Page 1

Copyright © 2005 InfoGard Laboratories Proprietary

2005 Physical Security Conference

Physical Security 101

Tom Caddy

September 26, 2005

Page 2

Agenda

• Introduction
  – Objective
  – Threat Models
  – Threat Taxonomy
  – Access Threats
• Physical Security
  – Role
  – Technologies
  – External Environment
• Attacks & Mitigations
  – Attack Points
  – Level of Effort
  – Mitigation Strategies
• Challenges
  – Standard
  – Validation
  – Lifecycle
• Constituents
• Summary

Page 3

Objective

“It should be very clear that compromised physical security always means that all security layers have been compromised. All security discussed in this solution is based on the assumption that physical security has been addressed. Without physical security, no other security measures can be considered effective.”

• Microsoft website discussing system security

Page 4

Physical Security Role

Physical security protects all other module aspects:

• Critical Security Parameters
• Data, information or cargo
• Module integrity, physical and logical

Physical security sits at the cryptographic boundary.

Physical security is access control.

Page 5

General Threat Models

• Low Threat Environment
  – User/Owner benefit by module security
  – Typically 140-2 Level 1 and Level 2 modules
• High Threat Environment
  – User/Owner benefit by module compromise
  – Typically 140-2 Level 3 and Level 4 modules
• Custom Threat Environment
  – High value data
  – Unique environment
• External Environment Effect
  – Space
  – Vault
• Data Value
  – Cost of loss
  – Cost of loss of integrity

Page 8

Threat/Attacker Taxonomy*

• Class I (Clever Outsiders): opportunistic
  – Intelligent; limited system knowledge
  – Limited access to module, and limited equipment and tools
  – Exploit obvious weaknesses
• Class II (Knowledgeable Insider): motivated
  – Specialized education, knowledge and experience
  – Significant access to module; sophisticated equipment and tools
  – Exploit subtle vulnerability, create opportunity
• Class III (Funded Organization): highly motivated
  – Teams of specialists, complementary skills, extensive experience
  – Virtually unlimited access to module; advanced analysis and tools
  – Exploit hidden vulnerabilities or create vulnerabilities

*IBM Systems Journal v30 no 2 (1991)

Page 9

Availability Risk

• Availability of the module is a major factor in assessing risk
  – Time that a threat has access to the module(s)
• Growing risks to module access
  – Distribution of systems and other lifecycle phases
  – Flexibility and configurability
  – Administration, maintenance and remote access roles
• Invasive vs. Non-Invasive
  – Performing a non-invasive attack requires specific knowledge, skills and practice
  – Non-invasive compromises can be particularly damaging, as the compromise may not be discovered for a considerable time

Page 10

Physical Security Technology

At the center: cryptographic module logic, function and data, the “Crown Jewels”.

Technologies and disciplines surrounding them:

• Detection circuit, zeroization circuit, analog circuits, electromagnetic, RF and emissions
• Adhesives, solvents
• Light, radiation, sound, thermal
• System requirements, risk assessment, vulnerability assessment, security policy, manuals
• Plastics, metals, composites
• Design, tolerances, fasteners, assembly processes

Page 11

External Environment

• External environment physical security usually only works for limited threats and roles
• Vulnerabilities and mitigation are often hidden in the details
• Interfaces between technologies can be vulnerabilities

At the center: cryptographic module logic, function and data, the “Crown Jewels”.

Page 12

Attack Plan

• Identify the weakest points in the “system”
  – Physical inspection
  – Available documentation
• Develop “attack” plan based on vulnerable points
• Acquire resources
  – Skills
  – Tools
  – Materials
• Test “attack” plan and refine as necessary

As currently defined, FIPS 140-2 evaluation is a physical security evaluation, not a full attack.

Page 13

Mitigation Strategies

• Production Grade: security requires trust; trust requires reliability. Commercial grade equipment is expected to be reliable.
• Tamper Evidence: user-detectable evidence vs. forensic evidence or warranty evidence. Effective when the user is motivated to trust the module.
• Tamper Resistance: adding complexity, difficulty and risk to compromising a module. Includes concepts of obscurity, vents and pick-resistant locks.
• Door and Cover Tamper Detection and Response: a feature to sense basic threat conditions and respond with defensive action, zeroization of critical security parameters.
• Envelope Tamper Detection and Response: a feature to sense any breach of the cryptographic boundary and respond with defensive action, zeroization of critical security parameters.
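The two detection-and-response strategies above both come down to the same firmware pattern: poll the tamper sensors, and on any trigger zeroize the critical security parameters before doing anything else, then latch the module into an error state it cannot leave on its own. The following C sketch is an added example written for this page, not code from the slides or from InfoGard; the sensor kinds, operating thresholds, structure names and the sensor readings fed to it are all constructed for illustration.

```c
/*
 * Added example (not from the slides): a minimal tamper detection and
 * response loop of the kind the "Door and Cover" and "Envelope"
 * mitigation strategies describe. All names, thresholds and sensor
 * readings here are constructed for illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CSP_BYTES 32

/* Tamper sources a module might monitor; bit flags so several can fire at once. */
enum tamper_flags {
    TAMPER_NONE     = 0,
    TAMPER_COVER    = 1u << 0,  /* door/cover switch opened            */
    TAMPER_ENVELOPE = 1u << 1,  /* mesh around the boundary broken      */
    TAMPER_TEMP     = 1u << 2,  /* temperature outside operating range  */
    TAMPER_VOLTAGE  = 1u << 3   /* supply voltage outside operating range */
};

/* One sample from the sensor subsystem (constructed shape). */
struct sensor_sample {
    bool cover_closed;
    bool mesh_intact;
    int  temp_c;
    int  supply_mv;
};

enum module_state { STATE_OPERATIONAL, STATE_TAMPERED };

struct crypto_module {
    uint8_t csp[CSP_BYTES];    /* critical security parameters, e.g. a key */
    enum module_state state;
    unsigned tamper_history;   /* OR of every flag ever raised, kept for audit */
};

/* Operating envelope the module is specified for (constructed limits). */
#define TEMP_MIN_C    0
#define TEMP_MAX_C    70
#define SUPPLY_MIN_MV 3000
#define SUPPLY_MAX_MV 3600

/* Evaluate one sample against the limits and return the flags raised. */
unsigned evaluate_sample(const struct sensor_sample *s)
{
    unsigned flags = TAMPER_NONE;
    if (!s->cover_closed) flags |= TAMPER_COVER;
    if (!s->mesh_intact)  flags |= TAMPER_ENVELOPE;
    if (s->temp_c < TEMP_MIN_C || s->temp_c > TEMP_MAX_C) flags |= TAMPER_TEMP;
    if (s->supply_mv < SUPPLY_MIN_MV || s->supply_mv > SUPPLY_MAX_MV) flags |= TAMPER_VOLTAGE;
    return flags;
}

/* Zeroize through a volatile pointer so the compiler cannot discard the
 * writes as dead stores (the buffer is never read again on the normal path). */
void zeroize(uint8_t *buf, size_t len)
{
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

/* Tamper response: zeroize CSPs first, then latch the error state.
 * The state is never cleared here, so a later "normal" sample does not
 * bring a tampered module back into service. Returns the flags raised. */
unsigned handle_sample(struct crypto_module *m, const struct sensor_sample *s)
{
    unsigned flags = evaluate_sample(s);
    if (flags == TAMPER_NONE) return TAMPER_NONE;
    m->tamper_history |= flags;
    zeroize(m->csp, sizeof m->csp);
    m->state = STATE_TAMPERED;
    return flags;
}

/* True when every CSP byte is zero (constant-time over the buffer). */
bool csp_is_zero(const struct crypto_module *m)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof m->csp; i++) acc |= m->csp[i];
    return acc == 0;
}

int main(void)
{
    struct crypto_module m = { .state = STATE_OPERATIONAL, .tamper_history = 0 };
    memset(m.csp, 0xA5, sizeof m.csp);   /* stand-in for a loaded key (constructed) */

    /* Constructed readings: two normal samples, the cover opens, then normal again. */
    struct sensor_sample samples[] = {
        { true,  true, 25, 3300 },
        { true,  true, 40, 3250 },
        { false, true, 25, 3300 },
        { true,  true, 25, 3300 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned f = handle_sample(&m, &samples[i]);
        printf("sample %zu: flags=0x%x state=%s csp_zero=%d\n", i, f,
               m.state == STATE_TAMPERED ? "TAMPERED" : "OPERATIONAL", csp_is_zero(&m));
    }
    return 0;
}
```

Two design points carry over to real hardware: the zeroization write goes through a `volatile` pointer because an optimizer is otherwise free to delete stores to memory that is never read again, and the tampered state is latched rather than recomputed from the current sample, so closing the cover after the event does not silently restore service. In a real module the sensor loop also has to keep running from backup power while the module is unpowered, which is what makes envelope detection substantially harder to build than door and cover detection.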

Page 14

Attack Level of Effort (LOE)

• An increasing level of effort is directly related to an increase in tamper resistance, not to security features
• There is a range of effect that the effectiveness or tamper resistance of the implementation can have on security

[Figure: LOE chart. Vertical axis: Trust and Level of Effort for Successful Attack. Horizontal axis: Level of Security, 1 through 4. An Effectiveness Range is marked at each level.]

Page 15

Specification Challenges

• Standard
  – Security effectiveness definition vs. security feature definition
  – Tamper resistance definition
  – The effect module embodiment has on tamper resistance
  – Allowance for innovation
    • Module designs
    • Attack methods
    • Tools and techniques

Page 16

Validation Challenges

• Testing and Evaluation
  – Testing efficiency
    • Establishing a DTR (Derived Test Requirements) to have an effective test that costs significantly less than the value of an attack
  – Testing consistency
    • Establishing test, lab and personnel requirements that allow multiple test entities and personnel to consistently obtain similar results

Page 17

Cryptographic Module Typical Lifecycle (Basic)

[Figure: lifecycle phases Manufacturing, Initialization, Operational, Scrap, with typical transportation points marked.]

Current FIPS 140-2 requirements are applicable in the operational environment.

Page 18

High Security Crypto Module Lifecycle (Expanded)

[Figure: lifecycle phases Manufacturing, Initialization, Operational, Scrap, with typical transportation points marked.]

For high security devices, physical security threats exist throughout the module lifecycle.

Page 19

Summary

• 140-1 and 140-2 have done a remarkable job of establishing a great foundation
• A high level of physical security is complicated and cannot be an afterthought
• Recognize that effective physical security requires different skills than those used during 140-2 logical and assurance compliance
• Recognize the role of tamper resistance as a key characteristic in physical security effectiveness
• 140-3 is an opportunity to review, revisit and improve