The Layer Cake Architecture Picture

Use Cases

• RPKI/DNSSEC Signing
• Transport VPNs
• Routers and TCP/AO
• Email
• Federations, Identity Systems, SSO etc
• Password Stretching & HMAC:ing
• PGP and SSH Keys on a Stick
• High Quality Entropy Randomness
• A Communications Terminal Doing One Thing Well, Like Jabber w/o X11
• HSM for Pond, OTR identity keys, ssh private keys, etc. (i.e. key gen, store, import/export non X.509 packages)
• Password management

Basic Functions of Crypto Chip

• Key Generation
• Key Storage
• Key Wrap
• Key Unwrap
• Hash
• Sign
• M of N Sign
• Verify Signature
• Encrypt
• Decrypt
• KDFs, e.g. Password Stretching (a la PBKDF2)
• Random (RO + noisy diode?)

Key wrapping

We need to support key wrapping. Some pointers:

• https://en.wikipedia.org/wiki/Key_Wrap
• http://tools.ietf.org/html/rfc5297
• http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
• https://tools.ietf.org/html/rfc3394
• https://tools.ietf.org/html/rfc5649

Things we Should Try To Do, Even if we Can't Do Them Perfectly

• Tamper Protection (wipe on signal, suggest detectors, suggest potting features)
• Side Channel Attack Reduction

Rough Cut at v0.01 Proof of Concept Feature Set

As a proof of concept, to validate as much as possible the assurance of the tools and methods, and as a demonstration of the project tools, team, and architecture, we have a proposed version 0.01 product as a proof of concept and a demonstration of the project tools, team, and architecture

Ongoing Decisions and Research

• Security Target Description
• Performance Target(s)
• Tool-Chain Investigation
• Prototype Design
• Testing / Assurance Methods for all Components
• Verilog/RTL assurance, with open source and with proprietary
• Prototyping Platform(s)
• Documentation, Decision History, & Transparency

Ongoing Development

• SUNET is sponsoring the first two development steps currently being done.
• Investigation and planning of a TRNG with entropy sources
• Investigation of possible EDA tools and ways to do open and assured HW development"
• Collection about side-channel attacks and detection, mitigation methods

v0.1 Major Sub-Projects

Security Goals and Documentation

• Agreement
• Specification

Development Platform

• The Bunnie laptop Novena. Includes a Xilinx Spartan 6 LX45 FPGHA. The specs, drivers, source for Novena can be found here: http://www.kosagi.com/w/index.php?title=Novena_Main_Page

• TerasIC C5G Cyclone 5 GX Starter Kit. Includes an Altera C5GX FPGA. This board is used for core, subsystem development and verification. Info, documentation and ordering of the TerasIC board can be found here: http://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=167&No=830

Here is a writeup on how to setup and run coretest_hashes on the C5G board.

• TerasIC DE0-Nano board. This tiny, USB powered board is used for core development and verification. Info, documentation, resources, ordering of the TerasIC board can be found here: http://www.terasic.com.tw/cgi-bin/page/archive.pl?Language=English&CategoryNo=139&No=593

Hardware Development Tools

Component Libraries

• Research
• Select
• On-chip Interconnect Standards to use.

Methods and Validation

• Overall Strategy
• Following the Tool-Chain

Detailed Specification

• Feature Set

QA & Documentation

Green/Yellow Software Support

• Spec / ABI
• Development
• Documentationa and Testing

Assured Linux Platform

• DDC Compiler
• System Build
• Minimal Component Set

v0.1 Project Timeline

February 2014

• Specification of v0.1 Goals and Feature Set
• Security Goals & Documentation Outline

July 2014

• SHA & AES

September 2014

• TRNG
• Assured Linux Platform - Initial Report

November 2014

• Security Goals & Documentation Overall and v0.1
• RSA Signing on Bunnie Board
• Assured Linux Platform - Compiler

March 2015

• v0.1 Protoype

Future Development

The v0.1 version of CrypTech is not the last version nor the only possible version. The project for example consider possible ASIC Implementations.