joint effort with the Communications Security Establishment (CSE) for the Canadian government. Laboratory testing qualifies modules to one of four levels of security. FIPS 140-3, still a draft at the time of writing (it was approved in 2019 and adopts ISO/IEC 19790 as its base), aims to incorporate additional concepts and to provide modified requirements and limits within the four levels of security.

Going Global: Common Criteria

The Common Criteria for Information Technology Security Evaluation (CC), or ISO/IEC 15408, is an international standard for computer security certification. It unifies the earlier European (ITSEC), Canadian (CTCPEC), and US DoD (TCSEC) standards. Protection Profiles and security functional requirements drive the design, and laboratory evaluation results in an Evaluation Assurance Level (EAL). Note that the EAL expresses how rigorously the claimed security functionality was evaluated, not how strong that functionality is; a higher EAL on a weak design does not make it a robust one. The Common Criteria Recognition Arrangement (CCRA) provides for member countries to mutually recognize evaluated products, although recognition is limited in scope (evaluations against collaborative Protection Profiles and, otherwise, only the lower EALs). CC is typically used for firewalls and operating systems, and does not specify cryptographic implementation; that is left to schemes such as FIPS 140.

Anti-Tamper in the COTS Domain

In-house design expertise and relationships with key partners and suppliers make it possible to offer standard COTS products with optional security features. However, it becomes necessary to draw a distinction between COTS capabilities and Commissioned content: sensitive, restricted, or classified customer-specific methods. See Figure 1. The AT features highlighted in yellow are the focus of this paper. The COTS/Commissioned dichotomy leverages lower-cost, reliable COTS software, partitioning, encryption, silicon features, and physical materials, while allowing customers to plug in their highly specialized proprietary technologies, policies, and procedures. For example, the hardware interconnect design, such as inputs from tamper detection sensors, can be COTS, while the programmed behavior (such as in FPGAs) for tamper response can be Commissioned. The Commissioned behavior is never exposed, since it is not part of the COTS design process, yet the anti-tamper framework is tightly coupled with the architecture.

Prevent, Detect, Respond: The 3 Tenets of Anti-Tamper

An attacker seeks to gain information from a secure system. Attacks can be passive or active in nature. Passive attacks include side-channel analysis to ascertain secrets from timing, dynamic power consumption, or electromagnetic leaks, as well as probing circuits or imaging
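The timing side channel named above is easy to introduce in firmware and easy to remove once seen. The following is an added example, not code from the article or from the product it describes: an early-exit secret comparison beside a constant-time one, plus the byte-at-a-time recovery an attacker can run against the leaky version. The 7-byte secret is constructed for the demonstration, the reported byte count stands in for elapsed time (a real attacker would measure the clock or a power trace instead), and the recovery routine assumes secrets of at most 64 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the article. Both comparisons report how many bytes
 * they processed; that count stands in for elapsed time so the leak can be
 * examined without a high-resolution timer. */
typedef int (*cmp_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Leaky: stops at the first mismatch, so the work (time) reveals how long the
 * matching prefix of the guess is. Returns 1 on a full match, else 0. */
int leaky_compare(const uint8_t *secret, const uint8_t *guess, size_t n,
                  size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (secret[i] != guess[i]) {
            *steps = i + 1;
            return 0;
        }
    }
    *steps = n;
    return 1;
}

/* Constant-time: always touches every byte, ORs the XOR differences, and folds
 * the result to 0/1 without any branch that depends on the data. */
int ct_compare(const uint8_t *secret, const uint8_t *guess, size_t n,
               size_t *steps)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(secret[i] ^ guess[i]);
    *steps = n;
    return (int)(((diff - 1u) >> 8) & 1u);  /* 1 iff diff == 0 */
}

/* Attacker model: the work count of `cmp` is observable (as timing would be)
 * but the secret is not. Recovers the secret one byte at a time by keeping
 * the candidate that made the comparison do the most work. Assumes n <= 64
 * (returns 0 queries otherwise); returns the number of oracle queries used. */
size_t recover_via_steps(cmp_fn cmp, const uint8_t *secret, size_t n,
                         uint8_t *out)
{
    uint8_t guess[64] = {0};
    size_t queries = 0;
    if (n > sizeof guess) return 0;
    for (size_t pos = 0; pos < n; pos++) {
        size_t best_steps = 0;
        uint8_t best = 0;
        for (unsigned v = 0; v < 256; v++) {
            size_t steps;
            guess[pos] = (uint8_t)v;
            int ok = cmp(secret, guess, n, &steps);
            queries++;
            if (ok || steps > best_steps) {
                best_steps = steps;
                best = (uint8_t)v;
                if (ok) break;
            }
        }
        guess[pos] = best;
        out[pos] = best;
    }
    return queries;
}

/* Constructed sample secret for the demonstration (not from the article). */
#define DEMO_LEN 7
static const uint8_t DEMO_SECRET[DEMO_LEN] = {'T', '4', 'm', 'p', '3', 'r', '!'};

/* Run `cmp` on a guess that matches the first `prefix` bytes of the demo
 * secret and diverges afterwards; the work count comes back via `steps`. */
int prefix_probe(cmp_fn cmp, size_t prefix, size_t *steps)
{
    uint8_t guess[DEMO_LEN];
    memcpy(guess, DEMO_SECRET, DEMO_LEN);
    for (size_t i = prefix; i < DEMO_LEN; i++) guess[i] ^= 0xFF;
    return cmp(DEMO_SECRET, guess, DEMO_LEN, steps);
}
size_t steps_for_prefix(cmp_fn cmp, size_t prefix)
{ size_t s; (void)prefix_probe(cmp, prefix, &s); return s; }
int match_for_prefix(cmp_fn cmp, size_t prefix)
{ size_t s; return prefix_probe(cmp, prefix, &s); }

/* 1 if the work-count oracle recovered the whole demo secret, else 0. */
int recovery_succeeds(cmp_fn cmp)
{
    uint8_t out[DEMO_LEN];
    recover_via_steps(cmp, DEMO_SECRET, DEMO_LEN, out);
    return memcmp(out, DEMO_SECRET, DEMO_LEN) == 0;
}

int main(void)
{
    printf("guess matching 3 bytes: leaky steps=%zu, ct steps=%zu\n",
           steps_for_prefix(leaky_compare, 3), steps_for_prefix(ct_compare, 3));
    printf("oracle attack recovers secret: leaky=%d, ct=%d\n",
           recovery_succeeds(leaky_compare), recovery_succeeds(ct_compare));
    return 0;
}
```

The leaky version reports one more unit of work for each correct leading byte, which is all the attacker needs to extend the known prefix 256 guesses at a time instead of searching 256^n keys. The constant-time version reports the same count for every guess, so the same attack returns garbage. On real hardware the same discipline extends to the other passive channels listed above: data-dependent branches, memory accesses, and early exits are what turn timing, power, and EM measurements into key bits.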

New-Tech Magazine Europe | 41