News outlets are always eager to report on attacks against security systems: operating system vulnerabilities, unauthorized intrusions into government networks, the theft of account information from laptops, and so on. Security concerns are not limited to laptops and servers; they increasingly extend to embedded systems such as traffic lights, home security systems, smoke detectors, ATMs, and cash registers. This demonstrates that risks are ubiquitous.
There are various reasons why embedded systems require security protection. In some applications, government agencies need to protect sensitive data, such as medical records and personal information. Sometimes, security is also needed for sales processes; for example, a company might sell printers below cost, compensating for this with the high profits from printer consumables. Security technologies can be used to verify the authenticity of consumables, preventing the use of counterfeit products from third parties. In some cases, security technologies are used to protect intellectual property. Embedded devices may contain highly innovative algorithms, and after production, enhanced security is needed to protect the hard-won product design and prevent piracy.
Security design is a trade-off—ideal security product designs will be incredibly expensive, while designs without security features require no security expenditure at all. Each specific application must define the required level of security, specifically understanding what the security system needs to protect.
Is encryption secure?
Choosing the right encryption tool is crucial for a communication architecture. Public algorithms should be selected; commonly used ones include DES, RSA, and DSA. Many people believe that choosing an obscure, proprietary algorithm is more secure, but this is not the case. Public algorithms have already been evaluated by academia, government agencies, and industry experts. A proprietary algorithm may appear secure and may have been reviewed by a paid expert, but how can its underlying security be guaranteed, and how can the credibility of the reviewers be established? Furthermore, proprietary algorithms may require licensing fees and royalties, limiting future choices.
While encryption is crucial for the security of embedded systems, it's only one aspect. Consider a real-world scenario where two people communicate by exchanging coded messages. An attacker could steal this information, but if the encryption used to encode the message is reliable, such an attack would be ineffective. A daring attacker might directly target the person. Forcing participants to reveal their communication password is far easier than cracking the encrypted message.
This example is very illustrative for embedded applications, such as encrypted communication between an ATM and a bank. Deciphering encrypted PIN data on the transmission line is nearly impossible, so some attackers might decide that attacking the ATM itself is more effective. An attacker might open the ATM late at night and, after a series of attacks, obtain the key the ATM uses to communicate with the bank. The attacker would then restore the ATM to its original state and leave. With the key in hand, the attacker can monitor the transmission line and decrypt all account and PIN data.
Fortunately, current ATMs are protected by robust physical and logical security technologies. However, the above examples also raise several security concerns:
Encryption technology only provides one layer of protection and cannot completely prevent attackers from acting.
The most valuable thing stored in an ATM is the key, not the account number, PIN data, or cash.
A secure embedded device must react to an attack and erase valuable keys.
Attacks on embedded systems
Attackers might start with the simplest operations: if the key is stored in external memory, an attacker can simply tap the address and data buses to steal it. Even if the key is not stored contiguously in memory, an attacker can still reverse-engineer the external code to determine which memory locations contain the key. Boot loader, debug, and test modes are all vulnerable to simple attacks. These modes typically allow read/write access to the microprocessor's memory and registers. Even if these modes are not publicly documented, someone skilled in social engineering can easily obtain the information from employees of the microprocessor manufacturer.
If simple attack methods fail, attackers will resort to subtler approaches. Through simple timing and power analysis they can observe how long an encryption operation takes and how much power it draws. A poorly designed encryption routine might take more time and power to process key bits that are 1 than key bits that are 0, giving attackers enough information to deduce the key. If this simple analysis fails, attackers will use Differential Power Analysis (DPA). DPA is a statistical attack that collects power consumption data from thousands of runs and ultimately extracts the key from the power signal. While time-consuming, this method can be automated. Furthermore, attackers might employ fault injection, driving the microprocessor outside its operating range so that it malfunctions and leaks the key. Attackers might also remove the microprocessor's plastic packaging and read out key data using microprobes. Memory has a regular structure that is easy to identify on the silicon die, which makes it an easy target for microprobing.
Faced with these attacks, engineers must take appropriate measures to provide effective protection for embedded systems.
Anti-attack measures
High-security applications require a processor built specifically to meet these challenges. Secure microprocessors, such as Dallas Semiconductor's DS5250, can meet the design requirements for the highest security levels.
High-quality security processors prioritize key protection and store sensitive information in non-volatile, battery-backed SRAM. This SRAM should be a custom design that can be zeroized (erased instantly), so that its contents are wiped as soon as tampering is detected. Tampering events (such as temperature attacks, voltage attacks, or microprobe attacks) are detected using continuously operating sensors or a battery-powered clock. This monitoring ensures that attackers cannot block the zeroization by taking control of an external clock. Keeping keys in on-chip memory prevents attackers from stealing them as they move within the device. Furthermore, in the event of a physical attack on the device, the keys will be immediately erased.
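A software model of the tamper response described above, added here as an illustration and not taken from the original article or from any DS5250 firmware. The sensor structure, the operating limits and all function names are hypothetical; on a real secure processor the monitoring and erase are done in hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16
/* Hypothetical operating window; real limits come from the part's data sheet. */
#define TEMP_MIN_C (-40)
#define TEMP_MAX_C 85
#define VCC_MIN_MV 2700
#define VCC_MAX_MV 3600

struct sensors { int temp_c; int vcc_mv; int probe_alarm; }; /* constructed model */

static uint8_t key_store[KEY_LEN];
static int tampered = 1;               /* no key loaded yet: fail closed */

/* Volatile writes so the compiler cannot drop the wipe as a dead store. */
static void zeroize(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

void load_key(const uint8_t *k) { memcpy(key_store, k, KEY_LEN); tampered = 0; }

/* Run on every monitor tick; any out-of-range reading wipes the key. */
int tamper_check(const struct sensors *s) {
    if (s->temp_c < TEMP_MIN_C || s->temp_c > TEMP_MAX_C ||
        s->vcc_mv < VCC_MIN_MV || s->vcc_mv > VCC_MAX_MV || s->probe_alarm) {
        zeroize(key_store, KEY_LEN);
        tampered = 1;  /* latched: readings returning to normal do not clear it */
    }
    return tampered;
}

/* Every key user goes through this gate; after tamper the device refuses. */
int use_key(uint8_t out[KEY_LEN]) {
    if (tampered) return -1;
    memcpy(out, key_store, KEY_LEN);
    return 0;
}

/* Test helper: reports whether the stored key has been wiped. */
int key_is_zero(void) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= key_store[i];
    return acc == 0;
}
```

The latch is the important design choice: once a tamper event is seen, the device stays disabled until a new key is provisioned, even if the sensor readings return to normal.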
To ensure attackers cannot control the memory bus or insert instructions that could steal keys, the security processor encrypts the external memory bus and provides integrity monitoring of the program memory. The keys are randomly generated and different for each device. This encryption ensures attackers cannot copy or steal the product design, providing effective intellectual property protection. If an attacker attempts to insert random instructions, the integrity check will report an error, indicating that tampering has been detected.
The secure processor also features a hardware encryption accelerator that can execute the 3DES algorithm in nanoseconds (rather than milliseconds). Furthermore, the hardware accelerator is designed to run in a fixed number of clock cycles and to consume the same amount of energy regardless of the key content. The random number generator can also add a series of dummy execution cycles at the beginning and end of the encryption algorithm, preventing power and timing analysis.
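The key-dependent timing described under "Attacks on embedded systems" and the fixed-cycle countermeasure above, shown as an added example that is not from the original article or the DS5250: a square-and-multiply exponentiation whose work follows the key's 1 bits, beside a version that does the same work for every bit. The modulus, base, sample keys and the use of a multiplication counter as a stand-in for time and power are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Counts modular multiplications as a stand-in for time/power per run. */
static unsigned long op_count;

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    op_count++;
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Leaky: the extra multiply happens only for key bits that are 1. */
uint32_t modexp_leaky(uint32_t base, uint32_t key, uint32_t m) {
    uint32_t r = 1 % m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((key >> i) & 1u)
            r = mulmod(r, base, m);
    }
    return r;
}

/* Hardened: always square and multiply, then pick the result with a mask
   instead of a key-dependent branch. */
uint32_t modexp_fixed(uint32_t base, uint32_t key, uint32_t m) {
    uint32_t r = 1 % m;
    for (int i = 31; i >= 0; i--) {
        uint32_t sq = mulmod(r, r, m);
        uint32_t mu = mulmod(sq, base, m);
        uint32_t mask = (uint32_t)0 - ((key >> i) & 1u); /* all 1s if bit set */
        r = (mu & mask) | (sq & ~mask);
    }
    return r;
}

/* Number of multiplications one exponentiation with this key performs. */
unsigned long ops_for(uint32_t (*f)(uint32_t, uint32_t, uint32_t), uint32_t key) {
    op_count = 0;
    (void)f(7u, key, 1000003u);
    return op_count;
}

int main(void) {
    uint32_t keys[] = {0x00000001u, 0x0F0F0F0Fu, 0xFFFFFFFFu}; /* constructed */
    for (int i = 0; i < 3; i++)
        printf("key %08x leaky=%lu fixed=%lu\n", (unsigned)keys[i],
               ops_for(modexp_leaky, keys[i]), ops_for(modexp_fixed, keys[i]));
    return 0;
}
```

The leaky version's count is 32 plus the number of 1 bits in the key, so a single measurement already narrows the key space; the fixed version costs the same for every key.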
Designers must determine the specific application's security requirements and the consequences of a successful attack. For embedded systems with high security requirements, it is better to disable the device's operation than to leak keys, and multiple attack methods must be considered. For applications with high attack prevention requirements, secure microprocessors such as the DS5250 can be used, providing effective protection for encrypted data under any circumstances.