Physical security assessment of a microprocessor EMV card

When evaluating the security of an information system, two questions usually arise: what is the level of security of the system, and how much does it cost to ensure that level. Over the past fifteen years, the emergence of standards that allow independent assessment of information system security has made it possible to answer these questions.
The Information Technology Security Evaluation Criteria (ITSEC) standard was developed in Europe and recognized by France, Germany, the United Kingdom, and the Netherlands in 1991. At the same time, the United States and Canada developed their own standards for evaluating the security of information systems, TCSEC and CTCPEC respectively.
Relatively recently, the Common Criteria standard (ISO/IEC 15408) has appeared, claiming to be a worldwide standard. Each manufacturer of an information system who wants to submit it for independent evaluation under Common Criteria must formulate an evaluation goal (Security Target, ST) consisting of the following components:
Target of Evaluation (TOE): the system or part of the system submitted for evaluation;
descriptions of the attack scenarios that should be considered in the security assessment of the TOE;
specifications of the countermeasures implemented in the TOE, whose effectiveness is evaluated during testing.
In addition, the ST specifies the level of assurance that the system meets its security requirements, known as the Evaluation Assurance Level (EAL). The Common Criteria standard defines seven assurance levels, from the lowest, EAL1, to the highest, EAL7.
For the convenience of users, STs have been pre-defined for various types of information systems and products. These are defined in the form of so-called Protection Profiles. In particular, for smart cards these profiles are described in the BSI-PP-0002-2001 specification, which defines a minimum set of security characteristics that must be verified during the card security assessment.
For the user, the fact that a system has passed evaluation means, first, obtaining an independent assessment of the security of the system they use and, second, seeing the developer's confidence in their system, expressed in their readiness to submit it to open independent testing. A wide variety of systems can be certified, including operating systems, DBMSs, network access protection systems (firewalls), PKI systems, smart cards, chips used in smart cards, smart card operating systems, and smart card applications.
Currently, a system's security can be evaluated under various criteria systems, including Common Criteria, ITSEC (the most commonly used in Europe), and FIPS (a criteria system widely used in North America but rarely used in Europe). Table 2.8 shows the correspondence between the Common Criteria and ITSEC certification levels.

This correspondence does not mean that holding a certificate in one criteria system automatically implies obtaining a certificate of the corresponding level in another. In any case, to obtain a certificate in a given criteria system, the necessary tests of that system must be passed. For example, the MULTOS operating system holds an ITSEC certificate at level E6, while its certification level under Common Criteria is EAL4+.
A central aspect of the overall security of any system is its physical security. In this sense, smart cards are an example of a system with high physical security. Placing the smart card microcomputer, consisting of a processor, memory system, I/O block, and peripheral components, on a single chip hides the connections between the computer's elements inside the chip. Combining the computer's elements in a single chip makes it difficult for an external observer to intercept the signals transmitted between the elements of the chip and, consequently, to recover the information content of those signals.

Of course, it is possible, although difficult and expensive, to attach electrical probes to the internal lines of the chip. In this case the attacker (the person trying to extract information from the chip) must possess the card and expensive equipment to probe it. In addition, they must have knowledge of both the hardware architecture of the chip and its software.
Another method of attack is to study the information obtained from a working smart card. An example is an attack on the card's encryption algorithm based on intercepted ciphertext produced by the card.
The concept of physical security includes resistance to external interference (tamper resistance) and the ability to show evidence of such interference (tamper evidence) if it occurred. One element of the physical security of a smart card is the layout of the chip and its connections in the chip module, which is enclosed in an epoxy filler. This layout provides both protection from certain types of external interference and evidence of such interference. The epoxy compound cannot be penetrated without destroying it, and to do so one needs to take possession of the card. Opening the module leaves traces that indicate the fact of interference.
In addition, the chip module is embedded in the card body, where it is effectively under a second layer of protection against interference and/or evidence of it. Therefore, it is almost impossible to learn the secrets contained in a smart card using physical intervention without the fact of interference being detected.
Thus, microprocessor cards have all the necessary components of a high-security computer platform. However, it should be understood that the security achieved by integrated packaging is not infallible. The card resists interference, but it cannot completely prevent it.
All attacks on a microprocessor card can be divided into software and physical attacks. Software attacks, in turn, fall into two categories: attacks aimed at revealing the cryptographic algorithms used by the card, and attacks that exploit weak points in the implementation of the programs supported by the card. Examples of the second category are the use of loaded programs that overflow memory buffers or act on the principle of a Trojan horse. Such attacks allow extremely important secret information to be obtained from the card application.
Physical attacks, in turn, are divided into two large categories: penetrating and non-penetrating attacks. Recently, a class of semi-penetrating attacks has been distinguished from the penetrating ones.
Penetrating attacks require penetration into the body of the chip. To access the surface of the chip, it is extracted from the plastic card. To do this, the chip, along with the epoxy filler in which it is located, is removed from the polyvinyl chloride plate of the card with a sharp knife. Sometimes it is enough to heat the plastic case of the card, which makes it flexible, and bend the card at the location of the chip, in order to remove it from the plastic case.
Next, a few drops of highly concentrated (>98%) nitric acid (HNO₃) are used to get rid of the filler's epoxy resin. Within a few minutes the acid dissolves the epoxy filler, after which the chip is immersed in an ultrasonic bath, in which the acid and the remains of the filler are washed off with acetone. The entire procedure described is called chip depackaging in the literature.
The chip is now ready to be examined. The purpose of the chip inspection is to reconstruct the layout of the individual chip modules (memory modules, processor and coprocessors, data and address buses). The attacker must understand the object of the attack in order to understand how to act to achieve the desired result. Based on reverse engineering methods and a good understanding of CMOS chip design, one can obtain a full understanding of the architecture of the chip and its modules and identify the "weak" points of the chip, which become the tools for conducting an attack.
There are several ways to examine the chip.
To reconstruct the layout of the chip modules, an optical microscope equipped with a CCD camera is often used. The main modules of the chip (ROM, EEPROM, RAM, processor, bus) are clearly visible in a photo obtained with a high-resolution CCD camera. To obtain an image of the deeper layers of the chip, the already examined layer is physically removed (by etching with hydrofluoric acid (HF) in an ultrasonic bath) to gain access to the next layer. To create a three-dimensional image of the chip, the photos of its individual layers are processed by an image analysis program.
If the chip processor has a standard architecture, it is enough for the attacker to reach the layer at which the location of the modules and buses to be manipulated for memory access becomes fully clear.
Another method of examining the chip is called manual micro-probing. It is based on the use of an optical microscope and a probe, a sharpened tungsten needle, with which the attacker is able to make contact with the chip bus without destroying it. The probe is connected via an amplifier to a special signal processor, which records the signals received from the chip processor and also supplies the card with its power supply voltage, a reset signal, a clock signal, and the other inputs necessary for the chip to function in the active state.

There is also a beam method of probing the chip, which uses focused beams of gallium ions (Focused Ion Beam, FIB). Gallium ions are accelerated and focused in a vacuum chamber into a beam 5 to 10 nanometers in diameter. Emitted from a liquid cathode at a voltage of 30 kilovolts, the gallium ions create a current of 10^-12 to 10^-8 amperes. A focused beam of gallium ions can reconstruct the chip's layout by recording the secondary radiation it induces. The resolution is very high, up to 5 nanometers. An FIB workstation costs about half a million euros.
Another variant of the beam method of probing a chip is the use of electron beams. To accelerate the electrons, a voltage of about 2.5 kilovolts is used. As a result, a current of about 5 nanoamperes is created. In this case, the number and energy of the secondary electrons are indicators of the electric field on the surface of the die and allow the signal lines to be examined with a resolution measured in fractions of a micron.
Recently, another type of radiation method for examining a chip has appeared: the use of an infrared laser. The chip is irradiated at a frequency at which its silicon substrate becomes transparent to the laser beam. The currents generated in the chip as a result of the irradiation are then measured; their magnitude reflects the logical state of individual transistors.
To perform manual and beam probing, in addition to the chip extraction procedure, it is necessary to destroy at least some part of the chip's passivation layer. The point is that after extracting the chip, one finds that the aluminum interconnect lines on the surface of the chip are protected by a special coating called the passivation layer, consisting of silicon oxide or silicon nitride. The passivation layer protects the chip from certain types of radiation and harmful environmental influences. To remove the passivation layer, ultraviolet or "green" lasers are used, which irradiate the passivation area with short pulses. With the pulse energy and duration correctly calculated, destruction of this coating is easily achieved.
Sometimes drilling is also used to destroy a small area of the passivation layer.
At the same time, there are attacks that require removing the chip from the plastic body of the card but do not require destruction of the passivation layer. Such attacks are called semi-penetrating attacks. This definition was first introduced by S. Skorobogatov, who demonstrated the possibility of using ultraviolet and X-ray radiation to attack a chip.
Some penetrating attacks based on the above methods of examining the chip are described below.
Reconstruction of the chip layout allows the contents of the ROM to be read in full. Although ROM usually does not contain secret keys, it gives a complete picture of the programs that provide access to the secret information, as well as of the cryptographic algorithms used and how they are implemented. Information about how the cryptographic algorithms are implemented is valuable for non-penetrating attacks.
Another way to obtain card information is to probe the chip's data bus. This does not read all the data contained in the EEPROM, but intercepts the information most valuable for the attack. For example, probing the bus of the cryptographic coprocessor allows information about the card keys to be extracted.
Knowing the structure of the ROM, an attacker can try to obtain the card's secret keys. This is achieved by unauthorized changes to the ROM. For example, to mount an attack on DES keys, it is sufficient to change the instructions of the DES algorithm in a certain way. In particular, one can reduce the number of rounds of the algorithm (from 16 to 1), eliminate the bitwise addition modulo 2 (exclusive OR) of two Boolean sequences of the same length, and change the S-box transformations so that they become linear. Depending on how the DES algorithm is implemented, it is sometimes enough to change just a few ROM bits to make extracting the secret key a simple task.
In general, it is possible for an attacker to completely rewrite the ROM and implement some linear encryption algorithm from which the secret key value is easily extracted.
Note that a microscope with a laser cutter is used to change the values of individual ROM bits.
Another way to extract DES keys is to change, one after another, the bits of the EEPROM in which the DES key is stored. Setting the next bit of the key to a known value (0 or 1), the attacker observes the behavior of the card during a cryptographic operation. If the card does not complain about the parity check, the key bit was set to the correct value.
Note that to set an EEPROM bit to a chosen value, two needles are used to probe the chip.

Another interesting way to determine the secret key is as follows. Typically, an implementation of the DES algorithm consists of instructions describing one repeated round of the algorithm and a memory register that stores the result of executing the round. The register value is also the input value for the next round of the algorithm.
The DES algorithm is a recurrent procedure in which the encrypted block is divided into left and right halves. On each round of the algorithm these halves are redefined depending on the current values of the right and left halves, the DES key, and the round number. In this case, the left half is always equal to the value of the right half of the previous round.
If the last bit of the right half of the register is changed on the last, sixteenth round of the DES algorithm, it turns out that only the first and last four bits of the right half of the ciphertext (before the final permutation of the DES round) change as a result (this follows from the structure of the DES expansion function and the S-box transformation). Therefore, on average, one can find 4 values each of the first and last 6-bit blocks of the key K(16) that produce the known values of the first and last 4-bit blocks, respectively, in the ciphertexts obtained without and with the change of the last bit of the right half of the register.
E. Biham and A. Shamir, in their work on differential cryptanalysis, established the following result. If we assume that a single bit of the right half is changed on some round of DES, and that the position of this bit and the number of the round at which the change occurred are uniformly distributed at random, then analysis of at least 200 pairs of ciphertexts, obtained with and without the bit change in the right half, makes it possible to determine the value K(16), which contains 48 bits of the DES key. The DES key can then be found by searching 2^(56-48) = 2^8 = 256 variants of the missing 8 bits of the key. The method of differential cryptanalysis is discussed in more detail later in this section, under the Differential Fault Attack.
There are other ways to extract the key, for example by using the data remanence property of memory. Even RAM continues to hold the values of the data stored in it for some time after the power is turned off. EEPROM also has the remanence property. Therefore, before any secret information is written to it, some random data is written and erased first. Typically, 10 to 100 write/erase cycles are used to protect against the possibility of restoring data written to the memory cell earlier.
An attack aimed at reading data from the EEPROM is quite common. To read the data stored in EEPROM without using the card software, the chip processor is used as a program counter. For this purpose, all processor components except the one that provides read access to EEPROM data are disconnected from the chip bus. The program counter is automatically incremented after the processor executes each instruction and serves as the generator of the next address from which data is to be read. The attacker only needs to connect to the data bus in order to record the information read by the processor.

Penetrating attacks require laboratory equipment, take a long time to carry out (on the order of several weeks), and are expensive for these reasons.
The best-known non-penetrating attack methods are described below.
A prominent representative of this type of attack is the attack based on analysis of the time required to perform a cryptographic operation (Timing Analysis Attack). The point is that the time required to perform an operation depends on the values of individual bits of the secret key and of the encrypted data. Therefore, by measuring the execution time of an operation accurately enough and many times, one can infer the values of the key bits.
To illustrate, consider the sequential squaring (square-and-multiply) method used to compute C^d mod n in the RSA algorithm. From the description of the algorithm underlying this method (see Section 3 of Appendix C), it follows that if the next bit of the key equals 1, an additional multiplication is required, as opposed to the case when this bit equals 0. Therefore, if we find that a lot of time was spent on the next step of the algorithm, we can conclude that the corresponding key bit is 1. Conversely, if the step in question was performed quickly, the corresponding key bit is 0.
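The leakage described above, as an added example that is not part of the original text: a naive left-to-right square-and-multiply that spends an extra multiplication on every 1 bit of the exponent, next to a Montgomery ladder that performs the same two operations for every bit. The per-bit operation counts stand in for the execution time a measurement would observe. The modulus, base and exponent are small constructed values, and all function names are the example's own.

```python
# Added example (not from the original text): why square-and-multiply leaks
# the exponent through timing, and what a constant-operation ladder looks like.

def square_and_multiply(base, exponent, modulus):
    """Naive left-to-right exponentiation base^exponent mod modulus.
    Returns (result, trace); trace[i] is the number of modular multiplications
    spent on exponent bit i (most significant first): 1 for a 0 bit (square
    only), 2 for a 1 bit (square, then the extra multiply that leaks the bit)."""
    result = 1
    trace = []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus        # always: square
        ops = 1
        if bit == '1':
            result = (result * base) % modulus      # only for a 1 bit: multiply
            ops += 1
        trace.append(ops)
    return result, trace


def montgomery_ladder(base, exponent, modulus):
    """Same exponentiation with a Montgomery ladder: exactly one multiply and
    one square per bit regardless of its value, so the trace is the same for
    every exponent of the same length (invariant: r1 == r0 * base)."""
    r0, r1 = 1, base % modulus
    trace = []
    for bit in bin(exponent)[2:]:
        if bit == '1':
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        else:
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        trace.append(2)
    return r0, trace


def bits_from_trace(trace):
    """What a timing observer infers: a 'slow' step (2 operations) is read as
    a 1 bit, a 'fast' step as a 0 bit."""
    return ''.join('1' if ops == 2 else '0' for ops in trace)


if __name__ == "__main__":
    # Constructed toy values: modulus 221 = 13 * 17, base 7, secret exponent 45.
    d = 45
    _, naive_trace = square_and_multiply(7, d, 221)
    _, ladder_trace = montgomery_ladder(7, d, 221)
    print("true exponent bits :", bin(d)[2:])
    print("inferred from naive:", bits_from_trace(naive_trace))
    print("inferred from ladder:", bits_from_trace(ladder_trace))
```

Reading the exponent back from the naive trace reproduces the text's observation exactly, while the ladder's trace is identical for every exponent of the same length; a constant sequence of operations is the property an evaluator checks for in an RSA implementation, together with the absence of data-dependent branches in the multiplication itself.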
Another representative of non-penetrating attacks is the attack based on analysis of the card's power consumption (Power Consumption Attack). By measuring the current through a resistor in the card's power supply line, one can see the card's level of activity while it executes the instructions of the card application. The card chip consists of hundreds of thousands of transistors, each of which acts as a switch controlled by the voltage applied to the transistor's gate. When the charge (voltage) on the transistor gate changes, a current flows through the transistor. The currents that arise when the transistor charge changes deliver charge to the gates of other transistors. These currents cause electromagnetic radiation, which can also be used to measure the electrical activity of the card.
The current value of the card's electrical activity depends on the instruction the card is executing at the moment, as well as on the data values that appear in the operation being executed. By analyzing the electrical activity of the card or its individual modules (for example, the cryptoprocessor), one can obtain information about the card's keys, which is often the goal of the attack.
There are two types of attacks based on analysis of the energy consumed by the card: Simple Power Analysis (SPA) and Differential Power Analysis (DPA).
In the case of an SPA attack, cryptanalysis is performed on direct measurements of the power consumed by the chip during various operations. Using SPA, one can identify the time intervals during which the chip executes the DES or RSA algorithm. This is possible because the general pattern of power consumption at the various stages of these algorithms (DES rounds, sequential squaring in RSA) is known in advance. Moreover, SPA makes it possible to identify and distinguish individual operations performed within the cryptographic algorithm. For example, SPA can be used to break an RSA implementation using the difference in energy consumption between the squaring and multiplication operations (similarly to the Timing Analysis Attack). Likewise, DES implementations show an obvious difference in the energy consumed by the chip when performing permutation and substitution operations, depending on the key values.
The energy consumed by the chip depends on the values of the variables used in the operations the chip performs. Often these differences are masked by noise or measurement errors. However, the statistical correlation methods applied to the measurement results in DPA still sometimes allow information about the card's secret keys to be extracted.
Another representative of non-penetrating attacks is the attack based on induced errors (Fault Attack). All methods of this type rely on the chip's reaction to changes in the external conditions of its use. For example, the properties of a chip depend on fluctuations of the supply voltage and clock frequency applied to it, changes in the temperature of individual components of the chip, irradiation of the chip with light or an ion beam, and the influence of an electromagnetic field on the chip. By applying such external, non-penetrating influences to the chip, the attacker seeks to cause incorrect behavior of the chip, including errors in the execution of the chip's programs. The attacker seeks to make the chip take a wrong decision. For example, if a PIN code must be entered to access a certain memory element, then, if the chip misbehaves, access to the desired memory element may be allowed even when an incorrect PIN value is entered.
Another example is the so-called memory dump. Instead of returning some of its identification data, the card outputs much more data, including fragments of the operating system and secret information such as keys and the PIN code.
An attacker can also apply an external influence to the card so as to disrupt the process of cryptographic computation (Differential Fault Attack), for example by reducing the number of rounds in the cryptographic algorithm and thereby making it easier to determine the secret key. Within a Differential Fault Attack there may also be cases where the card's constants are changed, leading to disclosure of its secret.
Let us illustrate this with an example of an attack on the RSA algorithm when exponentiation is implemented using the Chinese Remainder Theorem (CRT).
As follows from formula (B4) of the specified section, the power of any number C modulo n = pq can be represented as:
C^d = (s_q − s_p)·p^(−1)·p + s_p (mod pq).
The last equality can obviously be written as:
C^d = a·s_p + b·s_q (mod pq),
where s_p = C^(d_p) mod p and s_q = C^(d_q) mod q (with d_p and d_q the reductions of d modulo p − 1 and q − 1), a = 1 − p^(−1)·p, b = p^(−1)·p, and p^(−1) denotes the inverse of p modulo q.
Since p^(−1)·p ≡ 1 (mod q), the following congruences are obvious:
a ≡ 1 (mod p); b ≡ 0 (mod p);
a ≡ 0 (mod q); b ≡ 1 (mod q).
The attack on the RSA algorithm then proceeds as follows. Suppose the signature s of some message is known. We change the value of the prime p on the card to some value p'. Note that neither the value of p nor the value of p' is known to us. With p' in place, we force the card to compute the signature s' of the same message.
Then we have:
s − s' = a·s_p + b·s_q − a'·s'_p − b'·s_q,
where a', b' and s'_p are the values of a, b and s_p computed with p' in place of p. It is obvious that s − s' is divisible by q, because we still have:
a' ≡ 0 (mod q); b' ≡ 1 (mod q).
Thus the value of q can be found, and hence p. Although the number s − s' is composite and, generally speaking, decomposes into many prime factors, this problem is much simpler than the problem of factoring n = pq, which is the product of only two large primes. Moreover, it is obvious that q = gcd(n, s − s'). Therefore finding q costs only a run of Euclid's algorithm, a number of operations polynomial in log₂ n.
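The computation above, as an added worked example that is not from the original text: an RSA-CRT signature in the Garner form s = s_p + p·((s_q − s_p)·p^(−1) mod q), the same signature computed with the p-half corrupted as the text describes, the gcd that then yields q, and the verify-before-release check with which a card refuses to output a faulty signature. The primes, exponents, message and the faulty value p' are small constructed textbook values; the function names are the example's own.

```python
# Added example (not from the original text): RSA-CRT with a corrupted p-half,
# the gcd recovery of q from one correct and one faulty signature, and the
# signature check that stops the faulty value from ever leaving the card.
from math import gcd

# Constructed toy RSA parameters (textbook values, not from the original text).
P, Q, E = 61, 53, 17
N = P * Q            # 3233
D = 2753             # E * D = 1 (mod lcm(P-1, Q-1))


def crt_sign(m, p, q, d, faulty_p=None):
    """RSA-CRT signature of m in the Garner form used in the text:
        s = s_p + p * (((s_q - s_p) * p^(-1)) mod q),  p^(-1) = inverse of p mod q.
    If faulty_p is given, the p-half (s_p, p^(-1) and the recombination) is
    computed with that corrupted modulus, modelling the fault in the text; the
    q-half is untouched, so the faulty result is still congruent to s_q mod q.
    No final reduction mod n is applied: the result is already below p*q."""
    d_p, d_q = d % (p - 1), d % (q - 1)      # CRT exponents, from the genuine p
    pp = p if faulty_p is None else faulty_p
    s_p = pow(m, d_p, pp)
    s_q = pow(m, d_q, q)
    p_inv = pow(pp, -1, q)                   # requires gcd(pp, q) == 1
    return s_p + pp * (((s_q - s_p) * p_inv) % q)


def recover_factor(n, s_good, s_faulty):
    """q = gcd(n, s - s'): by the congruences in the text q divides s - s',
    while p does not (the p-halves of the two signatures differ)."""
    return gcd(n, abs(s_good - s_faulty))


def sign_checked(m, p, q, d, e, faulty_p=None):
    """Countermeasure: verify the signature with the public exponent before
    releasing it. A signature that does not verify is never output."""
    n = p * q
    s = crt_sign(m, p, q, d, faulty_p) % n
    return s if pow(s, e, n) == m % n else None


if __name__ == "__main__":
    message = 65
    s = crt_sign(message, P, Q, D)                 # correct signature
    s_bad = crt_sign(message, P, Q, D, faulty_p=59)  # p corrupted to 59
    print("s =", s, " s' =", s_bad, " gcd(n, s - s') =", recover_factor(N, s, s_bad))
    print("checked (faulty) ->", sign_checked(message, P, Q, D, E, faulty_p=59))
```

The check in `sign_checked` costs one public-exponent exponentiation per signature, which is cheap next to the private operation; it is the standard answer to this attack in a card implementation, because a single faulty signature that leaves the device is enough for the gcd step, whereas a signature that is recomputed or withheld gives the observer nothing.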
Another illustration of a Differential Fault Attack is an attack on the DES algorithm. As follows from formula (B1) of Section 2 of Appendix B, on the last round of the DES algorithm the equalities
L(16) = R(15),
R(16) = L(15) ⊕ f(R(15), K(16))
hold, where L(16) and R(16) are, respectively, the left and right halves of the ciphertext; ⊕ denotes bitwise addition modulo 2; the function f comprises the S-box transformations S1, …, S8 of 6-bit sequences into 4-bit ones; and K(16) is the 48-bit sequence obtained from the DES key by a fixed set of permutations, shifts, and substitutions defined in the DES standard.
If we now change the value R(15) on the last round of the DES algorithm to R'(15), leaving the value L(15) unchanged, then as a result we obtain the equalities:
L'(16) = R'(15),
R'(16) = L(15) ⊕ f(R'(15), K(16)).
From here it is easy to obtain the equality:
R(16) ⊕ R'(16) = f(L(16), K(16)) ⊕ f(L'(16), K(16)). (2.1)

The last equality shows that we have managed to "cut off" the history of the ciphertext computation (the value L(15)), limiting the cryptanalysis to the data of the last round of the algorithm only. Now split the 32-bit value on the left side of the last equality into consecutive 4-bit blocks, and split the key K(16) into eight consecutive 6-bit blocks. For each 6-bit block i (i = 1, …, 8) of the key K(16), by iterating over no more than 2^6 different values of the block, we find the values at which equality (2.1) holds. Thus, since there are eight 6-bit blocks of the key K(16), finding its possible values requires 2^9 elementary checks of the above equality.
From general considerations, assuming ideal "mixing" of data by the algorithms used in each DES round (meaning the substitutions, permutations, and S-box table transformations S_i applied), one obtains that each value of the left side of equality (2.1) corresponds to 2^56 / 2^32 = 2^24 different values of the DES key. More accurate calculations show that equality (2.1) reduces the search for the DES key to no more than 2^26 different values.
Similar results hold for the 3DES algorithm. An error on the last round of the algorithm in this case reduces the key search to no more than 2^75 different key values.
Spike Attacks are based on rapid changes of the voltage applied to the card. Such attacks cause errors in the operation of the card processor, which in turn lead to certain operations being skipped or executed incorrectly. An attacker can use these errors, for example, to bypass PIN verification or card blocking.
Similar in application are the attacks called Glitch Attacks. In this case the card errors are caused by changes in the frequency of the clock signal supplied to the card, but the consequences are the same: the card performs some operations incorrectly.
Although many ways of preventing Spike Attacks and Glitch Attacks are known today, each specific case requires dedicated testing of the chip against these attacks, since the "sensitivity" of different chips to them differs.
Electromagnetic Induction Attacks became known several years ago. To mount the attack, a ring-shaped electrical conductor is placed directly above the surface of the chip. A current is passed through the ring, creating an electromagnetic field that causes errors in the operation of the chip. These errors can be used to gain unauthorized access to protected areas of the chip's memory.
Unlike Spike Attacks and Glitch Attacks, electromagnetic induction attacks can be directed at individual components of the chip. It is therefore harder to develop countermeasures against this type of attack. Against the former, for example, one can provide sensors and filters that monitor and stabilize the supply voltage delivered to the card, and the same applies to control of the clock frequency. However, if the electromagnetic field affects only a single component of the chip, such as the cryptographic coprocessor, it will not be easy even to detect this effect.
Another type of attack uses errors induced by optical irradiation of the chip while the card application is executing. As a result of the light irradiation, currents arise inside the chip that can cause program execution errors. Such errors, in turn, can make it possible to bypass password verification, to obtain a memory dump that provides the attacker with secret information, and to alter the implementation of the cryptographic algorithm, which yields information about the secret keys.
An optical attack is called global if the entire surface of the chip is exposed to the light irradiation. In this case the radiation source is located on the back of the chip. Sources that provide high radiation intensity, such as flash lamps and lasers, are used. At the same time, there is no need to remove the plastic coating on the back of the chip.
Local optical attacks are aimed at irradiating individual components of the chip and therefore require more complex implementation methods that use a highly focused light beam. This method of attack can be implemented using a microscope equipped with a laser or a xenon lamp.
Local optical attacks require extraction of the chip, as described for the penetrating attacks. In this connection, the concept of semi-penetrating attacks, in which the chip is removed from the card but its passivation layer is not breached, has recently appeared in the literature. By this definition, many optical attacks are precisely semi-penetrating attacks.
At the same time, tests show that with infrared irradiation no chip shielding, including metal plates, helps. Therefore, by irradiating the card from its back side with an infrared laser, the desired result can be achieved.
Thermal attacks are based on changing the temperature of individual components of the chip. Most often, thermal attacks are aimed at changing the values of certain RAM bits; conversely, a significant decrease in temperature "freezes" the information stored in RAM. The effectiveness of thermal attacks depends significantly on the types of memory used in the chip. To counter thermal attacks, temperature sensors are used that raise an alarm if the temperature exceeds set thresholds.
However, today temperature sensors are no longer an effective means of countering thermal attacks. This is due to the appearance of a method called Thermally Induced Voltage Alteration (TIVA). The TIVA method uses local light irradiation produced by an infrared laser. Once inside the chip, the infrared radiation causes heating. At the same time, the characteristics of long-wave irradiation are such that its energy is insufficient for the irradiation to be detected by light sensors. Heating individual chip components causes the same range of errors as discussed earlier.
In conclusion, consider the attack caused by alpha radiation. Irradiating the chip surface with alpha particles (helium nuclei, consisting of two protons and two neutrons) changes the contents of memory and delays the signals used by the chip. In turn, these effects can be used to manipulate the computations performed while the application is running. For example, the PIN check or the integrity check of the information stored on the card can be bypassed. To mount this attack it is enough to have a weak radioactive source, which can be based on radium-226, thorium-232 or americium-241. Some minerals in everyday use are also sources of alpha particles.
From the attacker's point of view, an attack by irradiating the chip with alpha particles has a significant drawback: because of the stochastic nature of the radiation, it is difficult to predict the moment at which an error occurs in the chip.
An effective way of countering this type of attack is to cover the chip with plastic.
As can be seen from this review of Fault Attack class attacks, only some of them can be unambiguously classified as non-penetrating (for example, Spike Attacks and Glitch Attacks). Some attacks of this class, such as local optical attacks, should be classified as semi-penetrating.
To counter these types of attacks, chip vendors have developed a large number of countermeasures. For example, Infineon Technologies has implemented more than 50 different countermeasures in its SLE66P/PE and SLE88P chips. The most universal countermeasures include:
sensors and filters for monitoring the chip's operating conditions (these include light and temperature sensors, as well as filters that smooth out voltage surges and clock frequency changes);
encryption of the data in all types of memory (ROM, EEPROM, RAM) to prevent analysis of the memory contents;
scrambling or encryption of the data transmitted on the address and data buses;
use of a Memory Management Unit (MMU) to separate applications from the operating system, encrypt data stored in EEPROM and RAM, and control access to the various card applications;
means of countering attacks based on measuring the chip's power consumption or radiation: camouflaging the radiation or, conversely, reducing it with special filters, and variable logic for executing the same program;
use of a special processor design;
use of a special cryptoprocessor to execute the RSA and DES algorithms;
use of a special hardware random number generator for generating keys in the RSA scheme;
use of active means of protection against penetrating attacks.