"Rafael Deliano" <Rafael_Deliano@t-online.de> wrote in message
news:42C302E4.9E2F0F0A@t-online.de...
> > ..and, of course, the attacker can buy ten or a hundred of the
> > devices and test them in parallel.
> If every one has a different key ?
I think you're right, parallel testing is unlikely to work.
>
> Anyway: if he has taken one secure module out of an ATM he has
> only one module.
Or, in the context of my original question, he has the capability to clone
ATMs and sell as many ATMs as he wants in markets that are not as particular
about copyrights as yous and mine.
Cheers,
Alf.
Reply by Uwe Hercksen●June 30, 20052005-06-30
Guy Macon schrieb:
>
> Thanks! Alas, I don't speak German; does the paper say whether
> they were able to extract the entire contents, and if so how long
> it took to do so?
Hello,
here are some more publications in English:
http://www.cl.cam.ac.uk/~mgk25/publications.html
May be you will find the information here:
* Markus G. Kuhn: Cipher Instruction Search Attack on the
Bus-Encryption Security Microcontroller DS5002FP. IEEE Transactions on
Computers, Vol. 47, No. 10, October 1998, pp. 1153-1157, ISSN 0018-9340.
# Ross J. Anderson, Markus G. Kuhn: Tamper Resistance -- a Cautionary
Note, The Second USENIX Workshop on Electronic Commerce Proceedings,
Oakland, California, November 18-21, 1996, pp. 1-11, ISBN 1-880446-83-9.
# Ross J. Anderson, Markus G. Kuhn: Low Cost Attacks on Tamper Resistant
Devices, in M. Lomas et al. (ed.): Security Protocols, 5th International
Workshop, Paris, France, April 7-9, 1997, Proceedings, LNCS 1361,
Springer-Verlag, pp. 125-136, ISBN 3-540-64040-1.
Bye
Reply by Rafael Deliano●June 30, 20052005-06-30
> "The details will be presented in a separate publication, ..."
Kuhn "Cipher Instruction Search Attack on the Bus-Encryption
Security Microcontroller DS5002FP" IEEE Trans. Comp. Oct 1998
http://www3.informatik.uni-erlangen.de/Publications/Articles/kuhn_ToC.pdf
"After only a few hours preparation the author was able to extract
the protected software from a DS5002FP Rev A based demonstration system
that Peter Drescher from the German Information Security Agency (BSI)
built as a challenge in July 1996"
Seems it actually worked.
MfG JRD
Reply by Unbeliever●June 29, 20052005-06-29
"Rafael Deliano" <Rafael_Deliano@t-online.de> wrote in message
news:42C2AFFF.D72E036C@t-online.de...
> >> Its not very clear how long ( typical & worst case )
> > Read the paper more carefully. ... About 7.5 days
> > worst case (say half that on average).
> And on which page of the report is that number ?
>
> MfG JRD
Sorry, the first number two numbers 2500 attempts and 300 attempts per
second are from the paper, the numbers after "say" and "might" are my
conservative (as the author says the process speeds up, though I can't quite
see how) extrapolations.
Cheers,
Alf.
Reply by Rafael Deliano●June 29, 20052005-06-29
> ..and, of course, the attacker can buy ten or a hundred of the
> devices and test them in parallel.
If every one has a different key ?
Anyway: if he has taken one secure module out of an ATM he has
only one module.
MfG JRD
Reply by Guy Macon●June 29, 20052005-06-29
Unbeliever wrote:
>
>> Its not very clear how long ( typical & worst case ) and
>> therefore i am sceptical if at all.
>
>Read the paper more carefully. 2500 attempts @ 300 attempts per
>second for the initial instruction is about 8.3 seconds, say 10.
>Another second to test all 256 combinations of this byte and
>tabulate the results.
>
>Inserting NOPs before the instruction might take another 10
>seconds or so per byte. Say 650,000 seconds for the entire
>address space. About 7.5 days worst case (say half that on
>average).
..and, of course, the attacker can buy ten or a hundred of the
devices and test them in parallel.
Reply by Rafael Deliano●June 29, 20052005-06-29
The orginal text is the Diplomarbeit ( not quite a Ph.D
but somewhat similar ) from Kuhn, 31. July 1996. Its
making no specific claims. Seems the hardware is ready,
and some tests of the software are on the way.
Thats not the translation.
Its a probably shortened version of:
Ross Anderson, Markus Kuhn
"Its Tamper Resistance - a Cautionary Note"
The Second USENIX Workshop on Electronic Commerce Proceedings,
18. November 1996
... It won the best paper award at that conference."
Here are specific claims indeed:
"One of us (Kuhn) has designed and demonstrated an effective
practical attack that has already yielded all the secrets of
some DS5002FP based systems used for pay-TV access control
and also broken a code lock provided as a challenge by the
German Federal Agency for Information Technology Security
(BSI)."
"in fact we typically need less than 2,500 attempts."
"The details will be presented in a separate publication, ..."
That text
Anderson Kuhn "Low cost Attacks on Tamper Resistant Devices"
refers only to
Ross Anderson, Markus Kuhn
"Its Tamper Resistance - a Cautionary Note"
and contains no technical detail.
MfG JRD
Reply by Unbeliever●June 29, 20052005-06-29
> Thanks! Alas, I don't speak German; does the paper say whether
> they were able to extract the entire contents, and if so how long
> it took to do so?
>
>> Its not very clear how long ( typical & worst case )
> Read the paper more carefully. ... About 7.5 days
> worst case (say half that on average).
And on which page of the report is that number ?
MfG JRD
Reply by Unbeliever●June 29, 20052005-06-29
> Its not very clear how long ( typical & worst case ) and
> therefore i am sceptical if at all.
Read the paper more carefully. 2500 attempts @ 300 attempts per second for
the initial instruction is about 8.3 seconds, say 10.
Another second to test all 256 co0mbinations of this byte and tabulate the
results.
Inserting NOPs before the instruction might take another 10 seconds or so
per byte. Say 650,000 seconds for the entire address space. About 7.5 days
worst case (say half that on average).
Cheers,
Alf