Author Topic: Tamper Proof Expoxy Tomb - how to secure a board against tampering?  (Read 14756 times)


Offline x84Topic starter

  • Newbie
  • Posts: 2
  • Country: us
Greetings,

In the realm of computer security, protecting against an adversary who has physical access to your computer represents a formidable challenge.  With physical access, all sorts of bad things can be done, such as splicing into buses and reading sensitive information directly from chips.  One idea to guard against this is to encase the entire motherboard with epoxy or resin of some sort, leaving only the heat sinks exposed. 

Would anyone please have any ideas about:

Which epoxy or resin would be compatible with high frequency processors, and where to source it?

Are there epoxy compounds which might conduct heat well enough that overheating of components is not a concern?

The idea is to encase the motherboard with an epoxy or resin which will adhere to all components so completely that any attempt to remove the resin will destroy the components.

Thanks!

 

Online SeanB

  • Super Contributor
  • ***
  • Posts: 16272
  • Country: za
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #1 on: January 07, 2017, 09:31:02 am »
Works against the casual tamperer, but a more determined attacker will simply take time and dissolve the epoxy layer by layer to expose the board, then reverse engineer the components and the circuit, then decap the programmable components and extract the code inside. You need to have more than a plain epoxy potting, as this only slows down the attacker. Even including extra security, like a battery backed SRAM and anti tamper electronics to detect light through the epoxy, a fine flex PCB mesh network to detect tampering, along with encrypting the RAM contents and only having the key in a secure microcontroller, only means they need 5 units to get your firmware image out, or at least enough to figure out your methods and defeat them.

Better is to have an internet connection and a part of the firmware downloaded (with really good crypto as well, and a private and public key per device per serial number, so getting one does not get all) on power up and held in RAM. That, along with the physical protection measures, will make it more secure.

However in most cases try to make your product low enough in cost that it is better to buy the genuine one, and then only support this and not the pirate versions.
 

Offline daqq

  • Super Contributor
  • ***
  • Posts: 2301
  • Country: sk
    • My site
Believe it or not, pointy haired people do exist!
+++Divide By Cucumber Error. Please Reinstall Universe And Reboot +++
 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 11332
  • Country: ch
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #3 on: January 07, 2017, 12:30:58 pm »
Which epoxy or resin would be compatible with high frequency processors, and where to source it?

Are there epoxy compounds which might conduct heat well enough that overheating of components is not a concern?
http://xyproblem.info
 
The following users thanked this post: PointyOintment

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #4 on: January 07, 2017, 01:32:02 pm »
<snip>

All the important information is somehow missing from your post:

What are you protecting? Why?
Who are you protecting against?
What access will they have to the devices?
How much money can you spend (ie. what's the value of whatever it is you're trying to protect)?

 :-//
 

Offline iaeen

  • Regular Contributor
  • *
  • Posts: 65
  • Country: us
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #5 on: January 07, 2017, 02:04:05 pm »
I don't think indiscriminately filling up your case with epoxy is a good way to go.

Security is about finding balance between how hard you make it for an attacker vs how much value he expects to get. For most people, an encrypted hard drive is good enough. Even with physical access, the drive can't be decrypted after a hard reboot flushes the keys from memory.

Even if you need more (unlikely), you don't gain anything by potting up the processor. It would take an Intel engineer to tease any data out of it, and even if you did you probably aren't going to get any useful data from the extremely small onboard cache. You'd want to target the parts of the computer where information is actually stored.
 

Offline CatalinaWOW

  • Super Contributor
  • ***
  • Posts: 5170
  • Country: us
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #6 on: January 07, 2017, 02:30:39 pm »
As previous posters have said, it is impossible to totally protect information.  You can only decide how hard you want to make it.  Even if you design all of your own custom silicon, with its own unique architecture and instruction set, those with enough interest can figure it out.  Your only defense is making the search more costly than the information to be gained.  You can protect the design of your automatic cat scratcher with an epoxy coating, but Trump's bank account will require something more.
 

Offline filssavi

  • Frequent Contributor
  • **
  • Posts: 433
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #7 on: January 07, 2017, 02:32:01 pm »
You have to explain more about a threat model to be able to have any kind of definitive answer; depending on how determined your attacker is, you might be able to get away with it or not. For example, let's evaluate a few cases:

1) the attacker is a security researcher with limited funds and hardware knowledge (the average defcon/black hat talk speaker): then you might not even need potting, just make sure you can permanently disable any debug peripheral (JTAG, SWD, serial ports and such), so MCU code cannot be extracted (by software means). If you need code on external flash, make sure it is fully encrypted with a cryptographically secure symmetric algorithm (i.e. AES256) and that the key is in the MCU and unretrievable; ditto with external RAM. You must consider that any external communication might be eavesdropped. The bottom line is to avoid them bringing the problem into their field; potting will greatly reduce their ability to mess with you.

2) the attacker is a competitor trying to reverse engineer your product, so potting might help but it is not your only choice. The key here is that you need to protect not only the software as before but also the hardware. A good solution is the one suggested by SeanB: use a sufficiently fine mesh of wires on PCBs (rigid or flex) to fully encase the product, so that if the engineer tries to open/drill into your product you can detect a wire/trace breaking and take suitable countermeasures.

3) state sponsored attacker with unlimited funds: there is pretty much nothing you can do, they'll dissolve epoxy, decap ICs and extract code/keys with ion beam etc.
 

Offline x84Topic starter

  • Newbie
  • Posts: 2
  • Country: us
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #8 on: January 07, 2017, 04:45:03 pm »
Thanks for all the excellent replies.

<snip>

All the important information is somehow missing from your post:

What are you protecting?
The need is to protect crypto keys contained in rackmount servers.  We are not trying to prevent reverse-engineering of hardware and software, only trying to guard against recovery of keys.

Quote from: Fungus
Why?
This development effort aims to support privacy.

Quote from: Fungus
Who are you protecting against?
We are guarding against any and all adversaries up to and including State-level actors.

Quote from: Fungus
What access will they have to the devices?
We assume adversaries will have unlimited physical access to the servers.

Quote from: Fungus
How much money can you spend (ie. what's the value of whatever it is you're trying to protect)?
When the govt is determined to gain access to your information, the stakes are potentially high.  The idea behind this "epoxy/resin" question is to explore innovative low-cost techniques.  There is the apocryphal story of the engineers who envision all sorts of expensive solutions to remove a truck stuck in a tunnel, until a child suggests deflating the tires...  my gut tells me that there has to be a simple low-cost mouse trap that we can build here that can stand up to even a very smart and very determined mouse, but maybe there isn't?

 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #9 on: January 07, 2017, 04:48:20 pm »
What are you protecting?
The need is to protect crypto keys contained in rackmount servers.  We are not trying to prevent reverse-engineering of hardware and software, only trying to guard against recovery of keys.

What data are those keys protecting? Who does the data belong to?

If it's your data then install a panic button that zaps it, booby trap the server room door, etc. Store a copy of the keys in a place outside the jurisdiction of your government.

If it's somebody else's data then you shouldn't be storing their keys.


Epoxy won't stop people with unlimited access, especially well-funded people.
« Last Edit: January 07, 2017, 04:59:43 pm by Fungus »
 

Offline CatalinaWOW

  • Super Contributor
  • ***
  • Posts: 5170
  • Country: us
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #10 on: January 07, 2017, 04:57:25 pm »
Remember that the state sponsored entities can throw everything at you, including the clever child.  You are in effect betting your keys against the fact that no one attacking is clever or will happen on the strange solution.

As stated your problem is insoluble. 

But perhaps you can live with detecting that the keys have been compromised, or potentially compromised, allowing for re-encryption.  Then a simple physical barrier like epoxy, in combination with a system to detect intrusion and to respond to a detected intrusion will meet your needs.  Determining this will require you to evaluate how long you can stand exposure, and thinking about how you will detect intrusion, and how long it will take you to respond to an intrusion.
 

Offline BrianHG

  • Super Contributor
  • ***
  • Posts: 7660
  • Country: ca
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #11 on: January 07, 2017, 04:59:32 pm »
I've successfully used Scotch-Weld DP-270 to entomb an Altera Cyclone 3 with a heatsink on the IC, with the bootprom + additional protective logic.  Everything else was external.

I was running DDR2 RAM with it at full 400 MHz bus.  The RAM was outside of the epoxy.  I had a fence surrounding the FPGA and critical components I didn't want any user to have access to which I filled up to encapsulate the beginning of the heatsink, leaving the fins exposed for cooling.  Do NOT use with a forced air fan heatsink.

http://www.alliedelec.com/3m-dp270/70113975/?mkwid=segQi7zGR&pcrid=65989308977&pkw=3m%20dp270&pmt=b&pdv=c&gclid=Cj0KEQiAwMLDBRDCh_r9sMvQ_88BEiQA6zuAQ3AtgEwa76IP2izYs81rlm9tcFbDiVAR7cMF4r45K5gaAh0E8P8HAQ

Careful not to entomb everything, the more you use, the more chance something will go wrong.
 

Offline filssavi

  • Frequent Contributor
  • **
  • Posts: 433
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #12 on: January 07, 2017, 05:16:09 pm »
Probably your safest option is to mount a small explosive charge inside a suitable containment vessel along with the memory containing the keys; when the unit is opened the charge detonates and keys are no more...

Whether it is legal or accepted in a datacenter is another can of worms entirely.
 

Offline Fungus

  • Super Contributor
  • ***
  • Posts: 16560
  • Country: 00
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #13 on: January 07, 2017, 05:22:23 pm »
Probably your safest option is to mount a small explosive charge inside a suitable containment vessel along with the memory containing the keys; when the unit is opened the charge detonates and keys are no more...

Whether it is legal or accepted in a datacenter is another can of worms entirely.

Explosives? Probably not.

There are safer ways to wipe data, eg. you can buy hard disks that lose their keys if powered down.

Do you trust the hard disk makers? That's another story. Point is: There's simpler, less fallible ways than explosives and/or thermite packs.


 

Offline filssavi

  • Frequent Contributor
  • **
  • Posts: 433
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #14 on: January 07, 2017, 06:07:40 pm »
Probably your safest option is to mount a small explosive charge inside a suitable containment vessel along with the memory containing the keys; when the unit is opened the charge detonates and keys are no more...

Whether it is legal or accepted in a datacenter is another can of worms entirely.

Explosives? Probably not.

There are safer ways to wipe data, eg. you can buy hard disks that lose their keys if powered down.

Do you trust the hard disk makers? That's another story. Point is: There's simpler, less fallible ways than explosives and/or thermite packs.


Mine was more a provocation than anything else, but then again you are talking of securing against NSA/Chinese/Russian intelligence, not the average hacker, so how do you know that the HDD doesn't have a backdoor or an exploitable bug that has ended up in the database of critical 0days that the NSA keeps for strategic purposes?

Also the HDD will keep the keys in RAM; are you sure that when cooled to liquid nitrogen or even helium temperatures the DRAM loses charge fast enough? And so on.

The point is that defense in this case is an extremely asymmetric effort: all it takes for the attackers is to find one small weak link, a bug, a shortcut a designer has taken on Friday evening to end the work before the weekend, and so on. It's a war you can't win.

The explosive/thermite/very high voltage cap that automatically discharges (so no software/firmware involvement at all) on the die (and you need a high enough voltage so that the keys are completely destroyed and cannot be extracted with an ion beam analysis) are all relatively easy systems to engineer and get right without bugs.

The only real defense against an attacker with physical access is not to let him have physical access in the first place, so place the server on a small boat in international waters and flee if the navy arrives to board you. Once they have the machine there is nothing you can do to stop them; delay them for some time (weeks or even months if you are really good), sure, but to stop them completely is not possible, period.
 

Online Someone

  • Super Contributor
  • ***
  • Posts: 4509
  • Country: au
    • send complaints here
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #15 on: January 07, 2017, 09:02:49 pm »
The only real defense against an attacker with physical access is not to let him have physical access in the first place, so place the server on a small boat in international waters and flee if the navy arrives to board you. Once they have the machine there is nothing you can do to stop them; delay them for some time (weeks or even months if you are really good), sure, but to stop them completely is not possible, period.
This has been tried before:
https://en.wikipedia.org/wiki/Principality_of_Sealand#HavenCo
https://en.wikipedia.org/wiki/HavenCo
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3632
  • Country: us
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #16 on: January 07, 2017, 09:14:19 pm »
There are ways of preventing physical access, but you need to be a lot more clever than the ideas in this thread. Knowing your threat model and cost target will point towards the type of solution you must use: there is no such thing as a cost-no-object in the security field.
One hint is that potting is too late; by the time your adversary has the circuit board on their bench you have already lost. Surprise is invaluable.
 

Offline onesixright

  • Frequent Contributor
  • **
  • Posts: 624
  • Country: nl
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #17 on: January 07, 2017, 09:42:55 pm »
Since you're not after protecting the h/w itself.

How about a detection system (vibration, movement, light, noise?) that secure erases all data when opening/tampering?

A question to ask is, what are the damages when data gets confiscated vs the investment to protect it? There are not many use-cases to protect a system worth x if the protection costs are 2x.

 

Offline CM800

  • Frequent Contributor
  • **
  • Posts: 882
  • Country: 00
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #18 on: January 08, 2017, 12:06:50 am »
Mr CM300's Pandora's box:

Upon a vibration proof optics table, set up a vacuum chamber. Within the vacuum chamber should be a magnetically levitated cube with a solar panel for powering it from high intensity LED lights mounted within the chamber.
The cube has a mechanical assembly affixed to it with a high speed, highly sensitive gyroscope / accelerometer that detects the slightest movements of it, triggering data corruption.

The cube holds the cryptographic processor which is a custom ASIC containing, amongst other methods of protection, optical logic gates, MEMS logic gates and possibly some chemical / electrochemical methods of data handling.

Several key parts of the data should rely on external optical delay lines and internal mercury delay lines.

Naturally have the security cube reconfigure the positions of some of the protections using randomized numbers generated from a radio-isotope or heat noise random number generator.

Data to be encrypted / decrypted is transferred to and from the cube with differential light beams using interferometry to ensure the beams are not being extended for listening.

You could also have security lasers exiting the box to go around secure areas of the building, if the beams are broken then it wipes the keys and destructs itself through the release of HF acid onto its circuit (or just a high voltage spike / overheating)

A thermal sensor would watch its own temperature to ensure that it isn't being supercooled.

Possibly add computer vision to the security cube (IR, Visual light, X-Ray & Gamma to prevent X-Ray / Gamma visualization of internals)

...... I'll eat my sock if anyone can see a way to get past that. (And record myself doing so.)

« Last Edit: January 08, 2017, 12:15:23 am by CM800 »
 
The following users thanked this post: tooki

Offline mikeselectricstuff

  • Super Contributor
  • ***
  • Posts: 13693
  • Country: gb
    • Mike's Electric Stuff
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #19 on: January 08, 2017, 12:58:22 am »
Quote
Quote
What are you protecting?
The need is to protect crypto keys contained in rackmount servers.  We are not trying to prevent reverse-engineering of hardware and software, only trying to guard against recovery of keys.
Epoxy is not the answer here.  Store them in battery-backed memory, inside a box arranged such that it loses power when anyone gets near them - e.g. by opening the case. Add a tamper mesh etc. as required. 
I'm sure there must be plenty of off-the-shelf products out there already to do this as it's hardly an unusual requirement.



YouTube channel: Taking weird stuff apart. Very apart.
Mike's Electric Stuff: High voltage, vintage electronics etc.
Day Job: Mostly LEDs
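
The tamper-response approach raised in several replies above (case switch, tamper mesh, light sensor, supercooling check, keys held in battery-backed memory), sketched in C as an added example that is not code from any poster in this thread. The thresholds, struct names and sensor readings are assumptions constructed for illustration; on a target the readings would come from GPIO/ADC inputs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Latched tamper causes, one bit each. */
enum { TAMPER_NONE = 0, TAMPER_CASE = 1, TAMPER_MESH = 2,
       TAMPER_LIGHT = 4, TAMPER_COLD = 8 };
/* Hypothetical limits; real values come from characterising the hardware. */
#define MESH_MIN_OHMS 900    /* below: mesh loop shorted or bridged */
#define MESH_MAX_OHMS 1100   /* above: mesh trace cut or drilled */
#define LIGHT_MAX_ADC 20     /* photodiode sits in the dark under the potting */
#define TEMP_MIN_C    (-20)  /* colder than any normal rack environment */

/* One sensor snapshot (constructed fields, not a real driver API). */
typedef struct {
    bool     case_closed;
    uint16_t mesh_ohms;
    uint16_t light_adc;
    int16_t  temp_c;
} sensors_t;
/* Stands in for battery-backed SRAM holding the key. */
typedef struct {
    uint8_t key[32];
    bool    key_valid;
    uint8_t tamper_flags;    /* never cleared once set */
} keystore_t;

/* Volatile writes so the compiler cannot optimise the wipe away. */
static void secure_zero(volatile uint8_t *p, size_t n) {
    while (n--) *p++ = 0;
}

uint8_t classify(const sensors_t *s) {
    uint8_t f = TAMPER_NONE;
    if (!s->case_closed) f |= TAMPER_CASE;
    /* Window check: a mesh reading that is too low is as suspect as too high. */
    if (s->mesh_ohms < MESH_MIN_OHMS || s->mesh_ohms > MESH_MAX_OHMS) f |= TAMPER_MESH;
    if (s->light_adc > LIGHT_MAX_ADC) f |= TAMPER_LIGHT;
    if (s->temp_c < TEMP_MIN_C) f |= TAMPER_COLD;
    return f;
}

/* Called periodically: wipe first, record the cause afterwards. */
uint8_t tamper_poll(keystore_t *ks, const sensors_t *s) {
    uint8_t f = classify(s);
    if (f != TAMPER_NONE) {
        secure_zero(ks->key, sizeof ks->key);
        ks->key_valid = false;
        ks->tamper_flags |= f;
    }
    return ks->tamper_flags;
}

/* Key release is refused for good once any tamper flag is latched. */
bool key_use(const keystore_t *ks, uint8_t out[32]) {
    if (!ks->key_valid || ks->tamper_flags != TAMPER_NONE) return false;
    memcpy(out, ks->key, sizeof ks->key);
    return true;
}

int main(void) {
    keystore_t ks = { .key_valid = true };
    memset(ks.key, 0xA5, sizeof ks.key);          /* constructed key */
    sensors_t cooled = { true, 1000, 5, -60 };    /* constructed reading */
    uint8_t out[32];
    tamper_poll(&ks, &cooled);
    printf("key_use=%d flags=0x%02x\n", key_use(&ks, out), ks.tamper_flags);
    return 0;
}
```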
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3632
  • Country: us
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #20 on: January 08, 2017, 01:06:58 am »
Mr CM300's Pandora's box:
Mercury delay lines weigh hundreds of pounds, and HF is a weak acid.
How do you effect cooling inside your vacuum sealed box? :palm:
 

Offline Alex Eisenhut

  • Super Contributor
  • ***
  • Posts: 3330
  • Country: ca
  • Place text here.
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #21 on: January 08, 2017, 02:32:14 am »
Mr CM300's Pandora's box:
Mercury delay lines weigh hundreds of pounds, and HF is a weak acid.
How do you effect cooling inside your vacuum sealed box? :palm:

Better question, how is Mr CM300 related to CM800?
Hoarder of 8-bit Commodore relics and 1960s Tektronix 500-series stuff. Unconventional interior decorator.
 

Offline eugenenine

  • Frequent Contributor
  • **
  • Posts: 865
  • Country: us
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #22 on: January 08, 2017, 04:31:41 am »
In the realm of computer security the end goal is to protect the information not the hardware.  You wouldn't protect the board on the system as someone would just steal the drive.  Epoxy the whole system they can just swap out your keyboard with one that has a logger.  The normal setup for physical security is to limit access to the physical to start with, prevent anyone from being able to get to the computer. 
Then you have a reactive system to detect tampering, a switch inside the case, software that logs changes to the system, etc.  If you then detect tampering you don't use it.
 

Offline raspberrypi

  • Frequent Contributor
  • **
  • !
  • Posts: 358
  • Country: us
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #23 on: January 08, 2017, 05:55:02 am »
If you are trying to keep out the government from your device and you have to ask the internet how to do it, I'm afraid that you are not going to be on the winning end. The NSA can see this site too! You would potentially be going up against the people who invented STUXNET.
« Last Edit: January 08, 2017, 06:06:53 am by raspberrypi »
I'm legally blind so sometimes I ask obvious questions, but it's because I can't see well.
 
The following users thanked this post: amyk, tooki

Offline MK

  • Regular Contributor
  • *
  • Posts: 233
  • Country: gb
Re: Tamper Proof Expoxy Tomb - how to secure a board against tampering?
« Reply #24 on: January 08, 2017, 09:32:05 am »
FIPS140 level 3 documents, and then have a read of Sergei Skorobogatov's research at Cambridge University and weep.

http://www.cl.cam.ac.uk/~sps32/

 

