with how a bank functions, consider that there is the central vault that contains our cherished goods. We want to trust that vault. Added to that are all the procedures surrounding taking goods out of the vault, or placing them inside it in the first place. In the case of the secure core, the vault derives rather little trust from its physical stature. Most of the trust emanates from the secure core being willing to die for the cause, and from its tenacity at regulating access to its most sensitive contents.
Finally, we need to mention that in some situations an alternative element of trust is the assurance that even if some part of the memory is destroyed, the information contained therein can be recovered, if it is of sufficient importance. This is achieved by using several mechanisms to check the integrity of the memory at all times, and by employing enough redundancy that the information can be reconstructed from the pieces that have not been altered. This, of course, flies in the face of our desire, in many instances, to see the data destroyed rather than ever compromised. Even stronger measures are possible to ensure that the original data have not been modified. The process that achieves this is called a digital signature. The idea is that when the data, perhaps those of the owner of the personal electronic device, are written, a mathematical function is applied to them that condenses them into a short summary, and that summary is then bound to a key held by the signer; the result is what is called the signature. The mathematics is such that it is extremely difficult to find a way to change the data while keeping the signature valid, and equally difficult to produce a valid signature for changed data without the key. Consequently, if someone attempts to surreptitiously change the data, the attempt is detected when the new data are checked against the existing signature: it will not match, and the data will be flagged as fraudulent. Here, the trust that the data are intact is based on trust in the underlying mathematics, and on the key having been kept out of the attacker's hands.
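As an added illustration of the check just described (example code written for this edition, not part of the original text nor of any particular secure core), the following Python simulates signing and verifying an owner record. The standard library carries no public-key signature primitive, so a keyed HMAC over SHA-256 stands in for the signature: the detection logic is the same, the difference being that with an HMAC the verifier must hold the same secret the signer used. The owner record, the key and the attacker's guess are constructed for the example; the unkeyed variant at the end shows why a summary alone, without a key, is not enough.

```python
import hashlib
import hmac
import json

# Constructed sample owner record, as the device might store it.
OWNER_RECORD = {"owner": "A. Example", "card_id": "0001", "limit": 500}


def canonical(record):
    """Deterministic encoding: identical records must yield identical bytes,
    otherwise an honest re-serialisation would look like tampering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign(record, key):
    """Summarise the record (SHA-256) and bind the summary to the key (HMAC).
    The HMAC stands in for a public-key signature in this example."""
    return hmac.new(key, canonical(record), hashlib.sha256).digest()


def verify(record, key, tag):
    # compare_digest runs in constant time, so the comparison itself does not
    # leak how many bytes of a forged tag happened to match.
    return hmac.compare_digest(sign(record, key), tag)


def demo():
    key = b"assumed secret held inside the secure core"  # constructed
    tag = sign(OWNER_RECORD, key)
    intact_accepted = verify(OWNER_RECORD, key, tag)

    # Someone rewrites the stored data but cannot recompute the tag.
    tampered = dict(OWNER_RECORD, limit=50000)
    tamper_detected = not verify(tampered, key, tag)

    # Without the key the attacker can only guess a tag for the altered data.
    forged_tag = sign(tampered, b"attacker guess")
    forgery_rejected = not verify(tampered, key, forged_tag)
    return intact_accepted, tamper_detected, forgery_rejected


def unkeyed_check(record, summary):
    """The weak variant: an unkeyed hash stored next to the data."""
    return hashlib.sha256(canonical(record)).digest() == summary


def plain_hash_is_not_enough():
    tampered = dict(OWNER_RECORD, limit=50000)
    # The attacker rewrites the data and recomputes the summary alongside it.
    forged_summary = hashlib.sha256(canonical(tampered)).digest()
    return unkeyed_check(tampered, forged_summary)  # True: tampering undetected


if __name__ == "__main__":
    print("intact accepted, tamper detected, forgery rejected:", demo())
    print("unkeyed hash fooled:", plain_hash_is_not_enough())
```

The canonical encoding step matters in practice: if the record is serialised differently on write and on check, a legitimate record will fail verification and the device will wrongly refuse it, which is the mirror image of the failure the signature is meant to catch.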
A rather routine way for memory to become corrupted is what is called tearing in the trade. Tearing arises from suddenly interrupting the operation of a secure core processor. The term comes from the initial form factor of secure cores, that of a card. When the card was inserted into a public phone, power was provided by the phone. If somebody suddenly removed the card, i.e., tore it out of the phone, the current would be interrupted and with it the operation of the card would cease. Whatever was in persistent memory at that instant would stay there, possibly half-written, and the card could be left in an inconsistent state. That inconsistent state might stop it from functioning, or, worse from a security point of view, it might let the secure core divulge confidential data when it is powered up again. Today, secure cores have sophisticated anti-tearing mechanisms built in, based around the concept of a transaction, a concept that we have discussed at some length with respect to interactions in general. Under a transaction, a multi-step update to long-term memory either completes in full or is discarded on the next power-up; data are only committed when the processor is sure that, even if tearing occurs at any intermediate point, the memory will be left in a stable state. Here again, trust derives from the integrity of the data of the personal electronic device. Trust is conveyed via confidence that the programmer who has defined the functions of the card has designed the programs with the precautions required for tearing protection. Actually, this requires specialized programmers, dedicated to the production of secure cores. There are few such programmers in the world, and the authors have had the privilege to meet and work with many of the top specialists.
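The redundancy-based recovery mentioned earlier and the transactional anti-tearing write described here can be shown together in one simulation (an added example, not code from the original text or from any real card operating system). It models persistent memory as two record slots, writes each new version of a record into the slot that is not currently live, and stamps it with a sequence number and a CRC; on power-up the slot with a valid CRC and the highest sequence number is taken as current. The slot layout, the 64-byte slot size and the use of CRC-32 are assumptions made for the example; a CRC catches accidental corruption such as a torn write but not deliberate tampering, for which the keyed check of the previous section would be needed. A fault-injection hook cuts power after a chosen number of byte writes to simulate the tear.

```python
import struct
import zlib


class Tear(Exception):
    """Raised to simulate power being cut in the middle of a write."""


class Nvm:
    """Constructed stand-in for the card's persistent memory: two 64-byte
    record slots plus a hook that cuts power after N more byte writes."""

    SLOT = 64  # assumed slot size for this example

    def __init__(self):
        self.mem = bytearray(2 * self.SLOT)
        self.writes_left = None  # None means no tear is scheduled

    def write(self, offset, data):
        for i, byte in enumerate(data):
            if self.writes_left is not None:
                if self.writes_left == 0:
                    raise Tear()
                self.writes_left -= 1
            self.mem[offset + i] = byte

    def read(self, offset, length):
        return bytes(self.mem[offset:offset + length])


# Assumed record layout: seq(4) | len(2) | payload padded to 54 | crc32(4)
PAYLOAD_MAX = Nvm.SLOT - 4 - 2 - 4


def encode(seq, payload):
    assert len(payload) <= PAYLOAD_MAX
    body = struct.pack(">IH", seq, len(payload)) + payload.ljust(PAYLOAD_MAX, b"\0")
    # The CRC is written last, so a slot only becomes valid once the whole record landed.
    return body + struct.pack(">I", zlib.crc32(body))


def decode(blob):
    """Return (seq, payload), or None if the slot is blank or torn."""
    body, (crc,) = blob[:-4], struct.unpack(">I", blob[-4:])
    if zlib.crc32(body) != crc:
        return None
    seq, length = struct.unpack(">IH", body[:6])
    return seq, body[6:6 + length]


class Store:
    """Transactional record store: every commit goes to the inactive slot,
    so the previous good copy survives until the new one is complete."""

    def __init__(self, nvm):
        self.nvm = nvm

    def current(self):
        """Power-up recovery: the valid slot with the highest sequence wins."""
        best = None
        for slot in (0, 1):
            rec = decode(self.nvm.read(slot * Nvm.SLOT, Nvm.SLOT))
            if rec is not None and (best is None or rec[0] > best[0][0]):
                best = (rec, slot)
        return best  # ((seq, payload), slot) or None if nothing valid

    def commit(self, payload):
        cur = self.current()
        seq, slot = (cur[0][0] + 1, 1 - cur[1]) if cur else (1, 0)
        self.nvm.write(slot * Nvm.SLOT, encode(seq, payload))


def demo():
    """Two good commits, then a tear ten bytes into the third; after the
    simulated power-up the second commit is still the current record."""
    nvm = Nvm()
    store = Store(nvm)
    store.commit(b"balance=100")
    store.commit(b"balance=90")
    nvm.writes_left = 10  # schedule the tear
    try:
        store.commit(b"balance=80")
    except Tear:
        pass
    nvm.writes_left = None
    (seq, payload), _ = Store(nvm).current()  # fresh object = power-up
    return seq, payload


def demo_in_place():
    """Contrast: overwrite the single live record in place. A tear leaves no
    valid copy at all, which is the unstable state the text describes."""
    nvm = Nvm()
    nvm.write(0, encode(1, b"balance=100"))
    nvm.writes_left = 10
    try:
        nvm.write(0, encode(2, b"balance=90"))
    except Tear:
        pass
    return decode(nvm.read(0, Nvm.SLOT))


if __name__ == "__main__":
    print("transactional store after tear:", demo())
    print("in-place write after tear:", demo_in_place())
```

The two-slot scheme is also the redundancy the earlier paragraph alludes to: the old copy is never touched until the new one is verifiably complete, so a torn write costs at most the update in progress, never the record itself. Real card operating systems typically journal the old bytes rather than keep whole duplicate slots, but the invariant is the same.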
In order to offer protection against attacks mounted while the device is operating, secure cores often use internal and external sensors. Internal sensors include detectors that warn of a surge in current, whether accidental or intentional. Light sensors can detect the light attacks that we have described previously. While such internal sensors provide a degree of trust, since by their presence they can protect against attacks, it is worth mentioning that any protection can become a threat in itself. Specifically, a sensor can itself be used as the vehicle for an attack. In fact, this has happened with surge detectors, which then had to be protected themselves. It is not unlike hiring a bodyguard. The bodyguard provides security, but at the same time we find ourselves