FW: Tamperproofing of Chip Cards
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
From: Peter Langston <psl>
Date: Wed, 10 Sep 97 13:21:43 -0700
Subject: FW: Tamperproofing of Chip Cards
Forwarded-by: Chris Ausbrooks <firstname.lastname@example.org>
Forwarded-by: Travis Hassloch <email@example.com>
I found this in our database. I've never seen it before.
I found it pretty interesting, despite being somewhat old.
Truncation in original.
* * * * *
TAMPERPROOFING OF CHIP CARDS
Ross J. Anderson
Cambridge University Computer Laboratory
Pembroke Street, Cambridge CB2 3QG
There are two ways of attacking smartcards - destructive reverse
engineering of the silicon circuit (including the contents of ROM), and
discovering the memory contents by other means; a well equipped
laboratory can do both. Persistent amateurs have often managed the
latter, and may shortly be able to do the former as well.
1 Reverse engineering the chip
A recent article gives a good introduction to how reverse engineering
can be carried out in a moderately well equipped academic
microelectronics laboratory (there are three such in the UK, and perhaps
two hundred academic or industrial facilities worldwide which can carry
out such work). We will start off by summarising it and giving some
1.1 How attacks are done
The authors of the article cited above worked at the Cambridge
University microelectronics lab, which is part of the department of
physics. They got interested in reverse engineering chips five years ago
to help an industrial client locate manufacturing defects.
They built an apparatus which consists of a slightly modified
electron beam lithography machine (this functions in effect as an
electron microscope) and a PC with an image processing system (a DCT
chip and locally written software). They then developed techniques for
etching away a layer at a time without doing too much damage.
Conventional wet etching causes too much havoc with half micron chips,
so dry etching is used in which gases such as CF4 or HF strip off layers
of silica and aluminium in turn.
One of their innovations is a technique to show up N and P doped
layers in electron micrographs. This uses the Schottky effect: a thin
film of a metal such as gold or palladium is deposited on the chip
creating a diode effect which can be seen with the electron beam.
Finally, image processing software has been developed to spot
the common chip features and reduce the initially fuzzy image of the
metal tracks into a clean polygon representation. There are also
routines to get images of successive layers, and of adjacent parts of
the chip, in register.
The system has been tested by reverse engineering the Intel
80386 and a number of other devices. The 80386 took two weeks; it takes
about six instances of a given chip to get it right. The output can take
the form of a mask diagram, a circuit diagram or even a list of the
library cells from which the chip was constructed.
This is typical of the kind of attack which an academic lab can
mount. Even more sophisticated attacks, invented at Sandia National
Laboratories and recently published, involve looking through the
chip. Light-Induced Voltage Alteration is a non-destructive technique
that involves probing operating ICs from the back side with an infrared
laser to which the silicon substrate is transparent. The photocurrents
thus created allow probing of the device's operation and identification
of logic states of individual transistors. Low-Energy Charge Induced
Voltage Alteration relies on a surface interaction phenomenon that
produces a negative charge-polarization wave using a low-energy electron
beam generated by a scanning electron microscope. This allows imaging
the chip to identify open conductors and voltage levels without damage,
although it does not operate through metalization layers.
Of course, even more sophisticated techniques may be available
in classified government facilities.
1.2 The threat to smartcard systems
Smartcards typically have a few kilobytes of ROM, which being
metal can be read with the above techniques; a few hundred bytes of RAM,
which being cleared between transactions stores no long term secrets;
and a few kilobytes of EEPROM, which typically holds the user data and
The techniques described above are not directly relevant to
reading out EEPROM. However any laboratory at the level under
consideration would be able to determine EEPROM contents using
microprobe techniques. More simply, a reverse engineering operation
would pinpoint the physical location of the write protect bit, which
could then be reset using ultraviolet light.
As mentioned, the number of organisations worldwide which can do
electron beam lithography is of the order of 100-200. These potential
attackers include a number of universities, all the big chip makers and
the governments of the USA, Canada, the UK and China. Of these, the US
and Chinese governments appear to have the greatest experience at chip
For a respectable firm to join this club costs about $2m - $1.5m
for the electron beam lithographer and ancillary equipment, plus a
year's salary for about five professionals to get it all going
(typically a physicist to deal with the ion beams, a chemist to deal
with packaging, two computer people to write software, and a chip person
to run the whole operation).
The number of club members may rise as more and more firms,
especially in the Far East, start producing ASICs. However it is not
likely that electron beam lithography will ever become a really
widespread technology. The total number of sites with the capability to
do regular hi-tech attacks might rise to about 1000 at most.
An outsider without $2m still has a number of options. For
example, there are three universities in the UK alone which possess the
necessary equipment (Cambridge, Edinburgh and Southampton) and an
attacker might enrol for a PhD or other degree in order to acquire
access and training. It is also possible to use more primitive equipment
at the cost of spending months rather than weeks on each reconstruction;
this is apparently the approach of the Chinese government, and could be
viable where workers are paid little (or are expecting a share of large
Finally, there are apparently places in the Far East, and at
least one in Silicon Valley, which reverse engineer chips for cash. How
much cash, and how many questions would be asked, are not known to this
1.3 Possible defences
A number of copy trap features are incorporated into commercial
chip designs. For example, we have heard of design elements that look
like a transistor, but are in reality only a connection between gate and
source; and 3-input NORs which function only as 2-input NORs.
Many of these copier traps are based on holes in isolating
layers or on tricks done in the diffusion layer with ion implantation
(based on the assumption that it is hard to distinguish N from P).
However the layer etching and Schottky techniques developed by Haroun
Ahmed's team can detect such traps.
Another possibility is to introduce complexity into the chip
layout and to use nonstandard cell libraries. However the chip still has
to work, which limits the complexity; and nonstandard cells can be
reconstructed at the gate level and incorporated in the recognition
Finally, in the Clipper chip there are a number of silicon
features, of which the most important is a fusible link system. These
links are only fused after fabrication and hold the long term key and
other secret aspects of the chip. Details can of course be found in a
paper in the relevant data book, and from the scanning electron
micrographs there, it is clear that the secret information can be
recovered by sectioning the chip. This technique has been used by
Professor Ahmed's team on occasion on obscure features in other chips.
Thus the effect of current silicon level copy traps is just to
slow down the attacker. In fact, we have heard from a usually reliable
source that Intel has reverse engineered the Clipper chip, but that the
results have been classified.
The same appears to be the case for chemical measures. Chips
intended for classified military use are often protected by passivation
layers of a tenacity never encountered in civilian packaging. But
here again, informed sources agree that with enough effort, techniques
can be developed to remove them.
1.4 Relevance to smartcard products
We understand that neither silicon copy traps nor advanced
passivation techniques are used by smartcard manufacturers in the bulk
of their products. The marketing director of a smartcard manufacturer
said that they simply had no demand from their users for anything really
sophisticated. The most that appears to be done is an optical sensor
under an opaque coating.
Hi-tech techniques may indeed have been used by commercial
pirates to duplicate satellite TV smartcards.
Recent postings to a TV hackers' mailing list recount how an
undergraduate used nitric acid and acetone to remove ICs intact from
Sky-TV smartcards; he then put them in the University's electron beam
tester (an ICT 8020, also sold as the Advantest E 1340 - a 1991
machine). The chips were run in a test loop, but he had been unable to
remove the silicon nitride passivation layer; the many secondary
electrons removed from this caused it to get charged positive very
quickly, which obscured the underlying circuit. He did not have access
to a dry etching facility to remove this layer, and could get no
further. However it is significant that a person with no funding or
specialist knowledge could get even this far.
However, amateur hackers have managed to break smartcard
security without having to penetrate the device physically. Instead,
they have used flaws in the design of the card's hardware or software to
determine its contents.
2 Determining the EEPROM contents
Many methods have been employed to determine the EEPROM contents of
smartcards. In addition to the very general reverse engineering
techniques described above, there are a lot of shortcut attacks on
2.1 How attacks are done
The following list is not exhaustive:
* raising the supply voltage above its design limit;
* cutting the supply voltage below its design limit;
* resetting random memory locations using ultraviolet light until
the read protect bit is found;
* exploiting misfeatures in the hardware, including the
manufacturer supplied ROM code;
* exploiting misfeatures in the customer written EEPROM code
(current attacks on UK satellite TV systems take this route);
* some combination of the above.
The appendix contains accounts from a hacker mailing list of two actual
attacks carried out on chips.
2.2 Threat assessment
All systems have bugs, and so the level of threat to smartcard
systems presented by exploitable loopholes is a function of how many
bugs remain (i.e. how mature the design is) and how much effort is spent
in looking for them (i.e. how many motivated attackers there are). This
in turn depends on the application area.
Satellite TV systems attracted a great many attackers for
historical reasons; in the USA, many rural households had got into the
habit of watching satellite TV feeds as there were no terrestrial
stations in range, even though these feeds were intended for
rebroadcast rather than direct consumption. When the feeds were
encrypted, the families who depended on them for their news and
entertainment - and often could not buy decoders through any legal
channel - were outraged.
In Europe, a similar problem arose when the final season of
'Star Trek: The Next Generation' was encrypted. This program's fans
included many with appropriate skills, and soon (March 94) there
appeared a program called Season which decoded Sky TV.
Since then, there has been a battle of wits between Sky and the
Trekkies, which has probably cost Sky somewhere between $10 million and
$100 million. On May 18th 1994, Sky changed from issue 07 cards to their
new issue 09 card. Hackers refer to May 18th as Dark Wednesday. The 09
card proved harder to hack but a temporary solution appeared in June. It
only lasted a few weeks before Sky changed codes again. Though some
attempts at an issue 09 Season were made, a code change by Sky stopped
it until just before Christmas.
Then no less than three new versions of Season appeared - two
for the PC and one for the Mac. Successive code changes on January 4th
and January 25th led to further updates of Season, and by about 8th
March all the secrets in the Sky 09 card were known - and published!
Hackers are awaiting the release of series 10 Sky cards with relish.
In addition to the attacks on satellite TV, there have been a
number of attacks on banking systems and prepayment electricity meter
systems which are documented in three of my recent papers [8, 9, 10]
Most of the attacks documented there resulted from similarly
opportunistic exploitation of design and operational errors, and some of
the target systems were based on smartcards.
Finally, some concern has been expressed that attack skills may
be transferable. For example, a banking industry security expert is
worried that the satellite TV hacking community might next turn its
attention to EFTPOS systems.
2.3 Possible defences
The main conclusion to be drawn from the above is probably that
just as we do not know how to make a device which resists tampering by a
funded organisation, we do not know how to build a device of any
complexity to resist logical as opposed to physical tampering.
There are a number of other lessons. For example, companies
which rely on smartcard systems should if possible avoid making a lot of
enemies. Diversity of attack has been significant in pay-TV, metering
and banking systems and just as a funded organisation can break the
silicon directly, so one must expect that many tinkering amateurs will
eventually find a flaw in any piece of software. It is well known in the
software testing community that a significant number of bugs come to
light when a piece of software is passed on to another tester or to a
customer; this is because different testers and/or users exercise
different parts of the input space.
It is also imprudent to start off with weak security and then
improve it gradually in response to attacks. The satellite TV people did
this, and trained up a community of hackers. At some point, you must
invest enough to put clear water between your systems and your
opponents, and the sooner you make this investment the smaller it is
likely to be.
The main investment should be in getting the overall design
right, or at least as right as one can, from the beginning. It is unwise
to spend a lot of money on tamperproofing while ignoring the much
simpler and dirtier attacks which exploit errors in design and
operation. Quality control, and examination by multiple independent
experts, should take priority over attempts to mimic the passivation
techniques used by the military.
After all, the three published attacks on Clipper all involve
the logical design (key management protocols and modes of operation)
rather than penetration of the device itself.
At present, there are no portable tamperproof devices. If secrets are
held on smartcards which are allowed outside protected spaces, then both
physical and logical attacks should be expected.
The scale of such attacks will depend on many things. If there is a
capable motivated opponent, such as a chip maker or the government of a
NATO country or China, then it must be assumed that a complete
penetration will take at most weeks. If there are many less capable but
still motivated opponents, then penetrations based on the opportunistic
exploitation of design flaws are to be expected in due course.
We conclude that systems based on portable tamper-resistant devices
should be designed with caution. They should avoid motivating a
determined attack on the cards, and the penetration of a small number of
cards should not be fatal to the system owner.
These considerations interact; for example, if the scope of secrets kept
within the card is limited so that breaking a card allows access to only
one bank account, then it is unlikely that an attack would be economic
to an attacker or prove more than a minor nuisance to the card issuer.
Appendix: two attacks from a hacker mailing list
This short essay will show you how to read the EPROM of an AMD 87C51,
with all security programmed.
... the SM-card I had was programmed with both Lock bits and it was
impossible to read out the IROM.
But the data sheet also tells:
To ensure proper functionality of the chip, the internally
latched value of the EA pin must agree with its external state.
Perhaps it was possible to confuse the processor.
I built a small device with external EPROM (64 KBytes) and RAM. The
EPROM was coded with a monitor program in the upper address range which
gave me the possibility to load and execute code under the control of a PC.
Starting the processor with external ROM access disables the access of
the internal ROM and due to the latching of the EA pin during RESET,
changes at the EA pin had no effect. Also the MOVC returns only
external ROM values.
Now my idea was to start the processor with internal ROM and then to
confuse it so that it accesses the external EPROM and runs into the
I tried ...
But reduction of the power supply voltage works. At about 1.5 volts the
processor starts to access the external ROM. Raising the voltage back to
5 volts, the processor (most of the time) still ran external, but with
the possibility of access to the internal ROM...
I programmed a small routine, which calls an address within the internal
ROM and executes it. I started at the higher end of the internal ROM
and decreased the calling address with each try by 10h. Most of the time
the processor hung up. But at some addresses I got a return to the
monitor program. So I analysed these addresses and prepared the registers
in a way to verify that the routine could read ROM data. And I found the
routine which did this. So the internal ROM code reads itself and
returns itself to the monitor program for storage. It took about 3 days
to go through the ROM and find the routine and one long week to
understand the code.
This short story shows how to get access to a secured 87C51
microcontroller. It's a different way than the one described by ....
Referring to his article, I assume that these 87C51 microcontrollers and
their features (including security bits) are known.
The idea was that the security bits are not located near the EPROM
array on the silicon. After some tests in erasing standard EPROMs, I had
the right tools to try it on a real device: With a mask made from
black, thick paper with a small hole in it, I started to illuminate the
silicon on the outer edges and sides. Moving the mask carefully and
checking the security bits (by reading the device in a microcontroller
programmer) after each try is a long job. I did additional tests to open
the chip (by removing the window or dividing the ceramic carrier
material). But this always led to permanent damage to the chip (broken
silicon, destroyed wires between pads and pins), so I gave this up. So
after 4 destroyed chips the fifth was the right one. You have to be
sure that your mask is well prepared and the erasing light doesn't
diffuse across the chip. Now I am able to erase such a device in less
than 10 minutes. But ... it's only easy if the device is one from AMD or
Philips. The Intel devices have a window which is formed like a lens
(the silicon looks very big). On these devices it's nearly impossible to
illuminate a specific part of the silicon. The job is easier on devices
with a standard window and a _big_ EPROM array (seems to be devices aged
two or more years).
. . . if somebody is interested in the 4K codes of the MasterCard (bad
and dirty code) or MovieCard (very elegant algorithm and i/o
implementation), just gimme a direct mail. Disassembled and commented
listings in WinWord format are also available (comments in mixed English
and German language).
References
[1] 'Layout Reconstruction of Complex Silicon Chips', S Blythe, B Fraboni,
S Lall, H Ahmed, U de Riu, IEEE J. of Circuits v 28 no 2 (Feb 93)
pp 138-145
[2] 'Two New Imaging Techniques Promise To Improve IC Defect
Identification', C Ajluni, Electronic Design Vol 43 No (July 1995)
pp 37-38
[3] 'Conducting Filament of the Programmed Metal Electrode Amorphous
Silicon Antifuse', KE Gordon, RJ Wong, International Electron Devices
Meeting, Dec 93; pp 6-3 to 6-10, QuickLogic Data Book, 1994
[4] see FIPS PUB 140-1 section 4 level 4: "Removal of the coating shall
have a high probability of resulting in serious damage to
[5] Philippe Maes, GemPlus, during a panel discussion at Cardis
[6] message <CovCG9.firstname.lastname@example.org> posted by Anne Anderson of
Hewlett-Packard aha@apollo.HP.COM to sci.crypt 26 Apr 1994
[7] apparently tiny jets of hot acid have been used to remove the
passivation layers over parts of the chip at a time
[8] 'Why Cryptosystems Fail'
[9] 'Liability and Computer Security - Nine Principles'
[10] 'Cryptographic Credit Control in Pre-payment Metering Systems'.
All these can be got from
[11] 'Thermodynamic description of the defects in large information
processing systems', RM Brady, RC Ball, RJ Anderson, to appear
© 1997 Peter Langston