[Foxboron]

I'm still curious how the key is tamper resistent when filling it with transparent epoxy. I asked when the article was published on lobste.rs but never got an answer. It seems to me it should be fairly easy to remove the epoxy and refill after tampering.

I should probably email them about this at this point, but I think it's weird they haven't explained the "tampering resistent" part in their marketing material in any detail.

[ohazi]

FWIW, their choice of microcontroller (LPC55s, which is a Cortex-M33 w/ crypto peripherals and TrustZone) doesn't seem completely terrible.

There's still a lot of things that need to go right for the whole system to be secure, but "everything happens inside one chip, and we cover it in epoxy" seems pretty reasonable. If you can get rid of the epoxy, the only tampering I'd be worried about is removing capacitors for power supply glitching. Power analysis can still be done on an uncompromised device via the USB port (capacitors will make this harder, but may not rule it out).

To go beyond this, you'd probably need to decap the chip. I haven't seen anything about an active die shield in the documentation for this chip, but we're now well beyond the scope of epoxy tamper resistance.

Edit: No die shield, but apparently "cryptographically sensitive" signals and bits have additional out-of-band signals and bits to make shenanigans more difficult. Certainly not perfect, but "not completely terrible" seems like a fair assessment.

[IgorPartola]

What would be your choice of microcontroller?

[ohazi]

I don't actually think it's a bad choice... but that may say more about the state of what's available than about this particular chip.

The Cortex-M version of TrustZone is still fairly new, and these M33 devices are some of the first that implement it. You need a lot of care to use it correctly, but it has the potential to reduce the attack surface significantly. Crypto operations and key memory can live in the trusted world, while things like the USB stack can live in the non-trusted world.

If you really wanted a die shield, Maxim makes a line of "DeepCover" secure microcontrollers (Cortex-M3/M4, no TrustZone) that might fit the bill. They also have tamper pins for driving an external shield (e.g. https://www.edn.com/wp-content/uploads/media-1203638-p118fig...). You could do something like that and then fill the void with epoxy. External shields can be somewhat useful if your device stores keys in battery backed RAM (e.g. ATMs, POS terminals), because the shield remains active even when the device is off (if the shield is ever de-energized, the keys are wiped). USB security tokens typically store keys in (encrypted) flash, and don't have a battery, so you can take all the time you want grinding off the shield while the token is off, and then just short the right pins together before you power it up again.

ARM has a Cortex-M35P design that has TrustZone as well as some more advanced physical security features, but as far as I'm aware, nobody is selling one yet.

Downsides across the board:

Both ARM and silicon manufacturers are cagey about releasing any information about their security products. Most require NDAs before they'll even tell you what's in these chips, let alone how to use them, or how they work. I've worked with a few, and most of them have had some pretty scary bugs. They're worried that if they released the chip errata publicly, nobody would buy their chips. That's probably fair, but it also leaves you (understandably) less than confident that anyone has ever implemented a hardware crypto accelerator correctly.

Trusted execution contexts and memory protection seems like a good idea in theory, but I'm worried about all the complexity we're adding to these little chips. To lock the thing down, you have to pour over a thousand page datasheet and disable all of the debug interfaces you find, and enable all of the protection features that you find. If you're being thorough, you might write some little test programs to confirm that you at least can't use the easy methods to access things that should be protected. But at the end of the day you're crossing your fingers and hoping that there isn't a giant gaping hole off to the side that you forgot about. Reference software for these platforms is often crap.

¯\_(ツ)_/¯

I do have high hopes for this chip though... Apparently Oxide is also using it and has been sharing notes with SoloKeys (https://twitter.com/kc8apf/status/1360415931940302850). I think they'll get there eventually, but I think it'll be a while before we can be confident that it works correctly and that nothing obvious was missed.

[IgorPartola]

Thank you for the info!

[g_p]

It's a good question, and I believe they mean in terms of the epoxy making it harder to get easy access to the chip to do any shenanigans.

It's worth remembering the threat model for U2F tokens (let's set aside PIV, FIDO2, etc for the moment) - if the attacker has physical possession then they're into your account. Game over. As the authentication is to tap the button.

Sure you can add PIN via FIDO2 (then these protections make more sense), but I can't see any particular threat whereby you would be concerned about this threat under normal circumstances.

U2F helps normal (and expert) users resist phishing attacks, credential relaying, and avoid keyloggers etc. It doesn't protect you against in-person physical adversaries who can steal your things, or take them against your will.

The only edge case I can see where this matters more is if a user leaves the token unattended (try not to! Put it on your keyring, though admittedly your backup token probably is at risk a little here) and an attacker can covertly extract the keys and leave it as found, such that the user is unaware. But at that point you are dealing with adversaries in the real world, and most users have already lost at that point (passwords written down, etc.)

[conorpp]

The epoxy can't be physically removed without great risk of ripping off the electronics on the underlying circuit.

The epoxy can be chemically dissolved, but would deteriorate the outside of the device as well. It the epoxy isn't completely cleaned out, then refilling it with new epoxy would look messy. With great care and skill, it could be done with little damage, but would be time consuming.

[zie]

AIUI, Tamper Resistant doesn't mean it's not possible to do, but that it will likely be obvious that tampering was done.

[Foxboron]

Then it would be tamper evident, not resistent?

[smnrchrds]

Water resistant means some resistance to water. Water proof means full resistance to water. And that is a standard term that has been in use for decades to describe watches, tents, jackets, etc. When I read tamper resistant, I imagine the tamper equivalent of water resistant.

[AmericanChopper]

Tamper evident is the correct description of what the parent comment is talking about. You can Google “tamper evident stickers” to see it’s how the phrase is widely used. I would say the epoxy in question is both tamper resistant and evident though. Because it’s both difficult to remove and you’d risk breaking the device if you tried it, and those seem like obvious tamper resistance controls to me.

[zie]

Yes, 2 birds, 1 stone.

[notatoad]

have you ever tried to remove epoxy from a PCB? it's definitely possible, but it's annoying and makes a mess. i'm not sure how you'd remove epoxy without it being blindingly obvious that the epoxy had been removed and replaced.

they're claiming tamper-resistant, not tamper-proof. and counting on the epoxy for that seems reasonable to me.

[chaz6]

My biggest concern is that the key's software is updatable. I would have preferred to have an efuse I could blow to make the keys completely read-only.