ISO/IEC TS 30104:2015
Information Technology - Security Techniques - Physical Security Attacks, Mitigation Techniques and Security Requirements
Physical security mechanisms are employed by cryptographic modules where the protection of the module's sensitive security parameters is desired. ISO/IEC TS 30104:2015 addresses how security assurance can be stated for products where the risk of the security environment requires the support of such mechanisms. This Technical Specification addresses the following topics:
- a survey of physical security attacks directed against different types of hardware embodiments including a description of known physical attacks, ranging from simple attacks that require minimal skill or resources, to complex attacks that require trained, technical people and considerable resources;
- guidance on the principles, best practices and techniques for the design of tamper protection mechanisms and methods for the mitigation of those attacks; and
- guidance on the evaluation or testing of hardware tamper protection mechanisms and references to current standards and test programs that address hardware tamper evaluation and testing.
The information in ISO/IEC TS 30104:2015 is useful for product developers designing hardware security implementations, and testing or evaluation of the final product. The intent is to identify protection methods and attack methods in terms of complexity, cost and risk to the assets being protected. In this way cost effective protection can be produced across a wide range of systems and needs.
Technologies de l'information — Techniques de sécurité — Attaques de sécurité physique, techniques d'atténuation et exigences de sécurité
General Information
- Status: Published
- Publication Date: 20-May-2015
- Current Stage: 9093 - International Standard confirmed
- Start Date: 26-Sep-2025
- Completion Date: 30-Oct-2025
Overview
ISO/IEC TS 30104:2015 - Information Technology - Security Techniques - Physical Security Attacks, Mitigation Techniques and Security Requirements - is a Technical Specification that documents physical security threats to hardware cryptographic modules and provides guidance for designing, testing and stating security assurance where physical protection is required. The specification surveys known physical attacks and describes mitigation techniques, tamper protection design principles, and approaches to evaluation and testing for hardware tamper protection.
Key topics
- Threat survey: Descriptions of physical attack classes against different hardware embodiments, from low-skill/simple methods to complex, resource‑intensive attacks (e.g., machining methods, shaped-charge, energy-based and environmental attacks).
- Tamper concepts: Clear distinctions and guidance on tamper-resistant, tamper-evident, tamper-detection, tamper-proof, and tamper-responding mechanisms.
- Defence techniques: Best practices for layered and mixed systems, sensor technologies, tamper response strategies and design trade-offs (size, weight, cost vs. protection).
- Operating envelope: Guidance on defining the intended physical and environmental conditions under which security claims apply.
- Lifecycle considerations: Development, delivery and operational topics including functional test/debug, security testing, factory-installed keys, packaging and delivery verification.
- Evaluation and testing: Guidance on test methods and references to relevant standards and test programs for hardware tamper evaluation.
Practical applications
- Design of secure hardware devices that store or process sensitive security parameters (for example, HSMs, secure elements, payment terminals, IoT security modules).
- Creating cost-effective, layered tamper protection aligned with risk, complexity and asset value.
- Preparing products for conformity assessment and certification by documenting tamper protections and supporting evaluation evidence.
- Informing security testing and red-team exercises focused on physical attack vectors.
Who uses this standard
- Hardware and firmware designers, security architects and product developers building cryptographic modules.
- Test laboratories, evaluators and certification bodies assessing physical security claims.
- Risk managers and procurement teams specifying tamper protection requirements for deployed devices.
Related standards
ISO/IEC TS 30104 references and complements established evaluation and testing frameworks such as:
- FIPS PUB 140-2 and derived test requirements
- ISO/IEC 19790:2012 and ISO/IEC 24759:2014 (cryptographic module requirements and tests)
- ISO/IEC 15408 (Common Criteria) family and ISO/IEC 18045
- Cryptographic Module Validation Programs (e.g., NIST/CSE) and Common Criteria schemes
ISO/IEC TS 30104:2015 is a practical resource for aligning hardware security design and testing with realistic threat models and standardized evaluation practices.
Frequently Asked Questions
ISO/IEC TS 30104:2015 is a technical specification published by the International Organization for Standardization (ISO). Its full title is "Information Technology - Security Techniques - Physical Security Attacks, Mitigation Techniques and Security Requirements".
ISO/IEC TS 30104:2015 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.
Standards Content (Sample)
TECHNICAL SPECIFICATION ISO/IEC TS 30104
First edition
2015-05-15
Information Technology — Security Techniques — Physical Security Attacks, Mitigation Techniques and Security Requirements
Technologies de l’information — Techniques de sécurité — Attaques de sécurité physique, techniques d’atténuation et exigences de sécurité
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Physical security
6 Physical security invasive mechanisms
6.1 Overview
6.2 Tamper proof
6.3 Tamper resistant
6.4 Tamper detection
6.5 Tamper evident
6.6 Additional physical security considerations
6.6.1 Summary
6.6.2 Size and weight
6.6.3 Mixed and Layered Systems
7 Physical security invasive attacks and defences
7.1 Overview
7.2 Attacks
7.2.1 Attack mechanisms
7.2.2 Machining methods
7.2.3 Shaped charge technology
7.2.4 Energy attacks
7.2.5 Environmental conditions
7.3 Defences
7.3.1 Overview
7.3.2 Tamper resistant
7.3.3 Tamper evident
7.3.4 Tamper detection sensor technology
7.3.5 Tamper responding
8 Physical security non-invasive mechanisms
8.1 Overview
8.2 Mixed and Layered Systems
9 Physical security non-invasive attacks and defences
9.1 Overview
9.2 Attacks
9.2.1 Overview
9.2.2 External Probe attacks
9.2.3 External EME attacks
9.2.4 Timing analysis
9.3 Defences
10 Operating Envelope Concept
11 Development, delivery and operation considerations
11.1 Introduction
11.2 Development
11.2.1 Functional test and debug
11.2.2 Security testing
11.2.3 Environmental testing
11.2.4 Factory installed keys or security parameters
11.3 Delivery
11.3.1 Documentation
11.3.2 Packaging
11.3.3 Delivery verification
11.4 Operation
11.4.1 Overview
11.4.2 Implementation feedback
11.4.3 Feedback during attack
12 Physical security evaluation and testing
12.1 Overview
12.2 Standards
12.2.1 FIPS PUB 140-2, Security Requirements for Cryptographic Modules
12.2.2 Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules
12.2.3 ISO/IEC 19790:2012, Information technology — Security techniques — Security requirements for cryptographic modules
12.2.4 ISO/IEC 24759:2014 Information technology — Security techniques — Test requirements for cryptographic modules
12.2.5 ISO/IEC 15408-1:2009, Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model
12.2.6 ISO/IEC 15408-2:2008, Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components
12.2.7 ISO/IEC 15408-3:2008, Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components
12.2.8 ISO/IEC 18045:2008, Information technology — Security techniques — Methodology for IT security evaluation
12.3 Programs and schemes
12.3.1 NIST and CSE Cryptographic Module Validation Program
12.3.2 Japan Cryptographic Module Validation Program
12.3.3 Korea Cryptographic Module Validation Program
12.3.4 Common Criteria
Annex A (informative) Example of a physical security design
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT), see the following URL: Foreword — Supplementary information.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, Security
techniques.
Introduction
The protection of sensitive information does not rely solely on the implementation of software
mechanisms employing cryptographic techniques, but also relies significantly on appropriate hardware
implemented security devices that employ tamper detection and protection of critical security
parameters (e.g. cryptographic keys, authentication data, etc.).
This is especially relevant for devices that may be installed, deployed or operated in hostile, untrusted,
or non-secure environments, or for devices that contain high-value data assets.
An attacker may not be motivated by the economic value or the successful access to sensitive information,
but simply the challenge of compromising a design or system that has been advertised as “secure”. The
challenge to break the design gives such an attacker instant fame and recognition amongst peer groups.
Currently, much of the information in this area originates from disparate sources, may not be presented
consistently, and may not address appropriate evaluation and testing techniques.
TECHNICAL SPECIFICATION ISO/IEC TS 30104:2015(E)
Information Technology — Security Techniques — Physical
Security Attacks, Mitigation Techniques and Security
Requirements
1 Scope
Physical security mechanisms are employed by cryptographic modules where the protection of the
module's sensitive security parameters is desired. This Technical Specification addresses how security
assurance can be stated for products where the risk of the security environment requires the support of
such mechanisms. This Technical Specification addresses the following topics:
— a survey of physical security attacks directed against different types of hardware embodiments
including a description of known physical attacks, ranging from simple attacks that require minimal
skill or resources, to complex attacks that require trained, technical people and considerable
resources;
— guidance on the principles, best practices and techniques for the design of tamper protection
mechanisms and methods for the mitigation of those attacks; and
— guidance on the evaluation or testing of hardware tamper protection mechanisms and references to
current standards and test programs that address hardware tamper evaluation and testing.
The information in this Technical Specification is useful for product developers designing hardware
security implementations, and testing or evaluation of the final product. The intent is to identify protection
methods and attack methods in terms of complexity, cost and risk to the assets being protected. In this
way cost effective protection can be produced across a wide range of systems and needs.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 15408 (all parts), Information technology — Security techniques — Evaluation criteria for IT
security
ISO/IEC 19790, Information technology — Security techniques — Security requirements for cryptographic
modules
ISO/IEC 24759, Information technology — Security techniques — Test requirements for cryptographic
modules
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19790 and ISO/IEC 24759
apply and are duplicated here for reference.
NOTE Definitions followed by a reference in square brackets are taken verbatim from ISO/IEC 19790:2012
or ISO/IEC 24759:2014. All other terms and definitions are adapted from those in ISO/IEC 19790:2012 or
ISO/IEC 24759:2014.
3.1
compromise
unauthorised disclosure, modification, substitution, or use of critical security parameters or the
unauthorised modification or substitution of public security parameters
[SOURCE: ISO/IEC 19790:2012, 3.13]
3.2
conformal coating
material that may be applied in layers or in various thicknesses that adhere directly to the electronic
components or printed circuit boards and provide a hard coating that deters machining, probing, energy
or chemical attacks
3.3
critical security parameter
CSP
security related information whose disclosure or modification can compromise the security of a
cryptographic module
[SOURCE: ISO/IEC 19790:2012, 3.18]
EXAMPLE Secret and private cryptographic keys, authentication data such as passwords, PINs, certificates
or other trust anchors.
Note 1 to entry: A CSP can be plaintext or encrypted.
3.4
cryptographic boundary
explicitly defined perimeter that establishes the boundary of all components (i.e. set of hardware,
software, or firmware) of the cryptographic module
[SOURCE: ISO/IEC 19790:2012, 3.21]
3.5
cryptographic module
module
set of hardware, software, and/or firmware that implements security functions and are contained
within the cryptographic boundary
[SOURCE: ISO/IEC 19790:2012, 3.25]
3.6
differential power analysis
DPA
analysis of the variations of the electrical power consumption of a cryptographic module, for the purpose
of extracting information correlated to a cryptographic operation
[SOURCE: ISO/IEC 19790:2012, 3.29]
3.7
environmental failure protection
EFP
use of features to protect against a compromise of the security of a cryptographic module due to
environmental conditions outside of the module’s normal operating range
[SOURCE: ISO/IEC 19790:2012, 3.39]
3.8
environmental failure testing
EFT
use of specific methods to provide reasonable assurance that the security of a cryptographic module
will not be compromised by environmental conditions outside of the module’s normal operating range
[SOURCE: ISO/IEC 19790:2012, 3.40]
3.9
firmware
executable code of a cryptographic module that is stored in hardware within the cryptographic boundary
and cannot be dynamically written or modified during execution while operating in a non-modifiable or
limited operational environment
[SOURCE: ISO/IEC 19790:2012, 3.45]
EXAMPLE Storage hardware can include but is not limited to PROM, EEPROM, FLASH, solid state memory,
hard drives, etc.
3.10
hardware
physical equipment/components within the cryptographic boundary used to process programs and
data
[SOURCE: ISO/IEC 19790:2012, 3.50]
3.11
passivation
effect of a reactive process in semiconductor junctions, surfaces or components and integrated circuits
constructed to include means of detection and protection
[SOURCE: ISO/IEC 19790:2012, 3.87]
EXAMPLE Silicon dioxide or phosphorus glass.
Note 1 to entry: Passivation can modify the behaviour of the circuit. Passivation material is technology dependent.
3.12
physical protection
safeguarding of a cryptographic module, CSPs and PSPs using physical means
[SOURCE: ISO/IEC 19790:2012, 3.90]
3.13
production-grade
product, component or software that has been tested to meet operational specifications
[SOURCE: ISO/IEC 19790:2012, 3.95]
3.14
physical security invasive attacks
attacks that involve a physical alteration to the implementation that may also cause an operating
aberration different from normal operation
3.15
physical security non-invasive attacks
attacks that do not involve a physical alteration to the implementation or cause an operating aberration
different from normal operation
3.16
removable cover
physical means which permits an intentionally designed non-damaging access to the physical contents
of a cryptographic module
[SOURCE: ISO/IEC 19790:2012, 3.101]
3.17
sensitive security parameters
SSP
critical security parameters (CSP) and public security parameters (PSP)
[SOURCE: ISO/IEC 19790:2012, 3.110]
3.18
simple power analysis
SPA
direct (primarily visual) analysis of patterns of instruction execution (or execution of individual
instructions), in relation to the electrical power consumption of a cryptographic module, for the purpose
of extracting information correlated to a cryptographic operation
[SOURCE: ISO/IEC 19790:2012, 3.114]
3.19
software
executable code of a cryptographic module that is stored on erasable media which can be dynamically
written and modified during execution while operating in a modifiable operational environment
[SOURCE: ISO/IEC 19790:2012, 3.116]
EXAMPLE Erasable media can include but is not limited to solid state memory, hard drives, etc.
3.20
tamper detection
automatic determination by a cryptographic module that an attempt has been made to compromise the
security of the module
[SOURCE: ISO/IEC 19790:2012, 3.125]
3.21
tamper evidence
observable indication that an attempt has been made to compromise the security of a cryptographic
module
[SOURCE: ISO/IEC 19790:2012, 3.126]
3.22
tamper response
automatic action taken by a cryptographic module when tamper detection has occurred
[SOURCE: ISO/IEC 19790:2012, 3.127]
3.23
TEMPEST
codename by the US National Security Agency to secure electronic communications equipment from
compromising emanations, which, if intercepted and analysed, may disclose the information transmitted,
received, handled, or otherwise processed
3.24
timing analysis
TA
analysis of the variations of the response or execution time of an operation in a security function, which
may reveal knowledge of or about a security parameter such as a cryptographic key or PIN
3.25
zeroisation
method of destruction of stored data and unprotected SSPs to prevent retrieval and reuse
[SOURCE: ISO/IEC 19790:2012, 3.134]
4 Symbols and abbreviated terms
For the purposes of this document, the abbreviated terms given in ISO/IEC 19790 or ISO/IEC 24759
apply and are duplicated here for reference.
EDC Error Detection Code
EFP Environmental Failure Protection
EFT Environmental Failure Testing
EME Electro-Magnetic Emanation
HDL Hardware Description Language
IC Integrated Circuit
PROM Programmable Read-Only Memory
RAM Random Access Memory
ROM Read-Only Memory
5 Physical security
Traditionally the term ‘physical security’ has been used to describe protection of material assets such as
cash, jewellery, bonds, etc. from fire, water damage, theft, or similar perils. However on-going concerns
in computer security have caused physical security to take on a new meaning: technologies and
protocols used to safeguard information against physical attack. This information can be anything from
a spreadsheet work file to cryptographic keys which are used to protect other files. This information
can be stolen without being physically removed from where it is kept. If information can be accessed, it
can simply be copied.
Physical security is a barrier placed around a computing system to deter unauthorized physical access.
Physical access can be accomplished by either invasive or non-invasive techniques. This concept is
complementary to both logical and environmental security. Logical security describes the mechanisms
by which operating systems, security protocols and other software prevent unauthorized access to data.
Environmental security describes the procedures that limit or prevent unauthorised physical access of
a computing system by virtue of location such as guards, cameras, fences, structures, etc. Operational
security depends on both the environmental security attributes of the environment in which the computing
system or device will operate and on the physical and logical security attributes of the computing system itself.
It may be reasonable for an individual to have access to a location (environmental security) and not to
have access to the information stored on a computing system in that environment (physical and logical
security). Physical security is increasingly important because advances in technology have reduced the
footprint of what historically were large and complex computing systems to both smaller and mobile
devices (e.g. tablet computing devices, smart phones and mobile memory tokens). These historically
complex and compute intensive systems, and their system unique applications with large data storage
mechanisms, are transitioning out of environmentally secure computer rooms and into less secure
offices and homes. They are being migrated on to distributed, cloud-based data platforms and mobile
devices where the physical location of the data may be uncertain. If the environment of the deployed
computing system provides a measured level of protection, then the level of physical protection of the
computing system itself may reduce to a simple tamper detection mechanism (e.g. to detect an insider
attack), or may not be necessary at all. By contrast, sensitive information held on a portable device
such as a smart card, smart phone or similar device, if lost or misplaced, would require much stronger
physical protection. At the same time, the value of the cryptographic critical security parameters (e.g.
cryptographic keys) and similar sensitive security parameters which provide access control to data on
these computing systems is increasing as centralization decreases. The motivation to attack computing
systems is increasing because the rewards for doing so are increasing.
For physical security to be effective the following criteria must be met: in the event of an attack, there
should be a low probability of success and a high probability of detection either during the attack, or
subsequent to penetration.
Physical security systems to protect sensitive data can make unauthorised access to the data difficult,
as a bank vault makes stealing cash a daunting task (tamper resistant). They can trigger mechanisms to
thwart the attack, much like an alarm system (tamper detection). They can make an attempted attack
apparent so that subsequent inspection will show an attack had been attempted (tamper evident).
Physical security systems can be defined as providing protection against either invasive or non-
invasive attacks. Physical security invasive attacks are attacks that involve a physical alteration to the
implementation that may also cause an operating aberration different from normal operation. Physical
security non-invasive attacks are attacks that do not involve a physical alteration to the implementation
or cause an operating aberration different from normal operation.
Classification systems have been proposed, accepted and put into use that evaluate or test computing
systems according to criteria that measure the difficulty of mounting a successful attack. However many
of the methods for evaluation and testing may not lead to comparable results due to the lack of defined
evaluation or test methods, scope of the applied methods or the consistency and competence of the
evaluators or testers. This has led to the advancement of physical security and evaluation and testing
standards; these standards have become accepted as they provide a baseline of repeatable, consistent
and comparable results while at the same time the standards are being rigorously and publicly evaluated.
These standards led organizations and national bodies to develop evaluation and testing programs to
certify or validate implementations to this baseline level of assurance.
6 Physical security invasive mechanisms
6.1 Overview
A variety of physical security techniques are currently employed to protect hardware implementations.
The physical security mechanisms must address a wide range of different technology implementations,
use environments and attack scenarios. This field is increasingly recognized in the commercial market
as users, both business and private individuals, request such features as they have become increasingly
aware of the need to protect their sensitive information. Governments have been working on this problem
for decades as applied to the protection of information for both unclassified and classified domains.
The amount of sensitive, but unclassified, information that governments must protect can be vast, as
it includes (but is not limited to) health records, tax records, law enforcement records, business records
(e.g. procurements or bids), communications, transaction records, and voter information. National and
International standards have been developed to address various levels of physical security assurance
which in many cases coincide with the use of cryptographic protocols which require the protection of
the critical security parameters (e.g. cryptographic keys, access credentials, etc.). The ways and means
described here are not an exhaustive list, nor are they represented as ultimate methods.
Development is continuing in both the protection methods and the attack methods. Any evaluation
or testing of appropriateness of a physical security system is time dependent and must be repeated
periodically. For example ISO standards are re-evaluated at five-year intervals.
6.2 Tamper proof
Tamper proof systems are largely theoretical and unachievable as an implementation. Practical methods
to analyse and test a system against all known attacks and possible emergent attacks are prohibitively
costly and time consuming as there are no clear metrics to determine if the system is truly tamper proof.
Such systems are only tamper proof until a successful attack is devised and accomplished.
6.3 Tamper resistant
Tamper resistant systems take the “bank vault” approach. This type of system is typified by the outer
case design of an automated teller machine. Thick steel or other robust materials are utilized to slow
down the attack by requiring powerful tools and great effort to breach the system. This type of system
can be used in many environments and sometimes has the advantage of being so physically heavy (as in
automated teller machines), that it resists theft by sheer weight. However, on-going thefts of automated
teller machines by thieves using towing chains and four-wheel drive vehicles indicate that ATMs relying
solely on this type of protection are no longer sufficiently tamper resistant. A system that is only
tamper resistant has the disadvantage that the owner may not be aware of the loss until the break-in is
discovered. An attacker may be able to replace any material that had been removed or altered to remove
evidence of an attack.
Tamper resistant physical security is usually the easiest to apply. Steel cases and locks are well-known
technologies and are easily manufactured. Weight and bulk can be a problem or benefit, depending on
the application.
Complexity or size can be another variety of tamper resistance. Single chip implementations of secure
devices have a certain level of physical security due to the small size of the features and the complexity
involved in determining which part of a circuit performs which function. However, this has become a
race between defenders and attackers as the equipment and skills needed to work with semiconductor
devices at the microscopic level are becoming commonly available at universities and technology centres.
As technologies and circuit densities continue to improve, current layout and placement techniques
make discernment of the circuit details even more difficult.
6.4 Tamper detection
Tamper detection systems use the burglar alarm approach. The defence is the detection of the intrusion
followed by a response to protect the asset. In the case of attended systems the response may consist of
sounding an alarm.
Erasure or destruction of secret data is sometimes employed to prevent theft in the case of isolated
systems which cannot depend on outside response. Tamper detection systems do not depend on robust
construction or weight to guard an asset. Therefore, they are good for portable systems or other systems
where size and bulk are a disadvantage.
6.5 Tamper evident
Tamper evident systems are designed to ensure that if a break-in occurs, evidence of the break-in is left
behind. This is usually accomplished by chemical or chemical/mechanical means, such as a white paint
that ‘bleeds’ red when cut or scratched, or tape or seals that show evidence of removal. This approach
can be very sensitive to even the smallest of penetrations. Frangible (brittle, breakable) covers or seals
are other methods using currently available technology.
These systems are not designed to prevent an attack or to respond to the indication that one is in
progress. Their job is to ensure that the fact of a break-in will remain known and can be ascertained at
a later time. An audit policy must exist, and be adhered to, for a tamper evident system to be effective;
otherwise it may not be known if, or when, the system was breached.
NOTE If no one looks for the evidence of tampering, that evidence will never be found.
6.6 Additional physical security considerations
6.6.1 Summary
Some of the properties of specific methods of physical security in the prior sub-clauses were included
with the introduction of each type. Additional points are considered in the following sub-clauses. Each
system must be examined to determine the correct protection mechanism.
6.6.2 Size and weight
The size and weight implications of a potential physical security design must be considered in the light
of the application. Thick steel would not be a good idea for a portable system. A lightweight system
would not be effective for an automated teller machine, as it would allow the system to be carried away
more easily.
6.6.3 Mixed and Layered Systems
In many cases a security system can be made substantially more secure by using more than one layer
and more than one kind of system.
For example, a typical safety deposit vault has steel walls, an alarm system, and a high quality vault
lock. These methods might seem sufficient, but the individual safety deposit boxes have significant locks
as well. The individual locks serve two purposes. They provide a second layer of general security by
requiring an attacker to break into each box individually after breaking into the vault. The locks on the
individual boxes also serve as an additional authorization/authentication process which requires an
individual to possess the correct key to open the box.
In many cases tamper response is coupled with a tamper resistant design. If the attacker appears to
be making progress in thwarting the tamper envelope, the device would respond by zeroising internal
sensitive security parameters or data before the envelope is compromised.
Similarly, a layer of tamper evident security placed over a layer of tamper resistance or tamper response
can prevent an attack that might be attempted over a period of days. A regular audit may turn up
indications of tampering before the system is fully breached and allow additional measures to be taken
before the attack is completed.
Multiple layers of security also make the attack more difficult in general. The requirement for two
different kinds of tools, skills, etc., may not make the two-layered system twice as difficult to attack, but
it does increase the difficulty.
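The tamper response described above (zeroising sensitive security parameters before the envelope is compromised) can be sketched in firmware-style C. This is an added example, not part of ISO/IEC TS 30104; the event names, weights, threshold and the 0xA5 sample key are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical sensor events and weights; a real design derives them from its envelope. */
enum tamper_event { EV_VIBRATION, EV_TEMP_EXCURSION, EV_OUTER_LAYER_BREACH };
enum device_state { ST_OPERATIONAL, ST_ALERT, ST_ZEROISED };
#define ZEROISE_THRESHOLD 3u

struct secure_module {
    enum device_state state;
    unsigned suspicion;   /* accumulated evidence that an attack is in progress */
    uint8_t ssp[32];      /* sensitive security parameter, e.g. a key */
};

/* Write through a volatile pointer so the compiler cannot optimise the wipe away. */
static void zeroise(void *buf, size_t len)
{
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

/* Feed one sensor event. ST_ZEROISED latches: later events cannot undo it. */
enum device_state tamper_step(struct secure_module *m, enum tamper_event ev)
{
    if (m->state == ST_ZEROISED) return m->state;
    /* Weak signals add up; a breached outer layer is decisive on its own. */
    m->suspicion += (ev == EV_OUTER_LAYER_BREACH) ? ZEROISE_THRESHOLD : 1u;
    if (m->suspicion < ZEROISE_THRESHOLD) return m->state = ST_ALERT;
    zeroise(m->ssp, sizeof m->ssp);   /* wipe before the inner envelope is reached */
    return m->state = ST_ZEROISED;
}

/* Run a constructed trace; returns final state, or -1 if the SSP disagrees with it. */
int run_trace(const enum tamper_event *evs, size_t n)
{
    struct secure_module m = { ST_OPERATIONAL, 0, {0} };
    int cleared = 1;
    memset(m.ssp, 0xA5, sizeof m.ssp);    /* constructed sample key */
    for (size_t i = 0; i < n; i++) tamper_step(&m, evs[i]);
    for (size_t i = 0; i < sizeof m.ssp; i++) if (m.ssp[i]) cleared = 0;
    return ((m.state == ST_ZEROISED) == cleared) ? (int)m.state : -1;
}

int main(void)
{
    const enum tamper_event trace[] = { EV_VIBRATION, EV_OUTER_LAYER_BREACH };
    return run_trace(trace, 2) == ST_ZEROISED ? 0 : 1;
}
```

The latch matters as much as the wipe: once zeroised, the module must not return to an operational state on its own, otherwise an attacker could quiet the sensors and continue.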
7 Physical security invasive attacks and defences
7.1 Overview
The following sub-clauses describe different methods of invasive physical attacks that may be
attempted upon computing systems, as well as the defence mechanisms that can be useful in deterring
or detecting such attacks. Examples will explore existing and contemplated attack mechanisms, and
the corresponding defence mechanisms that are being brought into commercial use now, or are being
considered for the near future.
7.2 Attacks
This section deals with mechanisms that range from the generally known types of attacks to those that
used to be considered unusual. The attacks described in this section, and the defences described in
the following section, may far exceed the typical levels of skills and resources available to the common
attacker. However, the skill level of the common attacker is increasing and as data value increases (e.g.
Internet commerce) these defensive techniques should be considered and become a standard part of
common business practice. Many of these techniques are now required to meet certain government
requirements (e.g. FIPS 140-2, ISO/IEC 19790, etc.). The business community is also beginning to
embrace these same government requirements as a means of assurance (Payment Card Industry, Digital
Cinema Initiative, et al.) and demonstrable due diligence.
7.2.1 Attack mechanisms
7.2.1.1 Internal Probe attacks
The purpose of a probe attack is to directly attach conductors to the circuit(s) so that information can
be obtained from, and/or changes injected into, the system under attack.
7.2.1.2 Probing
7.2.1.2.1 Passive probes
These are common oscilloscope or logic analyser probes. They may be used to watch and record
information contained in circuits. When used with a logic analyser, a trigger condition may be set such
that the attacker waits for a predetermined event and then begins recording.
The term passive probe is somewhat of a misnomer in that so-called passive probes may be terminated
in active circuitry, which gives them very high input impedance. This may prevent their detection by, or
interference with, the circuit being attacked.
7.2.1.2.2 Active or injector probes
Active probes are generally used in conjunction with passive probes. Using a pattern generator or
similar device, these probes can inject signals or information into an active system. These are common
electronic development tools.
7.2.1.2.3 Pico-probes
Pico-probes (and micro-probes) can be utilized as either a passive probe or an active probe. Pico-probes
are very tiny and are used to directly probe the surfaces of integrated circuits.
7.2.1.2.4 Energy probes
Energy probes can be electron beams,
...