Physical security of v1.2 Crypto Stick?

I was recently viewing a fascinating series of videos from the 2010 Black Hat conference regarding hacking smartcard chips. The link to this video series is mentioned on the Crypto Stick website.

In summary, the speaker was demonstrating how he was able to access the smartcard CPU die and, by using probes and other methods, get the chip to reveal its secrets. It turns out that many smartcards aren’t terribly secure against physical attack from an informed, dedicated, and skilled adversary with suitable equipment.

I suspect that I am unlikely to face such an adversary, but it still prompts me to raise the following questions:

  1. How are keys stored on the v1.2 Crypto Stick? (That is, are they written in plaintext to storage? Are they encrypted in storage?)

  2. How are the CPU and relevant circuits physically protected internally? (I am no expert, but the speaker suggests that there are a variety of means of physically protecting the CPU such as putting metal mesh over the circuits.)

  3. There does not appear to be any external physical protection (for example, encasing chips and circuits in epoxy) of the Crypto Stick circuits and components that are visible through the transparent plastic case. Is such protection being considered in the future?

On a computer, GnuPG protects the private key using a symmetric cipher with a key derived from the user’s passphrase. If an adversary acquires one’s private key file, it would be extremely difficult for them to make use of it without knowledge of the passphrase. However, if the private key is stored unencrypted on the Crypto Stick or other OpenPGP smartcard (even if the cards use a PIN to deny use of the key through ordinary communication channels), the key is vulnerable to being read off the card’s storage if the adversary can physically access the internals of the chip.

crypto-stick.com/en/introduction lists features of the Crypto Stick, including “Tamper-proof design prevents sophisticated physical attacks with laboratory equipment.”, “Secret keys are always stored securely inside the Crypto Stick. Their extraction is impossible. All sensitive cryptographic operations are computed in the Crypto Stick.”, and “High security due to embedded smart card which is based on Common Criteria 5-high certification.” – are there any resources that detail these protective measures and certification?

Cheers!
-Pete

Hi Pete, thanks for your question.

The Crypto Stick contains an OpenPGP Card. You can think of it as a USB smart card adapter combined with one OpenPGP Card. The secret cryptographic keys are stored in the OpenPGP Card and not in the separate microcontroller or memory. The OpenPGP Card is not developed or produced by us but we buy it from the vendor. It contains a number of security controls, see the datasheet nxp.com/documents/short_data_sheet/P5CX012_02X_40_73_80_144_FAM_SDS.pdf for details. In smart cards usually a whole bunch of diverse security controls are applied. You name them: memory encryption, metal mesh, diverse disguising etc. The source code and design details of the OpenPGP Card are not published so that we can’t give you an in-depth answer. This seems to be unfortunate from our open source perspective but it is best practice in the smart card industry. In fact I don’t think you will find any serious smart card with details published. In the future we might develop our own smart card in order to publish its source code.

Using epoxy to physically protect the device is planned for the next version. Note that this increases the security only slightly (An attacker who is able to hack the smart card should also be able to remove the epoxy easily).

Hi Jan,

Interesting. My view of the internals of the Crypto Stick is limited to the one transparent side (the other side has a label that covers much of the interior) – the transparent side has the ST ARM CPU (which, based on your description, I assume handles the USB communications and other non-crypto stuff), an oscillator, some resistors and capacitors, and an IC labeled “VS 05”. However, the VS 05 IC doesn’t seem to match the physical description that the datasheet provides and I don’t want to void my warranty the day after I received the Crypto Stick by taking it apart!

The data sheet you provided is quite interesting, and mentions that it uses encryption and physical security to protect the RAM, EEPROM, and ROM. I hope that means that such measures are always in use, rather than merely an option. I’d love to see the folks at Flylogic have a go at it. :)

As for the epoxy, I assume that any adversary who knows what they’re doing could remove the epoxy easily, but it keeps honest people honest.

Cheers!
-Pete

Correct.