AES Bitstream Encryption in Virtex-4. How safe it is?

Allan,

The special order codes ('SCD') are best when folded into the normal
production, so no special anything is required. The special code goes
away, and the regular product supports the feature.

This is unique to only some parts/packages/test programs, and is never
intended to last forever (only to improve quality for specific customers
when the test program isn't complete). When we are made aware of a test
coverage gap, we improve the test program. Once the test program is
sufficiently integrated, we can retire the special flow.

Understand that a 1000 ppm "test escape" is considered a terrible thing
by Xilinx, as we strive to achieve "0 defects."

We have had cases where a particular customer brings to our awareness a
test escape issue, and often no other customer has noticed the issue
(many 10's of thousands of parts shipped, with no returns whatsoever).

Regardless, every test escape is taken very seriously, as it reflects
directly on the product quality, and our customer's trust in Xilinx (to
do the job right).

The (3DES/AES256 key) features are standard, and fully supported. If a
feature is to be removed, we must issue a 'PCN' (production change
notice, which allows 90 days before it is implemented, and also allows
for last time orders before we remove anything at all), and notify
everyone. That is a very rare event (as it has to be).

Austin
 
On Wed, 05 Mar 2008 08:19:08 -0800, austin <austin@xilinx.com> wrote:

> Allan,
>
> No Altera product with poly efuse is able to meet FIPS 41, none are
> approved by the NSA.
>
> In my book, that means we see no competition (all customers that require
> FIPS 41, or NSA approval come to Xilinx).
>
> Now, if you do not require FIPS 41, or you are not interested in NSA
> compliance, then the Altera solutions are perfectly good, and useful.
> In no way do I imply they are poor solutions, however, they are not in
> compliance with the highest level standards, and they are not approved
> for generic use in US government contracts.
>
> That means, they are not a solution for banking (which requires FIPS
> 41), and other commercial markets as well.
>
> What is left? From the "Virtex" point of view, nothing at all of import.
>
> Perhaps in the Cyclone/Spartan world, there are some good sockets they
> win (and we do too) for anti-cloning of consumer goods.
>
> I am sure they will have FIPS 41 compliant products at some point. I am
> also sure they will eventually get NSA approval (if they can meet their
> requirements, as the US government is not allowed to play favorites, and
> must treat all fairly). Until then, we enjoy the sockets we are getting,

Thanks for the explanation.

We make various data security products, some with FIPS 140
certification (or under evaluation). However, the entire product gets
certified, not just some chip in the middle of the box. On that
basis, I wouldn't have problems using Altera parts in a FIPS certified
product. (Some applications put the "security boundary" at the chip,
but that doesn't apply to us.)


BTW, we had been ordering Xilinx V2P parts for an older product, with
the special order code that means that the DES bitstream encryption
gets tested. We were advised by our supplier that these will no
longer be available. What's the story there? Will the same thing
happen to our V4 designs?

Regards,
Allan
 
Allan,

No Altera product with poly efuse is able to meet FIPS 41, none are
approved by the NSA.

In my book, that means we see no competition (all customers that require
FIPS 41, or NSA approval come to Xilinx).

Now, if you do not require FIPS 41, or you are not interested in NSA
compliance, then the Altera solutions are perfectly good, and useful.
In no way do I imply they are poor solutions, however, they are not in
compliance with the highest level standards, and they are not approved
for generic use in US government contracts.

That means, they are not a solution for banking (which requires FIPS
41), and other commercial markets as well.

What is left? From the "Virtex" point of view, nothing at all of import.

Perhaps in the Cyclone/Spartan world, there are some good sockets they
win (and we do too) for anti-cloning of consumer goods.

I am sure they will have FIPS 41 compliant products at some point. I am
also sure they will eventually get NSA approval (if they can meet their
requirements, as the US government is not allowed to play favorites, and
must treat all fairly). Until then, we enjoy the sockets we are getting,

Austin
 
On Tue, 04 Mar 2008 11:08:27 -0800, austin <austin@xilinx.com> wrote:

> Frai,
>
> Other than the public announcement that the NSA has approved V4 for
> single chip crypto systems, what else would you need?
>
> Seriously, no one has broken AES256, and no one has broken V4's
> implementation of AES256 (using the battery backed key memory).
>
> A hacker would not attack directly, rather they would wait outside your
> building, and offer cash to anyone willing to reveal the key to them.
>
> No other device exists that is 'generic' approved for all NSA single
> chip crypto systems. No ASIC, ASSP, nor FPGA. It has been called
> "completely disruptive technology" and many have told us "V4 will
> revolutionize the single chip crypto market."
>
> http://www.xilinx.com/prs_rls/2007/end_markets/0713_v4nsa.htm
>
> I just love it when there is 0 competition!

Hi Austin,

Altera StratixII has bitstream encryption, with keys programmed (one
time!) into poly fuses.

Altera Stratix3 has bitstream encryption, with the option of keys
programmed into poly fuses OR held in battery backed SRAM.


Presumably you are aware of both of these products. Do you know of
some fault in their implementation that would lead you to describe
them as "0 competition"?


Thanks,
Allan
 
> 3. What could a hacker do to overcome this protection, other than
> brute-force?

I'd like to add something to this question.

V4 security protects your bitstream. This is enough when you just
want to avoid the cloning of your product.

If you plan to implement a security application on V4 however, you
will have to go further than just that. It's quite possible that your
design will leak secrets despite the protected bitstream.

Regards,
Marc
 
As Xilinx says in their documents, there is no unbreakable security.

I guess if Virtex-4 security is based on the AES algorithm and a
secret key, the way to break the security would be to play with the
implementation of AES in the FPGA, through manipulation of the
encrypted bitstream, probably combining it with a timing attack or any
other sort of attack that could eventually make the AES algorithm work
in the wrong way, exposing some exploits that might be used for
further attacks. This would be cheap and can be easily automated,
although it would probably take long and might fail. If this or any
similar attack were successful, all designs that reside in a Virtex-4
FPGA would be exposed to hackers. Anyway, from the conceptual point of
view, I agree that Virtex-4 level of security is fairly good.

If you don't need in-field reconfiguration of the FPGA, the Actel
Pro-Asic approach to security might be safer than Xilinx Virtex-4, since
it does not let you play with the bitstream. This gives fewer tools for
hackers to play with, making it very difficult for cheap attacks. Some
expensive and time-consuming attacks might be possible, but this would
only expose one design from one client, rather than all designs
residing in Pro-Asic FPGAs around the world.

Just a thought...

Regards.
 
> 1. Does anybody know whether Virtex-4 AES bitstream protection has
> been broken?

Didn't hear anything public ... doesn't mean it hasn't been done ...
and even if never done, doesn't mean it can't ... As always with
security it depends on the value of what you're protecting. But unless
it's a control process for cold fusion, I'd say you're most likely in
the clear.


> 2. Do you consider it a good protection?

Most people do .... so do I :)


> 3. What could a hacker do to overcome this protection, other than
> brute-force

- Bribe someone at the factory to 'listen' when programming the key
- Physically break into your office and get the source code or
unencrypted bit
- Kidnap one of your lead developer's family members and shoot them
one by one until he gives you what you want ... (iterate over the
whole team as needed)

They may all seem 'weird' options ... but that's how I'd do it if I
had to ...

Sylvain
 
Frai,

Other than the public announcement that the NSA has approved V4 for
single chip crypto systems, what else would you need?

Seriously, no one has broken AES256, and no one has broken V4's
implementation of AES256 (using the battery backed key memory).

A hacker would not attack directly, rather they would wait outside your
building, and offer cash to anyone willing to reveal the key to them.

No other device exists that is 'generic' approved for all NSA single
chip crypto systems. No ASIC, ASSP, nor FPGA. It has been called
"completely disruptive technology" and many have told us "V4 will
revolutionize the single chip crypto market."

http://www.xilinx.com/prs_rls/2007/end_markets/0713_v4nsa.htm

I just love it when there is 0 competition!

Austin
 
Frai

Hi,

I need to place my FPGA designs in a safe platform, and I have some
questions:

1. Does anybody know whether Virtex-4 AES bitstream protection has
been broken?

2. Do you consider it a good protection?

3. What could a hacker do to overcome this protection, other than
brute-force?

4. Are there other alternatives in the market, from other vendors than
Xilinx, providing the same or higher level of security?

Regards.
 
Hi Austin,

About the security of Virtex, I have recently read a document that mentioned
that the battery charged key can still be read once the battery is removed,
since the memory has already been charged for too long and an EM field will not
easily disappear. They provided a temperature to EM field lasting
prediction as well in their report. Their conclusion shows the anti-fuse
FPGA is the best possible option. What do you think?

Ken



 
On Sep 15, 7:43 am, "kenS" <skypulse1@n_o_s_p_a_m.hotmail.com> wrote:
> Hi Austin,
>
> About the security of Virtex, I have recently read a document that mentioned
> that the battery charged key can still be read once the battery is removed,
> since the memory has already been charged for too long and an EM field will not
> easily disappear. They provided a temperature to EM field lasting
> prediction as well in their report. Their conclusion shows the anti-fuse
> FPGA is the best possible option. What do you think?
>
> Ken

Can you post a link to this document? Or provide more details on what
the author had to go through to be able to read the "ghost" EM field
of the security bits?

At first glance this doesn't seem very plausible.

Ed McGettigan
--
Xilinx Inc.
 
