Cypherpatriots, Here's a fairly long posting I made to sci.crypt and comp.lsi about reverse engineering the Clipper chip. Especially on the technical issues about tamper-resistant modules and electron-beam probing. -Tim Newsgroups: sci.crypt,comp.lsi From: tcmay@netcom.com (Timothy C. May) Subject: Re: Clipper Chip Questions Date: Wed, 28 Apr 1993 20:26:51 GMT (followup to comp.lsi added, as they may have something to say on this) allyn (allyn@netcom.com) wrote: : My question is what is to prevent someone who has one of these chips : (from a cellphone or computer or whatever) from taking the chip to : a microelectronic facility with a decent scanning electron microscope and : other equipment that is used to testing and analysis of microcircuits : and taking the darn thing abart and reverse engineer it? : : There must be plenty of microelectronic facilities that are under : relatively minimal security (such as universities) for someone to : try to reverse engineer one of these classified chips that the government : plans to put into the public's hands. I ran an electron microscope/chip testing lab for Intel, circa 1981-84. (We built a kind of "time machine" for imaging the internal states of complex chips--the 286 in those days--and displaying them on an image processing system which "subtracted out" the states of bad chips from known good chips and thus allowed us to analyze the nucleation and propagation of logic faults through the chip. Very useful for finding subtle speed and voltage problems, as well as gross faults, of course.) Analyzing the Clipper chip, or any "tamper-resistant module," will not be trivial, but neither will it be impossible. Some issues, questions, problems: 1. Getting through the package to the chip surface itself is problematic. Proprietray molding compounds may be used to make this tough. (For example, carborundum and sapphire particles are often mixed in, so that mechanical grinding and lapping also destroys the chip. And plasma ashing won't work.) 2. Sometimes the package itself has "traps" which wipe the chip (the data) if breached (fiber optic lines mixed in the epoxy, for example). This seems unlikely for a relatively low-cost solution like the Clipper. Papers presented at the "Crypto Conference" have dealt with this. (The main uses: nuclear weapons "Permissive Action Links" and credit card "smart cards," which use less intensive measures, obviously.) 3. Once at the chip surface, via grinding, chemical etch, plasma ashing, etc., the chip can be analyzed. 4. Carefully photographing the chip as layers are etched away (or even carefully lapped away) can reveal much about the internal operation, though not the data stored in internal ROM, EPROM, EEPROM, Flash EPROM, etc. If the Clipper/Capstone algorithm is embedded in the microcode and not apparent from the visible circuitry, then it must be read by other means. 5. Voltage contrast electron microscopy allows internal chip voltages to be read with good reliability. Cf. any of the the many papers on this. Commercial e-beam probers are available. (How voltage contrast works is itself an interesting issue, and there are many good references on this.) 6. However, operating the chip is necessary to read the internal states and voltage levels, and opening the chip under "hostile conditions" (read: limited numbers of samples, no knowledge of the molding compound, no help from the manufacturer) often destroys the functionality. It can be done, but count on lots of trial and error. 7. Metal layers may be used to shield lower signal-carrying layers from scrutiny by electron beam probes. Intel, for example, builds the new Pentium on a 3-layer metal process in which the top layer almost completely covers the lower layers. (Extremely sophisticated measurements using lasers (Kerr effect) and magnetic field sensing may be possible. Count on a very expensive set-up to do this.) 8. Other "tricks" may route parts of the key circuitry through buried layers, polysilicon lines, several layers of metal, etc. 9. VLSI Technology, Inc., the company with the "tamper-resistant technology" used by Mykotronx (VTI will fab the chips), may also be storing bits in very small EEPROM cells, which are very hard to e-beam probe (especially without disrupting them!). Note also that Intel bought a partial stake in VLSI. (I'm not imputing anything and don't know if Intel is somehow involved in the Clipper/Capstone effort. In fact, I left Intel in 1986.) 10. The easiest way to get the Clipper/Skipjack/Capstone details is probably the old-fashioned way: offer money for it. With anonymous remailers and digital cash, this may be much easier. Just some thoughts on this extremely interesting issue of reverse-engineering the Clipper. -Tim May -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | Public Key: PGP and MailSafe available.