State of cryptech Q1 2015

The Snowden and subsequent revelations have called into question the integrity of some of the implementations of basic cryptographic functions and of the cryptographic devices used to secure applications and communications on the Internet. There are serious questions about algorithms and about implementations of those algorithms in software and particularly in hardware. The algorithmic issues are in the domain of the heavy math cryptography folk. But we must also deal with the implementation issues.

To fill this need, the CrypTech project is developing an open-source hardware cryptographic engine design that meets the needs of high assurance Internet infrastructure systems that use cryptography. The open-source hardware cryptographic engine must be of general use to the broad Internet community, covering needs such as securing email, web, DNSsec, PKIs, etc.

A number of interested organizations have provided funding for development, and public sector cryptographers and security hardware experts provide algorithmic advice and wide and open review.

The resulting open-source hardware cryptographic engine designs are intended to be buildable by anyone from CrypTech’s openly available specifications and the open-source firmware. Anyone can then adapt, modify, and operate it without fees of any kind.

The project is a year in and things are moving along well. There are two prototype platforms; the immediate one is based on the Novena laptop board (see the picture at https://trac.cryptech.is/), which has an ARM System on Chip (SoC) and an unused FPGA. We expect to deliver an ARM and FPGA package able to do DNSsec signing on the Novena to early testers in late May.

At the same time, we are finishing the specification of a small alpha version of a custom CrypTech board, without all the security exposure of the Novena’s devices needed to support a laptop. We are specifying key types and signing rates for various applications (DNSsec and RPKI signing, Tor consensus, etc.). In April, we will be selecting a board design house so that we can deliver on the order of a hundred custom prototype CrypTech boards in the summer. It is intended to be an ‘agile’ design, oversizing FPGA, ARM, and memory to be sure it will fit all software; and we expect to use it to get more real design parameters for a second board late in the year.

You can see the status of FPGA code at https://trac.cryptech.is/wiki/Dashboard

You can see the alpha board design specifications at https://trac.cryptech.is/wiki/AlphaBoardStrategy

You can find a recent presentation at http://archive.psg.com/141216.verisign-cryptech.pdf

This winter, we added a Russian FPGA developer to increase diversity and to speed up the hardware level development. We are really pleased with his work.

Up the stack, the C team is starting to integrate the ARM-based software on top of the FPGA EIM interface, and has crypto libraries up to the PKCS#11 border. The PKCS#11 application interface code is the main remaining C development this spring.

CrypTech project Kickoff meeting

On this day (4-5 December 2013) the CrypTech project held its first face-to-face meeting in Stockholm at the SUNET and NORDUnet offices. The project will try to build a trusted open hardware crypto design and a prototype that demonstrates the design which can be used to secure core Internet infrastructure like DNSSEC, RPKI etc. The first 2 days of meetings focused on two big topics: architecture and entropy. Generating and managing entropy (for key generation) will clearly be a major undertaking for the project going forward. The architecture discussions landed in this diagram that we choose to call the CrypTech layer cake:

CrypTech layer cake

This diagram sets down some of the core design goals of the project: an FPGA core where sensitive and critical crypto functions will live, and an interface CPU (or microcontroller) running interface code that talks to applications.