Session
Programm CCCamp 2019
Security

Physical Unclonable Functions: The Future Technology for Physical Security Enclosures?

Meitner
Johannes
In this talk, I will give an overview of the past, present, and possible future of physical security enclosures, i.e., the physical boundary that protects Hardware Security Modules (HSMs) and separates the untrusted outside from the secret data inside the module. I will present an analysis of the hardware security features in some selected HSMs, ranging from sensitive carbon meshes, over light detectors, up to temperature sensors. Since the security of these solutions has recently been questioned and some of them have been discontinued, new technologies have been proposed by several research groups, which will be presented in the second half of my talk. I will give insight into the current research regarding future solutions whose security is based on Physical Unclonable Functions (PUFs). Via this technology, cryptographic keys are extracted from intrinsic manufacturing variation of the enclosure itself. Thus, a violation of the delicate enclosure results in immediate loss of information and thereby voids cryptographic keys - in theory. Finally, I will discuss existing drawbacks and issues which have to be resolved, which currently prevent PUFs from protecting HSMs.

Hardware Security modules (HSMs) in servers, such as for VPN or banking applications, are commonly protected via physical security enclosures. This boundary, which consists of a conductive mesh that entirely surrounds the module under protection, is continuously monitored to detect any physical intrusion and subsequently wipe critical data. Since attack tools have improved and some enclosure solutions have been discontinued, a desire for a new technology has emerged.

At first, I present state-of-the-art solutions for HSMs which conform up to the highest security level: FIPS 140-2 level 4. Knowledge about these solutions was gained by accurate disassembly of such modules, obtained via a famous online market place. While some solutions have a very delicate mesh surrounding the entire device, others have additional light and temperature sensors that are countermeasures against common physical attacks. However, many physical security enclosures have been discontinued, sometimes due to suspected insecurity, thus, there is demand for a successor.

The second part of my presentation focuses on a novel technology for enclosures, based on Physical Unclonable Functions (PUFs). These PUFs, which are currently investigated by several research groups, are uncontrollable minuscule manufacturing variations which are present, for example, in a conductive mesh of a security enclosure. One solution, that I am doing research at, is able to extract femto-farad (10^-15) capacitance variations from electric traces contained in the enclosure. Cryptographic keys are derived from the PUF which is subsequently used to encrypt the underlying system data. If an attacker damages the enclosure in an attempt to gain access, these delicate variations are altered, the key changes, and critical data cannot be recovered anymore. Despite PUFs provide real tamper-sensitive key storage, they are accompanied by some drawbacks, e.g., sensitivity to environmental conditions, aging, etc. which have to be tackled via additional means.

Finally, I will discuss the current status of the development of PUF enclosures and outline the issues that have to be resolved to enable PUF-based security enclosures to secure future HSMs.

(I will try to bring some real-world samples, so that there is the option to have a close look after the talk. However, I have to check this with my institute first.)

About the presenter:

I am currently doing my PhD at a research institute that focuses on embedded security. I am in the final phase of my dissertation about physical security enclosures, based on PUFs. This offers me a deep insight into the current development status of Physical Security Enclosures. In this talk, I want to share my experience with various solutions, from an analysis of a few up to the development of others. My goal is to discuss novel PUF-based solutions openly to raise awareness and to encourage more research into this interesting direction - from attacks up to countermeasures.

Additional information

Type lecture
Language English

More sessions

8/21/19
Security
Thomas Fricke
Curie
The talks shows the security model of Kubernetes and how to detect and fight security weaknesses with a few lines of scripting.
8/21/19
Security
Carsten Strotmann
Meitner
Seldom have DNS protocol changes sparked such fierce debate as happen in the case of DNS-over-HTTPs (Doh) and it's little cousin, DNS-over-TLS (DoT). While for many people it is a matter of black and white, the reality out there is various shades of grey ;) This talk will discuss the technical and political aspects of these DNS privacy protocols, where they come from, who is implementing DoH/DoT (both in the browser space and otherwise) and why it is a [good|bad] idea to support these protocol ...
8/21/19
Security
Egor
Meitner
Typical home networks use a closed-source Internet Service Provider supplied router/firewall and contain no restrictions on communications between clients within the network. The widespread deployment of network-connected appliances, control systems, lighting, etc, means that this design is insecure. This talk will cover the basics of networking, including why and how segregation of different types of network clients and traffic can be achieved to increase privacy and security.
8/21/19
Security
Meitner
We have learned that Math might be our last defence line against a real existing all-encompassing surveillance. One central challenge in this conflict is to combine authentication and anonymity. Number theory provides us many tools to create really surprising technologies for social communication. A lot of these technologies have not yet been brought to the world of concrete implementations. This has the implication that some ideas which have been presented years ago are not covered by patents ...
8/21/19
Security
Dennis Giese
Meitner
Remember the good old fun sport, where people bought random hard drives from ebay and did forensics on them? Did you know you can do the same thing with used IoT devices too? Most end-users have no idea what kind of information their devices are storing and how to securely clean their devices (if that even is possible). Lets explore together what the risks are and how we can extract that data.
8/22/19
Security
Eileen Wagner
Curie
This case study of NoScript’s UX redesign showcases tried and true design principles that make security tools usable to a wider range of audiences.
8/22/19
Security
cy
Curie
i'll show how the average developer (like me) can secure their software and systems by automatically checking for known vulnerabilities and security issues as part of their CI-Toolchain. The Talk will introduce basic security knowhow, then show how you can use Open Source Frameworks to check for vulnerable dependencies, containers and (web-)APIs in a live demo