Reply by rickman September 24, 20042004-09-24
Nicholas Weaver wrote:

> 
> In article <41543695.30F6A736@yahoo.com>, rickman  <john@bluepal.net> wrote:
> >So does that make them invisble?  You only need to probe the device with
> >battery power, not main power.  So everything that is not powered by the
> >battery is at gnd potential.  I would be willing to bet that you can
> >still see between the top level runs.
> 
> The cells are static, so you can't track dynamic power which would
> make it easier.  So you need to probe static signals buried under 4-8
> layers of metal, without disrupting the battery power.


I think you may not understand how em viewing of signals works.  Signals
with a positive voltage are bright and everything else is dim.  The
field of the positive tracks will attract electrons, even through the
oxide and other metal.  It is the field that is visualized, not the
metal itself.  Of course being deeply buried will make the field
distorted, but I bet that would not obliterate the image enough that you
can't distinguish the bits.  

This might be a useful research topic.  If the bounty were say, $10,000,
it might result in a few people cracking it.  I don't think many will
bother testing the Xilinx chips security for a couple of hundred
dollars.  

-- 

Rick "rickman" Collins

rick.collins@XYarius.com
Ignore the reply address. To email me use the above address with the XY
removed.

Arius - A Signal Processing Solutions Company
Specializing in DSP and FPGA design      URL http://www.arius.com
4 King Ave                               301-682-7772 Voice
Frederick, MD 21701-3110                 301-682-7666 FAX
Reply by Nicholas Weaver September 24, 20042004-09-24
In article <41543695.30F6A736@yahoo.com>, rickman  <john@bluepal.net> wrote:

>So does that make them invisble?  You only need to probe the device with
>battery power, not main power.  So everything that is not powered by the
>battery is at gnd potential.  I would be willing to bet that you can
>still see between the top level runs.  


The cells are static, so you can't track dynamic power which would
make it easier.  So you need to probe static signals buried under 4-8
layers of metal, without disrupting the battery power.  

You could drill down, but that's going to be annoying, especially
since if it were me, layer 3 & 4 would be a crisscrossing grid of
battery power/gnd links (I don't know if they do that, but I would).

Frankly, it is probably going to be vastly easier to do a sidechannel
analysis on encryptor power & EM signature, at least my gut thinks so,
or drill down to the CONFIG wires and just read the config as its
loaded, as the config info has to go everywhere.
-- 
Nicholas C. Weaver.  to reply email to "nweaver" at the domain
icsi.berkeley.edu
Reply by rickman September 24, 20042004-09-24
Nicholas Weaver wrote:

> 
> In article <4153A8ED.D72961FB@yahoo.com>, rickman  <john@bluepal.net> wrote:
> >Nicholas Weaver wrote:
> >>
> >> In article <41525983.F7389D7E@yahoo.com>, rickman  <john@bluepal.net> wrote:
> >> >I don't need to see the transistors, just a signal that they control.
> >> >That would be in the metal.  It may be hard to sort out, but I am sure
> >> >that is orders of magnitude easier than cracking the key by brute
> >> >force.
> >>
> >> However, those signals are still buried under 8 layers of metal, in a
> >> flip-chip package, with live SRAM cells.
> >
> >Please explain this.  The outputs from the RAM cells never leave the
> >lowest layer of metal?
> 
> The output of the encryptor's ram cells only go to the encryption
> engine itself, and if I was a paranoid designer, that would be a 2-3
> layer metal design, with layers 4-9 on top of it with other stuff to
> make probing difficult.
> 
> I can't confirm, not knowing the design, but I'd lay good odds that
> the bitfile decryption engine is right next to the key storage, and
> that nothing really goes above layer 3, with layers 4-9 being used for
> other signals, power, ground, etc.


So does that make them invisble?  You only need to probe the device with
battery power, not main power.  So everything that is not powered by the
battery is at gnd potential.  I would be willing to bet that you can
still see between the top level runs.  

-- 

Rick "rickman" Collins

rick.collins@XYarius.com
Ignore the reply address. To email me use the above address with the XY
removed.

Arius - A Signal Processing Solutions Company
Specializing in DSP and FPGA design      URL http://www.arius.com
4 King Ave                               301-682-7772 Voice
Frederick, MD 21701-3110                 301-682-7666 FAX
Reply by Nicholas Weaver September 24, 20042004-09-24
In article <4153A8ED.D72961FB@yahoo.com>, rickman  <john@bluepal.net> wrote:

>Nicholas Weaver wrote:
>> 
>> In article <41525983.F7389D7E@yahoo.com>, rickman  <john@bluepal.net> wrote:
>> >I don't need to see the transistors, just a signal that they control.
>> >That would be in the metal.  It may be hard to sort out, but I am sure
>> >that is orders of magnitude easier than cracking the key by brute
>> >force.
>> 
>> However, those signals are still buried under 8 layers of metal, in a
>> flip-chip package, with live SRAM cells.
>
>Please explain this.  The outputs from the RAM cells never leave the
>lowest layer of metal?  


The output of the encryptor's ram cells only go to the encryption
engine itself, and if I was a paranoid designer, that would be a 2-3
layer metal design, with layers 4-9 on top of it with other stuff to
make probing difficult.

I can't confirm, not knowing the design, but I'd lay good odds that
the bitfile decryption engine is right next to the key storage, and
that nothing really goes above layer 3, with layers 4-9 being used for
other signals, power, ground, etc.
-- 
Nicholas C. Weaver.  to reply email to "nweaver" at the domain
icsi.berkeley.edu
Reply by rickman September 24, 20042004-09-24
Nicholas Weaver wrote:

> 
> In article <41525983.F7389D7E@yahoo.com>, rickman  <john@bluepal.net> wrote:
> >I don't need to see the transistors, just a signal that they control.
> >That would be in the metal.  It may be hard to sort out, but I am sure
> >that is orders of magnitude easier than cracking the key by brute
> >force.
> 
> However, those signals are still buried under 8 layers of metal, in a
> flip-chip package, with live SRAM cells.


Please explain this.  The outputs from the RAM cells never leave the
lowest layer of metal?  

-- 

Rick "rickman" Collins

rick.collins@XYarius.com
Ignore the reply address. To email me use the above address with the XY
removed.

Arius - A Signal Processing Solutions Company
Specializing in DSP and FPGA design      URL http://www.arius.com
4 King Ave                               301-682-7772 Voice
Frederick, MD 21701-3110                 301-682-7666 FAX
Reply by Austin Lesea September 23, 20042004-09-23
Nick,

Well, thanks for being the shill in the audience!

All,

It just so happens we do have a challenge board.

Email me directly if you are serious about trying to crack it.

The challenge is this:  tell us the key, or tell us the unencrypted 
bitstream, or even a key part of the bitstream, or change the bitstream 
while still allowing the design to operate (ie add something to it - 
anything, even load some BRAM or change an IO strength - but it has to 
be something you intend to change! and can show you did (as we won't be 
able to tell either unless the effect is observable externally).  Or, 
affect the TRNG in the configuration such that it generates numbers you 
want it to (ie non-random).  I have set the challenges in the order of 
difficulty from most, to least (woth all of them being unbreakable based 
on our knowledge and experience.

You need to supply your own USB port (ie a personnal computer), and if 
you are serious, probably a JTAG cable to a system running our design 
environment (so you can play around).

If you lose the key (because you disconnected the battery and power), 
you can send the unit back to us, and we will rekey it only ONCE for you.

Unit is the size of a business card, with a USB port that powers it. 
There is JTAG access to the part(s) [eprom + fpga].  We supply pcb, and 
the schematic of the pcb.

There is no cash prize like Nick suggests, but I am sure the reputation 
of cracking it would bring in all the business you could handle.

Austin

Nicholas Weaver wrote:

> In article <41525983.F7389D7E@yahoo.com>, rickman  <john@bluepal.net> wrote:
> 
>>I don't need to see the transistors, just a signal that they control. 
>>That would be in the metal.  It may be hard to sort out, but I am sure
>>that is orders of magnitude easier than cracking the key by brute
>>force.  
> 
> 
> However, those signals are still buried under 8 layers of metal, in a
> flip-chip package, with live SRAM cells.
> 
> In general, the best way is probably "Rubber Hose Cryptanalysis": Find
> someone at the company who knows the key and beat it out of him.
> 
> Second best is probably a power and/or EM singnal sidechannel
> analysis: you monitor the power and the EM emissions, and you have a
> boost in that you can probably guess a lot of the zeros (known
> information) based on the target design and its usage, so you have
> known plaintext/cyptertext pairs with an associated power and EM
> signature.
> 
> Somebody would have to DO it (no small feat) but that semes like the
> best way when dealing with volatile cells.
> 
> $100k + the challange of it (EG, release a challange board and "You
> get the key or the data in BlockRAM 0, you get $100k") and it would
> probably happen.
Reply by Nicholas Weaver September 23, 20042004-09-23
In article <41525983.F7389D7E@yahoo.com>, rickman  <john@bluepal.net> wrote:

>I don't need to see the transistors, just a signal that they control. 
>That would be in the metal.  It may be hard to sort out, but I am sure
>that is orders of magnitude easier than cracking the key by brute
>force.  


However, those signals are still buried under 8 layers of metal, in a
flip-chip package, with live SRAM cells.

In general, the best way is probably "Rubber Hose Cryptanalysis": Find
someone at the company who knows the key and beat it out of him.

Second best is probably a power and/or EM singnal sidechannel
analysis: you monitor the power and the EM emissions, and you have a
boost in that you can probably guess a lot of the zeros (known
information) based on the target design and its usage, so you have
known plaintext/cyptertext pairs with an associated power and EM
signature.

Somebody would have to DO it (no small feat) but that semes like the
best way when dealing with volatile cells.

$100k + the challange of it (EG, release a challange board and "You
get the key or the data in BlockRAM 0, you get $100k") and it would
probably happen.
-- 
Nicholas C. Weaver.  to reply email to "nweaver" at the domain
icsi.berkeley.edu
Reply by rickman September 23, 20042004-09-23
I don't need to see the transistors, just a signal that they control. 
That would be in the metal.  It may be hard to sort out, but I am sure
that is orders of magnitude easier than cracking the key by brute
force.  


Peter Alfke wrote:

> 
> Rick, don't forget, there are ten layers of metal above the transistors that
> store the key or the configuration...
> Peter A
> 
> >>
> > I once learned how to use an electron microscope to probe signals on a
> > chip.  Once you figure out where the volatile bits are stored, wouldn't
> > it be a simple matter to read them out with an electron microscope?
> > Just pop the lid and stick the board (assuming it is small enough) under
> > the scope.  Probe it with a very low beam current and you should be able
> > to see which bits are powered and which bits are off.
> >
> > --
> >
> > Rick "rickman" Collins
> >
> > rick.collins@XYarius.com
> > Ignore the reply address. To email me use the above address with the XY
> > removed.
> >
> > Arius - A Signal Processing Solutions Company
> > Specializing in DSP and FPGA design      URL http://www.arius.com
> > 4 King Ave                               301-682-7772 Voice
> > Frederick, MD 21701-3110                 301-682-7666 FAX


-- 

Rick "rickman" Collins

rick.collins@XYarius.com
Ignore the reply address. To email me use the above address with the XY
removed.

Arius - A Signal Processing Solutions Company
Specializing in DSP and FPGA design      URL http://www.arius.com
4 King Ave                               301-682-7772 Voice
Frederick, MD 21701-3110                 301-682-7666 FAX
Reply by Nicholas Weaver September 22, 20042004-09-22
In article <2re9nhF199f5gU1@uni-berlin.de>,
Symon <symon_brewer@hotmail.com> wrote:

>..and dissolving them off with hydrofluoric acid while the chip's battery
>backed bit stays powered up would be a very neat trick indeed!
>Cheers, Syms.


And don't forget that the V4 is a flip-chip package, so you need to
depackage and delid it without disrupting the power.
-- 
Nicholas C. Weaver.  to reply email to "nweaver" at the domain
icsi.berkeley.edu
Reply by Symon September 22, 20042004-09-22
..and dissolving them off with hydrofluoric acid while the chip's battery
backed bit stays powered up would be a very neat trick indeed!
Cheers, Syms.
"Peter Alfke" <peter@xilinx.com> wrote in message
news:BD773898.8C85%peter@xilinx.com...

> Rick, don't forget, there are ten layers of metal above the transistors

that

> store the key or the configuration...
> Peter A
>
> >>
> > I once learned how to use an electron microscope to probe signals on a
> > chip.  Once you figure out where the volatile bits are stored, wouldn't
> > it be a simple matter to read them out with an electron microscope?
> > Just pop the lid and stick the board (assuming it is small enough) under
> > the scope.  Probe it with a very low beam current and you should be able
> > to see which bits are powered and which bits are off.
> >
> > --