9

In contrast to digital cryptographic algorithms and protocols where many qualified high-IQ individuals dig into the details and specifics, physical tamper resistance for low-tech packages is not pentested as much.

There are some folks out there who do it for money, though, but their results aren't easily available. There's one link to a Vulnerability Assessment Team at Argonne National Lab with intriguing results: http://www.ne.anl.gov/capabilities/vat/seals/index.html

I have looked for patents at the U.S. Patent and Trademark Office and identified quite a few of them, the latest being U.S. Patent 7,230,687 B2, and the earliest dating back to 1916 (U.S. Patent 1,201,519 assigned to one Arvid Sorensen).

I wonder what criteria one should apply to various tamper-resistant offers in the market (numbering upward of 180, based on a shopping engine search), provided that there are no in-house skilled physical pentesters.

One criterion that I've already hinted at is presence or absence of a patent (of course it doesn't prove security - there are loads of patented snake oil recipes, for that matter, but at least it is somewhat analogous to open-source in the digital world).

Another solution would be to sample large outfits' secure tamper-resistant envelopes, hopefully piggy-backing on their evaluations and "going with the flow", but I'm not sure they haven't done the same.

Please note that this is not a shopping question. Answers should avoid naming providers and instead present objective criteria for evaluation.

Deer Hunter
  • As per Adnan's remark, please read "tamper-evident" instead of "tamper-resistant"... – Deer Hunter Jul 21 '13 at 14:44
  • 3
    I would also watch the events from DEF CON 21's Tamper Evident contest https://forum.defcon.org/showthread.php?t=13482. This will be the third year this is run and there is already a decent amount of bypasses and information circulating now. It will probably increase since this year they are starting a Tamper Evident Village, where everyone can play with numerous Tamper Resistant/Evident/Proof devices. – Casey Jul 21 '13 at 15:04
  • @Casey, this is great! Since it directly overthrows one of my statements ("nobody does that in public, nya, nya") please consider expanding your comment into an answer (maybe with details on past bypasses). I know at least one person who would upvote it. – Deer Hunter Jul 21 '13 at 15:15
  • 1
    Past DEFCON attacks can be found here: http://www.tamperevidentwiki.com/showwiki.php – John Deters Jul 22 '13 at 01:45
  • I think that one of the things which is crucial to monitor is how much time has elapsed since the opening of the package, since that will give us an indication of the status of the contents. Meir – meir Sep 02 '13 at 11:57
  • The DEFCON Tamper Evident Wiki seems to be down and nothing useful in WayBackMachine. Anyone have a working link to the content? – rkagerer Jan 16 '18 at 07:15

2 Answers

8

Let's get something straight first. In the general sense, there's pretty much no such thing as tamper-resistant in the envelope/packaging world. What you're looking for is tamper-evident.

The criteria upon which you evaluate a tamper-evident envelope are the same as those used for evaluating any other security measurement. Forget everything about the solution itself and rather think of why you're looking for a solution. It's easy to say that your problem is tampering, but it's not.

So the criteria hugely depend on your threat model. Other than that, there's basically one criterion: if the envelope is tampered with, we'd like to detect that with a high level of confidence.


In 1997, the Nuclear Regulatory Commission issued RG 5.15, in which they outlined criteria upon which to judge the effectiveness of tamper-evident mediums used to store nuclear documents. I'll quote some of them:

  • The information taken and recorded at the time of seal application is inadequately protected, enabling a diverter to forge documentation to support or cover the diversion.

  • The method of postmortem examination of the seal is not sufficient to detect a defective or compromised seal.

  • The location and method of seal application makes the seals vulnerable to accidental damage, providing a history of such incidents that might be used to conceal a willful attack.

After that they list certain acceptable types of tamper-evident devices to store the highly sensitive data.

In the same year, researcher R.G. Johnston published a paper outlining some deficiencies in the RG 5.15 and the then-standard ASTM F1158-88 protocol. Johnston did a great job providing crystal clear instructions for the process, combining the pros of the previous standards and patching most of their cons.

A detailed description of the successful attacks. For each attack the following information should be provided:

  • Is the attack theoretical, partially demonstrated, fully demonstrated but not perfected, or practiced to perfection?

  • What are the cost, time, and effort to devise and demonstrate the attack?

  • What time is required on-site to do the attack?

..

  • What is the level of defeat?

  • Is inside information necessary for the attack, or just what is publicly available?

Despite Johnston's findings and recommendations, the ASTM F1158 is still the de facto standard protocol for assessing security seals.

Adi
  • One small note: RG 5.15 is superseded by [RG 5.80](http://pbadupws.nrc.gov/docs/ML1018/ML101800504.pdf). It cites 4 modes of attack on seals: substitution, removal and reapplication, alteration of label data, alteration of separately recorded data. Thanks for the ref, I read the Argonne link, but failed to realize the connexion with the NRC regs. – Deer Hunter Jul 21 '13 at 14:56
  • 1
    @DeerHunter Thanks for the update. I encourage you to read the whole of Johnston's paper. You may ignore his recommended devices and depend on the RG 5.80 for that, but pay close attention to his assessment method. – Adi Jul 21 '13 at 16:03
2

This is an interim post to capture valuable information from Casey's and John Deters' comments. Everybody is welcome to edit this post adding extra details.

Casey:

I would also watch the events from DEF CON 21's Tamper Evident contest. This will be the third year this is run and there is already a decent amount of bypasses and information circulating now. It will probably increase since this year they are starting a Tamper Evident Village, where everyone can play with numerous Tamper Resistant/Evident/Proof devices.

Note: DEFCON 21 will take place at Las Vegas, NV on August 1-4, 2013. What happens in Vegas, stays in Vegas, they say, but I hope it won't be so for takeaway lessons on Tamper Evident Packaging.

John Deters:

Past DEFCON attacks can be found here: https://tamperevidentwiki.com/showwiki.php

Deer Hunter's note on Tamper Evident Wiki: the exploits here aren't really impressive. However, there are a few links worth exploring:

(to be continued)

EDIT:

Deer Hunter