Attacks and defensive measures during production
Attacks during the production of chips or smart cards are typical insider attacks, since the production environments are closed. Access is strictly controlled, and every entry is logged. Nevertheless, security measures cannot be dispensed with in the production stage, since some technically very interesting and effective attacks can be carried out in this stage.

Protection: authentication during the finishing stage
Already at the wafer fabrication stage, smart card microcontrollers are individualized using chip numbers and protected using transport codes. With recent operating systems, the transport code is chip-specific, and authentication is a mandatory requirement for each access in the finishing process. Although this increases costs and the amount of time required to finish the chips, and naturally requires a security module for every machine, it considerably increases security. An obvious type of attack during finishing is to feed in dummy chips or dummy smart cards, which behave the same as genuine components but which, for example, include a ‘memory dump’ command. The earliest opportunity to replace a genuine chip with a dummy chip is of course after the wafer has been separated into individual dice. This type of attack can be illustrated using a smart card for digital signatures as an example. In this case, the attacker replaces a genuine smart card with a dummy card at the initialization stage. This card is then initialized with genuine data and afterwards personalized. Since this smart card has all the functions of a real smart card, the process for generating the key for the asymmetric cryptographic algorithm will also be executed by the microcontroller. It obtains the data needed for this from the initialization and personalization data. After this, the attacker must manage to recover possession of this card, and then he can read the secret signature key from the card using his special dump command. Since the associated public key has been signed by the trust center and is thus confirmed to be genuine, the attacker now knows everything necessary to produce as many duplicate cards as he wishes, all of which will be seen as genuine. This attack is unrealistic, since administrative measures are taken to prevent chips and smart cards from being taken into or removed from finishing stations. In addition, mandatory authentication between the smart card and the security module of the finishing machine before every finishing step makes it difficult to swap chips or cards.
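The following added example (not from the handbook, and not any manufacturer's finishing software) models the finishing-step authentication just described: the security module derives a chip-specific transport key from a master key and the chip number, challenges the chip before each step, and a dummy chip that lacks the right transport code receives no initialization data. The HMAC-based key derivation, the master key value and the chip number are constructed for this illustration.

```python
import hmac
import hashlib
import secrets

# Constructed example value: the master key lives only inside the finishing
# machine's security module (an HSM in practice), never on the chip.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def derive_transport_key(master_key: bytes, chip_number: bytes) -> bytes:
    """Chip-specific transport code derived from master key and chip number
    (HMAC-based derivation is an assumption made for this example)."""
    return hmac.new(master_key, b"transport:" + chip_number, hashlib.sha256).digest()


class Chip:
    """Smart card microcontroller: knows its chip number and transport key."""

    def __init__(self, chip_number: bytes, transport_key: bytes):
        self.chip_number = chip_number
        self._transport_key = transport_key
        self.initialization_data = []

    def respond(self, challenge: bytes) -> bytes:
        # Prove possession of the transport key without ever sending it.
        return hmac.new(self._transport_key, challenge, hashlib.sha256).digest()

    def load(self, record: bytes) -> None:
        self.initialization_data.append(record)


class SecurityModule:
    """Security module of the finishing machine; authenticates the chip
    before every finishing step so a swapped-in dummy chip gets no data."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key

    def authenticate(self, chip: Chip) -> bool:
        challenge = secrets.token_bytes(16)  # fresh per step, so replays fail
        key = derive_transport_key(self._master_key, chip.chip_number)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, chip.respond(challenge))

    def finishing_step(self, chip: Chip, record: bytes) -> bool:
        if not self.authenticate(chip):
            return False  # reject and log: chip lacks the correct transport code
        chip.load(record)
        return True
```

A chip built with a key derived from any other master key fails every step, even though it reports the same chip number as the genuine part.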

Attacks and defense measures while the card is in use
Access to the component to be attacked – the smart card – is usually much easier for the attacker after the smart card has been issued than in the previous phases of its life cycle. This is why the probability of attack is relatively high while the card is in use. The idea of a self-destroying smart card microcontroller appears again and again in many publications, as a sort of panacea against all sorts of attacks. There are hardware security modules, such as those used for military applications, in which such mechanisms are sometimes employed, but such a defensive measure is not possible in smart cards for a number of reasons. First of all, in the absence of external power a smart card has no way to recognize a potential attack, and there is no possibility of any sort of active defense mechanism, since the smart card does not have any reserve source of energy. Besides this, for purely legal reasons it would probably not be possible to impose a true self-destruction capability on cardholders. Who would be responsible for the loss or damage that might occur under unfavorable circumstances simply because a smart card has incorrectly destroyed itself? In addition, true self-destruction is not at all necessary, since in almost all cases it is sufficient to erase the secret keys stored in the card. There is yet another aspect to this subject, which relates to erasing keys or blocking smart cards. It is very difficult for a smart card to even recognize that it is being attacked. There is simply no sensor that can report ‘Attack! Erase everything!’ Too low a voltage or too high a clock rate could be a sign of an attack, but these situations also occur in normal operation due to unfavorable ambient conditions. Dirty or corroded contacts have high contact resistance and thus cause the operating voltage to be lower than normal. An excessive clock rate can be present in a smart card terminal that is intended to be used with cards that work at high clock rates. Since recognizing an actual attack is so difficult, and usually not even possible, automatic mechanisms for blocking the card or erasing the keys are usually not used.

In the following section, some types of attack that can be considered to be nearly ‘classic’ are described and explained. The descriptions of the attacks can be said to represent the ‘state of the art’. They are intended primarily to provide people who are inexperienced in the area of smart card security with a reasonably solid basic understanding, in order to prevent mechanisms that are already known to be vulnerable from being reused out of simple ignorance. These attacks can be foiled by the defensive measures described below, which in turn can be countered by slightly modified attack scenarios. This leads to the well-known cat and mouse game of measures and countermeasures for attacks and defenses. The scenarios presented here do not form an invitation to break the security of smart card systems, since without exception they are both known and published [Kommerling 99]. They do not represent any serious threat to the security of any contemporary smart card system, since they have long since been dealt with by suitable protective measures. However, a few years ago it would have been possible to achieve a certain amount of success using such scenarios. The attacks are divided into those that are directed against the chip hardware and those in which an attempt is made to break the smart card system at the logical level. The physical attacks and analysis methods can also be subdivided into static and dynamic types. In a static analysis, the chip is not operating, but it may be electrically powered. In a dynamic analysis, which is much more difficult to perform, the chip operates with its full range of functions during the analysis.