accompanied by an armed person that may turn against us. Any new
mechanism can provide at the same time a new source of trust and a new source
of distrust.

Some sensors are integrated within the circuitry they protect; other internal
sensors are more
remote from the processor of the secure core. Whatever the length of the link
between the processor and the sensor, the link itself is an element to be
protected, as well as the sensor itself. Since internal sensors are within the
physical protection enclosure of the secure core, some measures of protection
apply to them as to any other component of the core. An example of an internal
sensor performing an external function would be an on/off toggle that would be
present at the surface of the secure core and used for simple interactions,
such as that of authorizing a purchase, or even more simply, to turn the secure
core on and off. Another example is a microphone. If it is tightly integrated
with the secure core then the physical integrity of the transducer can be
protected in part by means similar to the rest of the secure core. We say “in
part” because with each sensor comes new threats; for example, audio attacks on
a microphone.

Internal sensors are the most secure way to provide sensory capabilities to a
secure core. A
strong element of trust can be associated with the sensor’s integrity. However,
we must note again that the integrity of the sensor provides no guarantee as to
the validity of the signal it receives. If the wrong person pushes the yes/no
button or if an impostor speaks to the microphone, there may be no way for the
sensor itself to know this. Trust goes only as far as the physics of the sensor
itself. In order to assert further trust, additional processing must be added;
for example, voice recognition for the microphone. In addition, it is possible
to use multiple sensors and compute correlations. While this will never provide
a total guarantee, it will increase the level of trust. Typically, however,
this requires the use of external sensors.

External sensors are not part of the protection enclosure of the secure core.
Moreover, they can
be near to it or far away. A fingerprint scanner on the same substrate as the
secure core is local. A remote camera reached through the connection of the
card to the overall network can be located in any part of the world; hence, it
is remote. As we have seen, two security weak points are thus
created: the sensor itself and its link to the processor. As with any link that
is open to physical intrusion, an important defense is cryptography. This means
that the sensor itself needs to be capable of cryptographic operations, a
characteristic that we’ve found closely associated with secure cores. In other
words, the sensor must itself contain a secure core if trust needs to be
independently established in the integrity of the sensor. Therefore, we are
back to the situation of creating an internal sensor embedded within a secure
core. Unfortunately, this is an expensive proposition and it is typically not
done with high-volume secure cores. Today, most external sensors sold in high
volume don’t have their own specialized secure core; many don’t even have
cryptographic means. Information is captured by the sensor and sent as such to
the secure core. If we consider for example a fingerprint scanner, it is
possible for an interloper to read the data flowing from the scanner to the
secure core. It is also possible to modify the scanner itself to alter its
properties. That’s why the trust in any external sensor must be limited and
precautions taken to increase that trust, again by specialized processing and
by multiplying the sensory experience. If the fingerprint matches the voice
signature then the likelihood is higher that the right person is there. In
fact, that’s how the most secure government operations in the world work: they
multiply the sensors. Unfortunately, they can never be sure whether or not
someone is pointing a gun at the person being fingerprinted. We see that we
can multiply ad infinitum the ways to defeat the system. That is why there are
so many thrillers being written. Trust
in the causality of operation of physical systems seems never quite complete.
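
The cryptographic protection of the sensor-to-core link described above can be sketched as follows; this is an added example, not code from the original text. It assumes a sensor able to compute an HMAC with a key shared with the secure core, and the names Sensor, SecureCore, challenge and accept are hypothetical.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # bytes of fresh challenge from the secure core
TAG_LEN = 32     # HMAC-SHA256 output size


class Sensor:
    """External sensor provisioned with a key shared with the core (assumption)."""

    def __init__(self, key: bytes):
        self._key = key

    def read(self, nonce: bytes, sample: bytes) -> bytes:
        # Bind the sample to the core's nonce so an old frame cannot be reused.
        tag = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        return sample + tag


class SecureCore:
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(NONCE_LEN)
        return self._pending

    def accept(self, frame: bytes):
        """Return the sample if it is authentic and fresh, otherwise None."""
        nonce, self._pending = self._pending, None   # each nonce is single use
        if nonce is None or len(frame) < TAG_LEN:
            return None
        sample, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, nonce + sample, hashlib.sha256).digest()
        return sample if hmac.compare_digest(tag, expected) else None


def demo():
    key = os.urandom(32)
    sensor, core = Sensor(key), SecureCore(key)
    sample = b"constructed-fingerprint-template"   # constructed sample data
    frame = sensor.read(core.challenge(), sample)
    genuine = core.accept(frame)
    core.challenge()
    replayed = core.accept(frame)                   # old frame, new nonce
    altered = bytearray(sensor.read(core.challenge(), sample))
    altered[0] ^= 0x01                              # one bit changed on the link
    return genuine, replayed, core.accept(bytes(altered))
```

The tag establishes only that the frame came unmodified and fresh from a holder of the key; it does not hide the sample from someone reading the link, and it says nothing about who is in front of the sensor.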