T 5.82 Manipulation of a cryptomodule
An attacker may attempt to manipulate an encryption module in order to read secret keys, to change the keys or even to change critical security parameters. An encryption module may be manipulated in different ways; for example, it may contain:
- a super password that can be used to bypass all the other passwords,
- undocumented test modes that can be used to access sensitive areas at any time,
- Trojan horses, i.e. software that, in addition to its actual tasks, performs activities that cannot be discerned directly, such as password recording,
- manipulated access rights for certain commands.
Other examples of such attacks include:
- the modification of cryptographic keys,
- the impairment of internal key generation, e.g. by manipulating the random number generator,
- the modification of the procedures within the encryption module,
- modifications to the source code or the executable code of the encryption module,
- operating the encryption module above or below its admissible ranges for power supply, temperature, EMC thresholds, etc.
When manipulating an encryption module, the attacker will usually try to conceal the attack so that, to the user, the module appears to work properly at first glance but is actually in an insecure condition. However, there are also destructive attacks in which the destruction of the encryption module is deliberately accepted, for example when an attacker wants to gain information about the mode of operation of the encryption module or when the cryptographic keys are to be read out.
An attacker may attempt to attack the encryption module at its installation site or to steal it. If the installation site is poorly protected, manipulations can be performed very quickly and may remain undetected for a long time. By stealing encryption modules, the attacker may gain important information about how a component can be manipulated most easily. He/she may use the stolen components to obtain sensitive information such as keys, software, or knowledge of the hardware security mechanisms. However, he/she may also use the stolen component to fake an authentic encryption module.