2 HSM Technology Today
Tamper response: This is the highest level of physical protection currently
available in the commercial sector. The aim is to detect attacks during operation
and throughout the service life of an HSM. A proven method for detecting mechanical
attacks on the CPU unit of an HSM is to fit a protective shield, made
up of a network of conductive tracks, inside the epoxy-resin socketing. Monitoring
the current flow through this network of tracks makes it possible
to detect an attack on the protective shield. Potential countermeasures
are then active erasure of the HSM hardware memory and resetting of the
CPU data.
Figure 2.3: Cross-section of an HSM with tamper-responsive technology
Today’s commercial HSMs also deploy advanced physical monitoring.
Firstly, this is stipulated as part of certifications (Section 4 addresses this topic
in more detail). Secondly, these measures are required to fend off other attack
scenarios. The most common measures are:
Temperature monitoring: The HSM monitors the ambient temperature to
prevent attacks that rely on a drop in ambient temperature (also referred to as
a cold boot attack; see http://en.wikipedia.org/wiki/Cold_boot_attack).
Voltage monitoring: The HSM monitors whether the operating voltage stays
within the defined voltage range. If the voltage exceeds or falls below the
defined operating range, the electronic circuitry may transition to an
undefined state, and an attacker can then access the restricted data.
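
The monitoring described above, as an added sketch (not from the original text or from any HSM vendor's firmware): each sample checks shield-mesh continuity, temperature and voltage, and any violation erases key memory and latches the tamper state. The threshold values, the upper temperature bound and all type and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Assumed limits for illustration; real windows come from the device specification. */
#define TEMP_MIN_C   (-20)
#define TEMP_MAX_C   85      /* upper bound is an added assumption; the text names the low side */
#define VOLT_MIN_MV  3000
#define VOLT_MAX_MV  3600

typedef struct {
    int  temp_c;       /* ambient temperature reading */
    int  supply_mv;    /* operating voltage reading */
    bool mesh_intact;  /* current still flows through the shield tracks */
} sensor_sample;

typedef enum { TAMPER_NONE = 0, TAMPER_MESH = 1, TAMPER_TEMP = 2, TAMPER_VOLT = 4 } tamper_cause;

typedef struct {
    uint8_t  key_store[32];  /* stands in for the HSM's key memory */
    unsigned latched;        /* bitmask of tamper causes; never cleared at runtime */
} hsm_state;

/* Volatile writes so the compiler cannot drop the erase as a dead store. */
static void zeroize(volatile uint8_t *p, size_t n) {
    while (n--) *p++ = 0;
}

/* Classify one sample; readings below and above the window both count. */
unsigned classify(const sensor_sample *s) {
    unsigned cause = TAMPER_NONE;
    if (!s->mesh_intact) cause |= TAMPER_MESH;
    if (s->temp_c < TEMP_MIN_C || s->temp_c > TEMP_MAX_C) cause |= TAMPER_TEMP;
    if (s->supply_mv < VOLT_MIN_MV || s->supply_mv > VOLT_MAX_MV) cause |= TAMPER_VOLT;
    return cause;
}

/* Handle one sample: on any violation erase keys first, then latch the cause.
   Returns true only while no tamper event has ever been recorded. */
bool monitor_step(hsm_state *h, const sensor_sample *s) {
    unsigned cause = classify(s);
    if (cause != TAMPER_NONE) {
        zeroize(h->key_store, sizeof h->key_store);
        h->latched |= cause;
    }
    return h->latched == TAMPER_NONE;
}
```

The latch matters: once a violation has been seen, a later in-range reading does not return the device to service.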