1Copyright © 2005 InfoGard Laboratories Proprietary 2005 Physical Security Conference Physical Security 101 Tom Caddy September 26, 2005.

Presentation transcript:

1 2005 Physical Security Conference: Physical Security 101. Tom Caddy, September 26, 2005

2 Agenda
Introduction
–Objective
–Threat Models
–Threat Taxonomy
–Access Threats
Physical Security
–Role
–Technologies
–External Environment
Attacks & Mitigations
–Attack Points
–Level of Effort
–Mitigation Strategies
Challenges
–Standard
–Validation
–Lifecycle Constituents
Summary

3 Objective
“It should be very clear that compromised physical security always means that all security layers have been compromised. All security discussed in this solution is based on the assumption that physical security has been addressed. Without physical security, no other security measures can be considered effective.”
Microsoft website discussing system security

4 Physical Security Role
Physical Security protects all other module aspects:
–Critical Security Parameters
–Data, Information or Cargo
–Module Integrity, Physical and Logical
Physical Security at the Cryptographic Boundary
Physical Security is Access Control

5 General Threat Models
Low Threat Environment
–User/Owner benefit by module security
–Typically Level 1 and Level 2 Modules
High Threat Environment
–User/Owner benefit by module compromise
–Typically Level 3 and Level 4 Modules
Custom Threat Environment
–High Value Data
–Unique Environment
External Environment Effect
–Space
–Vault
Data Value
–Cost of Loss
–Cost of Loss of Integrity

8 Threat/Attacker Taxonomy*
Class I - (Clever Outsiders) - opportunistic
–Intelligent; limited system knowledge
–Limited access to module, and limited equipment and tools
–Exploit obvious weaknesses
Class II - (Knowledgeable Insider) - motivated
–Specialized education, knowledge and experience
–Significant access to module; sophisticated equipment and tools
–Exploit subtle vulnerability, create opportunity
Class III - (Funded Organization) – highly motivated
–Teams of specialists, complementary skills, extensive experience
–Virtually unlimited access to module; advanced analysis and tools
–Exploit hidden vulnerabilities or create vulnerabilities
*IBM Systems Journal v30 no 2 (1991)

9 Availability Risk
Availability of the module is a major factor in assessing risk
–Time that a threat has access to the module(s)
Growing risks to module access
–Distribution of systems and other lifecycle phases
–Flexibility and configurability
–Administration, maintenance and remote access roles
Invasive vs. Non-Invasive
–Non-invasive attacks require specific knowledge, skills and practice to perform
–Non-invasive compromises can be particularly damaging, as the compromise may not be discovered for a considerable time

10 Physical Security Technology
Diagram: the Cryptographic Module Logic, Function and Data (the “Crown Jewels”) surrounded by the technologies that protect it:
Detection Ckt, Zeroization Ckt, Analog Circuits, Electromagnetic RF and Emissions, Adhesives, Solvents, Light, Radiation, Sound, Thermal, System Requirements, Risk Assessment, Vulnerability Assessment, Security Policy, Manuals, Plastics, Metals, Composites, Design Tolerances, Fasteners, Assembly Processes

11 External Environment
Physical Security usually only works for limited threats and roles
Vulnerabilities and mitigation are often hidden in the details
Interfaces between technologies can be vulnerabilities
Diagram: Cryptographic Module Logic, Function and Data (“Crown Jewels”)

12 Attack Plan
Identify the weakest points in the “system”
–Physical inspection
–Available documentation
Develop “attack” plan based on vulnerable points
Acquire resources
–Skills
–Tools
–Materials
Test “attack” plan and refine as necessary
As currently defined, FIPS evaluation is a physical security evaluation, not a full attack

13 Mitigation Strategies
Tamper Evidence: User-detectable evidence vs. forensic evidence or warranty evidence; effective when the user is motivated to trust the module.
Tamper Resistance: Adding complexity, difficulty and risk to compromising a module; includes concepts of obscurity, vents and pick-resistant locks.
Door and Cover Tamper Detection and Response: Feature to sense basic threat conditions and respond with defensive action – zeroization of critical security parameters.
Production Grade: Security requires trust; trust requires reliability. Commercial grade equipment is expected to be reliable.
Envelope Tamper Detection and Response: Feature to sense any breach of the cryptographic boundary and respond with defensive action – zeroization of critical security parameters.
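The two detection-and-response strategies on this slide describe a circuit that senses a threat condition and answers by zeroizing critical security parameters. The following C program is an added example, not code from the InfoGard slides or from any real module: it simulates that loop in software. A constructed sensor sample (cover switch, security-mesh continuity, temperature, supply voltage) is checked against assumed thresholds, and on the first tamper indication the key is wiped and the module latches into a tampered state. The sensor fields, thresholds and the 0xAB test key are all constructed for illustration.

```c
/* Tamper detection and response with CSP zeroization: an added example
 * (not code from the InfoGard slides). Sensor readings and thresholds
 * below are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Constructed sensor sample, as a detection circuit might deliver it. */
typedef struct {
    bool cover_open;    /* door/cover switch (door-and-cover detection) */
    bool mesh_broken;   /* security-mesh continuity (envelope detection) */
    int  temperature_c; /* environmental failure protection: temperature */
    int  supply_mv;     /* environmental failure protection: voltage */
} sensors_t;

typedef enum { MODULE_OPERATIONAL = 0, MODULE_TAMPERED = 1 } module_state_t;

typedef struct {
    uint8_t        key[KEY_LEN]; /* the critical security parameter to protect */
    module_state_t state;
    unsigned       tamper_events;
} module_t;

/* Zeroize through a volatile pointer so the compiler cannot drop the
 * stores as dead code (a plain memset on memory that is never read
 * again may be optimized away). */
void secure_zeroize(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Constant-time check that a buffer is all zero (used to verify the response). */
bool buffer_is_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

void module_init(module_t *m, const uint8_t key[KEY_LEN])
{
    memcpy(m->key, key, KEY_LEN);
    m->state = MODULE_OPERATIONAL;
    m->tamper_events = 0;
}

/* Assumed operating window (constructed thresholds): anything outside it
 * is treated as a tamper condition, as is an open cover or a broken mesh. */
bool tamper_detected(const sensors_t *s)
{
    return s->cover_open || s->mesh_broken ||
           s->temperature_c < -20 || s->temperature_c > 85 ||
           s->supply_mv < 2700 || s->supply_mv > 3600;
}

/* One pass of the detection-and-response loop. On the first tamper
 * condition the CSP is zeroized and the module latches into the
 * tampered state; it stays there until re-initialized. */
module_state_t module_service(module_t *m, const sensors_t *s)
{
    if (m->state == MODULE_TAMPERED) {
        return m->state; /* latched: no silent recovery once tripped */
    }
    if (tamper_detected(s)) {
        secure_zeroize(m->key, KEY_LEN);
        m->state = MODULE_TAMPERED;
        m->tamper_events++;
    }
    return m->state;
}

/* Scripted scenario: normal sample, then a broken mesh, then normal again.
 * Returns 0 when every expectation holds, otherwise the failed step number. */
int demo_tamper_sequence(void)
{
    uint8_t key[KEY_LEN];
    memset(key, 0xAB, KEY_LEN); /* constructed test key */
    module_t m;
    module_init(&m, key);

    sensors_t normal = { false, false, 25, 3300 };
    sensors_t breach = { false, true, 25, 3300 };

    if (module_service(&m, &normal) != MODULE_OPERATIONAL) return 1;
    if (buffer_is_zero(m.key, KEY_LEN)) return 2;                 /* key still intact */
    if (module_service(&m, &breach) != MODULE_TAMPERED) return 3;
    if (!buffer_is_zero(m.key, KEY_LEN)) return 4;                /* key zeroized */
    if (module_service(&m, &normal) != MODULE_TAMPERED) return 5; /* state latched */
    if (m.tamper_events != 1) return 6;
    return 0;
}

int main(void)
{
    printf("tamper sequence result: %d\n", demo_tamper_sequence());
    return 0;
}
```

Two design points carry over to real modules. The zeroize must survive optimization, which is why the stores go through a volatile pointer (memset_s or explicit_bzero serve the same purpose where available); and the tampered state is latched rather than cleared when the sensors read normal again, because the value of detection lies in the response being irreversible without re-initialization. In hardware the same logic runs from a battery-backed detection circuit so the response works while the module is unpowered; this example only models the decision logic.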

14 Attack Level of Effort (LOE)
Increasing Level of Effort is directly related to an increase in Tamper Resistance, not to security features
The effectiveness of the implementation’s tamper resistance produces a range of possible effects on security
Chart: Trust and Level of Effort for Successful Attack (LOE) vs. Level of Security, showing the Effectiveness Range

15 Specification Challenges
Standard
–Security Effectiveness definition vs. Security Feature definition
–Tamper Resistance definition
–The effect module embodiment has on tamper resistance
–Allowance for innovation: module designs, attack methods, tools and techniques

16 Validation Challenges
Testing and Evaluation
–Testing Efficiency: establishing a DTR (Derived Test Requirements) to have an effective test that costs significantly less than the value of an attack
–Testing Consistency: establishing test, lab and personnel requirements that allow multiple test entities and personnel to consistently obtain similar results

17 Cryptographic Module Typical Lifecycle (Basic…)
Diagram: Manufacturing → Initialization → Operational → Scrap, with typical transportation points between the phases
Current FIPS requirements are applicable in the operational environment

18 High Security Crypto Module Lifecycle Expanded…
Diagram: Manufacturing → Initialization → Operational → Scrap, with typical transportation points between the phases
For high security devices, physical security threats exist throughout the module lifecycle

19 Summary
and have done a remarkable job of establishing a great foundation
A high level of physical security is complicated and cannot be an afterthought
Recognize that effective physical security requires different skills than those used during logical and assurance compliance
Recognize the role of Tamper Resistance as a key characteristic in physical security effectiveness
is an opportunity to review, revisit and improve