Re: keys to the Kingdom
- From: Austin Lesea <austin@xxxxxxxxxx>
- Date: Fri, 23 Jun 2006 07:47:31 -0700
Jim,
No, I have not cracked the Altera chip. I have received emails from
schools and universities who wish to crack it. These are the same
schools that have published successful smart card attacks.
My quote of $5,000 is what we pay to have a device ground down on the
backside such that we can do analysis on a device.
For another $5,000, one can get up to three or four FIB cuts, and a
couple of jumper wires.
The IEEE paper clearly discusses the technology, and what happens when
the fuse has all of its ions electromigrated to the other end, leaving
intrinsic silicon poly, which has a different index of refraction that
the poly with the ions.
There are difficulties. Find the fuses, read the values, and then
figure out what (if any)logic may be present to confuse the key bits.
That is why the Actel via fuses are considered much better (harder to
find, and read).
None the less, the attack is not 2E128 as the NIST standard implies (the
one they claim to meet FIPS 197, definition of AES 128, 256, 384 and
512). Sure the algorithm is a AES 128 one, but with knowledge of all
the fuse contents, the search space is lessened such that in maybe
twenty minutes or so of permutations on the key bits, you have the
device unlocked (bitstream is now in the clear on your computer, and
ready for cloning, reverse engineering, etc.)
No one has reverse engineered a bitstream for Xilinx or Altera, as far
as we know, on a large device. But that doesn't mean that someone could
not make specific modifications to an existing bitstream (change IO
location, drive strength, etc.) without having to know the whole design.
The question is not one of can I crack it (I believe I can), but one of
a ASSP vendor deciding to place their IP in a component that is not in
compliance with FIPS 140-2. Very, very simple.
For reference:
http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1493126
Remember that any attack that is successful removes the security
forever. So, do you want to use something where there are known ways to
crack it? Or, do you want to use something that today there is no known
method of cracking?
For example, finding the battery backed key has been something that has
been tried and been unsuccessful. Then we were attacked with
differential power attacks (DPA). So far, those have been unsuccessful
as well. As an aside, DPA attacks of ASIC AES has been successful!
Yet another example of how a FPGA can actually be superior to an ASIC
solution.
I will be giving a talk on security in V4 and V5 soon, so watch for the
announcements.
Just as an aside, the coin cell lithium battery vendors have informed me
that for my use, the battery will last "forever." Since we hold the key
down to Vbatt voltages of much less than 1 volt, and the coin cell
starts out life at over 3 volts, and the stated 15 year life is to
discharge to 2 volts, we will last multiples of 15 years. So the
"terrible battery problem" is no big issue.
Set top cable boxes use a lithium battery to store the keys. Cable
companies aren't stupid: they would not use a battery unless there was
a good reason. After all, they make millions of set top boxes. All
they protect is a few movies, and yet they feel that following FIPS
140-2 is the only safe way to go (as everything else has been hacked).
We are examining how to use efuses. I can not say anything right now,
except I think there are going to be very useful, and helpful. They can
be used for device ID, matching a key to a device, factory information
(lot, wafer, serial numbers), control of internal circuits (set
currents, voltages, etc. to get around process variations), repair
faults by substituting redundant features...long long list. And, of
course, to hold a key for those who only have a $5,000 or less secret to
protect.
How much efuse memory should be for the user? How much for the
customer? Unlike my friend, the questions we ask are pretty detailed,
and we are very careful about what we do.
Austin
Jim Granville wrote:
Austin Lesea wrote:.
What is missing from all those press releases:
*Disclaimer: non-volatile poly-efuse EM technology can be read out by a
microscope using polarized light for a total investment of less than
$5,000
.. and that may not quite be the open door you paint.
Have _you_actually_cloned_ a/any device for $5000, or is this more
generic "Austin Arm waving" ? :)
[Until Xilinx have non volatile fuses, then the spin will change ? ]
Being able to read the physical fuses is some way from being able to
duplicate them, or reverse the key those fuses create.
It is not likely that Altera simply mapped Fuse1 = Encryption bit1, etc.
So, to descramble that, will need a LOT of devices, and much more time....
With fully volatile security, yes, the code within is secure,
but the system is _very_ open to spoofing type attacks, so again
security can be a mirage....
-jg
- Follow-Ups:
- Re: keys to the Kingdom
- From: Jim Granville
- Re: keys to the Kingdom
- From: Austin Lesea
- Re: keys to the Kingdom
- References:
- keys to the Kingdom
- From: Austin Lesea
- Re: keys to the Kingdom
- From: Thomas Stanka
- Re: keys to the Kingdom
- From: Austin Lesea
- Re: keys to the Kingdom
- From: Hal Murray
- Re: keys to the Kingdom
- From: Dave Greenfield
- Re: keys to the Kingdom
- From: Austin Lesea
- Re: keys to the Kingdom
- From: Jim Granville
- keys to the Kingdom
- Prev by Date: Re: cache aware programming
- Next by Date: Re: keys to the Kingdom
- Previous by thread: Re: keys to the Kingdom
- Next by thread: Re: keys to the Kingdom
- Index(es):
Relevant Pages
|
