Good FPGA for an encryptor


16EUR would be perfect, my sweet dreams come true. :-)

Actually, I wouldn't either. :-P

Thank you Antti once again! It seems that I have to find a Lattice distributor in Poland and purchase a single XP chip.

Piotr Wyderski

Check the disti, yes. But you are better off to buy the XP low cost eval board. The XP10 you would get in BGA and it doesn't make sense to go doing anything with it.

And if you have some FPGA then you can simply test your design on whatever you have ready and at the same time verify that your design is also synthesizable for XP using Lattice tools.

BTW the Lattice tools look almost 100% the same as Xilinx tools as they are both based on NeoCAD :)

Antti

Antti Lukats

Actually, it often helps. You can use the bitstream encryption, IF your encrypted bitstream knows the key and how to modify the encrypted bitfile and encryption-loader key, to store a good amount of nonvolatile key material in a system which should be (ideally) equally hard as breaking the bitfile encryption.

See pages 16-18 in particular in this talk I did:

formatting link

--
Nicholas C. Weaver.  to reply email to "nweaver" at the domain
icsi.berkeley.edu
Nicholas Weaver

Hi Piotr,

Not sure if this would meet your needs or not, but MAX II has on-chip flash where you could store the key. The devices aren't as big as Cyclone though -- ~2k LEs is the biggest MAX II device, and it doesn't have on-chip embedded RAM blocks. So whether MAX II is a good fit depends on whether you need the density & on-chip RAM of Cyclone as well as the on-chip flash that MAX II has.

Regards,

Vaughn Altera [v b e t z (at) altera.com]

vbetz

Hmm. As I understand it, if the algorithm is known, a skilled attacker will find the key with differential power analysis within hours if he can take the board to the lab. So you do not gain much by encrypted bitstreams or even an OTP part. You only prevent amateurs from breaking your chip, but they can always pay an expert.

You can of course invent your own algorithm and keep it secret, but I doubt that this will be any more secure.

The only way to be safe is to make sure the key never ends up in a hostile lab, for example by carrying it around on a keychain.

Kolja Sulimma

Kolja Sulimma

I'm not an expert (I'm not even an amateur) in cryptography, but can you not fool differential power analysis by adding extra logic to cause unpredictable switching to swamp any useful power analysis?

David Brown

If it is random noise, then one could collect many samples of the same cryptographic operation and average them out.

The noise averages toward zero, the signal increases with more samples.

So it puts the cryptanalyst to more trouble, but it is not insurmountable.

In DAC chips, I noticed that bits would switch currents into the output circuit or a 'dumping' load. This is done so there is a constant current load on the power rail and thus less noise to affect other bits.

Ideally a crypto device would do the same thing.

However, I should point out that all current FPGA chips are unsuitable for cryptography where a skilled attacker can get hold of it. They are very regular in structure, relatively easy to probe, and not built with anti-analysis features.

Modern smart card chips are designed to make attack harder. Key bus and control lines might be buried so one has to etch as well as probe, data storage physically jumbled, and so on. They can still be analysed given enough time and money, but the aim is to make this more expensive than what the attacker can gain from the process.

That said, the Cambridge company nCipher uses FPGA chips in its web-encryption products. These sit in the service provider's locations, so they are more secure than being out in the field.

K.

Kryten
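To put numbers on the exchange above (David Brown's random-switching idea and Kryten's averaging answer), here is an added simulation that is not from the thread: a TVLA-style leakage check over a toy Hamming-weight power model (an assumption, not a measurement of any real FPGA), comparing random swamping noise with balanced constant-current logic. The names `NoisyLeak`, `BalancedLeak`, `DiffOfMeans` and the noise level `sigma` are mine.

```go
package main

import (
	"fmt"
	"math"
	"math/bits"
	"math/rand"
)

// Leak is a power model: one trace sample for input byte d under key byte k.
// Assumption: Hamming-weight leakage of d^k, not a measurement of any real part.
type Leak func(d, k byte, rng *rand.Rand) float64

const sigma = 10.0 // random "swamping" noise, ten times the one-bit signal

// NoisyLeak: the real data-dependent toggling plus extra random switching,
// i.e. the countermeasure David Brown asks about. The noise differs per trace.
func NoisyLeak(d, k byte, rng *rand.Rand) float64 {
	return float64(bits.OnesCount8(d^k)) + sigma*rng.NormFloat64()
}

// BalancedLeak: dual-rail / dummy-load logic (Kryten's DAC analogy): every
// operation toggles the same number of lines, so only the noise remains.
func BalancedLeak(d, k byte, rng *rand.Rand) float64 {
	return 4.0 + sigma*rng.NormFloat64()
}

// DiffOfMeans splits n random traces by one bit of d^k and returns the mean
// difference and its z-score; the standard error shrinks as 1/sqrt(n).
func DiffOfMeans(leak Leak, k byte, n int, seed int64) (diff, z float64) {
	rng := rand.New(rand.NewSource(seed))
	var s, q [2]float64
	var cnt [2]int
	for i := 0; i < n; i++ {
		d := byte(rng.Intn(256))
		p := leak(d, k, rng)
		g := int((d ^ k) & 1)
		s[g] += p
		q[g] += p * p
		cnt[g]++
	}
	c0, c1 := float64(cnt[0]), float64(cnt[1])
	m0, m1 := s[0]/c0, s[1]/c1
	v0, v1 := q[0]/c0-m0*m0, q[1]/c1-m1*m1
	diff = m1 - m0
	z = diff / math.Sqrt(v0/c0+v1/c1)
	return diff, z
}

func main() {
	d, z := DiffOfMeans(NoisyLeak, 0x5A, 100000, 1)
	_, zb := DiffOfMeans(BalancedLeak, 0x5A, 100000, 1)
	fmt.Printf("noisy: diff=%.3f z=%.1f   balanced: z=%.1f\n", d, z, zb)
}
```

With a thousand traces the one-bit difference is buried in the noise; with a hundred thousand it is resolved to a decisive z-score, while the balanced model stays at zero however many traces are collected.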

Howdy Antti,

Agreed - the Xilinx press releases are near useless. Looks like you have to get into some decent quantity before the price drops below $100:

formatting link

Marc

Marc Randolph

Kolja,

No one has proven that DPA can crack the decryption on the V2, V2Pro, or V4 ... yet.

And it isn't for the lack of trying.

So, the challenge remains: Can DPA crack 3DES or 256AES as implemented in V2, 2Pro, or V4?

Austin Lesea

Kryten,

I disagree: Virtex 4 FPGAs may be the only really secure means of developing a good crypto application.

What can be more regular than an ASIC? It is all there, every bit of information, to be sliced and diced.

With an encrypted bitstream in an FPGA, there is an additional level of encryption that makes it even harder to crack. Not only is the design a secret, and its implementation, but the attacker does not even know where any wires of interest, or any bits of interest are being kept.

Additionally, security minded companies do not need to have a "secure foundry" build their chips: any foundry that makes the FPGA 'could' modify the masks, but that can be easily detected by comparing the FPGA with the original mask set (simple inspection).

Attacks of DPA, flipping individual bits with laser/particle beams, etc. all fail due to the immense complexity of the problem. The FPGA with a billion transistors is not a stupid 'smart card' running a simple 8 bit uP program that can be easily spoofed.

I have challenged, and continue to challenge anyone to crack the FPGA security (only by breaking it can we make it better).

To that end, we still have some USB V2 Pro Logic Vault cards that are available for serious security hacking.

Austin

Austin Lesea

FPGAs also give you yet another level of security here. For any given circuit functionality, and given sufficient timing/size margin, there are billions of different placement and routing combinations that will do the same thing. One could quite easily automate the process of creating a new, individual bitstream for each device to be shipped - particularly in Piotr's case, since he is talking of very small production runs.

This technique doesn't help you against an attack on an individual device, of course. What it *does* mean is that cracking device X doesn't help you to crack device Y as well, because all the wires and logic elements are in different places. You'd have to start again from scratch. The avalanche effect in the bitstream encryption makes each (bitstream, device) combination into a completely unique problem. This would be reassuring to a customer wanting to buy a large number of these magical crypto chips.

Cheers,

-Ben-

Ben Jones

Austin,

At FPL2004 differential power analysis on FPGAs was demonstrated. FPGAs have large capacitive loads on the interconnect that help the attacker.

This is not true for bit stream encryption, but here the attacker has the advantage to learn all about your implementation of the algorithm by experimenting with his own V4 and his own keys first before trying to crack a foreign key. Anyway, we are not talking about reverse engineering here, so I do not care about bit stream encryption. I just want the key stored in the FPGA. You can do that without opening up the FPGA and without knowing the bitstream.

I know people who succeed with this approach for most smart cards, which is a lot harder than for FPGAs because these have logic cells and interconnect that tries to consume the same power independent of the data. All differential and so on.

Kolja Sulimma

Kolja Sulimma

How much is the award? ;-)

Good point. BTW, Austin, why isn't it possible to implement bitstream encryption on all Xilinx devices? Is the circuit too complex, i.e. does it consume too much silicon?

Well, good smart cards are extremely hard to crack -- they are explicitly designed to survive an attack; FPGA chips are not (at least most of them).

Best regards Piotr Wyderski

Piotr Wyderski

Piotr,

I bet you are not getting many direct answers (about the award) when asking in public, so let me answer -

if you could today prove that you can with 100% success crack the V2Pro/V4 security by non-destructive methods, then

1) you should be VERY QUIET; asking 'how much is the award' is already almost too non-quiet in this matter
2) get a VERY GOOD lawyer

The lawyer would negotiate an escrow account for you, up to the sum of the cost of one set of masks, that would be yours only if you keep your mouth shut forever, covered by some very strict agreement.

If the lawyer doesn't get the deal for you, then you hired the wrong lawyer.

That's my 2 cents' opinion.

You think it's worth the trial?

I have done the impossible once, but I would spend my time (unless paid per hour) to crack the V4 security. The impossible I did was an ultimate hack based on 3 pieces of info:

1) satellite position in the sky
2) transponder number, e.g. frequency
3) "has digital audio" with true random keys (non machine generated!)

Based on the info above, and only on that info, without ever seeing the original device, I designed a PCB board with a Z80 + 13 GALs.

My design did learn the random keys in 130 milliseconds, and had implemented all the error correction methods (unknown to me), and actually proved to have better error recovery than the original ASIC from Matsushita. When snow fell onto the satellite dishes in Norway, Filmnet was forced to turn off the keys, as that made the signal quality a little better for the Matsushita ASIC; my version tolerated more errors in the incoming data.

If I had not achieved that task, I would consider it impossible. I have done some more things in my early childhood, but I would really not spend my time in an attempt to hack the V4 security.

OTOH, I could design a system that makes it possible to use security keys in a RAM-based FPGA (without bitstream security), but I don't think I could sell it, as I am very bad at selling things :(

Antti

Antti Lukats

Piotr,

See below,


The pride and sense of accomplishment. Really, no monetary value. Heck, I'd buy you a dinner (~ $50 or ~ 50 Euro) just because I'm generally a nice guy.

Sure. It is just an IP core.


Not really complex, but yes, it consumes area. And since more than 99% of present users don't use it, it is not possible that you will see it in any product that is price sensitive (i.e. Spartan). In products where the price is primarily set by the features (i.e. Virtex), the decryptor is a very small part of the pricing (perhaps actually 0).

Yet, the research being done does show that in less than an hour, with modest lab equipment, a differential power attack succeeds in finding the hidden key value.

Well, I don't know about anyone else's FPGA, but Xilinx APD FPGAs (Virtex) are designed with security applications in mind. In fact, we have now had more than three annual reviews with the security community (academia, experts, users) on just this subject.

Lots of features some people would like to see, and lots of holes that need to be plugged up (or thought through). If someone really cared, and really spent money on FPGAs for this application, it would help us a lot. Right now, it is something that we spend just enough time on to get the basics right, but no more.

We are presently used in many secure applications -- we just don't hear about them (they are secret!). So we do get whispers about what is not liked, and what is liked, and what might be next they would like to see.

For example: 3DES is not OK. 256AES is OK. Poly E-fuse is not OK. BB RAM is OK. No one ever tells us why (that is a secret). So we are so far in the OK category ....

Austin Lesea

But not MUCH area. It's getting into the noise (I doubt it is larger than a single BlockRAM: the point when it gets significant on the smaller parts. Probably significantly smaller).

I suspect that it is mostly

A: A product differentiator. It's one of the real reasons to go for Virtex 4 over ANY other FPGA solution right now. If you are suitably paranoid, it's really the best out there to my knowledge of the commodity FPGAs (256b vs 128b AES: 256b papers over a lot of sins, especially if every instance is given its own key, and using SRAM instead of EEPROM is IMO far better for the paranoids).

as well as

B: Not used enough. It's a very powerful mechanism, and if people started using it on a more regular basis, it would end up in the Spartan line.

You don't need them to tell you why, it's pretty obvious:

AES-256 is approved through Top Secret. 3DES isn't. So there is at least hope of getting an instance approved.

256 bit keys paper over a lot of sins in ways that 112 (3DES) and 128 (AES-128) can't. EG, if each instance has its own key, and through some miracle-process, the key bits can be read out with 50% accuracy (half right, half don't know) in a destructive process, the 256-bit system is still brute-force-proof, but the 128-bit system can then be brute-forced.

Nonvolatile keys are easy to recover unless you physically destroy the device (hard to get UL listing for putting Thermite on the chips). Unless there are severe memory effects (and see above for how severe it needs to be), you pull the power, wipe the keys, and all is good.

Also, what the spooks would probably want but telling you would violate what they can say:

Ability to change the key from within the device (no external pins). An ability to do partial reconfiguration from within the device (but NOT externally) when encryption is active.

Both together would probably make the JTRS crowd unbelievably happy.

--
Nicholas C. Weaver.  to reply email to "nweaver" at the domain
icsi.berkeley.edu
Nicholas Weaver

Nick,

No one has asked for what you mentioned. Probably for the reasons you mention.

My biggest problem is that whatever we do for security needs to be so incredibly well thought through, that adding something in the next generation becomes a real issue. An added feature may bring on a whole new set of issues that have to be thought through again!

I am happy that I received a response from a professor to supply a V2 Pro security pcb. One by one I will get these boards out there into the hands of graduate students looking for fame (if not fortune).

Austin

Austin Lesea

Maybe they don't use it because they don't have this feature implemented? :-)

Cryptography is not the main reason for the existence of bitstream encryption. It's simply too easy to clone an FPGA-based device.

BTW, is there any export limitation related to the FPGA chips with embedded bitstream encryption? Most of the cryptographic devices one can buy without special licenses use very short keys (40 bits or so), so this would mean that FPGAs are not considered to be cryptographic devices, or they are, but they can be cracked by the NSA guys (implemented using nonlinear keyspaces, internal secret keys, key escrow systems and many other sophisticated ways). What is the position of the US government on this subject? (Of course I would like to know only the publicly available facts -- I don't know much about this interesting issue.)

Best regards Piotr Wyderski

Piotr Wyderski

It seems strange that they haven't asked, because both of these would be "Big Deal" improvements to what is very public knowledge and inference:

The ability to load a NEW encryption key from within the FPGA is a very powerful feature: it allows a bunch of devices whose bitfile is initially encrypted with a common key to all customize themselves: the first time they are powered on by the customer, the device generates its new key, stores it in the key register, re-encrypts the bitfile, and is happy.

Now each instance has its own unique random key, that it can use to protect its own particular bitfile and secrets unique to that bitfile (other cryptokeys). Instances could also generate NEW keys giving some interesting/possible properties to generate forward security.

Without this feature, you can only really do this under very restricted conditions (initial customer poweron) because it has to go in the clear over the JTAG pins. But with this feature, you can do it all the time, because an attacker who can monitor the "cleartext" wires WITHIN the FPGA already has probably broken the system.

Partial reconfiguration when encryption is active is FAR more dangerous, as if you could trick the initial config to allow an attacker config to be loaded, all bets are off. But, OTOH, it would be a very, VERY big deal to the JTRS (Joint Tactical Radio System) crowd, as they are going to want to reconfigure large modules at runtime to do the software-defined radio which is the keystone of the system, yet also probably want the bitfile encryption over everything.

Yeup. Rekeying (WRITE only) from within the configuration is probably "not bad" on this. It needs to be thought through, but it's pretty easy to wedge the device when rekeying (so it needs to be blanked/restarted), but pretty hard to un-safe the device.

But allowing partial reconfig within the encrypted domain, even limited from within the FPGA, opens up a huge thorny set of potential issues. These issues would come up in particular configurations, but as Xilinx has to provide a lot of guidance to customers already on partial config.

One question: Could you go to the spooks and guys with jitters about JTRS with "Here is what the open community THINKS that you want but are unwilling to say and why" and get a "yes" or "no" answer out of them?

--
Nicholas C. Weaver.  to reply email to "nweaver" at the domain
icsi.berkeley.edu
Nicholas Weaver
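A model of the in-device rekeying Nicholas describes, added here as an example and not the thread's or any vendor's code: every unit ships with the same fleet key and encrypted bitfile, decrypts it once, then draws its own 256-bit key inside the part and re-seals the bitfile under it, so neither the fleet key nor any earlier device key can configure the part afterwards, and pulling the battery-backed register leaves the stored bitfile unusable. `Device`, `seal`, `Configure` and `Rekey` are assumed names, and AES-256-GCM stands in for the unspecified bitstream cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Device models an SRAM FPGA with a volatile key register and external config memory (assumed names).
type Device struct {
	KeyRegister []byte // gone the moment power and battery are removed
	ConfigFlash []byte // nonce || AES-256-GCM ciphertext+tag of the bitfile
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects a wiped (nil) or wrong-size key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates the bitfile under key, prefixing a fresh nonce.
func seal(key, bitfile []byte) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error in current Go
	return g.Seal(nonce, nonce, bitfile, nil), nil
}

// Configure decrypts the stored bitfile; the GCM tag check rejects any other key, including a wiped one.
func (d *Device) Configure() ([]byte, error) {
	g, err := aead(d.KeyRegister)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, d.ConfigFlash[:g.NonceSize()], d.ConfigFlash[g.NonceSize():], nil)
}

// Rekey is the in-device key change from the post: with the bitfile already decrypted inside
// the part, draw a fresh random key, re-seal under it and overwrite the register. The old key
// never left the device and can no longer decrypt what is stored.
func (d *Device) Rekey(bitfile []byte) error {
	newKey := make([]byte, 32)
	rand.Read(newKey)
	blob, err := seal(newKey, bitfile)
	if err != nil {
		return err
	}
	d.ConfigFlash, d.KeyRegister = blob, newKey
	return nil
}
```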

The crypto restrictions have largely gone away. Now it's basically you can't sell serious crypto to the bad-actor countries.

--
Nicholas C. Weaver.  to reply email to "nweaver" at the domain
icsi.berkeley.edu
Nicholas Weaver
