Title: OpenCryptoChip Author: trac Date: 2016-12-15 22:44 # An Open Crypto Chip ## The Layer Cake Architecture Picture
![layer-cake.jpg]({attach}/OpenCryptoChip/layer-cake.jpg)

## Use Cases * RPKI/DNSSEC Signing * Transport VPNs * Routers and TCP/AO * Email * Federations, Identity Systems, SSO etc * Password Stretching & HMAC:ing * PGP and SSH Keys on a Stick * High Quality Entropy Randomness * A Communications Terminal Doing One Thing Well, Like Jabber w/o X11 * HSM for Pond, OTR identity keys, ssh private keys, etc. (i.e. key gen, store, import/export non X.509 packages) * Password management ![cryptech venn.png]({attach}/OpenCryptoChip/cryptech%20venn.png) ## Basic Functions of Crypto Chip * Key Generation * Key Storage * Key Wrap * Key Unwrap * Hash * Sign * M of N Sign * Verify Signature * Encrypt * Decrypt * KDFs, e.g. Password Stretching (a la PBKDF2) * Random (RO + noisy diode?) ## Key wrapping We need to support key wrapping. Some pointers: - https://en.wikipedia.org/wiki/Key_Wrap - http://tools.ietf.org/html/rfc5297 - http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf - https://tools.ietf.org/html/rfc3394 - https://tools.ietf.org/html/rfc5649 ## Things we Should Try To Do, Even if we Can't Do Them Perfectly * Tamper Protection (wipe on signal, suggest detectors, suggest potting features) * Side Channel Attack Reduction # Rough Cut at v0.01 Proof of Concept Feature Set As a proof of concept, to validate as much as possible the assurance of the tools and methods, and as a demonstration of the project tools, team, and architecture, we have a [proposed version 0.01 product]({filename}RoughV1.md) as a proof of concept and a demonstration of the project tools, team, and architecture

# Ongoing Decisions and Research * Security Target Description * Performance Target(s) * Tool-Chain Investigation * Prototype Design * Testing / Assurance Methods for all Components * Verilog/RTL assurance, with open source and with proprietary * Prototyping Platform(s) * Documentation, Decision History, & Transparency

# Ongoing Development * [SUNET is sponsoring the first two development steps]({filename}SunetInitialDevelopment.md) currently being done. * [ Investigation and planning of a TRNG with entropy sources]({filename}TRNGDevelopment.md) * [Investigation of possible EDA tools and ways to do open and assured HW development"]({filename}EDAToolchainSurvey.md) * [Collection about side-channel attacks and detection, mitigation methods]({filename}SideChannel.md) # v0.1 Major Sub-Projects ## Security Goals and Documentation * Agreement * Specification ## Development Platform * The Bunnie laptop Novena. Includes a Xilinx Spartan 6 LX45 FPGHA. The specs, drivers, source for Novena can be found here: http://www.kosagi.com/w/index.php?title=Novena_Main_Page * TerasIC C5G Cyclone 5 GX Starter Kit. Includes an Altera C5GX FPGA. This board is used for core, subsystem development and verification. Info, documentation and ordering of the TerasIC board can be found here: http://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=167&No=830 Here is a writeup on how to [setup and run coretest_hashes on the C5G board]({filename}CoretestHashesC5G.md). * TerasIC DE0-Nano board. This tiny, USB powered board is used for core development and verification. Info, documentation, resources, ordering of the TerasIC board can be found here: http://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=139&No=593 ## Hardware Development Tools ## Component Libraries * Research * Select * [On-chip Interconnect Standards]({filename}InterconnectStandards.md) to use. ## Methods and Validation * Overall Strategy * Following the Tool-Chain ## Detailed Specification * Feature Set ## QA & Documentation ## Green/Yellow Software Support * Spec / ABI * Development * Documentationa and Testing ## Assured Linux Platform * DDC Compiler * System Build * Minimal Component Set # v0.1 Project Timeline ## February 2014 * Specification of v0.1 Goals and Feature Set * Security Goals & Documentation Outline ## July 2014 * SHA & AES ## September 2014 * TRNG * Assured Linux Platform - Initial Report ## November 2014 * Security Goals & Documentation Overall and v0.1 * RSA Signing on Bunnie Board * Assured Linux Platform - Compiler ## March 2015 * v0.1 Protoype # Future Development The v0.1 version of CrypTech is not the last version nor the only possible version. The project for example consider possible [ASIC Implementations]({filename}ASICImplementations.md).