AES Bitstream Encryption in Virtex-4. How safe it is?

On Thu, 06 Mar 2008 10:44:13 -0800, austin <austin@xilinx.com> wrote:

Alan,

HSM?

Austin
Google suggests High School Musical. Hmmm.

Perhaps this would be better:
http://en.wikipedia.org/wiki/Hardware_Security_Module

It's only when you start designing products like that, that the
distinction between 128 and 256 bit AES becomes important. (IMO)

Regards,
Allan
 
Allan,

I presume HSM = Host Security Module?

If so, that is an application, and we do not supply any examples, nor
any IP.

Austin
 
On Thu, 06 Mar 2008 07:56:18 -0800, austin <austin@xilinx.com> wrote:

3 X 56 bits < 256 bits.

Note that we have AES256, and the "other" competitor only had AES128.

AES128 was not approved (for the crypto modernization program).

I am sure that tells you something.

You would not try to brute force a 128 bit AES system.
Making the brute force attack 2^128 times harder by doubling the key
size, doesn't change all that much since you wouldn't be using that
approach anyway.

(Yes, I do know that only the 256 bit key version is approved for top
secret work in the USA. All our products support the 256 bit key size
for that reason.)


BTW, I think bitstream encryption is an excellent idea for protecting
the intellectual property that the bitstream represents. I'm just not
sure I'd rely on it as an essential part of a security system, where
the threat model includes attacks by well funded military
organisations.

Austin, is there an appnote showing how bitstream encryption can be
used to make an HSM? I'd be interested in knowing how it's done.


Disclaimer: none of our products rely on bitstream encryption (from
any FPGA vendor) to protect our customers' secrets.


Regards,
Allan
 
On Mar 6, 10:54 am, austin <aus...@xilinx.com> wrote:
Antti,

Good points. Even the best component security doesn't equate to a high
level of system security.

You are also correct to point out the Actel antifuse (basically a via
that can be 'popped') where it is 'impossible' to map all of them, and
hence how the part is programmed. This is only because no one has
automated this attack: if automated, it could be done (shave off 10
angstroms, take a picture, repeat, then rebuild the connections).

Don't forget some attackers have infinite labor, and infinite patience.
My favorite example is when the students took over the American Embassy
in Iran, and then put back together all of the shredded secret documents
... a massive task, but just a big puzzle after all (and one that could
be, and was, solved).

Austin
There were interesting stories about Intel and a scanning electron
beam prober during the Clipper Chip days (uses anti-fuse). Something
about seeing the charge around a via and telling whether or not the
fuse was conducting or high impedance. Presumably this would be
easier to automate. There was a lot of speculation about tamper proof
chip cases. Also something about the technology getting classified.
 
On Mar 6, 5:19 am, austin <aus...@xilinx.com> wrote:
Allan,

No Altera product with poly efuse is able to meet FIPS 41, none are
approved by the NSA.

In my book, that means we see no competition (all customers that require
FIPS 41, or NSA approval come to Xilinx).

Now, if you do not require FIPS 41, or you are not interested in NSA
compliance, then the Altera solutions are perfectly good, and useful.
In no way do I imply they are poor solutions, however, they are not in
compliance with the highest level standards, and they are not approved
for generic use in US government contracts.

That means, they are not a solution for banking (which requires FIPS
41), and other commercial markets as well.

What is left? From the "Virtex" point of view, nothing at all of import.

Perhaps in the Cyclone/Spartan world, there are some good sockets they
win (and we do too) for anti-cloning of consumer goods.

I am sure they will have FIPS 41 compliant products at some point. I am
also sure they will eventually get NSA approval (if they can meet their
requirements, as the US government is not allowed to play favorites, and
must treat all fairly). Until then, we enjoy the sockets we are getting,

Austin
The reason the Xilinx parts get approval for single chip Type 1 COMSEC
applications has to do primarily with software tools changes ensuring
adequate red/black separation, using the column based architecture
found in Virtex-4 LX, SX and FX.

http://www.mil-embedded.com/PDFs/NSA.Mar07.pdf

FIPS 41 is entitled "Computer Security Guidelines for Implementing the
Privacy Act of 1974" and was withdrawn in 1998; I think you mean
FIPS 140-2 (-3 pending) "Security Requirements for Cryptographic
Modules", wherein you can use the placement tools and column
architecture for functional separation (compartmentalization). The
FIPS 140 criteria derive from the NSA's CCEP program.

One could wonder if the market is sufficiently large or attractive
enough for Altera to make the effort.
 
austin <austin@xilinx.com> writes:
I knew someone would say this,

Yes, there are those that think because the NSA approves a crypto
standard, they either have a back door, or some other way around it.

You give them far too much credit.

They are not that smart.

If there is a weakness, or a back door, then they have created a way for
all systems they certify to be broken.

They are also not that stupid.
They *are* that smart.

When they influenced the design of DES way back when, they *both* strengthened
and weakened it.

They weakened it by reducing the key length to 56 bits. It is generally
believed that they did this because they could afford to build hardware
that would brute-force search a 56-bit key space.

They strengthened it by making design changes, the nature of which was
not obvious at the time. Many years later, cryptographers (re)discovered
linear and differential cryptanalysis methods, and found that the NSA's
changes to the design of DES made it essentially immune to those lines
of attack. The NSA had developed those attacks, but had not published
them, for obvious reasons.

In other words, the NSA wanted the strength of DES to be only 56 bits,
but also not to have weaknesses reducing the effective key size
significantly below 56 bits.

When the NSA is involved in the development of any cryptosystem made
available for public use, it would be foolish to assume that they
haven't made sure that it is neither too insecure nor too secure.

Eric
 
austin <austin@xilinx.com> writes:
Well, we are unable to get anyone interested to try it, as they tried
the obviously less secure 3DES, and didn't get anywhere.
I think claiming 3DES to be "obviously less secure" is a bit much.
DES has withstood far more attacks than AES. After all that, there
are no known attacks that are significantly better than brute force, so
3DES is quite secure.

AES *might* be as secure or more, but since it hasn't had nearly as
much time to be poked and prodded by cryptographers, I wouldn't count
on it.

Of course, some clever cryptographer might come up with a new attack
against either one.

The biggest advantage of AES over 3DES is that AES is approved by the
US government now, and DES no longer is. (I think 3DES still is for
at least some applications.) For my own data, I prefer 3DES.
 
On 2008-03-05, Antti <Antti.Lukats@googlemail.com> wrote:
What I have heard the "thumb estimate" to read out ANY FLASH
based microcontrollers protected code is about 1000 USD.
Reading back a protected ATmega8 has been as cheap as 800RMB (112USD)
(no I have not done that, I just know the work being quoted at that
price)

A bit off topic, but I have found the following blog quite an
interesting read regarding the security of various products:

http://www.flylogic.net/blog/

They also have very nice photos on it :)

/Andreas
 
Nico,

Universities often crack crypto systems. They are usually the first to
do so. DPA, and other techniques have all been pioneered at schools.

I went out, and solicited bids for various "cracking" jobs.

Unfortunately, no one took any of them.

All I received was "no bid."

There are reputable reverse engineering firms, but they are not stupid;
they will not agree to do work for which they will not be paid.

They had to deliver something in order to get paid.

No bid.

Could a nation-state decide to go and reverse engineer something? Sure,
and that falls into the "infinite resource" attacker category. They
might not succeed, but I am sure they would try their best.

Thankfully, in the commercial segment, I don't have to worry about that
level of attack. That is the level of attack the NSA is worrying about.
And they said: "use Xilinx."

Austin
 
austin <austin@xilinx.com> wrote:

Frai,

There are many who claim "oh, this is easy..."

However, back in the Virtex II Pro days, we issued a challenge, and more
than 7 universities and research groups accepted the challenge.

We provided a 2vp7 pcb with usb port, and pins for access to power, that
had the key battery installed (300 mA lithium coin cell), and the part
was programmed with a 3DES encrypted bitstream.

All 7 challengers gave up. Their basic conclusion was all the things
they thought would work, differential power attack, spoofing by power
glitches, attack with freeze spray, etc. FAILED.
The word is there are companies that specialise in cracking this sort
of security feature. You'll have to bring a big amount of cash
though. I'm not at all impressed by claiming the NSA or several
universities couldn't crack it. Nice sales pitch, but I'm not buying
it :) The really clever people work where the money is and that is
usually not in a government job.

--
Programmeren in Almere?
E-mail naar nico@nctdevpuntnl (punt=.)
 
Also, I presume the NSA tried, as they eventually approved V4. If I was
the NSA, I would have put a great deal of effort to try to break it if I
knew that the devices would go into all modern crypto-systems! However,
I know nothing of what they did (their report is classified).
NSA may have their reasons to not approve crypto systems that are "too good".
 
austin wrote:
Don't forget some attackers have infinite labor, and infinite patience.
My favorite example is when the students took over the American Embassy
in Iran, and then put back together all of the shredded secret documents
... a massive task, but just a big puzzle after all (and one that could
be, and was, solved).
BTW, this is not even a problem of labor and patience anymore:

http://tinyurl.com/2e2lyf

:)

cu,
Sean

--
My email address is only valid until the end of the month.
Try figuring out what the address is going to be after that...
 
Allen,

If your purchasing guy has any problems, have him email me with the SCD
number.

Austin
 
On 5 Mrz., 20:31, austin <aus...@xilinx.com> wrote:
Frai,

There are many who claim "oh, this is easy..."

However, back in the Virtex II Pro days, we issued a challenge, and more
than 7 universities and research groups accepted the challenge.

We provided a 2vp7 pcb with usb port, and pins for access to power, that
had the key battery installed (300 mA lithium coin cell), and the part
was programmed with a 3DES encrypted bitstream.

All 7 challengers gave up. Their basic conclusion was all the things
they thought would work, differential power attack, spoofing by power
glitches, attack with freeze spray, etc. FAILED.

Now, can someone crack the scheme, and get the unencrypted bitstream?
Well, we are unable to get anyone interested to try it, as they tried
the obviously less secure 3DES, and didn't get anywhere.

Also, I presume the NSA tried, as they eventually approved V4. If I was
the NSA, I would have put a great deal of effort to try to break it if I
knew that the devices would go into all modern crypto-systems! However,
I know nothing of what they did (their report is classified).

Unfortunately, no one publishes a master's thesis or PhD thesis that
says "I failed to crack this encryption" so there are no records of
these attempts failing. But, no one has been able to get at the key, or
to find anything about the bitstream, ever since we first introduced the
features starting with Virtex II.

On the other hand, polarized light, and a high school microscope, can be
used to read the state of any efuses in a chip (which is why they are
excluded as a solution by the standards). The fact that some vendors
scramble their efuse contents just means that they do not really
understand what security is all about ("there is no security in
obscurity"). Once the "secret" is out (by reverse engineering the
hardware or software), then all of the products shipped become vulnerable.

Our approach has no secrets whatsoever: the algorithm is public, as is
the design of the encryptor and decryptor. That is why it complies with
the standards for constructing a secure system.

Austin
the V2P crack challenge bounty was a total of 25KUSD?
or was it even less? well, it doesn't matter, it was definitely less
than needed for anyone to REALLY try to crack the V2P key.
it doesn't mean it would be doable, only that the university
results are not the "final judge".
And whatever (if anything) the NSA did is classified...

But, yes the BEST security is FPGA with NONVOLATILE key.
FIPS also requires KEY CLEAR, which is only supported by V-5 without
external circuitry.

Everything flash based or with something nonvolatile is instantly less
secure.

What I have heard the "thumb estimate" to read out ANY FLASH
based microcontroller's protected code is about 1000 USD.
Reading back a protected ATmega8 has been as cheap as 800RMB (112USD)
(no I have not done that, I just know the work being quoted at that
price)

Sure that was a thumb estimate, the price for some flash MCUs could be
higher.
I assume it's only valid for normal Flash MCUs, not for those designed
for increased security.

Reading e-fuses with a microscope in the UNI, well it sure can be
possible; I have myself placed a needle with bare hands onto a 6 micron
track on the die of a Motorola ROM based smartcard chip. LOOOOONG time
ago. That was not-secure technology, and very old.

With a little better tools the modern chips could possibly be hacked as
well, but the easiness of efuse reading, I think it's not that trivial
either. In the market segment where product cloning is a major issue
there is NO KNOWN case of an Actel chip being cloned ever. And the
people who would like to clone Actel based products are not some
students, but some smaller ASIC people.

But in MOST cases the security is downgraded by other means, not the
main key/algorithm.

As an example the Nintendo WII is protected by an AES key, stored in the
OTP area on a custom ASIC.
This key has _never_ been read out, but the protection has been broken
by side-channel attacks.

The first break-in into the system was by swapping address lines between
the main CPU and the ASIC; later a stack-overflow exploit was found. By
inserting the "Twilight Princess" DVD and using a modified saved game
that causes a stack fault, the AES security is fully bypassed without
opening the WII.

.... So having the FPGA AES protected is nice.
But that says NOTHING about the overall system security and protection
at all.

Antti
 
On Wed, 05 Mar 2008 10:19:48 -0800, austin <austin@xilinx.com> wrote:

Allan,

The special order codes ('SCD') are best when folded into the normal
production, so no special anything is required. The special code goes
away, and the regular product supports the feature.

This is unique to only some parts/packages/test programs, and is never
intended to last forever (only to improve quality for specific customers
when the test program isn't complete). When we are made aware of a test
coverage gap, we improve the test program. Once the test program is
sufficiently integrated, we can retire the special flow.

Understand that a 1000 ppm "test escape" is considered a terrible thing
by Xilinx, as we strive to achieve "0 defects."

We have had cases where a particular customer brings to our awareness a
test escape issue, and often no other customer has noticed the issue
(many 10's of thousands of parts shipped, with no returns whatsoever).

Regardless, every test escape is taken very seriously, as it reflects
directly on the product quality, and our customer's trust in Xilinx (to
do the job right).

The (3DES/AES256 key) features are standard, and fully supported. If a
feature is to be removed, we must issue a 'PCN' (production change
notice, which allows 90 days before it is implemented, and also allows
for last time orders before we remove anything at all), and notify
everyone. That is a very rare event (as it has to be).
Thanks for the clarification. Our purchasing guy was worried about
this. But... no longer.

Regards,
Allan