Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: Grabbing the CORE of a Dallas DS-2250 and DS-5000
From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Mon, 4 Mar 2002 10:10:04 -0500

There is some good text on secure processors in the book "Security
Engineering" by Ross Anderson.  Also, his website has links to work done by
one of his grad students, Mike Bond, on breaking most of the
cryptoprocessors out there.  

Here http://www.cl.cam.ac.uk/users/mkb23/research/API-Attacks.pdf is the
paper on the topic.  

The basic idea is that the cryptoprocessor has some secrets, and it lets you
specify some cryptographic algorithms to run.  The idea is that you specify
really bad algorithms, which leak lots of key material everywhere, and there
you have it.

Good luck!

Phil

-----Original Message-----
From: Holmes, Ben [mailto:Ben.Holmes () getronics com]
Sent: Friday, March 01, 2002 3:06 AM
To: pen-test () securityfocus com; forensics () securityfocus com
Subject: Grabbing the CORE of a Dallas DS-2250 and DS-5000


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I have been given the (possibly hard) task of extracting the core
program from a Dallas DS-2250 chip.  The chip is part of a currency
validation device and we are assessing its security.

In the same family is a Dallas DS 5000, info on this chip 
would also do.
As far as I know, the chip is not using any external RAM.  The chip is
battery backed.

At the heart of this processor is a piece of software that 
defines what
it is looking for in the currency.  Basically, if I can get this piece
of software from this "secure processor" I can show the system to be
"not completely 100% secure".

Apparently the chip has safeguards against extracting this, and it can
wipe the data, in this case I class that as "failed".

Please don't just point me to resources on the web and tell me that I
can disassemble the chip layer-by-layer, as this is not an option,
however resources on the web where protocol or encryption 
based attacks
can be used would be great!

The chip can be interrogated and the software can be uploaded and
downloaded somehow, that is how I have to do it!  I have 
access to some
excellent electronics hardware and software techs and a full 
electronics
workshop.

If anyone has had any experience with this sort of thing, could you
please respond.

Basically though I get almost no chance for error, one slip 
and the chip
wipes itself!

I really prefer pen-tests on Windows NT :)

- -- Benjamin Holmes
Getronics, Brisbane.

E&OE. All spelling and grammatical errors are for your enjoyment and
entertainment only and are copyright Benjamin Holmes.  This message is
guaranteed free of exotic diseases. This e-mail message and any
attachments are confidential and may be privileged.  If you 
are not the
intended recipient, please notify me immediately by replying to this
message and please destroy all copies of this message and attachments.
Please also try to forget everything you have read that was 
contained in
this E-Mail message, except this part, and you may not copy it. Thank
you.  

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
Comment: Pee Gee Peeeeee!

iQA/AwUBPH82V3LvuelW5gClEQI4WQCgx0IASVqebKJSrfpcPeAqp7gp8dAAn3GH
VPG9lS6UV+7Qz8/sJ5ha+iyk
=AF+c
-----END PGP SIGNATURE-----


--------------------------------------------------------------
--------------
This list is provided by the SecurityFocus Security 
Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security 
vulnerabilities please see:
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault