The Snowden and subsequent revelations have called into question the integrity of some of the implementations of basic cryptographic functions and of the cryptographic devices used to secure applications and communications on the Internet. There are serious questions about algorithms and about implementations of those algorithms in software and particularly in hardware. The algorithmic issues are in the domain of the heavy math cryptography folk. But we must also deal with the implementation issues.
To fill this need the CrypTech project is developing an open-source hardware cryptographic hardware engine design that meets the needs of high assurance Internet infrastructure systems that use cryptography. The open-source hardware cryptographic engine must be of general use to the broad Internet community, covering needs such as securing email, web, DNSsec, PKIs, etc.
A number of interested organizations has provided funding for development, and public sector cryptographers and security hardware experts provide algorithmic advice and wide and open review.
The resulting open-source hardware cryptographic engine designs are intended to be buildable by anyone from CrypTech’s openly available specifications and the open-source firmware. Anyone can then adapt, modify, and operate it without fees of any kind.
The project is a year in and things are moving along well. There are two prototype platforms; the immediate one is based on the Novena laptop board (see the picture at https://trac.cryptech.is/), which has an ARM System on Chip (SoC) and an unused FPGA. We expect to deliver an ARM and FPGA package able to do DNSsec signing on the Novena to early testers in late May.
At the same time, we are finishing the specification of a small alpha version of a custom CrypTech board, without all the security exposure of the the Novena’s devices needed to support a laptop. We are specifying key types and signing rates for various applications (DNSsec and RPKI signing, Tor consensus, etc.). In April, we will be selecting a board design house so that we can deliver on the order of a hundred custom prototype CrypTech boards in the summer. It is intended to be an ‘agile’ design, oversizing FPGA, ARM, and memory to be sure it will fit all software; and we expect to use it to get more real design parameters for a second board late in the year.
You can see the status of FPGA code at https://trac.cryptech.is/wiki/Dashboard
You can see the alpha board design specifications at https://trac.cryptech.is/wiki/AlphaBoardStrategy
You can find a recent presentation at http://archive.psg.com/141216.verisign-cryptech.pdf
This winter, we added a Russian FPGA developer to increase diversity and to speed up the hardware level development. We are really pleased with his work.
Up the stack, the C team is starting to integrate the ARM-based software on top of the FPGA EIM interface, and has crypto libraries up to the PKCS#11 border. The PKCS#11 application interface code is the main remaining C development this spring.