FPGARelated.com
Forums

AES Bitstream Encryption in Virtex-4. How safe it is?

Started by Frai March 4, 2008
Hi,

I need to place my FPGA designs in a safe platform, and I have some
questions:

1. Does anybody know whether Virtex-4 AES bitstream protection has
been broken?

2. Do you consider it a good protection?

3. What could a hacker do to overcome this protection, other than
brute-force?

4. Are there other alternatives in the market, from other vendors than
Xilinx, providing the same or higher level of security?

Regards.
Frai,

Other than the public announcement that the NSA has approved V4 for
single chip crypto systems, what else would you need?

Seriously, no one has broken AES256, and no one has broken V4's
implementation of AES256 (using the battery backed key memory).

A hacker would not attack directly, rather they would wait outside your
building, and offer cash to anyone willing to reveal the key to them.

No other device exists that is 'generic' approved for all NSA single
chip crypto systems.  No ASIC, ASSP, nor FPGA.  It has been called
"completely disruptive technology" and many have told us "V4 will
revolutionize the single chip crypto market."

http://www.xilinx.com/prs_rls/2007/end_markets/0713_v4nsa.htm

I just love it when there is 0 competition!

Austin
> 1. Does anybody know whether Virtex-4 AES bitstream protection has
> been broken?

Didn't hear anything public ... doesn't mean it hasn't been done ... and even if never done, doesn't mean it can't ... As always with security it depends on the value of what you're protecting. But unless it's a control process for cold fusion, I'd say you're most likely in the clear.

> 2. Do you consider it a good protection?

Most people do .... so do I :)

> 3. What could a hacker do to overcome this protection, other than
> brute-force

- Bribe someone at the factory to 'listen' when programming the key
- Physically break into your office and get the source code or unencrypted bit
- Kidnap one of your lead developer's family members and shoot them one by one until he gives you what you want ... (iterate over the whole team as needed)

They may all seem 'weird' options ... but that's how I'd do it if I had to ...

Sylvain
As Xilinx says in their documents, there is no unbreakable security.

I guess if Virtex-4 security is based on the AES algorithm and a
secret key, the way to break the security would be to play with the
implementation of AES in the FPGA, through manipulation of the
encrypted bitstream, probably combining it with a timing attack or any
other sort of attack that could eventually make the AES algorithm work
in the wrong way, exposing some exploits that might be used for
further attacks. This would be cheap and can be easily automated,
although it would probably take long and might fail. If this or any
similar attack were successful, all designs that reside in a Virtex-4
FPGA would be exposed to hackers. Anyway, from the conceptual point of
view, I agree that Virtex-4 level of security is fairly good.

If you don't need in-field reconfiguration of the FPGA, the Actel
Pro-Asic approach to security might be safer than Xilinx Virtex-4, since
it does not let you play with the bitstream. This gives fewer tools for
hackers to play with, making it very difficult for cheap attacks. Some
expensive and time-consuming attacks might be possible, but this would
only expose one design from one client, rather than all designs
residing in Pro-Asic FPGAs around the world.

Just a thought...

Regards.
> 3. What could a hacker do to overcome this protection, other than
> brute-force?

I'd like to add something to this question. V4 security protects your bitstream. This is enough when you just want to avoid the cloning of your product. If you plan to implement a security application on V4 however, you will have to go further than just that. It's quite possible that your design will leak secrets despite the protected bitstream.

Regards,
Marc
On Tue, 04 Mar 2008 11:08:27 -0800, austin <austin@xilinx.com> wrote:

>Frai,
>
>Other than the public announcement that the NSA has approved V4 for
>single chip crypto systems, what else would you need?
>
>Seriously, no one has broken AES256, and no one has broken V4's
>implementation of AES256 (using the battery backed key memory).
>
>A hacker would not attack directly, rather they would wait outside your
>building, and offer cash to anyone willing to reveal the key to them.
>
>No other device exists that is 'generic' approved for all NSA single
>chip crypto systems. No ASIC, ASSP, nor FPGA. It has been called
>"completely disruptive technology" and many have told us "V4 will
>revolutionize the single chip crypto market."
>
>http://www.xilinx.com/prs_rls/2007/end_markets/0713_v4nsa.htm
>
>I just love it when there is 0 competition!

Hi Austin,

Altera StratixII has bitstream encryption, with keys programmed (one time!) into poly fuses. Altera Stratix3 has bitstream encryption, with the option of keys programmed into poly fuses OR held in battery backed SRAM.

Presumably you are aware of both of these products. Do you know of some fault in their implementation that would lead you to describe them as "0 competition"?

Thanks,
Allan
Allan,

No Altera product with poly efuse is able to meet FIPS 41, none are
approved by the NSA.

In my book, that means we see no competition (all customers that require
FIPS 41, or NSA approval come to Xilinx).

Now, if you do not require FIPS 41, or you are not interested in NSA
compliance, then the Altera solutions are perfectly good, and useful.
In no way do I imply they are poor solutions, however, they are not in
compliance with the highest level standards, and they are not approved
for generic use in US government contracts.

That means, they are not a solution for banking (which requires FIPS
41), and other commercial markets as well.

What is left?  From the "Virtex" point of view, nothing at all of import.

Perhaps in the Cyclone/Spartan world, there are some good sockets they
win (and we do too) for anti-cloning of consumer goods.

I am sure they will have FIPS 41 compliant products at some point.  I am
also sure they will eventually get NSA approval (if they can meet their
requirements, as the US government is not allowed to play favorites, and
must treat all fairly).  Until then, we enjoy the sockets we are getting,

Austin
On Wed, 05 Mar 2008 08:19:08 -0800, austin <austin@xilinx.com> wrote:

>Allan,
>
>No Altera product with poly efuse is able to meet FIPS 41, none are
>approved by the NSA.
>
>In my book, that means we see no competition (all customers that require
>FIPS 41, or NSA approval come to Xilinx).
>
>Now, if you do not require FIPS 41, or you are not interested in NSA
>compliance, then the Altera solutions are perfectly good, and useful.
>In no way do I imply they are poor solutions, however, they are not in
>compliance with the highest level standards, and they are not approved
>for generic use in US government contracts.
>
>That means, they are not a solution for banking (which requires FIPS
>41), and other commercial markets as well.
>
>What is left? From the "Virtex" point of view, nothing at all of import.
>
>Perhaps in the Cyclone/Spartan world, there are some good sockets they
>win (and we do too) for anti-cloning of consumer goods.
>
>I am sure they will have FIPS 41 compliant products at some point. I am
>also sure they will eventually get NSA approval (if they can meet their
>requirements, as the US government is not allowed to play favorites, and
>must treat all fairly). Until then, we enjoy the sockets we are getting,

Thanks for the explanation.

We make various data security products, some with FIPS 140 certification (or under evaluation). However, the entire product gets certified, not just some chip in the middle of the box. On that basis, I wouldn't have problems using Altera parts in a FIPS certified product. (Some applications put the "security boundary" at the chip, but that doesn't apply to us.)

BTW, we had been ordering Xilinx V2P parts for an older product, with the special order code that means that the DES bitstream encryption gets tested. We were advised by our supplier that these will no longer be available. What's the story there? Will the same thing happen to our V4 designs?

Regards,
Allan
Allan,

The special order codes ('SCD') are best when folded into the normal
production, so no special anything is required.  The special code goes
away, and the regular product supports the feature.

This is unique to only some parts/packages/test programs, and is never
intended to last forever (only to improve quality for specific customers
when the test program isn't complete).  When we are made aware of a test
coverage gap, we improve the test program.  Once the test program is
sufficiently integrated, we can retire the special flow.

Understand that a 1000 ppm "test escape" is considered a terrible thing
by Xilinx, as we strive to achieve "0 defects."

We have had cases where a particular customer brings to our awareness a
test escape issue, and often no other customer has noticed the issue
(many 10's of thousands of parts shipped, with no returns whatsoever).

Regardless, every test escape is taken very seriously, as it reflects
directly on the product quality, and our customer's trust in Xilinx (to
do the job right).

The (3DES/AES256 key) features are standard, and fully supported.  If a
feature is to be removed, we must issue a 'PCN' (production change
notice, which allows 90 days before it is implemented, and also allows
for last time orders before we remove anything at all), and notify
everyone.  That is a very rare event (as it has to be).

Austin
Frai,

There are many who claim "oh, this is easy..."

However, back in the Virtex II Pro days, we issued a challenge, and more
than 7 universities and research groups accepted the challenge.

We provided a 2vp7 pcb with usb port, and pins for access to power, that
had the key battery installed (300 mA lithium coin cell), and the part
was programmed with a 3DES encrypted bitstream.

All 7 challengers gave up.  Their basic conclusion was all the things
they thought would work, differential power attack, spoofing by power
glitches, attack with freeze spray, etc. FAILED.

Now, can someone crack the scheme, and get the unencrypted bitstream?
Well, we are unable to get anyone interested to try it, as they tried
the obviously less secure 3DES, and didn't get anywhere.

Also, I presume the NSA tried, as they eventually approved V4.  If I was
the NSA, I would have put a great deal of effort to try to break it if I
knew that the devices would go into all modern crypto-systems!  However,
I know nothing of what they did (their report is classified).

Unfortunately, no one publishes a master's thesis or PhD thesis that
says "I failed to crack this encryption" so there are no records of
these attempts failing.  But, no one has been able to get at the key, or
to find anything about the bitstream, ever since we first introduced the
features starting with Virtex II.

On the other hand, polarized light, and a high school microscope, can be
used to read the state of any efuses in a chip (which is why they are
excluded as a solution by the standards).  The fact that some vendors
scramble their efuse contents just means that they do not really
understand what security is all about ("there is no security in
obscurity").  Once the "secret" is out (by reverse engineering the
hardware or software), then all of the products shipped become vulnerable.

Our approach has no secrets whatsoever:  the algorithm is public, as is
the design of the encryptor and decryptor.  That is why it complies with
the standards for constructing a secure system.

Austin