Scientists continue to strive to find ways to monitor and/or maintain the security level of a process, processor, coprocessor or processing element. It is recognized that heretofore, a computational device was considered to be secure if it was armored with physical packaging to prevent any access to the internal data and circuits, except via the official interface. The technology and effectiveness of this physical armor varies considerably. All secure devices, by definition, purport to have passive tamper-resistance. Some use more advanced techniques in order to also attempt to be tamper-responsive. A device is said to be tamper-responsive if it is provided with a means for actively detecting tamper or penetration, and has the capability of responding by zeroizing and/or erasing the sensitive data it contains before that data can be observed. An example of a low-end secure device is a simple smart card. The smart card offers limited computational ability and limited, passive physical security. An example of a high-end secure device is a cryptographic server adapter, with active tamper response.
Generally, applications that require secure devices depend on the physical security of these devices. If they did not, the additional expense of physical security would usually not be justifiable. Physical security is necessary if someone with potential direct access to the device might be motivated to attack it. Such potential adversaries include anyone with physical access. This includes personnel at the factory, along the shipping channel, at retailers and warehouses, and at the often overlooked user site.
For example, consider a simple electronic wallet. In this situation, cash is simply a value in a register in the coprocessor resident in the electronic wallet. If a user manages to run their wallet program on hardware which is susceptible to tampering by that user, then that user has effectively created a bottomless wallet. This compromises the security of the entire distributed application.
A bona fide, untampered secure device needs a method by which it can prove that it is untampered and in a state of continued integrity; this is herein referred to as an untampered state method. This method has some primary constraints and/or requirements. To begin with, the method needs to be computational, not physical. It is realized that a tampered device might look just like an untampered one. With current commercially viable physical security technology, physical inspection of a device does not suffice to determine if the device has been tampered with by an attacker with at least moderate skills. Without such an untampered state method, a tampered device can appear to carry out its application identically to an untampered one.
As used herein the term device includes a processor, a coprocessor, a processing element and/or a computational apparatus. The terms erase and/or zeroize as used herein represent any means of disabling the readability and/or retrieval of the secrets contained in the device. The terms integrity and untampered state are used interchangeably herein.
A useful untampered state assuredness method, or untampered state method, should employ a technology that provides physical security that also shields a device's internal data, programs, and circuits from any direct examination by the user. Otherwise, an adversary who is able to tamper with a device that performs cryptographic functions can modify the key generation algorithms. The tampered device then appears to work normally, while the adversary learns and makes use of each key.
In many applications, the program running on such an untamperable device needs to computationally build on this provable untampered state. For example, the electronic wallet program cited above must not only run on an untampered device, but also be able to convince remote agents that it is indeed running on such a device. Thus, the untampered state assuredness method must enable an untampered authentic device to distinguish itself from a device that has been modified (say, to install a backdoor or to disable tamper response), and to distinguish itself from a software/hardware clone that may have been constructed after destructive analysis of several real devices.
Some chip-card techniques used heretofore employ the idea of installing a permanent key pair in a device that is merely tamper-resistant. However, these techniques do not address the problem of providing the provable untampered state to third parties in potentially hostile user environments and in an application-available way. Furthermore, tamper-responsive hardware standards do not adequately address this problem.
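The proof of untampered state to a remote agent described in the two preceding paragraphs, as an added illustration that is not part of the patent text: a per-device key pair is generated inside the device and its public half is certified by a factory signing key (both assumed here), a remote verifier challenges the device with a fresh nonce, and tamper response zeroizes the private key so that a tampered device can no longer answer, while a clone holding only the public key and certificate cannot produce a valid signature. Ed25519 stands in for whatever signature scheme a real device would use, and tamper detection is modelled as a function call.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device models a tamper-responsive coprocessor holding a per-device key pair
// whose public half was certified at the factory (factory key is assumed).
type Device struct {
	Pub  ed25519.PublicKey
	Cert []byte // factory signature over Pub, proves Pub belongs to a real device
	priv ed25519.PrivateKey
}

// NewDevice provisions a device: the key pair is generated inside the device
// and the factory signs the public key.
func NewDevice(factoryPriv ed25519.PrivateKey) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Pub: pub, Cert: ed25519.Sign(factoryPriv, pub), priv: priv}
}

// OnTamper is the tamper-response path: overwrite and discard the private key
// before it can be observed.
func (d *Device) OnTamper() {
	for i := range d.priv {
		d.priv[i] = 0
	}
	d.priv = nil
}

// Attest answers a verifier's fresh nonce with a signature under the device
// key; a zeroized (tampered) device has nothing to sign with.
func (d *Device) Attest(nonce []byte) ([]byte, error) {
	if d.priv == nil {
		return nil, errors.New("key zeroized: device cannot prove untampered state")
	}
	return ed25519.Sign(d.priv, nonce), nil
}

// Verify is the remote agent's check: the certificate ties Pub to the factory,
// and the signature over the nonce proves the device still holds the matching
// private key (a clone with only Pub and Cert cannot produce it).
func Verify(factoryPub ed25519.PublicKey, nonce, sig []byte, d *Device) bool {
	return ed25519.Verify(factoryPub, d.Pub, d.Cert) && ed25519.Verify(d.Pub, nonce, sig)
}
```

The nonce must be freshly generated by the verifier for every check; replaying an old signature must not pass.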