RE: Grabbing the CORE of a Dallas DS-2250 and DS-5000

["Brass, Phil (ISS Atlanta)" <PBrass () iss net>]

There is some good text on secure processors in the book "Security
Engineering" by Ross Anderson.  Also, his website has links to work done by
one of his grad students, Mike Bond, on breaking most of the
cryptoprocessors out there.  

Here http://www.cl.cam.ac.uk/users/mkb23/research/API-Attacks.pdf is the
paper on the topic.  

The basic idea is that the cryptoprocessor has some secrets, and it lets you
specify some cryptographic algorithms to run.  The idea is that you specify
really bad algorithms, which leak lots of key material everywhere, and there
you have it.

Good luck!

Phil

> -----Original Message-----
> From: Holmes, Ben [mailto:Ben.Holmes () getronics com]
> Sent: Friday, March 01, 2002 3:06 AM
> To: pen-test () securityfocus com; forensics () securityfocus com
> Subject: Grabbing the CORE of a Dallas DS-2250 and DS-5000
>
>
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> I have been given the (possibly hard) task of extracting the core
> program from a Dallas DS-2250 chip.  The chip is part of a currency
> validation device and we are assessing its security.
>
> In the same family is a Dallas DS 5000, info on this chip 
> would also do.
> As far as I know, the chip is not using any external RAM.  The chip is
> battery backed.
>
> At the heart of this processor is a piece of software that 
> defines what
> it is looking for in the currency.  Basically, if I can get this piece
> of software from this "secure processor" I can show the system to be
> "not completely 100% secure".
>
> Apparently the chip has safeguards against extracting this, and it can
> wipe the data, in this case I class that as "failed".
>
> Please don't just point me to resources on the web and tell me that I
> can disassemble the chip layer-by-layer, as this is not an option,
> however resources on the web where protocol or encryption 
> based attacks
> can be used would be great!
>
> The chip can be interrogated and the software can be uploaded and
> downloaded somehow, that is how I have to do it!  I have 
> access to some
> excellent electronics hardware and software techs and a full 
> electronics
> workshop.
>
> If anyone has had any experience with this sort of thing, could you
> please respond.
>
> Basically though I get almost no chance for error, one slip 
> and the chip
> wipes itself!
>
> I really prefer pen-tests on Windows NT :)
>
> - -- Benjamin Holmes
> Getronics, Brisbane.
>
> E&OE. All spelling and grammatical errors are for your enjoyment and
> entertainment only and are copyright Benjamin Holmes.  This message is
> guaranteed free of exotic diseases. This e-mail message and any
> attachments are confidential and may be privileged.  If you 
> are not the
> intended recipient, please notify me immediately by replying to this
> message and please destroy all copies of this message and attachments.
> Please also try to forget everything you have read that was 
> contained in
> this E-Mail message, except this part, and you may not copy it. Thank
> you.  
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
> Comment: Pee Gee Peeeeee!
>
> iQA/AwUBPH82V3LvuelW5gClEQI4WQCgx0IASVqebKJSrfpcPeAqp7gp8dAAn3GH
> VPG9lS6UV+7Qz8/sJ5ha+iyk
> =AF+c
> -----END PGP SIGNATURE-----
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus Security 
> Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security 
> vulnerabilities please see:
> https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/