Die Datenschleuder #67 - uni-hamburg.de · 2013. 9. 9. · Die Datenschleuder #67 Summer 1999 Die...

Die Datenschleuder #67, Summer 1999. Die Datenschleuder, ISSN 0930-1045, Summer 1999, DM 5.00, postal distribution item C11301F. The scientific journal for data travellers. An organ of the Chaos Computer Club. #67. Cover topics: Key points of the German, white paper, Chaos Communication Camp


  • Die Datenschleuder #67, Summer 1999

    Imprint

    Addresses: http://www.ccc.de/ChaosTreffs.html Chaos on the Internet: http://www.ccc.de & news:de.org.ccc

    Die Datenschleuder No. 67, 2nd quarter, Summer 1999. Publisher (subscriptions, addresses etc.): Chaos Computer Club e.V., Lokstedter Weg 72, D-20251 Hamburg, Tel. +49 (40) 401801-0, Fax +49 (40) 401801-41, email: offi[email protected]. Editorial office (articles, letters to the editor etc.): Redaktion Datenschleuder, Postfach 640236, D-10048 Berlin, Tel. +49 (30) 280 974 70, Fax +49 (30) 285 986 56, email: [email protected]. Printed by: St. Pauli Druckerei Hamburg

    Managing editor (CvD) and person responsible under German press law (ViSdP) for this issue: Andy Müller-Maguhn ([email protected])

    Contributors to this issue: Djenia, Henriette, Chris, Tim, ZapfDingbatz

    Retention of title: This magazine remains the property of the sender until it has been handed over personally to the prisoner. "Zur-Habe-Nahme" (adding it to the prisoner's stored belongings) does not constitute personal delivery within the meaning of this reservation. If the magazine is not handed over to the prisoner, it is to be returned to the sender together with the reason for non-delivery in the form of an appealable decision.

    Copyright (C) with the authors. Reprinting for non-commercial purposes is permitted provided the source is credited.

    Erfa-Kreise

    Hamburg: Lokstedter Weg 72, D-20251 Hamburg, [email protected] Web: http://hamburg.ccc.de Phone: +49 (40) 401801-0 Fax: +49 (40) 401801-41 Voicemailbox +49 (40) 401801-31. Meetings every Tuesday from about 20:00 in the club rooms. The first Tuesday of each month is the Chaos-Orga-Plenum (internal); on all other Tuesdays anyone interested is welcome. Public workshops at the Chaos-Bildungswerk almost every Thursday. Current dates at http://www.hamburg.ccc.de/Workshops/index.html

    Berlin: Club Discordia every two weeks on Thursdays between 17:00 and 23:00 in the club rooms at Marienstr. 11, rear courtyard, in Berlin-Mitte. Near U-/S-Friedrichstrasse. Tel. (030) 285986-00, Fax (030) 285986-56. Postal address: CCC Berlin, Postfach 640236, D-10048 Berlin. Current dates at http://www.ccc.de/berlin

    Köln: The Chaos Computer Club Cologne is currently moving. Please ask for the current coordinates at [email protected] or http://www.koeln.ccc.de. It will be reachable by telephone again only once the new rooms have been fully occupied.

    Ulm: Contact: Frank Kargl. Email: [email protected] Web: http://www.ulm.ccc.de/ Meetings: every Monday from 19:30 in the 'Café Einstein' at the University of Ulm.

    Bielefeld: Contact: Sven Klose, Phone: +49 (521) 1365797, email: [email protected]. Meetings on Thursdays from 19:30 in the pub 'Pinte', Rohrteichstr. 28, by the regional court (Landgericht) in Bielefeld. Anyone interested is welcome.

    Chaos-Treffs: For reasons of space we cannot print the details of all Chaos-Treffs here. There are Chaos-Treffs in the following cities, with details at http://www.ccc.de/ChaosTreffs.html: Bochum/Essen, Bremen, Burghausen/Obb. and surroundings, Calw, Dithmarschen/Itzehoe, Dresden, Emden/Ostfriesland, Eisenach, Erlangen/Nürnberg/Fürth, Frankfurt a.M., Freiburg, Freudenstadt, Giessen/Marburg, Hanau, Hannover, Ingolstadt, Karlsruhe, Kassel, Lüneburg, Mannheim/Ludwigshafen/Heidelberg, Mönchengladbach, München, Münster/Rheine/Coesfeld/Greeven/Osnabrück, Rosenheim/Bad Endorf, Neunkirchen/Saarland, Würzburg, Switzerland/Dreyeckland: Basel, Austria: Vienna

  • A Word to Our Readers

    If some of us had believed until now that only hackers who are more or less less-than-law-abiding and who work with encryption and security technology are in danger of having an accident under unclear circumstances, that has been over since the beginning of May at the latest. The head of division at the Federal Ministry of Economics who drafted the cabinet decision on the key points of German crypto policy documented in this issue fell, for reasons still unexplained, from the window of his third-floor flat during the very night after the document was sent to the Ministry of the Interior, and survived, seriously injured. As recently as December he had reported at the Chaos Communication Congress on the current front line of the crypto war and on the Wassenaar negotiations. Of course it will all turn out to be a tragic but coincidental accident.

    Nevertheless a bitter aftertaste remains in view of the openly visible context, in which campaigning for free encryption does not only make one popular. We can at least document the catalogue of key points that has since been adopted; another project of the injured man has meanwhile stalled. There are so far unverified indications that the often-cited German crypto industry no longer exists at all, and that the companies based in Germany have been acquired by foreign interested parties. Decentralized research is welcome. It would make sense: American law, for example, also applies to companies under American ownership.

    Speaking of America: our esteemed Minister of Justice recently received mail from America. She has no idea about the subject, but was nevertheless asked by a relevant body to make sure that no strong crypto products fall under the Wassenaar term "public domain". Others call it German-American friendship.

    At the Camp (6-8 August, www.ccc.de/camp) we will therefore hopefully not only have a lot of fun with the equipment; many international groups, such as the Cypherpunks, have announced that they will come to improve the situation together with us. In the reengineering area, too, there is plenty to investigate; bring along whatever still needs investigating.

    On the subject of investigating, this issue has an introduction to liberating bits from chip cards; whether that is hacking or support for the security industry is something we should discuss in detail at the Camp, given the current climate. Until then, have fun packing... [email protected]

    Index

    Imprint; Contact addresses; Editorial / Index; News in brief

    /ds67/cryptowar: Key Points of German Crypto Policy; Trend: full disclosure

    /ds67/hack: Hacking chip cards.. er, making them secure

    /ds67/counterintelligence: Interception Capabilities 2000; Minister unmasked his own intelligence service; NSA patents

    /ds67/infowar: Information Operations: Protocol I Violation

    Dates in 1999; Order slip

  • Die Datenschleuder #67, Summer 1999

    Chaos Realitäts Dienst

    /Y2K/Banken/Literatur: Contingency planning of the German banks

    One of the most lovingly detailed public papers so far on the year 2000 problem comes from the Bundesverband deutscher Banken (Association of German Banks). It describes the domino effects in particular very nicely, without paying special regard to the information policy of public authorities. Worth reading:

    http://www.bdb.de/verband/jahr2000/ausfallplanung.htm

    /Y2K/Stellungnahmen/Regierung: "No cause for panic"

    The federal government has meanwhile presented an updated report on the year 2000 problem. According to a Heise-Ticker report of 21.04., Federal Minister of Economics Werner Müller (non-party) stressed that, according to all expert findings, there is no cause "for panic and great fears".

    http://www.heise.de/newsticker/data/wst-21.04.99-000/

    /Internet/GeldohneUmwege: Internet abuse for share price manipulation: false report of a merger

    As the Neue Zürcher Zeitung reported on 8 April, several as yet unidentified fraudsters succeeded, by means of a forged web page and postings on the Yahoo "message board", in spreading a false report, made to look like a report from the Bloomberg agency, about a purchase of the American PairGain Technologies Inc. by its Israeli rival ECI Telecom Ltd. for $1.35 billion. The price of the PairGain shares traded on Nasdaq thereupon rose temporarily by more than 30% on Wednesday morning and still closed 10% higher that day, although both companies had already denied such a merger around midday and the Bloomberg agency itself had stated that the merger report did not come from it.

    http://www.nzz.ch/online/01_nzz_aktuell/finanz/04_finanz.htm

    /Opensource/danndochnoch: SGI goes Open Source

    One obstacle to using Linux in large servers is still the lack of a journaling file system that gets by without a file system check (fsck) after a crash. On large systems this check can easily take hours, so that a restart becomes correspondingly sluggish. Lookup times in directories also become too long on very large file systems (very many files). Help comes from a rather unexpected direction: Silicon Graphics (SGI) is making its XFS file system available as open source from the summer. One can look forward to performance comparisons. More info:

    http://www.sgi.com/newsroom/press_releases/1999/may/xfs.html

    /Chaos/Hamburg/Bildung: Chaos-Bildungswerk Hamburg

    The Chaos-Bildungswerk has its first events behind it. With great enthusiasm, talks on programming languages (Scheme, Perl), network fundamentals and the like were brought to the interested public. PGP, firewalls and databases are currently on the agenda, soon to be followed by Linux and negotiation tactics. The schedule is always up to date at http://www.hamburg.ccc.de/Workshops/index.html. There you will also find directions and similar signposts for the data traveller. Sessions are usually on Thursdays at 19:30 at the CCC, Lokstedter Weg 72. Longer workshops do sometimes spill into the weekend. The events are free of charge, but the Erfa-Kreis asks for a small donation to pay for flipchart pads, transparencies and so on; we are thinking of about 5 Marks, but that is entirely voluntary. For some events there are handouts or sets of slides, on paper or electronically, for a contribution towards costs. At some point the material, where it exists electronically (photographed flipcharts are not really useful :-), should also find its way onto the net.

    [email protected]

  • Die Datenschleuder #67, Summer 1999

    News in Brief & Update

    /Dasletzte/Softwaregutachten: Excerpt from an article in the Neue Juristische Wochenzeitschrift Computerreport (NJW-CoR) 4/99, page 217ff, which is actually about the peculiarities of orders for evidence concerning software and software expert opinions...:

    "That would not be so bad if the system software failed only rarely. Stable operating systems such as Unix, OS/2 or proven mainframe systems nowadays run for months without shutdown or failure. However, the systems house had, for whatever reasons, recommended to the user a notoriously unstable operating software, let us call it W, which is known to rarely run for more than a day without errors even under normal use."

    The author of the article is Dr Peter Schnupp, publicly appointed and sworn expert for system software and software development technology, in Falkenberg-Altgmain.

    [email protected]

    /Durch/DES: Should *anyone* still believe that DES makes sense, they should take a look at this: http://search.ietf.org/internet-drafts/draft-simpson-des-as-01.txt

    Quote: "The PPP DES Encryption Protocol" [RFC-2419], "The ESP DES-CBC Cipher Algorithm With Explicit IV" [RFC-2405], and "The ESP DES-CBC Transform" [RFC-1829] have been re-classified to Historic status, and implementation is Not Recommended.

    /Datenschutz/Amerika/Ganzvorbei: Bank sued over client data sale

    Snipped from comp.risks digest 20.44

    The state of Minnesota last week sued U.S. Bank for allegedly selling Social Security numbers, account balances and other sensitive customer data to a telemarketing company in exchange for commissions. Apparently several other banks are also hawking customer information, which raises serious privacy concerns. [Source: *ComputerWorld*, article by Kim S. Nash, 14 Jun 1999, http://www.computerworld.com/home/print.nsf/CWFlash/990614AE82 PGN]

    Best viewed with...

  • Die Datenschleuder #67, Summer 1999

    Federal Ministry of the Interior / Federal Ministry of Economics and Technology

    Bonn, 2 June 1999

    Key Points of German Crypto Policy

    Introduction

    Programs and chips for the secure encryption of messages were, until the early 1990s, a relatively insignificant niche of the computer industry. Today, however, this niche is of considerable importance for the economic and social development of the information society as a whole. For the production factor "information" is increasingly becoming a sought-after raw material. More effective protection of this raw material can decide the success or failure of companies, and thus employment opportunities in the information age, and only the use of strong cryptographic methods can effectively guarantee this protection today. In any case, the capability of this technology is greater today than ever before.

    The crypto controversy in Germany

    The crypto controversy concerns the question of whether, and to what extent, the use of cryptographic methods should be restricted by law. The question has been debated controversially in many democratic industrialized countries in recent years. In Germany, too, there was an intensive debate on this, in which the federal ministries, with differing positions, industry and numerous social groups took part.

    In October 1997 the Federal Cabinet adopted the "Progress Report of the Federal Government Info 2000: Germany's Way into the Information Society", which contained a passage on crypto policy:

    "Agreement was reached within the Federal Government to refrain, in this legislative period, from legal regulation of the marketing and use of crypto products and methods, so that users retain unrestricted freedom in the choice and use of encryption systems. The Federal Government will attentively follow further developments in the field of cryptography, above all in the context of European and international cooperation, and will, where appropriate, initiate further measures to implement its goals."

    So far, however, the Federal Government has not yet taken a binding and unambiguous position.

    Cryptography and economic interests

    Above all because of the dynamic development of digital business transactions, the markets for encryption products are also recording high growth rates today. Important areas of application for cryptographic systems today are (besides the traditional protection of confidentiality), for example, copyright protection, digital signatures and digital money. Beyond that, cryptography is a cross-sectional technology that is indispensable for the system architecture and development of complex electronic commerce applications. Indirectly, then, far larger markets are at stake here, e.g. those of telecommunications, online banking or telemedicine.

  • Die Datenschleuder #67, Summer 1999

    It is true that security standards which only a few years ago were, because of the high costs, reserved mainly for large companies and government agencies are today also affordable for medium-sized businesses and private households. Nevertheless, encryption products are currently not used in Germany to the extent required. In many cases the necessary IT security awareness is lacking, although considerable economic damage can result from the unauthorized spying out, manipulation or destruction of data.

    German crypto manufacturers have good prospects of keeping up in the international competition for new markets if the necessary framework conditions for this are ensured. In view of the strategic importance of this sector, many major industrialized countries are making considerable efforts to strengthen its economic and technical capability in their own country.

    Cryptography and security interests

    The use of cryptographic methods is of extraordinary importance for efficient technical crime prevention. This applies both to ensuring the authenticity and integrity of data traffic and to protecting confidentiality.

    On the other hand, this protection of confidentiality can also benefit criminals: it is to be expected that, as encryption products become more user-friendly, their spread in criminal circles will also increase. This can pose problems for the law enforcement authorities. Lawfully ordered judicial surveillance measures must retain their effect even if the target person protects the information concerned with a cryptographic method.

    So far, the misuse of encryption has not posed a serious problem for law enforcement in Germany. A forecast for the future cannot, however, be derived from this. It is therefore necessary to carry out active technology assessment in Germany with regard to the concerns of the law enforcement and security authorities, in order to recognize undesirable developments early enough that they can be countered effectively, where appropriate on the basis of alternative strategies.

    On the basis of the national discussion to date and of international developments, the Federal Government adopts the following key points of its crypto policy:

    1. The Federal Government does not intend to restrict the free availability of encryption products in Germany. It regards the use of secure encryption as a crucial prerequisite for the data protection of citizens, for the development of electronic commerce and for the protection of business secrets. The Federal Government will therefore actively support the spread of secure encryption in Germany. This includes in particular promoting security awareness among citizens, business and public administration.

    2. The Federal Government aims to strengthen users' trust in the security of encryption. It will therefore take measures to create a framework of trust for secure encryption, in particular by improving the verifiability of the security functions of encryption products and recommending the use of tested products.

    3. For reasons of the security of state, economy and society, the Federal Government considers the ability of German manufacturers to develop and produce secure and powerful encryption products to be indispensable. It will take measures to strengthen the international competitiveness of this sector.

  • Trend: full disclosure

    4. The spread of strong encryption methods must not erode the legal powers of the law enforcement and security authorities to intercept telecommunications. The responsible federal ministries will therefore continue to observe developments attentively and will report on them after two years. Independently of this, the Federal Government is working, within the scope of its possibilities, to improve the technical competence of the law enforcement and security authorities.

    5. The Federal Government attaches great importance to international cooperation in the field of encryption policy. It advocates open standards developed in the market and interoperable systems, and will work to strengthen multilateral and bilateral cooperation.

    Trend: full disclosure

    05.10.1999 There is a new trend in the reporting of security vulnerabilities these days. Many of the problems are being reported by companies that make products to detect these problems. While more people researching the security of products is a good thing, it is certainly having an effect on the free flow of security information. Sometimes this effect is to the detriment of the customers of the product that the flaw exists in.

    If a company makes a product that scans for security problems, they are going to want to add their newly discovered vulnerability to their list of things to scan for. They are probably, depending on the seriousness of the problem they have uncovered, going to want to make the advisory of the problem into a full scale press release that will hype their product. Usually the press release won't really tell you how to find the problem or how to solve it. You are going to need to download their product for that.

    When security problems exist on production servers accessible from the internet, time is critical. Every day that goes by is another day that the server is exposed. How many people know about the problem? Who is actively exploiting it? It is impossible to tell. Good ethical security practice is to tell the people affected quickly, especially if there are steps they can take to mitigate or eliminate the risk themselves.

    The L0pht recently found a problem with Microsoft's IIS 4.0 web server, the showcode problem. It allowed web users to read any file on the web server whose permissions were set to be world-readable. This turns out to be the case on many web servers that are not locked down properly. The L0pht was surprised at how widespread the problem was. Many high profile e-commerce servers were affected. Many, many corporate web servers were affected.

  • ...full disclosure

    The research of the problem, which took less than a day, came up with a simple solution. Delete the sample files which made the machine vulnerable. They don't need to be on production servers anyway. We crafted an advisory and gave out the solution.

    When we reported this to Microsoft they said that they had known about the problem for "several weeks". They had been notified by WebTrends about the problem, were researching it, and would issue a Security Bulletin. It didn't seem to be so complicated an issue that it would take several weeks to research. And the fix was simple. Just delete the files. No need to download a hotfix or even tweak the registry. What was taking so long?

    The L0pht released the showcode advisory to Bugtraq, computer industry reporters, and Microsoft on May 7, 1999, 9:30am EST. Later that day, approximately 1:40 pm EST, WebTrends released a press release about the same problem. It spoke of how WebTrends had discovered the problem. The WebTrends press release didn't tell how to detect the problem and had no solution to the problem, two things that were present in the L0pht advisory. It seemed that you had to download and run their product if you wanted this information.

    It makes one wonder if the press release was put out at that particular time because the L0pht had informed the public about the problem first. It makes one wonder why Microsoft kept this problem and easy solution to themselves for several weeks.

    Many crackers keep security vulnerabilities secret so that they can exploit them without worrying about vendor patches or fixes by system administrators. This is looked down upon highly by the security community as totally unethical. Why keep the vulnerabilities secret unless you are going to exploit them, or perhaps trade them for something?

    Now we have software vendors keeping things secret. At least secret for a substantial period of time. Is this the way we want the industry to behave?

    This is why full disclosure mailing lists such as Bugtraq and web sites such as Packet Storm Security are so important. They allow customers to get vulnerability reports, and hopefully fixes, in a timely manner. There is no centralized clearinghouse such as the software vendor or some government agency to slow things up for their own ends.

    Vulnerability information is extremely valuable both to attackers and customers. Companies and organizations that release this information openly and as soon as possible are doing the security community a service. Those who choose to use the information for their own purposes first put customers at risk.

  • Die Datenschleuder #67, Summer 1999

    Design Principles for Tamper-Resistant Smartcard Processors

    Oliver Kömmerling, Advanced Digital Security Research, Mühlstraße 7, 66484 Riedelberg, Germany, [email protected]

    Markus G. Kuhn, University of Cambridge, Computer Laboratory, Pembroke Street, Cambridge CB2 3QG, United Kingdom, [email protected]

    Abstract

    We describe techniques for extracting protected software and data from smartcard processors. This includes manual microprobing, laser cutting, focused ion-beam manipulation, glitch attacks, and power analysis. Many of these methods have already been used to compromise widely-fielded conditional-access systems, and current smartcards offer little protection against them. We give examples of low-cost protection concepts that make such attacks considerably more difficult.

    1 Introduction

    Smartcard piracy has become a common occurrence. Since around 1994, almost every type of smartcard processor used in European, and later also American and Asian, pay-TV conditional-access systems has been successfully reverse engineered. Compromised secrets have been sold in the form of illicit clone cards that decrypt TV channels without revenue for the broadcaster. The industry has had to update the security processor technology several times already and the race is far from over.

    Smartcards promise numerous security benefits. They can participate in cryptographic protocols, and unlike magnetic stripe cards, the stored data can be protected against unauthorized access. However, the strength of this protection seems to be frequently overestimated.

    In Section 2, we give a brief overview on the most important hardware techniques for breaking into smartcards. We aim to help software engineers without a background in modern VLSI test techniques in getting a realistic impression of how physical tampering works and what it costs. Based on our observations of what makes these attacks particularly easy, in Section 3 we discuss various ideas for countermeasures. Some of these we believe to be new, while others have already been implemented in products but are either not widely used or have design flaws that have allowed us to circumvent them.

    2 Tampering Techniques

    We can distinguish four major attack categories:

    • Microprobing techniques can be used to access the chip surface directly, thus we can observe, manipulate, and interfere with the integrated circuit.

    • Software attacks use the normal communication interface of the processor and exploit security vulnerabilities found in the protocols, cryptographic algorithms, or their implementation.

    • Eavesdropping techniques monitor, with high time resolution, the analog characteristics of all supply and interface connections and any other electromagnetic radiation produced by the processor during normal operation.

    • Fault generation techniques use abnormal environmental conditions to generate malfunctions in the processor that provide additional access.

    All microprobing techniques are invasive attacks. They require hours or weeks in a specialized laboratory and in the process they destroy the packaging. The other three are non-invasive attacks. After we have prepared such an attack for a specific processor type and software version, we can usually reproduce it within seconds on another card of the same type. The attacked card is not physically harmed and the equipment used in the attack can usually be disguised as a normal smartcard reader.

    Non-invasive attacks are particularly dangerous in some applications for two reasons. Firstly, the owner of the compromised card might not notice that the secret keys have been stolen, therefore it is unlikely that the validity of the compromised keys will be revoked before they are abused. Secondly, non-invasive attacks often scale well, as the necessary equipment (e.g., a small DSP board with special software) can usually be reproduced and updated at low cost.

    USENIX Workshop on Smartcard Technology, Chicago, Illinois, USA, May 10-11, 1999.

    The design of most non-invasive attacks requires detailed knowledge of both the processor and software. On the other hand, invasive microprobing attacks require very little initial knowledge and usually work with a similar set of techniques on a wide range of products. Attacks therefore often start with invasive reverse engineering, the results of which then help to develop cheaper and faster non-invasive attacks. We have seen this pattern numerous times on the conditional-access piracy market.

    Non-invasive attacks are of particular concern in applications where the security processor is primarily required to provide tamper evidence, while invasive attacks violate the tamper-resistance characteristics of a card [1]. Tamper evidence is of primary concern in applications such as banking and digital signatures, where the validity of keys can easily be revoked and where the owner of the card has already all the access that the keys provide anyway. Tamper resistance is of importance in applications such as copyright enforcement, intellectual property protection, and some electronic cash schemes, where the security of an entire system collapses as soon as a few cards are compromised.

    To understand better which countermeasures are of practical value, we first of all have to understand the techniques that pirates have used so far to break practically all major smartcard processors on the market. In the next section, we give a short guided tour through a typical laboratory of a smartcard pirate.

    2.1 Invasive Attacks

    2.1.1 Depackaging of Smartcards

    Invasive attacks start with the removal of the chip package. We heat the card plastic until it becomes flexible. This softens the glue and the chip module can then be removed easily by bending the card. We cover the chip module with 20–50 ml of fuming nitric acid heated to around 60 °C and wait for the black epoxy resin that encapsulates the silicon die to completely dissolve (Fig. 1). The procedure should preferably be carried out under very dry conditions, as the presence of water could corrode exposed aluminium interconnects. The chip is then washed with acetone in an ultrasonic bath, followed optionally by a short bath in deionized water and isopropanol. We remove the remaining bonding wires with tweezers, glue the die into a test package, and bond its pads manually to the pins (Fig. 2). Detailed descriptions of these and other preparation techniques are given in [2, 3].

    Figure 1: Hot fuming nitric acid (> 98% HNO3) dissolves the package without affecting the chip.

    Figure 2: The depackaged smartcard processor is glued into a test package, whose pins are then connected to the contact pads of the chip with fine aluminium wires in a manual bonding machine.

    2.1.2 Layout Reconstruction

    The next step in an invasive attack on a new processor is to create a map of it. We use an optical microscope with a CCD camera to produce several meter large mosaics of high-resolution photographs of the chip surface. Basic architectural structures, such as data and address bus lines, can be identified quite quickly by studying connectivity patterns and by tracing metal lines that cross clearly visible module boundaries (ROM, RAM, EEPROM, ALU, instruction decoder, etc.). All processing modules are usually connected to the main bus via easily recognizable latches and bus drivers. The attacker obviously has to be well familiar with CMOS VLSI design techniques and microcontroller architectures, but the necessary knowledge is easily available from numerous textbooks [4, 5, 6, 7].

    Figure 3: Left: CMOS AND gate imaged by a confocal microscope. Right: same gate after removal of metal layer (HF wet etching). Polysilicon interconnects and diffusion areas are now fully visible.

    Photographs of the chip surface show the top metal layer, which is not transparent and therefore obscures the view on many structures below. Unless the oxide layers have been planarized, lower layers can still be recognized through the height variations that they cause in the covering layers. Deeper layers can only be recognized in a second series of photographs after the metal layers have been stripped off, which we achieve by submerging the chip for a few seconds in hydrofluoric acid (HF) in an ultrasonic bath [2]. HF quickly dissolves the silicon oxide around the metal tracks and detaches them from the chip surface. HF is an extremely dangerous substance and safety precautions have to be followed carefully when handling it.

    Figure 3 demonstrates an optical layout reconstruction of a NAND gate followed by an inverter. These images were taken with a confocal microscope (Zeiss Axiotron-2 CSM), which assigns different colors to different focal planes (e.g., metal=blue, polysilicon=green) and thus preserves depth information [8]. Multilayer images like those shown in Fig. 3 can be read with some experience almost as easily as circuit diagrams. These photographs help us in understanding those parts of the circuitry that are relevant for the planned attack.

    If the processor has a commonly accessible standard architecture, then we have to reconstruct the layout only until we have identified those bus lines and functional modules that we have to manipulate to access all memory values. More recently, designers of conditional-access smartcards have started to add proprietary cryptographic hardware functions that forced the attackers to reconstruct more complex circuitry involving several thousand transistors before the system was fully compromised. However, the use of standard-cell ASIC designs allows us to easily identify logic gates from their diffusion area layout, which makes the task significantly easier than the reconstruction of a transistor-level netlist.

    Figure 4: The vias in this structure found in a ST16F48A form a permutation matrix between the memory readout column lines and the 16:1 demultiplexer. The applied mapping remains clearly visible.

    Some manufacturers use non-standard instruction sets and bus-scrambling techniques in their security processors. In this case, the entire path from the EEPROM memory cells to the instruction decoder and ALU has to be examined carefully before a successful disassembly of extracted machine code becomes possible. However, the attempts of bus scrambling that we encountered so far in smartcard processors were mostly only simple permutations of lines that can be spotted easily (Fig. 4).

    Any good microscope can be used in optical VLSI layout reconstruction, but confocal microscopes have a number of properties that make them particularly suited for this task. While normal microscopes produce a blurred image of any plane that is out of focus, in confocal scanning optical microscopes, everything outside the focal plane just becomes dark [8]. Confocal microscopes also provide better resolution and contrast. A chromatic lens in the system can make the location of the focal plane wavelength dependent, such that under white light different layers of the chip will appear simultaneously, but in different colors.

    Figure 5: The data of this NOR ROM becomes clearly visible when the covering metal and polysilicon access lines plus the surrounding field oxide have been removed (HF wet etching). The image shows 16×10 bits in an ST16xyz. Every bit is represented by either a present or missing diffusion layer connection.

    Automatic layout reconstruction has been demonstrated with scanning electron microscopy [9]. We consider confocal microscopy to be an attractive alternative, because we do not need a vacuum environment, the depth information is preserved, and the option of oil immersion allows the hiding of unevenly removed oxide layers. With UV microscopy, even chip structures down to 0.1 µm can be resolved.

    With semiautomatic image-processing methods, significant portions of a processor can be reverse engineered within a few days. The resulting polygon data can then be used to automatically generate transistor and gate-level netlists for circuit simulations.

    Optical reconstruction techniques can also be used to read ROM directly. The ROM bit pattern is stored in the diffusion layer, which leaves hardly any optical indication of the data on the chip surface. We have to remove all covering layers using HF wet etching, after which we can easily recognize the rims of the diffusion regions that reveal the stored bit pattern (Fig. 5).

    Some ROM technologies store bits not in the shape of the active area but by modifying transistor threshold voltages. In this case, additional dopant-selective staining techniques have to be applied to make the bits visible (Fig. 6). Together with an understanding of the (sometimes slightly scrambled, see Fig. 4) memory-cell addressing, we obtain disassembler listings of the entire ROM content. Again, automated processing techniques can be used to extract the data from photos, but we also know cases where an enthusiastic smartcard hacker has reconstructed several kilobytes of ROM manually.

    Figure 6: The implant-mask layout of a NAND ROM can be made visible by a dopant-selective crystallographic etch (Dash etchant [2]). This image shows 16 × 14 bits plus parts of the row selector of a ROM found on an MC68HC05SC2x CPU. The threshold voltage of 0-bit p-channel transistors (stained dark here) was brought below 0 V through ion implantation.

    While the ROM usually does not contain any cryptographic key material, it does often contain enough I/O, access control, and cryptographic routines to be of use in the design of a non-invasive attack.

    2.1.3 Manual Microprobing

    The most important tool for invasive attacks is a microprobing workstation. Its major component is a special optical microscope (e.g., Mitutoyo FS-60) with a working distance of at least 8 mm between the chip surface and the objective lens. On a stable platform around a socket for the test package, we install several micropositioners (e.g., from Karl Suss, Micromanipulator, or Wentworth Labs), which allow us to move a probe arm with submicrometer precision over a chip surface. On this arm, we install a “cat whisker” probe (e.g., Picoprobe T-4-10). This is a metal shaft that holds a 10 µm diameter and 5 mm long tungsten-hair, which has been sharpened at the end into a < 0.1 µm tip. These elastic probe hairs allow us to establish electrical contact with on-chip bus lines without damaging them. We connect them via an amplifier to a digital signal processor card that records or overrides processor signals and also provides the power, clock, reset, and I/O signals needed to operate the processor via the pins of the test package.

    On the depackaged chip, the top-layer aluminium interconnect lines are still covered by a passivation layer (usually silicon oxide or nitride), which protects the chip from the environment and ion migration. On top of this, we might also find a polyimide layer that was not entirely removed by HNO3 but which can be dissolved with ethylenediamine. We have to remove the passivation layer before the probes can establish contact. The most convenient depassivation technique is the use of a laser cutter (e.g., from New Wave Research).

    Figure 7: This image shows 9 horizontal bus lines on a depackaged smartcard processor. A UV laser (355 nm, 5 ns) was used to remove small patches of the passivation layer over the eight data-bus lines to provide for microprobing access.

    The UV or green laser is mounted on the camera port of the microscope and fires laser pulses through the microscope onto rectangular areas of the chip with micrometer precision. Carefully dosed laser flashes remove patches of the passivation layer. The resulting hole in the passivation layer can be made so small that only a single bus line is exposed (Fig. 7). This prevents accidental contacts with neighbouring lines and the hole also stabilizes the position of the probe and makes it less sensitive to vibrations and temperature changes.

    Complete microprobing workstations cost tens of thousands of dollars, with the more luxurious versions reaching over a hundred thousand US$. The cost of a new laser cutter is roughly in the same region.

    Low-budget attackers are likely to get a cheaper solution on the second-hand market for semiconductor test equipment. With patience and skill it should not be too difficult to assemble all the required tools for even under ten thousand US$ by buying a second-hand microscope and using self-designed micropositioners. The laser is not essential for first results, because vibrations in the probing needle can also be used to break holes into the passivation.

    2.1.4 Memory Read-out Techniques

    It is usually not practical to read the information stored on a security processor directly out of each single memory cell, except for ROM. The stored data has to be accessed via the memory bus where all data is available at a single location. Microprobing is used to observe the entire bus and record the values in memory as they are accessed.

    It is difficult to observe all (usually over 20) data and address bus lines at the same time. Various techniques can be used to get around this problem. For instance we can repeat the same transaction many times and use only two to four probes to observe various subsets of the bus lines. As long as the processor performs the same sequence of memory accesses each time, we can combine the recorded bus subset signals into a complete bus trace. Overlapping bus lines in the various recordings help us to synchronize them before they are combined.

    In applications such as pay-TV, attackers can easily replay some authentic protocol exchange with the card during a microprobing examination. These applications cannot implement strong replay protections in their protocols, because the transaction counters required to do this would cause an NVRAM write access per transaction. Some conditional-access cards have to perform over a thousand protocol exchanges per hour and EEPROM technology allows only 10⁴–10⁶ write cycles during the lifetime of a storage cell. An NVRAM transaction counter would damage the memory cells, and a RAM counter can be reset by the attacker easily by removing power. Newer memory technologies such as FERAM allow over 10⁹ write cycles, which should solve this problem.

    Just replaying transactions might not suffice to make the processor access all critical memory locations. For instance, some banking cards read critical keys from memory only after authenticating that they are indeed talking to an ATM. Pay-TV card designers have started to implement many different encryption keys and variations of encryption algorithms in every card, and they switch between these every few weeks. The memory locations of algorithm and key variations are not accessed by the processor before these variations have been activated by a signed message from the broadcaster, so that passive monitoring of bus lines will not reveal these secrets to an attacker early.

    Sometimes, hostile bus observers are lucky and encounter a card where the programmer believed that by calculating and verifying some memory checksum after every reset the tamper-resistance could somehow be increased. This gives the attacker of course easy immediate access to all memory locations on the bus and simplifies completing the read-out operation considerably. Surprisingly, such memory integrity checks were even suggested in the smartcard security literature [10], in order to defeat a proposed memory rewrite attack technique [11]. This demonstrates the importance of training the designers of security processors and applications in performing a wide range of attacks before they start to design countermeasures. Otherwise, measures against one attack can far too easily backfire and simplify other approaches in unexpected ways.

    In order to read out all memory cells without the help of the card software, we have to abuse a CPU component as an address counter to access all memory cells for us. The program counter is already incremented automatically during every instruction cycle and used to read the next address, which makes it perfectly suited to serve us as an address sequence generator [12]. We only have to prevent the processor from executing jump, call, or return instructions, which would disturb the program counter in its normal read sequence. Tiny modifications of the instruction decoder or program counter circuit, which can easily be performed by opening the right metal interconnect with a laser, often have the desired effect.

    2.1.5 Particle Beam Techniques

    Most currently available smartcard processors have feature sizes of 0.5–1 µm and only two metal layers. These can be reverse-engineered and observed with the manual and optical techniques described in the previous sections. For future card generations with more metal layers and features below the wavelength of visible light, more expensive tools additionally might have to be used.

    A focused ion beam (FIB) workstation consists of a vacuum chamber with a particle gun, comparable to a scanning electron microscope (SEM). Gallium ions are accelerated and focused from a liquid metal cathode with 30 kV into a beam of down to 5–10 nm diameter, with beam currents ranging from 1 pA to 10 nA. FIBs can image samples from secondary particles similar to a SEM with down to 5 nm resolution. By increasing the beam current, chip material can be removed with the same resolution at a rate of around 0.25 µm³ nA⁻¹ s⁻¹ [13]. Better etch rates can be achieved by injecting a gas like iodine via a needle that is brought to within a few hundred micrometers from the beam target. Gas molecules settle down on the chip surface and react with removed material to form a volatile compound that can be pumped away and is not redeposited. Using this gas-assisted etch technique, holes that are up to 12 times deeper than wide can be created at arbitrary angles to get access to deep metal layers without damaging nearby structures. By injecting a platinum-based organometallic gas that is broken down on the chip surface by the ion beam, platinum can be deposited to establish new contacts. With other gas chemistries, even insulators can be deposited to establish surface contacts to deep metal without contacting any covering layers.

    Using laser interferometer stages, a FIB operator can navigate blindly on a chip surface with 0.15 µm precision, even if the chip has been planarized and has no recognizable surface structures. Chips can also be polished from the back side down to a thickness of just a few tens of micrometers. Using laser-interferometer navigation or infrared laser imaging, it is then possible to locate individual transistors and contact them through the silicon substrate by FIB editing a suitable hole. This rear-access technique has probably not yet been used by pirates so far, but the technique is about to become much more commonly available and therefore has to be taken into account by designers of new security chips.

    FIBs are used by attackers today primarily to simplify manual probing of deep metal and polysilicon lines. A hole is drilled to the signal line of interest, filled with platinum to bring the signal to the surface, where a several micrometer large probing pad or cross is created to allow easy access (Fig. 11). Modern FIB workstations (for example the FIB 200xP from FEI) cost less than half a million US$ and are available in over hundred organizations. Processing time can be rented from numerous companies all over the world for a few hundred dollars per hour.

    Another useful particle beam tool are electron-beam testers (EBT) [14]. These are SEMs with a voltage-contrast function. Typical acceleration voltages and beam currents for the primary electrons are 2.5 kV and 5 nA. The number and energy of secondary electrons are an indication of the local electric field on the chip surface and signal lines can be observed with submicrometer resolution. The signal generated during e-beam testing is essentially the low-pass filtered product of the beam current multiplied with a function of the signal voltage, plus noise. EBTs can measure waveforms with a bandwidth of several gigahertz, but only with periodic signals where stroboscopic techniques and periodic averaging can be used. If we use real-time voltage-contrast mode, where the beam is continuously directed to a single spot and the blurred and noisy stream of secondary electrons is recorded, then the signal bandwidth is limited to a few megahertz [14]. While such a bandwidth might just be sufficient for observing a single signal line in a 3.5 MHz smartcard, it is too low to observe an entire bus with a sample frequency of several megahertz for each line.

    EBTs are very convenient attack tools if the clock frequency of the observed processor can be reduced below 100 kHz to allow real-time recording of all bus lines or if the processor can be forced to generate periodic signals by continuously repeating the same transaction during the measurement.

    2.2 Non-invasive Attacks

    A processor is essentially a set of a few hundred flipflops (registers, latches, and SRAM cells) that define its current state, plus combinatorial logic that calculates from the current state the next state during every clock cycle. Many analog effects in such a system can be used in non-invasive attacks. Some examples are:

    • Every transistor and interconnection have a capacitance and resistance that, together with factors such as the temperature and supply voltage, determine the signal propagation delays. Due to production process fluctuations, these values can vary significantly within a single chip and between chips of the same type.

    • A flipflop samples its input during a short time interval and compares it with a threshold voltage derived from its power supply voltage. The time of this sampling interval is fixed relative to the clock edge, but can vary between individual flipflops.

    • The flipflops can accept the correct new state only after the outputs of the combinatorial logic have stabilized on the prior state.

    • During every change in a CMOS gate, both the p- and n-transistors are open for a short time, creating a brief short circuit of the power supply lines [15]. Without a change, the supply current remains extremely small.

    • Power supply current is also needed to charge or discharge the load capacitances when an output changes.

    • A normal flipflop consists of two inverters and two transmission gates (8 transistors). SRAM cells use only two inverters and two transistors to ground one of the outputs during a write operation. This saves some space but causes a significant short-circuit during every change of a bit.

    There are numerous other effects. During careful security reviews of processor designs it is often necessary to perform detailed analog simulations and tests and it is not sufficient to just study a digital abstraction.

    Smartcard processors are particularly vulnerable to non-invasive attacks, because the attacker has full control over the power and clock supply lines. Larger security modules can be equipped with backup batteries, electromagnetic shielding, low-pass filters, and autonomous clock signal generators to reduce many of the risks to which smartcard processors are particularly exposed.

    2.2.1 Glitch Attacks

    In a glitch attack, we deliberately generate a malfunction that causes one or more flipflops to adopt the wrong state. The aim is usually to replace a single critical machine instruction with an almost arbitrary other one. Glitches can also aim to corrupt data values as they are transferred between registers and memory. Of the many fault-induction attack techniques on smartcards that have been discussed in the recent literature [11, 12, 16, 17, 18], it has been our experience that glitch attacks are the ones most useful in practical attacks.

    We are currently aware of three techniques for creating fairly reliable malfunctions that affect only a very small number of machine cycles in smartcard processors: clock signal transients, power supply transients, and external electrical field transients.

    Particularly interesting instructions that an attacker might want to replace with glitches are conditional jumps or the test instructions preceding them. They create a window of vulnerability in the processing stages of many security applications that often allows us to bypass sophisticated cryptographic barriers by simply preventing the execution of the code that detects that an authentication attempt was unsuccessful. Instruction glitches can also be used to extend the runtime of loops, for instance in serial port output routines to see more of the memory after the output buffer [12], or also to reduce the runtime of loops, for instance to transform an iterated cipher function into an easy to break single-round variant [11].

    Clock-signal glitches are currently the simplest and most practical ones. They temporarily increase the clock frequency for one or more half cycles, such that some flipflops sample their input before the new state has reached them. Although many manufacturers claim to implement high-frequency detectors in their clock-signal processing logic, these circuits are often only simple-minded filters that do not detect single too short half-cycles. They can be circumvented by carefully selecting the duty cycles of the clock signal during the glitch.

    In some designs, a clock-frequency sensor that is perfectly secure under normal operating voltage ignores clock glitches if they coincide with a carefully designed power fluctuation. We have identified clock and power waveform combinations for some widely used processors that reliably increment the program counter by one without altering any other processor state. An arbitrary subsequence of the instructions found in the card can be executed by the attacker this way, which leaves very little opportunity for the program designer to implement effective countermeasures in software alone.

    Power fluctuations can shift the threshold voltages of gate inputs and anti-tampering sensors relative to the unchanged potential of connected capacitances, especially if this occurs close to the sampling time of the flipflops. Smartcard chips do not provide much space for large buffer capacitors, and voltage threshold sensors often do not react to very fast transients.

    In a potential alternative glitch technique that we have yet to explore fully, we place two metal needles on the card surface, only a few hundred micrometers away from the processor. We then apply spikes of a few hundred volts for less than a microsecond on these needles to generate electrical fields in the silicon substrate of sufficient strength to temporarily shift the threshold voltages of nearby transistors.

    2.2.2 Current Analysis

    Using a 10–15 Ω resistor in the power supply, we can measure with an analog/digital converter the fluctuations in the current consumed by the card. Preferably, the recording should be made with at least 12-bit resolution and the sampling frequency should be an integer multiple of the card clock frequency.

    Drivers on the address and data bus often consist of up to a dozen parallel inverters per bit, each driving a large capacitive load. They cause a significant power-supply short circuit during any transition. Changing a single bus line from 0 to 1 or vice versa can contribute in the order of 0.5–1 mA to the total current at the right time after the clock edge, such that a 12-bit ADC is sufficient to estimate the number of bus bits that change at a time. SRAM write operations often generate the strongest signals. By averaging the current measurements of many repeated identical transactions, we can even identify smaller signals that are not transmitted over the bus. Signals such as carry bit states are of special interest, because many cryptographic key scheduling algorithms use shift operations that single out individual key bits in the carry flag. Even if the status-bit changes cannot be measured directly, they often cause changes in the instruction sequencer or microcode execution, which then cause a clear change in the power consumption.

    The various instructions cause different levels of activity in the instruction decoder and arithmetic units and can often be quite clearly distinguished, such that parts of algorithms can be reconstructed. Various units of the processor have their switching transients at different times relative to the clock edges and can be separated in high-frequency measurements.

    3 Countermeasures

    3.1 Randomized Clock Signal

    Many non-invasive techniques require the attacker to predict the time at which a certain instruction is executed. A strictly deterministic processor that executes the same instruction c clock cycles after each reset—if provided with the same input at every cycle—makes this easy. Predictable processor behaviour also simplifies the use of protocol reaction times as a covert channel.

    The obvious countermeasure is to insert random-time delays between any observable reaction and critical operations that might be subject to an attack. If the serial port were the only observable channel, then a few random delay routine calls controlled by a hardware noise source would seem sufficient. However, since attackers can use cross-correlation techniques to determine in real-time from the current fluctuations the currently executed instruction sequence, almost every instruction becomes an observable reaction, and a few localized delays will not suffice.

    We therefore strongly recommend introducing timing randomness at the clock-cycle level. A random bit-sequence generator that is operated with the external clock signal should be used to generate an internal clock signal. This will effectively reduce the clock frequency by a factor of four, but most smartcards anyway reduce internally the 3.5 MHz provided for contact cards and the 13 MHz provided for contact-less cards.

    Hardware random bit generators (usually the amplified thermal noise of transistors) are not always good at producing uniform output statistics at high bit rates, therefore their output should be smoothed with an additional simple pseudo-random bit generator.

    The probability that n clock cycles have been executed by a card with a randomized clock signal after c clock cycles have been applied can be described as a binomial distribution:

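    $$p(n, c) = 2^{-c}\left[\binom{c}{2n} + \binom{c}{2n+1}\right] \approx \sqrt{\frac{8}{\pi c}} \cdot e^{-\frac{8}{c}\left(n - \frac{c}{4}\right)^2} \quad \text{as } c \to \infty$$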

    So for instance after we have sent 1000 clock cycles to the smartcard, we can be fairly sure (probability > $1 - 10^{-9}$) that between 200 and 300 of them have been executed. This distribution can be used to verify that safety margins for timing-critical algorithms—such as the timely delivery of a pay-TV control word—are met with sufficiently high probability.
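    The margin check described above, as an added example that is not code from the paper. It evaluates the distribution exactly with rational arithmetic, compares it with the Gaussian approximation, and goes one step further by searching for the number of external cycles to budget for a routine that needs a given number of internal cycles. The function names, the reading of the formula as n = floor(k/2) and the 250-cycle requirement are assumptions of this example.

```python
"""Timing margins under a randomized clock: exact p(n, c) and a budget check.

Added example. Reading of the formula assumed here: each external clock cycle
draws one fair random bit and n = floor(k / 2), where k is the number of 1-bits
among c draws, which gives a mean of c/4 executed cycles.
"""
from fractions import Fraction
from math import comb, exp, pi, sqrt


def p_exact(n, c):
    """p(n, c) = 2^-c * [C(c, 2n) + C(c, 2n+1)] as an exact rational."""
    if n < 0:
        return Fraction(0)
    return Fraction(comb(c, 2 * n) + comb(c, 2 * n + 1), 2 ** c)


def p_gauss(n, c):
    """Large-c approximation sqrt(8/(pi c)) * exp(-(8/c) (n - c/4)^2)."""
    return sqrt(8 / (pi * c)) * exp(-(8 / c) * (n - c / 4) ** 2)


def prob_outside(lo, hi, c):
    """Probability that the executed-cycle count n lies outside [lo, hi]."""
    # n in [lo, hi] is the same event as k in [2*lo, 2*hi + 1]
    inside = sum(comb(c, k) for k in range(max(0, 2 * lo), min(c, 2 * hi + 1) + 1))
    return 1 - Fraction(inside, 2 ** c)


def prob_too_few(needed, c):
    """Probability that fewer than `needed` internal cycles ran in c external ones."""
    short = sum(comb(c, k) for k in range(min(c + 1, 2 * needed)))
    return Fraction(short, 2 ** c)


def min_external_cycles(needed, max_failure):
    """Smallest c with P(n < needed) <= max_failure (the tail shrinks as c grows)."""
    if needed <= 0:
        return 0
    hi = 2 * needed
    while prob_too_few(needed, hi) > max_failure:
        hi *= 2
    lo = 0                                  # c = 0 can never deliver needed > 0
    while hi - lo > 1:                      # binary search on the monotone tail
        mid = (lo + hi) // 2
        if prob_too_few(needed, mid) > max_failure:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    c = 1000
    print("P(n outside 200..300 | c=1000) =", float(prob_outside(200, 300, c)))
    print("exact p(250, 1000) =", float(p_exact(250, c)), " gauss =", p_gauss(250, c))
    # Constructed requirement: a routine needing 250 internal cycles, failure <= 1e-9
    budget = min_external_cycles(250, Fraction(1, 10 ** 9))
    print("external cycles to budget for 250 internal cycles:", budget)
```

    The exact tail, not the Gaussian approximation, is the one to use for such a margin, because the approximation is least accurate far from the mean.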

    Only the clock signals of circuitry such as the serial port and timer need to be supplied directly with the external clock signal; all other processor parts can be driven from the randomized clock.

    A lack of switching transients during the inactive periods of the random clock could allow the attacker to reconstruct the internal clock signal from the consumed current. It is therefore essential that the processor shows a characteristic current activity even during the delay phases of the random clock. This can be accomplished by driving the bus with random values or by causing the microcode to perform a write access to an unused RAM location while the processor is inactive.

    3.2 Randomized Multithreading

    To introduce even more non-determinism into the execution of algorithms, it is conceivable to design a multithreaded processor architecture [19] that schedules the processor by hardware between two or more threads of execution randomly at a per-instruction level. Such a processor would have multiple copies of all registers (accumulator, program counter, instruction register, etc.), and the combinatorial logic would be used in a randomly alternating way to progress the execution state of the threads represented by these respective register sets.

    The simple 8-bit microcontrollers of smartcards do not feature pipelines and caches and the entire state is defined only by a very small number of registers that can relatively easily be duplicated. The only other necessary addition would be new machine instructions to fork off the other thread(s) and to synchronize and terminate them. Multithreaded applications could interleave some of the many independent cryptographic operations needed in security protocols. For the remaining time, the auxiliary threads could just perform random encryptions in order to generate a realistic current pattern during the delay periods of the main application.

    3.3 Robust Low-frequency Sensor

    Bus-observation by e-beam testing becomes much easier when the processor can be clocked with only a few kilohertz, and therefore a low-frequency alarm is commonly found on smartcard processors. However, simple high-pass or low-pass RC elements are not sufficient, because by carefully varying the duty cycle of the clock signal, we can often prevent the activation of such detectors. A good low-frequency sensor must trigger if no clock edge has been seen for longer than some specified time limit (e.g., 0.5 µs). In this case, the processor must not only be reset immediately, but all bus lines and registers also have to be grounded quickly, as otherwise the values on them would remain visible sufficiently long for a voltage-contrast scan.

    Even such carefully designed low-frequency detectors can quite easily be disabled by laser cutting or FIB editing the RC element. To prevent such simple tampering, we suggest that an intrinsic self-test be built into the detector. Any attempt to tamper with the sensor should result in the malfunction of the entire processor. We have designed such a circuit that tests the sensor during a required step in the normal reset sequence. External resets are not directly forwarded to the internal reset lines, but only cause an additional frequency divider to reduce the clock signal. This then activates the low-frequency detector, which then activates the internal reset lines, which finally deactivate the divider. The processor has now passed the sensor test and can start normal operation. The processor is designed such that it will not run after a power up without a proper internal reset. A large number of FIB edits would be necessary to make the processor operational without the frequency sensor being active.

    Other sensor defenses against invasive attacks should equally be embedded into the normal operation of the processor, or they will easily be circumvented by merely destroying their signal or power supply connections.

    3.4 Destruction of Test Circuitry

    Microcontroller production has a yield of typically around 95%, so each chip has to be thoroughly tested after production. Test engineers—like microprobing attackers—have to get full access to a complex circuit with a small number of probing needles. They add special test circuitry to each chip, which is usually a parallel/serial converter for direct access to many bus and control lines. This test logic is accessible via small probing pads or multiplexed via the normal I/O pads. On normal microcontrollers, the test circuitry remains fully intact after the test. In smartcard processors, it is common practice to blow polysilicon fuses that disable access to these test circuits (Fig. 8). However, attackers have been able to reconnect these with microprobes or FIB editing, and then simply used the test logic to dump the entire memory content.

    Figure 8: The interrupted white line at the bottom of the cavity in this FIB secondary-electron image is a blown polysilicon fuse next to a test pad (MC68HC05SC2x processor).

    Therefore, it is essential that any test circuitry is not only slightly disabled but structurally destroyed by the manufacturer. One approach is to place the test interface for chip n onto the area of chip n + 1 on the wafer, such that cutting the wafer into dies severs all its parallel connections. A wafer saw usually removes an 80–200 µm wide area that often only contains a few process control transistors. Locating essential parts of the test logic in these cut areas would eliminate any possibility that even substantial FIB edits could reactivate it.

    3.5 Restricted Program Counter

    Abusing the program counter as an address pattern generator significantly simplifies reading out the entire memory via microprobing or e-beam testing. Separate watchdog counters that reset the processor if no jump, call, or return instruction is executed for a number of cycles would either require many transistors or are too easily disabled.

    Instead, we recommend simply not providing a program counter that can run over the entire address space. A 16-bit program counter can easily be replaced with the combination of a say 7-bit offset counter O and a 16-bit segment register S, such that the accessed address is S + O. Instead of overflowing, the offset counter resets the processor after reaching its maximum value. Every jump, call, or return instruction writes the destination address into S and resets O to zero. The processor will now be completely unable to execute more than 127 bytes of machine code without a jump, and no simple FIB edit will change this. A simple machine-code post-processor must be used by the programmer to insert jumps to the next address wherever unconditional branches are more than 127 bytes apart.
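    One way to write such a post-processor, together with a small model of the S + O fetch rule that checks its output, added here as an example and not taken from the paper. The `Ins` record, the 3-byte `jmp` encoding, the generated `__cont` labels and the exact reset condition (a fetch at offset 127 resets) are assumptions of this example.

```python
"""Restricted program counter: segment register S plus 7-bit offset counter O.
Added example. Assumptions (not from the paper): a 3-byte unconditional jmp,
and a reset when a fetch at offset 127 is attempted, so a straight-line run
holds at most 127 bytes including the jump that closes it.
"""
from dataclasses import dataclass, replace

LIMIT = 127      # bytes fetchable at offsets 0..126 before O reaches its maximum
JMP_SIZE = 3     # assumed encoding: 1 opcode byte + 16-bit destination


@dataclass(frozen=True)
class Ins:
    name: str
    size: int                   # encoded length in bytes
    target: str = ""            # label operand, if any
    label: str = ""             # label defined at this instruction
    reloads_s: bool = False     # jmp/call/ret: S is rewritten, O returns to 0


def max_run(prog):
    """Longest byte run fetched without S being reloaded (branches not taken)."""
    worst = run = 0
    for ins in prog:
        run += ins.size
        worst = max(worst, run)
        run = 0 if ins.reloads_s else run
    return worst


def insert_jumps(prog):
    """Greedy pass: add 'jmp next' before a run would exceed LIMIT.
    Instructions are assumed to be far shorter than the offset window."""
    out, run, fresh = [], 0, 0
    for ins in prog:
        closes_run = ins.reloads_s and run + ins.size <= LIMIT
        if run + ins.size + JMP_SIZE > LIMIT and not closes_run:
            if not ins.label:               # the continuation needs a label
                ins = replace(ins, label=f"__cont{fresh}")
                fresh += 1
            out.append(Ins("jmp", JMP_SIZE, target=ins.label, reloads_s=True))
            run = 0
        out.append(ins)
        run = 0 if ins.reloads_s else run + ins.size
    return out


def assemble(prog):
    """Assign addresses after insertion; returns (label -> address, placed list)."""
    addr, labels, placed = 0, {}, []
    for ins in prog:
        if ins.label:
            labels[ins.label] = addr
        placed.append((addr, ins))
        addr += ins.size
    return labels, placed


def simulate(prog, max_steps=10_000):
    """Walk the code with S and O (jmp and ret only); 'reset', 'ret' or 'end'."""
    labels, placed = assemble(prog)
    index_of = {addr: i for i, (addr, _) in enumerate(placed)}
    i = o = 0
    for _ in range(max_steps):
        if i >= len(placed):
            return "end"
        ins = placed[i][1]
        if o + ins.size > LIMIT:
            return "reset"                  # the fetch would need offset 127
        o += ins.size                       # bytes are fetched from S + O
        if ins.name == "ret":
            return "ret"
        if ins.name == "jmp":               # a jump writes S and clears O
            i, o = index_of[labels[ins.target]], 0
        else:
            i += 1
    raise RuntimeError("step limit reached")


# Constructed sample: 100 two-byte operations followed by a one-byte return.
SAMPLE = [Ins("op", 2) for _ in range(100)] + [Ins("ret", 1, reloads_s=True)]

if __name__ == "__main__":
    for tag, prog in (("before", SAMPLE), ("after", insert_jumps(SAMPLE))):
        print(tag, max_run(prog), simulate(prog))
```

    Because inserted jumps shift every later address, the pass works on labels and resolves addresses only afterwards.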

    With the program counter now being unavailable, attackers will next try to increase the number of iterations in software loops that read data arrays from memory to get access to all bytes. This can for instance be achieved with a microprobe that performs a glitch attack directly on a bus-line. Programmers who want to use 16-bit counters in loops should keep this in mind.

    3.6 Top-layer Sensor Meshes

    Additional metallization layers that form a sensor mesh above the actual circuit and that do not carry any critical signals remain one of the more effective annoyances to microprobing attackers. They are found in a few smartcard CPUs such as the ST16SF48A or in some battery-buffered SRAM security processors such as the DS5002FPM and DS1954.

    A sensor mesh in which all paths are continuously monitored for interruptions and short-circuits while power is available prevents laser cutter or selective etching access to the bus lines. Mesh alarms should immediately trigger a countermeasure such as zeroizing the non-volatile memory. In addition, such meshes make the preparation of lower layers more difficult: because the etch progresses unevenly through them, their pattern remains visible in the layers below, and they therefore complicate automatic layout reconstruction. Finally, a mesh on top of a polished oxide layer hides lower layers, which makes navigation on the chip surface for probing and FIB editing more tedious.

    The implementations of sensor meshes in fielded products however show a number of quite surprising design flaws that significantly reduce the protection (Fig. 9 and 10). The most significant flaw is that a mesh breach will only set a flag in a status register and that zeroization of the memory is left completely to the application software. We noted in Section 2.1.4 that a common read-out technique involves severely disabling the instruction decoder, therefore software checks for invasive attacks are of little use.

    Figure 9: Escape route for imprisoned crypto bits: The ST16SF48A designers generously added this redundant extension of the data bus several micrometers beyond the protected mesh area, providing easy probing access.

    Figure 10: Every second line is connected to VCC or GND at one end and open at the other. Not all are used to supply lower layers and therefore some can safely be opened with a laser for probing access to the bus lines below.

    A well-designed mesh can make attacks by manual microprobing alone rather difficult, and more sophisticated FIB editing procedures will be required to bypass it. Several techniques can be applied here. The resolution of FIB drilling is much smaller than the mesh line spacings, therefore it is no problem to establish contact through three or more metal layers and make deeply buried signals accessible for microprobing via a platinum or tungsten pad on top of the passivation layer (Fig. 11). Alternatively, it is also possible to etch a larger window into the mesh and then reconnect the loose ends with FIB metal deposits around it.

    Figure 11: A FIB was used here to drill a fine hole to a bus line through the gap between two sensor mesh lines, refill it with metal, and place a metal cross on top for easy microprobing access.

    4 Conclusion

    We have presented a basis for understanding the mechanisms that make microcontrollers particularly easy to penetrate. With the restricted program counter, the randomized clock signal, and the tamper-resistant low-frequency sensor, we have shown some selected examples of low-cost countermeasures that we consider to be quite effective against a range of attacks.

    There are of course numerous other more obvious countermeasures against some of the commonly used attack techniques which we cannot cover in detail in this overview. Examples are current regulators and noisy loads against current analysis attacks and loosely coupled PLLs and edge barriers against clock glitch attacks. A combination of these together with e-field sensors and randomized clocks or perhaps even multithreading hardware in new processor designs will hopefully make high-speed non-invasive attacks considerably less likely to succeed. Other countermeasures in fielded processors such as light and depassivation sensors have turned out to be of little use as they can be easily bypassed.

    We currently see no really effective short-term protection against carefully planned invasive tampering involving focused ion-beam tools. Zeroization mechanisms for erasing secrets when tampering is detected require a continuous power supply that the credit-card form factor does not allow. The attacker can thus safely disable the zeroization mechanism before powering up the processor. Zeroization remains a highly effective tampering protection for larger security modules that can afford to store secrets in battery-backed SRAM (e.g., DS1954 or IBM 4758), but this is not yet feasible for the smartcard package.

    5 Acknowledgements

    The authors would like to thank Ross Anderson, Simon Moore, Steven Weingart, Matthias Brunner, Gareth Evans and others for useful and highly interesting discussions.

    References

    [1] FIPS PUB 140-1: Security Requirements for Cryptographic Modules. National Institute of Standards and Technology, U.S. Department of Commerce, 11 January 1994.

    [2] F. Beck: Integrated Circuit Failure Analysis – A Guide to Preparation Techniques. John Wiley & Sons, 1998.

    [3] T.W. Lee, S.V. Pabbisetty (eds.): Microelectronic Failure Analysis, Desk Reference. 3rd edition, ASM International, Ohio, 1993, ISBN 0-87170-479-X.

    [4] N.H.E. Weste, K. Eshraghian: Principles of CMOS VLSI Design. Addison-Wesley, 1993.

    [5] S.-M. Kang, Y. Leblebici: CMOS Digital Integrated Circuits: Analysis and Design. McGraw-Hill, 1996.

    [6] J. Carter: Microprocessor Architecture and Microprogramming – A State-Machine Approach. Prentice-Hall, 1996.

    [7] S.M. Sze: Semiconductor Devices – Physics and Technology. John Wiley & Sons, 1985.

    [8] T.R. Corle, G.S. Kino: Confocal Scanning Optical Microscopy and Related Imaging Systems. Academic Press, 1996.

    [9] S. Blythe, et al.: Layout Reconstruction of Complex Silicon Chips. IEEE Journal of Solid-State Circuits, 28(2):138–145, February 1993.

    [10] D.P. Maher: Fault Induction Attacks, Tamper Resistance, and Hostile Reverse Engineering in Perspective. In R. Hirschfeld (ed.): Financial Cryptography, FC ’97, Proceedings, LNCS 1318, pp. 109–121, Springer-Verlag, 1997.

    [11] R.J. Anderson, M.G. Kuhn: Low Cost Attacks on Tamper Resistant Devices. In M. Lomas, et al. (eds.), Security Protocols, 5th International Workshop, LNCS 1361, pp. 125–136, Springer-Verlag, 1997.

    [12] R.J. Anderson, M.G. Kuhn: Tamper Resistance — a Cautionary Note. In The Second USENIX Workshop on Electronic Commerce Proceedings, pp. 1–11, Oakland, California, 18–21 November 1996.

    [13] J.H. Daniel, D.F. Moore, J.F. Walker: Focused Ion Beams for Microfabrication. Engineering Science and Education Journal, pp. 53–56, April 1998.

    [14] H.P. Feuerbaum: Electron Beam Testing: Methods and Applications. Scanning, 5(1):14–24, 1982.

    [15] H.J.M. Veendrick: Short-Circuit Dissipation of Static CMOS Circuitry and Its Impact on the Design of Buffer Circuits. IEEE Journal of Solid-State Circuits, 19(4):468–473, August 1984.

    [16] D. Boneh, R.A. DeMillo, R.J. Lipton: On the Importance of Checking Cryptographic Protocols for Faults. In Advances in Cryptology – EUROCRYPT ’97, LNCS 1233, pp. 37–51, Springer-Verlag, 1997.

    [17] F. Bao, et al.: Breaking Public Key Cryptosystems on Tamper Resistant Devices in the Presence of Transient Faults. In M. Lomas, et al. (eds.), Security Protocols, 5th International Workshop, LNCS 1361, pp. 115–124, Springer-Verlag, 1997.

    [18] M. Joye, J.-J. Quisquater, F. Bao, R.H. Deng: RSA-type Signatures in the Presence of Transient Faults. In Cryptography and Coding, LNCS 1355, pp. 155–160, Springer-Verlag, 1997.

    [19] S.W. Moore: Multithreaded Processor Design. Kluwer Academic Publishers, 1996.


    Summary: Interception

    This is an editorially prepared summary of the current STOA report to the European Parliament on the current methods and techniques of telecommunications surveillance by intelligence services. The full report is available on the Internet in English; the URL is at the end of the article.

    I. Intelligence activities (communications intelligence = Comint) include, among other things, the covert interception of the communications of foreign states and have been practised by almost all nations for as long as international communication links have existed. Comint is carried out on a large, industrial scale and supplies its customers with information on diplomatic, economic and scientific developments. The capabilities and tasks of Comint are best described with the help of the intelligence cycle:

    1. Planning: The customers, among them ministries of the funding governments, define their requirements in the areas of defence, foreign affairs, trade and internal security.

    2. Collection: Modern systems forward the collected data automatically over global networks to the analysts; in most cases the selection of data also happens automatically and relies on large online databases that contain all targets of interest.

    3. Processing: The conversion, either automatic or human-controlled, of the collected data into a standard format that contains both their technical content and further information (e.g. the telephone numbers of the parties involved).

    4. Production and dissemination: Comint comprises the analysis, evaluation, translation and interpretation of the collected data into usable information, which is passed on to the customer. The data can be passed on in unprocessed (but decrypted and/or translated) form, as key points, commentaries or detailed reports. The quality and relevance of these reports lead to a refinement of the interception measures and topics and thereby close the intelligence cycle.

    Particular importance attaches here to the secret collection of trade data: for, so the argument goes, if those affected knew of the capabilities and extent of the interception measures, they would change their methods of disseminating information and thereby make further eavesdropping more difficult.

    II. Worldwide, approx. 15-20 quadrillion euros are spent annually on interception measures. The largest share is accounted for by the English-speaking nations of the UKUSA alliance. Telephone connections, undersea cables, the Internet, microwave radio relay traffic and satellite links are intercepted.


    Capabilities 2000

    III. The globally networked and largely automated interception system ECHELON, developed and operated by the NSA (National Security Agency), has since the 1970s been collecting data not only of a military but also, and increasingly, of a civilian nature. Although hardly anything is known about spy satellites launched after 1990, the system has been expanded. The most important ground stations are located at Buckley Field, Denver, Colorado; Pine Gap, Australia; Menwith Hill, England; and Bad Aibling, Bavaria. The upkeep of the satellites and of the facilities for processing their data amounts to about 1 billion US dollars each. No other nation in the world has satellite technology as advanced as that represented by the CANYON and RHYOLITE satellites and their successors. The USA has at least 120 of these satellites. To monitor data traffic, so-called "watch lists" were set up that contain the names of persons or organisations. While these were evaluated by hand until 1970, the sheer volume of intercepted data soon made automatic filtering necessary. Since the mid-1980s, computers have been used in the ground stations to automatically select and forward large volumes of data from various categories (names, topics of interest, addresses, telephone numbers, etc.). This kind of data search and evaluation can be compared to the search engines of the Internet. Since the introduction of the ECHELON system, however, practically all filtered-out information is passed directly to the NSA or other customers without the local stations or countries knowing what was intercepted or to whom it was forwarded.

    IV. Since the beginning of the 1990s the US government endeavoured to introduce a so-called key escrow system: non-governmental agencies were to receive copies of all user keys. The real aim of these efforts was probably to supply the NSA with these keys and thus to remain able to intercept private and commercial communications successfully. Between 1993 and 1998 the USA tried through diplomatic channels to win over the EU states and the OECD to its key escrow system; throughout these efforts it was continually claimed that the system served only to improve law enforcement by the state, in order to keep crime and organised crime under control. Since the negotiations were conducted almost exclusively by NSA staff, sometimes with members of the police or judiciary excluded entirely, it seems reasonable to assume that the above argument served only to conceal the true aims of US policy. Since 1993, representatives of many EU states and of the UKUSA states have met annually, outside the control of the European Parliament, in discussion forums to coordinate their interception measures. They come together under the auspices of a hitherto unknown organisation (ILETS = International Law Enforcement Telecommunications Seminar); the founding of ILETS was initiated by the FBI. The resolutions adopted by ILETS in June 1994 were essentially based on the requirements of a document previously drawn up by the FBI. Cryptography was mentioned only in connection with network security. Only in 1998 was cryptography taken into account on a larger scale. Presumably it was also in that year that the resolutions were extended to the Internet and to satellite communication systems such as Iridium; they also include additional security requirements for network operators and providers, and demand personal information about telephone subscribers as well as plans dealing with cryptography.

    Telecommunications surveillance in the year 2000

    V. Comint organisations are having to recognise that the technical difficulties of data collection are increasing and that intercepting international communications will become more expensive and more laborious in future. For the future it is important to evaluate these problems and to create a political basis aimed at protective measures for the economy and at effective cryptography.

    VI. Outlook: Since the mid-1990s, eavesdroppers have had increasing difficulty obtaining worldwide access to communications data. These problems will grow further, above all because high-capacity fibre-optic networks can be intercepted only by means of physical access. If these networks do not run within or pass through a collaborating state, interception is practically possible only by installing an optical repeater; a great many fibre-optic networks laid underground can therefore hardly be intercepted at all. The effort in technical equipment and energy needed for recording and further processing makes covert operations impractical and dangerous. Even where access is possible, interception activities are hampered by the rapid spread of new systems, partly for reasons of cost and partly because new systems (e.g. Iridium) cannot be reached with currently available techniques. The technical lead of the Comint organisations in computer technology has been used up over the past 15 years. They use standard systems that are technically equivalent or even inferior to those of leading industrial companies or scientific institutions. They are merely TEMPEST-shielded, that is, they emit no radio signals that could be intercepted. Comint organisations have had to recognise that their war against civilian and commercial cryptography is lost.

    /DS67/Counterintelligence

    More and more scientific and commercial organisations understand cryptography and cryptology. The Internet and the global market have made possible the free flow of information, systems and software. The NSA has not succeeded in pushing through key escrow or related systems with the hypocritical argument of fighting crime. In future, increasing reliance will probably be placed on human agents to collect codes; increased efforts directed at foreign computer systems are also to be expected, e.g. with the help of the Internet (in particular