The Trac Wiki that used to hold this site has been converted to a wiki-like setup using git, Markdown, Pelican, and m.css.
The git repository is configured to generate the web content from the
Markdown automatically upon receiving a git push.
linkchecker may also be useful in validating the generated content.
The Tor network is defined by a small number, about ten, of special relays called Directory Authorities (DAs).
Directory Authorities sign the critical status votes and consensus status documents using SHA-1 and SHA-256 together with RSA-2048 or RSA-3072 once per hour, using medium-term on-line authority signing keys signed by …
External projects using CrypTech technology.
This is a sketch of a design for the secure channel that we want to have between the Cryptech HSM and the client libraries which talk to it. Work in progress, and not implemented yet because a few of the pieces are still missing.
Basic design …
Everything you need to build our software, firmware, and FPGA bitstreams from source yourself is publicly available, but the process is a bit complicated. Overall, there are two methods, one of which our developers use while writing this stuff, the other of which we use for the automated reproducible builds …
ST-LINK is STM's implementation of the | Serial Wire Debug (SWD) protocol. Think of it as JTAG if you're more comfortable with that.
ST-LINK is built into all(?) of STM's Nucleo and Discovery evaluation boards, which can be had for as little as US$10 from Mouser …
This page covers a few likely (hopefully unlikely) oh-noes.
You can upload new firmware through the bootloader. On power-up or reset,
the bootloader flashes the blue LED for 10 seconds. During that time, start
cryptech_upload:
$ cryptech_upload --firmware --user …This page explains how to upgrade the Cryptech Alpha firmware, bootloader, and FPGA bitstream (as needed).
All of the operations here use the Alpha's "management" (MGMT) port, so that cable must be connected to your Linux or OSX host machine.
The …
This page attempts to explain the upgrade procedure for testing out the new "ksng" development branch of the Cryptech Alpha firmware.
This particular upgrade is more complicated than we would have preferred, due to the interaction of two unrelated factors:
At present, we can't make any statements at all about the integrity of the hardware before it reached us - assembled and ready.
We test and program the Alphas using a dedicated computer, but not in a secure facility by any means. A concerned user is advised to …
The Cryptech Project maintains APT and Homebrew repositories containing packaged software for the Cryptech Alpha board for Debian and Ubuntu Linux and for Mac OS X. The binary packages also include pre-compiled images for the Alpha Board's Artix-7 FPGA, Cortex M4 ARM CPU, and AVR ATtiny828 MCU.
This document contains a brief summary of different on-chip bus standards. The standards are described and compared based on license and availability, technical specifications and general usage.
The purpose of the document is to provide a basis for selecting the primary bus standard for the Cryptech Open HSM project …
The aim of the Cryptech project is to develop an open, free, and auditable HSM. The Cryptech HSM includes both SW and HW parts. In at least the first iteration of the Cryptech HSM, the HW parts are implemented using FPGA devices. However, the ability to implement the HW …
Target DNSSEC Algorithms:
Algorithms:
Required PKCS11 Mechs:
Target …
Novena is an open hardware and F/OSS-friendly computing platform. It is a small single-board Linux PC, with a Freescale i.MX6 (ARM Cortex-A9) CPU and a Xilinx Spartan-6 LX45 FPGA.
It is available in limited quantities through crowd supply.
The Novena PVT-2 …
Attached to this page are high resolution pictures.
The current revision of the Alpha board is rev03.
rev01 was the board known as the 'dev-bridge'.
rev02 was functionally the same as the rev03, but in another form factor.
This is a writeup on how to setup, build and testrun the coretest_hashes Cryptech subsystem on a Novena PVT1 development board.
Novena is an open hardware and F/OSS-friendly computing platform.
It is a small single-board Linux PC, which happens to include a Xilinx Spartan-6 FPGA …
We do not have any assurance that our basic tools are not compromised.
At the base, is the compiler. The fear was first formally expressed in Ken Thompson's 1984 Turing Award Lecture Reflections on Trusting Trust.
David A …
The Cryptech project is using Avalanche Noise as a physical entropy source connected to the FPGA.
Avalanche breakdown is a physical process that occurs when current is forced backwards through a diode until it cannot hold back anymore. The diode will then begin conducting for a brief time until the …
The pkcs11-proxy is a way to tunnel PKCS11 over TCP (TLS). This page explains how to build and install PKCS11 proxy on the novena. There are various forks of this on github. We're going to use the SUNET fork since it support TLS-PSK for authentication out of the box. The …
The core dev team had a design meeting in Berlin after the alpha workshop. We came up with a plan for the hardware and the software work for the next few months:
This is targeted for the mid-flight revision in the 50 board order from propoint. For …
Page Under Construction
Page Under Development
| State | Component | DNSsec Signing | Let's Encrypt | Tor Consensus | Internal | Ticket |
|---|---|---|---|---|---|---|
| Done | AES / KEY WRAP | Wrap/Bkup | #17 | |||
| ECDSA p256 | secondary | Yes | ||||
| ECDSA p384 | secondary | ? | ||||
| Testing | PKCS#11 | Yes | Yes | Yes | Yes | #14 |
| Done | RSA | Yes | Yes | Yes | #16 | |
| Done | SHA-1 | Yes | ||||
| Done | SHA-256 | Yes | Yes | Yes | ||
| Done … |
Presentation at ICANN
Presentation at ICANN
"I wrote pkcs11 libraries and also have modified BIND that offloads full
RRSIG calculation (including time) to board. Clearly can use anything
other than TPM to do RSA calculations."
Side Channel attacks on hardware are hard to avoid, detect and mitigate. But this should not stop us from trying. The CrypTech platform should be developed with side channel issues in mind. This page tries to collect information about relevant side channel attacks, mitigation strategies, side channel resistant design methods …
One, if not THE key functionality in the Cryptech system is the True Random Number Generator (TRNG). We therefore need to discuss, investigate and test to find a TRNG that we and the users of Cryptech can trust and can verify to be trusted.
Develop a first, custom HSM board that can be used to support a first set of applications as well as being used for further development of new functionality as well as security mechanisms such as tamper detection and protection, key storage etc. Deadline is to …
Various generic FPGA development boards.
//Novena//
An Alpha version of a CrypTech HSM, currently in early design
There is no real tamper wrapping and no tamper sensors. The tamper switch is used to simulate tamper detection to test the system's tamper reaction(s).
For …
Intercontinental Berlin Budapest Str. 2 10787 Berlin, Germany
Meeting Room: Köpenick III
Cost of attendance: None
Alpha Board cost: if you are an alpha tester and plan to take an alpha board home with you, we would like to recover cost for these boards from you. We are asking …
In the process of developing the AlphaBoardComponents design, the project has made what is known as the "dev-bridge board".
This is a board, 100x70 mm, with about 2/3 of the components intended to be on the Alpha design. What is missing is basically the FPGA and it's supporting circuits …
apt-get install cryptech-alpha opendnssec opensc
Once you have the software package installed, you may need to upgrade your HSM's firmware.
The major issue is finding tools that allows a designer, user to verify that the RTL source code (in Verilog or VHDL) matches what is generated at the physical level. As part of the project we need to investigate the current status of open tools in the toolchain for implementation …
This is a writeup on how to setup, build and testrun the coretest_hashes
Cryptech subsystem on a TerasiC C5G Cyclone V GX Starter Kit FPGA
development board 1.
The test setup consists of:
A development computer running the Altera Quartus II FPGA development software. This computer will …
The following documents the first two development steps in Cryptech funded by SUNET. The development is being done by Joachim Strömbergson from Secworks AB.
DONE. We have a Terasic DE0 board and a Terasic Cyclone V GX starter kit board.
Create …
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZJUtfVH0KQfdGhVetTQRpg9Ki8xGKNnO07r6df9DrrmDrsHVSsDOv8zxMoNh4XHbaLtmSCT8IkB8xLU6dXVCH4vWZZwfzaKKRNgMOSfOSc6blKKBV6xEw9qXeMe4dWcfknl3yAr6EqYsg5Lrmqgalr8Vyd6FGAoGbLR4Qh7vrahMqXp3+20kn1xfDm5reSJDbNPmU4eNhJykTNtr6l6CbK/OFzhqcMI/AW5AO0wL8f5wIoHQzescZWQMDMW+1gVyDiS8lGS6nhsSZwZZeAJrXHK/LF3ldz1To5HBxzpU5Sziav8C5bgTeYo5YfqDuBq8m9mgZTzqocXFcXUCr0I6x dol@dolmacbook
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCnskRpNxWJE/YgDR3o6sMWwwmbUJ8f2SJa0gHfHM+fcxxC2zQN9/9mqJSxS1E9QdeuRbbHpYxEUtHoX0vSrmia/VALDiQAMps51RBqq6YlrYqvP/Rb0hZ0Z4/YgjTosLdu1PeTzih6mwbyNNF0+gY987Ig31qXQytNF+9G1oSY9dgBAq52lu170QXTRwum4B6Gh4/pCnM6xx+7nY2oqlgvl2wYHVAOJ39W9r4y9kBhcVs51XvJqYehjaoyKYf1+PzA0FsvhJkZuG6ws5eEGSB90lAzKGyFZXedvOLmnFmqAraoLeuKajHIFJDfKNfHHbYpn8ERIfVW66nbqlXFO2g3 fredrik@thulin.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCo3wT4gGyEmGGw5ePMO+jscvq7lo4hIPQHVZNgrChVWphvD1MkkH6PfoUYNfKwagFjUPQcDotQxGaVfvxL6Y4WzOfwiONHTj/4b2skxdRw5B/K2ZnGw2pbfXP4Nhjb1gry2K+BSVWqP3pVZk5tQ+P0YqbwKNfBFlaqS1dR8uIwo6E/8wGIjcMcDMAioMyRlU2R …Placeholder until somebody fills this in with something else interesting.
== Meeting Presentations and Notes ==
== Technical References ==
== Related Work ==
Page Under Development
The team uses Git to store and track project development. All submissions are signed.
The current hardware is the AlphaBoard. More information (to be organized at some point -- yes, this wiki is a mess, again):
The Alpha …
This page explains some basics on testing for randomness, and the background necessary to understand their outputs.
When testing the randomness of an alleged/assumed random bit/byte stream, there are two fundamentally different categories of tests: There are blackbox tests which are independent of the particular source …
| Comment | Who | Resolution | Status |
|---|---|---|---|
| The LTS3060ITS8 is a 8-lead device but the symbol shows only 6 (there are 3 GND leads). | Kent | ft to correct mapping of pins between symbol and package | Done |
| The output capacitor C13 can have higher capacitance. The 2.2 uF is the lowest … |
This is a proposed version 0.01 product as a proof of concept. The intent is not to have a very useful product, but rather to gain confidence in our architecture, tools, and team. The result is intended to be the basis for further development into a more useful second …
This effort was started at the suggestion of Russ Housley, Stephen Farrell, and Jari Arkko of the IETF, to meet the assurance needs of supporting IETF protocols in an open and transparent manner.
But this is not an IETF, ISOC, ... project. As the saying goes, we work for the Internet …
| ID | Color | Meaning |
|---|---|---|
| 01 | Green | ARM LED 2 |
| 02 | Red | ARM LED 4 |
| 03 | Blue | ARM LED 1 |
| 04 | Yellow | ARM LED 3 |
| 05 | Yellow | Application Access USB UART Rx |
| 06 | Green | Application Access USB … |
The Alpha schematics are almost finished!
PDF and Eagle files available for download here in the hardware repository.
https://wiki.cryptech.is/browser/hardware/eagle/alpha/rev02
The schematics are based on the dev-bridge board that we made in the summer of 2015, which is why it is called rev02 …
Page Under Development
EDAToolchainSurvey
Requirements for the Cryptech Alpha System. Derived from Use Cases (see below). There are also utility, internal requirements (again, see below).
In addition to the actual key data, each key requires
The following lists are open to all:
The following lists require approval …
Advisory board, reviewers etc.
Recent revelations have called into question the integrity of some of the implementations of basic cryptographic functions and devices used to secure communications on the Internet. There are serious questions about algorithms and about implementations of those algorithms in software and particularly hardware. The goal of the CrypTech project …
This document contains a list of component level description and requirements for the Crypteh Alpha board.
The document is to be used as a BOM (Bill Of Materials) and PCB design requirement description for discussing with PCB designers on what we want to have designed.
The block diagram for the …
This page contains a snapshot of the status in the project and will almost certainly be obsolete by the time you read it. If you find something that's wrong, please fix it!
We have a bunch of cores, primarily for FPGA implementation. Some of them implement cryptographic algorithms or …