Still working to recover. Please don't edit quite yet.
A secure cryptoprocessor is a dedicated computer or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance.
The purpose of a secure cryptoprocessor is to act as the keystone of a security sub-system, eliminating the need to protect the rest of the sub-system with physical security measures.
Smartcards are probably the most widely deployed form of secure cryptoprocessor, although more complex and versatile secure cryptoprocessors are widely deployed in systems such as Automated teller machines, TV set-top boxes, and high-security portable communication equipment. Some secure cryptoprocessors can even run general-purpose operating systems such as Linux inside their security boundary. Cryptoprocessors input program instructions in encrypted form, decrypt the instructions to plain instructions which are then executed within the same cryptoprocessor chip where the decrypted instructions are inaccessibly stored. By never revealing the decrypted program instructions, the cryptoprocessor prevents tampering of programs by technicians who may have legitimate access to the sub-system data bus. This is known as bus encryption. Data processed by a cryptoprocessor is also frequently encrypted.
The Trusted Platform Module is an implementation of a secure cryptoprocessor that brings the notion of trusted computing to ordinary PCs by enabling a secure environment. While envisioned by some as being a method to make it much harder to illegally copy copyrighted software, present implementations tend to focus more on providing a tamper-proof boot environment.
Security measures used in secure cryptoprocessors:
- Tamper-detecting and tamper-evident containment.
- Automatic zeroization of secrets in the event of tampering.
- Internal battery backup.
- Chain of trust boot-loader which authenticates the operating system before loading it.
- Chain of trust operating system which authenticates application software before loading it.
- Hardware-based capability registers, implementing a one-way privilege separation model.
Degree of security
Secure cryptoprocessors, while useful, are not invulnerable to attack, particularly for well-equipped and determined opponents (e.g. a government intelligence agency) who are willing to expend massive resources on the project.
The most famous attack on a secure cryptoprocessor targeted the IBM 4758. A team at the University of Cambridge reported the successful extraction of secret information from an IBM 4758, using a combination of mathematics, and special-purpose codebreaking hardware.
Whilst the vulnerability they exploited was a flaw in the software loaded on the 4758, and not the architecture of the 4758 itself, their attack serves as a reminder that a security system is only as secure as its weakest link: the strong link of the 4758 hardware was rendered useless by flaws in the design and specification of the software loaded on it.
The software flaws reported by the Cambridge team have now been fixed, making the system more secure: a good example of the advantages of full disclosure.
Smartcards are significantly more vulnerable, as they are more open to physical attack.
In the case of full disk encryption applications, especially when implemented without a boot PIN, a cryptoprocessor does not offer any protection against a cold boot attack. In this scenario, data remanence is exploited to dump memory contents after the operating system has retrieved the cryptographic keys from its TPM.
- attack on the IBM 4758
- J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten (February 21, 2008). "Lest We Remember: Cold Boot Attacks on Encryption Keys". Princeton University. Retrieved on 2008-02-22.
- Ross Anderson, Mike Bond, Jolyon Clulow and Sergei Skorobogatov, Cryptographic Processors — A Survey, April 2005 (PDF).
- Robert M. Best, US Patent 4,278,837, July 14, 1981
- R. Elbaz, et al, Hardware Engines for Bus Encryption â€” A Survey, 2005 (PDF).
- David Lie, Execute Only Memory, .
- J. D. Tygar and Bennet Yee, A System for Using Physically Secure Coprocessors, Dyad
- IBMs homepage for its cryptoprocessors
- Extracting a 3DES key from an IBM 4758
- SafeNet security processors