A cryptographic module shall provide methods to zeroize all plaintext
secret and private cryptographic keys and CSPs within the module.
Zeroization of encrypted cryptographic keys and CSPs or keys otherwise
physically or logically protected within an additional embedded
validated module (meeting the requirements of this standard) is not
required.
Documentation shall specify the key zeroization methods employed by a
cryptographic module."
Not that there is anything wrong with a low cost, simple, and useful
security method (look at how many cheap locks get sold that are easily
picked by the average pre-teen). But to imply that this is somehow NIST
approved is a complete joke!
In fact, poly efuses are great (now that the foundries have them
as a standard feature).
Just don't go advertising them to be more than they really are: a
convenient way to make it cost at least $5,000 to find the key.
Hi Austin,
besides everything concerning the security gain of an encrypted
bitstream I have a different question.
Xilinx offers a similar feature too in its Virtex4 (and 5?) FPGAs.
Now, that some silicon already is used up by the AES algorithm, wouldn't
it be nice to make it accessible to the customer? Just the key scheduler
and the round function, not the key memory.
Would be a nice feature for some customers, but (nearly) no drawback for
all others.
That is something that we thought about. But, really what we are talking
about is providing access to the crypto-engine through the general
interconnect, and control of that engine.
It was considered that anything we do in this regard would have to be
completely and thoroughly tested so as not to be a back door, and
compromise security.
It wasn't worth the work to have to prove we did not break something.
Even the JTAG is considered a real threat to security, so we have a
method of disabling it once you have been configured with your encrypted
bitstream (in V4 and V5).
Kevin of FPGA Journal is looking for student interns for some security
fun (in FPGAs). If anyone is interested, email me directly.
We submitted our V2 Pro to 9 schools and universities (and some
non-existent agencies) three years ago, and no one has broken the
security, or even compromised it. That is what our security is about:
we gave the students the complete schematics of the PCB, provided series
access for PDA attacks, etc. All we asked was: tell us the key, or
make the TRNG deliver non-random numbers (affect operation). We want to
know every weakness so we can fix it in the next version (and hopefully
not break anything).
Austin
backhus wrote:
> Hi Austin,
> besides everything concerning the security gain of an encrypted
> bitstream I have a different question.
>
> Xilinx offers a similar feature too in its Virtex4 (and 5?) FPGAs.
> Now, that some silicon already is used up by the AES algorithm, wouldn't
> it be nice to make it accessible to the customer? Just the key scheduler
> and the round function, not the key memory.
>
> Would be a nice feature for some customers, but (nearly) no drawback for
> all others.
>
> Best regards
> Eilert
Re: Locks for the peasants :-) Let them eat cake! Off with their heads!
Further,
At least no one will tell us they broke into the chip.
It could be that when the students worked at it for a while, they
realized that since they couldn't break it, there would be no degree, so
they moved on to something easier to break into. I am sure that certain
non-existent agencies spent more time hacking at it. But since they
never tell anyone anything, I am just guessing.
Obviously with enough money and enough time ... there is no 'perfect' lock.
But we are in full compliance with FIPS 140-2. And we also have AES256
which is considered acceptable for the most secure crypto boxes. AES128
is not considered 'secure' enough. Don't ask me why, as the details are
secret, and I am not cleared. I just hear and obey.
I am sure that if AES128 had battery backed key storage, it would be
perfectly good for any commercial crypto application. After all, today
we use 3DES which is only 2E112 hard, and that is now considered within
the reach of a mid-level attack. 2E128 provides only (only?) a 16 fold
improvement over 2E112....
Austin
The 'solution' for Stratix II requires an NDA for how to program the keys.
Now, since there is 'no security through obscurity', this means that
there is something they wish to hide.
A back door? A flaw? Whatever it is, it must be a goodie...
Full disclosure, and an open invitation to help us improve our solution.
That is what Xilinx offers.
Austin
Hi Austin,
that sounds reasonable. Security proofs are expensive.
For the V2 boards you gave away ... what reward did you offer in case of
success? I suspect there are people out there who would pay good for
that knowledge as long as you don't have it, so why should they tell
you? ;-)
Best regards
Eilert
> Just don't go advertising them to be more than they really are: a
> convenient way to make it cost at least $5,000 to find the key.
Is it that cheap today to open the die and observe the fuses?
I have no idea if (and how) Altera protected the key fuses against
optical inspection of die cuts. But if you're right, it would be very
cheap to reengineer most ASICs.
BTW, am I right that if I use a Xilinx with security inside an
equipment, the chip could be hijacked (chip-modded) by just removing
the power supply of the keys and applying a new bitstream?
Which means the bitstream itself may be protected, but not the chip?
Why did nobody combine software and fuse based technologies? It would
be sufficient to have 128 bit (with secure algorithms) in SW and 128 in
fuses.
No reward but the satisfaction that you were able to outsmart a room
full of very smart people. Such an accomplishment would definitely
qualify the person for a job offer here at Xilinx.
The part was the 2VP4.
Austin
Yes, it is that cheap (and easy) to find and read efuses. If they had
used Actel's via fuse technology, it would be much, much harder, but
still do-able for a small number of vias. Of course, you would have to
know where to look. The poly efuse is huge, and is almost big enough to
see with the eye. An array of 128, or 256 has a big sign on it: "efuse
array right here!"
If you use the battery backed ram to store the key, the bitstream is
protected, not the device. Any regular unencrypted bitstream can be
loaded (or else how could you test your boards?).
The use of efuses to make it such that only a particular device is able
to load a particular bitstream is a requirement typical of the gaming
industry (slot machines). This is a feature that we are looking at
introducing in the future (if it does not compromise the higher level of
security).
As I said, I love efuses. They can be used for: serial numbers, lot
and process information, feature selection and control, device
identification, etc. You can even put a key in it, but make sure that
the key in a non-volatile memory is clearly stated as not being NIST
FIPS 140-2 compliant. There are customers for whom a low level of
security is just fine.
But for an IP company, placing my IP in such a low security device
invites every crypto student looking for a job, or a degree, to hack it.
Austin
Thomas Stanka wrote:
> Hi,
>
> Austin Lesea schrieb:
>
>> Just don't go advertising them to be more than they really are: a
>> convenient way to make it cost at least $5,000 to find the key.
>
> Is it that cheap today to open the die and observe the fuses?
> I have no idea if (and how) Altera protected the key fuses against
> optical inspection of die cuts. But if you're right, it would be very
> cheap to reengineer most ASICs.
>
> BTW, am I right that if I use a Xilinx with security inside an
> equipment, the chip could be hijacked (chip-modded) by just removing
> the power supply of the keys and applying a new bitstream?
> Which means the bitstream itself may be protected, but not the chip?
> Why did nobody combine software and fuse based technologies? It would
> be sufficient to have 128 bit (with secure algorithms) in SW and 128 in
> fuses.
>
> bye Thomas
>
>Yes, it is that cheap (and easy) to find and read efuses. If they had
>used Actel's via fuse technology, it would be much, much harder, but
>still do-able for a small number of vias. Of course, you would have to
>know where to look. The poly efuse is huge, and is almost big enough to
>see with the eye. An array of 128, or 256 has a big sign on it: "efuse
>array right here!"
The details have changed, but I doubt if the general idea is out of
date. People who build chips have to debug them. They will keep the
technology up to date.
Those slides show an efuse that is really blown. The new technology does
not vaporize the poly, it EM moves the ions all to one end, changing the
poly's behavior under polarized light. But, the method still applies:
you can visually read the values.
Thanks for the posting.
Austin
Hal Murray wrote:
>> Yes, it is that cheap (and easy) to find and read efuses. If they had
>> used Actel's via fuse technology, it would be much, much harder, but
>> still do-able for a small number of vias. Of course, you would have to
>> know where to look. The poly efuse is huge, and is almost big enough to
>> see with the eye. An array of 128, or 256 has a big sign on it: "efuse
>> array right here!"
>
> Whenever I get involved with a discussion like this, I point people
> at these papers:
> http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf
> http://www.cl.cam.ac.uk/~mgk25/sc99-tamper-slides.pdf
>
> That's from 1999. Still a great read.
>
> The details have changed, but I doubt if the general idea is out of
> date. People who build chips have to debug them. They will keep the
> technology up to date.
>
Could be there is a place for both volatile and non-volatile security.
Majority of customers we (Altera) have spoken to prefer the
non-volatile key and are extremely satisfied with the security. This
includes multiple military customers.
Non-volatile security provides significantly more flexibility on the
manufacturing process and enables some new royalty-based business
models that cannot be facilitated with battery back-up security.
Dave Greenfield wrote:
> Could be there is a place for both volatile and non-volatile security.
Of course, yes.
To quote Austin :
"The use of efuses to make it such that only a particular device is able
to load a particular bitstream is a requirement typical of the gaming
industry (slot machines). This is a feature that we are looking at
introducing in the future (if it does not compromise the higher level of
security)."
So, seems Xilinx will also be doing this, sometime...
In Security, the more hurdles, the better.
It is, of course, only as strong as the weakest link.
I am happy that you did your research and discovered what you think your
customers want, but I question the results: was the question "do you
want an easy to use and effective* security system that doesn't need a
battery?"
If so, then the answer is always "yes. I do!"
But, if you had said: "Non-volatile keys are not NIST approved for use
in any federal system, and not generally used in any private security
application. Knowing this, would you choose to use a non-volatile key
to protect your assets? or would you use a battery backed key"
If so, then I suspect the answer would be "no.....you should have told
me this."
To have a press release that touts a "superior security solution" is the
worst of the worst marketing. To claim to be able to protect IP from
ASSP vendors is quite honestly, false and misleading. If I can get the
IP that is a secret for less than $5,000, then I can clone the devices
without paying anything at all.
To imply that you have military customers satisfied with this level of
security is amazing. Perhaps they have a thermite charge to destroy the
device if it is tampered with. That does work, and makes getting parts
back for RMA a non-problem, but is not a preferred solution! Or perhaps
these devices are used for smart bombs and smart bullets. Hard to read
it out when they are blowing up all around you.
If what you are protecting is less than $5,000 in value, then it is
great, and works just fine.
By the way, when will you publish how the keys are programmed into the
device? Seems there is an NDA in place, and you are keeping a secret.
What are you hiding?
Austin
What is missing from all those press releases:
*Disclaimer: non-volatile poly-efuse EM technology can be read out by a
microscope using polarized light for a total investment of less than $5,000
Dave Greenfield wrote:
> Could be there is a place for both volatile and non-volatile security.
> Majority of customers we (Altera) have spoken to prefer the
> non-volatile key and are extremely satisfied with the security. This
> includes multiple military customers.
>
> Non-volatile security provides significantly more flexibility on the
> manufacturing process and enables some new royalty-based business
> models that cannot be facilitated with battery back-up security.
>
> If you are interested in further details, here's a link to an upcoming
> net seminar.
> http://www.altera.com/education/net_...-security.html
>
> Dave Greenfield
> Altera Product Marketing
>
Austin Lesea wrote:
> What is missing from all those press releases:
>
> *Disclaimer: non-volatile poly-efuse EM technology can be read out by a
> microscope using polarized light for a total investment of less than $5,000
... and that may not quite be the open door you paint.
Have _you_actually_cloned_ a/any device for $5000, or is this more
generic "Austin Arm waving" ?
[Until Xilinx have non volatile fuses, then the spin will change ? ]
Being able to read the physical fuses is some way from being able to
duplicate them, or reverse the key those fuses create.
It is not likely that Altera simply mapped Fuse1 = Encryption bit1, etc.
So, to descramble that, will need a LOT of devices, and much more time....
With fully volatile security, yes, the code within is secure,
but the system is _very_ open to spoofing type attacks, so again
security can be a mirage....
No, I have not cracked the Altera chip. I have received emails from
schools and universities who wish to crack it. These are the same
schools that have published successful smart card attacks.
My quote of $5,000 is what we pay to have a device ground down on the
backside such that we can do analysis on a device.
For another $5,000, one can get up to three or four FIB cuts, and a
couple of jumper wires.
The IEEE paper clearly discusses the technology, and what happens when
the fuse has all of its ions electromigrated to the other end, leaving
intrinsic silicon poly, which has a different index of refraction than
the poly with the ions.
There are difficulties. Find the fuses, read the values, and then
figure out what (if any) logic may be present to confuse the key bits.
That is why the Actel via fuses are considered much better (harder to
find, and read).
None the less, the attack is not 2E128 as the NIST standard implies (the
one they claim to meet FIPS 197, definition of AES 128, 256, 384 and
512). Sure the algorithm is a AES 128 one, but with knowledge of all
the fuse contents, the search space is lessened such that in maybe
twenty minutes or so of permutations on the key bits, you have the
device unlocked (bitstream is now in the clear on your computer, and
ready for cloning, reverse engineering, etc.)
No one has reverse engineered a bitstream for Xilinx or Altera, as far
as we know, on a large device. But that doesn't mean that someone could
not make specific modifications to an existing bitstream (change IO
location, drive strength, etc.) without having to know the whole design.
The question is not one of can I crack it (I believe I can), but one of
an ASSP vendor deciding to place their IP in a component that is not in
compliance with FIPS 140-2. Very, very simple.
Remember that any attack that is successful removes the security
forever. So, do you want to use something where there are known ways to
crack it? Or, do you want to use something that today there is no known
method of cracking?
For example, finding the battery backed key has been something that has
been tried and been unsuccessful. Then we were attacked with
differential power attacks (DPA). So far, those have been unsuccessful
as well. As an aside, DPA attacks on ASIC AES have been successful!
Yet another example of how a FPGA can actually be superior to an ASIC
solution.
I will be giving a talk on security in V4 and V5 soon, so watch for the
announcements.
Just as an aside, the coin cell lithium battery vendors have informed me
that for my use, the battery will last "forever." Since we hold the key
down to Vbatt voltages of much less than 1 volt, and the coin cell
starts out life at over 3 volts, and the stated 15 year life is to
discharge to 2 volts, we will last multiples of 15 years. So the
"terrible battery problem" is no big issue.
Set top cable boxes use a lithium battery to store the keys. Cable
companies aren't stupid: they would not use a battery unless there was
a good reason. After all, they make millions of set top boxes. All
they protect is a few movies, and yet they feel that following FIPS
140-2 is the only safe way to go (as everything else has been hacked).
We are examining how to use efuses. I can not say anything right now,
except I think they are going to be very useful, and helpful. They can
be used for device ID, matching a key to a device, factory information
(lot, wafer, serial numbers), control of internal circuits (set
currents, voltages, etc. to get around process variations), repair
faults by substituting redundant features...long long list. And, of
course, to hold a key for those who only have a $5,000 or less secret to
protect.
How much efuse memory should be for the user? How much for the
customer? Unlike my friend, the questions we ask are pretty detailed,
and we are very careful about what we do.
Austin
Jim Granville wrote:
> Austin Lesea wrote:
>> What is missing from all those press releases:
>>
>> *Disclaimer: non-volatile poly-efuse EM technology can be read out by a
>> microscope using polarized light for a total investment of less than
>> $5,000
>
> .. and that may not quite be the open door you paint.
>
> Have _you_actually_cloned_ a/any device for $5000, or is this more
> generic "Austin Arm waving" ?
>
> [Until Xilinx have non volatile fuses, then the spin will change ? ]
>
> Being able to read the physical fuses is some way from being able to
> duplicate them, or reverse the key those fuses create.
> It is not likely that Altera simply mapped Fuse1 = Encryption bit1, etc.
>
> So, to descramble that, will need a LOT of devices, and much more time....
>
> With fully volatile security, yes, the code within is secure,
> but the system is _very_ open to spoofing type attacks, so again
> security can be a mirage....
>
> -jg
>
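The point Austin makes above about "permutations on the key bits" is worth seeing in numbers. The following is an added example, not code from the thread or from either vendor: it models an attacker who has optically read most of a 128-bit e-fuse array but could not resolve a handful of fuses, and who also holds one plaintext/ciphertext block pair from the bitstream (a known header block; for a CBC-style stream the IV is normally sent in the clear). The key, the plaintext block and the list of unresolved fuse positions are all constructed for the example, and the code assumes the simplest case Jim questions, namely that fuse bits map directly onto key bits with no scrambling logic in between. The search then costs 2^m AES block operations for m unresolved fuses rather than 2^128.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// trueKey plays the role of the AES-128 key burned into the e-fuse array.
// Constructed for this example; it is not a real device key.
var trueKey = [16]byte{
	0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
	0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
}

// knownPlaintext is a constructed 16-byte block standing in for a part of
// the bitstream whose cleartext the attacker already knows (sync words and
// header fields are the usual candidates).
var knownPlaintext = []byte("SYNC\xaa\x99\x55\x66 hdr0001")

// encryptBlock encrypts a single 16-byte block under key. The check below
// only needs one (plaintext, ciphertext) block pair.
func encryptBlock(key [16]byte, pt []byte) []byte {
	c, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, pt)
	return out
}

// setBit writes the low bit of v at key bit position pos (0..127, MSB-first
// within each byte). The numbering is arbitrary; it only has to match how
// the unresolved fuse positions are reported.
func setBit(key *[16]byte, pos int, v uint64) {
	mask := byte(0x80 >> uint(pos%8))
	if v&1 == 1 {
		key[pos/8] |= mask
	} else {
		key[pos/8] &^= mask
	}
}

// ForgetBits returns a copy of key with the given positions cleared: what the
// attacker's notebook holds after an optical read-out that could not resolve
// those fuses (the cleared value is a placeholder, not a guess).
func ForgetBits(key [16]byte, positions []int) [16]byte {
	for _, p := range positions {
		setBit(&key, p, 0)
	}
	return key
}

// RecoverKey brute-forces only the unresolved positions, leaving every other
// bit at the value read from the fuses. It returns the recovered key, how
// many candidates were tried, and whether the known block checked out.
// Worst case is 2^len(uncertain) AES block operations, not 2^128.
func RecoverKey(partial [16]byte, uncertain []int, pt, ct []byte) ([16]byte, uint64, bool) {
	if len(uncertain) > 40 {
		panic("too many unresolved bits for an exhaustive search")
	}
	key := partial
	total := uint64(1) << uint(len(uncertain))
	buf := make([]byte, aes.BlockSize)
	for cand := uint64(0); cand < total; cand++ {
		for j, pos := range uncertain {
			setBit(&key, pos, cand>>uint(j))
		}
		c, err := aes.NewCipher(key[:])
		if err != nil {
			panic(err)
		}
		c.Encrypt(buf, pt)
		if bytes.Equal(buf, ct) {
			return key, cand + 1, true
		}
	}
	return partial, total, false
}

func main() {
	ct := encryptBlock(trueKey, knownPlaintext)
	// 20 of 128 fuses unresolved: about a million candidates, seconds of work.
	uncertain := []int{3, 9, 17, 22, 31, 40, 45, 51, 60, 66, 71, 77, 84, 90, 97, 103, 110, 115, 121, 127}
	partial := ForgetBits(trueKey, uncertain)
	key, tried, ok := RecoverKey(partial, uncertain, knownPlaintext, ct)
	fmt.Printf("found=%v tried=%d of %d candidates key=%x\n",
		ok, tried, uint64(1)<<uint(len(uncertain)), key)
}
```

The only thing that makes this hard is what sits between the fuses and the key register: if the device derives the key from the fuse contents through scrambling or mixing logic that the attacker has not recovered, the unresolved set is effectively the whole 128 bits again, which is exactly why Austin lists "figure out what (if any) logic may be present to confuse the key bits" as a separate step and why an NDA on that detail is being argued about.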
Part of my problem is that Altera has kept it a secret how to set the
key bits.
Without that knowledge, I can not program a device, in order to crack it.
So, I guess I will have to buy some parts from those trusting ASSP vendors.
Austin
Austin Lesea wrote:
> Jim,
>
> For reference:
> http://ieeexplore.ieee.org/xpl/freea...number=1493126
Austin Lesea wrote:
> Jim,
>
> Part of my problem is that Altera has kept it a secret how to set the
> key bits.
>
> Without that knowledge, I can not program a device, in order to crack it.
Hmmm ... perhaps you might now understand the feelings of those legit
users who want the Xilinx bitstream format opened (so they can write their
own tools).
Austin Lesea wrote:
> Jim,
>
> No, I have not cracked the Altera chip. I have received emails from
> schools and universities who wish to crack it. These are the same
> schools that have published successful smart card attacks.
>
> My quote of $5,000 is what we pay to have a device ground down on the
> backside such that we can do analysis on a device.
>
> For another $5,000, one can get up to three or four FIB cuts, and a
> couple of jumper wires.
...and here, you are still a long way from 'get at the IP'.. ?
- and rather a world away from your earlier sweeping claims...:
<paste classic Austin Arm Waving : >
> To have a press release that touts a "superior security solution" is the
> worst of the worst marketing. To claim to be able to protect IP from
> ASSP vendors is quite honestly, false and misleading. If I can get the
> IP that is a secret for less than $5,000, then I can clone the devices
> without paying anything at all.
No, wait, I _can_ see a false and misleading claim
If you are going to rail against Altera, surely it helps to keep your
credibility intact ?
2. NDA is no longer required for using the design security feature. NDA
is still required for getting more information about the key protection
as this adds one more level of protection.
3. Readback is not available in Stratix II FPGAs, so there is no risk
of configuration file being read out after decryption.
4. Additional measures are taken to protect the encryption bits; some
will be discussed in the net seminar while other details are only
available under NDA.
Isn't Marketing wonderful...
Here we are discussing which physical implementation is more secure,
and dear Dave tells us that Altera was indeed smart enough to implement
the algorithm correctly. I would never have stooped so low to doubt
that. Yes, Altera can do logic design. Bravo! Advance to second grade!
The question, however, was totally different: whether the key is
secure. And that is nowhere mentioned in that long URL.
Marketing 101:
If you have nothing good to say, throw in a big bunch of irrelevant
data.
That might defuse the argument and calm down the waves...
Peter Alfke, who had expected a more relevant post from Altera.
Don't treat us like dummies.
============================
Dave Greenfield wrote:
> 1. Stratix II FPGAs have been validated as conforming to FIPS-197
> standard. You can refer to the NIST web site:
> http://csrc.nist.gov/cryptval/aes/aesval.html.
>
> 2. NDA is no longer required for using the design security feature. NDA
> is still required for getting more information about the key protection
> as this adds one more level of protection.
>
> 3. Readback is not available in Stratix II FPGAs, so there is no risk
> of configuration file being read out after decryption.
>
> 4. Additional measures are taken to protect the encryption bits; some
> will be discussed in the net seminar while other details are only
> available under NDA.
>
> Dave Greenfield
> Altera Product Marketing
On 26 Jun 2006 20:18:42 -0700, "Peter Alfke" <alfke@sbcglobal.net>
wrote:
>Isn't Marketing wonderful...
>Here we are discussing which physical implementation is more secure,
>and dear Dave tells us that Altera was indeed smart enough to implement
>the algorithm correctly. I would never have stooped so low as to doubt
>that. Yes, Altera can do logic design. Bravo! Advance to second grade!
>
>The question, however, was totally different: whether the key is
>secure. And that is nowhere mentioned in that long URL.
>Marketing 101:
>If you have nothing good to say, throw in a big bunch of irrelevant
>data.
>That might defuse the argument, and calm down the waves...
>
>Peter Alfke, who had expected a more relevant post from Altera.
>Don't treat us like dummies.
Hi Peter,
Isn't FUD wonderful...
At least they are not claiming anything which they haven't really
accomplished, unlike the statements here:
"If I can get the IP that is a secret for less than $5,000, then I can
clone the devices without paying anything at all."
"*Disclaimer: non-volatile poly-efuse EM technology can be read out
by a microscope using polarized light for a total investment of less
than $5,000 "
and then changing the numbers when confronted about whether it was actually done:
"No, I have not cracked the Altera chip."
"My quote of $5,000 is what we pay to have a device ground down on the
backside such that we can do analysis on a device.
For another $5,000, one can get up to three or four FIB cuts, and a
couple of jumper wires. "
Now we are up to $10K. Then claiming:
"The question is not one of can I crack it (I believe I can), but one
of a ASSP vendor deciding to place their IP in a component that is not
in compliance with FIPS 140-2. Very, very simple."
I think it's put-up-or-shut-up time, don't you think? If you guys are
so sure, why don't you crack it / get it cracked and tell us how much
it costs instead of spreading FUD ?
Let's not quibble over the price tag, and whether $10,000 is a
meaningful hurdle.
The debate was about key security, and the consensus in the crypto
community is that things like efuses can be read out with moderate
effort, while battery-backed up SRAM data is either much more secure or
even perfectly secure, i.e. has never been cracked.
Some people think batteries are a pain, others think they are just fine
and last >15 years.
It's security vs convenience. Xilinx picked security, Altera picked
convenience.
The choice is yours.
Peter Alfke, Xilinx Applications
Peter Alfke wrote:
> Let's not quibble over the price tag, and whether $10,000 is a
> meaningful hurdle.
>
> The debate was about key security, and the consensus in the crypto
> community is that things like efuses can be read out with moderate
> effort, while battery-backed up SRAM data is either much more secure or
> even perfectly secure, i.e. has never been cracked.
>
> Some people think batteries are a pain, others think they are just fine
> and last >15 years.
>
> It's security vs convenience. Xilinx picked security, Altera picked
> convenience.
> The choice is yours.
> Peter Alfke, Xilinx Applications
>
Any security system must be convenient, or it won't be used. A hefty
proportion of windows users have firewall software that came with their
machines, but it's turned off - simply because it is too inconvenient.
When it's enabled, the firewall keeps asking these daft questions about
whether your programs are allowed to do this or that - it's far easier
just to turn the stupid thing off. An advanced application level
software firewall may theoretically be more secure than a simple
"incoming bad, outgoing good" firewall, but it's no help if people don't
use it.
The same thing probably applies here. I've no experience with either
Altera's or Xilinx's solutions, but I can understand the principle that
it's possible to read out efuses but not sram bits. If Altera's
solution is more convenient, then perhaps it is more secure in that
developers are more likely to use it? After all, all they need to do is
choose some options in the software - there is no need to add batteries
to the card, and to handle the support costs of dealing with lost keys
(users are so imaginative - "I took out the battery to make sure the
card got a proper reset").
As to how secure Altera's solution is - the Altera guys are not idiots,
and it is unbecoming of you to treat them as such. Sure, it's possible to
read out the efuses in theory, but my guess is you're going to have to
do a lot more than just a couple of $5000 rounds. I'm sure there are
theoretical methods of breaking Xilinx's security too, such as probing
the bit stream out of the decoder. Since you have to get access to the
device while power is on, it's going to be difficult - but I'm sure it
can be done given enough time and money (and boards to practise on). To
be secure, all a method has to do is raise the stakes high enough that
alternative methods are cheaper - once it is easier and cheaper to bribe
the original engineers for a copy of the code, the device is secure enough.
David Brown wrote:
> >
> As to how secure Altera's solution is - the Altera guys are not idiots,
> and it is unbecoming of you to treat them as such.
David, you should be ashamed of yourself for that dumb statement.
I did the opposite, I confirmed earlier that they designed their logic
and algorithm correctly, and explained then that they chose a different
optimization, convenience over security.
To tell me what is "unbecoming" is a baseless insult.
Peter Alfke