Hard to clone Micros.

do you have some ressources that explain how to clone micros (you wrote "very easy to clone", how easy is it?)? I would be very interested into knowing the principles.

Even some bookmarks where it is "offered" to recover lost code may be interested.

Best regards

"Unbeliever" schrieb im Newsbeitrag news:42a9791b$0$16494$ snipped-for-privacy@news.optusnet.com.au...

Have a look at .

Depends on the type of clone-attack you expect. The most design effort in this area, is done in smart card controllers, so I'd look in that sector.

-jg

I know of no example of anyone ever defeating the security of a Dallas/Maxim DS5240/DS5250 microcontroller. Perhaps a government agency can, but it has proved to be secure in banking applications.

If you are bound by export restrictions, the Dallas/Maxim DS5002 may be an acceptable (but less secure) alternative.

Atmel also has some chips that they claim to be secure, but I have not evaluated them in detail.

(I had some trouble finding pricing on the Dallas chips; if you get pricing, please post the information here.)

Guy Macon schrieb:

Hello,

Markus Kuhn has shown 1996 that the DS5002 is not very secure:

Bye

Thanks! Alas, I don't speak German; does the paper say whether they were able to extract the entire contents, and if so how long it took to do so?

known plaintext attack on the DS5002 80-bit proprietary algorithm by looking at the encrypted instruction in RAM and what he figured that the instruction might be from looking at it's effect on the I/O. The Dallas/Maxim DS5240/DS5250 uses DES or 3DES. As far as I know, DES is strong under a chosen plaintext attack and 3DES is even stronger. Also, the The Dallas/Maxim DS5240/DS5250 has 5K of internal Program/Data SRAM, so the engineer programming it should be able to make it difficult to associate a particular RAM access with a particular I/O operation.

Here is the patent for these chips and some other info I found.

Services like Babel-Fish or Systran will translate the web-pages for which you provide URL's. I prefer Systran but you have to register to use. If you need translation for a large number of documents they will begin to charge.

Its not very clear how long ( typical & worst case ) and therefore i am sceptical if at all. A RAM-emulator feeds the controller with data and hopes to identify the opcodes. Specifically an opcode that writes one of the 3 ports of the controller. Therefore apart from the RAM-emulator the external machine has to watch if these 3 ports change state. Several other opcodes are needed, but then one could present the controller with a very short program ( page 34 ) to copy the content of the memory byte for byte through the controller to the parallelport. Its not so clear how to get the other opcodes apart via trial & error. As the memorymap is scrambled too the actual system has to use FIFOs to feed the opcodes.

Actually Dallas claimed its inital non-DES has a longer key then DES and thereby is better.

There are some valid points:

• Encoding per byte or only opcode-length 1 - 3 bytes is not a good idea because it makes searching easier. But the usual controller is optimized for these short instructions.

• If the controller has to access program memory externally the speed has to be fast to give acceptable performance for the application. But that makes searching faster too. Requirements for controller and encryption collide head to head in a system with external program-memory.

Its claimed the DS5002 is used in ATMs ( automated teller machines ): Anderson, Bond "Cryptographic Processors - a Survey" IEEE proceedings

MfG JRD

Read the paper more carefully. 2500 attempts @ 300 attempts per second for the initial instruction is about 8.3 seconds, say 10. Another second to test all 256 co0mbinations of this byte and tabulate the results. Inserting NOPs before the instruction might take another 10 seconds or so per byte. Say 650,000 seconds for the entire address space. About 7.5 days worst case (say half that on average).

Cheers, Alf

And on which page of the report is that number ?

MfG JRD

Heree's the English translation

and the sequel:

Cheers, Alf

The orginal text is the Diplomarbeit ( not quite a Ph.D but somewhat similar ) from Kuhn, 31. July 1996. Its making no specific claims. Seems the hardware is ready, and some tests of the software are on the way.

Thats not the translation. Its a probably shortened version of: Ross Anderson, Markus Kuhn "Its Tamper Resistance - a Cautionary Note" The Second USENIX Workshop on Electronic Commerce Proceedings, 18. November 1996 ... It won the best paper award at that conference."

Here are specific claims indeed: "One of us (Kuhn) has designed and demonstrated an effective practical attack that has already yielded all the secrets of some DS5002FP based systems used for pay-TV access control and also broken a code lock provided as a challenge by the German Federal Agency for Information Technology Security (BSI)." "in fact we typically need less than 2,500 attempts." "The details will be presented in a separate publication, ..."

That text Anderson Kuhn "Low cost Attacks on Tamper Resistant Devices" refers only to Ross Anderson, Markus Kuhn "Its Tamper Resistance - a Cautionary Note" and contains no technical detail.

MfG JRD

..and, of course, the attacker can buy ten or a hundred of the devices and test them in parallel.

If every one has a different key ?

Anyway: if he has taken one secure module out of an ATM he has only one module.

MfG JRD

Sorry, the first number two numbers 2500 attempts and 300 attempts per second are from the paper, the numbers after "say" and "might" are my conservative (as the author says the process speeds up, though I can't quite see how) extrapolations.

Cheers, Alf.

Kuhn "Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP" IEEE Trans. Comp. Oct 1998

"After only a few hours preparation the author was able to extract the protected software from a DS5002FP Rev A based demonstration system that Peter Drescher from the German Information Security Agency (BSI) built as a challenge in July 1996"

Seems it actually worked.

MfG JRD

Guy Macon schrieb:

Hello,

here are some more publications in English:

May be you will find the information here:

• Markus G. Kuhn: Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP. IEEE Transactions on Computers, Vol. 47, No. 10, October 1998, pp. 1153-1157, ISSN 0018-9340.

# Ross J. Anderson, Markus G. Kuhn: Tamper Resistance -- a Cautionary Note, The Second USENIX Workshop on Electronic Commerce Proceedings, Oakland, California, November 18-21, 1996, pp. 1-11, ISBN 1-880446-83-9.

# Ross J. Anderson, Markus G. Kuhn: Low Cost Attacks on Tamper Resistant Devices, in M. Lomas et al. (ed.): Security Protocols, 5th International Workshop, Paris, France, April 7-9, 1997, Proceedings, LNCS 1361, Springer-Verlag, pp. 125-136, ISBN 3-540-64040-1.

Bye

I think you're right, parallel testing is unlikely to work.

Or, in the context of my original question, he has the capability to clone ATMs and sell as many ATMs as he wants in markets that are not as particular about copyrights as yous and mine.

Cheers, Alf.