
I am to release a system-on-chip device that, during its lifetime, will come to store sensitive data. I want to make that data hard to extract or duplicate.

Encrypting is good for dealing with MITM, but it doesn't solve the problem of duplicating the flash memory (and MAC address) of the chip and posing as the original hardware.

TPMs (or security tokens, etc.) are good for dealing with duplication, but a problem arises. An attacker could obtain a new device, including a security token, at the store and transfer the security token onto a duplicated device that contains sensitive data.

I don't know if I can avoid this sounding like "do my product design for me", but I'm very new to hardware security considerations and someone with experience could easily help by pointing me in a meaningful direction.

Thomas Pornin
user907323
  • A secure HSM won't allow the token to be copied or moved. That's really the only possibility to ensure the owner of a device doesn't move it to another device. You can tamper-proof it to reduce chances of successfully removing and reinstalling the chip. – AJ Henderson Feb 02 '14 at 16:34

1 Answer


If attackers can physically move the data around, from Flash to Flash, then you will need to resort to cryptography. If chip A must be able to make sense of some data bytes, but chip B (of the same model) cannot, then chip A must know something that B does not. Encryption reduces the problem: if you encrypt all your sensitive data with a secret key known only to A (let's call it KA), then your problem becomes: how can you make A store its key in a way that it cannot be extracted? The length of KA would typically be 128 bits, i.e. 16 bytes; that's the added value of cryptography: the size of your problem has shrunk down to 16 bytes.

The first normal method is the following: during an initial phase (typically at the end of the factory line), a device-specific key KA is injected into device A, to be stored in a tamper-resistant chip. That chip must be able to store the key (only a few bytes), do some encryption/decryption with it, and resist forceful extraction (physical resistance). A "master server" stores a copy of all device keys (warning! sensitive!) and encrypts data elements which must afterwards be sent securely to device A. Mobile phones use that model; the tamper-resistant chip is the SIM card.

An extended method entails a tamper-resistant chip with a bit more power: it can do asymmetric cryptography (say, RSA) and generate its own private/public key pair. During the initial enrollment phase, under controlled conditions, the device generates its key pair, and exports the public key; the public key is stored externally, and is used for encryption (when some data is to be sent securely to device A) and authentication (when device A wants to prove its identity to an online server). Typically, during the enrollment phase, the public key is wrapped by a custom Certification Authority into a certificate and used in standard protocols such as SSL/TLS. Some payment terminals use this model.

A TPM is a tamper-resistant chip which can usually do asymmetric crypto, including generating and storing a private key. This is the right tool for the job, but you still have to use it: the TPM will not magically, by its mere presence, protect the data; you have to design the initial enrollment phase and do the key management. As described above, this more-or-less implies running your own PKI.

Thomas Pornin
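The two enrollment models the answer describes, worked through as an added example (Go, standard library only; this is not code from the original post or from any particular product). `SecureChip`, `FactoryInject`, `Enroll` and the other names are hypothetical labels for this illustration: the struct stands in for the tamper-resistant element, and the point of the exercise is that a ciphertext, a flash image or a signed challenge produced for device A is useless on a second unit B of the same model, because the key never leaves A's chip. Model 1 is the factory-injected symmetric KA with a master server holding a copy; model 2 is the chip-generated key pair whose public half is exported at enrollment and used both to encrypt data to the device and to verify a challenge-response identity proof.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecureChip (hypothetical name) models one device's tamper-resistant element:
// key material lives only inside it and no method ever returns it.
type SecureChip struct {
	deviceKey []byte          // model 1: factory-injected KA, 128 bits
	privKey   *rsa.PrivateKey // model 2: generated in the chip, never exported
}

// Model 1. FactoryInject burns a fresh KA into the chip and returns a copy for
// the master server's key database (the "warning! sensitive!" store).
func FactoryInject() (*SecureChip, []byte, error) {
	ka := make([]byte, 16)
	if _, err := rand.Read(ka); err != nil {
		return nil, nil, err
	}
	return &SecureChip{deviceKey: ka}, ka, nil
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ServerEncryptForDevice runs on the master server, which knows every KA.
// Output layout: nonce || ciphertext || GCM tag.
func ServerEncryptForDevice(ka, plaintext []byte) ([]byte, error) {
	aead, err := aesGCM(ka)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptSymmetric runs inside the chip; a blob copied from another device's
// flash fails the GCM tag check instead of yielding plaintext.
func (c *SecureChip) DecryptSymmetric(blob []byte) ([]byte, error) {
	aead, err := aesGCM(c.deviceKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// Model 2. Enroll is the controlled enrollment step: the key pair is generated
// inside the chip and only the public key is exported (to the server or a CA).
func Enroll() (*SecureChip, *rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &SecureChip{privKey: priv}, &priv.PublicKey, nil
}

// ServerEncryptToPub needs no secret at all, only the enrolled public key.
func ServerEncryptToPub(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func (c *SecureChip) DecryptAsymmetric(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, c.privKey, ct, nil)
}

// Challenge-response identity proof: the server sends a fresh nonce, the chip
// signs it, and the server checks the signature against the enrolled key.
func (c *SecureChip) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, c.privKey, crypto.SHA256, h[:], nil)
}

func VerifyChallenge(pub *rsa.PublicKey, nonce, sig []byte) bool {
	h := sha256.Sum256(nonce)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	chipA, ka, _ := FactoryInject()
	chipB, _, _ := FactoryInject() // a second unit of the same model
	blob, _ := ServerEncryptForDevice(ka, []byte("provisioned secret"))
	_, errA := chipA.DecryptSymmetric(blob)
	_, errB := chipB.DecryptSymmetric(blob) // same blob copied into B's flash
	fmt.Println("A decrypts:", errA == nil, "| clone B decrypts:", errB == nil)
}
```

What the example leaves out is exactly the part the answer says you still have to build: the enrollment PKI. In model 2 the server stores raw public keys in a map keyed by device; in a real deployment the public key exported by `Enroll` would be wrapped in a certificate by your own CA so that standard TLS client authentication can carry the identity proof. Note also that the security of both models rests on the chip refusing to export `deviceKey` and `privKey`; in software that is a convention, in a TPM or secure element it is what the tamper resistance is for.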