an epoxy or resin which will adhere to all components so completely that any attempt to remove the resin will destroy the components.

Thanks!

Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: SeanB on January 07, 2017, 08:31:02 PM
Works against the casual tamperer, but a more determined attacker will simply take time and dissolve the epoxy layer by layer to expose the board, then reverse engineer the components and the circuit, then decap the programmable components and extract the code inside. You need to have more than a plain epoxy potting, as this only slows down the attacker. Even including extra security, like a battery backed SRAM and anti tamper electronics to detect light through the epoxy, a fine flex PCB mesh network to detect tampering, along with encrypting the RAM contents and only having the key in a secure microcontroller, only means they need 5 units to get your firmware image out, or at least enough to figure out your methods and defeat them.

Better is to have an internet connection and a part of the firmware downloaded ( with really good crypto as well, and a private and public key per device per serial number, so getting one does not get all) on power up and held in RAM. That, along with the physical protection measures, will make it more secure.

However in most cases try to make your product low enough in cost that it is better to buy the genuine one, and then only support this and not the pirate versions.
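An added example, not code from SeanB or anyone else in this thread, showing the shape of the per-device scheme described above: each unit has its own X25519 key pair generated at manufacture, the server keeps only the public halves, and on power-up the server seals the RAM-only firmware fragment so that only the unit with the matching serial and private key can open it. Everything concrete here is assumed for illustration: the serial numbers, the "fw-pull-v1" label, the HMAC-SHA256 derivation standing in for HKDF (Go's standard library has none), and the fragment contents.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func keygen() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy, no keys
	}
	return k
}

// Device models one unit: its private key is generated at manufacture and
// never leaves the unit; only the public half is handed to the server.
type Device struct {
	Serial string
	priv   *ecdh.PrivateKey
}

func NewDevice(serial string) *Device { return &Device{Serial: serial, priv: keygen()} }

// Server holds its own key pair and the per-serial registry of device keys.
type Server struct {
	priv     *ecdh.PrivateKey
	registry map[string]*ecdh.PublicKey
}

func NewServer() *Server {
	return &Server{priv: keygen(), registry: map[string]*ecdh.PublicKey{}}
}

func (s *Server) Register(d *Device)         { s.registry[d.Serial] = d.priv.PublicKey() }
func (s *Server) PublicKey() *ecdh.PublicKey { return s.priv.PublicKey() }

// deviceKey turns the X25519 shared secret into a 256-bit AES key bound to
// one serial. HMAC-SHA256 stands in for HKDF (assumed; not in Go's stdlib).
func deviceKey(shared []byte, serial string) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("fw-pull-v1|" + serial))
	return mac.Sum(nil)
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // deviceKey always yields 32 bytes, so this cannot happen
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// Issue is the server side of the power-up exchange: the RAM-only firmware
// fragment is sealed for exactly one serial, with that serial as GCM AAD.
func (s *Server) Issue(serial string, fragment []byte) ([]byte, error) {
	pub, ok := s.registry[serial]
	if !ok {
		return nil, errors.New("unknown serial: " + serial)
	}
	shared, err := s.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	g := aead(deviceKey(shared, serial))
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, fragment, []byte(serial)), nil
}

// Receive is the device side: derive the same key from its own private key
// and the server's public key, then authenticate and decrypt into RAM.
func (d *Device) Receive(serverPub *ecdh.PublicKey, blob []byte) ([]byte, error) {
	shared, err := d.priv.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	g := aead(deviceKey(shared, d.Serial))
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], []byte(d.Serial))
}

// Demo provisions two units, issues a fragment to A, and reports whether A
// can read it and whether B (a second unit in an attacker's hands) can.
func Demo() (aReads, bReads bool, err error) {
	srv := NewServer()
	a, b := NewDevice("SN-0001"), NewDevice("SN-0002") // constructed serials
	srv.Register(a)
	srv.Register(b)
	fragment := []byte("constructed sample: RAM-only firmware fragment for SN-0001")
	blob, err := srv.Issue(a.Serial, fragment)
	if err != nil {
		return
	}
	got, err := a.Receive(srv.PublicKey(), blob)
	aReads = err == nil && string(got) == string(fragment)
	_, err = b.Receive(srv.PublicKey(), blob)
	bReads = err == nil // expected false: B's key and serial both differ
	err = nil
	return
}

func main() { fmt.Println(Demo()) } // true false <nil>
```

Two caveats a practitioner would want on this. The two static X25519 keys give no forward secrecy and nothing stops replaying an old blob to the device; a real pull would have the device send a fresh nonce or an ephemeral key in its request. And the scheme changes what the attacker has to extract, not whether there is something to extract: the device's private key is now the secret the potting and tamper mesh have to protect, which is exactly SeanB's point about the physical measures still being needed.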
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: daqq on January 07, 2017, 08:44:13 PM
See: http://www.design-shift.com/orwl/
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: tooki on January 07, 2017, 11:30:58 PM
Which epoxy or resin would be compatible with high frequency processors, and where to source it?

Are there expoxy compounds which might conduct heat well enough that overheating of components is not a concern?
http://xyproblem.info
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: Fungus on January 08, 2017, 12:32:02 AM
<snip>

All the important information is somehow missing from your post:

What are you protecting? Why?
Who are you protecting against?
What access will they have to the devices?
How much money can you spend (ie. what's the value of whatever it is you're trying to protect)?

 :-//
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: iaeen on January 08, 2017, 01:04:05 AM
I don't think indiscriminately filling up your case with epoxy is a good way to go.

Security is about finding balance between how hard you make it for an attacker vs how much value he expects to get. For most people, an encrypted hard drive is good enough. Even with physical access, the drive can't be decrypted after a hard reboot flushes the keys from memory.

Even if you need more (unlikely), you don't gain anything by potting up the processor. It would take an Intel engineer to tease any data out of it, and even if you did you probably aren't going to get any useful data from the extremely small onboard cache. You'd want to target the parts of the computer where information is actually stored.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: CatalinaWOW on January 08, 2017, 01:30:39 AM
As previous posters have said, it is impossible to totally protect information.  You can only decide how hard you want to make it.  Even if you design all of your own custom silicon, with its own unique architecture and instruction set, those with enough interest can figure it out.  Your only defense is making the search more costly than the information to be gained.  You can protect the design of your automatic cat scratcher with an epoxy coating, but Trump's bank account will require something more.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: filssavi on January 08, 2017, 01:32:01 AM
You have to explain more about a threat model to be able to have any kind of definitive answer; depending on how determined your attacker is you might be able to get away with it or not. For example, let's evaluate a few cases:

1) The attacker is a security researcher with limited funds and hardware knowledge (the average DEF CON / Black Hat talk speaker). Then you might not even need potting; just make sure you can permanently disable any debug peripheral (JTAG, SWD, serial ports and such) so MCU code cannot be extracted (by software means). If you need code on external flash, make sure it is fully encrypted with a cryptographically secure symmetric algorithm (i.e. AES-256) and that the key is in the MCU and unretrievable; ditto with external RAM. You must consider that any external communication might be eavesdropped. The bottom line is to avoid bringing the problem into their field; potting will greatly reduce their ability to mess with you.

2) The attacker is a competitor trying to reverse engineer your product. Potting might help, but it is not your only choice; the key here is that you need to protect not only the software, as before, but also the hardware. A good solution is the one suggested by SeanB: use a sufficiently fine mesh of wires on PCBs (rigid or flex) to fully encase the product, so that if the engineer tries to open/drill into your product you can detect a wire/trace breaking and take suitable countermeasures.

3) A state-sponsored attacker with unlimited funds: there is pretty much nothing you can do; they'll dissolve the epoxy, decap ICs and extract code/keys with an ion beam, etc.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: x84 on January 08, 2017, 03:45:03 AM
Thanks for all the excellent replies.

<snip>

All the important information is somehow missing from your post:

What are you protecting?
The need is to protect crypto keys contained in rackmount servers.  We are not trying to prevent reverse-engineering of hardware and software, only trying to guard against recovery of keys.

Quote from: Fungus
Why?
This development effort aims to support privacy.

Quote from: Fungus
Who are you protecting against?
We are guarding against any and all adversaries up to and including State-level actors.

Quote from: Fungus
What access will they have to the devices?
We assume adversaries will have unlimited physical access to the servers.

Quote from: Fungus
How much money can you spend (ie. what's the value of whatever it is you're trying to protect)?
When the govt is determined to gain access to your information, the stakes are potentially high.  The idea behind this "epoxy/resin" question is to explore innovative low-cost techniques.  There is the apocryphal story of the engineers who envision all sorts of expensive solutions to remove a truck stuck in a tunnel, until a child suggests deflating the tires...  my gut tells me that there has to be a simple low-cost mouse trap that we can build here that can stand up to even a very smart and very determined mouse, but maybe there isn't?

Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: Fungus on January 08, 2017, 03:48:20 AM
What are you protecting?
The need is to protect crypto keys contained in rackmount servers.  We are not trying to prevent reverse-engineering of hardware and software, only trying to guard against recovery of keys.

What data are those keys protecting? Who does the data belong to?

If it's your data then install a panic button that zaps it, booby trap the server room door, etc. Store a copy of the keys in a place outside the jurisdiction of your government.

If it's somebody else's data then you shouldn't be storing their keys.


Epoxy won't stop people with unlimited access, especially well-funded people.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: CatalinaWOW on January 08, 2017, 03:57:25 AM
Remember that the state sponsored entities can throw everything at you, including the clever child.  You are in effect betting your keys against the fact that no one attacking is clever or will happen on the strange solution.

As stated your problem is insoluble. 

But perhaps you can live with detecting that the keys have been compromised, or potentially compromised, allowing for re-encryption.  Then a simple physical barrier like epoxy, in combination with a system to detect intrusion and to respond to a detected intrusion will meet your needs.  Determining this will require you to evaluate how long you can stand exposure, and thinking about how you will detect intrusion, and how long it will take you to respond to an intrusion.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: BrianHG on January 08, 2017, 03:59:32 AM
I've successfully used Scotch-Weld DP-270 to entomb an Altera Cyclone 3 with a heatsink on the IC, with the bootprom + additional protective logic.  Everything else was external.

I was running DDR2 ram with it at full 400 MHz bus.  The ram was outside of the epoxy.  I had a fence surrounding the FPGA and critical components I didn't want any user to have access to which I filled up to encapsulate the beginning of the heatsink, leaving the fins exposed for cooling.  Do NOT use with a forced air fan heatsink.

http://www.alliedelec.com/3m-dp270/70113975/?mkwid=segQi7zGR&pcrid=65989308977&pkw=3m%20dp270&pmt=b&pdv=c&gclid=Cj0KEQiAwMLDBRDCh_r9sMvQ_88BEiQA6zuAQ3AtgEwa76IP2izYs81rlm9tcFbDiVAR7cMF4r45K5gaAh0E8P8HAQ

Careful not to entomb everything, the more you use, the more chance something will go wrong.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: filssavi on January 08, 2017, 04:16:09 AM
Probably your safest option is to mount a small explosive charge inside a suitable containment vessel along with the memory containing the keys; when the unit is opened the charge detonates and the keys are no more...

Whether it is legal or accepted in a datacenter is another can of worms entirely.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: Fungus on January 08, 2017, 04:22:23 AM
Probably your safest option is to mount a small explosive charge inside a suitable containment vessel along with the memory containing the keys; when the unit is opened the charge detonates and the keys are no more...

Whether it is legal or accepted in a datacenter is another can of worms entirely.

Explosives? Probably not.

There are safer ways to wipe data, eg. you can buy hard disks that lose their keys if powered down.

Do you trust the hard disk makers? That's another story. Point is: There's simpler, less fallible ways than explosives and/or thermite packs.


Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: filssavi on January 08, 2017, 05:07:40 AM
Probably your safest option is to mount a small explosive charge inside a suitable containment vessel along with the memory containing the keys; when the unit is opened the charge detonates and the keys are no more...

Whether it is legal or accepted in a datacenter is another can of worms entirely.

Explosives? Probably not.

There are safer ways to wipe data, eg. you can buy hard disks that lose their keys if powered down.

Do you trust the hard disk makers? That's another story. Point is: There's simpler, less fallible ways than explosives and/or thermite packs.


Mine was more a provocation than anything else, but then again you are talking of securing against NSA/Chinese/Russian intelligence, not the average hacker, so how do you know that the HDD doesn't have a backdoor or an exploitable bug that has ended up in the database of critical 0-days that the NSA keeps for strategic purposes?

Also, the HDD will keep the keys in RAM; are you sure that when cooled to liquid nitrogen or even helium temperatures the DRAM loses charge fast enough? And so on.

The point is that defense in this case is an extremely asymmetric effort: all it takes for the attackers is to find one small weak link, a bug, a shortcut a designer has taken on Friday evening to finish the work before the weekend, and so on. It's a war you can't win.

The explosive/thermite/very-high-voltage cap that automatically discharges (so no software/firmware involvement at all) onto the die (and you need a high enough voltage so that the keys are completely destroyed and cannot be extracted with ion beam analysis) are all relatively easy systems to engineer and get right without bugs.

The only real defense against an attacker with physical access is not to let him have physical access in the first place, so place the server on a small boat in international waters and flee if the navy arrives to board you. Once they have the machine there is nothing you can do to stop them; delay them for some time (weeks or even months if you are really good), sure, but to stop them completely is not possible, period.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: Someone on January 08, 2017, 08:02:49 AM
The only real defense against an attacker with physical access is not to let him have physical access in the first place, so place the server on a small boat in international waters and flee if the navy arrives to board you. Once they have the machine there is nothing you can do to stop them; delay them for some time (weeks or even months if you are really good), sure, but to stop them completely is not possible, period.
This has been tried before:
https://en.wikipedia.org/wiki/Principality_of_Sealand#HavenCo
https://en.wikipedia.org/wiki/HavenCo
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: helius on January 08, 2017, 08:14:19 AM
There are ways of preventing physical access, but you need to be a lot more clever than the ideas in this thread. Knowing your threat model and cost target will point towards the type of solution you must use: there is no such thing as a cost-no-object in the security field.
One hint is that potting is too late; by the time your adversary has the circuit board on their bench you have already lost. Surprise is invaluable.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: onesixright on January 08, 2017, 08:42:55 AM
Since you're not after protecting the h/w itself.

How about a detection system (vibration, movement, light, noise?) that secure erases all data when opening/tampering?

A question to ask is, what are the damages when data gets confiscated vs the investment to protect it? There are not many use-cases to protect a system worth x if the protection costs are 2x.

Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: CM800 on January 08, 2017, 11:06:50 AM
Mr CM300's Pandora's box:

Upon a vibration proof optics table, set up a vacuum chamber. Within the vacuum chamber should be a magnetically levitated cube with a solar panel for powering it from high intensity LED lights mounted within the chamber.
The cube has a mechanical assembly affixed to it with a high speed, highly sensitive gyroscope / accelerometer that detects the slightest movements of it, triggering data corruption.

The cube holds the cryptographic processor which is a custom ASIC containing, amongst other methods of protection, optical logic gates, MEMS logic gates and possibly some chemical / electrochemical methods of data handling.

Several key parts of the data should rely on external optical delay lines and internal mercury delay lines.

Naturally have the security cube reconfigure the positions of some of the protections using randomized numbers generated from a radio-isotope or heat noise random number generator.

Data to be encrypted / decrypted is transferred to and from the cube with differential light beams using interferometry to ensure the beams are not being extended for listening.

You could also have security lasers exiting the box to go around secure areas of the building, if the beams are broken then it wipes the keys and destructs itself through the release of HF acid onto its circuit (or just a high voltage spike / overheating)

A thermal sensor would watch its own temperature to ensure that it isn't being supercooled.

Possibly add computer vision to the security cube (IR, Visual light, X-Ray & Gamma to prevent X-Ray / Gamma visualization of internals)

...... I'll eat my sock if anyone can see a way to get past that. (And record myself doing so.)

Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: mikeselectricstuff on January 08, 2017, 11:58:22 AM
What are you protecting?
The need is to protect crypto keys contained in rackmount servers.  We are not trying to prevent reverse-engineering of hardware and software, only trying to guard against recovery of keys.
Epoxy is not the answer here.  Store them in battery-backed memory, inside a box arranged such that it loses power when anyone gets near them - e.g. by opening the case. Add a tamper mesh etc. as required. 
I'm sure there must be plenty of off-the-shelf products out there already to do this as it's hardly an unusual requirement.
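An added example, not code from mikeselectricstuff or anyone else in this thread, of what the battery-backed key box buys you and why it only has to hold a few bytes: the bulk data on the disk is encrypted under a data-encryption key (DEK), that DEK is wrapped under a key-encryption key (KEK) that exists only in the protected memory, and the tamper circuit's sole job is to overwrite the KEK. The KeyStore type, the "wrapped-dek"/"record" labels and the sample record are all assumed for illustration; in a real design the KEK would sit in the tamper-responsive SRAM and Tamper() would be driven by hardware, not by software.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrZeroized = errors.New("keystore: KEK zeroized by tamper event")

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy, no keys
	}
	return b
}

func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails; every key here is 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal/open: AES-256-GCM with a random 96-bit nonce prefixed to the output.
// aad labels the blob's purpose so a wrapped DEK cannot be replayed as data.
func seal(key, pt, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}

func open(key, ct, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// KeyStore stands in for the battery-backed SRAM inside the tamper envelope,
// the only place the key-encryption key (KEK) exists in the clear.
type KeyStore struct {
	kek      []byte
	zeroized bool
}

func NewKeyStore() *KeyStore { return &KeyStore{kek: randomBytes(32)} }

// Tamper is what the mesh, case switch or light sensor drives: overwrite the
// KEK in place and latch the event so the store can never be used again.
func (k *KeyStore) Tamper() { wipe(k.kek); k.zeroized = true }

func (k *KeyStore) Wrap(dek []byte) ([]byte, error) {
	if k.zeroized {
		return nil, ErrZeroized
	}
	return seal(k.kek, dek, []byte("wrapped-dek")), nil
}

func (k *KeyStore) Unwrap(wrapped []byte) ([]byte, error) {
	if k.zeroized {
		return nil, ErrZeroized
	}
	return open(k.kek, wrapped, []byte("wrapped-dek"))
}

// Load is the normal read path: unwrap the DEK, decrypt, discard the DEK.
func Load(ks *KeyStore, wrappedDEK, ciphertext []byte) (string, error) {
	dek, err := ks.Unwrap(wrappedDEK)
	if err != nil {
		return "", err
	}
	defer wipe(dek)
	pt, err := open(dek, ciphertext, []byte("record"))
	return string(pt), err
}

// Demo writes one record "to disk" as ciphertext plus a wrapped DEK, reads it
// back, then fires a tamper event: the same disk bytes are now unrecoverable
// even though nothing on the disk was erased.
func Demo() (readOK, readAfterTamper bool, errAfterTamper error) {
	ks := NewKeyStore()
	secret := "constructed sample: private key material 0123456789"
	dek := randomBytes(32)
	onDisk := seal(dek, []byte(secret), []byte("record")) // attacker can image this
	wrapped, err := ks.Wrap(dek)                           // and this
	wipe(dek) // the clear DEK lives only for the two calls above
	if err != nil {
		return
	}
	pt, err := Load(ks, wrapped, onDisk)
	readOK = err == nil && pt == secret
	ks.Tamper() // mesh broken, lid opened, light seen, power pulled...
	_, errAfterTamper = Load(ks, wrapped, onDisk)
	readAfterTamper = errAfterTamper == nil
	return
}

func main() { fmt.Println(Demo()) } // true false keystore: KEK zeroized by tamper event
```

Because only the wrapped DEK is on the disk, CatalinaWOW's "detect and re-encrypt" response becomes cheap: unwrap the DEK, generate a fresh KEK, rewrap, and the bulk ciphertext never has to be touched. What this does not solve are the things filssavi lists later in the thread: the DEK and the plaintext exist in host RAM while in use, and a tamper input that can be glued, jumpered or painted over never fires.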



Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: helius on January 08, 2017, 12:06:58 PM
Mr CM300's Pandora's box:
Mercury delay lines weigh hundreds of pounds, and HF is a weak acid.
How do you effect cooling inside your vacuum sealed box? :palm:
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: Alex Eisenhut on January 08, 2017, 01:32:14 PM
Mr CM300's Pandora's box:
Mercury delay lines weigh hundreds of pounds, and HF is a weak acid.
How do you effect cooling inside your vacuum sealed box? :palm:

Better question, how is Mr CM300 related to CM800?
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: eugenenine on January 08, 2017, 03:31:41 PM
In the realm of computer security the end goal is to protect the information not the hardware.  You wouldn't protect the board on the system as someone would just steal the drive.  Epoxy the whole system they can just swap out your keyboard with one that has a logger.  The normal setup for physical security is to limit access to the physical to start with, prevent anyone from being able to get to the computer. 
Then you have a reactive system to detect tampering, a switch inside the case, software that logs changes to the system, etc.  If you then detect tampering you don't use it.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: raspberrypi on January 08, 2017, 04:55:02 PM
If you are trying to keep out the government from your device and you have to ask the internet how to do it, I'm afraid that you are not going to be on the winning end. The NSA can see this site too! You would potentially be going up against the people who invented STUXNET.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: MK on January 08, 2017, 08:32:05 PM
FIPS 140 level 3 documents, and then have a read of Sergei Skorobogatov's research at Cambridge University and weep.

http://www.cl.cam.ac.uk/~sps32/

Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: electrolust on January 08, 2017, 09:40:21 PM
my gut tells me that there has to be a simple low-cost mouse trap that we can build here that can stand up to even a very smart and very determined mouse, but maybe there isn't?

This is my field of expertise.  There isn't [a low cost solution].  You need an HSM.  You can build it yourself but it's almost certainly cheaper [TCO] to buy.  No product is perfect but the commercial solutions readily available today can protect pretty much any secret short of nuclear launch codes (or DNC emails lol).  Your app also has to be designed to actually require use of the HSM in a way that other parts of the system aren't the weak links.  That's quite hard.

I don't mean to be insulting, but you have no idea what you're doing and in the security field that's an absolute recipe for disaster.  Correction: you have "a little knowledge". IOW a dangerous thing.  You should hire and/or consult some top level experts if you expect to protect against state actors.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: filssavi on January 08, 2017, 10:07:46 PM
There are ways of preventing physical access, but you need to be a lot more clever than the ideas in this thread. Knowing your threat model and cost target will point towards the type of solution you must use: there is no such thing as a cost-no-object in the security field.
One hint is that potting is too late; by the time your adversary has the circuit board on their bench you have already lost. Surprise is invaluable.

Yes, there are ways of preventing physical access if your opponent is a normal competitor; being against the NSA and friends is a whole lot more complicated. Take a look at Stuxnet: they were able to infect a security-critical air-gapped PC that in turn used one of the world's first PLC 0-days to destroy uranium centrifuges. Apple started encrypting text messages first and the whole memory of a phone later, specifically to prevent the US government from asking them to hand over data from the user's phone (iCloud is different), but even Apple, with a practically unlimited R&D budget and lots of clever engineers, could not prevent the San Bernardino phone from being unlocked.

The problem is that (provided the device in question is valuable enough) they have a truly limitless amount of money and time to find a weak spot. Anything can be circumvented given enough time and skill: active meshes can be bypassed (you basically attach jumper wires before breaking the existing one), light sensors can be easily identified and neutralized with black paint, case switches can be glued closed before opening the case, battery-backed SRAM loses data only if power is cut so they could easily solder on an external battery before they get full access to the device, DRAM can be frozen and the data extracted, and so on. Are all those things easy to do? Of course not. Will they be able to get in if they don't have multiple devices so that they can reverse engineer the anti-tamper system before tampering? Maybe yes, maybe not, who knows; but more importantly, assuming they have access to multiple devices (and if you sell the thing you'd be a fool to think otherwise) they will get in, it's just a matter of time.

This is the same thing as asking how to make a system un-reverse-engineerable; it simply can't be done. You can make the life of the attackers hard so it's cheaper to design the product than to copy it, and that's all.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: CM800 on January 09, 2017, 02:15:35 AM
Mr CM300's Pandora's box:
Mercury delay lines weigh hundreds of pounds, and HF is a weak acid.
How do you effect cooling inside your vacuum sealed box? :palm:

You got a point there with the mercury delay lines, though HF Acid would be perfect if you wanted to damage the glass optics & silicon.
Oi! no need to palm at me, you simply use jets of cooled gas. I didn't specify perfect vacuum.


I have a more commercially viable State-proof idea, however I don't think I'll be publishing that ;D

Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: CatalinaWOW on January 09, 2017, 02:54:19 AM
Quote from: CM800
Mr CM300's Pandora's box:
<snip>

You have violated one of the stated requirements - that physical access is not prevented.  But in general you have put your finger on the problem.  You have made the system extremely expensive, and extremely difficult to use, and have not eliminated all possible attacks.  I will leave it to your cleverness to uncover the weaknesses that I (not an expert in the field) would use to start an exploit.  I will grant that you have made it very difficult.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: CM800 on January 09, 2017, 04:42:44 AM
Quote from: CatalinaWOW
Quote from: CM800
Mr CM300's Pandora's box:
<snip>

You have violated one of the stated requirements - that physical access is not prevented.  But in general you have put your finger on the problem.  You have made the system extremely expensive, and extremely difficult to use, and have not eliminated all possible attacks.  I will leave it to your cleverness to uncover the weaknesses that I (not an expert in the field) would use to start an exploit.  I will grant that you have made it very difficult.

Not sure where it was said that physical access needed to be available to the actual board.
I also still can't see any way for you to get access to the keys....

The other idea was to put the board, with optical lines and a power line, into a holding frame, then mount a laser galvanometer on the board.
An FPGA on the board with various ADCs and DACs has several hundred outputs that connect via thin wires to 2 copper-plated plastic hemispheres that are placed surrounding the ball.

The board is then supplied with a YAG laser beam to ablate the copper foil with a heat-noise generated random pattern, the ADCs then pass various signals through the wires and foil at constantly varying frequencies and waveforms, the moment a change in characteristics is detected it will erase the keys.

An X-Ray and radiation detector will be put on the board too to detect if it's being observed via X-ray style techniques to reverse engineer it to open it. A temperature sensor detects and erases the keys should it be attempted to cool it beyond 0 °C

Keys are wiped should power be lost. (naturally)

Uses a tritium / radioactive battery to supply power to erase / re-write / jumble any data to ensure no memory is kept.

Data is passed in and out to be encrypted or decrypted via fibre connections to an outside holding frame.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: MK on January 09, 2017, 05:48:23 AM
my gut tells me that there has to be a simple low-cost mouse trap that we can build here that can stand up to even a very smart and very determined mouse, but maybe there isn't?

This is my field of expertise.  There isn't [a low cost solution].  You need an HSM.  You can build it yourself but it's almost certainly cheaper [TCO] to buy.  No product is perfect but the commercial solutions readily available today can protect pretty much any secret short of nuclear launch codes (or DNC emails lol).  Your app also has to be designed to actually require use of the HSM in a way that other parts of the system aren't the weak links.  That's quite hard.

I don't mean to be insulting, but you have no idea what you're doing and in the security field that's an absolute recipe for disaster.  Correction: you have "a little knowledge". IOW a dangerous thing.  You should hire and/or consult some top level experts if you expect to protect against state actors.

exactly, that is why you read FIPS140 level 3 and realise that it needs to be bought not made from the contents of your spare parts bins.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: LaserSteve on January 09, 2017, 07:31:06 AM
HYSOL 1C white ceramic loaded epoxy mixed with industrial diamond dust will slow the casual Dremel tool down to a crawl. That stops the casual hacker, especially if you heat it pre-cure so it flows. Nothing will stop a state level hacker short of SCIFs, one way fiber optic firewall portals etc. Best to hire an expert, as has been said.

Steve

Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: max_torque on January 09, 2017, 08:10:52 AM
Wouldn't it be easier to leave a "trap" amongst the keys, which when it is used (which you never do because you know it's a trap) doesn't release the key, but wipes the data?

Therefore, someone steals the device, extracts the keys (and the trap), uses them to access the data, but, blammo, the data is gone!
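One way to model the trap-key idea in this post, as an added example that is not the poster's code: a key store in which one slot is a decoy that looks like every other slot, and any use of that slot zeroises everything. All names here (TrappedKeyStore, use_key, demo) are hypothetical, and HMAC-SHA256 stands in for whatever the real keys would be used for.

```python
import hmac
import hashlib
import secrets


class TrappedKeyStore:
    """Key store with one decoy ("trap") slot (hypothetical example code).

    Every slot holds random key material, so an attacker who dumps the
    store cannot tell the trap from the real keys. The legitimate operator
    knows the trap's index and never uses it; any request that touches the
    trap slot zeroises every key in the store.
    """

    def __init__(self, n_slots: int, trap_slot: int):
        if not 0 <= trap_slot < n_slots:
            raise ValueError("trap slot out of range")
        self._keys = [bytearray(secrets.token_bytes(32)) for _ in range(n_slots)]
        self._trap = trap_slot
        self.wiped = False

    def _zeroise(self) -> None:
        # Overwrite in place rather than dropping references, so the key
        # bytes do not linger in freed memory.
        for k in self._keys:
            for i in range(len(k)):
                k[i] = 0
        self.wiped = True

    def use_key(self, slot: int, message: bytes) -> bytes:
        """Return an HMAC tag under the key in `slot`; trip the trap if it is the decoy."""
        if self.wiped:
            raise RuntimeError("key store has been zeroised")
        if slot == self._trap:
            self._zeroise()
            raise RuntimeError("trap slot used: all keys zeroised")
        return hmac.new(bytes(self._keys[slot]), message, hashlib.sha256).digest()


def demo():
    """Legitimate use succeeds; an attacker trying every dumped slot trips the trap."""
    store = TrappedKeyStore(n_slots=4, trap_slot=2)
    tag = store.use_key(0, b"legitimate request")  # operator avoids slot 2
    tripped = False
    try:
        for slot in range(4):  # attacker walks the slots in order and hits 2
            store.use_key(slot, b"attacker probe")
    except RuntimeError:
        tripped = True
    return tag, tripped, store.wiped
```

The trap only fires if the stolen keys are exercised through something that checks for it; keys copied out and used elsewhere never touch this code, which is the limitation the later posts in the thread point at.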
Title: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: timb on January 09, 2017, 02:04:59 PM
Okay, so here's my idea:

Start with a 5" layer of epoxy (mixed with powdered magnesium) on the bottom of the case, then place 1x1x1" airtight containers containing iron sulfide every 3" in a grid pattern and cover with 1" of epoxy/magnesium mix; place the PCB on top of that, add more epoxy to cover and then repeat the iron sulfide and epoxy/magnesium covering on top.

Guaranteed to self destruct! (Well, at least the first time. The second time they might get wise and try to cut into it in a vacuum or argon/nitrogen/whatever environment...)
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: LaserSteve on January 09, 2017, 06:26:57 PM
In reality, thermite is old school. A photoflash cap and the right kind of resonant transformer can ensure suitable destruction of an SMD device.

Steve
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: vealmike on January 09, 2017, 07:32:11 PM
The need is to protect crypto keys contained in rackmount servers.  We are not trying to prevent reverse-engineering of hardware and software, only trying to guard against recovery of keys.

Read FIPS 140-2. It will not tell you how to do what you want to do, but it will tell you about the fifty things you haven't thought about yet.

Be aware that getting level 3 and higher is extremely difficult once you go to a multi-module (i.e. the crypto boundary encloses a PCB as opposed to a chip).

Finally, a good read of 140-2 will tell you how useless FIPS certification can be.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: CatalinaWOW on January 10, 2017, 04:21:05 AM
FIPS-140-2 is a good start.  But one need not wear a tin foil hat to believe that an openly published document in no way defines the limits of state sponsored attacks.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: helius on January 10, 2017, 04:43:02 AM
And finally, never forget that you could be laboring very efficiently to solve the wrong problem. Suppose you have succeeded, and the keys are effectively forever sealed inside your protected module/box. But since a key that can't be used at all is useless, this implies that encryption/decryption hardware must be inside the box too. Now the adversary takes the fully intact, working box, and commands it to decrypt data X using its key...

In reality, security is a chain, and an intelligent adversary will attack whatever is its weakest link. Maybe that's the key storage, but maybe it isn't. Maybe it's the developer who wrote the random number function.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: Brumby on January 10, 2017, 09:27:01 AM
That's the thing about security.... 

You can go into hyper analysis, over engineering and crypto insanity which will safeguard against 10,000 different attack vectors, but your adversary only needs to find 1.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: Brumby on January 10, 2017, 09:28:32 AM
... then, one day, you find yourself having to service the thing.
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: Fungus on January 10, 2017, 06:29:35 PM
That's the thing about security.... 

You can go into hyper analysis, over engineering and crypto insanity which will safeguard against 10,000 different attack vectors, but your adversary only needs to find 1.

Yep.

PS: Watch this:

http://www.youtube.com/watch?v=0Z4aF-qiziM
Title: Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
Post by: vealmike on January 10, 2017, 06:33:57 PM
FIPS-140-2 is a good start.  But one need not wear a tin foil hat to believe that an openly published document in no way defines the limits of state sponsored attacks.

Oh I agree. It's a perfect example of a committee produced standard. FIPS compliance does not equal security.

My favourite example is the definition of a physical enclosure - required to prevent access. There are all kinds of rules and definitions about 90 degree bends to prevent probing through vent holes. Well, believe it or not, a fan is considered a contiguous part of the enclosure, meaning a FIPS compliant product using this part of the rules can be defeated with a biro.

That said, the approach of defining a crypto boundary and securing that boundary is good. IMHO, the standard is a good starting point for anyone wanting to learn how to design a secure product.