Tamper Resistance

April 1, 2011

By Oscar Pozzobon, Chris Wullems, and Marco Detratti

Modern GNSS will provide access control to the signal through spreading-code encryption and/or authentication at the navigation data level. This will require support within the receiver for secure cryptographic keys and the implementation of security functions. This article reviews vulnerabilities of these security functions, and reviews design considerations to mitigate attacks.

The threat of spoofing attacks on GNSS has led to the design of signals and receiver technologies that address this problem at the signal, data, and receiver levels. Transportation, governmental, financial, and access-control applications demand trusted position, velocity, and time. Security functions in the receiver require implementation of cryptographic functions and key storage in the receiver. We can distinguish three uses of cryptographic keys and functions:

  • signal access control;
  • navigation data authentication and access control; and
  • position, velocity, time, and signal authentication state privacy and integrity.

It is imperative to protect the cryptographic functions and keys, software, hardware, and data communication of next-generation secure GNSS receivers against attacks, to prevent signal spoofing and to deny a hostile party access to the signal and position. Here we provide guidelines that can support the design of tamper-resistant GNSS receivers.

Signal access control is achieved through spreading-code encryption. The spreading sequence is encrypted with a stream cipher, and the receiver needs the key in order to locally reproduce the signal and perform acquisition and tracking. If the stream cipher frequency is considerably lower than the original code chipping rate, such as the GPS W-code with respect to the P-code, codeless and semi-codeless techniques can also be used for signal tracking. However, these techniques lie outside the scope of this study, which focuses on the need for keys to decode the signal and the requirements to protect them.

Direct sequence spread-spectrum (DSSS) access-control schemes can be implemented with a binary stream cipher that acts as the pseudorandom spreading sequence, or the spreading sequence can be modulo 2 summed with a stream cipher at the same or a different frequency. The encryption module in the transmitter needs the key and initialization vector (IV) to perform the encryption operation. It is assumed that the transmitted signal (neglecting signal amplitude) will be:

Eq-1(1)

where Oak and Obk are the publicly known spreading codes, such as the C/A and P-code of GPS, for each satellite k, SCk is the stream cipher (W code for GPS) and Dk is the transmitted data. After the AD conversion the signal will be:

Eq-2(2)

where e(n) is the thermal noise introduced in the sampling process.

After the carrier removal by multiplication with sin (2π fIFn) to obtain the quadrature arm containing the encrypted signal, and after the application of a low-pass filter to cut the 2π (2 fIF) frequency, the remaining signal for every satellite is:

Eq-3(3)

The encryption module in the receiver needs the key and IV to recreate the local signal and perform code acquisition and tracking. Cryptographic keys in GNSS are assumed to be secured in the ground and space segment, and the ground control center performs operations of key loading to the satellites. However, key loading to the GNSS receiver is a sensitive operation. An adversary might obtain the keys and use them to access the encrypted signal in other receivers.

A malicious key recovery could be used to generate false encrypted signals, leading to a risk of signal spoofing. Key loading to the receiver can be achieved with a public key encryption and public key infrastructure, where the stream cipher key and IV are encrypted with the receiver public key, and only the receiver private key can decrypt the cipher key and IV.

The receiver private key and stream cipher key must be protected by a tamper-resistant module to prevent attacks. Figure 1 shows a high-level block diagram of a GNSS receiver with functions to access encrypted codes. There are two areas to be protected, depending on the security objectives:

Limit access of the signal to a restricted group: prevent signal spoofing. The red blocks show the critical components to protect for these objectives, including the storage of the secret keys, the stream cipher generation, and the final local secret code (LSC) replica (4), which is a noise-less signal from which the stream cipher can be easily obtained by modulo 2 sum with the local non-secret Obk code (5).

Eq-4(4)

Eq-5(5)

The red blocks should be protected in order to avoid key recovery or cipher stream analysis by an attacker.


Figure 1. Signal access control sensitive blocks.

Control access to Position, Velocity and Time (PVT). The yellow blocks show the critical components that should also be further protected in order to limit PVT access. The tracking functions provide information such as timing and pseudorange measurements that can be used for positioning, and the communication line should be protected. The navigation processing block performs the position and time solution, and access to the data shall be protected.

Data Authentication, Access Control. A system might provide access control and authentication to the navigation data only. In such a design, the spreading sequence is publicly known, while the data is encrypted or contains authentication messages. The security objectives can be distinguished as:

Access control to data of the acquisition and tracking functions. If fundamental parameters for the position solution are encrypted (such as transmission time and satellite position) and therefore unavailable, a GNSS receiver could not attempt the PVT solution with standard approaches. Therefore the Navigation Message Encryption (NME) restricts access to PVT to the user group that has the cryptographic keys for navigation message decryption.

Navigation Data Integrity. Navigation data can be authenticated (with cryptographic authentication schemes such as Message Authentication Codes [MAC] or digital signatures). The objective of Navigation Message Authentication (NMA) is to enhance the integrity of the messages against intentional attacks. Such a design can be an option to reduce the signal spoofing risk, as an attacker needs to rely on the messages (with a receiver-spoofer architecture, for example).

Figure 2 provides a high-level block diagram of a GNSS receiver architecture that supports NMA and/or NME. The red blocks show the sensitive parts that must be protected. In the case of NMA, the key that verifies the integrity (for example, a public key certificate) must be stored securely to prevent an attacker from substituting the key and spoofing the navigation data with alternative keys (for example, the root CA could be stored in ROM). A trusted clock component is included in the diagram, as it is an option worth considering to prevent NMA spoofing attacks.


Figure 2. Schematic of assistance solution.

PVT and Signal Authentication State Integrity and Privacy. Many applications require PVT integrity to be cryptographically verifiable. Applications that require secure tracking systems (anti-theft, hazmat tracking, road toll, navigation statistics for insurance companies) and information security applications based on GNSS (location-based access control and geo-encryption) require PVT integrity. It is trivial to tamper with the data communication between a GNSS receiver and a final application (for example, interfering with the serial output of the chipset) and generate false PVT, in a data-spoofing attack. In Figure 2 the cryptographic keys used to add integrity to the PVT messages are typically different from the keys used for NMA or NME, and are application-specific. Such an architecture could also be the choice for differential corrections authentication, where the navigation processing block could verify the integrity of the correction data before aiding the position solution algorithm.

Attacks on Security Functions

This section identifies attacks that can compromise the functions of the previous section. Attacks on the signal are not pertinent to this work. We divide the attacks into two main categories: physical attacks and side-channel attacks. Among physical attacks, we distinguish:

Microprobing. This refers to techniques that attempt to access the physical components of a GNSS receiver, such as the baseband processor and RAM/ROM memory chip surface, to observe and manipulate sensitive data. A microprobing attack can be targeted to recover the cryptographic keys.

Focused Ion Beam. FIB is a technique for deposition and ablation of materials in semiconductors, where chip material can be removed with micrometer resolution. It consists of a vacuum chamber with a particle gun. FIBs are used by attackers for manually probing the signal of interest. A micrometer hole is created to reach the signal of interest and filled with platinum, terminating with a pad. The signal can then be connected to an external probe.

Software Attacks. These happen through vulnerabilities of the communication interface or security protocols, or through malicious firmware upgrades in the baseband processor.

Eavesdropping Techniques. These monitor sensitive communication lines (such as baseband to HW correlator where the spreading code could be observed).

The most common side-channel attacks are timing, power, and fault analysis, in which an attacker seeks to exploit side-channel information in order to recover a cryptographic key. The most effective mitigation strategy against such attacks is to design and implement the cryptosystems with the assumption that information (time and power) will leak. Different types of side-channel attacks and their respective countermeasures are:

Fault-Generation Techniques. These are used to investigate ciphers and extract keys by generating faults in the system, either by intentionally causing faults or by natural faults that occur. Faults can be most often caused by changing the voltage, tampering with the clock, changing temperatures, and applying radiation of various types.

Timing Analysis. This class of attack allows cryptanalysts to extract keys by analyzing the time taken to execute cryptographic algorithms. Every logical operation in a computer takes time to execute, and the time can differ based on the input; with precise measurements of the time for each operation, an attacker can work backwards to the input.

Simple and Differential Power Analysis. SPA or DPA is a class of attack that allows cryptanalysts to extract secret keys and compromise the security of smart cards and other cryptographic devices by analyzing their power consumption. Differential power analysis attacks use statistical analysis and error-correction statistical methods to obtain information about the keys.

Electromagnetic Radiation Analysis. This is concerned with the monitoring/recording of radiation for the purpose of obtaining information about the operation of associated hardware, which could be used ultimately to determine cryptographic keys. Fluctuations in current generate radio waves, making whatever is producing the currents, in principle, subject to a van Eck (TEMPEST) attack. If the currents concerned are patterned in distinguishable ways, which is typically the case, the radiation can be recorded and analyzed in order to infer information on the operation of such hardware.

Acoustic Analysis. This is concerned with the observation of the acoustic emissions from a chip in order to obtain information about the code being executed. Information about the operation of cryptosystems and algorithms can be obtained in this way. Flowing currents heat the materials through which they flow. Those materials also continually lose heat to the environment due to other equally fundamental facts of thermodynamic existence, so there is a continually changing thermally induced mechanical stress as a result of these heating and cooling effects. That stress appears to be the most significant contributor to low-level acoustic (that is, noise) emissions from operating CPUs. If the surface of the CPU chip, or in some cases the CPU package, can be observed, infrared images can also provide information about the code being executed on the CPU, known as a thermal imaging attack.

Mitigation Strategies

We derived several design considerations to mitigate attacks from our experience during the development of the Trusted Innovative GNSS rEceiveR (TIGER) project. The TIGER is a tamper-resistant GNSS receiver which provides PVT integrity, signal spoofing and jamming detection, and signal state attestation with an open GNSS signal.

Cryptographic subsystem. This is designed for resistance against timing-based attacks. Timing-based attacks targeted to the cryptographic module can be prevented by careful implementation of the cryptographic functions. A non-exhaustive list of countermeasures that can be considered for mitigation of timing-based attacks includes:

  • Ensure that the time a cryptographic operation takes is independent of the input data or key bits. These operations should take the same number of clock cycles.
  • Ensure that the software implementation of critical code does not contain conditional branches (i.e., IF statements). Functions should use operations such as AND, OR, or XOR instead.
  • Ensure time taken for multiplication and exponentiation is the same, such that an attacker cannot learn how many multiplications and how many exponentiations have been performed. A simple method is to always perform both multiplication and exponentiation.
  • Addition of delays such that all operations take the same amount of time, although this can have a detrimental effect on performance. The addition of random delays can increase attack difficulty.
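The first three countermeasures above can be seen together in a modular exponentiation that squares and multiplies on every exponent bit and picks the result with AND/OR masks instead of an IF. This is an added example, not code from the article or from TIGER; the function names and the 32-bit operand size are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Branch-free select: returns a when bit is 1, b when bit is 0. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t mask = (uint64_t)0 - (bit & 1);   /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}

/* (a * b) mod m for operands below 2^32, so the product fits in 64 bits.
 * The % operator is used for brevity; its latency can be data-dependent on
 * some CPUs, so a fixed-time reduction would replace it in a real device. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a * b) % m;
}

/* Square-and-multiply-always: 32 fixed iterations, one squaring and one
 * multiplication in each, whatever the exponent bits are. mod must be non-zero. */
uint32_t modexp_always(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t result = 1 % mod;
    uint64_t b = base % mod;
    for (int i = 31; i >= 0; i--) {
        result = mulmod(result, result, mod);
        uint64_t prod = mulmod(result, b, mod);      /* computed for every bit */
        result = ct_select((exp >> i) & 1u, prod, result);
    }
    return (uint32_t)result;
}

/* Compare two tags without an early exit; returns 1 if equal, 0 otherwise. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t len) {
    uint32_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    return (int)(((diff - 1u) >> 8) & 1u);   /* diff is in 0..255 */
}

int main(void) {
    /* Constructed values: 4^13 mod 497 = 445. */
    printf("%u\n", modexp_always(4, 13, 497));
    return 0;
}
```

Compilers can turn mask-based code back into branches, so the generated assembly is what has to be checked on the target.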

Protection from Electronic Level Interception/Monitoring. One approach for mitigation of microprobing attacks is the use of a tamper-detection mesh. A tamper mesh acts as a continuously powered sensor in which all the paths are continuously monitored for interruptions and short circuits. For single-chip solutions the mesh is integrated as a top-level metallization layer. For multichip solutions the mesh can be developed to cover all the sensitive components. In both cases the tamper-detection mesh is connected to a supervisory circuit that performs an action if tamper is detected, such as zeroization of the cryptographic keys and the memory content.

The designer of the mesh must be careful in the pattern design in order to avoid entry points or escape routes that can easily provide access for an attacker. Such a vulnerability was found, for example, in the ST16SF48A tamper mesh. One approach considered in the TIGER security mesh design is the combination of a tamper mesh glued with epoxy to a metal shield (Figure 3). The mesh is wired internally to a security supervisor and linked via connectors. Any attempt to lift the metal shields or tamper with the mesh will trigger the security supervisor (SUP), which immediately erases the keys and memory. Furthermore, the metal shield limits the electromagnetic emissions, reducing the risk of TEMPEST attacks.


Figure 3. TIGER tamper mesh concept.

Designing the PCB to run sensitive signals (such as data communication lines) in the inner layers is another security enhancement that has been integrated in TIGER. TIGER has also been designed to support the GORE Secure Encapsulated Module, which is an envelope that completely covers the module and is connected to the internal security supervisor. This tamper mesh is targeted at FIPS 140-2, Level 4, DoD, NSA Type 1 security and CESG Enhanced Grade security.

Security Supervisor Circuit. A security supervisor can be an option to monitor the tamper mesh status and other physical attacks. The concept of a security supervisor is to store the cryptographic keys in a secure memory, and erase them if a security event is triggered. Security supervisors support the security level requirements of FIPS 140-2 and Common Criteria with functions such as a real-time clock, tamper comparator, tamper logic inputs (for a case switch, for example), temperature sensor (required for FIPS 140-2 level 4), and non-imprinting key memory.

A security supervisor has been integrated in TIGER (Figure 4) to support these security functions and facilitate the certification process. The cryptographic keys are loaded to the security supervisor in a non-imprinting key memory via a security processing microcontroller, which performs encryption functions and GNSS security processing such as secure timing synchronization, spoofing, and jamming detection. The non-imprinting key memory addresses the security risk created by the tendency of the memory cells to exhibit charge accumulation or depletion in the oxide layers of the devices composing the memory cells.


Figure 4. TIGER hardware security components.

Standard memory cells suffer from charge accumulation or depletion in the oxide layers when the data is stored over a long period of time, leaving an imprint of the data that was stored. This data can be recovered even after a memory clear operation.

The non-imprinting key memory addresses this security risk, as the technology has been designed and developed to eliminate the problem of oxide stress with a continuous complementing of the device’s SRAM powered by the back-up battery. In case of a tamper event the entire memory is cleared, leaving no traces in specific sectors.
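The supervisor behaviour described in this section can be modelled in software: tamper inputs are polled, any event zeroizes the key, and the stored cells are periodically complemented so that no bit rests in one state. This is an added example, not TIGER's design or any vendor's firmware; the structure and function names and the -40/85 °C limits are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#define KEY_LEN 16

/* Constructed model; field names and temperature limits are assumptions. */
struct tamper_inputs {
    int mesh_open;    /* a mesh path is interrupted */
    int mesh_short;   /* two mesh paths are shorted together */
    int case_switch;  /* enclosure opened */
    int temp_c;       /* temperature sensor reading, degrees C */
};

struct supervisor {
    volatile uint8_t cells[KEY_LEN]; /* what the SRAM cells physically hold */
    uint8_t polarity;                /* 0x00 = true form, 0xFF = complemented */
    int key_valid;
};

void sup_load_key(struct supervisor *s, const uint8_t *key) {
    for (size_t i = 0; i < KEY_LEN; i++) s->cells[i] = key[i];
    s->polarity = 0x00; s->key_valid = 1;
}

/* Periodic complement: every cell flips, so no bit rests in one state. */
void sup_complement_tick(struct supervisor *s) {
    for (size_t i = 0; i < KEY_LEN; i++) s->cells[i] = (uint8_t)~s->cells[i];
    s->polarity = (uint8_t)~s->polarity;
}

/* Writes the logical key to out and returns 1, or returns 0 once erased. */
int sup_read_key(const struct supervisor *s, uint8_t *out) {
    if (!s->key_valid) return 0;
    for (size_t i = 0; i < KEY_LEN; i++) out[i] = s->cells[i] ^ s->polarity;
    return 1;
}

/* Clears the whole memory; volatile keeps the stores from being optimized out. */
void sup_zeroize(struct supervisor *s) {
    for (size_t i = 0; i < KEY_LEN; i++) s->cells[i] = 0;
    s->polarity = 0x00; s->key_valid = 0;
}

/* One supervisory pass: any tamper condition erases the key. Returns 1 on tamper. */
int sup_poll(struct supervisor *s, const struct tamper_inputs *in) {
    int tamper = in->mesh_open || in->mesh_short || in->case_switch
              || in->temp_c < -40 || in->temp_c > 85;
    if (tamper) sup_zeroize(s);
    return tamper;
}

int main(void) {
    static const uint8_t key[KEY_LEN] = {0xA5, 0x5A};  /* constructed key */
    struct supervisor s;
    struct tamper_inputs in = {1, 0, 0, 25};           /* mesh path cut */
    sup_load_key(&s, key);
    sup_complement_tick(&s);
    return sup_poll(&s, &in) ? 0 : 1;                  /* 0 = key erased */
}
```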

Tamper-resistant coatings (TRC). This refers to the use of a protective layer of resin or thermal spray ceramic that limits direct access to PCB traces and components. Although it can make the attacker’s job harder, with the possibility of breaking the outer-layer traces or components at the first attempt, it does not stop subsequent microprobing attacks once the hardware design has been discovered.

Conclusion

Future secure GNSS receivers should be designed with the considerations presented here in order to protect sensitive signals and the position and time data integrity.

Acknowledgment

The TIGER project received funding from the Galileo Supervisory Authority, via the European Community’s framework programme (FP7/2007-2013) under grant agreement n° 228443.

The material in this article was first presented at the ESA/IEEE NAVITEC 2010 conference, in Noordwijk, the Netherlands, as “Security Considerations in the design of tamper resistant GNSS receivers.”


Oscar Pozzobon is the technical director and co-founder of Qascom S.r.l. Italy. He received a diploma in computer science engineering and a degree in information technology engineering from the University of Padova, Italy, and a master’s degree in telecommunication engineering from the University of Queensland, Australia.

Chris Wullems is a co-founder of Qascom S.r.l. Italy. He has been engaged in projects that range from secure tracking for hazardous and safety-critical applications to development of GNSS receiver security technologies. He received his Ph.D. from Queensland University of Technology in Australia.

Marco Detratti received an M.Sc. in electronic engineering from the University of Perugia, Italy, and a diploma of advanced studies from the University of Cantabria, Spain. At present he is with the European GNSS Agency (GSA) acting as market innovation officer. His research interests include evolution of GNSSs, implementation and prototyping issues of GNSS receivers, and emerging applications of GNSS technologies.
