jasonk270
04-11-2008, 09:40 AM
I found this info surfing the web. It's not new news, but I've never heard it put this way and I thought it was rather funny.
Nobody will succeed in a glitch attack that dumps the EEPROM! Not in Nagra 2 or the P4 or even the new telephone smart cards... the reason being that the designers of smartcards are making the EEPROM accessible only through RSA encryption. Know the RSA key and you can request EEPROM contents. Don't know the RSA key, well then, you are out of luck. Buffer overflows and glitching attacks against the EEPROM won't work.

Think of the smartcard as a house. The front door is locked and only the person with the key can enter (RSA key). Now, think of the EEPROM as the cookie jar! In the old days, Dish and DTV would place the cookie jar (EEPROM) close to a window in the house. Then came along the cookie monster (hacker) who didn't have the RSA key to enter from the front door of the house. Instead, he broke the window and grabbed the cookies (glitch attack)! However, he had to break a lot of windows before finding the correct window (required a lot of experiments with clock timing and voltage amplitudes). Once he knew the correct window (determined exact clock glitch timing) he could just go to the next house (new smart card) and repeat the process.

Okay, so Dish and DTV got smart and moved the cookie jar to the basement where there are NO windows. Now, the cookie monster can still break all the windows (i.e. glitch attacks still work) but he can no longer reach the cookies because they are in the basement. Also, the cookie monster is too big to fit through any of the windows and get to the basement to get the cookies. As a further precaution, DTV boarded up all the windows in the house to prevent anyone from breaking them in the first place (no glitch attacks are possible at all). Dish, on the other hand, just moved the cookie jar away from the windows and didn't feel it was necessary to board them up.

So how do Dish and DTV communicate with the cookie jar (EEPROM)? That is simple! They have a slave locked in the house who knows the RSA decrypt key. Dish and DTV send encrypted letters through the mail slot of the door. The slave decrypts them and follows the instructions. The most important message that Dish and DTV will request is: "Does this house have access to a particular video channel? If yes, produce the video keys". Okay, so when the slave gets this request, he goes and checks the cookie jar in the basement to see if the "channel tiers" exist. If so, the slave says "YES" and video decryption proceeds. If not, then the slave says "NO" and the video is not decrypted.

So what can the cookie monster do? With DTV, nothing, because the windows have been completely boarded up. With Dish, he can still break the windows. And now, what he needs to do is hit the slave in the head with a rock (new kind of glitch attack) when he is making the decisions about whether to produce the video keys or not. If the cookie monster hits the slave in the head with the rock at the precise moment (clock glitches must be precisely timed), then it is possible the slave will get confused and produce the video keys when he shouldn't have!

But, you can all see that hitting the slave in the head with a rock is much, much more difficult than just breaking the window and grabbing the cookies like in the past!

The only other option the cookie monster has now is to pay a building contractor millions of dollars to remove the house from its foundation (i.e. microprobe the card with expensive scientific instruments) without destroying the basement! Then the cookie monster will finally have his jar of cookies (i.e. EEPROM dump)!
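The "rock to the head" part of the story is a fault on the firmware's entitlement check rather than on the EEPROM itself, and it is the part a card designer can actually do something about. The C model below is an added example written for this thread, not code from the post, from Dish, DTV or any card vendor: it plays the "slave" deciding whether to release video keys for a channel tier, models a glitch as a single bit flip on the value just read from EEPROM, and compares a plain 0/1 flag against a redundant flag stored with its bitwise complement. The EEPROM image, the constants ENTITLED and DENIED, and all function names are constructed for the example.

```c
/* Added example, not from the original post or any vendor's firmware: a
 * model of the "slave" (card firmware) deciding whether to release video
 * keys from the entitlement tiers in EEPROM. A single-bit fault on the value
 * just read models the "rock to the head"; the point is defensive: a plain
 * 0/1 flag turns any such fault into a grant, while a redundant flag with a
 * stored complement turns it into a detected tamper. All names, constants
 * and the EEPROM contents are constructed for the example. */
#include <stdint.h>
#include <stdio.h>

#define TIER_COUNT 4

enum verdict { REFUSE = 0, RELEASE_KEYS = 1, TAMPER_DETECTED = 2 };

/* Naive encoding: one byte per tier, 0 = not entitled, 1 = entitled.
 * Constructed image: entitled to tier 1 only. */
static const uint8_t eeprom_naive[TIER_COUNT] = { 0, 1, 0, 0 };

/* Hardened encoding: a flag byte with several bits set in both states
 * (so no single bit flip moves between ENTITLED and DENIED), stored
 * alongside its bitwise complement so corruption of either copy shows. */
#define ENTITLED 0xA5u
#define DENIED   0x3Cu
typedef struct { uint8_t flag; uint8_t flag_inv; } tier_rec;

static const tier_rec eeprom_hardened[TIER_COUNT] = {
    { DENIED,   (uint8_t)~DENIED   },
    { ENTITLED, (uint8_t)~ENTITLED },
    { DENIED,   (uint8_t)~DENIED   },
    { DENIED,   (uint8_t)~DENIED   },
};

/* Fault model: flip one bit (0..7) of a value sitting in a CPU register
 * after it was read from EEPROM; fault_bit < 0 means no fault. */
static uint8_t glitch(uint8_t v, int fault_bit) {
    return fault_bit < 0 ? v : (uint8_t)(v ^ (1u << fault_bit));
}

/* Fragile decision: any non-zero value is treated as "entitled". */
int decide_naive(int tier, int fault_bit) {
    uint8_t v = glitch(eeprom_naive[tier], fault_bit);
    return v != 0 ? RELEASE_KEYS : REFUSE;
}

/* Hardened decision: the flag must still agree with its stored complement
 * and must be exactly ENTITLED or DENIED; anything else is a tamper event,
 * which real cards typically answer by refusing and incrementing a counter. */
int decide_hardened(int tier, int fault_bit) {
    uint8_t f = glitch(eeprom_hardened[tier].flag, fault_bit);
    uint8_t g = eeprom_hardened[tier].flag_inv;
    if ((uint8_t)(f ^ g) != 0xFFu) return TAMPER_DETECTED;
    if (f == ENTITLED) return RELEASE_KEYS;
    if (f == DENIED)   return REFUSE;
    return TAMPER_DETECTED;
}

/* Sweep every single-bit fault on a tier the card is NOT entitled to and
 * count how many of them end in RELEASE_KEYS. */
int count_bypasses(int (*decide)(int, int), int tier) {
    int n = 0;
    for (int bit = 0; bit < 8; bit++)
        if (decide(tier, bit) == RELEASE_KEYS) n++;
    return n;
}

int main(void) {
    printf("no fault, tier 1 (entitled): naive=%d hardened=%d\n",
           decide_naive(1, -1), decide_hardened(1, -1));
    printf("no fault, tier 0 (denied):   naive=%d hardened=%d\n",
           decide_naive(0, -1), decide_hardened(0, -1));
    printf("single-bit faults on tier 0 that release keys: naive=%d hardened=%d\n",
           count_bypasses(decide_naive, 0), count_bypasses(decide_hardened, 0));
    return 0;
}
```

Run as written, the sweep reports that all eight single-bit faults on a denied tier make the naive check release keys, while the hardened check releases none and reports tamper instead. The model only covers one fault on the stored value; a glitch that skips the comparison instruction itself, or two faults landing on both copies, is outside it, which is why production cards layer further countermeasures on top of this one (evaluating the verdict twice, random timing jitter, and tamper counters that lock the card after repeated detections).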