path: root/pelican/content/OpenCryptoChip.md

   
Title: OpenCryptoChip
Author: trac
Date: 2016-12-15 22:44
An Open Crypto Chip
The Layer Cake Architecture Picture







Use Cases

RPKI/DNSSEC Signing
Transport VPNs
Routers and TCP/AO
Email
Federations, Identity Systems, SSO etc
Password Stretching & HMAC:ing
PGP and SSH Keys on a Stick
High Quality Entropy Randomness
A Communications Terminal Doing One Thing Well, Like Jabber w/o X11
HSM for Pond, OTR identity keys, ssh private keys, etc. (i.e. key gen, store, import/export non X.509 packages)
Password management


Basic Functions of Crypto Chip

Key Generation
Key Storage
Key Wrap
Key Unwrap
Hash
Sign
M of N Sign
Verify Signature
Encrypt
Decrypt
KDFs, e.g. Password Stretching (a la PBKDF2)
Random (RO + noisy diode?)

Key wrapping
We need to support key wrapping. Some pointers:

https://en.wikipedia.org/wiki/Key_Wrap
http://tools.ietf.org/html/rfc5297
http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
https://tools.ietf.org/html/rfc3394
https://tools.ietf.org/html/rfc5649

Things we Should Try To Do, Even if we Can't Do Them Perfectly

Tamper Protection (wipe on signal, suggest detectors, suggest potting features)
Side Channel Attack Reduction

Rough Cut at v0.01 Proof of Concept Feature Set
As a proof of concept, to validate as much as possible the assurance of the tools and methods, and as a demonstration of the project tools, team, and architecture, we have a proposed version 0.01 product as a proof of concept and a demonstration of the project tools, team, and architecture




Ongoing Decisions and Research

Security Target Description
Performance Target(s)
Tool-Chain Investigation
Prototype Design
Testing / Assurance Methods for all Components
Verilog/RTL assurance, with open source and with proprietary
Prototyping Platform(s)
Documentation, Decision History, & Transparency





Ongoing Development

SUNET is sponsoring the first two development steps currently being done.
 Investigation and planning of a TRNG with entropy sources
Investigation of possible EDA tools and ways to do open and assured HW development"
Collection about side-channel attacks and detection, mitigation methods

v0.1 Major Sub-Projects
Security Goals and Documentation

Agreement
Specification

Development Platform


The Bunnie laptop Novena. Includes a Xilinx Spartan 6 LX45 FPGHA. The specs, drivers, source for Novena can be found here: http://www.kosagi.com/w/index.php?title=Novena_Main_Page


TerasIC C5G Cyclone 5 GX Starter Kit. Includes an Altera C5GX FPGA. This board is used for core, subsystem development and verification. Info, documentation and ordering of the TerasIC board can be found here: http://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=167&No=830


Here is a writeup on how to setup and run coretest_hashes on the C5G board.

TerasIC DE0-Nano board. This tiny, USB powered board is used for core development and verification. Info, documentation, resources, ordering of the TerasIC board can be found here: http://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=139&No=593

Hardware Development Tools
Component Libraries

Research
Select
On-chip Interconnect Standards to use.

Methods and Validation

Overall Strategy
Following the Tool-Chain

Detailed Specification

Feature Set

QA & Documentation
Green/Yellow Software Support

Spec / ABI
Development
Documentationa and Testing

Assured Linux Platform

DDC Compiler
System Build
Minimal Component Set

v0.1 Project Timeline
February 2014

Specification of v0.1 Goals and Feature Set
Security Goals & Documentation Outline

July 2014

SHA & AES

September 2014

TRNG
Assured Linux Platform - Initial Report

November 2014

Security Goals & Documentation Overall and v0.1
RSA Signing on Bunnie Board
Assured Linux Platform - Compiler

March 2015

v0.1 Protoype

Future Development
The v0.1 version of CrypTech is not the last version nor the only possible version. The project for example consider possible ASIC Implementations.