Preface
Regardless of bull or bear markets, asset security is always the most important! Especially for decentralized wallet users, self-owned private keys and asset management also mean self-borne risks, so wallet security is inevitably the most concerned topic for users.
Today, we once again enter the security core of the imKey hardware wallet - the secure chip, and learn about the attacks and defenses involving secure chips in history. How does the secure chip of imKey protect users' private key security?
With the development of computers, computer security has become an important part of the modern electronic world, and hardware security has become a key area of computer security. In this field, since the first batch of hardware connected to the Internet in 1982, the attacks and defenses around chip security have never stopped.
Attackers try to illegally obtain users' private information from the chip. To this end, they use methods such as implanting Trojans, opening backdoors, electromagnetic interference, high temperature and humidity, and physical destruction, sparing no effort. In response to the attackers' different attack methods, secure chips have developed a set of corresponding security protection measures in each confrontation.
If the attack and defense of the chip is compared to a long-lasting holy war, then the various attack methods of the attacker are battlefields full of smoke, and the secure chip is the strongest defense line guarding the security of user information on each battlefield.
The Oldest Battlefield - Memory Data Protection
Typically, a security chip contains persistent storage such as FLASH/EEPROM/ROM and dynamic storage such as RAM/CACHE. These memory components are connected to the CPU via a Bus and are used to exchange addresses and data.
Over 20 years ago, one of the daily tasks for attackers was to extract unencrypted data from the chip's memory, in the hope of gaining control of the program code inside the chip or separating the data from the chip's interior.
Initially, chip manufacturers used a technology called "implantation ROM" to encode information by replacing visible metal connections with ions injected into the chip's substrate. However, attackers soon discovered a special etching program called "decoration" that could expose memory data. Chip manufacturers then turned to overall security measures, and one of the earliest countermeasures was to scramble memory addresses. However, shortly afterward, attackers broke this simple obfuscation by reassembling plaintext from scrambled memory dumps through application programs. More importantly, the scrambling signal was easy to recognize and recover from the chip layout at that time. Therefore, in the past decade, simple address scrambling has been widely replaced by memory encryption. In addition, security chips must also consider any fault attacks that may affect chip behavior. The memory system, including the corresponding bus structure, is the target of attackers. If it is not effectively protected, a successful fault attack may destroy keys, dump data, bypass input passwords or PINs, and even gain programming access to the chip.
Several years ago, and even some low-end security chip products today, use a method called "parity bits" for memory integrity checking. An additional Bit of data is used for data verification for each byte (8Bit). Because there is only one bit of data, the parity bit can only be an odd 1 or an even 0. In other words, this verification mechanism provides an opportunity for attackers, who have a 50% chance of success.
Nowadays, high-end security chips (such as the one used in imKey) completely abandon this method and use mathematical error detection codes (as shown in the figure) instead. This not only allows for error detection of one or more bits, but also has some error correction capability.
The most critical battlefield - CPU protection
The CPU is the core of the entire chip, and attacks on instructions and signals around the CPU not only occur in movies or laboratories, but also in reality. In a typical CPU attack, attackers may not only find plaintext during processing, but also find excellent opportunities to induce faults during operations and use them to crack keys or manipulate software execution at will. Early methods for protecting the CPU core included adding sensors outside the kernel to detect environmental conditions such as voltage, light, or temperature, but most sensors typically work within a local distribution range of the chip and cannot protect against local attacks on the CPU itself, such as using lasers, alpha radiation, TIVA (thermally-induced voltage alteration), or direct physical force attacks.
Initially, security chip manufacturers used "Parity Bits," similar to memory protection, to protect CPU registers, but like memory protection, this protection was not long-lasting and was easily breached after a period of time. The most commonly used CPU protection method today is data/code signing. These signatures are typically created during code compilation or data generation and then stored in memory along with the code and data. When the values do not match, an error is triggered and an alert is issued, stopping further processing by the CPU. Code and data signatures are excellent for protecting the so-called "linear" portion of the code, but when there is a lot of branching code, they become the attackers' main target, as attackers attempt to influence the behavior of branching code by attacking the code signature. Nevertheless, code and data signatures are still commonly used protection measures for mid-range security chip products.
In recent years, chip manufacturers have slowly realized that relying solely on a single CPU is not enough to achieve true CPU protection, as it cannot check its own decisions to a certain extent and effectively respond to modern attack methods. Therefore, the most advanced countermeasure is to use tightly-coupled dual CPU cores, where two CPUs constantly check each other's correct operations and execution conditions, and if the CPU's calculated data is encrypted, different dynamic keys can be used for the two CPUs, while adopting multiple-time and multiple-region fault induction methods to further increase the barrier against so-called multi-fault attacks.
The Most Ambiguous Battlefield - Physical Attacks and Protection
Attackers are very interested in signals running on silicon chips because they can use these signals to reverse engineer the chip. Reverse engineering refers to the process of thoroughly examining a target to achieve a comprehensive understanding of its structure or function, and it is a method used by attackers to launch attacks. Reverse engineering is widely used to clone and replicate systems and devices in various security-critical applications. The most famous example in history is during World War II when a B-29 bomber was captured by the Soviet Union, reverse engineered, and cloned.
Reverse engineering for hardware products is mainly divided into chip-level reverse engineering, board-level reverse engineering, and system-level reverse engineering, and security chips mainly face chip-level reverse engineering. Attackers first need to identify the material of the chip packaging and remove the packaging. Attackers will use chemical methods (wet and dry), mechanical methods, nanomanufacturing technology, laser ablation, and other technologies to decapsulate the chip, and then attackers will layer the chip. Modern chips generally consist of several metal layers, passivation layers, vias, contacts, polycrystalline silicon, and active layers. Attackers will perform imaging processing on the cross-section of the chip and use SEM or TEM to identify the layers, metal materials, layer thickness, vias, and contacts. During the layering process, attackers will capture tens of thousands of high-resolution images to capture all the information contained in each layer. These images can then be stitched together and studied to reconstruct the chip.
The Most Cryptic Battlefield - Side-Channel Attacks and Protection
Side-channel attacks, also called side-chain attacks, are a type of non-intrusive attack that targets the implementation of cryptographic algorithms, rather than analyzing their statistical or mathematical weaknesses. These attacks use physical information leaked from various indirect sources or channels, such as power consumption, electromagnetic radiation, or computational time, to launch attacks. Such attacks are collectively referred to as side-channel attacks. Side-channel attacks come in various forms and can be said to have almost limitless applications. They often leave chip manufacturers unable to defend themselves. Attackers have been known to launch attacks on laptops from 4 meters away using side-channel attacks.
Generally speaking, common side-channel attacks include power analysis, electromagnetic analysis, timing analysis, and fault injection. In addition to the common side-channel attack methods listed in the figure below, signals such as sound, temperature, and vibration are also sources that attackers can use.
The common methods used against side-channel attacks are covert channels, CPU signal encryption, and auxiliary protection with coprocessors.
"Chip-Level Security Protection" of imKey
The security chip selected for the imKey hardware wallet is the SLE78CLUFX5000PH produced by Infineon. The relevant parameters are as follows:
The chip uses the "Integrity Guard" design to coordinate the operation of two CPU cores, ensuring that data is not only encrypted and stored in the chip but also processed in encrypted form within the chip. The core of this design is an independent, self-checking system that works like the double helix of DNA in cells.
The working principle of the independent self-checking system consisting of two CPUs is like the double helix of DNA in cells, checking the application code in encrypted form and transmitting it to the mirrored CPU.
Machine commands from the two CPUs form the program code. Commands and data from the memory module are combined in the CPU to process input data and produce the required output data.
Attacks such as reverse engineering, physical attacks, or side-channel analysis will only leak encrypted data, which is useless to attackers.
Integrity Guard is the first security technology in the market to use hardware encryption processing in the CPU itself.
The chip has a shielding layer, secure mixed routing, and current source processing, which can effectively prevent external detection and cracking of the hardware. The chip has comprehensive physical attack protection, ensuring that sensitive information is not leaked in environments such as high and low temperatures, electromagnetic interference, ultraviolet interference, electrostatic interference, and voltage spike interference.
The algorithm implementation of the chip is saved in a special storage area. After the algorithm is downloaded, this area no longer supports debugging and running of the chip. The entire algorithm program runs in an independent program stack, and once the program execution is complete, the stack area is immediately cleared, or else the following call cannot be executed. The hardware algorithm area of the chip is protected by the chip's own access system to ensure the security of the hardware algorithm and keys.
The chip can detect and monitor external clock frequencies and power supply voltages to prevent outsiders from obtaining information by detecting changes in clock and voltage during program execution, ensuring the security of data during program execution. The COS program installed inside the chip cannot be tampered with, and the user's private key is saved inside the chip and cannot be exported.
Summary
The above listed attacks are only a few commonly used by attackers, not all the threats faced by hardware wallets. Malware attacks, testing-oriented attacks, attacks against random numbers, etc. can all cause us to lose our assets. What's more, even if the world's most secure security chip is used, attackers will still use social engineering attacks, such as bribing your family and friends to steal passwords or mnemonic phrases, and the assets will still disappear.
Only by using the imKey hardware wallet with CC EAL6+ security chip externally and always keeping security awareness in mind internally can we ensure the security of the assets we hold.
Postscript
Thanks to Dr. Peter Laackmann and Marcus Janke of Infineon for writing the security chip white paper.
The technologies and solutions mentioned in this article are only basic concepts, only to let everyone understand the attack and defense of security chips, and the necessity of using security chips in hardware wallets.
Reference
- Integrity Guard digital security technology https://www.infineon.com/cms/en/product/promopages/integrity-guard/
