AES Bitstream Encryption in Virtex-4. How safe it is?

Hi,

I need to place my FPGA designs in a safe platform, and I have some questions:

  1. Does anybody know whether Virtex-4 AES bitstream protection has been broken?

  2. Do you consider it a good protection?

  3. What could a hacker do to overcome this protection, other than brute-force?

  4. Are there other alternatives in the market, from other vendors than Xilinx, providing the same or higher level of security?

Regards.

Reply to
Frai

Frai,

Other than the public announcement that the NSA has approved V4 for single chip crypto systems, what else would you need?

Seriously, no one has broken AES256, and no one has broken V4's implementation of AES256 (using the battery backed key memory).

A hacker would not attack directly, rather they would wait outside your building, and offer cash to anyone willing to reveal the key to them.

No other device exists that is 'generic' approved for all NSA single chip crypto systems. No ASIC, ASSP, nor FPGA. It has been called "completely disruptive technology" and many have told us "V4 will revolutionize the single chip crypto market."

formatting link

I just love it when there is 0 competition!

Austin

Reply to
austin

Didn't hear anything public ... doesn't mean it hasn't been done ... and even if never done, doesn't mean it can't ... As always with security it depends on the value of what you're protecting. But unless it's a control process for cold fusion, I'd say you're most likely in the clear.

Most people do .... so do I :)

- Bribe someone at the factory to 'listen' when programming the key
- Physically break into your office and get the source code or unencrypted bit
- Kidnap one of your lead developer's family members and shoot them one by one until he gives you what you want ... (iterate over the whole team as needed)

They may all seem 'weird' options ... but that's how I'd do it if I had to ...

Sylvain

Reply to
Sylvain Munaut

As Xilinx says in their documents, there is no unbreakable security.

I guess if Virtex-4 security is based on the AES algorithm and a secret key, the way to break the security would be to play with the implementation of AES in the FPGA, through manipulation of the encrypted bitstream, probably combining it with a timing attack or any other sort of attack that could eventually make the AES algorithm work in the wrong way, exposing some exploits that might be used for further attacks. This would be cheap and can be easily automated, although it would probably take long and might fail. If this or any similar attack were successful, all designs that reside in a Virtex-4 FPGA would be exposed to hackers. Anyway, from the conceptual point of view, I agree that Virtex-4 level of security is fairly good.

If you don't need in-field reconfiguration of the FPGA, the Actel Pro-Asic approach to security might be safer than Xilinx Virtex-4, since it does not let you play with the bitstream. This gives fewer tools for hackers to play with, making cheap attacks very difficult. Some expensive and time-consuming attacks might be possible, but this would only expose one design from one client, rather than all designs residing in Pro-Asic FPGAs around the world.

Just a thought...

Regards.

Reply to
Frai

I'd like to add something to this question.

V4 security protects your bitstream. This is enough when you just want to avoid the cloning of your product.

If you plan to implement a security application on V4 however, you will have to go further than just that. It's quite possible that your design will leak secrets despite the protected bitstream.

Regards, Marc

Reply to
jetmarc

Hi Austin,

Altera StratixII has bitstream encryption, with keys programmed (one time!) into poly fuses.

Altera Stratix3 has bitstream encryption, with the option of keys programmed into poly fuses OR held in battery backed SRAM.

Presumably you are aware of both of these products. Do you know of some fault in their implementation that would lead you to describe them as "0 competition"?

Thanks, Allan

Reply to
Allan Herriman

Allan,

No Altera product with poly efuse is able to meet FIPS 41, none are approved by the NSA.

In my book, that means we see no competition (all customers that require FIPS 41, or NSA approval come to Xilinx).

Now, if you do not require FIPS 41, or you are not interested in NSA compliance, then the Altera solutions are perfectly good, and useful. In no way do I imply they are poor solutions, however, they are not in compliance with the highest level standards, and they are not approved for generic use in US government contracts.

That means, they are not a solution for banking (which requires FIPS 41), and other commercial markets as well.

What is left? From the "Virtex" point of view, nothing at all of import.

Perhaps in the Cyclone/Spartan world, there are some good sockets they win (and we do too) for anti-cloning of consumer goods.

I am sure they will have FIPS 41 compliant products at some point. I am also sure they will eventually get NSA approval (if they can meet their requirements, as the US government is not allowed to play favorites, and must treat all fairly). Until then, we enjoy the sockets we are getting.

Austin

Reply to
austin

Thanks for the explanation.

We make various data security products, some with FIPS 140 certification (or under evaluation). However, the entire product gets certified, not just some chip in the middle of the box. On that basis, I wouldn't have problems using Altera parts in a FIPS certified product. (Some applications put the "security boundary" at the chip, but that doesn't apply to us.)

BTW, we had been ordering Xilinx V2P parts for an older product, with the special order code that means that the DES bitstream encryption gets tested. We were advised by our supplier that these will no longer be available. What's the story there? Will the same thing happen to our V4 designs?

Regards, Allan

Reply to
Allan Herriman

Allan,

The special order codes ('SCD') are best when folded into the normal production, so no special anything is required. The special code goes away, and the regular product supports the feature.

This is unique to only some parts/packages/test programs, and is never intended to last forever (only to improve quality for specific customers when the test program isn't complete). When we are made aware of a test coverage gap, we improve the test program. Once the test program is sufficiently integrated, we can retire the special flow.

Understand that a 1000 ppm "test escape" is considered a terrible thing by Xilinx, as we strive to achieve "0 defects."

We have had cases where a particular customer brings to our awareness a test escape issue, and often no other customer has noticed the issue (many 10's of thousands of parts shipped, with no returns whatsoever).

Regardless, every test escape is taken very seriously, as it reflects directly on the product quality, and our customer's trust in Xilinx (to do the job right).

The (3DES/AES256 key) features are standard, and fully supported. If a feature is to be removed, we must issue a 'PCN' (production change notice, which allows 90 days before it is implemented, and also allows for last time orders before we remove anything at all), and notify everyone. That is a very rare event (as it has to be).

Austin

Reply to
austin

Frai,

There are many who claim "oh, this is easy..."

However, back in the Virtex II Pro days, we issued a challenge, and more than 7 universities and research groups accepted the challenge.

We provided a 2vp7 pcb with usb port, and pins for access to power, that had the key battery installed (300 mA lithium coin cell), and the part was programmed with a 3DES encrypted bitstream.

All 7 challengers gave up. Their basic conclusion was all the things they thought would work, differential power attack, spoofing by power glitches, attack with freeze spray, etc. FAILED.

Now, can someone crack the scheme, and get the unencrypted bitstream? Well, we are unable to get anyone interested to try it, as they tried the obviously less secure 3DES, and didn't get anywhere.

Also, I presume the NSA tried, as they eventually approved V4. If I was the NSA, I would have put a great deal of effort to try to break it if I knew that the devices would go into all modern crypto-systems! However, I know nothing of what they did (their report is classified).

Unfortunately, no one publishes a master's thesis or PhD thesis that says "I failed to crack this encryption" so there are no records of these attempts failing. But, no one has been able to get at the key, or to find anything about the bitstream, ever since we first introduced the features starting with Virtex II.

On the other hand, polarized light, and a high school microscope, can be used to read the state of any efuses in a chip (which is why they are excluded as a solution by the standards). The fact that some vendors scramble their efuse contents just means that they do not really understand what security is all about ("there is no security in obscurity"). Once the "secret" is out (by reverse engineering the hardware or software), then all of the products shipped become vulnerable.

Our approach has no secrets whatsoever: the algorithm is public, as is the design of the encryptor and decryptor. That is why it complies with the standards for constructing a secure system.

Austin

Reply to
austin

The V2P crack challenge bounty was 25KUSD in total? Or was it even less? Well, doesn't matter, it was definitely less than needed for anyone to REALLY try to crack the V2P key. It doesn't mean it would be doable, only that the university results are not the "final judge". And whatever (if anything) the NSA did is classified...

But, yes, the BEST security is FPGA with NONVOLATILE key. FIPS also requires KEY CLEAR, which is only supported by V-5 without external circuitry.

Everything flash based or with something nonvolatile is instantly less secure.

From what I have heard, the "thumb estimate" to read out ANY flash-based microcontroller's protected code is about 1000 USD. Reading back a protected ATmega8 has been as cheap as 800 RMB (112 USD) (no, I have not done that, I just know the work being quoted at that price).

Sure, that was a thumb estimate; the price for some flash MCUs could be higher. I assume it's only valid for normal flash MCUs, not for those designed for increased security.

Reading e-fuses with a microscope in the UNI, well, it sure can be possible. I have myself placed a needle with bare hands onto a 6 micron track on the die of a Motorola ROM-based smartcard chip. LOOOOONG time ago. That was not-secure technology, and very old.

With slightly better tools the modern chips could possibly be hacked as well, but as for the easiness of efuse reading, I think it's not that trivial either. In the market segment where product cloning is a major issue there is NO KNOWN case of an Actel chip ever being cloned. And the people who would like to clone Actel-based products are not some students, but some smaller ASIC people.

But in MOST cases the security is downgraded by other means, not the main key/algorithm.

As an example, the Nintendo Wii is protected by an AES key, stored in an OTP area on a custom ASIC. This key has _never_ been read out, but the protection has been broken by side-channel attacks.

The first break-in into the system was by swapping address lines between the main CPU and the ASIC; later a stack-overflow exploit was found. By inserting the "Twilight Princess" DVD and using a modified saved game that causes a stack fault, the AES security is fully bypassed without opening the Wii.

... So having the FPGA AES-protected is nice. But that says NOTHING about the overall system security and protection at all.

Antti

Reply to
Antti

Thanks for the clarification. Our purchasing guy was worried about this. But... no longer.

Regards, Allan

Reply to
Allan Herriman

NSA may have their reasons to not approve crypto systems that are "too good".

Reply to
sky465nm

Antti,

Good points. Even the best component security doesn't equate to a high level of system security.

You are also correct to point out the Actel antifuse (basically a via that can be 'popped') where it is 'impossible' to map all of them, and hence how the part is programmed. This is only because no one has automated this attack: if automated, it could be done (shave off 10 angstroms, take a picture, repeat, then rebuild the connections).

Don't forget some attackers have infinite labor, and infinite patience. My favorite example is when the students took over the American Embassy in Iran, and then put back together all of the shredded secret documents ... a massive task, but just a big puzzle after all (and one that could be, and was, solved).

Austin

Reply to
austin

I knew someone would say this,

Yes, there are those that think because the NSA approves a crypto standard, they either have a back door, or some other way around it.

You give them far too much credit.

They are not that smart.

If there is a weakness, or a back door, then they have created a way for all systems they certify to be broken.

They are also not that stupid.

Austin

Reply to
austin

BTW, this is not even a problem of labor and patience anymore:

formatting link

:)

cu, Sean

--
My email address is only valid until the end of the month.
Try figuring out what the address is going to be after that...
Reply to
Sean Durkin

The word is there are companies that specialise in cracking this sort of security feature. You'll have to bring a big amount of cash though. I'm not at all impressed by claiming the NSA or several universities couldn't crack it. Nice sales pitch, but I'm not buying it :-) The really clever people work where the money is and that is usually not in a government job.

--
Programming in Almere?
E-mail to nico@nctdevpuntnl (punt=.)
Reply to
Nico Coesel

Nico,

Universities often crack crypto systems. They are usually the first to do so. DPA, and other techniques have all been pioneered at schools.

I went out, and solicited bids for various "cracking" jobs.

Unfortunately, no one took any of them.

All I received was "no bid."

There are reputable reverse engineering firms, but they are not stupid, they will not agree to do work for which they will not be paid.

They had to deliver something in order to get paid.

No bid.

Could a nation-state decide to go and reverse engineer something? Sure, and that falls into the "infinite resource" attacker category. They might not succeed, but I am sure they would try their best.

Thankfully, in the commercial segment, I don't have to worry about that level of attack. That is the level of attack the NSA is worrying about. And they said: "use Xilinx."

Austin

Reply to
austin

A bit off topic, but I have found the following blog quite an interesting read regarding the security of various products:

formatting link

They also have very nice photos on it :)

/Andreas

Reply to
Andreas Ehliar

I think claiming 3DES to be "obviously less secure" is a bit much. DES has withstood far more attacks than AES. After all that, there are no known attacks that are significantly better than brute force, so 3DES is quite secure.

AES *might* be as secure or more, but since it hasn't had nearly as much time to be poked and prodded by cryptographers, I wouldn't count on it.

Of course, some clever cryptographer might come up with a new attack against either one.

The biggest advantage of AES over 3DES is that AES is approved by the US government now, and DES no longer is. (I think 3DES still is for at least some applications.) For my own data, I prefer 3DES.

Reply to
Eric Smith
