The latest announcement of "security" is just more than a little annoying:
In the FIPS 140-2 Standard:
"4.7.6 Key Zeroization
A cryptographic module shall provide methods to zeroize all plaintext secret and private cryptographic keys and CSPs within the module. Zeroization of encrypted cryptographic keys and CSPs or keys otherwise physically or logically protected within an additional embedded validated module (meeting the requirements of this standard) is not required.
Documentation shall specify the key zeroization methods employed by a cryptographic module."
Efuse keys can be read easily by inspection:
(IEEE library user name and password required)
Not that there is anything wrong with a low cost, simple, and useful security method (look at how many cheap locks get sold that are easily picked by the average pre-teen). But to imply that this is somehow NIST approved is a complete joke!
In fact, use of poly efuses is great (now that the foundries have them as a standard feature).
Just don't go advertising them to be more than they really are: a convenient way to make it cost at least $5,000 to find the key.
Hi Austin, besides everything concerning the security gain of an encrypted bitstream I have a different question.
Xilinx offers a similar feature too in its Virtex4 (and 5?) FPGAs. Now that some silicon is already used up by the AES algorithm, wouldn't it be nice to make it accessible to the customer? Just the key scheduler and the round function, not the key memory.
Would be a nice feature for some customers, but (nearly) no drawback for all others.
That is something that we thought about. But, really, what we are talking about is providing access to the crypto-engine through the general interconnect, and control of that engine.
It was considered that anything we do in this regard would have to be completely and thoroughly tested so as not to be a back door, and compromise security.
It wasn't worth the work to have to prove we did not break something.
Even the JTAG is considered a real threat to security, so we have a method of disabling it once you have been configured with your encrypted bitstream (in V4 and V5).
Kevin of FPGA Journal is looking for student interns for some security fun (in FPGAs). If anyone is interested, email me directly.
We submitted our V2 Pro to 9 schools and universities (and some non-existent agencies) three years ago, and no one has broken the security, or even compromised it. That is what our security is about: we gave the students the complete schematics of the PCB, provided series access for DPA attacks, etc. All we asked was: tell us the key, or make the TRNG deliver non-random numbers (affect operation). We want to know every weakness so we can fix it in the next version (and hopefully not break anything).
At least no one will tell us they broke into the chip.
It could be that when the students worked at it for a while, they realized that since they couldn't break it, there would be no degree, so they moved on to something easier to break into. I am sure that certain non-existent agencies spent more time hacking at it. But since they never tell anyone anything, I am just guessing.
Obviously with enough money and enough time ... there is no 'perfect' lock.
But we are in full compliance with FIPS 140-2. And we also have AES256 which is considered acceptable for the most secure crypto boxes. AES128 is not considered 'secure' enough. Don't ask me why, as the details are secret, and I am not cleared. I just hear and obey.
I am sure that if AES128 had battery backed key storage, it would be perfectly good for any commercial crypto application. After all, today we use 3DES which is only 2E112 hard, and that is now considered within the reach of a mid-level attack. 2E128 provides only (only?) a 16 fold improvement over 2E112....
Hi Austin, that sounds reasonable. Security proofs are expensive.
For the V2 boards you gave away ... what reward did you offer in case of success? I suspect there are people out there who would pay well for that knowledge as long as you don't have it, so why should they tell you? ;-)
Is it that cheap today to open the die and observe the fuses? I have no idea if (and how) Altera protected the key fuses against optical inspection of die cuts. But if you're right, it would be very cheap to reengineer most ASICs.
BTW, am I right that if I use a Xilinx with security inside equipment, the chip could be hijacked (chip-modded) by just removing the power supply of the keys and applying a new bitstream? Which means the bitstream itself may be protected, but not the chip? Why did nobody combine software and fuse based technologies? It would be sufficient to have 128 bit (with secure algorithms) in SW and 128 in fuses.
Yes, it is that cheap (and easy) to find and read efuses. If they had used Actel's via fuse technology, it would be much, much harder, but still do-able for a small number of vias. Of course, you would have to know where to look. The poly efuse is huge, and is almost big enough to see with the eye. An array of 128, or 256 has a big sign on it: "efuse array right here!"
If you use the battery backed ram to store the key, the bitstream is protected, not the device. Any regular unencrypted bitstream can be loaded (or else how could you test your boards?).
The use of efuses to make it such that only a particular device is able to load a particular bitstream is a requirement typical of the gaming industry (slot machines). This is a feature that we are looking at introducing in the future (if it does not compromise the higher level of security).
As I said, I love efuses. They can be used for: serial numbers, lot and process information, feature selection and control, device identification, etc. You can even put a key in it, but make sure that the key in a non-volatile memory is clearly stated as not being NIST FIPS 140-2 compliant. There are customers for whom a low level of security is just fine.
But for an IP company, placing my IP in such a low security device invites every crypto student looking for a job, or a degree, to hack it.
Those slides show an efuse that is really blown. The new technology does not vaporize the poly, it EM moves the ions all to one end, changing the poly's behavior under polarized light. But, the method still applies: you can visually read the values.
Thanks for the posting.
Aust>> Yes, it is that cheap (and easy) to find and read efuses. If they had
Could be there is a place for both volatile and non-volatile security. The majority of customers we (Altera) have spoken to prefer the non-volatile key and are extremely satisfied with the security. This includes multiple military customers.
Non-volatile security provides significantly more flexibility on the manufacturing process and enables some new royalty-based business models that cannot be facilitated with battery back-up security.
If you are interested in further details, here's a link to an upcoming net seminar.
"The use of efuses to make it such that only a particular device is able to load a particular bitstream is a requirement typical of the gaming industry (slot machines). This is a feature that we are looking at introducing in the future (if it does not compromise the higher level of security)."
So, seems Xilinx will also be doing this, sometime...
In security, the more hurdles, the better.
It is, of course, only as strong as the weakest link.
I am happy that you did your research and discovered what you think your customers want, but I question the results: was the question "do you want an easy to use and effective* security system that doesn't need a battery?"
If so, then the answer is always "yes. I do!"
But, if you had said: "Non-volatile keys are not NIST approved for use in any federal system, and not generally used in any private security application. Knowing this, would you choose to use a non-volatile key to protect your assets? or would you use a battery backed key"
If so, then I suspect the answer would be "no.....you should have told me this."
To have a press release that touts a "superior security solution" is the worst of the worst marketing. To claim to be able to protect IP from ASSP vendors is quite honestly, false and misleading. If I can get the IP that is a secret for less than $5,000, then I can clone the devices without paying anything at all.
To imply that you have military customers satisfied with this level of security is amazing. Perhaps they have a thermite charge to destroy the device if it is tampered with. That does work, and makes getting parts back for RMA a non-problem, but is not a preferred solution! Or perhaps these devices are used for smart bombs and smart bullets. Hard to read it out when they are blowing up all around you.
If what you are protecting is less than $5,000 in value, then it is great, and works just fine.
By the way, when will you publish how the keys are programmed into the device? Seems there is an NDA in place, and you are keeping a secret.
What are you hiding?
What is missing from all those press releases:
*Disclaimer: non-volatile poly-efuse EM technology can be read out by a microscope using polarized light for a total investment of less than $5,000
No, I have not cracked the Altera chip. I have received emails from schools and universities who wish to crack it. These are the same schools that have published successful smart card attacks.
My quote of $5,000 is what we pay to have a device ground down on the backside such that we can do analysis on a device.
For another $5,000, one can get up to three or four FIB cuts, and a couple of jumper wires.
The IEEE paper clearly discusses the technology, and what happens when the fuse has all of its ions electromigrated to the other end, leaving intrinsic silicon poly, which has a different index of refraction than the poly with the ions.
There are difficulties. Find the fuses, read the values, and then figure out what (if any) logic may be present to confuse the key bits.
That is why the Actel via fuses are considered much better (harder to find, and read).
Nonetheless, the attack is not 2E128 as the NIST standard implies (the one they claim to meet FIPS 197, definition of AES 128, 256, 384 and 512). Sure the algorithm is an AES 128 one, but with knowledge of all the fuse contents, the search space is lessened such that in maybe twenty minutes or so of permutations on the key bits, you have the device unlocked (bitstream is now in the clear on your computer, and ready for cloning, reverse engineering, etc.)
No one has reverse engineered a bitstream for Xilinx or Altera, as far as we know, on a large device. But that doesn't mean that someone could not make specific modifications to an existing bitstream (change IO location, drive strength, etc.) without having to know the whole design.
The question is not one of can I crack it (I believe I can), but one of an ASSP vendor deciding to place their IP in a component that is not in compliance with FIPS 140-2. Very, very simple.
Remember that any attack that is successful removes the security forever. So, do you want to use something where there are known ways to crack it? Or, do you want to use something that today there is no known method of cracking?
For example, finding the battery backed key has been something that has been tried and been unsuccessful. Then we were attacked with differential power attacks (DPA). So far, those have been unsuccessful as well. As an aside, DPA attacks of ASIC AES has been successful!
Yet another example of how an FPGA can actually be superior to an ASIC solution.
I will be giving a talk on security in V4 and V5 soon, so watch for the announcements.
Just as an aside, the coin cell lithium battery vendors have informed me that for my use, the battery will last "forever." Since we hold the key down to Vbatt voltages of much less than 1 volt, and the coin cell starts out life at over 3 volts, and the stated 15 year life is to discharge to 2 volts, we will last multiples of 15 years. So the "terrible battery problem" is no big issue.
Set top cable boxes use a lithium battery to store the keys. Cable companies aren't stupid: they would not use a battery unless there was a good reason. After all, they make millions of set top boxes. All they protect is a few movies, and yet they feel that following FIPS 140-2 is the only safe way to go (as everything else has been hacked).
We are examining how to use efuses. I can not say anything right now, except I think they are going to be very useful, and helpful. They can be used for device ID, matching a key to a device, factory information (lot, wafer, serial numbers), control of internal circuits (set currents, voltages, etc. to get around process variations), repair faults by substituting redundant features...long long list. And, of course, to hold a key for those who only have a $5,000 or less secret to protect.
How much efuse memory should be for the user? How much for the customer? Unlike my friend, the questions we ask are pretty detailed, and we are very careful about what we do.