How secure is hardware?
Many people assume that using a hardware security module (HSM) to store their keys is much more secure than storing their keys in software. This is probably true, but exactly how secure is hardware? I claim that it's really not that secure, and here's why. This is roughly based on a talk I gave at NIST's Physical Security Testing Workshop a few years ago.
The following graph shows the chances of an adversary being able to beat a cryptographic algorithm.
As their budget increases, they can apply more and more computing resources to the problem. This particular problem scales perfectly linearly. If you double your budget you double your chances of beating the crypto, etc.
For most crypto algorithms, it takes an incredible amount of computing power to get to a reasonable chance of success. The sizes of cryptographic keys are deceptive. Although 128 sounds like a relatively small number, 2^128 is actually so big that we really have a hard time understanding how big it is. The work required to recover a 128-bit key is a number of that size, so it is just as hard for us to grasp. You can put billions of dollars of resources into recovering a 128-bit key and still not have much of a chance of success.
Hardware is nowhere near as tough to beat. This graph shows how your chances of beating hardware security change as your budget increases.
This graph is much different than the one for recovering a cryptographic key, and that's because the attacks against hardware are much different than the attacks against cryptography. If you're attacking cryptography, you develop the best attack program that you can and then you run your attack program with as much computing power as you can afford. To attack hardware, you have to take the hardware to your lab, and you need expensive tools to carry out the attacks against it. If you can't afford the expensive tools, then your chances of succeeding are zero. This explains the first part of this graph, the part labeled "1."
Once you can afford basic engineering tools, however, a certain class of attacks against hardware becomes possible. If you have a good logic analyzer then you can carry out timing attacks against the hardware, for example. And once you have enough budget to afford tools like these, you will almost always succeed in the attacks that you can carry out using the equipment in your lab. This explains the part of the graph labeled "2." There are still lots of attacks that you can't do at this level, and doing those requires moving to the next level of funding. But the attacks that you can do with the equipment that this budget provides essentially always work. This is why the graph has big jumps in the chances of success as the funding increases. Once you have the right tools, attacks against hardware always work, which is much different than what we get with attacks against cryptography, where the chances of success increase steadily as the budget increases.
Once you get a higher level of funding you can carry out even more advanced attacks. If you have microprobing equipment, for example, then you can collect signals from places that you couldn't with a logic analyzer, and when you can do this, lots of new attacks become feasible. The part of the graph labeled "3" covers what you can do at this point. Even at this level of sophistication there are still things that you can't do, but those become possible at the next level.
If your budget is big enough you can afford to get the specialized types of equipment that integrated circuit failure analysis engineers use. This includes equipment like electron microscopes and focused-ion-beam systems. With these tools you can take apart a chip and look at its components at the lowest level, and there's essentially nothing that you can protect with hardware that equipment like this can't recover. The part of the graph labeled "4" shows what you can do at this point.
The big question for this model is exactly how much funding you need to be able to do the attacks in the various categories. This is only a rough estimate, but I'd say that with $50K of funding you're definitely in area 2 of this graph, with $500K you're definitely in area 3, and with $5 million you're definitely in area 4. The interesting thing about this model is that it tells us that the security of any hardware device won't withstand a few million dollars of effort. That's equivalent to the level of effort needed to recover a fairly small cryptographic key by doing cryptanalysis.
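To make the two curves concrete, here is an added example (not code from the original post) that models the linear crypto curve and the stepped hardware curve side by side and works out what key size a given budget is "equivalent" to. The $50K/$500K/$5M tier thresholds come from the post; the number of key trials an attacker can buy per dollar is a constructed assumption, so treat the equivalent-key-size figure as illustrative.

```python
from math import log2

# Hardware attack tiers from the post: budget in USD needed to reach each area.
# Area 1 (below $50K) is "no useful tools", so its chance of success is zero.
HARDWARE_TIERS = {2: 50_000, 3: 500_000, 4: 5_000_000}

# Constructed assumption: how many brute-force key trials one dollar of
# computing buys. The real figure depends on the algorithm and hardware.
TRIALS_PER_DOLLAR = 2 ** 40


def hardware_success(budget, attack_area):
    """Step model from the post: an attack that needs the equipment of a given
    area essentially always works once the budget reaches that area's threshold,
    and never works below it."""
    if attack_area not in HARDWARE_TIERS:
        raise ValueError(f"unknown attack area {attack_area}")
    return 1.0 if budget >= HARDWARE_TIERS[attack_area] else 0.0


def crypto_success(budget, key_bits, trials_per_dollar=TRIALS_PER_DOLLAR):
    """Linear model from the post: chance of brute-forcing the key is the
    fraction of the keyspace the budget can search, capped at certainty."""
    trials = budget * trials_per_dollar
    return min(1.0, trials / 2 ** key_bits)


def equivalent_key_bits(budget, trials_per_dollar=TRIALS_PER_DOLLAR):
    """Key size whose entire keyspace this budget could exhaustively search.
    This is the "fairly small cryptographic key" a hardware-class budget buys."""
    return log2(budget * trials_per_dollar)


def compare(budgets, key_bits=128):
    """Tabulate both models over a list of budgets for side-by-side inspection."""
    rows = []
    for b in budgets:
        rows.append({
            "budget": b,
            "crypto_p": crypto_success(b, key_bits),
            "hw_area2_p": hardware_success(b, 2),
            "hw_area3_p": hardware_success(b, 3),
            "hw_area4_p": hardware_success(b, 4),
            "equiv_bits": equivalent_key_bits(b),
        })
    return rows


if __name__ == "__main__":
    for row in compare([10_000, 50_000, 500_000, 5_000_000, 1_000_000_000]):
        print(row)
```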
There are certainly different constraints on an attack on crypto and an attack on hardware. It's reasonable to assume that an attacker can get all the matched plaintext-ciphertext pairs that he needs to carry out an attack against crypto. With hardware, on the other hand, it's almost always necessary for an adversary to take the hardware back to his lab where he has the tools needed to attack it. That's much tougher to get than what you need to attack crypto, but it's probably a reasonable assumption. After all, Kerckhoffs' principle tells us that we should assume that an adversary attacking crypto has everything that he needs except the key that's used to encrypt and decrypt. Assuming that an adversary has the ability to somehow obtain an HSM and take it to his lab for study seems a reasonable way to apply this principle to hardware.