stored — usually in the lowest address. It is astonishingly simple to open such
a chip (Anderson also describes this in [AndKuhn.tamp]; insiders have known it
for a long time) and to localize the corresponding bits. Reading the bits,
however, is not that simple.
But that's no problem. You can use simple means to set an EEPROM bit from
the outside. You won't need an expensive UV laser for it. Two micro needles
and an 18-V pulse over 10 ms will do and are much cheaper. Anderson suggests
the following method: Set the lowest key bit to 1. If the chip complains about
a parity error, the bit was 0; otherwise 1 was correct. Next, set the second
bit to 1. From the previous result and the parity status now reported, you get
this bit, and so on. Once the attacker has recovered the key in this way, he
can program another chip card with it and use that card to cause considerable
damage.
That's cryptanalysis at the lowest level, and it is independent of the encryption
method! You may reasonably assume that there are plenty of code cards out
there on which this attack works.
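The following Python model is an added illustration, not code from the book or from Anderson's papers. It shows why a key-parity self-check behaves as a one-bit oracle under the bit-setting procedure just described, and what a tamper-responsive design gains by erasing the key on the first integrity failure. The simulated device, its per-byte parity check, the test key 0123456789ABCDEF and the zeroizing variant are all constructed assumptions of this model, not details from the text.

```python
"""Model of the parity-check oracle (constructed example, not from the book)."""
from __future__ import annotations

from dataclasses import dataclass


def has_odd_parity(byte: int) -> bool:
    """DES convention: every key byte has an odd number of 1 bits."""
    return bin(byte & 0xFF).count("1") % 2 == 1


def with_odd_parity(byte: int) -> int:
    """Keep bits 7..1 (the seven key bits) and set bit 0 so the byte has odd parity."""
    body = byte & 0xFE
    return body | (0 if has_odd_parity(body) else 1)


def make_des_key(raw: bytes) -> bytes:
    """Turn 8 arbitrary bytes into a DES key with correct parity bits."""
    if len(raw) != 8:
        raise ValueError("a DES key has exactly 8 bytes")
    return bytes(with_odd_parity(b) for b in raw)


@dataclass
class KeyStore:
    """Simulated EEPROM key cells plus the device's parity self-check.

    zeroize_on_error=False models a device that only reports the error;
    zeroize_on_error=True models a tamper-responsive device that erases the
    key as soon as any integrity check fails (an assumed countermeasure).
    """
    cells: bytearray
    zeroize_on_error: bool
    wiped: bool = False

    def force_bit_to_one(self, byte_idx: int, bit: int) -> None:
        """The external write from the text: a cell can be set to 1 but not read."""
        self.cells[byte_idx] |= 1 << bit

    def parity_error(self, byte_idx: int) -> bool:
        """True when the device reports a parity error for this key byte."""
        if self.wiped:
            return True
        bad = not has_odd_parity(self.cells[byte_idx])
        if bad and self.zeroize_on_error:
            self.cells[:] = bytes(len(self.cells))
            self.wiped = True
        return bad


def probe_key_bits(store: KeyStore) -> dict[tuple[int, int], int]:
    """Apply the procedure from the text to every key bit (bits 7..1 of each byte).

    The error status toggles exactly when a forced write turned a 0 into a 1,
    so each probe yields one key bit.  Returns (byte, bit) -> recovered value
    for the bits learned before the key disappeared (if it did).
    """
    learned: dict[tuple[int, int], int] = {}
    for byte_idx in range(len(store.cells)):
        previous = store.parity_error(byte_idx)
        for bit in range(1, 8):
            if store.wiped:
                return learned
            store.force_bit_to_one(byte_idx, bit)
            current = store.parity_error(byte_idx)
            learned[(byte_idx, bit)] = 0 if current != previous else 1
            previous = current
    return learned


def score(learned: dict[tuple[int, int], int], true_key: bytes) -> tuple[int, int]:
    """(number of correctly recovered bits, number of bits recovered at all)."""
    correct = sum(1 for (i, b), v in learned.items() if (true_key[i] >> b) & 1 == v)
    return correct, len(learned)


def compare_designs(
    raw: bytes = bytes.fromhex("0123456789abcdef"),
) -> tuple[tuple[int, int], tuple[int, int]]:
    """Leakage from a report-only device versus a zeroizing device for the same key."""
    key = make_des_key(raw)  # constructed test key, not a real card's key
    report_only = KeyStore(bytearray(key), zeroize_on_error=False)
    zeroizing = KeyStore(bytearray(key), zeroize_on_error=True)
    return score(probe_key_bits(report_only), key), score(probe_key_bits(zeroizing), key)


if __name__ == "__main__":
    leaky, strict = compare_designs()
    print(f"report-only device: {leaky[0]} of 56 key bits recovered")
    print(f"zeroizing device:   {strict[0]} of 56 key bits recovered, then key erased")
```

The report-only device gives up all 56 key bits because each probe changes the parity status exactly when it flips a 0 to a 1. The zeroizing device yields only the bits up to and including the first 0 it meets, after which nothing is left to probe. Zeroization addresses this oracle; the memory burn-in discussed next is a separate problem, which is why Anderson's advice about supervision and destroying scrapped memory modules still applies.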
This attack is also of interest against bank computers. In his article [AndDES],
Anderson mentions a security module produced at the end of the 1980s that
held twelve DES keys in memory. Every few years, the internal battery had
to be replaced. As soon as a maintenance engineer opened the device, the power
was cut and the memory contents were erased. With a fresh battery in place,
the bank staff loaded the keys again, safely, as they thought.
However, memories (SRAMs and DRAMs) tend to 'burn in' bits after years.
This is analogous to a picture tube: if you display the same block of letters in
the same position over many months, the internal coating of the picture
tube changes at that place, and the letters remain faintly visible even when the
screen shows a uniform gray (that's the main reason why we use screen savers).
Similarly, a memory cell settles into an indeterminate ('gray') state when power
is applied, unless its content has been exactly the same over several years; in
that case this content is preferred. Combined with the parity check, this lets
an intruder attack even Triple-DES (Section 5.2.1) with its 112-bit key.
Anderson is not speculating here; he actually examined such a bank computer,
and he recommends that banks observe the following:
1. have your maintenance engineers supervised during their work; and
2. thoroughly destroy the memory modules when scrapping computers.