[[PageOutline]]

An Open Crypto Chip

The Layer Cake Architecture Picture

[[Image(layer-cake.jpg)]]


Use Cases

  • RPKI/DNSSEC Signing
  • Transport VPNs
  • Routers and TCP/AO
  • Email
  • Federations, Identity Systems, SSO etc
  • Password Stretching & HMAC-ing
  • PGP and SSH Keys on a Stick
  • High Quality Entropy Randomness
  • A Communications Terminal Doing One Thing Well, Like Jabber w/o X11
  • HSM for Pond, OTR identity keys, ssh private keys, etc. (i.e. key gen, store, import/export non X.509 packages)
  • Password management

[[Image(cryptech venn.png)]]

Basic Functions of Crypto Chip

  • Key Generation
  • Key Storage
  • Key Wrap
  • Key Unwrap
  • Hash
  • Sign
  • M of N Sign
  • Verify Signature
  • Encrypt
  • Decrypt
  • KDFs, e.g. Password Stretching (a la PBKDF2)
  • Random (RO + noisy diode?)

Key wrapping

We need to support key wrapping. Some pointers:

  • https://en.wikipedia.org/wiki/Key_Wrap
  • http://tools.ietf.org/html/rfc5297
  • http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
  • https://tools.ietf.org/html/rfc3394
  • https://tools.ietf.org/html/rfc5649

Things we Should Try To Do, Even if we Can't Do Them Perfectly

  • Tamper Protection (wipe on signal, suggest detectors, suggest potting features)
  • Side Channel Attack Reduction

Rough Cut at v0.01 Proof of Concept Feature Set

As a proof of concept, we have a [wiki:RoughV1 proposed version 0.01 product]. It is meant to validate, as far as possible, the assurance of the tools and methods, and to demonstrate the project tools, team, and architecture.

Ongoing Decisions and Research

  • Security Target Description
  • Performance Target(s)
  • Tool-Chain Investigation
  • Prototype Design
  • Testing / Assurance Methods for all Components
  • Verilog/RTL assurance, with open source and with proprietary
  • Prototyping Platform(s)
  • Documentation, Decision History, & Transparency


Ongoing Development

  • [wiki:SunetInitialDevelopment "SUNET is sponsoring the first two development steps"] currently being done.
  • [wiki:TRNGDevelopment "Investigation and planning of a TRNG with entropy sources"]
  • [wiki:EDAToolchainSurvey "Investigation of possible EDA tools and ways to do open and assured HW development"]
  • [wiki:SideChannel "Collection about side-channel attacks and detection, mitigation methods"]

v0.1 Major Sub-Projects

Security Goals and Documentation

  • Agreement
  • Specification

Development Platform

  • The Bunnie laptop, Novena. Includes a Xilinx Spartan 6 LX45 FPGA. The specs, drivers, and source for Novena can be found here: http://www.kosagi.com/w/index.php?title=Novena_Main_Page

  • TerasIC C5G Cyclone 5 GX Starter Kit. Includes an Altera C5GX FPGA. This board is used for core, subsystem development and verification. Info, documentation and ordering of the TerasIC board can be found here: http://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=167&No=830

Here is a writeup on how to [wiki:CoretestHashesC5G "set up and run coretest_hashes on the C5G board"].

  • TerasIC DE0-Nano board. This tiny, USB powered board is used for core development and verification. Info, documentation, resources, ordering of the TerasIC board can be found here: http://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=139&No=593

Hardware Development Tools

Component Libraries

  • Research
  • Select
  • [wiki:InterconnectStandards "On-chip Interconnect Standards"] to use.

Methods and Validation

  • Overall Strategy
  • Following the Tool-Chain

Detailed Specification

  • Feature Set

QA & Documentation

Green/Yellow Software Support

  • Spec / ABI
  • Development
  • Documentation and Testing

Assured Linux Platform

  • DDC Compiler
  • System Build
  • Minimal Component Set

v0.1 Project Timeline

February 2014

  • Specification of v0.1 Goals and Feature Set
  • Security Goals & Documentation Outline

July 2014

  • SHA & AES

September 2014

  • TRNG
  • Assured Linux Platform - Initial Report

November 2014

  • Security Goals & Documentation Overall and v0.1
  • RSA Signing on Bunnie Board
  • Assured Linux Platform - Compiler

March 2015

  • v0.1 Prototype

Future Development

The v0.1 version of CrypTech is neither the last version nor the only possible version. For example, the project is considering possible [wiki:ASICImplementations "ASIC Implementations"].