cryptech - ietf datatracker

CrypTech 2015.07.23 Praha 150723CrypTech Creative Commons: Attribution-NonCommercial-ShareAlike 2.0 1


Page 1: CrypTech - IETF Datatracker

CrypTech

2015.07.23 Praha


Page 2: CrypTech - IETF Datatracker

Origins

•  This effort was started at the suggestion of Russ Housley, Jari Arkko, and Stephen Farrell of the IETF, to meet the assurance needs of supporting IETF protocols in an open and transparent manner.

•  But this is NOT an IETF, ISOC, ... project, though both contribute. As the saying goes, “We work for the Internet.”


Page 3: CrypTech - IETF Datatracker

Goals

•  An open-source reference design for HSMs, not a manufactured product

•  Scalable, first cut in an FPGA and CPU, plan higher speed (ASIC) options later

•  Composable, e.g. “Give me a key store and signer suitable for DNSsec”

•  Reasonable assurance by being open, diverse design team, and an increasingly assured tool-chain


Page 4: CrypTech - IETF Datatracker

CrypTech Project

•  An Open Design, not a Product

•  Open – everything (docs, design, code)

•  BSD, CC license for all we develop

•  Diverse engineers and review

•  Support for transparency, testing, …

•  Multiple contributors: IETF, Comcast, Google, .SE, SUNET, PIR, ISOC, Afilias, RIPE, IANA, Cisco, etc.


Page 5: CrypTech - IETF Datatracker


Diverse Engineering

•  Verilog from Göteborg & Moscow

•  Hardware Adaption Layer (HAL) in Boston

•  Software, PKCS#11, … from Boston

•  TRNG advice from Germany and the States

•  Hardware Design & Build from Stockholm

•  DNSsec from Göteborg & Stockholm

•  Engineering coordination from Tokyo


Page 6: CrypTech - IETF Datatracker


Page 7: CrypTech - IETF Datatracker


Layer Cake Model (diagram); layers shown, bottom up:

•  FPGA (ASIC): Hashes SHA*/MD5/GOST; Encrypt AES/Camellia; PublicKey RSA/ECC/DSA; Block Crypto Modes; TRNG, BigNum, Modular Exponentiation

•  On-Chip Core(s): KeyGen/Store, Hash, Sign, Verify, Encrypt, Decrypt, DH, ECDH, PKCS#1/5/8, [Un]Load, Stretching, Device Activation/Wipe

•  Off-Chip Support Code: X.509/PGP/… Packaging, PKCS#7/10/11/15, Backup

•  Applications: DNSSEC, RPKI, PGP, VPN, OTR, random, TCP/AO, …

•  Security Boundary & Tamper; Power; Timing

Page 8: CrypTech - IETF Datatracker

Novena Spartan ‘Laptop’ (photo; the FPGA and the ARM are labelled)

Page 9: CrypTech - IETF Datatracker


Entropy Noise Board


Page 10: CrypTech - IETF Datatracker

Alpha Board Blocks


Page 11: CrypTech - IETF Datatracker

Alpha Board EOY 2015

Block diagram: Cryptech Alpha Board Rev 0.01, 2015-05-27 (JoachimS). Blocks shown:

•  CPU: ARM Cortex-M4, STM32F429BIT6, 208-pin LQFP; CPU clock source, CPU reset block, 4 CPU LEDs, 8 CPU GPIOs, CPU JTAG

•  FPGA: Xilinx Artix-7 200T, FBG484-3 (layout compatible with FGG484); FPGA clock source @ 50 MHz, FPGA reset block, FPGA LEDs (4 + 8 GPIOs), 8 FPGA GPIOs, Xilinx Platform Cable JTAG

•  CPU to FPGA: FMC SRAM IF @ 45-90 MHz with 32 bit data bus and 26 bit separate address bus, FPGA chip select and clock; FPGA events on 4 GPIOs; reset of FPGA by CPU (1 GPIO) can be disabled by removing jumper

•  Tamper detect MCU: Atmel AVR ATtiny828R-AY, TQFP-32, @ 20 MHz, clocked using internal oscillator; tamper button; tamper events to CPU (2 GPIOs) and to FPGA (2 GPIOs); 8 tamper GPIOs; 4 tamper LEDs; CPU - tamper serial port (Rx, Tx: 2 wire UART or 2 GPIOs), via jumpers to disable; tamper JTAG; 3V3 tamper power supply, can be replaced by power from PSU by setting jumper

•  Master Key Memory (MKM): 8 kByte serial SRAM, Microchip 23A640, 8TSSOP, 1V8 from battery (MKM power supply can be connected to PSU by setting jumper); FPGA MKM SPI and MKM tamper SPI go through an analog switch (OnSemi MC14551B) with 1 GPIO switch control; 1 GPIO MKM tamper power control; MISO can be pulled low by setting jumper

•  FPGA config mem: SPI from the FPGA and CPU FPGA config mem SPI through an analog switch (OnSemi MC14551B) with 1 GPIO switch control; SPI from CPU to FPGA config mem and control of switch can be disabled by removing jumpers; 1V8 write enable of config mem can be disabled by removing jumper

•  Memory: SDRAM 64 Mbit ISSI IS42S16400J (TSOP) on the CPU; SDRAM 512 Mbit ISSI IS45S32160F (TSOP-II) on the FPGA, one chip for each of the two SDRAM interfaces (32 bit data bus, 26 bit address bus, SDRAM control for each SDRAM IF); keystore mem serial flash, at least 64 Mbit, SPI; MicroSD card 2 GByte, 4-bit MMC

•  Real time clock: Microchip MCP79412, TSSOP, I2C, 3V battery, 32.768 kHz crystal

•  Cryptech avalanche noise block: noise on 1 GPIO to the FPGA; 12V must be stable, low noise since it feeds the noise source

•  Host interfaces: two USB-UART interfaces, FT232H LQFP48, UART to the CPU and USB 2.0 to the USB connectors; USART with ISO 7816-3 and I2C as interfaces for possible smart card reader and display/control on separate board

•  On board power supply block: DC connector, 12-19V DC input, 2.5A typ, max 3A peak @ 12V; rails 12V, 5V, 3V3, 2V5, 1V2, 1V37

Page 12: CrypTech - IETF Datatracker


Bridge Board


Page 13: CrypTech - IETF Datatracker


System block diagram; blocks shown:

•  Off board: Applications (DNSsec, RPKI, ...), PKCS#11, connected over Ethernet / USB

•  ARM: RSA Sign & Verify

•  FPGA: Core Selector and Interface; Hashes (SHA-1/256/512, SHA-3, GOST); Symmetric (AES, ChaCha); ModExp / BigNum; Entropy (noise board); Entropy (Ring Oscillators); Mixer (SHA-512); CSPRNG (ChaCha)

•  Further blocks: AES Key-Wrap, CRT, ...; Entropy Provider Sensing; TRNG Control & Test

Page 14: CrypTech - IETF Datatracker

General Core Design

•  Plain Verilog 2001 compliant RTL code

•  FPGA vendor and FPGA/ASIC agnostic design
   -  No explicitly instantiated technology specific macros

•  All cores are independent co-processors
   -  Cores do not share resources
   -  Load data and configure, start core and wait for ready signal

•  32-bit memory like interface
   -  Implemented by core wrapper
   -  API structured similarly for all cores

•  The real functionality is in _core.v and its sub modules

Page 15: CrypTech - IETF Datatracker

General Core Structure

Diagram: foo.v wraps foo_core.v with a mux and hold registers; the wrapper ports are clk, reset_n, cs, we, address, write_data and read_data.

Page 16: CrypTech - IETF Datatracker

API Example

  ADDR_NAME0 = 8'h00;
  ADDR_NAME1 = 8'h01;
  ADDR_VERSION = 8'h02;

  ADDR_CTRL = 8'h08;
  CTRL_INIT_BIT = 0;
  CTRL_NEXT_BIT = 1;

  ADDR_STATUS = 8'h09;
  STATUS_READY_BIT = 0;
  STATUS_VALID_BIT = 1;

  ADDR_BLOCK0 = 8'h10;
  ...
  ADDR_BLOCK15 = 8'h1f;

  ADDR_DIGEST0 = 8'h20;
  ...
  ADDR_DIGEST7 = 8'h27;

Page 17: CrypTech - IETF Datatracker

Core Selector

•  Current version hard coded for the use case

•  Next version auto generated
   -  Generate Verilog based on config

•  Instantiate types and number of instances of cores
   -  SW support for discovery of cores in a given FPGA bitstream

Page 18: CrypTech - IETF Datatracker

Cryptech FPGA system

Diagram: inside the FPGA, a platform independent Cryptech HW system (core 0, core 1, ..., core n behind the core select and system IF) sits behind a possible clock boundary to the platform specific Cryptech HW/SW interface, which carries the interface to the CPU and the noise input.

Page 19: CrypTech - IETF Datatracker

Core Walk Through


Page 20: CrypTech - IETF Datatracker

SHA1

•  Implements SHA-1 as specified in FIPS 180-2

•  Iterative, one cycle/round
   -  82 cycles/block with setup and finish

•  Block expansion (W mem) implemented using sliding window with 16 separate 32-bit registers

•  Testbenches for w_mem, core and top level
   -  Using NIST test vectors
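The register protocol of the API Example slide and the SHA1 core above, as an added example that is not the project's code: a Python model of a SHA-1 core behind the 32-bit memory-like wrapper (name/version, CTRL init/next, STATUS ready/valid, 16 block words, digest words), with a 16-register sliding window for the message schedule, and the software driver that loads a block, pulses init or next and polls ready. The name/version strings and the zero-latency core are assumptions of the model.

```python
import struct

# Register map from the API Example slide (digest is 5 words for SHA-1).
ADDR_NAME0, ADDR_NAME1, ADDR_VERSION = 0x00, 0x01, 0x02
ADDR_CTRL, CTRL_INIT_BIT, CTRL_NEXT_BIT = 0x08, 0, 1
ADDR_STATUS, STATUS_READY_BIT, STATUS_VALID_BIT = 0x09, 0, 1
ADDR_BLOCK0, ADDR_DIGEST0 = 0x10, 0x20
MASK = 0xFFFFFFFF
H0 = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
# Name/version strings are assumed for this model, not taken from the core.
ID_REGS = {ADDR_NAME0: b"sha1", ADDR_NAME1: b"    ", ADDR_VERSION: b"0.50"}


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def sha1_block(state, words):
    """One SHA-1 compression; W is a 16-register sliding window like the core's w_mem."""
    w, (a, b, c, d, e) = list(words), state
    for t in range(80):
        # w[t] = rotl1(w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16]) with only 16 words kept
        wt = w[t] if t < 16 else rotl(w[13] ^ w[8] ^ w[2] ^ w[0], 1)
        if t >= 16:
            w = w[1:] + [wt]                  # drop oldest, keep 16 registers
        if t < 20: f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else: f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (rotl(a, 5) + (f & MASK) + e + k + wt) & MASK, a, rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))


class Sha1CoreWrapper:
    """32-bit memory-like interface: hold registers, read mux, CTRL bits that start the core."""
    def __init__(self):
        self.block, self.digest, self.valid = [0] * 16, H0, False

    def write(self, addr, value):
        if ADDR_BLOCK0 <= addr < ADDR_BLOCK0 + 16:
            self.block[addr - ADDR_BLOCK0] = value & MASK
        elif addr == ADDR_CTRL:
            # The RTL spends 82 cycles here with READY low; this model is zero-latency.
            if value & (1 << CTRL_INIT_BIT):      # first block: start from H0
                self.digest, self.valid = sha1_block(H0, self.block), True
            elif value & (1 << CTRL_NEXT_BIT):    # later blocks: chain on
                self.digest = sha1_block(self.digest, self.block)

    def read(self, addr):
        if addr in ID_REGS:
            return int.from_bytes(ID_REGS[addr], "big")
        if addr == ADDR_STATUS:
            return (1 << STATUS_READY_BIT) | (int(self.valid) << STATUS_VALID_BIT)
        if ADDR_DIGEST0 <= addr < ADDR_DIGEST0 + 5:
            return self.digest[addr - ADDR_DIGEST0]
        return 0


def hash_via_core(core, msg):
    """Software side: pad, load 16 words per block, pulse INIT then NEXT, poll READY, read digest."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    for off in range(0, len(padded), 64):
        for i, word in enumerate(struct.unpack(">16I", padded[off:off + 64])):
            core.write(ADDR_BLOCK0 + i, word)
        core.write(ADDR_CTRL, 1 << (CTRL_INIT_BIT if off == 0 else CTRL_NEXT_BIT))
        while not core.read(ADDR_STATUS) & (1 << STATUS_READY_BIT):
            pass                                  # wait for the core's ready signal
    return b"".join(struct.pack(">I", core.read(ADDR_DIGEST0 + i)) for i in range(5))
```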

Page 21: CrypTech - IETF Datatracker

SHA256

•  Implements SHA-256 as specified in FIPS 180-4

•  Iterative, one cycle/round
   -  66 cycles/block with setup and finish

•  Block expansion (W mem) implemented using sliding window with 16 separate 32-bit registers

•  Testbenches for w_mem, core and top level
   -  Using NIST test vectors

•  Heavily tested with SW on the Novena

•  Used for DNSSEC

Page 22: CrypTech - IETF Datatracker

SHA512

•  Implements SHA-512/x (FIPS 180-4)
   -  Including SHA-512/224, SHA-512/256, SHA-512/384 and SHA-512

•  Iterative, one cycle/round
   -  82 cycles/block with setup and finish

•  Block expansion (W mem) implemented using sliding window with 16 separate 64-bit registers

•  Support for work factor processing with up to 2**32-1 iterations/block

•  Testbenches for w_mem, core and top level
   -  Using NIST test vectors

•  Heavily tested with SW on the Novena

•  Used in Cryptech as mixer in the TRNG

Page 23: CrypTech - IETF Datatracker

AES (1)

•  As specified in FIPS 197
   -  Support for 128 and 256 bit keys

•  Iterative, four cycles/round
   -  42 cycles/block with setup and finish for AES-128
   -  58 cycles/block with setup and finish for AES-256

Page 24: CrypTech - IETF Datatracker

AES (2)

•  Key expansion performed before any block processing
   -  10 cycles for 128 bit keys, 14 cycles for 256 bit keys

•  Separate encipher and decipher data paths
   -  Decipher can be removed for use cases where only encipher is needed (CTR mode etc)
   -  Encipher and decipher share key expansion

Page 25: CrypTech - IETF Datatracker

AES (3)

•  Four sbox ROMs
   -  Shared between encipher data path and key expansion

•  Testbenches for key expansion, data paths, core and top level
   -  Using NIST test vectors and vectors by Sam Trenholme (http://www.samiam.org/key-schedule.html)

Page 26: CrypTech - IETF Datatracker

AES (4)

•  Heavily tested with SW on the Novena

•  Used in Cryptech to implement AES Key Wrap (RFC 5649, https://tools.ietf.org/html/rfc5649)

Page 27: CrypTech - IETF Datatracker

ChaCha (1)

•  Implements the ChaCha stream cipher
   -  http://cr.yp.to/chacha/chacha-20080128.pdf
   -  Support for 128 and 256 bit keys
   -  Support for up to 32 rounds
   -  Support for settable 64-bit initial counter value

•  Iterative, two cycles/double round
   -  42 cycles/block with setup and finish for ChaCha20

Page 28: CrypTech - IETF Datatracker

ChaCha (2)

•  Testbenches for core and top level
   -  Using DJB test vectors and generated test vectors for draft https://tools.ietf.org/html/draft-strombergson-chacha-test-vectors-00

•  Used in Cryptech as CSPRNG in the TRNG
   -  With 256 bit key and 24 rounds
   -  Key, block, IV and initial counter as seed

Page 29: CrypTech - IETF Datatracker

TRNG


Page 30: CrypTech - IETF Datatracker

TRNG (1)

•  Sub system using multiple cores
   -  avalanche noise entropy provider core
   -  ring oscillator entropy provider core
   -  SHA512 core used as entropy mixer
   -  ChaCha core used as CSPRNG

Page 31: CrypTech - IETF Datatracker

TRNG (2)

•  Modular architecture
   -  Support for adding more entropy sources
   -  Support for replacing SHA512 in mixer and ChaCha in CSPRNG with other cores

•  Support for observability and testing of all parts and output
   -  Extract raw noise and entropy from the sources
   -  Inject test vectors and extract results to allow verification of functionality
   -  Planned support for on-line testing and alarms for entropy sources and CSPRNG

Page 32: CrypTech - IETF Datatracker

TRNG (3)

•  Scalable performance and security
   -  Number of rounds (default 24) can be configured via API
   -  Reseed frequency settable and can be forced via API
   -  Can generate ~500 Mbps @ 50 MHz clock frequency
   -  Can instantiate multiple ChaCha cores (seeded separately) to scale performance to multiple Gbps

Page 33: CrypTech - IETF Datatracker

TRNG (4)

•  Tested using ent, diehard, dieharder and several custom tools
   -  TBytes of data generated and tested so far
   -  Test server that provides public access to continuously generated data being set up

Page 34: CrypTech - IETF Datatracker


Avalanche Noise Board

Page 35: CrypTech - IETF Datatracker


Noise Generation


Page 36: CrypTech - IETF Datatracker

Raw noise


Page 37: CrypTech - IETF Datatracker

Amplified (yellow)


Page 38: CrypTech - IETF Datatracker

Digitized (yellow)


Page 39: CrypTech - IETF Datatracker

Twitterized explanation

•  To combat component ageing, measure time between flanks, use LSB of time delta as entropy. Do whitening.

Page 40: CrypTech - IETF Datatracker

Avalanche Entropy (1)

•  Entropy provider using external noise source
   -  Used with the Cryptech Avalanche noise source
   -  Noise digitized by board using a schmitt-trigger and provided as single bit stream

Page 41: CrypTech - IETF Datatracker

Avalanche Entropy (2)

•  Measures time (cycles) between positive flanks on noise source
   -  LSB from cycle counter used as entropy bit
   -  32 consecutive bits provided as entropy data to consumer (mixer)

Page 42: CrypTech - IETF Datatracker

Avalanche Entropy (3)

•  Heavily tested using ent, several custom tools
   -  Good confidence that the entropy provided has good quality
   -  Long term stability needs to be evaluated (and being worked on)

•  ~10 kbps data rate

Page 43: CrypTech - IETF Datatracker

Adder based Ring Oscillator


Page 44: CrypTech - IETF Datatracker

ROSC Entropy (1)

•  Entropy provider using internal jitter source
   -  Using a novel adder based ring oscillator (ROSC) suitable for FPGA implementation
   -  Designed by Bernd Paysan
   -  ~2 kbps data rate

Page 45: CrypTech - IETF Datatracker

ROSC Entropy (2)

•  Generates entropy using jitter between ring oscillators
   -  Uses 32 separate ring oscillators (running at 300+ MHz in Spartan-6)
   -  Samples the output values from the oscillators every 256 clock cycles
   -  The outputs from the oscillators are XOR combined into a single bit value
   -  32 consecutive bits provided as entropy data to consumer (mixer)

Page 46: CrypTech - IETF Datatracker

ROSC Entropy (3)

•  Heavily tested using ent, several custom tools
   -  Fairly good confidence that the entropy provides sufficient quality
   -  ROSC feedback path routing critical to clock frequency. Should preferably be locked down using Place & Route constraints
   -  rosc_entropy core should be requalified when moved to a new technology (for example a new FPGA family)

Page 47: CrypTech - IETF Datatracker

Mixer (1)

•  Combines entropy from providers to create seeds for the CSPRNG
   -  Strict round robin extraction from a set of entropy providers

•  Decouples the entropy collection from the random number generation by the CSPRNG

Page 48: CrypTech - IETF Datatracker

Mixer (2)

•  Make it hard to predict seed when trying to control an entropy source

•  Make it hard (infeasible) to guess mixer state and entropy state based on guess of bits in seed

Page 49: CrypTech - IETF Datatracker

Mixer (3)

•  Seeds are intermediate digests for an arbitrarily long message
   -  Unless full restart is forced

•  With SHA-512 as mixer primitive, 1024 bits of entropy is needed to generate 512 bits of seed
   -  With the current Cryptech CSPRNG, two 512-bit seed words are needed. In total 2048 bits of entropy is needed to be able to reseed the CSPRNG
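A cycle-level model of the avalanche entropy provider (Avalanche Entropy slides) feeding the round-robin SHA-512 mixer (Mixer slides), as an added example that is not the project's Verilog. The noise stream is constructed, and hashlib's finalised digest stands in for the core's intermediate digest state.

```python
import hashlib
import struct


class AvalancheEntropy:
    """Counts clock cycles between positive flanks of the digitised noise,
    keeps the LSB of each delta as one entropy bit and delivers 32
    consecutive bits as one word for the mixer (cycle-level model)."""
    def __init__(self):
        self.cycle_ctr, self.prev, self.armed = 0, 0, False
        self.shift, self.nbits, self.words = 0, 0, []

    def clock(self, noise_bit):
        """Advance one clock cycle with the current digitised noise level."""
        self.cycle_ctr += 1
        if noise_bit and not self.prev:                  # positive flank
            if self.armed:                               # first flank only starts timing
                self.shift = ((self.shift << 1) | (self.cycle_ctr & 1)) & 0xFFFFFFFF
                self.nbits += 1
                if self.nbits == 32:
                    self.words.append(self.shift)
                    self.nbits = 0
            self.armed, self.cycle_ctr = True, 0
        self.prev = noise_bit


def constructed_noise(periods):
    """Constructed input: one-cycle-high pulses separated by the given periods."""
    bits = []
    for p in periods:
        bits += [1] + [0] * (p - 1)
    return bits + [1]                                    # closing flank


class Mixer:
    """Strict round robin over entropy providers. Every 1024 bits (one SHA-512
    block) the running digest is taken as a 512-bit seed word. hashlib's
    finalised digest stands in for the core's intermediate digest state."""
    SEED_INPUT_BYTES = 128                               # 1024 bits of entropy per seed word

    def __init__(self, providers):
        self.providers, self.turn = providers, 0
        self.running, self.pending, self.seeds = hashlib.sha512(), b"", []

    def collect(self):
        """Take one 32-bit word from the provider whose turn it is; wait
        (return False) while it has none, as strict round robin requires."""
        prov = self.providers[self.turn]
        if not prov.words:
            return False
        self.turn = (self.turn + 1) % len(self.providers)
        self.pending += struct.pack("<I", prov.words.pop(0))
        if len(self.pending) == self.SEED_INPUT_BYTES:
            self.running.update(self.pending)
            self.seeds.append(self.running.copy().digest())
            self.pending = b""
        return True

    def reseed_material(self):
        """Two 512-bit seed words (2048 bits of entropy consumed) reseed the
        CSPRNG; its 896-bit seed is cut from these 1024 bits."""
        if len(self.seeds) < 2:
            return None
        return self.seeds.pop(0) + self.seeds.pop(0)
```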

Page 50: CrypTech - IETF Datatracker

CSPRNG

•  Using the ChaCha stream cipher as primitive
   -  24 rounds by default

•  Cipher initialized by
   -  256 bit key
   -  512 bit message block
   -  64 bit IV
   -  64 bit initial counter value

   896 bits in total

Page 51: CrypTech - IETF Datatracker

CSPRNG (2)

•  Blocks of 512 bits of stream data extracted via a FIFO as 32-bit random words by consumers

•  Decouples data generation from consumption
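The ChaCha core as the CSPRNG slides (and the ChaCha slides above) describe it, as an added example that is not the project's code: the original 64-bit IV / 64-bit counter layout from the linked DJB paper, configurable rounds with 24 by default, an 896-bit seed covering key, 512-bit block, IV and initial counter (the order of those fields in the seed is an assumption), and 32-bit word extraction through a FIFO.

```python
import struct
from collections import deque

MASK = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)   # "expand 32-byte k"
COLUMN = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONAL = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = rotl(s[b] ^ s[c], 7)


def chacha_block(key, iv, counter, rounds=24):
    """512-bit keystream block. Original (2008) layout: 256-bit key in words
    4-11, 64-bit block counter in 12-13, 64-bit IV in 14-15. The core does
    one double round (column + diagonal) per two clock cycles."""
    state = list(SIGMA) + list(struct.unpack("<8I", key))
    state += list(struct.unpack("<2I", struct.pack("<Q", counter)))
    state += list(struct.unpack("<2I", iv))
    work = state[:]
    for _ in range(rounds // 2):
        for qr in COLUMN + DIAGONAL:
            quarter_round(work, *qr)
    return struct.pack("<16I", *((w + s) & MASK for w, s in zip(work, state)))


class ChaChaCsprng:
    """896-bit seed = key (256) | data block (512) | IV (64) | counter (64);
    the field order is an assumption of this model. Each block encrypts the
    512-bit data block; consumers pull 32-bit words from a FIFO, so
    generation is decoupled from consumption."""
    def __init__(self, seed, rounds=24):
        if len(seed) != 112:
            raise ValueError("seed must be 896 bits")
        self.key, self.block, self.iv = seed[:32], seed[32:96], seed[96:104]
        self.counter = struct.unpack("<Q", seed[104:])[0]
        self.rounds, self.fifo, self.blocks_generated = rounds, deque(), 0

    def _refill(self):
        ks = chacha_block(self.key, self.iv, self.counter, self.rounds)
        stream = bytes(k ^ m for k, m in zip(ks, self.block))  # 512 bits of stream data
        self.fifo.extend(struct.unpack("<16I", stream))
        self.counter = (self.counter + 1) & 0xFFFFFFFFFFFFFFFF
        self.blocks_generated += 1

    def next_word(self):
        """One 32-bit random word, refilling the FIFO when it runs dry."""
        if not self.fifo:
            self._refill()
        return self.fifo.popleft()
```

With an all-zero seed and 20 rounds the first block reproduces the well-known ChaCha20 zero-key keystream, which is how the model can be checked against the DJB/strombergson test vectors the slides mention.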

Page 52: CrypTech - IETF Datatracker


Funding From

A Few Private Donations
