Re: AES encryption of bitstream - is my design secure?


First I'm very happy that my post is getting such input. Thank you.
glen:
If it sells more hardware, even though the use is different,
it doesn't seem bad. Assuming that the hardware sale price
includes the price for the FPGA design, then it isn't likely
that someone will find an affordable use for the hardware.

Maybe all are not in agreement on this. Many products are sold as
loss-leaders
and sold with very thin margins which are not good enuff for company
to survive.
The hardware platforms enable the company to sell soft intellectual
property,
songs, videos, iTunes, printer cartridges, DSP algorithms, video/audio
processing algorithms, etc. A common misperception that selling more
hardware for hobbyists to hack is good for the company when the
company is making profit in different area. Hardware profits are
margin thin in many markets, the soft IP is the item of value. The
price point is chosen to enable the hardware to sell in more areas,
the profit to be made by the purchase of the soft IP (which may not be
part of hte product sold but plugged into the product - a game for
instance, a movie for instance) by the customr of the product at a
later time. If my company selling PCB which takes video in and does
"face recognition" as hardware algorithm in FPGA, my company may take
loss or break even on hardware to make market share with plan of
selling updates of new face recognition method or new capability
(higher resolution, better edge detection).

If someone copies the PCB, then sue for copyright infringement.

This is an intellectual construct though isn't it rather than
practical approach?
gotta find copier, gotta find PCB is copied, hire lawyers, hire
lawyers in native country
(China?), dipose witnesses, get trial dates. Many years will go by
and many $$ for
company to spend with potnetial lost of market. Better for Design
engineer to design in
this insurance to prevent cloning, overbuilding, misuse of product or
misuse of product in a way
that is not in company best interest.


But absolutely in concurrence with Mr. Austin, it does not prevent
overbuilding,reverse engineering, cloning.

However, the FPGA design that is encapsulated in the encrypted
bitstream
*is* secure.
agreed Mr. Dave

Expecting it to protect the rest of the system is analogous
to expecting that the firmware protection in your PC's disk drive
should
protect the firmware of your PC's graphics card. If you want to
secure
your system, then you need system security.

Very much agreed. I have similar conclusion. At first I thought AES encryption
was security against these things as literature says it. But it is
only the
case if you plan on programming your own keys or have third party.
http://www.altera.com/corporate/promotions/ads/a/stratix2a.html

I read this paper and thought it was interesting.
http://www.cl.cam.ac.uk/~sd410/papers/fpga_security.pdf

System level solution is needed. FPGA vendors do the job they need to
do,
protect your design. no problem I think. System engineer has to design
to protect against trojans,
hacking, tampering across all FPGAs and configuration devices, but at
same time enable functional test, jtag test and in-the-field secure
updates. Probably this is all outside of FPGA vendor responsiblity
and field. I just was under thought of 'common knowledge' AES
encryption solves this and only recently through HOST and more
research and your input learning that it is not enough, even for
commercial product. or at least some risk in not designing in
insurance.



< 1) getting passwords from users/admin/embedded
< 2) getting OTHER keys (not FPGA key) in system
< 3) snoop system to hack and potentially unlock unpaid-for features
< (turn low end product into high end product)
< 4) learn enough about system to build compatible plug-ins (games,
< software, songs, videos, printer cartridges) which
< may not be part of economic strategy.

Glen:
Maybe, but are these really easier with a new bitstream attack?
If one can float the I/O pins and put logic probes on the
device, it might be about as easy. Otherwise, they are design
failures of some kind.

I do not have proof or evidence that it is easier (yet, I am searching
google still).
I know this: It is not easy to probe signals today directly. There is
no physical
access to probe. The signals are not TTL only. SERDES, SSTL etc,
very speedy
signals. Best way is to use FPGA that is present to capture? Use
JTAG to
access FPGA design which is snooping?
< "cant prevent hardware from being used for other things" sounds
< like simple statement but many hardware products are sold at
< loss or break-even or very low margin in order to make
< market share. Printers for example. Company makes money on
< consumables or plug-ins to the platform.

I have seen many printers that sell for less than the cost
of the ink cartridges included. If someone can find a use
for that printer, even not requiring any modifications, it
would seem to be a loss to the manufacturer.
Correct. that is my point, so i take it this is agreement.
Youtube show how to turn printers into carving plotters, sign makers,
3d printers, x-y pen plotters, CNC drilling machine, etc. While I think that
is cool I like tinkering, I have to think about my company money success
company providing low-cost low-margin 'tinkering platform' and not intended money
maker in printer cartridges. Thisis just example, It is true for many products I think
money made elsewhere so 'open' hardware is not good for that company. Open
hardware is good like open source code but only when that is business model of
company.

< Xbox is example - which is really just Intel PC sold at loss
< to get market to sell games and internet service. Was Hacked
< to run linux which is embarassment for Microsoft
< but also a loss of $200 for each xbox purchased to run linux.

As far as I know, there hasn't been a rush to buy them as
linux systems. It may be $200 loss to MS, but it may still
be more than it would cost to buy a similar PC.

where did u get the data? Linux-Xbox org is international
http://en.wikipedia.org/wiki/Xbox_Linux
http://www.xbox-linux.org/wiki/Main_Page

Maybe misunderstand. MSFT sells Xbox at a LOSS, it is a PC for
all practical purposes. So there is not a way to get a similar PC for
less (no other manufacture making PCs at loss - at least
intentionally)
hence its attractiveness to break it out for linux by groups seeking
low
cost hardware.

< Cisco low end router can be made into high end router with
< hack patch - loss of revenue for Cisco.

The software can check for some feature in the FPGA code.
Otherwise, it is a normal software copyright question.
yes this gets to the point very well to illustrate. that feature maybe just a 'bit' to set to 1 or 0
or maybe just a bitstream difference. If store 'plain' version bitstream in Virtex5 NOR flash
and send new bitstream 'super version' to store in second bitstream area of NOR flash,
very easy for one to read FLASH with JTAG and have second bitstream. Which then you
provide to other users of your product with just 'plain bitstram' via Internet. Not good I think.
encryption no help here unless you take trouble to program different key in each FPGA,
not easy/practical


Well, there is a story about an IBM computer (I believe System/3)
that came in 32K and 64K models, the difference was the position
of a switch. People learned about this and turned the switch,
but had to remember to turn it back when the machine was being
serviced. (They were usually leased, not sold.)
good example this is same thing but for today PCB with FPGA.
don't let customer/internet hackers discover the 'figurative switch'

In the case of the Cisco router, it would normally require different
software (ROM) for the high end router. If someone can get that
ROM contents, unencrypted FPGA code isn't likely to help, and
it is a copyright violation in any case.

See above, this is not good security approach to rely on copyright
protection

< Reader who say 'if simple to mimik then u don't need encryption,
< engineer will build from scratch' maybe missing the point. They are
to
< build a bit data by scratch that is their intent, to have their
design
< in place to do bad things. steal user password (not fpga key),
monitor
< keyboard input, monitor USB connection, insert 'time bomb' to stop
< system functioning at critical time of need.

Possible, but how likely? The encrypted FPGA code stops (for this
discussion) reverse engineering of that code. It doesn't stop one
from removing the FPGA and splicing into the pads. In the case of
password stealing, it doesn't stop one from making a similar looking
box that steals passwords but with completely different content.

correct. Lots of ways to do it, this is just one of many. However, given
the choice of reprogramming a flash over JTAG and depop a 1152 ball
BGA, the jtag appraoch may be attractive. and easier than making different
PCB.

Monitoring keyboard input or USB signals is much easier than writing
new code for the FPGA. No-one will pick your expensive door lock
if you leave the windows open.

Maybe harder to monitor keyboard or USB without dection of user
or remotely without physical access. I am thinking of FPGA based
system where keyboard or USB goes right to FPGA - so there it might
be attractive to load FPGA with design to capture the keystrokes.
Similar to running software program on Windows to spoof windows login
average user will ctrl-alt-delete and type in username/login, which program
just takes and records and then produces 'error'or logs off. Years ago colleagues
and I spoofed RS232 unix login and workers would enter username and password
just to show it could be done. No need to develop entire FPGA or entire software
just enough to get user to enter details. Many many ways to compromise
system if non-authenticated bitstream is present.

< if I have embedded powerpc based fpga it maybe quiet easy for
attacker
< to get it to boot linux and have design which monitor keyboard
input
< for admin logins and store or send over internet. The interfaces
are
< all standard so easy to develop.

If you can do that without access to the box, then it is a design
failure. If I have access to the box, then there are too many
other ways to attack the system.
Correct and we agree here too - design failure. But very common design
failure - updates over internet, JTAG and no security. identify it as design failure,
but that does not make it go away or solve the problem.
If you google many many
leading companies with this design failure so it is not say just the
horrible engineer.
good engineers on iPhone (not fpga) hacked with JTAG.
access to box is quite possible
and JTAG programming of flash is a very used method, so not sure why other methods
are considered first. China incident where US fighter had to land in China, much was
done to destroy documents, but consider hardware left behind like that, modified wiht
trojan and then given back to US. Not good.
commerical area is similar, voting machines, slot machines, routers (flash reprogrammed)

thanks again everyone for input. i am going to try to learn more.

Best Wishes,
Raj
.

Relevant Pages

  • Re: WSJ article on software liability
    ... > It will be better than hardware because of the flexibility. ... "hardware faults are mostly physical faults, ... there are *LOTS* of faults that are design faults. ... an FPGA, either by synthesizing your COSA-machine on the FPGA, or by ...
    (comp.programming)
  • Re: Is FPGA code called gateware?
    ... based computing systems, under Computer Architecture FPGA. ... The days of FPGA's being only for hardware design are slipping away. ...
    (comp.arch.fpga)
  • Re: FPGA - software or hardware -2-
    ... hardware comes from the regulations for medical devices. ... From the perspective of regulatory requirements it makes a difference ... Reconfigurable computing and system-on-chip design strategies blur the ... and will probably solidly move that line so that FPGA ...
    (comp.arch.fpga)
  • Re: A 21st Century Apple II?
    ... Both Xilinx and Altera (major FPGA vendors) ... No need to reserve pins and hack your design to bring signals out - ... particular "instance" of hardware they would like to use, ...
    (comp.sys.apple2)
  • Re: Multiplication operation
    ... Newbies who are probably working on some trivial project should get the fundamentals first and then work towards the actual optimized implementations gradually building in complexity, if constraints deem it necessary. ... design process. ... elegance out of us hardware guys. ... "designing" a system on an FPGA shouldn't be ...
    (comp.arch.fpga)
Loading