So far we’ve talked in general terms of the appearance of the secure core and its interior circuitry. Now, let us be a bit more specific, starting with the physical enclosure. We’ve already seen that the form factor, as is said in the trade, is a card for phone applications. Actually, public phone cards are typically the size of standard credit cards, while a SIM card for a cellular phone is smaller. Even smaller cards are now being considered for cellular phones, which are becoming ever more miniaturized. The card form factor is very convenient for embedding a secure core in a personal electronic device, as it creates a natural frontier between the untrusted part of the device and its trusted part. The natural question at this point is whether the untrusted part somehow taints the trusted part. The answer is yes and no. As long as the secure part uses the unsecure part only as a channel to talk to another secure component somewhere on the network, there is little the unsecure part can do to alter the integrity of the secure core. Of course, it can close the channel of communication or flood it with meaningless garbage, and so it can undermine the trust placed in the secure core to function properly. Also, if the secure core relies on the unsecure part for obtaining input information, such as a personal identification number, the situation is more delicate, since the unsecure part can feed bogus data to the secure component. More to the point, the unsecure part can make a copy of the information and perhaps reuse it at a later time. We must then ask: if the input itself cannot be trusted, can anything be done to give the information at least some tamper-evident quality? As we’ll see, some measures can indeed be taken.
Thus far, our discussion illustrates the fact that it is difficult to limit trust to isolated components of the network while ignoring other components that may not themselves be trusted. We will come back to this issue later, when we explore the sensori-motor environment of the secure core of personal electronic devices. Indeed, in Chapter 9 we will suggest some mutational changes in such devices for just this purpose. For the moment, let us observe that the card form factor is not the only way to physically embed trusted cores. A very common form factor outside of the computer world is that of a key. A number of emerging computer-world components, such as the USB (Universal Serial Bus) memory sticks that readers are probably familiar with, take on characteristics very similar to those of standard keys. Another form factor is that of an RFID (Radio-Frequency Identification) tag. Yet another is that of an identity document such as a passport, in which the trusted core is inserted in the cover of the document. In all these cases the form is dictated by the function, but it does not necessarily provide additional security properties compared to the card form factor. However, this too can happen. For example, the trusted core embedded in a passport is protected by an electrical shield that prevents the passport information contained in the secure chip from being read at a distance. The chip can only be read from close proximity with specialized reading equipment, while the passport is open. In this particular case, we see clearly that trust extends to the physical environment of the secure core.
We have considered the form factor characteristics of the secure core. Now let us review the facilities of the secure core processor itself. The central part of the secure core is, as for any computer, the processor, or processors, since in some cases several are present. While a general-purpose processor might in principle be enough to provide secure operations, for reasons of efficiency secure processors most often show specialization, with tasks shared among dedicated modules. The most typical such configuration, almost a signature of secure cores, is a cryptographic co-processor: a processor specialized in the particular mathematics required by cryptographic operations. Fast processing of special computations requiring long-integer arithmetic can be obtained by dedicated circuitry, coupled with particular security measures necessitated by the very nature of the operations performed. These extra protections are needed because, if one wants to attack the operations of a secure core, the cryptographic processor is an obvious target: it does not just encrypt and decrypt information direct to or