A crucial part of the PSA Certified scheme is the independent testing of silicon for the PSA Root of Trust (PSA-RoT). There are three levels of PSA Certified, which have been introduced to the scheme since its inception in 2019. PSA Certified Level 3 is described as a “substantial level of assurance and robustness”. We wanted to explain exactly how we define “substantial” and what the key difference is from PSA Certified Level 2.
PSA Certified Level 3 Snapshot
PSA Certified Level 3 is for chip vendors who want to demonstrate that their Root of Trust protects against substantial physical and software attacks (for example protecting private cryptography keys or debug interfaces against voltage glitching or DPA attacks).
PSA Certified Level 3 at a Glance
| Protection Profile | PSA-RoT Level 3 Protection Profile or PSA-RoT Level 3 SESIP Profile |
| Robustness | Physical and software attacks in scope with Attack Potential <21 |
| Assurance | SESIP Level 3 or PSA JSA Level 3 Evaluation Methodology and Attack Methods |
| Certification Body | Trust CB |
The scope of evaluation for PSA Certified Level 3 is the chip’s Root of Trust, with a definition of the security problem outlined in a Protection Profile (PP) published on the PSA Certified website. The PP summarizes the threats in scope as well as the security functions that the chip developer must meet, such as secure storage, good quality crypto and an attestation method. Before the developer sends off their chip to the evaluation lab to be tested, a Security Target (ST) document must be written to describe how the security functions outlined in the PP have been met. The ST is used by the evaluation lab, along with a code review, in an initial step of vulnerability assessment that helps shape the lab’s testing plan.
Compared to PSA Certified Level 2 the evaluation laboratory does more vulnerability analysis, including a full literature search of conference and academic papers for guidance on potential vulnerabilities. This vulnerability analysis and access to source code help the lab develop a test plan that is reviewed and approved by the Certification Body. To allow for more in-depth testing, the time to carry out that evaluation is increased from 25 days for PSA Certified Level 2, to 35 days for PSA Certified Level 3. In GlobalPlatform’s SESIP assurance package language this is SESIP Level 3 with a fixed time in lab of 35 days against the security requirements outlined in the PSA Certified PSA-RoT Level 3 SESIP PP.
The sophistication of the attack methods available to the lab, otherwise known as the Attack Potential, is increased at PSA Certified Level 3 when compared to PSA Certified Level 2. The Attack Potential (AP) is represented as a number on a scale used to compare different attack paths. The scale is calculated using factors such as the effort, the time, the equipment, the expertise, and the sophistication of attacks, among other considerations. For reference, a smart card would be 31 on the scale. The AP is increased from 16 for PSA Certified Level 2 to 21 for PSA Certified Level 3. To find out more about how attack paths are calculated, please read section 4 of the JSADEN008 document “PSA Certified Level 3 Attack Methods”, which can be requested from your evaluation lab of choice. Within this document, you can also find worked examples that cover the scope of PSA Certified Level 2 and PSA Certified Level 3.
The biggest change in Attack Methods between PSA Certified Level 2 and PSA Certified Level 3 is that PSA Certified Level 3 considers attacks that require physical presence for the attacker at the exploitation phase – as opposed to only considering attacks that can be carried out remotely, even if they require physical attacks in the investigation phase.
| Level of Evaluation | Security Protection |
|---|---|
| PSA Certified Level 2 | Protection of Root of Trust assets from scalable remote software attacks |
| PSA Certified Level 3 | Protection of Root of Trust assets from substantial hardware and software attacks |
A Worked Example
So, what does this mean in practice? We’ll look at attacks involving power glitches and see what needs to be addressed at PSA Certified Level 2 and PSA Certified Level 3.
At PSA Certified Level 2, as the attack is assumed to be carried out remotely, the test house can only consider power glitching as a method to identify an attack.
If the design has unique keys, or if the image is signed and the private key is securely protected at the development site, the test house will be able to tell in the analysis phase that there is no class secret to be extracted and hence no scalable attack. Therefore, they would exclude this attack at that point and would not even attempt it, as there are more useful things to test.
However, at PSA Certified Level 3 we consider physical attacks in the exploitation phase. So the test lab must examine whether a spike or dip on the input voltage could cause a command to be skipped, resulting in a bypass of the firmware verification at boot.
Depending on what protection is implemented against writing to the location for the firmware image, this comes in with an AP rating of approximately 17. This means that, apart from some very naïve designs, the attack would be above the level that could be considered for PSA Certified Level 2 even if physical attacks during exploitation were not excluded. But it falls within the attacks to be considered for PSA Certified Level 3.
However, if the attacker needed to mill the top off the die and attack the chip with a laser to make the boot sequence skip the test, that would take the attack potential to at least 22. It would therefore be out of scope and not considered, even at PSA Certified Level 3.
The PSA JSA definition of “substantial” assurance and robustness for the chip’s PSA-RoT provides an easy-to-understand security promise for the OEM: a PSA Certified Level 3 chip will protect critical assets such as crypto keys against substantial physical and software attacks. If you want to understand the detail of which attack methods are in scope with an attack potential of 21, the PSA JSA have published a document with example attacks and their AP rating: the PSA Certified Level 3 Attack Methods document (JSADEN008), which can be requested from your evaluation lab.
For chip vendors, achieving PSA Certified Level 3 is technically challenging as additional counter-measures in hardware and software to protect PSA-RoT assets against voltage glitching and use of ChipWhisperer style DPA equipment are likely to be required.
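One software countermeasure of the kind mentioned above, shown for the worked example's skipped-command glitch. This is an added illustration, not code from the PSA Certified documents or any vendor's boot ROM. The single-skip fault model (`skip`), the function names and the status constants are assumptions, and the digests are constructed sample bytes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed fault model: a glitch skips exactly one numbered step (skip < 0
   means no fault). Names and constants are illustrative assumptions. */
#define RUN(n) if (skip != (n))
#define BOOT_ALLOW 0x3CA5965Au   /* bitwise complement of BOOT_DENY */
#define BOOT_DENY  0xC35A69A5u

/* Branch-free digest comparison: returns 0 only when all bytes match. */
static uint32_t digest_diff(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint32_t)(a[i] ^ b[i]);
    return d;
}

/* Naive: booting is the default and a single branch guards it. Returns 1 = boot. */
int naive_boot(const uint8_t *got, const uint8_t *want, size_t n, int skip) {
    int boot = 1;
    uint32_t d = 0;
    RUN(0) d = digest_diff(got, want, n);
    RUN(1) if (d != 0) boot = 0;          /* skipping this boots a bad image */
    return boot;
}

/* Hardened: fail-closed default, duplicated comparison, control-flow counter. */
int hardened_boot(const uint8_t *got, const uint8_t *want, size_t n, int skip) {
    volatile uint32_t status = BOOT_DENY;       /* deny unless proven good */
    volatile uint32_t d1 = 1, d2 = 1, flow = 0; /* defaults mean "mismatch" */
    RUN(0) d1 = digest_diff(got, want, n);
    RUN(1) flow += 1;
    RUN(2) d2 = digest_diff(want, got, n);      /* second, independent compare */
    RUN(3) flow += 2;
    RUN(4) if (d1 == 0 && d2 == 0 && flow == 3) status = BOOT_ALLOW;
    return status == BOOT_ALLOW;
}

/* Count the single-step skips (0..steps-1) under which a tampered image boots. */
int bypass_count(int (*f)(const uint8_t *, const uint8_t *, size_t, int), int steps) {
    static const uint8_t want[4]     = {0xde, 0xad, 0xbe, 0xef}; /* constructed */
    static const uint8_t tampered[4] = {0xde, 0xad, 0xbe, 0xee}; /* constructed */
    int hits = 0;
    for (int s = 0; s < steps; s++) hits += f(tampered, want, sizeof want, s);
    return hits;
}

int main(void) {
    printf("naive: %d, hardened: %d\n", bypass_count(naive_boot, 2), bypass_count(hardened_boot, 5));
    return 0;
}
```

The model covers only one skipped step per boot; corrupted data and repeated glitches are outside it.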
The following documents are available to help the chip developer with their PSA Certified Level 3 evaluation:
- JSADEN009 – PSA Certified Level 3 Protection Profile (We suggest starting with this document)
- JSADEN011 – PSA Certified Level 3 SESIP Profile
- JSADEN008 – PSA Certified Level 3 Attack Methods
- An example Security Target document.
The documentation can be requested from your evaluation lab.
When considering the level of certification for a chip, a pre-evaluation with an evaluation lab is recommended early in the design-cycle. The lab will outline the expected security requirements and de-risk the project. A pre-evaluation assessment can also help to highlight issues that might need addressing or provide confidence that the chip is likely to pass.