Manipulating the smart card microcontroller
Manipulation and defense: altering the memory content of the smart card microcontroller

Directly reading the memory content of a microcontroller is a possible attack scenario whose danger can be appreciated at first glance. A similar scenario that is almost as strong a form of attack is intentionally altering the data content in a memory of the smart card microcontroller. This does not mean randomly introducing errors in the computation process of a cryptographic algorithm, which forms the basis of differential fault analysis (DFA), but instead selectively changing the values of certain bits or bytes in the ROM or EEPROM. Non-selective changes in all types of memory can be produced by (for example) exposing the module to X-rays or shining ultraviolet light on the exposed chip. EEPROM cells can be discharged by exposing them to ultraviolet light, which causes their contents to take on the value of the lowest-energy state. This process is exactly the same as erasing a conventional EPROM using an ultraviolet lamp. However, it cannot reasonably be used for an attack, since the attacker has no control over which EEPROM cells are switched. However, the ultraviolet lamp can be replaced by a collimated beam of light or light from a laser, and this can be focused to a fine point. This could certainly be used to alter the contents of individual memory cells. The advantage of using a laser is that it can supply enough power to also modify the contents of ROM cells. A focused ion beam can also be used in a similar manner to change the contents of memory cells.

The changes that are possible can certainly be used for theoretically effective attacks. For example, the random number generator could be manipulated such that it no longer produced random numbers, but instead always supplied the same value. If this were possible, authentication of the terminal by the smart card could be broken by a replay attack using a previously employed value.

It is certainly possible to imagine other types of attacks that could be carried out if the contents of specific memory bits could be intentionally modified. For example, all S-boxes of the DES algorithm could be intentionally changed to a uniform value of zero or one. This would mean that the DES algorithm would no longer act as an encryption algorithm, but only as a linear transformation [Anderson 96a]. If the exact location of the DES key in the EEPROM is known and it is also possible to modify individual bits in the EEPROM (using focused ultraviolet light, for example), it is naturally possible to utilize these conditions to mount an effective attack. This attack consists of setting an arbitrary bit of the key to 0 and then calling a command that uses the DES algorithm with the modified key. If the return code indicates a parity error in the key, the bit that has been modified was originally set to 1, while if no parity error is reported, the bit was already set to 0. The same procedure is then followed for the remaining 55 bits of the key, with the result that the secret key is known [Zieschang 98]. Many other types of attack along the same lines are possible, such as selectively modifying program processes or altering pointer values.

These attacks may look very simple and attractive on paper, but it would be very difficult to carry them out in actual practice. The necessary conditions for a successful attack are not exactly easy to achieve, so this type of attack remains an interesting but theoretical concept. In order to alter bits selectively, an attacker must have detailed knowledge of the physical addresses of the data and program code in the memory, and he must also know the scrambling and/or encryption schemes used for the memory in question. In addition, all data and routines that are significant with regard to security are protected using checksums that are always checked before using the data or routine. This means that the attacker would also have to selectively modify the checksum to match the modified data. You should also not overlook the fact that all protective layers covering the memory in question must be neutralized before any manipulation can take place. All of these considerations together reduce the attractiveness of this type of attack to almost nothing, even though it must be admitted that it sounds very attractive in theory.
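The following added illustration (not from the book, and not the code of any real card operating system) models the key-parity distinguisher described above and shows why the point about memory encryption holds: the same sequence of parity responses that reveals a plainly stored key only reveals the encrypted image when the key is stored XOR-masked with an unknown per-chip mask. The key, the mask and the simulated card are all constructed here.

```python
from typing import Callable, Optional

def des_key_parity_ok(key: bytes) -> bool:
    # Each of the 8 DES key bytes carries an odd-parity bit, so every byte must contain an odd number of 1 bits.
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def clear_bit(data: bytes, i: int) -> bytes:
    # Model the fault from the text: one stored bit is forced to 0 (bit 0 is the MSB of byte 0).
    out = bytearray(data)
    out[i // 8] &= 0xFF ^ (0x80 >> (i % 8))
    return bytes(out)

def make_card(key: bytes, mask: Optional[bytes]) -> Callable[[int], bool]:
    # Simulated card (hypothetical): the key sits in EEPROM either in clear (mask=None) or
    # XOR-encrypted with a per-chip mask that the card applies before using the key.
    # The returned "command" clears stored bit i and reports True if the key parity check fails.
    stored = key if mask is None else bytes(k ^ m for k, m in zip(key, mask))

    def command_with_bit_cleared(i: int) -> bool:
        faulted = clear_bit(stored, i)
        logical = faulted if mask is None else bytes(s ^ m for s, m in zip(faulted, mask))
        return not des_key_parity_ok(logical)

    return command_with_bit_cleared

def image_from_parity_responses(card: Callable[[int], bool]) -> bytes:
    # The procedure from the text: a parity error after clearing bit i means that stored bit was 1.
    # What this reconstructs is the *stored* image, which equals the key only if memory is unencrypted.
    bits = [1 if card(i) else 0 for i in range(64)]
    return bytes(int("".join(map(str, bits[j:j + 8])), 2) for j in range(0, 64, 8))

# Constructed values: a valid odd-parity DES key and an arbitrary per-chip memory mask.
KEY = bytes.fromhex("0123456789abcdef")
MASK = bytes.fromhex("a5c396f00f69c35a")

def unmasked_image() -> bytes:
    return image_from_parity_responses(make_card(KEY, None))

def masked_image() -> bytes:
    return image_from_parity_responses(make_card(KEY, MASK))
```

With clear storage the responses reproduce KEY bit for bit; with masked storage they reproduce KEY XOR MASK, which is useless to anyone who does not also know the chip's mask, which is exactly the "scrambling and/or encryption" knowledge the text says the attacker must additionally possess.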
