
AES Bitstream Encryption in Virtex-4. How safe it is?


Frai

Mar 4, 2008, 12:22:38 PM
Hi,

I need to place my FPGA designs in a safe platform, and I have some
questions:

1. Does anybody know whether Virtex-4 AES bitstream protection has
been broken?

2. Do you consider it a good protection?

3. What could a hacker do to overcome this protection, other than
brute-force?

4. Are there other alternatives in the market, from other vendors than
Xilinx, providing the same or higher level of security?

Regards.

austin

Mar 4, 2008, 2:08:27 PM
to Frai
Frai,

Other than the public announcement that the NSA has approved V4 for
single chip crypto systems, what else would you need?

Seriously, no one has broken AES256, and no one has broken V4's
implementation of AES256 (using the battery backed key memory).

A hacker would not attack directly, rather they would wait outside your
building, and offer cash to anyone willing to reveal the key to them.

No other device exists that is 'generic' approved for all NSA single
chip crypto systems. No ASIC, ASSP, nor FPGA. It has been called
"completely disruptive technology" and many have told us "V4 will
revolutionize the single chip crypto market."

http://www.xilinx.com/prs_rls/2007/end_markets/0713_v4nsa.htm

I just love it when there is 0 competition!

Austin

Sylvain Munaut <SomeOne@SomeDomain.com>

Mar 4, 2008, 3:34:51 PM

> 1. Does anybody know whether Virtex-4 AES bitstream protection has
> been broken?

Didn't hear anything public ... doesn't mean it hasn't been done ...
and even if never done, doesn't mean it can't ... As always with
security it depends on the value of what you're protecting. But unless
it's a control process for cold fusion, I'd say you're most likely in
the clear.


> 2. Do you consider it a good protection?

Most people do .... so do I :)


> 3. What could a hacker do to overcome this protection, other than
> brute-force

- Bribe someone at the factory to 'listen' when programming the key
- Physically break into your office and get the source code or
unencrypted bit
- Kidnap one of your lead developer's family members and shoot them
one by one until he gives you what you want ... (iterate over the
whole team as needed)

They may all seem 'weird' options ... but that's how I'd do it if I
had to ...

Sylvain

Frai

Mar 5, 2008, 5:25:53 AM
As Xilinx says in their documents, there is no unbreakable security.

I guess if Virtex-4 security is based on the AES algorithm and a
secret key, the way to break the security would be to play with the
implementation of AES in the FPGA, through manipulation of the
encrypted bitstream, probably combining it with a timing attack or any
other sort of attack that could eventually make the AES algorithm work
in the wrong way, exposing some exploits that might be used for
further attacks. This would be cheap and could be easily automated,
although it would probably take a long time and might fail. If this or
any similar attack were successful, all designs that reside in a
Virtex-4 FPGA would be exposed to hackers. Anyway, from the conceptual
point of view, I agree that the Virtex-4 level of security is fairly
good.

If you don't need in-field reconfiguration of the FPGA, the Actel
Pro-Asic approach to security might be safer than Xilinx Virtex-4,
since it does not let you play with the bitstream. This gives hackers
fewer tools to play with, making cheap attacks very difficult. Some
expensive and time-consuming attacks might be possible, but this would
only expose one design from one client, rather than all designs
residing in Pro-Asic FPGAs around the world.

Just a thought...

Regards.

jet...@hotmail.com

Mar 5, 2008, 6:52:56 AM
> 3. What could a hacker do to overcome this protection, other than
> brute-force?

I'd like to add something to this question.

V4 security protects your bitstream. This is enough when you just
want to avoid the cloning of your product.

If you plan to implement a security application on V4 however, you
will have to go further than just that. It's quite possible that your
design will leak secrets despite the protected bitstream.

Regards,
Marc

Allan Herriman

Mar 5, 2008, 10:29:25 AM

Hi Austin,

Altera StratixII has bitstream encryption, with keys programmed (one
time!) into poly fuses.

Altera Stratix3 has bitstream encryption, with the option of keys
programmed into poly fuses OR held in battery backed SRAM.


Presumably you are aware of both of these products. Do you know of
some fault in their implementation that would lead you to describe
them as "0 competition"?


Thanks,
Allan

austin

Mar 5, 2008, 11:19:08 AM
Allan,

No Altera product with poly efuse is able to meet FIPS 41, none are
approved by the NSA.

In my book, that means we see no competition (all customers that require
FIPS 41, or NSA approval come to Xilinx).

Now, if you do not require FIPS 41, or you are not interested in NSA
compliance, then the Altera solutions are perfectly good, and useful.
In no way do I imply they are poor solutions, however, they are not in
compliance with the highest level standards, and they are not approved
for generic use in US government contracts.

That means, they are not a solution for banking (which requires FIPS
41), and other commercial markets as well.

What is left? From the "Virtex" point of view, nothing at all of import.

Perhaps in the Cyclone/Spartan world, there are some good sockets they
win (and we do too) for anti-cloning of consumer goods.

I am sure they will have FIPS 41 compliant products at some point. I am
also sure they will eventually get NSA approval (if they can meet their
requirements, as the US government is not allowed to play favorites, and
must treat all fairly). Until then, we enjoy the sockets we are getting.

Austin

Allan Herriman

Mar 5, 2008, 12:26:34 PM

Thanks for the explanation.

We make various data security products, some with FIPS 140
certification (or under evaluation). However, the entire product gets
certified, not just some chip in the middle of the box. On that
basis, I wouldn't have problems using Altera parts in a FIPS certified
product. (Some applications put the "security boundary" at the chip,
but that doesn't apply to us.)


BTW, we had been ordering Xilinx V2P parts for an older product, with
the special order code that means that the DES bitstream encryption
gets tested. We were advised by our supplier that these will no
longer be available. What's the story there? Will the same thing
happen to our V4 designs?

Regards,
Allan

austin

Mar 5, 2008, 1:19:48 PM
Allan,

The special order codes ('SCD') are best when folded into the normal
production, so no special anything is required. The special code goes
away, and the regular product supports the feature.

This is unique to only some parts/packages/test programs, and is never
intended to last forever (only to improve quality for specific customers
when the test program isn't complete). When we are made aware of a test
coverage gap, we improve the test program. Once the test program is
sufficiently integrated, we can retire the special flow.

Understand that a 1000 ppm "test escape" is considered a terrible thing
by Xilinx, as we strive to achieve "0 defects."

We have had cases where a particular customer brings to our awareness a
test escape issue, and often no other customer has noticed the issue
(many 10's of thousands of parts shipped, with no returns whatsoever).

Regardless, every test escape is taken very seriously, as it reflects
directly on the product quality, and our customer's trust in Xilinx (to
do the job right).

The (3DES/AES256 key) features are standard, and fully supported. If a
feature is to be removed, we must issue a 'PCN' (production change
notice, which allows 90 days before it is implemented, and also allows
for last time orders before we remove anything at all), and notify
everyone. That is a very rare event (as it has to be).

Austin

austin

Mar 5, 2008, 2:31:58 PM
Frai,

There are many who claim "oh, this is easy..."

However, back in the Virtex II Pro days, we issued a challenge, and more
than 7 universities and research groups accepted the challenge.

We provided a 2vp7 pcb with usb port, and pins for access to power, that
had the key battery installed (300 mA lithium coin cell), and the part
was programmed with a 3DES encrypted bitstream.

All 7 challengers gave up. Their basic conclusion was all the things
they thought would work, differential power attack, spoofing by power
glitches, attack with freeze spray, etc. FAILED.

Now, can someone crack the scheme, and get the unencrypted bitstream?
Well, we are unable to get anyone interested to try it, as they tried
the obviously less secure 3DES, and didn't get anywhere.

Also, I presume the NSA tried, as they eventually approved V4. If I were
the NSA, I would have put a great deal of effort into trying to break it
if I knew that the devices would go into all modern crypto-systems!
However, I know nothing of what they did (their report is classified).

Unfortunately, no one publishes a master's thesis or PhD thesis that
says "I failed to crack this encryption" so there are no records of
these attempts failing. But, no one has been able to get at the key, or
to find anything about the bitstream, ever since we first introduced the
features starting with Virtex II.

On the other hand, polarized light, and a high school microscope, can be
used to read the state of any efuses in a chip (which is why they are
excluded as a solution by the standards). The fact that some vendors
scramble their efuse contents just means that they do not really
understand what security is all about ("there is no security in
obscurity"). Once the "secret" is out (by reverse engineering the
hardware or software), then all of the products shipped become vulnerable.

Our approach has no secrets whatsoever: the algorithm is public, as is
the design of the encryptor and decryptor. That is why it complies with
the standards for constructing a secure system.

Austin

Antti

Mar 5, 2008, 3:21:09 PM

The V2P crack challenge bounty was 25KUSD total?
Or was it even less? Well, it doesn't matter; it was definitely less
than needed for anyone to REALLY try to crack the V2P key.
It doesn't mean it would be doable, only that the university
results are not the "final judge".
And whatever the NSA did (if anything) is classified...

But, yes, the BEST security is an FPGA with a NONVOLATILE key.
FIPS also requires KEY CLEAR, which is only supported by V-5 without
external circuitry.

Everything flash based or with something nonvolatile is instantly less
secure.

From what I have heard, the "thumb estimate" to read out ANY FLASH
based microcontroller's protected code is about 1000 USD.
Reading back a protected ATmega8 has been as cheap as 800RMB (112USD)
(no, I have not done that, I just know the work being quoted at that
price).

Sure, that was a thumb estimate; the price for some flash MCUs could be
higher.
I assume it's only valid for normal Flash MCUs, not for those designed
for increased security.

Reading e-fuses with a microscope at the university, well, it sure can
be possible. I have myself placed a needle with bare hands onto a 6
micron track on the die of a Motorola ROM based smartcard chip.
LOOOOONG time ago. That was not-secure technology, and very old.

With a little better tools the modern chips could possibly be hacked as
well, but the easiness of efuse reading, I think it's not that trivial
either. In the market segment where product cloning is a major issue
there is NO KNOWN case of an Actel chip being cloned, ever. And the
people who would like to clone Actel based products are not some
students, but some smaller ASIC people.

But in MOST cases the security is downgraded by other means, not the
main key/algorithm.

As an example, the Nintendo WII is protected by an AES key, stored in
the OTP area on a custom ASIC.
This key has _never_ been read out, but the protection has been broken
by side-channel attacks.

The first break-in into the system was by swapping address lines
between the main CPU and ASIC; later a stack-overflow exploit was
found. By inserting the "Twilight Princess" DVD and using a modified
saved game that causes a stack fault, the AES security is fully
bypassed without opening the WII.

... So having the FPGA AES protected is nice.
But that says NOTHING about the overall system security and protection
at all.

Antti

Allan Herriman

Mar 5, 2008, 3:30:46 PM

Thanks for the clarification. Our purchasing guy was worried about
this. But... no longer.

Regards,
Allan

sky4...@trline5.org

Mar 5, 2008, 4:47:31 PM
>Also, I presume the NSA tried, as they eventually approved V4. If I was
>the NSA, I would have put a great deal of effort to try to break it if I
>knew that the devices would go into all modern crypto-systems! However,
>I know nothing of what they did (their report is classified).

NSA may have their reasons to not approve crypto systems that are "too good".

austin

Mar 5, 2008, 4:47:00 PM
Allan,

If your purchasing guy has any problems, have him email me with the SCD
number.

Austin

austin

Mar 5, 2008, 4:54:16 PM
Antti,

Good points. Even the best component security doesn't equate to a high
level of system security.

You are also correct to point out the Actel antifuse (basically a via
that can be 'popped'), where it is 'impossible' to map all of them, and
hence how the part is programmed. This is only because no one has
automated this attack: if automated, it could be done (shave off 10
angstroms, take a picture, repeat, then rebuild the connections).

Don't forget some attackers have infinite labor, and infinite patience.
My favorite example is when the students took over the American Embassy
in Iran, and then put back together all of the shredded secret documents
... a massive task, but just a big puzzle after all (and one that could
be, and was, solved).

Austin

austin

Mar 5, 2008, 4:57:34 PM
I knew someone would say this,

Yes, there are those that think because the NSA approves a crypto
standard, they either have a back door, or some other way around it.

You give them far too much credit.

They are not that smart.

If there is a weakness, or a back door, then they have created a way for
all systems they certify to be broken.

They are also not that stupid.

Austin

Sean Durkin

Mar 5, 2008, 5:16:11 PM
austin wrote:
> Don't forget some attackers have infinite labor, and infinite patience.
> My favorite example is when the students took over the American Embassy
> in Iran, and then put back together all of the shredded secret documents
> ... a massive task, but just a big puzzle after all (and one that could
> be, and was, solved).
BTW, this is not even a problem of labor and patience anymore:

http://tinyurl.com/2e2lyf

:)

cu,
Sean

--
My email address is only valid until the end of the month.
Try figuring out what the address is going to be after that...

Nico Coesel

Mar 5, 2008, 6:26:05 PM
austin <aus...@xilinx.com> wrote:

>Frai,
>
>There are many who claim "oh, this is easy..."
>
>However, back in the Virtex II Pro days, we issued a challenge, and more
>than 7 universities and research groups accepted the challenge.
>
>We provided a 2vp7 pcb with usb port, and pins for access to power, that
>had the key battery installed (300 mA lithiumm coin cell), and the part
>was programmed with a 3DES encrypted bitstream.
>
>All 7 challengers gave up. Their basic conclusion was all the things
>they thought would work, differential power attack, spoofing by power
>glitches, attack with freeze spray, etc. FAILED.

The word is there are companies that specialise in cracking these sorts
of security features. You'll have to bring a big amount of cash
though. I'm not at all impressed by claiming the NSA or several
universities couldn't crack it. Nice sales pitch, but I'm not buying
it :-) The really clever people work where the money is and that is
usually not in a government job.

--
Programming in Almere?
E-mail to nico@nctdevpuntnl (punt=.)

austin

Mar 5, 2008, 6:54:05 PM
Nico,

Universities often crack crypto systems. They are usually the first to
do so. DPA, and other techniques have all been pioneered at schools.

I went out, and solicited bids for various "cracking" jobs.

Unfortunately, no one took any of them.

All I received was "no bid."

There are reputable reverse engineering firms, but they are not stupid,
they will not agree to do work for which they will not be paid.

They had to deliver something in order to get paid.

No bid.

Could a nation-state decide to go and reverse engineer something? Sure,
and that falls into the "infinite resource" attacker category. They
might not succeed, but I am sure they would try their best.

Thankfully, in the commercial segment, I don't have to worry about that
level of attack. That is the level of attack the NSA is worrying about.
And they said: "use Xilinx."

Austin

Andreas Ehliar

Mar 5, 2008, 11:10:17 PM
On 2008-03-05, Antti <Antti....@googlemail.com> wrote:
> What I have heard the "thumb estimate" to read out ANY FLASH
> based microcontrollers protected code is about 1000 USD.
> Reading back a protected ATmega8 has been as cheap as 800RMB (112USD)
> (no I have not done that, I just know the work being quoted at that
> price)


A bit off topic, but I have found the following blog quite an
interesting read regarding the security of various products:

http://www.flylogic.net/blog/

They also have very nice photos on it :)

/Andreas

Eric Smith

Mar 6, 2008, 4:31:14 AM
austin <aus...@xilinx.com> writes:
> Well, we are unable to get anyone interested to try it, as they tried
> the obviously less secure 3DES, and didn't get anywhere.

I think claiming 3DES to be "obviously less secure" is a bit much.
DES has withstood far more attacks than AES. After all that, there
are no known attacks that are significantly better than brute force, so
3DES is quite secure.

AES *might* be as secure or more, but since it hasn't had nearly as
much time to be poked and prodded by cryptographers, I wouldn't count
on it.

Of course, some clever cryptographer might come up with a new attack
against either one.

The biggest advantage of AES over 3DES is that AES is approved by the
US government now, and DES no longer is. (I think 3DES still is for
at least some applications.) For my own data, I prefer 3DES.

Eric Smith

Mar 6, 2008, 4:40:12 AM

They *are* that smart.

When they influenced the design of DES way back when, they *both*
strengthened and weakened it.

They weakened it by reducing the key length to 56 bits. It is generally
believed that they did this because they could afford to build hardware
that would brute-force search a 56-bit key space.

They strengthened it by making design changes, the nature of which was
not obvious at the time. Many years later, cryptographers (re)discovered
linear and differential cryptanalysis methods, and found that the NSA's
changes to the design of DES made it essentially immune to those lines
of attack. The NSA had developed those attacks, but had not published
them, for obvious reasons.

In other words, the NSA wanted the strength of DES to be only 56 bits,
but also not to have weaknesses reducing the effective key size
significantly below 56 bits.

When the NSA is involved in the development of any cryptosystem made
available for public use, it would be foolish to assume that they
haven't made sure that it is neither too insecure nor too secure.

Eric
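
Eric's point that the S-box changes blunted differential cryptanalysis can be seen directly in the S-box tables themselves. The block below is an added example, not code from the thread or from any poster: it builds the difference distribution table (DDT) of DES S-box S1, using the table published in FIPS 46, and checks two of the S-box design criteria Coppersmith published in 1994: inputs differing in exactly one bit must produce outputs differing in at least two bits, and no nonzero input difference may lead to any single output difference for more than 8 of its 32 unordered input pairs (16 of the 64 ordered pairs). The function names are my own.

```python
# Added example: difference distribution table of DES S-box S1 and two
# published S-box design criteria (Coppersmith, 1994). Not from the thread.

# DES S-box S1 in the FIPS 46 layout: 4 rows x 16 columns of 4-bit outputs.
S1_TABLE = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def s1(x):
    """Apply DES S1 to a 6-bit input.

    As in FIPS 46, the two outer bits (here bit 5 and bit 0) select the
    row and the four middle bits select the column.
    """
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1_TABLE[row][col]


def difference_table(sbox, in_bits=6, out_bits=4):
    """Return ddt where ddt[din][dout] counts ordered inputs x such that
    sbox(x) ^ sbox(x ^ din) == dout.  Row 0 is trivially 64 at column 0;
    every other row sums to 64 and has only even entries, because x and
    x ^ din are both counted."""
    size = 1 << in_bits
    ddt = [[0] * (1 << out_bits) for _ in range(size)]
    for din in range(size):
        for x in range(size):
            ddt[din][sbox(x) ^ sbox(x ^ din)] += 1
    return ddt


def max_differential(ddt):
    """Largest DDT entry over nonzero input differences as (din, dout, count).

    count / 64 is the best single-S-box differential probability an
    attacker could exploit; a designer wants it as small as possible."""
    best = (0, 0, 0)
    for din in range(1, len(ddt)):
        for dout, count in enumerate(ddt[din]):
            if count > best[2]:
                best = (din, dout, count)
    return best


def single_bit_criterion_holds(sbox, in_bits=6):
    """Design criterion: two inputs that differ in exactly one bit must
    give outputs that differ in at least two bits."""
    for x in range(1 << in_bits):
        for b in range(in_bits):
            dout = sbox(x) ^ sbox(x ^ (1 << b))
            if bin(dout).count("1") < 2:
                return False
    return True


def bounded_differential_holds(ddt, limit=16):
    """Design criterion: for any nonzero input difference, at most 8 of the
    32 unordered pairs (16 of 64 ordered inputs) share one output difference."""
    return max_differential(ddt)[2] <= limit


if __name__ == "__main__":
    table = difference_table(s1)
    din, dout, count = max_differential(table)
    print("best differential for S1: 0x%02x -> 0x%x with %d/64" % (din, dout, count))
    print("single-bit criterion:", single_bit_criterion_holds(s1))
    print("bounded differential criterion:", bounded_differential_holds(table))
```

Running the script prints the most probable single-round differential through S1 and confirms both criteria hold. The same functions work on any of the eight DES S-boxes if their tables are substituted; a random 6-to-4-bit table would typically fail the single-bit criterion, which is the point Eric is making about the changes being deliberate rather than accidental.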

diogratia

Mar 6, 2008, 4:52:33 AM
to David Koontz

The reason the Xilinx parts get approval for single chip Type 1 COMSEC
applications has to do primarily with software tools changes ensuring
adequate red/black separation using the column based architecture
found in Virtex-4 LX, SX and FX.

http://www.mil-embedded.com/PDFs/NSA.Mar07.pdf

FIPS 41 is entitled "Computer Security Guidelines for Implementing the
Privacy Act of 1974" and was withdrawn in 1998; I think you mean
FIPS 140-2 (-3 pending) "Security Requirements for Cryptographic
Modules", wherein you can use the placement tools and column
architecture for functional separation (compartmentalization). The
FIPS 140 criteria derive from the NSA's CCEP program.

One could wonder if the market is sufficiently large or attractive
enough for Altera to make the effort.

diogratia

Mar 6, 2008, 5:05:55 AM

There were interesting stories about Intel and a scanning electron
beam prober during the Clipper Chip days (uses anti-fuse). Something
about seeing the charge around a via and telling whether or not the
fuse was conducting or high impedance. Presumably this would be
easier to automate. There was a lot of speculation about tamper proof
chip cases. Also something about the technology getting classified.

austin

Mar 6, 2008, 10:56:18 AM
3 X 56 bits < 256 bits.

Note that we have AES256, and the "other" competitor only had AES128.

AES128 was not approved (for the crypto modernization program).

I am sure that tells you something.

Austin

Allan Herriman

Mar 6, 2008, 12:15:25 PM


You would not try to brute force a 128 bit AES system.
Making the brute force attack 2^128 times harder by doubling the key
size, doesn't change all that much since you wouldn't be using that
approach anyway.

(Yes, I do know that only the 256 bit key version is approved for top
secret work in the USA. All our products support the 256 bit key size
for that reason.)


BTW, I think bitstream encryption is an excellent idea for protecting
the intellectual property that the bitstream represents. I'm just not
sure I'd rely on it as an essential part of a security system, where
the threat model includes attacks by well funded military
organisations.

Austin, is there an appnote showing how bitstream encryption can be
used to make an HSM? I'd be interested in knowing how it's done.


Disclaimer: none of our products rely on bitstream encryption (from
any FPGA vendor) to protect our customers' secrets.


Regards,
Allan

austin

Mar 6, 2008, 1:44:13 PM
Allan,

HSM?

Austin

austin

Mar 6, 2008, 2:23:33 PM
Allan,

I presume HSM = Host Security Module?

If so, that is an application, and we do not supply any examples, nor
any IP.

Austin

Allan Herriman

Mar 6, 2008, 2:40:30 PM
On Thu, 06 Mar 2008 10:44:13 -0800, austin <aus...@xilinx.com> wrote:

>Allan,
>
>HSM?
>
>Austin

google suggests High School Musical. Hmmm.

Perhaps this would be better:
http://en.wikipedia.org/wiki/Hardware_Security_Module

It's only when you start designing products like that, that the
distinction between 128 and 256 bit AES becomes important. (IMO)

Regards,
Allan

kenS

Sep 15, 2010, 10:43:32 AM
Hi Austin,

About the security of Virtex, I have recently read a document mentioning
that the battery charged key can still be read once the battery is
removed, since the memory has already been charged for too long and an
EM field will not easily disappear. They provided a temperature to EM
field lasting prediction as well in their report. Their conclusion shows
the anti-fuse FPGA is the best possible option. What do you think?

Ken



---------------------------------------
Posted through http://www.FPGARelated.com

Ed McGettigan

Sep 15, 2010, 11:45:59 AM

Can you post a link to this document? Or provide more details on what
the author had to go through to be able to read the "ghost" EM field
of the security bits?

At first glance this doesn't seem very plausible.

Ed McGettigan
--
Xilinx Inc.
