CrypTech version 3 firmware and software now available

This post is from Rob Austein:

The Cryptech Project is pleased to announce that version 3 of our
firmware and software package is now available. Like version 2, this
runs on the Alpha board. For those who have been following, this is
the code that until last week was the “ksng” branch.

Major new features:

* New keystore implementation which supports thousands of keys instead
of six. 🙂

* Support for multiple clients (eg, the OpenDNSSEC “enforcer” and
“signer” daemons) talking to the HSM in parallel.

* Key backup.

* Verilog support for (much) faster key generation and signing on the
ECDSA P-256 and P-384 curves.

See for more details.

See and for information on how to
download the new packages and upgrade the HSM firmware.

Please read the upgrade instructions BEFORE attempting to update the
firmware. The upgrade is a multi-step process, and the keystore
format change triggers a bug in the old bootloader which can brick
your HSM if you perform the upgrade steps in the wrong order.

If you ignored the above or managed to brick your HSM anyway, see and .

Thank you for your patience with how long this has taken. We spent
far more time than we would have liked in a twisty maze of RTOS bugs
(eventually solved by removing the RTOS, see the release notes).

Special thanks to Yuri Schaeffer for help testing both the upgrade
process and the multi-client support with OpenDNSSEC.

Welcome to Berlin

The cryptech project is hosting a 1 1/2 day workshop in Berlin right before the IETF meeting this week. This will be the first opportunity to get hands-on experience with the new rev03 alpha board (depicted below). If you are unable to join us in Berlin but want to play with the alpha, you will be able to order your very own from this weekend!

rev03 bottom view
rev03 top view


CrypTech Workshop

Alpha board status

Alpha_rev02_bottom Alpha_rev02_top IMG_20160519_170334

Folks who have been following the tech list recently know that the project engineering team has been busy testing the first 5 alpha boards received from our manufacturer. So far the results are beyond expectation.

All the initial tests show the board working as expected which makes it increasingly likely that we will have a working prototype to share with a wider community in time for the Berlin IETF 96.

We plan to hold a workshop where we hope it will be possible to get your hands on a cryptech alpha on the weekend before the IETF. We will be back with more details as soon as possible!

We are also working on an agreement with Crowd Supply to help us deal with some of the logistics.


Rob Austein recently announced that cryptech has a software ECDSA signature and verification implementation which runs on the Novena using the Cryptech TRNG. This is another major milestone for the project and enables a whole set of new usecases for cryptech.

Rob goes on to say the following about the ECDSA implementation:

As with the RSA code, does just enough to support what PKCS #11 wants. Includes just enough ASN.1 code to generate signatures (which are small ASN.1 objects for ECDSA) and to save and restore ECDSA private keys using AES-Keywrap.

Internal structure of the code attempts to be modular in a way that should make it easy to drop in Verilog replacements in the obvious places (either for the low-level field arithmetic operators, or, as we’re currently contemplating, for the entire higher-level point multiplier).

Code is written with an eye towards (relative) simplicity, constant-time (to confound timing channel attacks), and an embedded environment (so no unnecessary use of dynamic memory, etcetera). Price tag for some of this is that some of the elliptic curve math algorithms are not the speediest possible; we hope that the Verilog portions will make this a moot point, if not, we’ll revisit.

Opinions vary on how critical constant-time is for ECDSA. On the one hand, every signature uses a new random number, and, since we think we have a pretty good TRNG, this doesn’t give an attacker much to work with. On the other hand, due to the structure of the ECDSA algorithm, an attacker who can guess the random number used for any particular signature can recover the private key, which is as bad as it gets. So we’re into analyzing (very_low_probability * very_bad_outcome), a kind of multiplication problem humans are notoriously bad at solving. I chose to err on the side of paranoia at the cost of speed.

Next steps is to integrate the new set of mechanisms into the PKCS#11 layer.

Snowden likes us … and also blinkenlights

After the screening of CitizenFour at the Prague IETF there was a q&a with Edward Snowden during which we learned that he not only knows about cryptech but thinks it is a pretty good thing! The team is very happy and proud to to learn this. We are also happy about the good feedback we’re getting from our recent hackathon, like this blogpost from George Michaelson.

Update: According to this blogpost from ISOC covering the same event, we were described as “awsome”.

First dnssec zone signed

Last night in Prague we conducted the first successful “full-up” test: a novena with the cryptech debian packages was successfully used to sign a dns zone using OpenDNSSEC. There are still a bunch of caveats and the project is by no means done but this represents an important milestone for the project. If you have a novena board you can take a look at the instructions for reproducing this test in the cryptech wiki.

Praha open cryptech hackday

The CrypTech team will hold an open hacking workshop in Praha on Saturday 18th of July right before the IETF meeting. This is a great opportunity to become acquainted with the CrypTech software platform using the novena development boards. There will be a limited number of novenas available to play with during the workshop (but we can’t send you home with one unfortunately). We will focus on DNSSEC signing as a use-case.

The workshop will start at 9 AM at the Praha Hilton (the IETF conference site) in the Istambul Room. A draft agenda is here: